Fix eximon build.
[exim.git] / src / src / tls-openssl.c
CommitLineData
059ec3d9
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
c4ceed07 5/* Copyright (c) University of Cambridge 1995 - 2012 */
059ec3d9
PH
6/* See the file NOTICE for conditions of use and distribution. */
7
8/* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
9library. It is #included into the tls.c file when that library is used. The
10code herein is based on a patch that was originally contributed by Steve
11Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
12
13No cryptographic code is included in Exim. All this module does is to call
14functions from the OpenSSL library. */
15
16
17/* Heading stuff */
18
19#include <openssl/lhash.h>
20#include <openssl/ssl.h>
21#include <openssl/err.h>
22#include <openssl/rand.h>
3f7eeb86
PP
23#ifdef EXPERIMENTAL_OCSP
24#include <openssl/ocsp.h>
25#endif
26
27#ifdef EXPERIMENTAL_OCSP
28#define EXIM_OCSP_SKEW_SECONDS (300L)
29#define EXIM_OCSP_MAX_AGE (-1L)
30#endif
059ec3d9 31
3bcbbbe2
PP
32#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
33#define EXIM_HAVE_OPENSSL_TLSEXT
34#endif
35
059ec3d9
PH
36/* Structure for collecting random data for seeding. */
37
38typedef struct randstuff {
9e3331ea
TK
39 struct timeval tv;
40 pid_t p;
059ec3d9
PH
41} randstuff;
42
43/* Local static variables */
44
a2ff477a
JH
45static BOOL client_verify_callback_called = FALSE;
46static BOOL server_verify_callback_called = FALSE;
059ec3d9
PH
47static const uschar *sid_ctx = US"exim";
48
817d9f57
JH
49static SSL_CTX *client_ctx = NULL;
50static SSL_CTX *server_ctx = NULL;
51static SSL *client_ssl = NULL;
52static SSL *server_ssl = NULL;
389ca47a 53
35731706 54#ifdef EXIM_HAVE_OPENSSL_TLSEXT
817d9f57 55static SSL_CTX *server_sni = NULL;
35731706 56#endif
059ec3d9
PH
57
58static char ssl_errstring[256];
59
60static int ssl_session_timeout = 200;
a2ff477a
JH
61static BOOL client_verify_optional = FALSE;
62static BOOL server_verify_optional = FALSE;
059ec3d9 63
7be682ca 64static BOOL reexpand_tls_files_for_sni = FALSE;
059ec3d9
PH
65
66
7be682ca
PP
67typedef struct tls_ext_ctx_cb {
68 uschar *certificate;
69 uschar *privatekey;
3f7eeb86
PP
70#ifdef EXPERIMENTAL_OCSP
71 uschar *ocsp_file;
72 uschar *ocsp_file_expanded;
73 OCSP_RESPONSE *ocsp_response;
74#endif
7be682ca
PP
75 uschar *dhparam;
76 /* these are cached from first expand */
77 uschar *server_cipher_list;
78 /* only passed down to tls_error: */
79 host_item *host;
80} tls_ext_ctx_cb;
81
82/* should figure out a cleanup of API to handle state preserved per
83implementation, for various reasons, which can be void * in the APIs.
84For now, we hack around it. */
817d9f57
JH
85tls_ext_ctx_cb *client_static_cbinfo = NULL;
86tls_ext_ctx_cb *server_static_cbinfo = NULL;
7be682ca
PP
87
88static int
a2ff477a 89setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional, BOOL client);
059ec3d9 90
3f7eeb86 91/* Callbacks */
3bcbbbe2 92#ifdef EXIM_HAVE_OPENSSL_TLSEXT
3f7eeb86 93static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
3bcbbbe2 94#endif
3f7eeb86
PP
95#ifdef EXPERIMENTAL_OCSP
96static int tls_stapling_cb(SSL *s, void *arg);
97#endif
98
059ec3d9
PH
99
100/*************************************************
101* Handle TLS error *
102*************************************************/
103
104/* Called from lots of places when errors occur before actually starting to do
105the TLS handshake, that is, while the session is still in clear. Always returns
106DEFER for a server and FAIL for a client so that most calls can use "return
107tls_error(...)" to do this processing and then give an appropriate return. A
108single function is used for both server and client, because it is called from
109some shared functions.
