Guard TLS SNI callback define better.
[exim.git] / src / src / tls-openssl.c
CommitLineData
059ec3d9
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
c4ceed07 5/* Copyright (c) University of Cambridge 1995 - 2012 */
059ec3d9
PH
6/* See the file NOTICE for conditions of use and distribution. */
7
8/* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
9library. It is #included into the tls.c file when that library is used. The
10code herein is based on a patch that was originally contributed by Steve
11Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
12
13No cryptographic code is included in Exim. All this module does is to call
14functions from the OpenSSL library. */
15
16
17/* Heading stuff */
18
19#include <openssl/lhash.h>
20#include <openssl/ssl.h>
21#include <openssl/err.h>
22#include <openssl/rand.h>
3f7eeb86
PP
23#ifdef EXPERIMENTAL_OCSP
24#include <openssl/ocsp.h>
25#endif
26
27#ifdef EXPERIMENTAL_OCSP
28#define EXIM_OCSP_SKEW_SECONDS (300L)
29#define EXIM_OCSP_MAX_AGE (-1L)
30#endif
059ec3d9 31
3bcbbbe2
PP
32#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
33#define EXIM_HAVE_OPENSSL_TLSEXT
34#endif
35
059ec3d9
PH
36/* Structure for collecting random data for seeding. */
37
38typedef struct randstuff {
9e3331ea
TK
39 struct timeval tv;
40 pid_t p;
059ec3d9
PH
41} randstuff;
42
43/* Local static variables */
44
45static BOOL verify_callback_called = FALSE;
46static const uschar *sid_ctx = US"exim";
47
48static SSL_CTX *ctx = NULL;
7be682ca 49static SSL_CTX *ctx_sni = NULL;
059ec3d9
PH
50static SSL *ssl = NULL;
51
52static char ssl_errstring[256];
53
54static int ssl_session_timeout = 200;
55static BOOL verify_optional = FALSE;
56
7be682ca 57static BOOL reexpand_tls_files_for_sni = FALSE;
059ec3d9
PH
58
59
7be682ca
PP
60typedef struct tls_ext_ctx_cb {
61 uschar *certificate;
62 uschar *privatekey;
3f7eeb86
PP
63#ifdef EXPERIMENTAL_OCSP
64 uschar *ocsp_file;
65 uschar *ocsp_file_expanded;
66 OCSP_RESPONSE *ocsp_response;
67#endif
7be682ca
PP
68 uschar *dhparam;
69 /* these are cached from first expand */
70 uschar *server_cipher_list;
71 /* only passed down to tls_error: */
72 host_item *host;
73} tls_ext_ctx_cb;
74
75/* should figure out a cleanup of API to handle state preserved per
76implementation, for various reasons, which can be void * in the APIs.
77For now, we hack around it. */
78tls_ext_ctx_cb *static_cbinfo = NULL;
79
80static int
81setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional);
059ec3d9 82
3f7eeb86 83/* Callbacks */
3bcbbbe2 84#ifdef EXIM_HAVE_OPENSSL_TLSEXT
3f7eeb86 85static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
3bcbbbe2 86#endif
3f7eeb86
PP
87#ifdef EXPERIMENTAL_OCSP
88static int tls_stapling_cb(SSL *s, void *arg);
89#endif
90
059ec3d9
PH
91
92/*************************************************
93* Handle TLS error *
94*************************************************/
95
96/* Called from lots of places when errors occur before actually starting to do
97the TLS handshake, that is, while the session is still in clear. Always returns
98DEFER for a server and FAIL for a client so that most calls can use "return
99tls_error(...)" to do this processing and then give an appropriate return. A
100single function is used for both server and client, because it is called from
101some shared functions.
102
103Argument:
104 prefix text to include in the logged error
105 host NULL if setting up a server;
106 the connected host if setting up a client
7199e1ee 107 msg error message or NULL if we should ask OpenSSL
059ec3d9
PH
108
109Returns: OK/DEFER/FAIL
110*/
111
112static int
7199e1ee 113tls_error(uschar *prefix, host_item *host, uschar *msg)
059ec3d9 114{
7199e1ee
TF
115if (msg == NULL)
116 {
117 ERR_error_string(ERR_get_error(), ssl_errstring);
5ca6d115 118 msg = (uschar *)ssl_errstring;
7199e1ee
TF
119 }
120
059ec3d9
PH
121if (host == NULL)
122 {
7199e1ee 123 uschar *conn_info = smtp_get_connection_info();
5ca6d115 124 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0)
7199e1ee
TF
125 conn_info += 5;
126 log_write(0, LOG_MAIN, "TLS error on %s (%s): %s",
127 conn_info, prefix, msg);
059ec3d9
PH
128 return DEFER;
129 }
130else
131 {
132 log_write(0, LOG_MAIN, "TLS error on connection to %s [%s] (%s): %s",
7199e1ee 133 host->name, host->address, prefix, msg);
059ec3d9
PH
134 return FAIL;
135 }
136}
137
138
139
140/*************************************************
141* Callback to generate RSA key *
142*************************************************/
143
144/*
145Arguments:
146 s SSL connection
147 export not used
148 keylength keylength
149
150Returns: pointer to generated key
151*/
152
153static RSA *
154rsa_callback(SSL *s, int export, int keylength)
155{
156RSA *rsa_key;
157export = export; /* Shut picky compilers up */
158DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
159rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL);
160if (rsa_key == NULL)
161 {
162 ERR_error_string(ERR_get_error(), ssl_errstring);
163 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
164 ssl_errstring);
165 return NULL;
166 }
167return rsa_key;
168}
169
170
171
172
173/*************************************************
174* Callback for verification *
175*************************************************/
176
177/* The SSL library does certificate verification if set up to do so. This
178callback has the current yes/no state is in "state". If verification succeeded,
179we set up the tls_peerdn string. If verification failed, what happens depends
180on whether the client is required to present a verifiable certificate or not.
181
182If verification is optional, we change the state to yes, but still log the
183verification error. For some reason (it really would help to have proper
184documentation of OpenSSL), this callback function then gets called again, this
185time with state = 1. In fact, that's useful, because we can set up the peerdn
186value, but we must take care not to set the private verified flag on the second
187time through.
188
189Note: this function is not called if the client fails to present a certificate
190when asked. We get here only if a certificate has been received. Handling of
191optional verification for this case is done when requesting SSL to verify, by
192setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
193
194Arguments:
195 state current yes/no state as 1/0
196 x509ctx certificate information.
