OpenSSL: Debug output TLS 1.3 keying
[exim.git] / src / src / tls-openssl.c
CommitLineData
059ec3d9
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
f9ba5e22 5/* Copyright (c) University of Cambridge 1995 - 2018 */
059ec3d9
PH
6/* See the file NOTICE for conditions of use and distribution. */
7
f5d78688
JH
8/* Portions Copyright (c) The OpenSSL Project 1999 */
9
059ec3d9
PH
10/* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11library. It is #included into the tls.c file when that library is used. The
12code herein is based on a patch that was originally contributed by Steve
13Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
14
15No cryptographic code is included in Exim. All this module does is to call
16functions from the OpenSSL library. */
17
18
19/* Heading stuff */
20
21#include <openssl/lhash.h>
22#include <openssl/ssl.h>
23#include <openssl/err.h>
24#include <openssl/rand.h>
10ca4f1c
JH
25#ifndef OPENSSL_NO_ECDH
26# include <openssl/ec.h>
27#endif
f2de3a33 28#ifndef DISABLE_OCSP
e51c7be2 29# include <openssl/ocsp.h>
3f7eeb86 30#endif
c0635b6d 31#ifdef SUPPORT_DANE
05e796ad 32# include "danessl.h"
85098ee7
JH
33#endif
34
3f7eeb86 35
f2de3a33
JH
36#ifndef DISABLE_OCSP
37# define EXIM_OCSP_SKEW_SECONDS (300L)
38# define EXIM_OCSP_MAX_AGE (-1L)
3f7eeb86 39#endif
059ec3d9 40
3bcbbbe2 41#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
e51c7be2 42# define EXIM_HAVE_OPENSSL_TLSEXT
3bcbbbe2 43#endif
c8dfb21d
JH
44#if OPENSSL_VERSION_NUMBER >= 0x00908000L
45# define EXIM_HAVE_RSA_GENKEY_EX
46#endif
47#if OPENSSL_VERSION_NUMBER >= 0x10100000L
48# define EXIM_HAVE_OCSP_RESP_COUNT
49#else
50# define EXIM_HAVE_EPHEM_RSA_KEX
51# define EXIM_HAVE_RAND_PSEUDO
52#endif
53#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
8442641e 54# define EXIM_HAVE_SHA256
c8dfb21d 55#endif
34e3241d 56
db3f7b69
JH
57/* X509_check_host provides sane certificate hostname checking, but was added
58to OpenSSL late, after other projects forked off the code-base. So in
59addition to guarding against the base version number, beware that LibreSSL
60does not (at this time) support this function.
61
62If LibreSSL gains a different API, perhaps via libtls, then we'll probably
63opt to disentangle and ask a LibreSSL user to provide glue for a third
64crypto provider for libtls instead of continuing to tie the OpenSSL glue
65into even twistier knots. If LibreSSL gains the same API, we can just
66change this guard and punt the issue for a while longer. */
67
34e3241d
PP
68#ifndef LIBRESSL_VERSION_NUMBER
69# if OPENSSL_VERSION_NUMBER >= 0x010100000L
70# define EXIM_HAVE_OPENSSL_CHECKHOST
8420742d 71# define EXIM_HAVE_OPENSSL_DH_BITS
7a8b9519 72# define EXIM_HAVE_OPENSSL_TLS_METHOD
7434882d
JH
73# else
74# define EXIM_NEED_OPENSSL_INIT
34e3241d
PP
75# endif
76# if OPENSSL_VERSION_NUMBER >= 0x010000000L \
2dfb468b 77 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
34e3241d
PP
78# define EXIM_HAVE_OPENSSL_CHECKHOST
79# endif
11aa88b0 80#endif
10ca4f1c 81
11aa88b0
RA
82#if !defined(LIBRESSL_VERSION_NUMBER) \
83 || LIBRESSL_VERSION_NUMBER >= 0x20010000L
10ca4f1c
JH
84# if !defined(OPENSSL_NO_ECDH)
85# if OPENSSL_VERSION_NUMBER >= 0x0090800fL
8442641e 86# define EXIM_HAVE_ECDH
10ca4f1c
JH
87# endif
88# if OPENSSL_VERSION_NUMBER >= 0x10002000L
10ca4f1c
JH
89# define EXIM_HAVE_OPENSSL_EC_NIST2NID
90# endif
91# endif
2dfb468b 92#endif
3bcbbbe2 93
3c1f3b85
JH
94#ifndef LIBRESSL_VERSION_NUMBER
95# if OPENSSL_VERSION_NUMBER >= 0x010101000L
96# define OPENSSL_HAVE_KEYLOG_CB
97# endif
98#endif
99
67791ce4
JH
100#if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
101# warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
102# define DISABLE_OCSP
103#endif
104
a6510420
JH
105#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
106# include <openssl/x509v3.h>
107#endif
108
8442641e
JH
109/*************************************************
110* OpenSSL option parse *
111*************************************************/
112
113typedef struct exim_openssl_option {
114 uschar *name;
115 long value;
116} exim_openssl_option;
117/* We could use a macro to expand, but we need the ifdef and not all the
118options document which version they were introduced in. Policylet: include
119all options unless explicitly for DTLS, let the administrator choose which
120to apply.
121
122This list is current as of:
123 ==> 1.0.1b <==
124Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
125Plus SSL_OP_NO_TLSv1_3 for 1.1.2-dev
126*/
127static exim_openssl_option exim_openssl_options[] = {
128/* KEEP SORTED ALPHABETICALLY! */
129#ifdef SSL_OP_ALL
130 { US"all", SSL_OP_ALL },
131#endif
132#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
133 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
134#endif
135#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
136 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
137#endif
138#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
139 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
140#endif
141#ifdef SSL_OP_EPHEMERAL_RSA
142 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
143#endif
144#ifdef SSL_OP_LEGACY_SERVER_CONNECT
145 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
146#endif
147#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
148 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
149#endif
150#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
151 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
152#endif
153#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
154 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
155#endif
156#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
157 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
158#endif
159#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
160 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
161#endif
162#ifdef SSL_OP_NO_COMPRESSION
163 { US"no_compression", SSL_OP_NO_COMPRESSION },
164#endif
165#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
166 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
167#endif
168#ifdef SSL_OP_NO_SSLv2
169 { US"no_sslv2", SSL_OP_NO_SSLv2 },
170#endif
171#ifdef SSL_OP_NO_SSLv3
172 { US"no_sslv3", SSL_OP_NO_SSLv3 },
173#endif
174#ifdef SSL_OP_NO_TICKET
175 { US"no_ticket", SSL_OP_NO_TICKET },
176#endif
177#ifdef SSL_OP_NO_TLSv1
178 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
179#endif
180#ifdef SSL_OP_NO_TLSv1_1
181#if SSL_OP_NO_TLSv1_1 == 0x00000400L
182 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
183#warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
184#else
185 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
186#endif
187#endif
188#ifdef SSL_OP_NO_TLSv1_2
189 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
190#endif
191#ifdef SSL_OP_NO_TLSv1_3
192 { US"no_tlsv1_3", SSL_OP_NO_TLSv1_3 },
193#endif
194#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
195 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
196#endif
197#ifdef SSL_OP_SINGLE_DH_USE
198 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
199#endif
200#ifdef SSL_OP_SINGLE_ECDH_USE
201 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
202#endif
203#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
204 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
205#endif
206#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
207 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
208#endif
209#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
210 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
211#endif
212#ifdef SSL_OP_TLS_D5_BUG
213 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
214#endif
215#ifdef SSL_OP_TLS_ROLLBACK_BUG
216 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
217#endif
218};
219
220#ifndef MACRO_PREDEF
221static int exim_openssl_options_size = nelem(exim_openssl_options);
222#endif
223
224#ifdef MACRO_PREDEF
225void
226options_tls(void)
227{
8442641e
JH
228uschar buf[64];
229
db3f7b69 230for (struct exim_openssl_option * o = exim_openssl_options;
8442641e
JH
231 o < exim_openssl_options + nelem(exim_openssl_options); o++)
232 {
233 /* Trailing X is workaround for problem with _OPT_OPENSSL_NO_TLSV1
234 being a ".ifdef _OPT_OPENSSL_NO_TLSV1_3" match */
235
236 spf(buf, sizeof(buf), US"_OPT_OPENSSL_%T_X", o->name);
237 builtin_macro_create(buf);
238 }
239}
240#else
241
242/******************************************************************************/
243
059ec3d9
PH
244/* Structure for collecting random data for seeding. */
245
246typedef struct randstuff {
9e3331ea
TK
247 struct timeval tv;
248 pid_t p;
059ec3d9
PH
249} randstuff;
250
251/* Local static variables */
252
a2ff477a
JH
253static BOOL client_verify_callback_called = FALSE;
254static BOOL server_verify_callback_called = FALSE;
059ec3d9
PH
255static const uschar *sid_ctx = US"exim";
256
d4f09789
PP
257/* We have three different contexts to care about.
258
259Simple case: client, `client_ctx`
260 As a client, we can be doing a callout or cut-through delivery while receiving
261 a message. So we have a client context, which should have options initialised
74f1a423
JH
262 from the SMTP Transport. We may also concurrently want to make TLS connections
263 to utility daemons, so client-contexts are allocated and passed around in call
264 args rather than using a gobal.
d4f09789
PP
265
266Server:
267 There are two cases: with and without ServerNameIndication from the client.
268 Given TLS SNI, we can be using different keys, certs and various other
269 configuration settings, because they're re-expanded with $tls_sni set. This
270 allows vhosting with TLS. This SNI is sent in the handshake.
271 A client might not send SNI, so we need a fallback, and an initial setup too.
272 So as a server, we start out using `server_ctx`.
273 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
274 `server_sni` from `server_ctx` and then initialise settings by re-expanding
275 configuration.
276*/
277
74f1a423
JH
278typedef struct {
279 SSL_CTX * ctx;
280 SSL * ssl;
281} exim_openssl_client_tls_ctx;
282
817d9f57 283static SSL_CTX *server_ctx = NULL;
817d9f57 284static SSL *server_ssl = NULL;
389ca47a 285
35731706 286#ifdef EXIM_HAVE_OPENSSL_TLSEXT
817d9f57 287static SSL_CTX *server_sni = NULL;
35731706 288#endif
059ec3d9
PH
289
290static char ssl_errstring[256];
291
292static int ssl_session_timeout = 200;
a2ff477a
JH
293static BOOL client_verify_optional = FALSE;
294static BOOL server_verify_optional = FALSE;
059ec3d9 295
f5d78688 296static BOOL reexpand_tls_files_for_sni = FALSE;
059ec3d9
PH
297
298
7be682ca
PP
299typedef struct tls_ext_ctx_cb {
300 uschar *certificate;
301 uschar *privatekey;
f5d78688 302 BOOL is_server;
a6510420 303#ifndef DISABLE_OCSP
c3033f13 304 STACK_OF(X509) *verify_stack; /* chain for verifying the proof */
f5d78688
JH
305 union {
306 struct {
307 uschar *file;
308 uschar *file_expanded;
309 OCSP_RESPONSE *response;
310 } server;
311 struct {
44662487
JH
312 X509_STORE *verify_store; /* non-null if status requested */
313 BOOL verify_required;
f5d78688
JH
314 } client;
315 } u_ocsp;
3f7eeb86 316#endif
7be682ca
PP
317 uschar *dhparam;
318 /* these are cached from first expand */
319 uschar *server_cipher_list;
320 /* only passed down to tls_error: */
321 host_item *host;
55414b25 322 const uschar * verify_cert_hostnames;
0cbf2b82 323#ifndef DISABLE_EVENT
a7538db1
JH
324 uschar * event_action;
325#endif
7be682ca
PP
326} tls_ext_ctx_cb;
327
328/* should figure out a cleanup of API to handle state preserved per
329implementation, for various reasons, which can be void * in the APIs.
330For now, we hack around it. */
817d9f57
JH
331tls_ext_ctx_cb *client_static_cbinfo = NULL;
332tls_ext_ctx_cb *server_static_cbinfo = NULL;
7be682ca
PP
333
334static int
983207c1 335setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
cf0c6164 336 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr );
059ec3d9 337
3f7eeb86 338/* Callbacks */
3bcbbbe2 339#ifdef EXIM_HAVE_OPENSSL_TLSEXT
3f7eeb86 340static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
3bcbbbe2 341#endif
f2de3a33 342#ifndef DISABLE_OCSP
f5d78688 343static int tls_server_stapling_cb(SSL *s, void *arg);
3f7eeb86
PP
344#endif
345
059ec3d9
PH
346
347/*************************************************
348* Handle TLS error *
349*************************************************/
350
351/* Called from lots of places when errors occur before actually starting to do
352the TLS handshake, that is, while the session is still in clear. Always returns
353DEFER for a server and FAIL for a client so that most calls can use "return
354tls_error(...)" to do this processing and then give an appropriate return. A
355single function is used for both server and client, because it is called from
356some shared functions.
357
358Argument:
359 prefix text to include in the logged error
360 host NULL if setting up a server;
361 the connected host if setting up a client
7199e1ee 362 msg error message or NULL if we should ask OpenSSL
cf0c6164 363 errstr pointer to output error message
059ec3d9
PH
364
365Returns: OK/DEFER/FAIL
366*/
367
368static int
cf0c6164 369tls_error(uschar * prefix, const host_item * host, uschar * msg, uschar ** errstr)
059ec3d9 370{
c562fd30 371if (!msg)
7199e1ee 372 {
0abc5a13 373 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
cf0c6164 374 msg = US ssl_errstring;
7199e1ee
TF
375 }
376
5a2a0989
JH
377msg = string_sprintf("(%s): %s", prefix, msg);
378DEBUG(D_tls) debug_printf("TLS error '%s'\n", msg);
379if (errstr) *errstr = msg;
cf0c6164 380return host ? FAIL : DEFER;
059ec3d9
PH
381}
382
383
384
385/*************************************************
386* Callback to generate RSA key *
387*************************************************/
388
389/*
390Arguments:
3ae79556 391 s SSL connection (not used)
059ec3d9
PH
392 export not used
393 keylength keylength
394
395Returns: pointer to generated key
396*/
397
398static RSA *
399rsa_callback(SSL *s, int export, int keylength)
400{
401RSA *rsa_key;
c8dfb21d
JH
402#ifdef EXIM_HAVE_RSA_GENKEY_EX
403BIGNUM *bn = BN_new();
404#endif
405
059ec3d9
PH
406export = export; /* Shut picky compilers up */
407DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
c8dfb21d
JH
408
409#ifdef EXIM_HAVE_RSA_GENKEY_EX
410if ( !BN_set_word(bn, (unsigned long)RSA_F4)
f2cb6292 411 || !(rsa_key = RSA_new())
c8dfb21d
JH
412 || !RSA_generate_key_ex(rsa_key, keylength, bn, NULL)
413 )
414#else
23bb6982 415if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL)))
c8dfb21d
JH
416#endif
417
059ec3d9 418 {
0abc5a13 419 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
059ec3d9
PH
420 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
421 ssl_errstring);
422 return NULL;
423 }
424return rsa_key;
425}
426
427
428
f5d78688 429/* Extreme debug
f2de3a33 430#ifndef DISABLE_OCSP
f5d78688
JH
431void
432x509_store_dump_cert_s_names(X509_STORE * store)
433{
434STACK_OF(X509_OBJECT) * roots= store->objs;
f5d78688
JH
435static uschar name[256];
436
db3f7b69 437for (int i= 0; i < sk_X509_OBJECT_num(roots); i++)
f5d78688
JH
438 {
439 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
440 if(tmp_obj->type == X509_LU_X509)
441 {
70e384dd
JH
442 X509_NAME * sn = X509_get_subject_name(tmp_obj->data.x509);
443 if (X509_NAME_oneline(sn, CS name, sizeof(name)))
444 {
445 name[sizeof(name)-1] = '\0';
446 debug_printf(" %s\n", name);
447 }
f5d78688
JH
448 }
449 }
450}
451#endif
452*/
453
059ec3d9 454
0cbf2b82 455#ifndef DISABLE_EVENT
f69979cf
JH
456static int
457verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
458 BOOL *calledp, const BOOL *optionalp, const uschar * what)
459{
460uschar * ev;
461uschar * yield;
462X509 * old_cert;
463
464ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
465if (ev)
466 {
aaba7d03 467 DEBUG(D_tls) debug_printf("verify_event: %s %d\n", what, depth);
f69979cf
JH
468 old_cert = tlsp->peercert;
469 tlsp->peercert = X509_dup(cert);
470 /* NB we do not bother setting peerdn */
471 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
472 {
473 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
474 "depth=%d cert=%s: %s",
475 tlsp == &tls_out ? deliver_host_address : sender_host_address,
476 what, depth, dn, yield);
477 *calledp = TRUE;
478 if (!*optionalp)
479 {
480 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
481 return 1; /* reject (leaving peercert set) */
482 }
483 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
484 "(host in tls_try_verify_hosts)\n");
485 }
486 X509_free(tlsp->peercert);
487 tlsp->peercert = old_cert;
488 }
489return 0;
490}
491#endif
492
059ec3d9
PH
493/*************************************************
494* Callback for verification *
495*************************************************/
496
497/* The SSL library does certificate verification if set up to do so. This
498callback has the current yes/no state is in "state". If verification succeeded,
f69979cf
JH
499we set the certificate-verified flag. If verification failed, what happens
500depends on whether the client is required to present a verifiable certificate
501or not.