110
111Argument:
112 prefix text to include in the logged error
113 host NULL if setting up a server;
114 the connected host if setting up a client
7199e1ee 115 msg error message or NULL if we should ask OpenSSL
059ec3d9
PH
116
117Returns: OK/DEFER/FAIL
118*/
119
120static int
7199e1ee 121tls_error(uschar *prefix, host_item *host, uschar *msg)
059ec3d9 122{
7199e1ee
TF
123if (msg == NULL)
124 {
125 ERR_error_string(ERR_get_error(), ssl_errstring);
5ca6d115 126 msg = (uschar *)ssl_errstring;
7199e1ee
TF
127 }
128
059ec3d9
PH
129if (host == NULL)
130 {
7199e1ee 131 uschar *conn_info = smtp_get_connection_info();
5ca6d115 132 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0)
7199e1ee
TF
133 conn_info += 5;
134 log_write(0, LOG_MAIN, "TLS error on %s (%s): %s",
135 conn_info, prefix, msg);
059ec3d9
PH
136 return DEFER;
137 }
138else
139 {
140 log_write(0, LOG_MAIN, "TLS error on connection to %s [%s] (%s): %s",
7199e1ee 141 host->name, host->address, prefix, msg);
059ec3d9
PH
142 return FAIL;
143 }
144}
145
146
147
148/*************************************************
149* Callback to generate RSA key *
150*************************************************/
151
152/*
153Arguments:
154 s SSL connection
155 export not used
156 keylength keylength
157
158Returns: pointer to generated key
159*/
160
161static RSA *
162rsa_callback(SSL *s, int export, int keylength)
163{
164RSA *rsa_key;
165export = export; /* Shut picky compilers up */
166DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
167rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL);
168if (rsa_key == NULL)
169 {
170 ERR_error_string(ERR_get_error(), ssl_errstring);
171 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
172 ssl_errstring);
173 return NULL;
174 }
175return rsa_key;
176}
177
178
179
180
181/*************************************************
182* Callback for verification *
183*************************************************/
184
185/* The SSL library does certificate verification if set up to do so. This
186callback has the current yes/no state is in "state". If verification succeeded,
187we set up the tls_peerdn string. If verification failed, what happens depends
188on whether the client is required to present a verifiable certificate or not.
189
190If verification is optional, we change the state to yes, but still log the
191verification error. For some reason (it really would help to have proper
192documentation of OpenSSL), this callback function then gets called again, this
193time with state = 1. In fact, that's useful, because we can set up the peerdn
194value, but we must take care not to set the private verified flag on the second
195time through.
196
197Note: this function is not called if the client fails to present a certificate
198when asked. We get here only if a certificate has been received. Handling of
199optional verification for this case is done when requesting SSL to verify, by
200setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
201
202Arguments:
203 state current yes/no state as 1/0
204 x509ctx certificate information.
a2ff477a 205 client TRUE for client startup, FALSE for server startup
059ec3d9
PH
206
207Returns: 1 if verified, 0 if not
208*/
209
210static int
a2ff477a 211verify_callback(int state, X509_STORE_CTX *x509ctx, BOOL client)
059ec3d9
PH
212{
213static uschar txt[256];
a2ff477a
JH
214tls_support * tlsp;
215BOOL * calledp;
216BOOL * optionalp;
217
218if (client)
219 {
220 tlsp= &tls_out;
221 calledp= &client_verify_callback_called;
222 optionalp= &client_verify_optional;
223 }
224else
225 {
226 tlsp= &tls_in;
227 calledp= &server_verify_callback_called;
228 optionalp= &server_verify_optional;
229 }
059ec3d9
PH
230
231X509_NAME_oneline(X509_get_subject_name(x509ctx->current_cert),
232 CS txt, sizeof(txt));
233
234if (state == 0)
235 {
236 log_write(0, LOG_MAIN, "SSL verify error: depth=%d error=%s cert=%s",
237 x509ctx->error_depth,
238 X509_verify_cert_error_string(x509ctx->error),
239 txt);
a2ff477a
JH
240 tlsp->certificate_verified = FALSE;
241 *calledp = TRUE;
242 if (!*optionalp) return 0; /* reject */
059ec3d9
PH
243 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
244 "tls_try_verify_hosts)\n");
245 return 1; /* accept */
246 }
247
248if (x509ctx->error_depth != 0)
249 {
250 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d cert=%s\n",
251 x509ctx->error_depth, txt);
252 }
253else
254 {
255 DEBUG(D_tls) debug_printf("SSL%s peer: %s\n",
a2ff477a
JH
256 *calledp ? "" : " authenticated", txt);
257 tlsp->peerdn = txt;
059ec3d9
PH
258 }
259
a2ff477a
JH
260if (!*calledp) tlsp->certificate_verified = TRUE;
261*calledp = TRUE;
059ec3d9
PH
262
263return 1; /* accept */
264}
265
a2ff477a
JH
266static int
267verify_callback_client(int state, X509_STORE_CTX *x509ctx)
268{
269return verify_callback(state, x509ctx, TRUE);
270}
271
272static int
273verify_callback_server(int state, X509_STORE_CTX *x509ctx)
274{
275return verify_callback(state, x509ctx, FALSE);
276}
277
059ec3d9
PH
278
279
280/*************************************************
281* Information callback *
282*************************************************/
283
284/* The SSL library functions call this from time to time to indicate what they
7be682ca
PP
285are doing. We copy the string to the debugging output when TLS debugging has
286been requested.