197
198Returns: 1 if verified, 0 if not
199*/
200
201static int
202verify_callback(int state, X509_STORE_CTX *x509ctx)
203{
204static uschar txt[256];
205
206X509_NAME_oneline(X509_get_subject_name(x509ctx->current_cert),
207 CS txt, sizeof(txt));
208
209if (state == 0)
210 {
211 log_write(0, LOG_MAIN, "SSL verify error: depth=%d error=%s cert=%s",
212 x509ctx->error_depth,
213 X509_verify_cert_error_string(x509ctx->error),
214 txt);
215 tls_certificate_verified = FALSE;
216 verify_callback_called = TRUE;
217 if (!verify_optional) return 0; /* reject */
218 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
219 "tls_try_verify_hosts)\n");
220 return 1; /* accept */
221 }
222
223if (x509ctx->error_depth != 0)
224 {
225 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d cert=%s\n",
226 x509ctx->error_depth, txt);
227 }
228else
229 {
230 DEBUG(D_tls) debug_printf("SSL%s peer: %s\n",
231 verify_callback_called? "" : " authenticated", txt);
232 tls_peerdn = txt;
233 }
234
059ec3d9
PH
235if (!verify_callback_called) tls_certificate_verified = TRUE;
236verify_callback_called = TRUE;
237
238return 1; /* accept */
239}
240
241
242
243/*************************************************
244* Information callback *
245*************************************************/
246
247/* The SSL library functions call this from time to time to indicate what they
7be682ca
PP
248are doing. We copy the string to the debugging output when TLS debugging has
249been requested.
059ec3d9
PH
250
251Arguments:
252 s the SSL connection
253 where
254 ret
255
256Returns: nothing
257*/
258
259static void
260info_callback(SSL *s, int where, int ret)
261{
262where = where;
263ret = ret;
264DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
265}
266
267
268
269/*************************************************
270* Initialize for DH *
271*************************************************/
272
273/* If dhparam is set, expand it, and load up the parameters for DH encryption.
274
275Arguments:
276 dhparam DH parameter file
7199e1ee 277 host connected host, if client; NULL if server
059ec3d9
PH
278
279Returns: TRUE if OK (nothing to set up, or setup worked)
280*/
281
282static BOOL
7199e1ee 283init_dh(uschar *dhparam, host_item *host)
059ec3d9
PH
284{
285BOOL yield = TRUE;
286BIO *bio;
287DH *dh;
288uschar *dhexpanded;
289
290if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded))
291 return FALSE;
292
293if (dhexpanded == NULL) return TRUE;
294
295if ((bio = BIO_new_file(CS dhexpanded, "r")) == NULL)
296 {
7199e1ee 297 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
5ca6d115 298 host, (uschar *)strerror(errno));
059ec3d9
PH
299 yield = FALSE;
300 }
301else
302 {
303 if ((dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)) == NULL)
304 {
7199e1ee
TF
305 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
306 host, NULL);
059ec3d9
PH
307 yield = FALSE;
308 }
309 else
310 {
311 SSL_CTX_set_tmp_dh(ctx, dh);
312 DEBUG(D_tls)
313 debug_printf("Diffie-Hellman initialized from %s with %d-bit key\n",
314 dhexpanded, 8*DH_size(dh));
315 DH_free(dh);
316 }
317 BIO_free(bio);
318 }
319
320return yield;
321}
322
323
324
325
3f7eeb86
PP
326#ifdef EXPERIMENTAL_OCSP
327/*************************************************
328* Load OCSP information into state *
329*************************************************/
330
331/* Called to load the OCSP response from the given file into memory, once
332caller has determined this is needed. Checks validity. Debugs a message
333if invalid.
334
335ASSUMES: single response, for single cert.
336
337Arguments:
338 sctx the SSL_CTX* to update
339 cbinfo various parts of session state
340 expanded the filename putatively holding an OCSP response
341
342*/
343
344static void
345ocsp_load_response(SSL_CTX *sctx,
346 tls_ext_ctx_cb *cbinfo,
347 const uschar *expanded)
348{
349BIO *bio;
350OCSP_RESPONSE *resp;
351OCSP_BASICRESP *basic_response;
352OCSP_SINGLERESP *single_response;
353ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
354X509_STORE *store;
355unsigned long verify_flags;
356int status, reason, i;
357
358cbinfo->ocsp_file_expanded = string_copy(expanded);
359if (cbinfo->ocsp_response)
360 {
361 OCSP_RESPONSE_free(cbinfo->ocsp_response);
362 cbinfo->ocsp_response = NULL;
363 }
364
365bio = BIO_new_file(CS cbinfo->ocsp_file_expanded, "rb");
366if (!bio)
367 {
368 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
369 cbinfo->ocsp_file_expanded);
370 return;
371 }
372
373resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
374BIO_free(bio);
375if (!resp)
376 {
377 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
378 return;
379 }
380
381status = OCSP_response_status(resp);
382if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL)
383 {
384 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
385 OCSP_response_status_str(status), status);
386 return;
387 }
388
389basic_response = OCSP_response_get1_basic(resp);
390if (!basic_response)
391 {
392 DEBUG(D_tls)
393 debug_printf("OCSP response parse error: unable to extract basic response.\n");
394 return;
395 }
396
397store = SSL_CTX_get_cert_store(sctx);
398verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
399
400/* May need to expose ability to adjust those flags?
401OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
402OCSP_TRUSTOTHER OCSP_NOINTERN */
403
404i = OCSP_basic_verify(basic_response, NULL, store, verify_flags);
405if (i <= 0)
406 {
407 DEBUG(D_tls) {
408 ERR_error_string(ERR_get_error(), ssl_errstring);
409 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
410 }
411 return;
412 }
413
414/* Here's the simplifying assumption: there's only one response, for the
415one certificate we use, and nothing for anything else in a chain. If this
416proves false, we need to extract a cert id from our issued cert
417(tls_certificate) and use that for OCSP_resp_find_status() (which finds the
418right cert in the stack and then calls OCSP_single_get0_status()).
419
420I'm hoping to avoid reworking a bunch more of how we handle state here. */
421single_response = OCSP_resp_get0(basic_response, 0);
422if (!single_response)
423 {
424 DEBUG(D_tls)
425 debug_printf("Unable to get first response from OCSP basic response.\n");
426 return;
427 }
428
429status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
430/* how does this status differ from the one above? */
431if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL)
432 {
433 DEBUG(D_tls) debug_printf("OCSP response not valid (take 2): %s (%d)\n",
434 OCSP_response_status_str(status), status);
435 return;
436 }
437
438if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
439 {
440 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
441 return;
442 }
443
444cbinfo->ocsp_response = resp;
445}
446#endif
447
448
449
450
059ec3d9 451/*************************************************
7be682ca
PP
452* Expand key and cert file specs *
453*************************************************/
454
455/* Called once during tls_init and possibly againt during TLS setup, for a
456new context, if Server Name Indication was used and tls_sni was seen in
457the certificate string.