059ec3d9
PH
502
503If verification is optional, we change the state to yes, but still log the
504verification error. For some reason (it really would help to have proper
505documentation of OpenSSL), this callback function then gets called again, this
f69979cf
JH
506time with state = 1. We must take care not to set the private verified flag on
507the second time through.
059ec3d9
PH
508
509Note: this function is not called if the client fails to present a certificate
510when asked. We get here only if a certificate has been received. Handling of
511optional verification for this case is done when requesting SSL to verify, by
512setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
513
a7538db1
JH
514May be called multiple times for different issues with a certificate, even
515for a given "depth" in the certificate chain.
516
059ec3d9 517Arguments:
f2f2c91b
JH
518 preverify_ok current yes/no state as 1/0
519 x509ctx certificate information.
520 tlsp per-direction (client vs. server) support data
521 calledp has-been-called flag
522 optionalp verification-is-optional flag
059ec3d9 523
f2f2c91b 524Returns: 0 if verification should fail, otherwise 1
059ec3d9
PH
525*/
526
527static int
70e384dd
JH
528verify_callback(int preverify_ok, X509_STORE_CTX * x509ctx,
529 tls_support * tlsp, BOOL * calledp, BOOL * optionalp)
059ec3d9 530{
421aff85 531X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
a7538db1 532int depth = X509_STORE_CTX_get_error_depth(x509ctx);
f69979cf 533uschar dn[256];
059ec3d9 534
70e384dd
JH
535if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
536 {
537 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
538 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
539 tlsp == &tls_out ? deliver_host_address : sender_host_address);
540 return 0;
541 }
f69979cf 542dn[sizeof(dn)-1] = '\0';
059ec3d9 543
f2f2c91b 544if (preverify_ok == 0)
059ec3d9 545 {
f77197ae
JH
546 uschar * extra = verify_mode ? string_sprintf(" (during %c-verify for [%s])",
547 *verify_mode, sender_host_address)
548 : US"";
549 log_write(0, LOG_MAIN, "[%s] SSL verify error%s: depth=%d error=%s cert=%s",
550 tlsp == &tls_out ? deliver_host_address : sender_host_address,
551 extra, depth,
552 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)), dn);
a2ff477a 553 *calledp = TRUE;
9d1c15ef
JH
554 if (!*optionalp)
555 {
f69979cf
JH
556 if (!tlsp->peercert)
557 tlsp->peercert = X509_dup(cert); /* record failing cert */
558 return 0; /* reject */
9d1c15ef 559 }
059ec3d9
PH
560 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
561 "tls_try_verify_hosts)\n");
059ec3d9
PH
562 }
563
a7538db1 564else if (depth != 0)
059ec3d9 565 {
f69979cf 566 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
f2de3a33 567#ifndef DISABLE_OCSP
f5d78688
JH
568 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
569 { /* client, wanting stapling */
570 /* Add the server cert's signing chain as the one
571 for the verification of the OCSP stapled information. */
94431adb 572
f5d78688 573 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
421aff85 574 cert))
f5d78688 575 ERR_clear_error();
c3033f13 576 sk_X509_push(client_static_cbinfo->verify_stack, cert);
f5d78688
JH
577 }
578#endif
0cbf2b82 579#ifndef DISABLE_EVENT
f69979cf
JH
580 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
581 return 0; /* reject, with peercert set */
a7538db1 582#endif
059ec3d9
PH
583 }
584else
585 {
55414b25 586 const uschar * verify_cert_hostnames;
e51c7be2 587
e51c7be2
JH
588 if ( tlsp == &tls_out
589 && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
afdb5e9c 590 /* client, wanting hostname check */
e51c7be2 591 {
f69979cf 592
740f36d4 593#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
f69979cf
JH
594# ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
595# define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
596# endif
597# ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
598# define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
599# endif
e51c7be2 600 int sep = 0;
55414b25 601 const uschar * list = verify_cert_hostnames;
e51c7be2 602 uschar * name;
d8e7834a
JH
603 int rc;
604 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
f40d5be3 605 if ((rc = X509_check_host(cert, CCS name, 0,
8d692470 606 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
740f36d4
JH
607 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
608 NULL)))
d8e7834a
JH
609 {
610 if (rc < 0)
611 {
93a6fce2 612 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
f77197ae 613 tlsp == &tls_out ? deliver_host_address : sender_host_address);
d8e7834a
JH
614 name = NULL;
615 }
e51c7be2 616 break;
d8e7834a 617 }
e51c7be2 618 if (!name)
f69979cf 619#else
e51c7be2 620 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
f69979cf 621#endif
e51c7be2 622 {
f77197ae
JH
623 uschar * extra = verify_mode
624 ? string_sprintf(" (during %c-verify for [%s])",
625 *verify_mode, sender_host_address)
626 : US"";
e51c7be2 627 log_write(0, LOG_MAIN,
f77197ae
JH
628 "[%s] SSL verify error%s: certificate name mismatch: DN=\"%s\" H=\"%s\"",
629 tlsp == &tls_out ? deliver_host_address : sender_host_address,
630 extra, dn, verify_cert_hostnames);
a3ef7310
JH
631 *calledp = TRUE;
632 if (!*optionalp)
f69979cf
JH
633 {
634 if (!tlsp->peercert)
635 tlsp->peercert = X509_dup(cert); /* record failing cert */
636 return 0; /* reject */
637 }
a3ef7310
JH
638 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
639 "tls_try_verify_hosts)\n");
e51c7be2 640 }
f69979cf 641 }
e51c7be2 642
0cbf2b82 643#ifndef DISABLE_EVENT
f69979cf
JH
644 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
645 return 0; /* reject, with peercert set */
e51c7be2
JH
646#endif
647
93dcb1c2 648 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
f69979cf 649 *calledp ? "" : " authenticated", dn);
93dcb1c2
JH
650 if (!*calledp) tlsp->certificate_verified = TRUE;
651 *calledp = TRUE;
059ec3d9
PH
652 }
653
a7538db1 654return 1; /* accept, at least for this level */
059ec3d9
PH
655}
656
a2ff477a 657static int
f2f2c91b 658verify_callback_client(int preverify_ok, X509_STORE_CTX *x509ctx)
a2ff477a 659{
f2f2c91b
JH
660return verify_callback(preverify_ok, x509ctx, &tls_out,
661 &client_verify_callback_called, &client_verify_optional);
a2ff477a
JH
662}
663
664static int
f2f2c91b 665verify_callback_server(int preverify_ok, X509_STORE_CTX *x509ctx)
a2ff477a 666{
f2f2c91b
JH
667return verify_callback(preverify_ok, x509ctx, &tls_in,
668 &server_verify_callback_called, &server_verify_optional);
a2ff477a
JH
669}
670
059ec3d9 671
c0635b6d 672#ifdef SUPPORT_DANE
53a7196b 673
e5cccda9
JH
674/* This gets called *by* the dane library verify callback, which interposes
675itself.
676*/
677static int
f2f2c91b 678verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
e5cccda9
JH
679{
680X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
f69979cf 681uschar dn[256];
83b27293 682int depth = X509_STORE_CTX_get_error_depth(x509ctx);
5c75db2e 683#ifndef DISABLE_EVENT
f69979cf 684BOOL dummy_called, optional = FALSE;
83b27293 685#endif
e5cccda9 686
70e384dd
JH
687if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
688 {
689 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
690 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
691 deliver_host_address);
692 return 0;
693 }
f69979cf 694dn[sizeof(dn)-1] = '\0';
e5cccda9 695
f2f2c91b
JH
696DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
697 preverify_ok ? "ok":"BAD", depth, dn);
e5cccda9 698
0cbf2b82 699#ifndef DISABLE_EVENT
f69979cf
JH
700 if (verify_event(&tls_out, cert, depth, dn,
701 &dummy_called, &optional, US"DANE"))
702 return 0; /* reject, with peercert set */
83b27293
JH
703#endif
704
f2f2c91b 705if (preverify_ok == 1)
6fbf3599
JH
706 {
707 tls_out.dane_verified = tls_out.certificate_verified = TRUE;
708#ifndef DISABLE_OCSP
709 if (client_static_cbinfo->u_ocsp.client.verify_store)
710 { /* client, wanting stapling */
711 /* Add the server cert's signing chain as the one
712 for the verification of the OCSP stapled information. */
713
714 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
715 cert))
716 ERR_clear_error();
717 sk_X509_push(client_static_cbinfo->verify_stack, cert);
718 }
719#endif
720 }
f2f2c91b
JH
721else
722 {
723 int err = X509_STORE_CTX_get_error(x509ctx);
724 DEBUG(D_tls)
725 debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
3c51463e 726 if (err == X509_V_ERR_APPLICATION_VERIFICATION)
f2f2c91b
JH
727 preverify_ok = 1;
728 }
729return preverify_ok;
e5cccda9 730}
53a7196b 731
c0635b6d 732#endif /*SUPPORT_DANE*/
e5cccda9 733
059ec3d9
PH
734
735/*************************************************
736* Information callback *
737*************************************************/
738
739/* The SSL library functions call this from time to time to indicate what they
7be682ca
PP
740are doing. We copy the string to the debugging output when TLS debugging has
741been requested.
059ec3d9
PH
742
743Arguments:
744 s the SSL connection
745 where
746 ret
747
748Returns: nothing
749*/
750
751static void
752info_callback(SSL *s, int where, int ret)
753{
0abc5a13
JH
754DEBUG(D_tls)
755 {
756 const uschar * str;
757
758 if (where & SSL_ST_CONNECT)
48224640 759 str = US"SSL_connect";
0abc5a13 760 else if (where & SSL_ST_ACCEPT)
48224640 761 str = US"SSL_accept";
0abc5a13 762 else
48224640 763 str = US"SSL info (undefined)";
0abc5a13
JH
764
765 if (where & SSL_CB_LOOP)
766 debug_printf("%s: %s\n", str, SSL_state_string_long(s));
767 else if (where & SSL_CB_ALERT)
768 debug_printf("SSL3 alert %s:%s:%s\n",
48224640 769 str = where & SSL_CB_READ ? US"read" : US"write",
0abc5a13
JH
770 SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
771 else if (where & SSL_CB_EXIT)
772 if (ret == 0)
773 debug_printf("%s: failed in %s\n", str, SSL_state_string_long(s));
774 else if (ret < 0)
775 debug_printf("%s: error in %s\n", str, SSL_state_string_long(s));
776 else if (where & SSL_CB_HANDSHAKE_START)
777 debug_printf("%s: hshake start: %s\n", str, SSL_state_string_long(s));
778 else if (where & SSL_CB_HANDSHAKE_DONE)
779 debug_printf("%s: hshake done: %s\n", str, SSL_state_string_long(s));
780 }
059ec3d9
PH
781}
782
3c1f3b85
JH
783static void
784keylog_callback(const SSL *ssl, const char *line)
785{
786DEBUG(D_tls) debug_printf("%.200s\n", line);
787}
788
059ec3d9
PH
789
790
791/*************************************************
792* Initialize for DH *
793*************************************************/
794
795/* If dhparam is set, expand it, and load up the parameters for DH encryption.
796
797Arguments:
038597d2 798 sctx The current SSL CTX (inbound or outbound)
a799883d 799 dhparam DH parameter file or fixed parameter identity string
7199e1ee 800 host connected host, if client; NULL if server
cf0c6164 801 errstr error string pointer
059ec3d9
PH
802
803Returns: TRUE if OK (nothing to set up, or setup worked)
804*/
805
806static BOOL
cf0c6164 807init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host, uschar ** errstr)
059ec3d9 808{
059ec3d9
PH
809BIO *bio;
810DH *dh;
811uschar *dhexpanded;
a799883d 812const char *pem;
6600985a 813int dh_bitsize;
059ec3d9 814
cf0c6164 815if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded, errstr))
059ec3d9
PH
816 return FALSE;
817
0df4ab80 818if (!dhexpanded || !*dhexpanded)
a799883d 819 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
a799883d 820else if (dhexpanded[0] == '/')
059ec3d9 821 {
0df4ab80 822 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
059ec3d9 823 {
7199e1ee 824 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
cf0c6164 825 host, US strerror(errno), errstr);
a799883d 826 return FALSE;
059ec3d9 827 }
a799883d
PP
828 }
829else
830 {
831 if (Ustrcmp(dhexpanded, "none") == 0)
059ec3d9 832 {
a799883d
PP
833 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
834 return TRUE;
059ec3d9 835 }
a799883d 836
0df4ab80 837 if (!(pem = std_dh_prime_named(dhexpanded)))
a799883d
PP
838 {
839 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
cf0c6164 840 host, US strerror(errno), errstr);
a799883d
PP
841 return FALSE;
842 }
843 bio = BIO_new_mem_buf(CS pem, -1);
844 }
845
0df4ab80 846if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
a799883d 847 {
059ec3d9 848 BIO_free(bio);
a799883d 849 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
cf0c6164 850 host, NULL, errstr);
a799883d
PP
851 return FALSE;
852 }
853
6600985a
PP
854/* note: our default limit of 2236 is not a multiple of 8; the limit comes from
855 * an NSS limit, and the GnuTLS APIs handle bit-sizes fine, so we went with
856 * 2236. But older OpenSSL can only report in bytes (octets), not bits.
857 * If someone wants to dance at the edge, then they can raise the limit or use
858 * current libraries. */
859#ifdef EXIM_HAVE_OPENSSL_DH_BITS
860/* Added in commit 26c79d5641d; `git describe --contains` says OpenSSL_1_1_0-pre1~1022
861 * This predates OpenSSL_1_1_0 (before a, b, ...) so is in all 1.1.0 */
862dh_bitsize = DH_bits(dh);
863#else
864dh_bitsize = 8 * DH_size(dh);
865#endif
866
a799883d
PP
867/* Even if it is larger, we silently return success rather than cause things
868 * to fail out, so that a too-large DH will not knock out all TLS; it's a
869 * debatable choice. */
6600985a 870if (dh_bitsize > tls_dh_max_bits)
a799883d
PP
871 {
872 DEBUG(D_tls)
170f4904 873 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d\n",
6600985a 874 dh_bitsize, tls_dh_max_bits);
a799883d
PP
875 }
876else
877 {
878 SSL_CTX_set_tmp_dh(sctx, dh);
879 DEBUG(D_tls)
880 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
6600985a 881 dhexpanded ? dhexpanded : US"default", dh_bitsize);
059ec3d9
PH
882 }
883
a799883d
PP
884DH_free(dh);
885BIO_free(bio);
886
887return TRUE;
059ec3d9
PH
888}
889
890
891
892
038597d2
PP
893/*************************************************
894* Initialize for ECDH *
895*************************************************/
896
897/* Load parameters for ECDH encryption.