059ec3d9
PH
287
288Arguments:
289 s the SSL connection
290 where
291 ret
292
293Returns: nothing
294*/
295
296static void
297info_callback(SSL *s, int where, int ret)
298{
299where = where;
300ret = ret;
301DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
302}
303
304
305
306/*************************************************
307* Initialize for DH *
308*************************************************/
309
310/* If dhparam is set, expand it, and load up the parameters for DH encryption.
311
312Arguments:
a799883d 313 dhparam DH parameter file or fixed parameter identity string
7199e1ee 314 host connected host, if client; NULL if server
059ec3d9
PH
315
316Returns: TRUE if OK (nothing to set up, or setup worked)
317*/
318
319static BOOL
a799883d 320init_dh(SSL_CTX *sctx, uschar *dhparam, host_item *host)
059ec3d9 321{
059ec3d9
PH
322BIO *bio;
323DH *dh;
324uschar *dhexpanded;
a799883d 325const char *pem;
059ec3d9
PH
326
327if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded))
328 return FALSE;
329
a799883d 330if (dhexpanded == NULL || *dhexpanded == '\0')
059ec3d9 331 {
a799883d 332 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
059ec3d9 333 }
a799883d 334else if (dhexpanded[0] == '/')
059ec3d9 335 {
a799883d
PP
336 bio = BIO_new_file(CS dhexpanded, "r");
337 if (bio == NULL)
059ec3d9 338 {
7199e1ee 339 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
a799883d
PP
340 host, US strerror(errno));
341 return FALSE;
059ec3d9 342 }
a799883d
PP
343 }
344else
345 {
346 if (Ustrcmp(dhexpanded, "none") == 0)
059ec3d9 347 {
a799883d
PP
348 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
349 return TRUE;
059ec3d9 350 }
a799883d
PP
351
352 pem = std_dh_prime_named(dhexpanded);
353 if (!pem)
354 {
355 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
356 host, US strerror(errno));
357 return FALSE;
358 }
359 bio = BIO_new_mem_buf(CS pem, -1);
360 }
361
362dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
363if (dh == NULL)
364 {
059ec3d9 365 BIO_free(bio);
a799883d
PP
366 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
367 host, NULL);
368 return FALSE;
369 }
370
371/* Even if it is larger, we silently return success rather than cause things
372 * to fail out, so that a too-large DH will not knock out all TLS; it's a
373 * debatable choice. */
374if ((8*DH_size(dh)) > tls_dh_max_bits)
375 {
376 DEBUG(D_tls)
377 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d",
378 8*DH_size(dh), tls_dh_max_bits);
379 }
380else
381 {
382 SSL_CTX_set_tmp_dh(sctx, dh);
383 DEBUG(D_tls)
384 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
385 dhexpanded ? dhexpanded : US"default", 8*DH_size(dh));
059ec3d9
PH
386 }
387
a799883d
PP
388DH_free(dh);
389BIO_free(bio);
390
391return TRUE;
059ec3d9
PH
392}
393
394
395
396
3f7eeb86
PP
397#ifdef EXPERIMENTAL_OCSP
398/*************************************************
399* Load OCSP information into state *
400*************************************************/
401
402/* Called to load the OCSP response from the given file into memory, once
403caller has determined this is needed. Checks validity. Debugs a message
404if invalid.
405
406ASSUMES: single response, for single cert.