458
459Arguments:
460 sctx the SSL_CTX* to update
461 cbinfo various parts of session state
462
463Returns: OK/DEFER/FAIL
464*/
465
466static int
3f7eeb86 467tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo)
7be682ca
PP
468{
469uschar *expanded;
470
471if (cbinfo->certificate == NULL)
472 return OK;
473
474if (Ustrstr(cbinfo->certificate, US"tls_sni"))
475 reexpand_tls_files_for_sni = TRUE;
476
477if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded))
478 return DEFER;
479
480if (expanded != NULL)
481 {
482 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded);
483 if (!SSL_CTX_use_certificate_chain_file(sctx, CS expanded))
484 return tls_error(string_sprintf(
485 "SSL_CTX_use_certificate_chain_file file=%s", expanded),
486 cbinfo->host, NULL);
487 }
488
489if (cbinfo->privatekey != NULL &&
490 !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded))
491 return DEFER;
492
493/* If expansion was forced to fail, key_expanded will be NULL. If the result
494of the expansion is an empty string, ignore it also, and assume the private
495key is in the same file as the certificate. */
496
497if (expanded != NULL && *expanded != 0)
498 {
499 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
500 if (!SSL_CTX_use_PrivateKey_file(sctx, CS expanded, SSL_FILETYPE_PEM))
501 return tls_error(string_sprintf(
502 "SSL_CTX_use_PrivateKey_file file=%s", expanded), cbinfo->host, NULL);
503 }
504
3f7eeb86
PP
505#ifdef EXPERIMENTAL_OCSP
506if (cbinfo->ocsp_file != NULL)
507 {
508 if (!expand_check(cbinfo->ocsp_file, US"tls_ocsp_file", &expanded))
509 return DEFER;
510
511 if (expanded != NULL && *expanded != 0)
512 {
513 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
514 if (cbinfo->ocsp_file_expanded &&
515 (Ustrcmp(expanded, cbinfo->ocsp_file_expanded) == 0))
516 {
517 DEBUG(D_tls)
518 debug_printf("tls_ocsp_file value unchanged, using existing values.\n");
519 } else {
520 ocsp_load_response(sctx, cbinfo, expanded);
521 }
522 }
523 }
524#endif
525
7be682ca
PP
526return OK;
527}
528
529
530
531
532/*************************************************
533* Callback to handle SNI *
534*************************************************/
535
536/* Called when acting as server during the TLS session setup if a Server Name
537Indication extension was sent by the client.
538
539API documentation is OpenSSL s_server.c implementation.
540
541Arguments:
542 s SSL* of the current session
543 ad unknown (part of OpenSSL API) (unused)
544 arg Callback of "our" registered data
545
546Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
547*/
548
3bcbbbe2 549#ifdef EXIM_HAVE_OPENSSL_TLSEXT
7be682ca 550static int
7be682ca
PP
551tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
552{
553const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
3f7eeb86 554tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
7be682ca 555int rc;
3f0945ff 556int old_pool = store_pool;
7be682ca
PP
557
558if (!servername)
559 return SSL_TLSEXT_ERR_OK;
560
3f0945ff 561DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
7be682ca
PP
562 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
563
564/* Make the extension value available for expansion */
3f0945ff
PP
565store_pool = POOL_PERM;
566tls_sni = string_copy(US servername);
567store_pool = old_pool;
7be682ca
PP
568
569if (!reexpand_tls_files_for_sni)
570 return SSL_TLSEXT_ERR_OK;
571
572/* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
573not confident that memcpy wouldn't break some internal reference counting.
574Especially since there's a references struct member, which would be off. */
575
576ctx_sni = SSL_CTX_new(SSLv23_server_method());
577if (!ctx_sni)
578 {
579 ERR_error_string(ERR_get_error(), ssl_errstring);
580 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
581 return SSL_TLSEXT_ERR_NOACK;
582 }
583
584/* Not sure how many of these are actually needed, since SSL object
585already exists. Might even need this selfsame callback, for reneg? */
586
587SSL_CTX_set_info_callback(ctx_sni, SSL_CTX_get_info_callback(ctx));
588SSL_CTX_set_mode(ctx_sni, SSL_CTX_get_mode(ctx));
589SSL_CTX_set_options(ctx_sni, SSL_CTX_get_options(ctx));
590SSL_CTX_set_timeout(ctx_sni, SSL_CTX_get_timeout(ctx));
591SSL_CTX_set_tlsext_servername_callback(ctx_sni, tls_servername_cb);
592SSL_CTX_set_tlsext_servername_arg(ctx_sni, cbinfo);
593if (cbinfo->server_cipher_list)
594 SSL_CTX_set_cipher_list(ctx_sni, CS cbinfo->server_cipher_list);
3f7eeb86
PP
595#ifdef EXPERIMENTAL_OCSP
596if (cbinfo->ocsp_file)
597 {
598 SSL_CTX_set_tlsext_status_cb(ctx_sni, tls_stapling_cb);
599 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
600 }
601#endif
7be682ca 602
3f7eeb86 603rc = setup_certs(ctx_sni, tls_verify_certificates, tls_crl, NULL, FALSE);
7be682ca
PP
604if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
605
3f7eeb86
PP
606/* do this after setup_certs, because this can require the certs for verifying
607OCSP information. */
608rc = tls_expand_session_files(ctx_sni, cbinfo);
7be682ca
PP
609if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
610
611DEBUG(D_tls) debug_printf("Switching SSL context.\n");
612SSL_set_SSL_CTX(s, ctx_sni);
613
614return SSL_TLSEXT_ERR_OK;
615}
3bcbbbe2 616#endif /* EXIM_HAVE_OPENSSL_TLSEXT */
7be682ca
PP
617
618
619
620
3f7eeb86
PP
621#ifdef EXPERIMENTAL_OCSP
622/*************************************************
623* Callback to handle OCSP Stapling *
624*************************************************/
625
626/* Called when acting as server during the TLS session setup if the client
627requests OCSP information with a Certificate Status Request.
628
629Documentation via openssl s_server.c and the Apache patch from the OpenSSL
630project.
631
632*/
633
634static int
635tls_stapling_cb(SSL *s, void *arg)
636{
637const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
638uschar *response_der;
639int response_der_len;
640
641DEBUG(D_tls) debug_printf("Received TLS status request (OCSP stapling); %s response.\n",
642 cbinfo->ocsp_response ? "have" : "lack");
643if (!cbinfo->ocsp_response)
644 return SSL_TLSEXT_ERR_NOACK;
645
646response_der = NULL;
647response_der_len = i2d_OCSP_RESPONSE(cbinfo->ocsp_response, &response_der);
648if (response_der_len <= 0)
649 return SSL_TLSEXT_ERR_NOACK;
650
651SSL_set_tlsext_status_ocsp_resp(ssl, response_der, response_der_len);
652return SSL_TLSEXT_ERR_OK;
653}
654
655#endif /* EXPERIMENTAL_OCSP */
656
657
658
659
7be682ca 660/*************************************************
059ec3d9
PH
661* Initialize for TLS *
662*************************************************/
663
664/* Called from both server and client code, to do preliminary initialization of
665the library.
666
667Arguments:
668 host connected host, if client; NULL if server
669 dhparam DH parameter file
670 certificate certificate file
671 privatekey private key
672 addr address if client; NULL if server (for some randomness)
673
674Returns: OK/DEFER/FAIL
675*/
676
677static int
c91535f3 678tls_init(host_item *host, uschar *dhparam, uschar *certificate,
3f7eeb86
PP
679 uschar *privatekey,
680#ifdef EXPERIMENTAL_OCSP
681 uschar *ocsp_file,
682#endif
683 address_item *addr)
059ec3d9 684{
77bb000f 685long init_options;
7be682ca 686int rc;
77bb000f 687BOOL okay;
7be682ca
PP
688tls_ext_ctx_cb *cbinfo;
689
690cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
691cbinfo->certificate = certificate;
692cbinfo->privatekey = privatekey;
3f7eeb86
PP
693#ifdef EXPERIMENTAL_OCSP
694cbinfo->ocsp_file = ocsp_file;
695#endif
7be682ca
PP
696cbinfo->dhparam = dhparam;
697cbinfo->host = host;
77bb000f 698
059ec3d9
PH
699SSL_load_error_strings(); /* basic set up */
700OpenSSL_add_ssl_algorithms();
701
388d6564 702#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
77bb000f 703/* SHA256 is becoming ever more popular. This makes sure it gets added to the
a0475b69
TK
704list of available digests. */
705EVP_add_digest(EVP_sha256());
cf1ef1a9 706#endif
a0475b69 707
059ec3d9
PH
708/* Create a context */
709
710ctx = SSL_CTX_new((host == NULL)?