898
899For now, we stick to NIST P-256 because: it's simple and easy to configure;
900it avoids any patent issues that might bite redistributors; despite events in
901the news and concerns over curve choices, we're not cryptographers, we're not
902pretending to be, and this is "good enough" to be better than no support,
903protecting against most adversaries. Given another year or two, there might
904be sufficient clarity about a "right" way forward to let us make an informed
905decision, instead of a knee-jerk reaction.
906
907Longer-term, we should look at supporting both various named curves and
908external files generated with "openssl ecparam", much as we do for init_dh().
909We should also support "none" as a value, to explicitly avoid initialisation.
910
911Patches welcome.
912
913Arguments:
914 sctx The current SSL CTX (inbound or outbound)
915 host connected host, if client; NULL if server
cf0c6164 916 errstr error string pointer
038597d2
PP
917
918Returns: TRUE if OK (nothing to set up, or setup worked)
919*/
920
921static BOOL
cf0c6164 922init_ecdh(SSL_CTX * sctx, host_item * host, uschar ** errstr)
038597d2 923{
63f0dbe0
JH
924#ifdef OPENSSL_NO_ECDH
925return TRUE;
926#else
927
10ca4f1c
JH
928EC_KEY * ecdh;
929uschar * exp_curve;
930int nid;
931BOOL rv;
932
038597d2
PP
933if (host) /* No ECDH setup for clients, only for servers */
934 return TRUE;
935
10ca4f1c 936# ifndef EXIM_HAVE_ECDH
038597d2
PP
937DEBUG(D_tls)
938 debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
939return TRUE;
038597d2 940# else
10ca4f1c 941
cf0c6164 942if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr))
10ca4f1c
JH
943 return FALSE;
944if (!exp_curve || !*exp_curve)
945 return TRUE;
946
8e53a4fc 947/* "auto" needs to be handled carefully.
4c04137d 948 * OpenSSL < 1.0.2: we do not select anything, but fallback to prime256v1
8e53a4fc 949 * OpenSSL < 1.1.0: we have to call SSL_CTX_set_ecdh_auto
4c04137d 950 * (openssl/ssl.h defines SSL_CTRL_SET_ECDH_AUTO)
8e53a4fc
HSHR
951 * OpenSSL >= 1.1.0: we do not set anything, the libray does autoselection
952 * https://github.com/openssl/openssl/commit/fe6ef2472db933f01b59cad82aa925736935984b
953 */
10ca4f1c 954if (Ustrcmp(exp_curve, "auto") == 0)
038597d2 955 {
8e53a4fc 956#if OPENSSL_VERSION_NUMBER < 0x10002000L
10ca4f1c 957 DEBUG(D_tls) debug_printf(
8e53a4fc 958 "ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n");
78a3bbd5 959 exp_curve = US"prime256v1";
8e53a4fc
HSHR
960#else
961# if defined SSL_CTRL_SET_ECDH_AUTO
962 DEBUG(D_tls) debug_printf(
963 "ECDH OpenSSL 1.0.2+ temp key parameter settings: autoselection\n");
10ca4f1c
JH
964 SSL_CTX_set_ecdh_auto(sctx, 1);
965 return TRUE;
8e53a4fc
HSHR
966# else
967 DEBUG(D_tls) debug_printf(
968 "ECDH OpenSSL 1.1.0+ temp key parameter settings: default selection\n");
969 return TRUE;
970# endif
971#endif
10ca4f1c 972 }
038597d2 973
10ca4f1c
JH
974DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve);
975if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef
976# ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
977 && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef
978# endif
979 )
980 {
cf0c6164
JH
981 tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve),
982 host, NULL, errstr);
10ca4f1c
JH
983 return FALSE;
984 }
038597d2 985
10ca4f1c
JH
986if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
987 {
cf0c6164 988 tls_error(US"Unable to create ec curve", host, NULL, errstr);
10ca4f1c 989 return FALSE;
038597d2 990 }
10ca4f1c
JH
991
992/* The "tmp" in the name here refers to setting a temporary key
993not to the stability of the interface. */
994
995if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
cf0c6164 996 tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL, errstr);
10ca4f1c
JH
997else
998 DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
999
1000EC_KEY_free(ecdh);
1001return !rv;
1002
1003# endif /*EXIM_HAVE_ECDH*/
1004#endif /*OPENSSL_NO_ECDH*/
038597d2
PP
1005}
1006
1007
1008
1009
f2de3a33 1010#ifndef DISABLE_OCSP
3f7eeb86
PP
1011/*************************************************
1012* Load OCSP information into state *
1013*************************************************/
f5d78688 1014/* Called to load the server OCSP response from the given file into memory, once
3f7eeb86
PP
1015caller has determined this is needed. Checks validity. Debugs a message
1016if invalid.
1017
1018ASSUMES: single response, for single cert.
1019
1020Arguments:
1021 sctx the SSL_CTX* to update
1022 cbinfo various parts of session state
1023 expanded the filename putatively holding an OCSP response
1024
1025*/
1026
1027static void
f5d78688 1028ocsp_load_response(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo, const uschar *expanded)
3f7eeb86 1029{
ee5b1e28
JH
1030BIO * bio;
1031OCSP_RESPONSE * resp;
1032OCSP_BASICRESP * basic_response;
1033OCSP_SINGLERESP * single_response;
1034ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
ee5b1e28 1035STACK_OF(X509) * sk;
3f7eeb86
PP
1036unsigned long verify_flags;
1037int status, reason, i;
1038
f5d78688
JH
1039cbinfo->u_ocsp.server.file_expanded = string_copy(expanded);
1040if (cbinfo->u_ocsp.server.response)
3f7eeb86 1041 {
f5d78688
JH
1042 OCSP_RESPONSE_free(cbinfo->u_ocsp.server.response);
1043 cbinfo->u_ocsp.server.response = NULL;
3f7eeb86
PP
1044 }
1045
ee5b1e28 1046if (!(bio = BIO_new_file(CS cbinfo->u_ocsp.server.file_expanded, "rb")))
3f7eeb86
PP
1047 {
1048 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
f5d78688 1049 cbinfo->u_ocsp.server.file_expanded);
3f7eeb86
PP
1050 return;
1051 }
1052
1053resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
1054BIO_free(bio);
1055if (!resp)
1056 {
1057 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
1058 return;
1059 }
1060
ee5b1e28 1061if ((status = OCSP_response_status(resp)) != OCSP_RESPONSE_STATUS_SUCCESSFUL)
3f7eeb86
PP
1062 {
1063 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
1064 OCSP_response_status_str(status), status);
f5d78688 1065 goto bad;
3f7eeb86
PP
1066 }
1067
ee5b1e28 1068if (!(basic_response = OCSP_response_get1_basic(resp)))
3f7eeb86
PP
1069 {
1070 DEBUG(D_tls)
1071 debug_printf("OCSP response parse error: unable to extract basic response.\n");
f5d78688 1072 goto bad;
3f7eeb86
PP
1073 }
1074
c3033f13 1075sk = cbinfo->verify_stack;
3f7eeb86
PP
1076verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
1077
1078/* May need to expose ability to adjust those flags?
1079OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
1080OCSP_TRUSTOTHER OCSP_NOINTERN */
1081
4c04137d 1082/* This does a full verify on the OCSP proof before we load it for serving
ee5b1e28
JH
1083up; possibly overkill - just date-checks might be nice enough.
1084
1085OCSP_basic_verify takes a "store" arg, but does not
1086use it for the chain verification, which is all we do
1087when OCSP_NOVERIFY is set. The content from the wire
1088"basic_response" and a cert-stack "sk" are all that is used.
1089
c3033f13
JH
1090We have a stack, loaded in setup_certs() if tls_verify_certificates
1091was a file (not a directory, or "system"). It is unfortunate we
1092cannot used the connection context store, as that would neatly
1093handle the "system" case too, but there seems to be no library
1094function for getting a stack from a store.
e3555426 1095[ In OpenSSL 1.1 - ? X509_STORE_CTX_get0_chain(ctx) ? ]
c3033f13
JH
1096We do not free the stack since it could be needed a second time for
1097SNI handling.
1098
4c04137d 1099Separately we might try to replace using OCSP_basic_verify() - which seems to not
5ec37a55 1100be a public interface into the OpenSSL library (there's no manual entry) -
ee5b1e28 1101But what with? We also use OCSP_basic_verify in the client stapling callback.
4c04137d 1102And there we NEED it; we must verify that status... unless the
ee5b1e28
JH
1103library does it for us anyway? */
1104
1105if ((i = OCSP_basic_verify(basic_response, sk, NULL, verify_flags)) < 0)
3f7eeb86 1106 {
ee5b1e28
JH
1107 DEBUG(D_tls)
1108 {
0abc5a13 1109 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3f7eeb86 1110 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
f5d78688
JH
1111 }
1112 goto bad;
3f7eeb86
PP
1113 }
1114
1115/* Here's the simplifying assumption: there's only one response, for the
1116one certificate we use, and nothing for anything else in a chain. If this
1117proves false, we need to extract a cert id from our issued cert
1118(tls_certificate) and use that for OCSP_resp_find_status() (which finds the
1119right cert in the stack and then calls OCSP_single_get0_status()).
1120
1121I'm hoping to avoid reworking a bunch more of how we handle state here. */
ee5b1e28
JH
1122
1123if (!(single_response = OCSP_resp_get0(basic_response, 0)))
3f7eeb86
PP
1124 {
1125 DEBUG(D_tls)
1126 debug_printf("Unable to get first response from OCSP basic response.\n");
f5d78688 1127 goto bad;
3f7eeb86
PP
1128 }
1129
1130status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
f5d78688 1131if (status != V_OCSP_CERTSTATUS_GOOD)
3f7eeb86 1132 {
f5d78688
JH
1133 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
1134 OCSP_cert_status_str(status), status,
1135 OCSP_crl_reason_str(reason), reason);
1136 goto bad;
3f7eeb86
PP
1137 }
1138
1139if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1140 {
1141 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
f5d78688 1142 goto bad;
3f7eeb86
PP
1143 }
1144
f5d78688 1145supply_response:
47195144 1146 cbinfo->u_ocsp.server.response = resp; /*XXX stack?*/
f5d78688
JH
1147return;
1148
1149bad:
8768d548 1150 if (f.running_in_test_harness)
018058b2
JH
1151 {
1152 extern char ** environ;
db3f7b69 1153 if (environ) for (uschar ** p = USS environ; *p; p++)
018058b2
JH
1154 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
1155 {
1156 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
1157 goto supply_response;
1158 }
1159 }
f5d78688 1160return;
3f7eeb86 1161}
f2de3a33 1162#endif /*!DISABLE_OCSP*/
3f7eeb86
PP
1163
1164
1165
1166
23bb6982
JH
1167/* Create and install a selfsigned certificate, for use in server mode */
1168
1169static int
cf0c6164 1170tls_install_selfsign(SSL_CTX * sctx, uschar ** errstr)
23bb6982
JH
1171{
1172X509 * x509 = NULL;
1173EVP_PKEY * pkey;
1174RSA * rsa;
1175X509_NAME * name;
1176uschar * where;
1177
1178where = US"allocating pkey";
1179if (!(pkey = EVP_PKEY_new()))
1180 goto err;
1181
1182where = US"allocating cert";
1183if (!(x509 = X509_new()))
1184 goto err;
1185
1186where = US"generating pkey";
6aac3239 1187if (!(rsa = rsa_callback(NULL, 0, 2048)))
23bb6982
JH
1188 goto err;
1189
4c04137d 1190where = US"assigning pkey";
23bb6982
JH
1191if (!EVP_PKEY_assign_RSA(pkey, rsa))
1192 goto err;
1193
1194X509_set_version(x509, 2); /* N+1 - version 3 */
1613fd68 1195ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
23bb6982
JH
1196X509_gmtime_adj(X509_get_notBefore(x509), 0);
1197X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60); /* 1 hour */
1198X509_set_pubkey(x509, pkey);
1199
1200name = X509_get_subject_name(x509);
1201X509_NAME_add_entry_by_txt(name, "C",
4dc2379a 1202 MBSTRING_ASC, CUS "UK", -1, -1, 0);
23bb6982 1203X509_NAME_add_entry_by_txt(name, "O",
4dc2379a 1204 MBSTRING_ASC, CUS "Exim Developers", -1, -1, 0);
23bb6982 1205X509_NAME_add_entry_by_txt(name, "CN",
4dc2379a 1206 MBSTRING_ASC, CUS smtp_active_hostname, -1, -1, 0);
23bb6982
JH
1207X509_set_issuer_name(x509, name);
1208
1209where = US"signing cert";
1210if (!X509_sign(x509, pkey, EVP_md5()))
1211 goto err;
1212
1213where = US"installing selfsign cert";
1214if (!SSL_CTX_use_certificate(sctx, x509))
1215 goto err;
1216
1217where = US"installing selfsign key";
1218if (!SSL_CTX_use_PrivateKey(sctx, pkey))
1219 goto err;
1220
1221return OK;
1222
1223err:
cf0c6164 1224 (void) tls_error(where, NULL, NULL, errstr);
23bb6982
JH
1225 if (x509) X509_free(x509);
1226 if (pkey) EVP_PKEY_free(pkey);
1227 return DEFER;
1228}
1229
1230
1231
1232
ba86e143
JH
1233static int
1234tls_add_certfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1235 uschar ** errstr)
1236{
1237DEBUG(D_tls) debug_printf("tls_certificate file %s\n", file);
1238if (!SSL_CTX_use_certificate_chain_file(sctx, CS file))
1239 return tls_error(string_sprintf(
1240 "SSL_CTX_use_certificate_chain_file file=%s", file),
1241 cbinfo->host, NULL, errstr);
1242return 0;
1243}
1244
1245static int
1246tls_add_pkeyfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1247 uschar ** errstr)
1248{
1249DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", file);
1250if (!SSL_CTX_use_PrivateKey_file(sctx, CS file, SSL_FILETYPE_PEM))
1251 return tls_error(string_sprintf(
1252 "SSL_CTX_use_PrivateKey_file file=%s", file), cbinfo->host, NULL, errstr);
1253return 0;
1254}
1255
1256
059ec3d9 1257/*************************************************
7be682ca
PP
1258* Expand key and cert file specs *
1259*************************************************/
1260
f5d78688 1261/* Called once during tls_init and possibly again during TLS setup, for a
7be682ca
PP
1262new context, if Server Name Indication was used and tls_sni was seen in
1263the certificate string.