407
408Arguments:
409 sctx the SSL_CTX* to update
410 cbinfo various parts of session state
411 expanded the filename putatively holding an OCSP response
412
413*/
414
415static void
416ocsp_load_response(SSL_CTX *sctx,
417 tls_ext_ctx_cb *cbinfo,
418 const uschar *expanded)
419{
420BIO *bio;
421OCSP_RESPONSE *resp;
422OCSP_BASICRESP *basic_response;
423OCSP_SINGLERESP *single_response;
424ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
425X509_STORE *store;
426unsigned long verify_flags;
427int status, reason, i;
428
429cbinfo->ocsp_file_expanded = string_copy(expanded);
430if (cbinfo->ocsp_response)
431 {
432 OCSP_RESPONSE_free(cbinfo->ocsp_response);
433 cbinfo->ocsp_response = NULL;
434 }
435
436bio = BIO_new_file(CS cbinfo->ocsp_file_expanded, "rb");
437if (!bio)
438 {
439 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
440 cbinfo->ocsp_file_expanded);
441 return;
442 }
443
444resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
445BIO_free(bio);
446if (!resp)
447 {
448 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
449 return;
450 }
451
452status = OCSP_response_status(resp);
453if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL)
454 {
455 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
456 OCSP_response_status_str(status), status);
457 return;
458 }
459
460basic_response = OCSP_response_get1_basic(resp);
461if (!basic_response)
462 {
463 DEBUG(D_tls)
464 debug_printf("OCSP response parse error: unable to extract basic response.\n");
465 return;
466 }
467
468store = SSL_CTX_get_cert_store(sctx);
469verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
470
471/* May need to expose ability to adjust those flags?
472OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
473OCSP_TRUSTOTHER OCSP_NOINTERN */
474
475i = OCSP_basic_verify(basic_response, NULL, store, verify_flags);
476if (i <= 0)
477 {
478 DEBUG(D_tls) {
479 ERR_error_string(ERR_get_error(), ssl_errstring);
480 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
481 }
482 return;
483 }
484
485/* Here's the simplifying assumption: there's only one response, for the
486one certificate we use, and nothing for anything else in a chain. If this
487proves false, we need to extract a cert id from our issued cert
488(tls_certificate) and use that for OCSP_resp_find_status() (which finds the
489right cert in the stack and then calls OCSP_single_get0_status()).
490
491I'm hoping to avoid reworking a bunch more of how we handle state here. */
492single_response = OCSP_resp_get0(basic_response, 0);
493if (!single_response)
494 {
495 DEBUG(D_tls)
496 debug_printf("Unable to get first response from OCSP basic response.\n");
497 return;
498 }
499
500status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
501/* how does this status differ from the one above? */
502if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL)
503 {
504 DEBUG(D_tls) debug_printf("OCSP response not valid (take 2): %s (%d)\n",
505 OCSP_response_status_str(status), status);
506 return;
507 }
508
509if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
510 {
511 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
512 return;
513 }
514
515cbinfo->ocsp_response = resp;
516}
517#endif
518
519
520
521
059ec3d9 522/*************************************************
7be682ca
PP
523* Expand key and cert file specs *
524*************************************************/
525
526/* Called once during tls_init and possibly againt during TLS setup, for a
527new context, if Server Name Indication was used and tls_sni was seen in
528the certificate string.
529
530Arguments:
531 sctx the SSL_CTX* to update
532 cbinfo various parts of session state
533
534Returns: OK/DEFER/FAIL
535*/
536
537static int
3f7eeb86 538tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo)
7be682ca
PP
539{
540uschar *expanded;
541
542if (cbinfo->certificate == NULL)
543 return OK;
544
d9b2312b
JH
545if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
546 Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
547 Ustrstr(cbinfo->certificate, US"tls_out_sni")
548 )
7be682ca
PP
549 reexpand_tls_files_for_sni = TRUE;
550
551if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded))
552 return DEFER;
553
554if (expanded != NULL)
555 {
556 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded);
557 if (!SSL_CTX_use_certificate_chain_file(sctx, CS expanded))
558 return tls_error(string_sprintf(
559 "SSL_CTX_use_certificate_chain_file file=%s", expanded),
560 cbinfo->host, NULL);
561 }
562
563if (cbinfo->privatekey != NULL &&
564 !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded))
565 return DEFER;
566
567/* If expansion was forced to fail, key_expanded will be NULL. If the result
568of the expansion is an empty string, ignore it also, and assume the private
569key is in the same file as the certificate. */
570
571if (expanded != NULL && *expanded != 0)
572 {
573 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
574 if (!SSL_CTX_use_PrivateKey_file(sctx, CS expanded, SSL_FILETYPE_PEM))
575 return tls_error(string_sprintf(
576 "SSL_CTX_use_PrivateKey_file file=%s", expanded), cbinfo->host, NULL);
577 }
578
3f7eeb86
PP
579#ifdef EXPERIMENTAL_OCSP
580if (cbinfo->ocsp_file != NULL)
581 {
582 if (!expand_check(cbinfo->ocsp_file, US"tls_ocsp_file", &expanded))
583 return DEFER;
584
585 if (expanded != NULL && *expanded != 0)
586 {
587 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
588 if (cbinfo->ocsp_file_expanded &&
589 (Ustrcmp(expanded, cbinfo->ocsp_file_expanded) == 0))
590 {
591 DEBUG(D_tls)
592 debug_printf("tls_ocsp_file value unchanged, using existing values.\n");
593 } else {
594 ocsp_load_response(sctx, cbinfo, expanded);
595 }
596 }
597 }
598#endif
599
7be682ca
PP
600return OK;
601}
602
603
604
605
606/*************************************************
607* Callback to handle SNI *
608*************************************************/
609
610/* Called when acting as server during the TLS session setup if a Server Name
611Indication extension was sent by the client.