711 SSLv23_server_method() : SSLv23_client_method());
712
7199e1ee 713if (ctx == NULL) return tls_error(US"SSL_CTX_new", host, NULL);
059ec3d9
PH
714
715/* It turns out that we need to seed the random number generator this early in
716order to get the full complement of ciphers to work. It took me roughly a day
717of work to discover this by experiment.
718
719On systems that have /dev/urandom, SSL may automatically seed itself from
720there. Otherwise, we have to make something up as best we can. Double check
721afterwards. */
722
723if (!RAND_status())
724 {
725 randstuff r;
9e3331ea 726 gettimeofday(&r.tv, NULL);
059ec3d9
PH
727 r.p = getpid();
728
729 RAND_seed((uschar *)(&r), sizeof(r));
730 RAND_seed((uschar *)big_buffer, big_buffer_size);
731 if (addr != NULL) RAND_seed((uschar *)addr, sizeof(addr));
732
733 if (!RAND_status())
7199e1ee 734 return tls_error(US"RAND_status", host,
5ca6d115 735 US"unable to seed random number generator");
059ec3d9
PH
736 }
737
738/* Set up the information callback, which outputs if debugging is at a suitable
739level. */
740
58c01c94 741SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
059ec3d9 742
c80c5570
PP
743/* Automatically re-try reads/writes after renegotiation. */
744(void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
745
77bb000f
PP
746/* Apply administrator-supplied work-arounds.
747Historically we applied just one requested option,
748SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
749moved to an administrator-controlled list of options to specify and
750grandfathered in the first one as the default value for "openssl_options".
059ec3d9 751
77bb000f
PP
752No OpenSSL version number checks: the options we accept depend upon the
753availability of the option value macros from OpenSSL. */
059ec3d9 754
77bb000f
PP
755okay = tls_openssl_options_parse(openssl_options, &init_options);
756if (!okay)
73a46702 757 return tls_error(US"openssl_options parsing failed", host, NULL);
77bb000f
PP
758
759if (init_options)
760 {
761 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
762 if (!(SSL_CTX_set_options(ctx, init_options)))
763 return tls_error(string_sprintf(
764 "SSL_CTX_set_option(%#lx)", init_options), host, NULL);
765 }
766else
767 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
059ec3d9
PH
768
769/* Initialize with DH parameters if supplied */
770
7199e1ee 771if (!init_dh(dhparam, host)) return DEFER;
059ec3d9 772
3f7eeb86 773/* Set up certificate and key (and perhaps OCSP info) */
059ec3d9 774
7be682ca
PP
775rc = tls_expand_session_files(ctx, cbinfo);
776if (rc != OK) return rc;
c91535f3 777
7be682ca 778/* If we need to handle SNI, do so */
3bcbbbe2 779#ifdef EXIM_HAVE_OPENSSL_TLSEXT
3f0945ff
PP
780if (host == NULL)
781 {
3f7eeb86
PP
782#ifdef EXPERIMENTAL_OCSP
783 /* We check ocsp_file, not ocsp_response, because we care about if
784 the option exists, not what the current expansion might be, as SNI might
785 change the certificate and OCSP file in use between now and the time the
786 callback is invoked. */
787 if (cbinfo->ocsp_file)
788 {
789 SSL_CTX_set_tlsext_status_cb(ctx, tls_stapling_cb);
790 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
791 }
792#endif
3f0945ff
PP
793 /* We always do this, so that $tls_sni is available even if not used in
794 tls_certificate */
795 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
796 SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
797 }
7be682ca 798#endif
059ec3d9
PH
799
800/* Set up the RSA callback */
801
802SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
803
804/* Finally, set the timeout, and we are done */
805
806SSL_CTX_set_timeout(ctx, ssl_session_timeout);
807DEBUG(D_tls) debug_printf("Initialized TLS\n");
7be682ca
PP
808
809static_cbinfo = cbinfo;
810
059ec3d9
PH
811return OK;
812}
813
814
815
816
817/*************************************************
818* Get name of cipher in use *
819*************************************************/
820
821/* The answer is left in a static buffer, and tls_cipher is set to point
822to it.
823
824Argument: pointer to an SSL structure for the connection
825Returns: nothing
826*/
827
828static void
829construct_cipher_name(SSL *ssl)
830{
831static uschar cipherbuf[256];
57b3a7f5
PP
832/* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't
833yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
834the accessor functions use const in the prototype. */
835const SSL_CIPHER *c;
059ec3d9 836uschar *ver;
059ec3d9
PH
837
838switch (ssl->session->ssl_version)
839 {
840 case SSL2_VERSION:
841 ver = US"SSLv2";
842 break;
843
844 case SSL3_VERSION:
845 ver = US"SSLv3";
846 break;
847
848 case TLS1_VERSION:
849 ver = US"TLSv1";
850 break;
851
c80c5570
PP
852#ifdef TLS1_1_VERSION
853 case TLS1_1_VERSION:
854 ver = US"TLSv1.1";
855 break;
856#endif
857
858#ifdef TLS1_2_VERSION
859 case TLS1_2_VERSION:
860 ver = US"TLSv1.2";
861 break;
862#endif
863
059ec3d9
PH
864 default:
865 ver = US"UNKNOWN";
866 }
867
57b3a7f5 868c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
edc33b5f 869SSL_CIPHER_get_bits(c, &tls_bits);
059ec3d9
PH
870
871string_format(cipherbuf, sizeof(cipherbuf), "%s:%s:%u", ver,
edc33b5f 872 SSL_CIPHER_get_name(c), tls_bits);
059ec3d9
PH
873tls_cipher = cipherbuf;
874
875DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
876}
877
878
879
880
881
882/*************************************************
883* Set up for verifying certificates *
884*************************************************/
885
886/* Called by both client and server startup
887
888Arguments:
7be682ca 889 sctx SSL_CTX* to initialise
059ec3d9
PH
890 certs certs file or NULL
891 crl CRL file or NULL
892 host NULL in a server; the remote host in a client
893 optional TRUE if called from a server for a host in tls_try_verify_hosts;
894 otherwise passed as FALSE
895
896Returns: OK/DEFER/FAIL
897*/
898
899static int
7be682ca 900setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional)
059ec3d9
PH
901{
902uschar *expcerts, *expcrl;
903
904if (!expand_check(certs, US"tls_verify_certificates", &expcerts))
905 return DEFER;
906
907if (expcerts != NULL)
908 {
909 struct stat statbuf;
7be682ca 910 if (!SSL_CTX_set_default_verify_paths(sctx))
7199e1ee 911 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
059ec3d9
PH
912
913 if (Ustat(expcerts, &statbuf) < 0)
914 {
915 log_write(0, LOG_MAIN|LOG_PANIC,
916 "failed to stat %s for certificates", expcerts);
917 return DEFER;
918 }
919 else
920 {
921 uschar *file, *dir;
922 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
923 { file = NULL; dir = expcerts; }
924 else
925 { file = expcerts; dir = NULL; }
926
927 /* If a certificate file is empty, the next function fails with an
928 unhelpful error message. If we skip it, we get the correct behaviour (no
929 certificates are recognized, but the error message is still misleading (it
930 says no certificate was supplied.) But this is better. */
931
932 if ((file == NULL || statbuf.st_size > 0) &&
7be682ca 933 !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
7199e1ee 934 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL);
059ec3d9
PH
935
936 if (file != NULL)
937 {
7be682ca 938 SSL_CTX_set_client_CA_list(sctx, SSL_load_client_CA_file(CS file));
059ec3d9
PH
939 }
940 }
941
942 /* Handle a certificate revocation list. */
943
944 #if OPENSSL_VERSION_NUMBER > 0x00907000L
945
8b417f2c
PH
946 /* This bit of code is now the version supplied by Lars Mainka. (I have
947 * merely reformatted it into the Exim code style.)