1264
1265Arguments:
1266 sctx the SSL_CTX* to update
1267 cbinfo various parts of session state
cf0c6164 1268 errstr error string pointer
7be682ca
PP
1269
1270Returns: OK/DEFER/FAIL
1271*/
1272
1273static int
cf0c6164
JH
1274tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo,
1275 uschar ** errstr)
7be682ca
PP
1276{
1277uschar *expanded;
1278
23bb6982 1279if (!cbinfo->certificate)
7be682ca 1280 {
ba86e143 1281 if (!cbinfo->is_server) /* client */
23bb6982 1282 return OK;
afdb5e9c 1283 /* server */
cf0c6164 1284 if (tls_install_selfsign(sctx, errstr) != OK)
23bb6982 1285 return DEFER;
7be682ca 1286 }
23bb6982
JH
1287else
1288 {
ba86e143
JH
1289 int err;
1290
23bb6982
JH
1291 if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
1292 Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
1293 Ustrstr(cbinfo->certificate, US"tls_out_sni")
1294 )
1295 reexpand_tls_files_for_sni = TRUE;
7be682ca 1296
cf0c6164 1297 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded, errstr))
23bb6982
JH
1298 return DEFER;
1299
ba86e143
JH
1300 if (expanded)
1301 if (cbinfo->is_server)
1302 {
1303 const uschar * file_list = expanded;
1304 int sep = 0;
1305 uschar * file;
1306
1307 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1308 if ((err = tls_add_certfile(sctx, cbinfo, file, errstr)))
1309 return err;
1310 }
1311 else /* would there ever be a need for multiple client certs? */
1312 if ((err = tls_add_certfile(sctx, cbinfo, expanded, errstr)))
1313 return err;
7be682ca 1314
5a2a0989
JH
1315 if ( cbinfo->privatekey
1316 && !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded, errstr))
23bb6982 1317 return DEFER;
7be682ca 1318
23bb6982
JH
1319 /* If expansion was forced to fail, key_expanded will be NULL. If the result
1320 of the expansion is an empty string, ignore it also, and assume the private
1321 key is in the same file as the certificate. */
1322
1323 if (expanded && *expanded)
ba86e143
JH
1324 if (cbinfo->is_server)
1325 {
1326 const uschar * file_list = expanded;
1327 int sep = 0;
1328 uschar * file;
1329
1330 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1331 if ((err = tls_add_pkeyfile(sctx, cbinfo, file, errstr)))
1332 return err;
1333 }
1334 else /* would there ever be a need for multiple client certs? */
1335 if ((err = tls_add_pkeyfile(sctx, cbinfo, expanded, errstr)))
1336 return err;
7be682ca
PP
1337 }
1338
f2de3a33 1339#ifndef DISABLE_OCSP
f40d5be3 1340if (cbinfo->is_server && cbinfo->u_ocsp.server.file)
3f7eeb86 1341 {
47195144 1342 /*XXX stack*/
cf0c6164 1343 if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded, errstr))
3f7eeb86
PP
1344 return DEFER;
1345
f40d5be3 1346 if (expanded && *expanded)
3f7eeb86
PP
1347 {
1348 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
f40d5be3
JH
1349 if ( cbinfo->u_ocsp.server.file_expanded
1350 && (Ustrcmp(expanded, cbinfo->u_ocsp.server.file_expanded) == 0))
3f7eeb86 1351 {
f40d5be3
JH
1352 DEBUG(D_tls) debug_printf(" - value unchanged, using existing values\n");
1353 }
1354 else
f40d5be3 1355 ocsp_load_response(sctx, cbinfo, expanded);
3f7eeb86
PP
1356 }
1357 }
1358#endif
1359
7be682ca
PP
1360return OK;
1361}
1362
1363
1364
1365
1366/*************************************************
1367* Callback to handle SNI *
1368*************************************************/
1369
1370/* Called when acting as server during the TLS session setup if a Server Name
1371Indication extension was sent by the client.
1372
1373API documentation is OpenSSL s_server.c implementation.
1374
1375Arguments:
1376 s SSL* of the current session
1377 ad unknown (part of OpenSSL API) (unused)
1378 arg Callback of "our" registered data
1379
1380Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
1381*/
1382
3bcbbbe2 1383#ifdef EXIM_HAVE_OPENSSL_TLSEXT
7be682ca 1384static int
7be682ca
PP
1385tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
1386{
1387const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
3f7eeb86 1388tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
7be682ca 1389int rc;
3f0945ff 1390int old_pool = store_pool;
cf0c6164 1391uschar * dummy_errstr;
7be682ca
PP
1392
1393if (!servername)
1394 return SSL_TLSEXT_ERR_OK;
1395
3f0945ff 1396DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
7be682ca
PP
1397 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
1398
1399/* Make the extension value available for expansion */
3f0945ff 1400store_pool = POOL_PERM;
817d9f57 1401tls_in.sni = string_copy(US servername);
3f0945ff 1402store_pool = old_pool;
7be682ca
PP
1403
1404if (!reexpand_tls_files_for_sni)
1405 return SSL_TLSEXT_ERR_OK;
1406
1407/* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
1408not confident that memcpy wouldn't break some internal reference counting.
1409Especially since there's a references struct member, which would be off. */
1410
7a8b9519
JH
1411#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1412if (!(server_sni = SSL_CTX_new(TLS_server_method())))
1413#else
0df4ab80 1414if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
7a8b9519 1415#endif
7be682ca 1416 {
0abc5a13 1417 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
7be682ca 1418 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
5a2a0989 1419 goto bad;
7be682ca
PP
1420 }
1421
1422/* Not sure how many of these are actually needed, since SSL object
1423already exists. Might even need this selfsame callback, for reneg? */
1424
817d9f57
JH
1425SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
1426SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
1427SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
1428SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
1429SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
1430SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
038597d2 1431
cf0c6164
JH
1432if ( !init_dh(server_sni, cbinfo->dhparam, NULL, &dummy_errstr)
1433 || !init_ecdh(server_sni, NULL, &dummy_errstr)
038597d2 1434 )
5a2a0989 1435 goto bad;
038597d2 1436
ca954d7f
JH
1437if ( cbinfo->server_cipher_list
1438 && !SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list))
5a2a0989 1439 goto bad;
ca954d7f 1440
f2de3a33 1441#ifndef DISABLE_OCSP
f5d78688 1442if (cbinfo->u_ocsp.server.file)
3f7eeb86 1443 {
f5d78688 1444 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
14c7b357 1445 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
3f7eeb86
PP
1446 }
1447#endif
7be682ca 1448
c3033f13 1449if ((rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE,
cf0c6164 1450 verify_callback_server, &dummy_errstr)) != OK)
5a2a0989 1451 goto bad;
7be682ca 1452
3f7eeb86
PP
1453/* do this after setup_certs, because this can require the certs for verifying
1454OCSP information. */
cf0c6164 1455if ((rc = tls_expand_session_files(server_sni, cbinfo, &dummy_errstr)) != OK)
5a2a0989 1456 goto bad;
a799883d 1457
7be682ca 1458DEBUG(D_tls) debug_printf("Switching SSL context.\n");
817d9f57 1459SSL_set_SSL_CTX(s, server_sni);
7be682ca 1460return SSL_TLSEXT_ERR_OK;
5a2a0989
JH
1461
1462bad: return SSL_TLSEXT_ERR_ALERT_FATAL;
7be682ca 1463}
3bcbbbe2 1464#endif /* EXIM_HAVE_OPENSSL_TLSEXT */
7be682ca
PP
1465
1466
1467
1468
f2de3a33 1469#ifndef DISABLE_OCSP
f5d78688 1470
3f7eeb86
PP
1471/*************************************************
1472* Callback to handle OCSP Stapling *
1473*************************************************/
1474
1475/* Called when acting as server during the TLS session setup if the client
1476requests OCSP information with a Certificate Status Request.
1477
1478Documentation via openssl s_server.c and the Apache patch from the OpenSSL
1479project.
1480
1481*/
1482
1483static int
f5d78688 1484tls_server_stapling_cb(SSL *s, void *arg)
3f7eeb86
PP
1485{
1486const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
47195144 1487uschar *response_der; /*XXX blob */
3f7eeb86
PP
1488int response_der_len;
1489
47195144
JH
1490/*XXX stack: use SSL_get_certificate() to see which cert; from that work
1491out which ocsp blob to send. Unfortunately, SSL_get_certificate is known
1492buggy in current OpenSSL; it returns the last cert loaded always rather than
1493the one actually presented. So we can't support a stack of OCSP proofs at
1494this time. */
1495
af4a1bca 1496DEBUG(D_tls)
b3ef41c9 1497 debug_printf("Received TLS status request (OCSP stapling); %s response\n",
f5d78688
JH
1498 cbinfo->u_ocsp.server.response ? "have" : "lack");
1499
44662487 1500tls_in.ocsp = OCSP_NOT_RESP;
f5d78688 1501if (!cbinfo->u_ocsp.server.response)
3f7eeb86
PP
1502 return SSL_TLSEXT_ERR_NOACK;
1503
1504response_der = NULL;
47195144 1505response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response, /*XXX stack*/
44662487 1506 &response_der);
3f7eeb86
PP
1507if (response_der_len <= 0)
1508 return SSL_TLSEXT_ERR_NOACK;
1509
5e55c7a9 1510SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
44662487 1511tls_in.ocsp = OCSP_VFIED;
3f7eeb86
PP
1512return SSL_TLSEXT_ERR_OK;
1513}
1514
3f7eeb86 1515
f5d78688
JH
1516static void
1517time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
1518{
1519BIO_printf(bp, "\t%s: ", str);
1520ASN1_GENERALIZEDTIME_print(bp, time);
1521BIO_puts(bp, "\n");
1522}
1523
1524static int
1525tls_client_stapling_cb(SSL *s, void *arg)
1526{
1527tls_ext_ctx_cb * cbinfo = arg;
1528const unsigned char * p;
1529int len;
1530OCSP_RESPONSE * rsp;
1531OCSP_BASICRESP * bs;
1532int i;
1533
1534DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
1535len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1536if(!p)
1537 {
44662487 1538 /* Expect this when we requested ocsp but got none */
6c6d6e48 1539 if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
44662487 1540 log_write(0, LOG_MAIN, "Received TLS status callback, null content");
f5d78688
JH
1541 else
1542 DEBUG(D_tls) debug_printf(" null\n");
44662487 1543 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
f5d78688 1544 }
018058b2 1545
f5d78688
JH
1546if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
1547 {
018058b2 1548 tls_out.ocsp = OCSP_FAILED;
6c6d6e48 1549 if (LOGGING(tls_cipher))
1eca31ca 1550 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
f5d78688
JH
1551 else
1552 DEBUG(D_tls) debug_printf(" parse error\n");
1553 return 0;
1554 }
1555
1556if(!(bs = OCSP_response_get1_basic(rsp)))
1557 {
018058b2 1558 tls_out.ocsp = OCSP_FAILED;
6c6d6e48 1559 if (LOGGING(tls_cipher))
1eca31ca 1560 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
f5d78688
JH
1561 else
1562 DEBUG(D_tls) debug_printf(" error parsing response\n");
1563 OCSP_RESPONSE_free(rsp);
1564 return 0;
1565 }
1566
1567/* We'd check the nonce here if we'd put one in the request. */
1568/* However that would defeat cacheability on the server so we don't. */
1569
f5d78688
JH
1570/* This section of code reworked from OpenSSL apps source;
1571 The OpenSSL Project retains copyright:
1572 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
1573*/
1574 {
1575 BIO * bp = NULL;
f5d78688
JH
1576 int status, reason;
1577 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1578
57887ecc 1579 DEBUG(D_tls) bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
f5d78688
JH
1580
1581 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
1582
1583 /* Use the chain that verified the server cert to verify the stapled info */
1584 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
1585
c3033f13 1586 if ((i = OCSP_basic_verify(bs, cbinfo->verify_stack,
44662487 1587 cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
f5d78688 1588 {
018058b2 1589 tls_out.ocsp = OCSP_FAILED;
57887ecc
JH
1590 if (LOGGING(tls_cipher)) log_write(0, LOG_MAIN,
1591 "Received TLS cert status response, itself unverifiable: %s",
1592 ERR_reason_error_string(ERR_peek_error()));
f5d78688
JH
1593 BIO_printf(bp, "OCSP response verify failure\n");
1594 ERR_print_errors(bp);
57887ecc 1595 OCSP_RESPONSE_print(bp, rsp, 0);
c8dfb21d 1596 goto failed;
f5d78688
JH
1597 }
1598
1599 BIO_printf(bp, "OCSP response well-formed and signed OK\n");
1600
c8dfb21d
JH
1601 /*XXX So we have a good stapled OCSP status. How do we know
1602 it is for the cert of interest? OpenSSL 1.1.0 has a routine
1603 OCSP_resp_find_status() which matches on a cert id, which presumably
1604 we should use. Making an id needs OCSP_cert_id_new(), which takes
1605 issuerName, issuerKey, serialNumber. Are they all in the cert?
1606
1607 For now, carry on blindly accepting the resp. */
1608
f5d78688 1609 {
f5d78688
JH
1610 OCSP_SINGLERESP * single;
1611
c8dfb21d
JH
1612#ifdef EXIM_HAVE_OCSP_RESP_COUNT
1613 if (OCSP_resp_count(bs) != 1)
1614#else
1615 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
f5d78688 1616 if (sk_OCSP_SINGLERESP_num(sresp) != 1)
c8dfb21d 1617#endif
f5d78688 1618 {
018058b2 1619 tls_out.ocsp = OCSP_FAILED;
44662487
JH
1620 log_write(0, LOG_MAIN, "OCSP stapling "
1621 "with multiple responses not handled");
c8dfb21d 1622 goto failed;
f5d78688
JH
1623 }
1624 single = OCSP_resp_get0(bs, 0);
44662487
JH
1625 status = OCSP_single_get0_status(single, &reason, &rev,
1626 &thisupd, &nextupd);
f5d78688
JH
1627 }
1628
f5d78688
JH
1629 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
1630 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
44662487
JH
1631 if (!OCSP_check_validity(thisupd, nextupd,
1632 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
f5d78688 1633 {
018058b2 1634 tls_out.ocsp = OCSP_FAILED;
f5d78688
JH
1635 DEBUG(D_tls) ERR_print_errors(bp);
1636 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
f5d78688 1637 }
44662487 1638 else
f5d78688 1639 {
44662487
JH
1640 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
1641 OCSP_cert_status_str(status));
1642 switch(status)
1643 {
1644 case V_OCSP_CERTSTATUS_GOOD:
44662487 1645 tls_out.ocsp = OCSP_VFIED;
018058b2 1646 i = 1;
c8dfb21d 1647 goto good;
44662487 1648 case V_OCSP_CERTSTATUS_REVOKED:
018058b2 1649 tls_out.ocsp = OCSP_FAILED;
44662487
JH
1650 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
1651 reason != -1 ? "; reason: " : "",
1652 reason != -1 ? OCSP_crl_reason_str(reason) : "");
1653 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
44662487
JH
1654 break;
1655 default:
018058b2 1656 tls_out.ocsp = OCSP_FAILED;
44662487
JH
1657 log_write(0, LOG_MAIN,
1658 "Server certificate status unknown, in OCSP stapling");
44662487
JH
1659 break;
1660 }
f5d78688 1661 }
c8dfb21d
JH
1662 failed:
1663 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1664 good:
f5d78688
JH
1665 BIO_free(bp);
1666 }
1667
1668OCSP_RESPONSE_free(rsp);
1669return i;
1670}
f2de3a33 1671#endif /*!DISABLE_OCSP*/
3f7eeb86
PP
1672
1673
7be682ca 1674/*************************************************
059ec3d9
PH
1675* Initialize for TLS *
1676*************************************************/
1677
e51c7be2
JH
1678/* Called from both server and client code, to do preliminary initialization
1679of the library. We allocate and return a context structure.