612
613API documentation is OpenSSL s_server.c implementation.
614
615Arguments:
616 s SSL* of the current session
617 ad unknown (part of OpenSSL API) (unused)
618 arg Callback of "our" registered data
619
620Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
621*/
622
3bcbbbe2 623#ifdef EXIM_HAVE_OPENSSL_TLSEXT
7be682ca 624static int
7be682ca
PP
625tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
626{
627const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
3f7eeb86 628tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
7be682ca 629int rc;
3f0945ff 630int old_pool = store_pool;
7be682ca
PP
631
632if (!servername)
633 return SSL_TLSEXT_ERR_OK;
634
3f0945ff 635DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
7be682ca
PP
636 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
637
638/* Make the extension value available for expansion */
3f0945ff 639store_pool = POOL_PERM;
817d9f57 640tls_in.sni = string_copy(US servername);
3f0945ff 641store_pool = old_pool;
7be682ca
PP
642
643if (!reexpand_tls_files_for_sni)
644 return SSL_TLSEXT_ERR_OK;
645
646/* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
647not confident that memcpy wouldn't break some internal reference counting.
648Especially since there's a references struct member, which would be off. */
649
817d9f57
JH
650server_sni = SSL_CTX_new(SSLv23_server_method());
651if (!server_sni)
7be682ca
PP
652 {
653 ERR_error_string(ERR_get_error(), ssl_errstring);
654 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
655 return SSL_TLSEXT_ERR_NOACK;
656 }
657
658/* Not sure how many of these are actually needed, since SSL object
659already exists. Might even need this selfsame callback, for reneg? */
660
817d9f57
JH
661SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
662SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
663SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
664SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
665SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
666SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
7be682ca 667if (cbinfo->server_cipher_list)
817d9f57 668 SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list);
3f7eeb86
PP
669#ifdef EXPERIMENTAL_OCSP
670if (cbinfo->ocsp_file)
671 {
817d9f57 672 SSL_CTX_set_tlsext_status_cb(server_sni, tls_stapling_cb);
5e55c7a9 673 SSL_CTX_set_tlsext_status_arg(server_ctx, cbinfo);
3f7eeb86
PP
674 }
675#endif
7be682ca 676
a2ff477a 677rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE, FALSE);
7be682ca
PP
678if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
679
3f7eeb86
PP
680/* do this after setup_certs, because this can require the certs for verifying
681OCSP information. */
817d9f57 682rc = tls_expand_session_files(server_sni, cbinfo);
7be682ca
PP
683if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
684
389ca47a 685rc = init_dh(server_sni, cbinfo->dhparam, NULL);
a799883d
PP
686if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
687
7be682ca 688DEBUG(D_tls) debug_printf("Switching SSL context.\n");
817d9f57 689SSL_set_SSL_CTX(s, server_sni);
7be682ca
PP
690
691return SSL_TLSEXT_ERR_OK;
692}
3bcbbbe2 693#endif /* EXIM_HAVE_OPENSSL_TLSEXT */
7be682ca
PP
694
695
696
697
3f7eeb86
PP
698#ifdef EXPERIMENTAL_OCSP
699/*************************************************
700* Callback to handle OCSP Stapling *
701*************************************************/
702
703/* Called when acting as server during the TLS session setup if the client
704requests OCSP information with a Certificate Status Request.
705
706Documentation via openssl s_server.c and the Apache patch from the OpenSSL
707project.
708
709*/
710
711static int
712tls_stapling_cb(SSL *s, void *arg)
713{
714const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
715uschar *response_der;
716int response_der_len;
717
718DEBUG(D_tls) debug_printf("Received TLS status request (OCSP stapling); %s response.\n",
719 cbinfo->ocsp_response ? "have" : "lack");
720if (!cbinfo->ocsp_response)
721 return SSL_TLSEXT_ERR_NOACK;
722
723response_der = NULL;
724response_der_len = i2d_OCSP_RESPONSE(cbinfo->ocsp_response, &response_der);
725if (response_der_len <= 0)
726 return SSL_TLSEXT_ERR_NOACK;
727
5e55c7a9 728SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
3f7eeb86
PP
729return SSL_TLSEXT_ERR_OK;
730}
731
732#endif /* EXPERIMENTAL_OCSP */
733
734
735
736
7be682ca 737/*************************************************
059ec3d9
PH
738* Initialize for TLS *
739*************************************************/
740
741/* Called from both server and client code, to do preliminary initialization of
742the library.