948
949 * "From here I changed the code to add support for multiple crl's
950 * in pem format in one file or to support hashed directory entries in
951 * pem format instead of a file. This method now uses the library function
952 * X509_STORE_load_locations to add the CRL location to the SSL context.
953 * OpenSSL will then handle the verify against CA certs and CRLs by
954 * itself in the verify callback." */
955
059ec3d9
PH
956 if (!expand_check(crl, US"tls_crl", &expcrl)) return DEFER;
957 if (expcrl != NULL && *expcrl != 0)
958 {
8b417f2c
PH
959 struct stat statbufcrl;
960 if (Ustat(expcrl, &statbufcrl) < 0)
961 {
962 log_write(0, LOG_MAIN|LOG_PANIC,
963 "failed to stat %s for certificates revocation lists", expcrl);
964 return DEFER;
965 }
966 else
059ec3d9 967 {
8b417f2c
PH
968 /* is it a file or directory? */
969 uschar *file, *dir;
7be682ca 970 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
8b417f2c 971 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
059ec3d9 972 {
8b417f2c
PH
973 file = NULL;
974 dir = expcrl;
975 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
059ec3d9
PH
976 }
977 else
978 {
8b417f2c
PH
979 file = expcrl;
980 dir = NULL;
981 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
059ec3d9 982 }
8b417f2c 983 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
7199e1ee 984 return tls_error(US"X509_STORE_load_locations", host, NULL);
8b417f2c
PH
985
986 /* setting the flags to check against the complete crl chain */
987
988 X509_STORE_set_flags(cvstore,
989 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
059ec3d9 990 }
059ec3d9
PH
991 }
992
993 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
994
995 /* If verification is optional, don't fail if no certificate */
996
7be682ca 997 SSL_CTX_set_verify(sctx,
059ec3d9
PH
998 SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
999 verify_callback);
1000 }
1001
1002return OK;
1003}
1004
1005
1006
1007/*************************************************
1008* Start a TLS session in a server *
1009*************************************************/
1010
1011/* This is called when Exim is running as a server, after having received
1012the STARTTLS command. It must respond to that command, and then negotiate
1013a TLS session.
1014
1015Arguments:
1016 require_ciphers allowed ciphers
1017
1018Returns: OK on success
1019 DEFER for errors before the start of the negotiation
1020 FAIL for errors during the negotation; the server can't
1021 continue running.
1022*/
1023
1024int
17c76198 1025tls_server_start(const uschar *require_ciphers)
059ec3d9
PH
1026{
1027int rc;
1028uschar *expciphers;
7be682ca 1029tls_ext_ctx_cb *cbinfo;
059ec3d9
PH
1030
1031/* Check for previous activation */
1032
1033if (tls_active >= 0)
1034 {
5ca6d115 1035 tls_error(US"STARTTLS received after TLS started", NULL, US"");
059ec3d9
PH
1036 smtp_printf("554 Already in TLS\r\n");
1037 return FAIL;
1038 }
1039
1040/* Initialize the SSL library. If it fails, it will already have logged
1041the error. */
1042
3f7eeb86
PP
1043rc = tls_init(NULL, tls_dhparam, tls_certificate, tls_privatekey,
1044#ifdef EXPERIMENTAL_OCSP
1045 tls_ocsp_file,
1046#endif
1047 NULL);
059ec3d9 1048if (rc != OK) return rc;
7be682ca 1049cbinfo = static_cbinfo;
059ec3d9
PH
1050
1051if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
1052 return FAIL;
1053
1054/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
17c76198
PP
1055were historically separated by underscores. So that I can use either form in my
1056tests, and also for general convenience, we turn underscores into hyphens here.
1057*/
059ec3d9
PH
1058
1059if (expciphers != NULL)
1060 {
1061 uschar *s = expciphers;
1062 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1063 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
1064 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
7199e1ee 1065 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL);
7be682ca 1066 cbinfo->server_cipher_list = expciphers;
059ec3d9
PH
1067 }
1068
1069/* If this is a host for which certificate verification is mandatory or
1070optional, set up appropriately. */
1071
1072tls_certificate_verified = FALSE;
1073verify_callback_called = FALSE;
1074
1075if (verify_check_host(&tls_verify_hosts) == OK)
1076 {
7be682ca 1077 rc = setup_certs(ctx, tls_verify_certificates, tls_crl, NULL, FALSE);
059ec3d9
PH
1078 if (rc != OK) return rc;
1079 verify_optional = FALSE;
1080 }
1081else if (verify_check_host(&tls_try_verify_hosts) == OK)
1082 {
7be682ca 1083 rc = setup_certs(ctx, tls_verify_certificates, tls_crl, NULL, TRUE);
059ec3d9
PH
1084 if (rc != OK) return rc;
1085 verify_optional = TRUE;
1086 }
1087
1088/* Prepare for new connection */
1089
7199e1ee 1090if ((ssl = SSL_new(ctx)) == NULL) return tls_error(US"SSL_new", NULL, NULL);
da3ad30d
PP
1091
1092/* Warning: we used to SSL_clear(ssl) here, it was removed.
1093 *
1094 * With the SSL_clear(), we get strange interoperability bugs with
1095 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
1096 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
1097 *
1098 * The SSL_clear() call is to let an existing SSL* be reused, typically after
1099 * session shutdown. In this case, we have a brand new object and there's no
1100 * obvious reason to immediately clear it. I'm guessing that this was
1101 * originally added because of incomplete initialisation which the clear fixed,
1102 * in some historic release.