059ec3d9
PH
1680
1681Arguments:
946ecbe0 1682 ctxp returned SSL context
059ec3d9
PH
1683 host connected host, if client; NULL if server
1684 dhparam DH parameter file
1685 certificate certificate file
1686 privatekey private key
f5d78688 1687 ocsp_file file of stapling info (server); flag for require ocsp (client)
059ec3d9 1688 addr address if client; NULL if server (for some randomness)
946ecbe0 1689 cbp place to put allocated callback context
cf0c6164 1690 errstr error string pointer
059ec3d9
PH
1691
1692Returns: OK/DEFER/FAIL
1693*/
1694
1695static int
817d9f57 1696tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
3f7eeb86 1697 uschar *privatekey,
f2de3a33 1698#ifndef DISABLE_OCSP
47195144 1699 uschar *ocsp_file, /*XXX stack, in server*/
3f7eeb86 1700#endif
cf0c6164 1701 address_item *addr, tls_ext_ctx_cb ** cbp, uschar ** errstr)
059ec3d9 1702{
7006ee24 1703SSL_CTX * ctx;
77bb000f 1704long init_options;
7be682ca 1705int rc;
a7538db1 1706tls_ext_ctx_cb * cbinfo;
7be682ca
PP
1707
1708cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
1709cbinfo->certificate = certificate;
1710cbinfo->privatekey = privatekey;
a6510420 1711cbinfo->is_server = host==NULL;
f2de3a33 1712#ifndef DISABLE_OCSP
c3033f13 1713cbinfo->verify_stack = NULL;
a6510420 1714if (!host)
f5d78688
JH
1715 {
1716 cbinfo->u_ocsp.server.file = ocsp_file;
1717 cbinfo->u_ocsp.server.file_expanded = NULL;
1718 cbinfo->u_ocsp.server.response = NULL;
1719 }
1720else
1721 cbinfo->u_ocsp.client.verify_store = NULL;
3f7eeb86 1722#endif
7be682ca 1723cbinfo->dhparam = dhparam;
0df4ab80 1724cbinfo->server_cipher_list = NULL;
7be682ca 1725cbinfo->host = host;
0cbf2b82 1726#ifndef DISABLE_EVENT
a7538db1
JH
1727cbinfo->event_action = NULL;
1728#endif
77bb000f 1729
7434882d 1730#ifdef EXIM_NEED_OPENSSL_INIT
059ec3d9
PH
1731SSL_load_error_strings(); /* basic set up */
1732OpenSSL_add_ssl_algorithms();
7434882d 1733#endif
059ec3d9 1734
c8dfb21d 1735#ifdef EXIM_HAVE_SHA256
77bb000f 1736/* SHA256 is becoming ever more popular. This makes sure it gets added to the
a0475b69
TK
1737list of available digests. */
1738EVP_add_digest(EVP_sha256());
cf1ef1a9 1739#endif
a0475b69 1740
f0f5a555
PP
1741/* Create a context.
1742The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
1743negotiation in the different methods; as far as I can tell, the only
1744*_{server,client}_method which allows negotiation is SSLv23, which exists even
1745when OpenSSL is built without SSLv2 support.
1746By disabling with openssl_options, we can let admins re-enable with the
1747existing knob. */
059ec3d9 1748
7a8b9519
JH
1749#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1750if (!(ctx = SSL_CTX_new(host ? TLS_client_method() : TLS_server_method())))
1751#else
7006ee24 1752if (!(ctx = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method())))
7a8b9519 1753#endif
7006ee24 1754 return tls_error(US"SSL_CTX_new", host, NULL, errstr);
059ec3d9
PH
1755
1756/* It turns out that we need to seed the random number generator this early in
1757order to get the full complement of ciphers to work. It took me roughly a day
1758of work to discover this by experiment.
1759
1760On systems that have /dev/urandom, SSL may automatically seed itself from
1761there. Otherwise, we have to make something up as best we can. Double check
1762afterwards. */
1763
1764if (!RAND_status())
1765 {
1766 randstuff r;
9e3331ea 1767 gettimeofday(&r.tv, NULL);
059ec3d9
PH
1768 r.p = getpid();
1769
5903c6ff
JH
1770 RAND_seed(US (&r), sizeof(r));
1771 RAND_seed(US big_buffer, big_buffer_size);
1772 if (addr != NULL) RAND_seed(US addr, sizeof(addr));
059ec3d9
PH
1773
1774 if (!RAND_status())
7199e1ee 1775 return tls_error(US"RAND_status", host,
cf0c6164 1776 US"unable to seed random number generator", errstr);
059ec3d9
PH
1777 }
1778
1779/* Set up the information callback, which outputs if debugging is at a suitable
1780level. */
1781
7006ee24 1782DEBUG(D_tls) SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
3c1f3b85
JH
1783#ifdef OPENSSL_HAVE_KEYLOG_CB
1784DEBUG(D_tls) SSL_CTX_set_keylog_callback(ctx, (void (*)())keylog_callback);
1785#endif
059ec3d9 1786
c80c5570 1787/* Automatically re-try reads/writes after renegotiation. */
7006ee24 1788(void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
c80c5570 1789
77bb000f
PP
1790/* Apply administrator-supplied work-arounds.
1791Historically we applied just one requested option,
1792SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
1793moved to an administrator-controlled list of options to specify and
1794grandfathered in the first one as the default value for "openssl_options".
059ec3d9 1795
77bb000f
PP
1796No OpenSSL version number checks: the options we accept depend upon the
1797availability of the option value macros from OpenSSL. */
059ec3d9 1798
7006ee24 1799if (!tls_openssl_options_parse(openssl_options, &init_options))
cf0c6164 1800 return tls_error(US"openssl_options parsing failed", host, NULL, errstr);
77bb000f
PP
1801
1802if (init_options)
1803 {
1804 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
7006ee24 1805 if (!(SSL_CTX_set_options(ctx, init_options)))
77bb000f 1806 return tls_error(string_sprintf(
cf0c6164 1807 "SSL_CTX_set_option(%#lx)", init_options), host, NULL, errstr);
77bb000f
PP
1808 }
1809else
1810 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
059ec3d9 1811
a28050f8
JH
1812/* We'd like to disable session cache unconditionally, but foolish Outlook
1813Express clients then give up the first TLS connection and make a second one
1814(which works). Only when there is an IMAP service on the same machine.
1815Presumably OE is trying to use the cache for A on B. Leave it enabled for
1816now, until we work out a decent way of presenting control to the config. It
1817will never be used because we use a new context every time. */
1818#ifdef notdef
7006ee24 1819(void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
a28050f8 1820#endif
7006ee24 1821
059ec3d9 1822/* Initialize with DH parameters if supplied */
10ca4f1c 1823/* Initialize ECDH temp key parameter selection */
059ec3d9 1824
7006ee24
JH
1825if ( !init_dh(ctx, dhparam, host, errstr)
1826 || !init_ecdh(ctx, host, errstr)
038597d2
PP
1827 )
1828 return DEFER;
059ec3d9 1829
3f7eeb86 1830/* Set up certificate and key (and perhaps OCSP info) */
059ec3d9 1831
7006ee24 1832if ((rc = tls_expand_session_files(ctx, cbinfo, errstr)) != OK)
23bb6982 1833 return rc;
c91535f3 1834
c3033f13
JH
1835/* If we need to handle SNI or OCSP, do so */
1836
3bcbbbe2 1837#ifdef EXIM_HAVE_OPENSSL_TLSEXT
c3033f13
JH
1838# ifndef DISABLE_OCSP
1839 if (!(cbinfo->verify_stack = sk_X509_new_null()))
1840 {
1841 DEBUG(D_tls) debug_printf("failed to create stack for stapling verify\n");
1842 return FAIL;
1843 }
1844# endif
1845
7a8b9519 1846if (!host) /* server */
3f0945ff 1847 {
f2de3a33 1848# ifndef DISABLE_OCSP
f5d78688 1849 /* We check u_ocsp.server.file, not server.response, because we care about if
3f7eeb86
PP
1850 the option exists, not what the current expansion might be, as SNI might
1851 change the certificate and OCSP file in use between now and the time the
1852 callback is invoked. */
f5d78688 1853 if (cbinfo->u_ocsp.server.file)
3f7eeb86 1854 {
7006ee24
JH
1855 SSL_CTX_set_tlsext_status_cb(ctx, tls_server_stapling_cb);
1856 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
3f7eeb86 1857 }
f5d78688 1858# endif
3f0945ff
PP
1859 /* We always do this, so that $tls_sni is available even if not used in
1860 tls_certificate */
7006ee24
JH
1861 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
1862 SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
3f0945ff 1863 }
f2de3a33 1864# ifndef DISABLE_OCSP
f5d78688
JH
1865else /* client */
1866 if(ocsp_file) /* wanting stapling */
1867 {
1868 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
1869 {
1870 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
1871 return FAIL;
1872 }
7006ee24
JH
1873 SSL_CTX_set_tlsext_status_cb(ctx, tls_client_stapling_cb);
1874 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
f5d78688
JH
1875 }
1876# endif
7be682ca 1877#endif
059ec3d9 1878
e51c7be2 1879cbinfo->verify_cert_hostnames = NULL;
e51c7be2 1880
c8dfb21d 1881#ifdef EXIM_HAVE_EPHEM_RSA_KEX
059ec3d9 1882/* Set up the RSA callback */
7006ee24 1883SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
c8dfb21d 1884#endif
059ec3d9
PH
1885
1886/* Finally, set the timeout, and we are done */
1887
7006ee24 1888SSL_CTX_set_timeout(ctx, ssl_session_timeout);
059ec3d9 1889DEBUG(D_tls) debug_printf("Initialized TLS\n");
7be682ca 1890
817d9f57 1891*cbp = cbinfo;
7006ee24 1892*ctxp = ctx;
7be682ca 1893
059ec3d9
PH
1894return OK;
1895}
1896
1897
1898
1899
1900/*************************************************
1901* Get name of cipher in use *
1902*************************************************/
1903
817d9f57 1904/*
059ec3d9 1905Argument: pointer to an SSL structure for the connection
817d9f57
JH
1906 buffer to use for answer
1907 size of buffer
1908 pointer to number of bits for cipher
059ec3d9
PH
1909Returns: nothing
1910*/
1911
1912static void
817d9f57 1913construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits)
059ec3d9 1914{
7a8b9519 1915/* With OpenSSL 1.0.0a, 'c' needs to be const but the documentation doesn't
57b3a7f5
PP
1916yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
1917the accessor functions use const in the prototype. */
059ec3d9 1918
7a8b9519
JH
1919const uschar * ver = CUS SSL_get_version(ssl);
1920const SSL_CIPHER * c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
059ec3d9 1921
817d9f57 1922SSL_CIPHER_get_bits(c, bits);
059ec3d9 1923
817d9f57
JH
1924string_format(cipherbuf, bsize, "%s:%s:%u", ver,
1925 SSL_CIPHER_get_name(c), *bits);
059ec3d9
PH
1926
1927DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
1928}
1929
1930
f69979cf 1931static void
70e384dd 1932peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned siz)
f69979cf
JH
1933{
1934/*XXX we might consider a list-of-certs variable for the cert chain.
1935SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
1936in list-handling functions, also consider the difference between the entire
1937chain and the elements sent by the peer. */
1938
70e384dd
JH
1939tlsp->peerdn = NULL;
1940
f69979cf
JH
1941/* Will have already noted peercert on a verify fail; possibly not the leaf */
1942if (!tlsp->peercert)
1943 tlsp->peercert = SSL_get_peer_certificate(ssl);
1944/* Beware anonymous ciphers which lead to server_cert being NULL */
1945if (tlsp->peercert)
70e384dd
JH
1946 if (!X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, siz))
1947 { DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n"); }
1948 else
1949 {
1950 peerdn[siz-1] = '\0';
1951 tlsp->peerdn = peerdn; /*XXX a static buffer... */
1952 }
f69979cf
JH
1953}
1954
1955
059ec3d9
PH
1956
1957
1958
1959/*************************************************
1960* Set up for verifying certificates *
1961*************************************************/
1962
0e8aed8a 1963#ifndef DISABLE_OCSP
c3033f13
JH
1964/* Load certs from file, return TRUE on success */
1965
1966static BOOL
1967chain_from_pem_file(const uschar * file, STACK_OF(X509) * verify_stack)
1968{
1969BIO * bp;
1970X509 * x;
1971
dec766a1
WB
1972while (sk_X509_num(verify_stack) > 0)
1973 X509_free(sk_X509_pop(verify_stack));
1974
c3033f13
JH
1975if (!(bp = BIO_new_file(CS file, "r"))) return FALSE;
1976while ((x = PEM_read_bio_X509(bp, NULL, 0, NULL)))
1977 sk_X509_push(verify_stack, x);
1978BIO_free(bp);
1979return TRUE;
1980}
0e8aed8a 1981#endif
c3033f13
JH
1982
1983
1984
dec766a1
WB
1985/* Called by both client and server startup; on the server possibly
1986repeated after a Server Name Indication.
059ec3d9
PH
1987
1988Arguments:
7be682ca 1989 sctx SSL_CTX* to initialise
059ec3d9
PH
1990 certs certs file or NULL
1991 crl CRL file or NULL
1992 host NULL in a server; the remote host in a client
1993 optional TRUE if called from a server for a host in tls_try_verify_hosts;
1994 otherwise passed as FALSE
983207c1 1995 cert_vfy_cb Callback function for certificate verification
cf0c6164 1996 errstr error string pointer
059ec3d9
PH
1997
1998Returns: OK/DEFER/FAIL
1999*/
2000
2001static int
983207c1 2002setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
cf0c6164 2003 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr)
059ec3d9
PH
2004{
2005uschar *expcerts, *expcrl;
2006
cf0c6164 2007if (!expand_check(certs, US"tls_verify_certificates", &expcerts, errstr))
059ec3d9 2008 return DEFER;
57cc2785 2009DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
059ec3d9 2010
10a831a3 2011if (expcerts && *expcerts)
059ec3d9 2012 {
10a831a3
JH
2013 /* Tell the library to use its compiled-in location for the system default
2014 CA bundle. Then add the ones specified in the config, if any. */
cb1d7830 2015
10a831a3 2016 if (!SSL_CTX_set_default_verify_paths(sctx))
cf0c6164 2017 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL, errstr);
10a831a3
JH
2018
2019 if (Ustrcmp(expcerts, "system") != 0)
059ec3d9 2020 {
cb1d7830
JH
2021 struct stat statbuf;
2022
cb1d7830
JH
2023 if (Ustat(expcerts, &statbuf) < 0)
2024 {
2025 log_write(0, LOG_MAIN|LOG_PANIC,
2026 "failed to stat %s for certificates", expcerts);
2027 return DEFER;
2028 }
059ec3d9 2029 else
059ec3d9 2030 {
cb1d7830
JH
2031 uschar *file, *dir;
2032 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
2033 { file = NULL; dir = expcerts; }
2034 else
c3033f13
JH
2035 {
2036 file = expcerts; dir = NULL;
2037#ifndef DISABLE_OCSP
2038 /* In the server if we will be offering an OCSP proof, load chain from
2039 file for verifying the OCSP proof at load time. */
2040
2041 if ( !host
2042 && statbuf.st_size > 0
2043 && server_static_cbinfo->u_ocsp.server.file
2044 && !chain_from_pem_file(file, server_static_cbinfo->verify_stack)
2045 )
2046 {
2047 log_write(0, LOG_MAIN|LOG_PANIC,
57887ecc 2048 "failed to load cert chain from %s", file);
c3033f13
JH
2049 return DEFER;
2050 }
2051#endif
2052 }
cb1d7830
JH
2053
2054 /* If a certificate file is empty, the next function fails with an
2055 unhelpful error message. If we skip it, we get the correct behaviour (no
2056 certificates are recognized, but the error message is still misleading (it
c3033f13 2057 says no certificate was supplied). But this is better. */
cb1d7830 2058
f2f2c91b
JH
2059 if ( (!file || statbuf.st_size > 0)
2060 && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
cf0c6164 2061 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL, errstr);
cb1d7830
JH
2062
2063 /* Load the list of CAs for which we will accept certs, for sending
2064 to the client. This is only for the one-file tls_verify_certificates
2065 variant.
db3f7b69
JH
2066 If a list isn't loaded into the server, but some verify locations are set,
2067 the server end appears to make a wildcard request for client certs.