743
744Arguments:
745 host connected host, if client; NULL if server
746 dhparam DH parameter file
747 certificate certificate file
748 privatekey private key
749 addr address if client; NULL if server (for some randomness)
750
751Returns: OK/DEFER/FAIL
752*/
753
754static int
817d9f57 755tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
3f7eeb86
PP
756 uschar *privatekey,
757#ifdef EXPERIMENTAL_OCSP
758 uschar *ocsp_file,
759#endif
817d9f57 760 address_item *addr, tls_ext_ctx_cb ** cbp)
059ec3d9 761{
77bb000f 762long init_options;
7be682ca 763int rc;
77bb000f 764BOOL okay;
7be682ca
PP
765tls_ext_ctx_cb *cbinfo;
766
767cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
768cbinfo->certificate = certificate;
769cbinfo->privatekey = privatekey;
3f7eeb86
PP
770#ifdef EXPERIMENTAL_OCSP
771cbinfo->ocsp_file = ocsp_file;
772#endif
7be682ca
PP
773cbinfo->dhparam = dhparam;
774cbinfo->host = host;
77bb000f 775
059ec3d9
PH
776SSL_load_error_strings(); /* basic set up */
777OpenSSL_add_ssl_algorithms();
778
388d6564 779#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
77bb000f 780/* SHA256 is becoming ever more popular. This makes sure it gets added to the
a0475b69
TK
781list of available digests. */
782EVP_add_digest(EVP_sha256());
cf1ef1a9 783#endif
a0475b69 784
f0f5a555
PP
785/* Create a context.
786The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
787negotiation in the different methods; as far as I can tell, the only
788*_{server,client}_method which allows negotiation is SSLv23, which exists even
789when OpenSSL is built without SSLv2 support.
790By disabling with openssl_options, we can let admins re-enable with the
791existing knob. */
059ec3d9 792
817d9f57 793*ctxp = SSL_CTX_new((host == NULL)?
059ec3d9
PH
794 SSLv23_server_method() : SSLv23_client_method());
795
817d9f57 796if (*ctxp == NULL) return tls_error(US"SSL_CTX_new", host, NULL);
059ec3d9
PH
797
798/* It turns out that we need to seed the random number generator this early in
799order to get the full complement of ciphers to work. It took me roughly a day
800of work to discover this by experiment.
801
802On systems that have /dev/urandom, SSL may automatically seed itself from
803there. Otherwise, we have to make something up as best we can. Double check
804afterwards. */
805
806if (!RAND_status())
807 {
808 randstuff r;
9e3331ea 809 gettimeofday(&r.tv, NULL);
059ec3d9
PH
810 r.p = getpid();
811
812 RAND_seed((uschar *)(&r), sizeof(r));
813 RAND_seed((uschar *)big_buffer, big_buffer_size);
814 if (addr != NULL) RAND_seed((uschar *)addr, sizeof(addr));
815
816 if (!RAND_status())
7199e1ee 817 return tls_error(US"RAND_status", host,
5ca6d115 818 US"unable to seed random number generator");
059ec3d9
PH
819 }
820
821/* Set up the information callback, which outputs if debugging is at a suitable
822level. */
823
817d9f57 824SSL_CTX_set_info_callback(*ctxp, (void (*)())info_callback);
059ec3d9 825
c80c5570 826/* Automatically re-try reads/writes after renegotiation. */
817d9f57 827(void) SSL_CTX_set_mode(*ctxp, SSL_MODE_AUTO_RETRY);
c80c5570 828
77bb000f
PP
829/* Apply administrator-supplied work-arounds.
830Historically we applied just one requested option,
831SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
832moved to an administrator-controlled list of options to specify and
833grandfathered in the first one as the default value for "openssl_options".