1103 */
059ec3d9
PH
1104
1105/* Set context and tell client to go ahead, except in the case of TLS startup
1106on connection, where outputting anything now upsets the clients and tends to
1107make them disconnect. We need to have an explicit fflush() here, to force out
1108the response. Other smtp_printf() calls do not need it, because in non-TLS
1109mode, the fflush() happens when smtp_getc() is called. */
1110
1111SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
1112if (!tls_on_connect)
1113 {
1114 smtp_printf("220 TLS go ahead\r\n");
1115 fflush(smtp_out);
1116 }
1117
1118/* Now negotiate the TLS session. We put our own timer on it, since it seems
1119that the OpenSSL library doesn't. */
1120
56f5d9bd
PH
1121SSL_set_wfd(ssl, fileno(smtp_out));
1122SSL_set_rfd(ssl, fileno(smtp_in));
059ec3d9
PH
1123SSL_set_accept_state(ssl);
1124
1125DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
1126
1127sigalrm_seen = FALSE;
1128if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
1129rc = SSL_accept(ssl);
1130alarm(0);
1131
1132if (rc <= 0)
1133 {
7199e1ee 1134 tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL);
77bb000f
PP
1135 if (ERR_get_error() == 0)
1136 log_write(0, LOG_MAIN,
a053d125 1137 "TLS client disconnected cleanly (rejected our certificate?)");
059ec3d9
PH
1138 return FAIL;
1139 }
1140
1141DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
1142
1143/* TLS has been set up. Adjust the input functions to read via TLS,
1144and initialize things. */
1145
1146construct_cipher_name(ssl);
1147
1148DEBUG(D_tls)
1149 {
1150 uschar buf[2048];
1151 if (SSL_get_shared_ciphers(ssl, CS buf, sizeof(buf)) != NULL)
1152 debug_printf("Shared ciphers: %s\n", buf);
1153 }
1154
1155
1156ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
1157ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
1158ssl_xfer_eof = ssl_xfer_error = 0;
1159
1160receive_getc = tls_getc;
1161receive_ungetc = tls_ungetc;
1162receive_feof = tls_feof;
1163receive_ferror = tls_ferror;
58eb016e 1164receive_smtp_buffered = tls_smtp_buffered;
059ec3d9
PH
1165
1166tls_active = fileno(smtp_out);
1167return OK;
1168}
1169
1170
1171
1172
1173
1174/*************************************************
1175* Start a TLS session in a client *
1176*************************************************/
1177
1178/* Called from the smtp transport after STARTTLS has been accepted.
1179
1180Argument:
1181 fd the fd of the connection
1182 host connected host (for messages)
83da1223 1183 addr the first address
059ec3d9
PH
1184 dhparam DH parameter file
1185 certificate certificate file
1186 privatekey private key file
3f0945ff 1187 sni TLS SNI to send to remote host
059ec3d9
PH
1188 verify_certs file for certificate verify
1189 crl file containing CRL
1190 require_ciphers list of allowed ciphers
83da1223 1191 timeout startup timeout
059ec3d9
PH
1192
1193Returns: OK on success
1194 FAIL otherwise - note that tls_error() will not give DEFER
1195 because this is not a server
1196*/
1197
1198int
1199tls_client_start(int fd, host_item *host, address_item *addr, uschar *dhparam,
3f0945ff
PP
1200 uschar *certificate, uschar *privatekey, uschar *sni,
1201 uschar *verify_certs, uschar *crl,
17c76198 1202 uschar *require_ciphers, int timeout)
059ec3d9
PH
1203{
1204static uschar txt[256];
1205uschar *expciphers;
1206X509* server_cert;
1207int rc;
1208
3f7eeb86
PP
1209rc = tls_init(host, dhparam, certificate, privatekey,
1210#ifdef EXPERIMENTAL_OCSP
1211 NULL,
1212#endif
1213 addr);
059ec3d9
PH
1214if (rc != OK) return rc;
1215
1216tls_certificate_verified = FALSE;
1217verify_callback_called = FALSE;
1218
1219if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
1220 return FAIL;
1221
1222/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
1223are separated by underscores. So that I can use either form in my tests, and
1224also for general convenience, we turn underscores into hyphens here. */
1225
1226if (expciphers != NULL)
1227 {
1228 uschar *s = expciphers;
1229 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1230 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
1231 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
7199e1ee 1232 return tls_error(US"SSL_CTX_set_cipher_list", host, NULL);
059ec3d9
PH
1233 }
1234
7be682ca 1235rc = setup_certs(ctx, verify_certs, crl, host, FALSE);
059ec3d9
PH
1236if (rc != OK) return rc;
1237
7199e1ee 1238if ((ssl = SSL_new(ctx)) == NULL) return tls_error(US"SSL_new", host, NULL);
059ec3d9
PH
1239SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
1240SSL_set_fd(ssl, fd);
1241SSL_set_connect_state(ssl);
1242
3f0945ff
PP
1243if (sni)
1244 {
1245 if (!expand_check(sni, US"tls_sni", &tls_sni))
1246 return FAIL;
1247 if (!Ustrlen(tls_sni))
1248 tls_sni = NULL;
1249 else
1250 {
1251 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tls_sni);
1252 SSL_set_tlsext_host_name(ssl, tls_sni);
1253 }
1254 }
1255
059ec3d9
PH
1256/* There doesn't seem to be a built-in timeout on connection. */
1257
1258DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
1259sigalrm_seen = FALSE;
1260alarm(timeout);
1261rc = SSL_connect(ssl);
1262alarm(0);
1263
1264if (rc <= 0)
7199e1ee 1265 return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL);
059ec3d9
PH
1266
1267DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
1268
453a6645 1269/* Beware anonymous ciphers which lead to server_cert being NULL */
059ec3d9 1270server_cert = SSL_get_peer_certificate (ssl);
453a6645
PP
1271if (server_cert)
1272 {
1273 tls_peerdn = US X509_NAME_oneline(X509_get_subject_name(server_cert),
1274 CS txt, sizeof(txt));
1275 tls_peerdn = txt;
1276 }
1277else
1278 tls_peerdn = NULL;
059ec3d9
PH
1279
1280construct_cipher_name(ssl); /* Sets tls_cipher */
1281
1282tls_active = fd;
1283return OK;
1284}
1285
1286
1287
1288
1289
1290/*************************************************
1291* TLS version of getc *
1292*************************************************/
1293
1294/* This gets the next byte from the TLS input buffer. If the buffer is empty,
1295it refills the buffer via the SSL reading function.