10a831a3 2068 Meanwhile, the client library as default behaviour *ignores* the list
cb1d7830
JH
2069 we send over the wire - see man SSL_CTX_set_client_cert_cb.
2070 Because of this, and that the dir variant is likely only used for
db3f7b69
JH
2071 the public-CA bundle (not for a private CA), not worth fixing. */
2072
f2f2c91b 2073 if (file)
cb1d7830 2074 {
2009ecca 2075 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
dec766a1
WB
2076
2077 SSL_CTX_set_client_CA_list(sctx, names);
f2f2c91b 2078 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
cb1d7830 2079 sk_X509_NAME_num(names));
cb1d7830 2080 }
059ec3d9
PH
2081 }
2082 }
2083
2084 /* Handle a certificate revocation list. */
2085
10a831a3 2086#if OPENSSL_VERSION_NUMBER > 0x00907000L
059ec3d9 2087
8b417f2c 2088 /* This bit of code is now the version supplied by Lars Mainka. (I have
10a831a3 2089 merely reformatted it into the Exim code style.)
8b417f2c 2090
10a831a3
JH
2091 "From here I changed the code to add support for multiple crl's
2092 in pem format in one file or to support hashed directory entries in
2093 pem format instead of a file. This method now uses the library function
2094 X509_STORE_load_locations to add the CRL location to the SSL context.
2095 OpenSSL will then handle the verify against CA certs and CRLs by
2096 itself in the verify callback." */
8b417f2c 2097
cf0c6164 2098 if (!expand_check(crl, US"tls_crl", &expcrl, errstr)) return DEFER;
10a831a3 2099 if (expcrl && *expcrl)
059ec3d9 2100 {
8b417f2c
PH
2101 struct stat statbufcrl;
2102 if (Ustat(expcrl, &statbufcrl) < 0)
2103 {
2104 log_write(0, LOG_MAIN|LOG_PANIC,
2105 "failed to stat %s for certificates revocation lists", expcrl);
2106 return DEFER;
2107 }
2108 else
059ec3d9 2109 {
8b417f2c
PH
2110 /* is it a file or directory? */
2111 uschar *file, *dir;
7be682ca 2112 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
8b417f2c 2113 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
059ec3d9 2114 {
8b417f2c
PH
2115 file = NULL;
2116 dir = expcrl;
2117 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
059ec3d9
PH
2118 }
2119 else
2120 {
8b417f2c
PH
2121 file = expcrl;
2122 dir = NULL;
2123 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
059ec3d9 2124 }
8b417f2c 2125 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
cf0c6164 2126 return tls_error(US"X509_STORE_load_locations", host, NULL, errstr);
8b417f2c
PH
2127
2128 /* setting the flags to check against the complete crl chain */
2129
2130 X509_STORE_set_flags(cvstore,
2131 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
059ec3d9 2132 }
059ec3d9
PH
2133 }
2134
10a831a3 2135#endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
059ec3d9
PH
2136
2137 /* If verification is optional, don't fail if no certificate */
2138
7be682ca 2139 SSL_CTX_set_verify(sctx,
5a2a0989 2140 SSL_VERIFY_PEER | (optional ? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
983207c1 2141 cert_vfy_cb);
059ec3d9
PH
2142 }
2143
2144return OK;
2145}
2146
2147
2148
2149/*************************************************
2150* Start a TLS session in a server *
2151*************************************************/
2152
2153/* This is called when Exim is running as a server, after having received
2154the STARTTLS command. It must respond to that command, and then negotiate
2155a TLS session.
2156
2157Arguments:
2158 require_ciphers allowed ciphers
cf0c6164 2159 errstr pointer to error message
059ec3d9
PH
2160
2161Returns: OK on success
2162 DEFER for errors before the start of the negotiation
4c04137d 2163 FAIL for errors during the negotiation; the server can't
059ec3d9
PH
2164 continue running.
2165*/
2166
2167int
cf0c6164 2168tls_server_start(const uschar * require_ciphers, uschar ** errstr)
059ec3d9
PH
2169{
2170int rc;
cf0c6164
JH
2171uschar * expciphers;
2172tls_ext_ctx_cb * cbinfo;
f69979cf 2173static uschar peerdn[256];
817d9f57 2174static uschar cipherbuf[256];
059ec3d9
PH
2175
2176/* Check for previous activation */
2177
74f1a423 2178if (tls_in.active.sock >= 0)
059ec3d9 2179 {
cf0c6164 2180 tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
925ac8e4 2181 smtp_printf("554 Already in TLS\r\n", FALSE);
059ec3d9
PH
2182 return FAIL;
2183 }
2184
2185/* Initialize the SSL library. If it fails, it will already have logged
2186the error. */
2187
817d9f57 2188rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
f2de3a33 2189#ifndef DISABLE_OCSP
47195144 2190 tls_ocsp_file, /*XXX stack*/
3f7eeb86 2191#endif
cf0c6164 2192 NULL, &server_static_cbinfo, errstr);
059ec3d9 2193if (rc != OK) return rc;
817d9f57 2194cbinfo = server_static_cbinfo;
059ec3d9 2195
cf0c6164 2196if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers, errstr))
059ec3d9
PH
2197 return FAIL;
2198
2199/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
17c76198
PP
2200were historically separated by underscores. So that I can use either form in my
2201tests, and also for general convenience, we turn underscores into hyphens here.
0c3807a8
JH
2202
2203XXX SSL_CTX_set_cipher_list() is replaced by SSL_CTX_set_ciphersuites()
2204for TLS 1.3 . Since we do not call it at present we get the default list:
2205TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
17c76198 2206*/
059ec3d9 2207
c3033f13 2208if (expciphers)
059ec3d9 2209 {
c3033f13 2210 uschar * s = expciphers;
059ec3d9
PH
2211 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
2212 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
817d9f57 2213 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
cf0c6164 2214 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL, errstr);
7be682ca 2215 cbinfo->server_cipher_list = expciphers;
059ec3d9
PH
2216 }
2217
2218/* If this is a host for which certificate verification is mandatory or
2219optional, set up appropriately. */
2220
817d9f57 2221tls_in.certificate_verified = FALSE;
c0635b6d 2222#ifdef SUPPORT_DANE
53a7196b
JH
2223tls_in.dane_verified = FALSE;
2224#endif
a2ff477a 2225server_verify_callback_called = FALSE;
059ec3d9
PH
2226
2227if (verify_check_host(&tls_verify_hosts) == OK)
2228 {
983207c1 2229 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
afdb5e9c 2230 FALSE, verify_callback_server, errstr);
059ec3d9 2231 if (rc != OK) return rc;
a2ff477a 2232 server_verify_optional = FALSE;
059ec3d9
PH
2233 }
2234else if (verify_check_host(&tls_try_verify_hosts) == OK)
2235 {
983207c1 2236 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
afdb5e9c 2237 TRUE, verify_callback_server, errstr);
059ec3d9 2238 if (rc != OK) return rc;
a2ff477a 2239 server_verify_optional = TRUE;
059ec3d9
PH
2240 }
2241
2242/* Prepare for new connection */
2243
cf0c6164
JH
2244if (!(server_ssl = SSL_new(server_ctx)))
2245 return tls_error(US"SSL_new", NULL, NULL, errstr);
da3ad30d
PP
2246
2247/* Warning: we used to SSL_clear(ssl) here, it was removed.
2248 *
2249 * With the SSL_clear(), we get strange interoperability bugs with
2250 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
2251 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
2252 *
2253 * The SSL_clear() call is to let an existing SSL* be reused, typically after
2254 * session shutdown. In this case, we have a brand new object and there's no
2255 * obvious reason to immediately clear it. I'm guessing that this was
2256 * originally added because of incomplete initialisation which the clear fixed,
2257 * in some historic release.
2258 */
059ec3d9
PH
2259
2260/* Set context and tell client to go ahead, except in the case of TLS startup
2261on connection, where outputting anything now upsets the clients and tends to
2262make them disconnect. We need to have an explicit fflush() here, to force out
2263the response. Other smtp_printf() calls do not need it, because in non-TLS
2264mode, the fflush() happens when smtp_getc() is called. */
2265
817d9f57
JH
2266SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
2267if (!tls_in.on_connect)
059ec3d9 2268 {
925ac8e4 2269 smtp_printf("220 TLS go ahead\r\n", FALSE);
059ec3d9
PH
2270 fflush(smtp_out);
2271 }
2272
2273/* Now negotiate the TLS session. We put our own timer on it, since it seems
2274that the OpenSSL library doesn't. */
2275
817d9f57
JH
2276SSL_set_wfd(server_ssl, fileno(smtp_out));
2277SSL_set_rfd(server_ssl, fileno(smtp_in));
2278SSL_set_accept_state(server_ssl);
059ec3d9
PH
2279
2280DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
2281
2282sigalrm_seen = FALSE;
c2a1bba0 2283if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
817d9f57 2284rc = SSL_accept(server_ssl);
c2a1bba0 2285ALARM_CLR(0);
059ec3d9
PH
2286
2287if (rc <= 0)
2288 {
cf0c6164 2289 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
059ec3d9
PH
2290 return FAIL;
2291 }
2292
2293DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
2294
2295/* TLS has been set up. Adjust the input functions to read via TLS,
2296and initialize things. */
2297
f69979cf
JH
2298peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
2299
817d9f57
JH
2300construct_cipher_name(server_ssl, cipherbuf, sizeof(cipherbuf), &tls_in.bits);
2301tls_in.cipher = cipherbuf;
059ec3d9
PH
2302
2303DEBUG(D_tls)
2304 {
2305 uschar buf[2048];
817d9f57 2306 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)) != NULL)
059ec3d9
PH
2307 debug_printf("Shared ciphers: %s\n", buf);
2308 }
2309
9d1c15ef
JH
2310/* Record the certificate we presented */
2311 {
2312 X509 * crt = SSL_get_certificate(server_ssl);
2313 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
2314 }
059ec3d9 2315
817d9f57
JH
2316/* Only used by the server-side tls (tls_in), including tls_getc.
2317 Client-side (tls_out) reads (seem to?) go via
2318 smtp_read_response()/ip_recv().
2319 Hence no need to duplicate for _in and _out.
2320 */
b808677c 2321if (!ssl_xfer_buffer) ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
059ec3d9 2322ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
8b77d27a 2323ssl_xfer_eof = ssl_xfer_error = FALSE;
059ec3d9
PH
2324
2325receive_getc = tls_getc;
0d81dabc 2326receive_getbuf = tls_getbuf;
584e96c6 2327receive_get_cache = tls_get_cache;
059ec3d9
PH
2328receive_ungetc = tls_ungetc;
2329receive_feof = tls_feof;
2330receive_ferror = tls_ferror;
58eb016e 2331receive_smtp_buffered = tls_smtp_buffered;
059ec3d9 2332
74f1a423
JH
2333tls_in.active.sock = fileno(smtp_out);
2334tls_in.active.tls_ctx = NULL; /* not using explicit ctx for server-side */
059ec3d9
PH
2335return OK;
2336}
2337
2338
2339
2340
043b1248
JH
2341static int
2342tls_client_basic_ctx_init(SSL_CTX * ctx,
cf0c6164
JH
2343 host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo,
2344 uschar ** errstr)
043b1248
JH
2345{
2346int rc;
94431adb 2347/* stick to the old behaviour for compatibility if tls_verify_certificates is
043b1248
JH
2348 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
2349 the specified host patterns if one of them is defined */
2350
610ff438
JH
2351if ( ( !ob->tls_verify_hosts
2352 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2353 )
3c07dd2d 2354 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
aa2a70ba 2355 )
043b1248 2356 client_verify_optional = FALSE;
3c07dd2d 2357else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
aa2a70ba
JH
2358 client_verify_optional = TRUE;
2359else
2360 return OK;
2361
2362if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
cf0c6164
JH
2363 ob->tls_crl, host, client_verify_optional, verify_callback_client,
2364 errstr)) != OK)
aa2a70ba 2365 return rc;
043b1248 2366
3c07dd2d 2367if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
043b1248 2368 {
4af0d74a 2369 cbinfo->verify_cert_hostnames =
8c5d388a 2370#ifdef SUPPORT_I18N
4af0d74a
JH
2371 string_domain_utf8_to_alabel(host->name, NULL);
2372#else
2373 host->name;
2374#endif
aa2a70ba
JH
2375 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
2376 cbinfo->verify_cert_hostnames);
043b1248 2377 }
043b1248
JH
2378return OK;
2379}
059ec3d9 2380
fde080a4 2381
c0635b6d 2382#ifdef SUPPORT_DANE
fde080a4 2383static int
cf0c6164 2384dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa, uschar ** errstr)
fde080a4 2385{
fde080a4
JH
2386dns_scan dnss;
2387const char * hostnames[2] = { CS host->name, NULL };
2388int found = 0;
2389
2390if (DANESSL_init(ssl, NULL, hostnames) != 1)
cf0c6164 2391 return tls_error(US"hostnames load", host, NULL, errstr);
fde080a4 2392
db3f7b69 2393for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
fde080a4 2394 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
1b76ad22 2395 ) if (rr->type == T_TLSA && rr->size > 3)
fde080a4 2396 {
c3033f13 2397 const uschar * p = rr->data;
fde080a4
JH
2398 uint8_t usage, selector, mtype;
2399 const char * mdname;
2400
fde080a4 2401 usage = *p++;
133d2546
JH
2402
2403 /* Only DANE-TA(2) and DANE-EE(3) are supported */
2404 if (usage != 2 && usage != 3) continue;
2405
fde080a4
JH
2406 selector = *p++;
2407 mtype = *p++;
2408
2409 switch (mtype)
2410 {
133d2546
JH
2411 default: continue; /* Only match-types 0, 1, 2 are supported */
2412 case 0: mdname = NULL; break;
2413 case 1: mdname = "sha256"; break;
2414 case 2: mdname = "sha512"; break;
fde080a4
JH
2415 }
2416
133d2546 2417 found++;
fde080a4
JH
2418 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
2419 {
2420 default:
cf0c6164 2421 return tls_error(US"tlsa load", host, NULL, errstr);
c035b645 2422 case 0: /* action not taken */
fde080a4
JH
2423 case 1: break;
2424 }
594706ea
JH
2425
2426 tls_out.tlsa_usage |= 1<<usage;
fde080a4
JH
2427 }
2428
2429if (found)
2430 return OK;
2431
133d2546 2432log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
6ebd79ec 2433return DEFER;
fde080a4 2434}
c0635b6d 2435#endif /*SUPPORT_DANE*/
fde080a4
JH
2436
2437
2438
059ec3d9
PH
2439/*************************************************
2440* Start a TLS session in a client *
2441*************************************************/
2442
2443/* Called from the smtp transport after STARTTLS has been accepted.