059ec3d9 834
77bb000f
PP
835No OpenSSL version number checks: the options we accept depend upon the
836availability of the option value macros from OpenSSL. */
059ec3d9 837
77bb000f
PP
838okay = tls_openssl_options_parse(openssl_options, &init_options);
839if (!okay)
73a46702 840 return tls_error(US"openssl_options parsing failed", host, NULL);
77bb000f
PP
841
842if (init_options)
843 {
844 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
817d9f57 845 if (!(SSL_CTX_set_options(*ctxp, init_options)))
77bb000f
PP
846 return tls_error(string_sprintf(
847 "SSL_CTX_set_option(%#lx)", init_options), host, NULL);
848 }
849else
850 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
059ec3d9
PH
851
852/* Initialize with DH parameters if supplied */
853
817d9f57 854if (!init_dh(*ctxp, dhparam, host)) return DEFER;
059ec3d9 855
3f7eeb86 856/* Set up certificate and key (and perhaps OCSP info) */
059ec3d9 857
817d9f57 858rc = tls_expand_session_files(*ctxp, cbinfo);
7be682ca 859if (rc != OK) return rc;
c91535f3 860
7be682ca 861/* If we need to handle SNI, do so */
3bcbbbe2 862#ifdef EXIM_HAVE_OPENSSL_TLSEXT
3f0945ff
PP
863if (host == NULL)
864 {
3f7eeb86
PP
865#ifdef EXPERIMENTAL_OCSP
866 /* We check ocsp_file, not ocsp_response, because we care about if
867 the option exists, not what the current expansion might be, as SNI might
868 change the certificate and OCSP file in use between now and the time the
869 callback is invoked. */
870 if (cbinfo->ocsp_file)
871 {
5e55c7a9
PP
872 SSL_CTX_set_tlsext_status_cb(server_ctx, tls_stapling_cb);
873 SSL_CTX_set_tlsext_status_arg(server_ctx, cbinfo);
3f7eeb86
PP
874 }
875#endif
3f0945ff
PP
876 /* We always do this, so that $tls_sni is available even if not used in
877 tls_certificate */
817d9f57
JH
878 SSL_CTX_set_tlsext_servername_callback(*ctxp, tls_servername_cb);
879 SSL_CTX_set_tlsext_servername_arg(*ctxp, cbinfo);
3f0945ff 880 }
7be682ca 881#endif
059ec3d9
PH
882
883/* Set up the RSA callback */
884
817d9f57 885SSL_CTX_set_tmp_rsa_callback(*ctxp, rsa_callback);
059ec3d9
PH
886
887/* Finally, set the timeout, and we are done */
888
817d9f57 889SSL_CTX_set_timeout(*ctxp, ssl_session_timeout);
059ec3d9 890DEBUG(D_tls) debug_printf("Initialized TLS\n");
7be682ca 891
817d9f57 892*cbp = cbinfo;
7be682ca 893
059ec3d9
PH
894return OK;
895}
896
897
898
899
900/*************************************************
901* Get name of cipher in use *
902*************************************************/
903
817d9f57 904/*
059ec3d9 905Argument: pointer to an SSL structure for the connection
817d9f57
JH
906 buffer to use for answer
907 size of buffer
908 pointer to number of bits for cipher
059ec3d9
PH
909Returns: nothing
910*/
911
912static void
817d9f57 913construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits)
059ec3d9 914{
57b3a7f5
PP
915/* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't
916yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
917the accessor functions use const in the prototype. */
918const SSL_CIPHER *c;
059ec3d9 919uschar *ver;
059ec3d9
PH
920
921switch (ssl->session->ssl_version)
922 {
923 case SSL2_VERSION:
924 ver = US"SSLv2";
925 break;
926
927 case SSL3_VERSION:
928 ver = US"SSLv3";
929 break;
930
931 case TLS1_VERSION:
932 ver = US"TLSv1";
933 break;
934
c80c5570
PP
935#ifdef TLS1_1_VERSION
936 case TLS1_1_VERSION:
937 ver = US"TLSv1.1";
938 break;
939#endif
940
941#ifdef TLS1_2_VERSION
942 case TLS1_2_VERSION:
943 ver = US"TLSv1.2";
944 break;
945#endif
946
059ec3d9
PH
947 default:
948 ver = US"UNKNOWN";
949 }
950
57b3a7f5 951c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
817d9f57 952SSL_CIPHER_get_bits(c, bits);
059ec3d9 953
817d9f57
JH
954string_format(cipherbuf, bsize, "%s:%s:%u", ver,
955 SSL_CIPHER_get_name(c), *bits);
059ec3d9
PH
956
957DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
958}
959
960
961
962
963
964/*************************************************
965* Set up for verifying certificates *
966*************************************************/
967
968/* Called by both client and server startup
969
970Arguments:
7be682ca 971 sctx SSL_CTX* to initialise
059ec3d9
PH
972 certs certs file or NULL
973 crl CRL file or NULL
974 host NULL in a server; the remote host in a client
975 optional TRUE if called from a server for a host in tls_try_verify_hosts;
976 otherwise passed as FALSE
a2ff477a 977 client TRUE if called for client startup, FALSE for server startup