1296
1297Arguments: none
1298Returns: the next character or EOF
1299*/
1300
1301int
1302tls_getc(void)
1303{
1304if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
1305 {
1306 int error;
1307 int inbytes;
1308
c80c5570
PP
1309 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
1310 ssl_xfer_buffer, ssl_xfer_buffer_size);
059ec3d9
PH
1311
1312 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
1313 inbytes = SSL_read(ssl, CS ssl_xfer_buffer, ssl_xfer_buffer_size);
1314 error = SSL_get_error(ssl, inbytes);
1315 alarm(0);
1316
1317 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
1318 closed down, not that the socket itself has been closed down. Revert to
1319 non-SSL handling. */
1320
1321 if (error == SSL_ERROR_ZERO_RETURN)
1322 {
1323 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
1324
1325 receive_getc = smtp_getc;
1326 receive_ungetc = smtp_ungetc;
1327 receive_feof = smtp_feof;
1328 receive_ferror = smtp_ferror;
58eb016e 1329 receive_smtp_buffered = smtp_buffered;
059ec3d9
PH
1330
1331 SSL_free(ssl);
1332 ssl = NULL;
1333 tls_active = -1;
3f0945ff 1334 tls_bits = 0;
059ec3d9
PH
1335 tls_cipher = NULL;
1336 tls_peerdn = NULL;
3f0945ff 1337 tls_sni = NULL;
059ec3d9
PH
1338
1339 return smtp_getc();
1340 }
1341
1342 /* Handle genuine errors */
1343
ba084640
PP
1344 else if (error == SSL_ERROR_SSL)
1345 {
1346 ERR_error_string(ERR_get_error(), ssl_errstring);
89dd51cd 1347 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
ba084640
PP
1348 ssl_xfer_error = 1;
1349 return EOF;
1350 }
1351
059ec3d9
PH
1352 else if (error != SSL_ERROR_NONE)
1353 {
1354 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
1355 ssl_xfer_error = 1;
1356 return EOF;
1357 }
c80c5570 1358
80a47a2c
TK
1359#ifndef DISABLE_DKIM
1360 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
1361#endif
059ec3d9
PH
1362 ssl_xfer_buffer_hwm = inbytes;
1363 ssl_xfer_buffer_lwm = 0;
1364 }
1365
1366/* Something in the buffer; return next uschar */
1367
1368return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
1369}
1370
1371
1372
1373/*************************************************
1374* Read bytes from TLS channel *
1375*************************************************/
1376
1377/*
1378Arguments:
1379 buff buffer of data
1380 len size of buffer
1381
1382Returns: the number of bytes read
1383 -1 after a failed read
1384*/
1385
1386int
1387tls_read(uschar *buff, size_t len)
1388{
1389int inbytes;
1390int error;
1391
c80c5570
PP
1392DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
1393 buff, (unsigned int)len);
059ec3d9
PH
1394
1395inbytes = SSL_read(ssl, CS buff, len);
1396error = SSL_get_error(ssl, inbytes);
1397
1398if (error == SSL_ERROR_ZERO_RETURN)
1399 {
1400 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
1401 return -1;
1402 }
1403else if (error != SSL_ERROR_NONE)
1404 {
1405 return -1;
1406 }
1407
1408return inbytes;
1409}
1410
1411
1412
1413
1414
1415/*************************************************
1416* Write bytes down TLS channel *
1417*************************************************/
1418
1419/*
1420Arguments:
1421 buff buffer of data
1422 len number of bytes
1423
1424Returns: the number of bytes after a successful write,
1425 -1 after a failed write
1426*/
1427
1428int
1429tls_write(const uschar *buff, size_t len)
1430{
1431int outbytes;
1432int error;
1433int left = len;
1434
c80c5570 1435DEBUG(D_tls) debug_printf("tls_do_write(%p, %d)\n", buff, left);
059ec3d9
PH
1436while (left > 0)
1437 {
c80c5570 1438 DEBUG(D_tls) debug_printf("SSL_write(SSL, %p, %d)\n", buff, left);
059ec3d9
PH
1439 outbytes = SSL_write(ssl, CS buff, left);
1440 error = SSL_get_error(ssl, outbytes);
1441 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
1442 switch (error)
1443 {
1444 case SSL_ERROR_SSL:
1445 ERR_error_string(ERR_get_error(), ssl_errstring);
1446 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
1447 return -1;
1448
1449 case SSL_ERROR_NONE:
1450 left -= outbytes;
1451 buff += outbytes;
1452 break;
1453
1454 case SSL_ERROR_ZERO_RETURN:
1455 log_write(0, LOG_MAIN, "SSL channel closed on write");
1456 return -1;
1457
1458 default:
1459 log_write(0, LOG_MAIN, "SSL_write error %d", error);
1460 return -1;
1461 }
1462 }
1463return len;
1464}
1465
1466
1467
1468/*************************************************
1469* Close down a TLS session *
1470*************************************************/
1471
1472/* This is also called from within a delivery subprocess forked from the
1473daemon, to shut down the TLS library, without actually doing a shutdown (which
1474would tamper with the SSL session in the parent process).
1475
1476Arguments: TRUE if SSL_shutdown is to be called
1477Returns: nothing
1478*/
1479
1480void
1481tls_close(BOOL shutdown)
1482{
1483if (tls_active < 0) return; /* TLS was not active */
1484
1485if (shutdown)
1486 {
1487 DEBUG(D_tls) debug_printf("tls_close(): shutting down SSL\n");
1488 SSL_shutdown(ssl);
1489 }
1490
1491SSL_free(ssl);
1492ssl = NULL;
1493
1494tls_active = -1;
1495}
1496
36f12725
NM
1497
1498
1499
1500/*************************************************
1501* Report the library versions. *
1502*************************************************/
1503
1504/* There have historically been some issues with binary compatibility in
1505OpenSSL libraries; if Exim (like many other applications) is built against
1506one version of OpenSSL but the run-time linker picks up another version,
1507it can result in serious failures, including crashing with a SIGSEGV. So
1508report the version found by the compiler and the run-time version.
1509
1510Arguments: a FILE* to print the results to
1511Returns: nothing
1512*/
1513
1514void
1515tls_version_report(FILE *f)
1516{
754a0503
PP
1517fprintf(f, "Library version: OpenSSL: Compile: %s\n"
1518 " Runtime: %s\n",
1519 OPENSSL_VERSION_TEXT,
1520 SSLeay_version(SSLEAY_VERSION));
36f12725
NM
1521}
1522
9e3331ea
TK
1523
1524
1525
1526/*************************************************
17c76198 1527* Random number generation *
9e3331ea
TK
1528*************************************************/
1529
1530/* Pseudo-random number generation. The result is not expected to be
1531cryptographically strong but not so weak that someone will shoot themselves
1532in the foot using it as a nonce in input in some email header scheme or
1533whatever weirdness they'll twist this into. The result should handle fork()
1534and avoid repeating sequences. OpenSSL handles that for us.
1535
1536Arguments:
1537 max range maximum
1538Returns a random number in range [0, max-1]
1539*/
1540
1541int
17c76198 1542vaguely_random_number(int max)
9e3331ea
TK
1543{
1544unsigned int r;
1545int i, needed_len;
1546uschar *p;
1547uschar smallbuf[sizeof(r)];
1548
1549if (max <= 1)
1550 return 0;
1551
1552/* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
1553if (!RAND_status())
1554 {
1555 randstuff r;
1556 gettimeofday(&r.tv, NULL);
1557 r.p = getpid();
1558
1559 RAND_seed((uschar *)(&r), sizeof(r));
1560 }
1561/* We're after pseudo-random, not random; if we still don't have enough data
1562in the internal PRNG then our options are limited. We could sleep and hope
1563for entropy to come along (prayer technique) but if the system is so depleted
1564in the first place then something is likely to just keep taking it. Instead,
1565we'll just take whatever little bit of pseudo-random we can still manage to
1566get. */
1567
1568needed_len = sizeof(r);
1569/* Don't take 8 times more entropy than needed if int is 8 octets and we were
1570asked for a number less than 10. */
1571for (r = max, i = 0; r; ++i)
1572 r >>= 1;
1573i = (i + 7) / 8;
1574if (i < needed_len)
1575 needed_len = i;
1576
1577/* We do not care if crypto-strong */
17c76198
PP
1578i = RAND_pseudo_bytes(smallbuf, needed_len);
1579if (i < 0)
1580 {
1581 DEBUG(D_all)
1582 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
1583 return vaguely_random_number_fallback(max);
1584 }
1585
9e3331ea
TK
1586r = 0;
1587for (p = smallbuf; needed_len; --needed_len, ++p)
1588 {
1589 r *= 256;
1590 r += *p;
1591 }
1592
1593/* We don't particularly care about weighted results; if someone wants
1594smooth distribution and cares enough then they should submit a patch then. */
1595return r % max;
1596}
1597
77bb000f
PP
1598
1599
1600
1601/*************************************************
1602* OpenSSL option parse *
1603*************************************************/
1604
1605/* Parse one option for tls_openssl_options_parse below
1606
1607Arguments:
1608 name one option name
1609 value place to store a value for it
1610Returns success or failure in parsing
1611*/
1612
1613struct exim_openssl_option {
1614 uschar *name;
1615 long value;
1616};
1617/* We could use a macro to expand, but we need the ifdef and not all the
1618options document which version they were introduced in. Policylet: include
1619all options unless explicitly for DTLS, let the administrator choose which
1620to apply.