2444
2445Argument:
2446 fd the fd of the connection
afdb5e9c
JH
2447 host connected host (for messages and option-tests)
2448 addr the first address (for some randomness; can be NULL)
a7538db1 2449 tb transport (always smtp)
0e66b3b6 2450 tlsa_dnsa tlsa lookup, if DANE, else null
afdb5e9c 2451 tlsp record details of channel configuration here; must be non-NULL
cf0c6164 2452 errstr error string pointer
059ec3d9 2453
74f1a423 2454Returns: Pointer to TLS session context, or NULL on error
059ec3d9
PH
2455*/
2456
74f1a423 2457void *
f5d78688 2458tls_client_start(int fd, host_item *host, address_item *addr,
cf0c6164 2459 transport_instance * tb,
c0635b6d 2460#ifdef SUPPORT_DANE
cf0c6164 2461 dns_answer * tlsa_dnsa,
0e66b3b6 2462#endif
74f1a423 2463 tls_support * tlsp, uschar ** errstr)
059ec3d9 2464{
afdb5e9c
JH
2465smtp_transport_options_block * ob = tb
2466 ? (smtp_transport_options_block *)tb->options_block
2467 : &smtp_transport_option_defaults;
74f1a423 2468exim_openssl_client_tls_ctx * exim_client_ctx;
f69979cf 2469static uschar peerdn[256];
868f5672 2470uschar * expciphers;
059ec3d9 2471int rc;
817d9f57 2472static uschar cipherbuf[256];
043b1248
JH
2473
2474#ifndef DISABLE_OCSP
043b1248 2475BOOL request_ocsp = FALSE;
6634ac8d 2476BOOL require_ocsp = FALSE;
043b1248 2477#endif
043b1248 2478
74f1a423
JH
2479rc = store_pool;
2480store_pool = POOL_PERM;
2481exim_client_ctx = store_get(sizeof(exim_openssl_client_tls_ctx));
2482store_pool = rc;
2483
c0635b6d 2484#ifdef SUPPORT_DANE
74f1a423 2485tlsp->tlsa_usage = 0;
043b1248
JH
2486#endif
2487
f2de3a33 2488#ifndef DISABLE_OCSP
043b1248 2489 {
c0635b6d 2490# ifdef SUPPORT_DANE
4f59c424
JH
2491 if ( tlsa_dnsa
2492 && ob->hosts_request_ocsp[0] == '*'
2493 && ob->hosts_request_ocsp[1] == '\0'
2494 )
2495 {
2496 /* Unchanged from default. Use a safer one under DANE */
2497 request_ocsp = TRUE;
2498 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
2499 " {= {4}{$tls_out_tlsa_usage}} } "
2500 " {*}{}}";
2501 }
2502# endif
2503
5130845b 2504 if ((require_ocsp =
3c07dd2d 2505 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK))
fca41d5a
JH
2506 request_ocsp = TRUE;
2507 else
c0635b6d 2508# ifdef SUPPORT_DANE
4f59c424 2509 if (!request_ocsp)
fca41d5a 2510# endif
5130845b 2511 request_ocsp =
3c07dd2d 2512 verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
043b1248 2513 }
f5d78688 2514#endif
059ec3d9 2515
74f1a423 2516rc = tls_init(&exim_client_ctx->ctx, host, NULL,
65867078 2517 ob->tls_certificate, ob->tls_privatekey,
f2de3a33 2518#ifndef DISABLE_OCSP
44662487 2519 (void *)(long)request_ocsp,
3f7eeb86 2520#endif
cf0c6164 2521 addr, &client_static_cbinfo, errstr);
74f1a423 2522if (rc != OK) return NULL;
059ec3d9 2523
74f1a423 2524tlsp->certificate_verified = FALSE;
a2ff477a 2525client_verify_callback_called = FALSE;
059ec3d9 2526
5ec37a55
PP
2527expciphers = NULL;
2528#ifdef SUPPORT_DANE
2529if (tlsa_dnsa)
2530 {
2531 /* We fall back to tls_require_ciphers if unset, empty or forced failure, but
2532 other failures should be treated as problems. */
2533 if (ob->dane_require_tls_ciphers &&
2534 !expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
2535 &expciphers, errstr))
74f1a423 2536 return NULL;
5ec37a55
PP
2537 if (expciphers && *expciphers == '\0')
2538 expciphers = NULL;
2539 }
2540#endif
2541if (!expciphers &&
2542 !expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
2543 &expciphers, errstr))
74f1a423 2544 return NULL;
059ec3d9
PH
2545
2546/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
2547are separated by underscores. So that I can use either form in my tests, and
2548also for general convenience, we turn underscores into hyphens here. */
2549
cf0c6164 2550if (expciphers)
059ec3d9
PH
2551 {
2552 uschar *s = expciphers;
cf0c6164 2553 while (*s) { if (*s == '_') *s = '-'; s++; }
059ec3d9 2554 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
74f1a423
JH
2555 if (!SSL_CTX_set_cipher_list(exim_client_ctx->ctx, CS expciphers))
2556 {
2557 tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr);
2558 return NULL;
2559 }
059ec3d9
PH
2560 }
2561
c0635b6d 2562#ifdef SUPPORT_DANE
0e66b3b6 2563if (tlsa_dnsa)
a63be306 2564 {
74f1a423 2565 SSL_CTX_set_verify(exim_client_ctx->ctx,
02af313d
JH
2566 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2567 verify_callback_client_dane);
e5cccda9 2568
043b1248 2569 if (!DANESSL_library_init())
74f1a423
JH
2570 {
2571 tls_error(US"library init", host, NULL, errstr);
2572 return NULL;
2573 }
2574 if (DANESSL_CTX_init(exim_client_ctx->ctx) <= 0)
2575 {
2576 tls_error(US"context init", host, NULL, errstr);
2577 return NULL;
2578 }
043b1248
JH
2579 }
2580else
e51c7be2 2581
043b1248
JH
2582#endif
2583
74f1a423
JH
2584 if (tls_client_basic_ctx_init(exim_client_ctx->ctx, host, ob,
2585 client_static_cbinfo, errstr) != OK)
2586 return NULL;
059ec3d9 2587
74f1a423
JH
2588if (!(exim_client_ctx->ssl = SSL_new(exim_client_ctx->ctx)))
2589 {
2590 tls_error(US"SSL_new", host, NULL, errstr);
2591 return NULL;
2592 }
2593SSL_set_session_id_context(exim_client_ctx->ssl, sid_ctx, Ustrlen(sid_ctx));
2594SSL_set_fd(exim_client_ctx->ssl, fd);
2595SSL_set_connect_state(exim_client_ctx->ssl);
059ec3d9 2596
65867078 2597if (ob->tls_sni)
3f0945ff 2598 {
74f1a423
JH
2599 if (!expand_check(ob->tls_sni, US"tls_sni", &tlsp->sni, errstr))
2600 return NULL;
2601 if (!tlsp->sni)
2c9a0e86
PP
2602 {
2603 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
2604 }
74f1a423
JH
2605 else if (!Ustrlen(tlsp->sni))
2606 tlsp->sni = NULL;
3f0945ff
PP
2607 else
2608 {
35731706 2609#ifdef EXIM_HAVE_OPENSSL_TLSEXT
74f1a423
JH
2610 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tlsp->sni);
2611 SSL_set_tlsext_host_name(exim_client_ctx->ssl, tlsp->sni);
35731706 2612#else
66802652 2613 log_write(0, LOG_MAIN, "SNI unusable with this OpenSSL library version; ignoring \"%s\"\n",
74f1a423 2614 tlsp->sni);
35731706 2615#endif
3f0945ff
PP
2616 }
2617 }
2618
c0635b6d 2619#ifdef SUPPORT_DANE
0e66b3b6 2620if (tlsa_dnsa)
74f1a423
JH
2621 if (dane_tlsa_load(exim_client_ctx->ssl, host, tlsa_dnsa, errstr) != OK)
2622 return NULL;
594706ea
JH
2623#endif
2624
f2de3a33 2625#ifndef DISABLE_OCSP
f5d78688
JH
2626/* Request certificate status at connection-time. If the server
2627does OCSP stapling we will get the callback (set in tls_init()) */
c0635b6d 2628# ifdef SUPPORT_DANE
44662487
JH
2629if (request_ocsp)
2630 {
594706ea 2631 const uschar * s;
41afb5cb
JH
2632 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
2633 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
594706ea
JH
2634 )
2635 { /* Re-eval now $tls_out_tlsa_usage is populated. If
2636 this means we avoid the OCSP request, we wasted the setup
2637 cost in tls_init(). */
3c07dd2d 2638 require_ocsp = verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
5130845b 2639 request_ocsp = require_ocsp
3c07dd2d 2640 || verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
594706ea
JH
2641 }
2642 }
b50c8b84
JH
2643# endif
2644
594706ea
JH
2645if (request_ocsp)
2646 {
74f1a423 2647 SSL_set_tlsext_status_type(exim_client_ctx->ssl, TLSEXT_STATUSTYPE_ocsp);
44662487 2648 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
74f1a423 2649 tlsp->ocsp = OCSP_NOT_RESP;
44662487 2650 }
f5d78688
JH
2651#endif
2652
0cbf2b82 2653#ifndef DISABLE_EVENT
afdb5e9c 2654client_static_cbinfo->event_action = tb ? tb->event_action : NULL;
a7538db1 2655#endif
043b1248 2656
059ec3d9
PH
2657/* There doesn't seem to be a built-in timeout on connection. */
2658
2659DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
2660sigalrm_seen = FALSE;
c2a1bba0 2661ALARM(ob->command_timeout);
74f1a423 2662rc = SSL_connect(exim_client_ctx->ssl);
c2a1bba0 2663ALARM_CLR(0);
059ec3d9 2664
c0635b6d 2665#ifdef SUPPORT_DANE
0e66b3b6 2666if (tlsa_dnsa)
74f1a423 2667 DANESSL_cleanup(exim_client_ctx->ssl);
043b1248
JH
2668#endif
2669
059ec3d9 2670if (rc <= 0)
74f1a423
JH
2671 {
2672 tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL, errstr);
2673 return NULL;
2674 }
059ec3d9
PH
2675
2676DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
2677
74f1a423 2678peer_cert(exim_client_ctx->ssl, tlsp, peerdn, sizeof(peerdn));
059ec3d9 2679
74f1a423
JH
2680construct_cipher_name(exim_client_ctx->ssl, cipherbuf, sizeof(cipherbuf), &tlsp->bits);
2681tlsp->cipher = cipherbuf;
059ec3d9 2682
9d1c15ef
JH
2683/* Record the certificate we presented */
2684 {
74f1a423
JH
2685 X509 * crt = SSL_get_certificate(exim_client_ctx->ssl);
2686 tlsp->ourcert = crt ? X509_dup(crt) : NULL;
9d1c15ef
JH
2687 }
2688
74f1a423
JH
2689tlsp->active.sock = fd;
2690tlsp->active.tls_ctx = exim_client_ctx;
2691return exim_client_ctx;
059ec3d9
PH
2692}
2693
2694
2695
2696
2697
0d81dabc
JH
2698static BOOL
2699tls_refill(unsigned lim)
2700{
2701int error;
2702int inbytes;
2703
2704DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
2705 ssl_xfer_buffer, ssl_xfer_buffer_size);
2706
c2a1bba0 2707if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
0d81dabc
JH
2708inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer,
2709 MIN(ssl_xfer_buffer_size, lim));
2710error = SSL_get_error(server_ssl, inbytes);
c2a1bba0 2711if (smtp_receive_timeout > 0) ALARM_CLR(0);
9723f966
JH
2712
2713if (had_command_timeout) /* set by signal handler */
2714 smtp_command_timeout_exit(); /* does not return */
2715if (had_command_sigterm)
2716 smtp_command_sigterm_exit();
2717if (had_data_timeout)
2718 smtp_data_timeout_exit();
2719if (had_data_sigint)
2720 smtp_data_sigint_exit();
0d81dabc
JH
2721
2722/* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
2723closed down, not that the socket itself has been closed down. Revert to
2724non-SSL handling. */
2725
74f1a423 2726switch(error)
0d81dabc 2727 {
74f1a423
JH
2728 case SSL_ERROR_NONE:
2729 break;
2730
2731 case SSL_ERROR_ZERO_RETURN:
2732 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
0d81dabc 2733
74f1a423
JH
2734 receive_getc = smtp_getc;
2735 receive_getbuf = smtp_getbuf;
2736 receive_get_cache = smtp_get_cache;
2737 receive_ungetc = smtp_ungetc;
2738 receive_feof = smtp_feof;
2739 receive_ferror = smtp_ferror;
2740 receive_smtp_buffered = smtp_buffered;
0d81dabc 2741
74f1a423
JH
2742 if (SSL_get_shutdown(server_ssl) == SSL_RECEIVED_SHUTDOWN)
2743 SSL_shutdown(server_ssl);
dec766a1 2744
37f0ce65 2745#ifndef DISABLE_OCSP
74f1a423
JH
2746 sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
2747 server_static_cbinfo->verify_stack = NULL;
37f0ce65 2748#endif
74f1a423
JH
2749 SSL_free(server_ssl);
2750 SSL_CTX_free(server_ctx);
2751 server_ctx = NULL;
2752 server_ssl = NULL;
2753 tls_in.active.sock = -1;
2754 tls_in.active.tls_ctx = NULL;
2755 tls_in.bits = 0;
2756 tls_in.cipher = NULL;
2757 tls_in.peerdn = NULL;
2758 tls_in.sni = NULL;
0d81dabc 2759
74f1a423 2760 return FALSE;
0d81dabc 2761
74f1a423
JH
2762 /* Handle genuine errors */
2763 case SSL_ERROR_SSL:
0abc5a13 2764 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
74f1a423
JH
2765 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
2766 ssl_xfer_error = TRUE;
2767 return FALSE;
0d81dabc 2768
74f1a423
JH
2769 default:
2770 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
2771 DEBUG(D_tls) if (error == SSL_ERROR_SYSCALL)
2772 debug_printf(" - syscall %s\n", strerror(errno));
2773 ssl_xfer_error = TRUE;
2774 return FALSE;
0d81dabc
JH
2775 }
2776
2777#ifndef DISABLE_DKIM
2778dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
2779#endif
2780ssl_xfer_buffer_hwm = inbytes;
2781ssl_xfer_buffer_lwm = 0;
2782return TRUE;
2783}
2784
2785
059ec3d9
PH
2786/*************************************************
2787* TLS version of getc *
2788*************************************************/
2789
2790/* This gets the next byte from the TLS input buffer. If the buffer is empty,
2791it refills the buffer via the SSL reading function.
2792
bd8fbe36 2793Arguments: lim Maximum amount to read/buffer
059ec3d9 2794Returns: the next character or EOF
817d9f57
JH
2795
2796Only used by the server-side TLS.
059ec3d9
PH
2797*/
2798
2799int
bd8fbe36 2800tls_getc(unsigned lim)
059ec3d9
PH
2801{
2802if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
0d81dabc
JH
2803 if (!tls_refill(lim))
2804 return ssl_xfer_error ? EOF : smtp_getc(lim);
059ec3d9 2805
0d81dabc 2806/* Something in the buffer; return next uschar */
059ec3d9 2807
0d81dabc
JH
2808return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
2809}
059ec3d9 2810
0d81dabc
JH
2811uschar *
2812tls_getbuf(unsigned * len)
2813{
2814unsigned size;
2815uschar * buf;
ba084640 2816
0d81dabc
JH
2817if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
2818 if (!tls_refill(*len))
059ec3d9 2819 {
0d81dabc
JH
2820 if (!ssl_xfer_error) return smtp_getbuf(len);
2821 *len = 0;
2822 return NULL;
059ec3d9 2823 }
c80c5570 2824
0d81dabc
JH
2825if ((size = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm) > *len)
2826 size = *len;
2827buf = &ssl_xfer_buffer[ssl_xfer_buffer_lwm];
2828ssl_xfer_buffer_lwm += size;
2829*len = size;
2830return buf;
059ec3d9
PH
2831}
2832
0d81dabc 2833
584e96c6
JH
2834void
2835tls_get_cache()
2836{
9960d1e5 2837#ifndef DISABLE_DKIM
584e96c6
JH
2838int n = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm;
2839if (n > 0)
2840 dkim_exim_verify_feed(ssl_xfer_buffer+ssl_xfer_buffer_lwm, n);
584e96c6 2841#endif
9960d1e5 2842}
584e96c6 2843
059ec3d9 2844
925ac8e4
JH
2845BOOL
2846tls_could_read(void)
2847{
a5ffa9b4 2848return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm || SSL_pending(server_ssl) > 0;
925ac8e4
JH
2849}
2850
059ec3d9
PH
2851
2852/*************************************************
2853* Read bytes from TLS channel *
2854*************************************************/
2855
2856/*
2857Arguments:
74f1a423 2858 ct_ctx client context pointer, or NULL for the one global server context
059ec3d9
PH
2859 buff buffer of data
2860 len size of buffer
2861
2862Returns: the number of bytes read
afdb5e9c 2863 -1 after a failed read, including EOF
817d9f57
JH
2864
2865Only used by the client-side TLS.