1621
1622This list is current as of:
c80c5570 1623 ==> 1.0.1b <== */
77bb000f
PP
1624static struct exim_openssl_option exim_openssl_options[] = {
1625/* KEEP SORTED ALPHABETICALLY! */
1626#ifdef SSL_OP_ALL
73a46702 1627 { US"all", SSL_OP_ALL },
77bb000f
PP
1628#endif
1629#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
73a46702 1630 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
77bb000f
PP
1631#endif
1632#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
73a46702 1633 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
77bb000f
PP
1634#endif
1635#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
73a46702 1636 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
77bb000f
PP
1637#endif
1638#ifdef SSL_OP_EPHEMERAL_RSA
73a46702 1639 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
77bb000f
PP
1640#endif
1641#ifdef SSL_OP_LEGACY_SERVER_CONNECT
73a46702 1642 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
77bb000f
PP
1643#endif
1644#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
73a46702 1645 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
77bb000f
PP
1646#endif
1647#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
73a46702 1648 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
77bb000f
PP
1649#endif
1650#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
73a46702 1651 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
77bb000f
PP
1652#endif
1653#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
73a46702 1654 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
77bb000f
PP
1655#endif
1656#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
73a46702 1657 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
77bb000f 1658#endif
c80c5570
PP
1659#ifdef SSL_OP_NO_COMPRESSION
1660 { US"no_compression", SSL_OP_NO_COMPRESSION },
1661#endif
77bb000f 1662#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
73a46702 1663 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
77bb000f 1664#endif
c0c7b2da
PP
1665#ifdef SSL_OP_NO_SSLv2
1666 { US"no_sslv2", SSL_OP_NO_SSLv2 },
1667#endif
1668#ifdef SSL_OP_NO_SSLv3
1669 { US"no_sslv3", SSL_OP_NO_SSLv3 },
1670#endif
1671#ifdef SSL_OP_NO_TICKET
1672 { US"no_ticket", SSL_OP_NO_TICKET },
1673#endif
1674#ifdef SSL_OP_NO_TLSv1
1675 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
1676#endif
c80c5570
PP
1677#ifdef SSL_OP_NO_TLSv1_1
1678#if SSL_OP_NO_TLSv1_1 == 0x00000400L
1679 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
1680#warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
1681#else
1682 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
1683#endif
1684#endif
1685#ifdef SSL_OP_NO_TLSv1_2
1686 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
1687#endif
77bb000f 1688#ifdef SSL_OP_SINGLE_DH_USE
73a46702 1689 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
77bb000f
PP
1690#endif
1691#ifdef SSL_OP_SINGLE_ECDH_USE
73a46702 1692 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
77bb000f
PP
1693#endif
1694#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
73a46702 1695 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
77bb000f
PP
1696#endif
1697#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
73a46702 1698 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
77bb000f
PP
1699#endif
1700#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
73a46702 1701 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
77bb000f
PP
1702#endif
1703#ifdef SSL_OP_TLS_D5_BUG
73a46702 1704 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
77bb000f
PP
1705#endif
1706#ifdef SSL_OP_TLS_ROLLBACK_BUG
73a46702 1707 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
77bb000f
PP
1708#endif
1709};
1710static int exim_openssl_options_size =
1711 sizeof(exim_openssl_options)/sizeof(struct exim_openssl_option);
1712
c80c5570 1713
77bb000f
PP
1714static BOOL
1715tls_openssl_one_option_parse(uschar *name, long *value)
1716{
1717int first = 0;
1718int last = exim_openssl_options_size;
1719while (last > first)
1720 {
1721 int middle = (first + last)/2;
1722 int c = Ustrcmp(name, exim_openssl_options[middle].name);
1723 if (c == 0)
1724 {
1725 *value = exim_openssl_options[middle].value;
1726 return TRUE;
1727 }
1728 else if (c > 0)
1729 first = middle + 1;
1730 else
1731 last = middle;
1732 }
1733return FALSE;
1734}
1735
1736
1737
1738
1739/*************************************************
1740* OpenSSL option parsing logic *
1741*************************************************/
1742
1743/* OpenSSL has a number of compatibility options which an administrator might
1744reasonably wish to set. Interpret a list similarly to decode_bits(), so that
1745we look like log_selector.
1746
1747Arguments:
1748 option_spec the administrator-supplied string of options
1749 results ptr to long storage for the options bitmap
1750Returns success or failure
1751*/
1752
1753BOOL
1754tls_openssl_options_parse(uschar *option_spec, long *results)
1755{
1756long result, item;
1757uschar *s, *end;
1758uschar keep_c;
1759BOOL adding, item_parsed;
1760
0e944a0d 1761result = 0L;
b1770b6e 1762/* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
da3ad30d 1763 * from default because it increases BEAST susceptibility. */
77bb000f
PP
1764
1765if (option_spec == NULL)
1766 {
1767 *results = result;
1768 return TRUE;
1769 }
1770
1771for (s=option_spec; *s != '\0'; /**/)
1772 {
1773 while (isspace(*s)) ++s;
1774 if (*s == '\0')
1775 break;
1776 if (*s != '+' && *s != '-')
1777 {
1778 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
0e944a0d 1779 "+ or - expected but found \"%s\"\n", s);
77bb000f
PP
1780 return FALSE;
1781 }
1782 adding = *s++ == '+';
1783 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
1784 keep_c = *end;
1785 *end = '\0';
1786 item_parsed = tls_openssl_one_option_parse(s, &item);
1787 if (!item_parsed)
1788 {
0e944a0d 1789 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
77bb000f
PP
1790 return FALSE;
1791 }
1792 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
1793 adding ? "adding" : "removing", result, item, s);
1794 if (adding)
1795 result |= item;
1796 else
1797 result &= ~item;
1798 *end = keep_c;
1799 s = end;
1800 }
1801
1802*results = result;
1803return TRUE;
1804}
1805
059ec3d9 1806/* End of tls-openssl.c */