059ec3d9
PH
2866*/
2867
2868int
74f1a423 2869tls_read(void * ct_ctx, uschar *buff, size_t len)
059ec3d9 2870{
74f1a423 2871SSL * ssl = ct_ctx ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
059ec3d9
PH
2872int inbytes;
2873int error;
2874
389ca47a 2875DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
c80c5570 2876 buff, (unsigned int)len);
059ec3d9 2877
389ca47a
JH
2878inbytes = SSL_read(ssl, CS buff, len);
2879error = SSL_get_error(ssl, inbytes);
059ec3d9
PH
2880
2881if (error == SSL_ERROR_ZERO_RETURN)
2882 {
2883 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2884 return -1;
2885 }
2886else if (error != SSL_ERROR_NONE)
059ec3d9 2887 return -1;
059ec3d9
PH
2888
2889return inbytes;
2890}
2891
2892
2893
2894
2895
2896/*************************************************
2897* Write bytes down TLS channel *
2898*************************************************/
2899
2900/*
2901Arguments:
74f1a423 2902 ct_ctx client context pointer, or NULL for the one global server context
059ec3d9
PH
2903 buff buffer of data
2904 len number of bytes
925ac8e4 2905 more further data expected soon
059ec3d9
PH
2906
2907Returns: the number of bytes after a successful write,
2908 -1 after a failed write
817d9f57
JH
2909
2910Used by both server-side and client-side TLS.
059ec3d9
PH
2911*/
2912
2913int
74f1a423 2914tls_write(void * ct_ctx, const uschar *buff, size_t len, BOOL more)
059ec3d9 2915{
f6a1bb92 2916size_t olen = len;
db3f7b69 2917int outbytes, error;
74f1a423 2918SSL * ssl = ct_ctx ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
acec9514 2919static gstring * corked = NULL;
a5ffa9b4 2920
ef698bf6 2921DEBUG(D_tls) debug_printf("%s(%p, %lu%s)\n", __FUNCTION__,
b93be52e 2922 buff, (unsigned long)len, more ? ", more" : "");
a5ffa9b4
JH
2923
2924/* Lacking a CORK or MSG_MORE facility (such as GnuTLS has) we copy data when
2925"more" is notified. This hack is only ok if small amounts are involved AND only
2926one stream does it, in one context (i.e. no store reset). Currently it is used
2927for the responses to the received SMTP MAIL , RCPT, DATA sequence, only. */
f6a1bb92
JH
2928/* + if PIPE_COMMAND, banner & ehlo-resp for smmtp-on-connect. Suspect there's
2929a store reset there, so use POOL_PERM. */
2930/* + if CHUNKING, cmds EHLO,MAIL,RCPT(s),BDAT */
a5ffa9b4 2931
f6a1bb92 2932if ((more || corked))
a5ffa9b4 2933 {
ee8b8090
JH
2934#ifdef EXPERIMENTAL_PIPE_CONNECT
2935 int save_pool = store_pool;
2936 store_pool = POOL_PERM;
2937#endif
2938
acec9514 2939 corked = string_catn(corked, buff, len);
ee8b8090
JH
2940
2941#ifdef EXPERIMENTAL_PIPE_CONNECT
2942 store_pool = save_pool;
2943#endif
2944
a5ffa9b4
JH
2945 if (more)
2946 return len;
acec9514
JH
2947 buff = CUS corked->s;
2948 len = corked->ptr;
2949 corked = NULL;
a5ffa9b4 2950 }
059ec3d9 2951
db3f7b69 2952for (int left = len; left > 0;)
059ec3d9 2953 {
74f1a423 2954 DEBUG(D_tls) debug_printf("SSL_write(%p, %p, %d)\n", ssl, buff, left);
059ec3d9
PH
2955 outbytes = SSL_write(ssl, CS buff, left);
2956 error = SSL_get_error(ssl, outbytes);
2957 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
2958 switch (error)
2959 {
2960 case SSL_ERROR_SSL:
0abc5a13 2961 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
96f5fe4c
JH
2962 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
2963 return -1;
059ec3d9
PH
2964
2965 case SSL_ERROR_NONE:
96f5fe4c
JH
2966 left -= outbytes;
2967 buff += outbytes;
2968 break;
059ec3d9
PH
2969
2970 case SSL_ERROR_ZERO_RETURN:
96f5fe4c
JH
2971 log_write(0, LOG_MAIN, "SSL channel closed on write");
2972 return -1;
059ec3d9 2973
817d9f57 2974 case SSL_ERROR_SYSCALL:
96f5fe4c
JH
2975 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
2976 sender_fullhost ? sender_fullhost : US"<unknown>",
2977 strerror(errno));
2978 return -1;
817d9f57 2979
059ec3d9 2980 default:
96f5fe4c
JH
2981 log_write(0, LOG_MAIN, "SSL_write error %d", error);
2982 return -1;
059ec3d9
PH
2983 }
2984 }
f6a1bb92 2985return olen;
059ec3d9
PH
2986}
2987
2988
2989
2990/*************************************************
2991* Close down a TLS session *
2992*************************************************/
2993
2994/* This is also called from within a delivery subprocess forked from the
2995daemon, to shut down the TLS library, without actually doing a shutdown (which
2996would tamper with the SSL session in the parent process).
2997
dec766a1 2998Arguments:
74f1a423 2999 ct_ctx client TLS context pointer, or NULL for the one global server context
dec766a1
WB
3000 shutdown 1 if TLS close-alert is to be sent,
3001 2 if also response to be waited for
3002
059ec3d9 3003Returns: nothing
817d9f57
JH
3004
3005Used by both server-side and client-side TLS.
059ec3d9
PH
3006*/
3007
3008void
74f1a423 3009tls_close(void * ct_ctx, int shutdown)
059ec3d9 3010{
74f1a423
JH
3011exim_openssl_client_tls_ctx * o_ctx = ct_ctx;
3012SSL_CTX **ctxp = o_ctx ? &o_ctx->ctx : &server_ctx;
3013SSL **sslp = o_ctx ? &o_ctx->ssl : &server_ssl;
3014int *fdp = o_ctx ? &tls_out.active.sock : &tls_in.active.sock;
817d9f57
JH
3015
3016if (*fdp < 0) return; /* TLS was not active */
059ec3d9
PH
3017
3018if (shutdown)
3019 {
dec766a1
WB
3020 int rc;
3021 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
3022 shutdown > 1 ? " (with response-wait)" : "");
3023
3024 if ( (rc = SSL_shutdown(*sslp)) == 0 /* send "close notify" alert */
3025 && shutdown > 1)
3026 {
c2a1bba0 3027 ALARM(2);
dec766a1 3028 rc = SSL_shutdown(*sslp); /* wait for response */
c2a1bba0 3029 ALARM_CLR(0);
dec766a1
WB
3030 }
3031
3032 if (rc < 0) DEBUG(D_tls)
3033 {
0abc5a13 3034 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
dec766a1
WB
3035 debug_printf("SSL_shutdown: %s\n", ssl_errstring);
3036 }
3037 }
3038
37f0ce65 3039#ifndef DISABLE_OCSP
74f1a423 3040if (!o_ctx) /* server side */
dec766a1
WB
3041 {
3042 sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
dec766a1 3043 server_static_cbinfo->verify_stack = NULL;
059ec3d9 3044 }
37f0ce65 3045#endif
059ec3d9 3046
dec766a1 3047SSL_CTX_free(*ctxp);
817d9f57 3048SSL_free(*sslp);
dec766a1 3049*ctxp = NULL;
817d9f57 3050*sslp = NULL;
817d9f57 3051*fdp = -1;
059ec3d9
PH
3052}
3053
36f12725
NM
3054
3055
3056
3057/*************************************************
3375e053
PP
3058* Let tls_require_ciphers be checked at startup *
3059*************************************************/
3060
3061/* The tls_require_ciphers option, if set, must be something which the
3062library can parse.
3063
3064Returns: NULL on success, or error message
3065*/
3066
3067uschar *
3068tls_validate_require_cipher(void)
3069{
3070SSL_CTX *ctx;
3071uschar *s, *expciphers, *err;
3072
3073/* this duplicates from tls_init(), we need a better "init just global
3074state, for no specific purpose" singleton function of our own */
3075
7434882d 3076#ifdef EXIM_NEED_OPENSSL_INIT
3375e053
PP
3077SSL_load_error_strings();
3078OpenSSL_add_ssl_algorithms();
7434882d 3079#endif
3375e053
PP
3080#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
3081/* SHA256 is becoming ever more popular. This makes sure it gets added to the
3082list of available digests. */
3083EVP_add_digest(EVP_sha256());
3084#endif
3085
3086if (!(tls_require_ciphers && *tls_require_ciphers))
3087 return NULL;
3088
cf0c6164
JH
3089if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
3090 &err))
3375e053
PP
3091 return US"failed to expand tls_require_ciphers";
3092
3093if (!(expciphers && *expciphers))
3094 return NULL;
3095
3096/* normalisation ripped from above */
3097s = expciphers;
3098while (*s != 0) { if (*s == '_') *s = '-'; s++; }
3099
3100err = NULL;
3101
7a8b9519
JH
3102#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
3103if (!(ctx = SSL_CTX_new(TLS_server_method())))
3104#else
3105if (!(ctx = SSL_CTX_new(SSLv23_server_method())))
3106#endif
3375e053 3107 {
0abc5a13 3108 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3375e053
PP
3109 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
3110 }
3111
3112DEBUG(D_tls)
3113 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
3114
3115if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
3116 {
0abc5a13 3117 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
cf0c6164
JH
3118 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed: %s",
3119 expciphers, ssl_errstring);
3375e053
PP
3120 }
3121
3122SSL_CTX_free(ctx);
3123
3124return err;
3125}
3126
3127
3128
3129
3130/*************************************************
36f12725
NM
3131* Report the library versions. *
3132*************************************************/
3133
3134/* There have historically been some issues with binary compatibility in
3135OpenSSL libraries; if Exim (like many other applications) is built against
3136one version of OpenSSL but the run-time linker picks up another version,
3137it can result in serious failures, including crashing with a SIGSEGV. So
3138report the version found by the compiler and the run-time version.
3139
f64a1e23
PP
3140Note: some OS vendors backport security fixes without changing the version
3141number/string, and the version date remains unchanged. The _build_ date
3142will change, so we can more usefully assist with version diagnosis by also
3143reporting the build date.
3144
36f12725
NM
3145Arguments: a FILE* to print the results to
3146Returns: nothing
3147*/
3148
3149void
3150tls_version_report(FILE *f)
3151{
754a0503 3152fprintf(f, "Library version: OpenSSL: Compile: %s\n"
f64a1e23
PP
3153 " Runtime: %s\n"
3154 " : %s\n",
754a0503 3155 OPENSSL_VERSION_TEXT,
f64a1e23
PP
3156 SSLeay_version(SSLEAY_VERSION),
3157 SSLeay_version(SSLEAY_BUILT_ON));
3158/* third line is 38 characters for the %s and the line is 73 chars long;
3159the OpenSSL output includes a "built on: " prefix already. */
36f12725
NM
3160}
3161
9e3331ea
TK
3162
3163
3164
3165/*************************************************
17c76198 3166* Random number generation *
9e3331ea
TK
3167*************************************************/
3168
3169/* Pseudo-random number generation. The result is not expected to be
3170cryptographically strong but not so weak that someone will shoot themselves
3171in the foot using it as a nonce in input in some email header scheme or
3172whatever weirdness they'll twist this into. The result should handle fork()
3173and avoid repeating sequences. OpenSSL handles that for us.
3174
3175Arguments:
3176 max range maximum
3177Returns a random number in range [0, max-1]
3178*/
3179
3180int
17c76198 3181vaguely_random_number(int max)
9e3331ea
TK
3182{
3183unsigned int r;
3184int i, needed_len;
de6135a0
PP
3185static pid_t pidlast = 0;
3186pid_t pidnow;
9e3331ea
TK
3187uschar smallbuf[sizeof(r)];
3188
3189if (max <= 1)
3190 return 0;
3191
de6135a0
PP
3192pidnow = getpid();
3193if (pidnow != pidlast)
3194 {
3195 /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
3196 is unique for each thread", this doesn't apparently apply across processes,
3197 so our own warning from vaguely_random_number_fallback() applies here too.
3198 Fix per PostgreSQL. */
3199 if (pidlast != 0)
3200 RAND_cleanup();
3201 pidlast = pidnow;
3202 }
3203
9e3331ea
TK
3204/* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
3205if (!RAND_status())
3206 {
3207 randstuff r;
3208 gettimeofday(&r.tv, NULL);
3209 r.p = getpid();
3210
5903c6ff 3211 RAND_seed(US (&r), sizeof(r));
9e3331ea
TK
3212 }
3213/* We're after pseudo-random, not random; if we still don't have enough data
3214in the internal PRNG then our options are limited. We could sleep and hope
3215for entropy to come along (prayer technique) but if the system is so depleted
3216in the first place then something is likely to just keep taking it. Instead,
3217we'll just take whatever little bit of pseudo-random we can still manage to
3218get. */
3219
3220needed_len = sizeof(r);
3221/* Don't take 8 times more entropy than needed if int is 8 octets and we were
3222asked for a number less than 10. */
3223for (r = max, i = 0; r; ++i)
3224 r >>= 1;
3225i = (i + 7) / 8;
3226if (i < needed_len)
3227 needed_len = i;
3228
c8dfb21d 3229#ifdef EXIM_HAVE_RAND_PSEUDO
9e3331ea 3230/* We do not care if crypto-strong */
17c76198 3231i = RAND_pseudo_bytes(smallbuf, needed_len);
c8dfb21d
JH
3232#else
3233i = RAND_bytes(smallbuf, needed_len);
3234#endif
3235
17c76198
PP
3236if (i < 0)
3237 {
3238 DEBUG(D_all)
3239 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
3240 return vaguely_random_number_fallback(max);
3241 }
3242
9e3331ea 3243r = 0;
db3f7b69
JH
3244for (uschar * p = smallbuf; needed_len; --needed_len, ++p)
3245 r = 256 * r + *p;
9e3331ea
TK
3246
3247/* We don't particularly care about weighted results; if someone wants
3248smooth distribution and cares enough then they should submit a patch then. */
3249return r % max;
3250}
3251
77bb000f
PP
3252
3253
3254
3255/*************************************************
3256* OpenSSL option parse *
3257*************************************************/
3258
3259/* Parse one option for tls_openssl_options_parse below
3260
3261Arguments:
3262 name one option name
3263 value place to store a value for it
3264Returns success or failure in parsing
3265*/
3266
77bb000f 3267
c80c5570 3268
77bb000f
PP
3269static BOOL
3270tls_openssl_one_option_parse(uschar *name, long *value)
3271{
3272int first = 0;
3273int last = exim_openssl_options_size;
3274while (last > first)
3275 {
3276 int middle = (first + last)/2;
3277 int c = Ustrcmp(name, exim_openssl_options[middle].name);
3278 if (c == 0)
3279 {