059ec3d9
PH
978
979Returns: OK/DEFER/FAIL
980*/
981
982static int
a2ff477a 983setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional, BOOL client)
059ec3d9
PH
984{
985uschar *expcerts, *expcrl;
986
987if (!expand_check(certs, US"tls_verify_certificates", &expcerts))
988 return DEFER;
989
990if (expcerts != NULL)
991 {
992 struct stat statbuf;
7be682ca 993 if (!SSL_CTX_set_default_verify_paths(sctx))
7199e1ee 994 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
059ec3d9
PH
995
996 if (Ustat(expcerts, &statbuf) < 0)
997 {
998 log_write(0, LOG_MAIN|LOG_PANIC,
999 "failed to stat %s for certificates", expcerts);
1000 return DEFER;
1001 }
1002 else
1003 {
1004 uschar *file, *dir;
1005 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
1006 { file = NULL; dir = expcerts; }
1007 else
1008 { file = expcerts; dir = NULL; }
1009
1010 /* If a certificate file is empty, the next function fails with an
1011 unhelpful error message. If we skip it, we get the correct behaviour (no
1012 certificates are recognized, but the error message is still misleading (it
1013 says no certificate was supplied.) But this is better. */
1014
1015 if ((file == NULL || statbuf.st_size > 0) &&
7be682ca 1016 !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
7199e1ee 1017 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL);
059ec3d9
PH
1018
1019 if (file != NULL)
1020 {
7be682ca 1021 SSL_CTX_set_client_CA_list(sctx, SSL_load_client_CA_file(CS file));
059ec3d9
PH
1022 }
1023 }
1024
1025 /* Handle a certificate revocation list. */
1026
1027 #if OPENSSL_VERSION_NUMBER > 0x00907000L
1028
8b417f2c
PH
1029 /* This bit of code is now the version supplied by Lars Mainka. (I have
1030 * merely reformatted it into the Exim code style.)
1031
1032 * "From here I changed the code to add support for multiple crl's
1033 * in pem format in one file or to support hashed directory entries in
1034 * pem format instead of a file. This method now uses the library function
1035 * X509_STORE_load_locations to add the CRL location to the SSL context.
1036 * OpenSSL will then handle the verify against CA certs and CRLs by
1037 * itself in the verify callback." */
1038
059ec3d9
PH
1039 if (!expand_check(crl, US"tls_crl", &expcrl)) return DEFER;
1040 if (expcrl != NULL && *expcrl != 0)
1041 {
8b417f2c
PH
1042 struct stat statbufcrl;
1043 if (Ustat(expcrl, &statbufcrl) < 0)
1044 {
1045 log_write(0, LOG_MAIN|LOG_PANIC,
1046 "failed to stat %s for certificates revocation lists", expcrl);
1047 return DEFER;
1048 }
1049 else
059ec3d9 1050 {
8b417f2c
PH
1051 /* is it a file or directory? */
1052 uschar *file, *dir;
7be682ca 1053 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
8b417f2c 1054 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
059ec3d9 1055 {
8b417f2c
PH
1056 file = NULL;
1057 dir = expcrl;
1058 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
059ec3d9
PH
1059 }
1060 else
1061 {
8b417f2c
PH
1062 file = expcrl;
1063 dir = NULL;
1064 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
059ec3d9 1065 }
8b417f2c 1066 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
7199e1ee 1067 return tls_error(US"X509_STORE_load_locations", host, NULL);
8b417f2c
PH
1068
1069 /* setting the flags to check against the complete crl chain */
1070
1071 X509_STORE_set_flags(cvstore,
1072 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
059ec3d9 1073 }
059ec3d9
PH
1074 }
1075
1076 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
1077
1078 /* If verification is optional, don't fail if no certificate */
1079
7be682ca 1080 SSL_CTX_set_verify(sctx,
059ec3d9 1081 SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
a2ff477a 1082 client ? verify_callback_client : verify_callback_server);
059ec3d9
PH
1083 }
1084
1085return OK;
1086}
1087
1088
1089
1090/*************************************************
1091* Start a TLS session in a server *
1092*************************************************/
1093
1094/* This is called when Exim is running as a server, after having received
1095the STARTTLS command. It must respond to that command, and then negotiate
1096a TLS session.
1097
1098Arguments:
1099 require_ciphers allowed ciphers
1100
1101Returns: OK on success
1102 DEFER for errors before the start of the negotiation
1103 FAIL for errors during the negotation; the server can't
1104 continue running.
1105*/
1106
1107int
17c76198 1108tls_server_start(const uschar *require_ciphers)
059ec3d9
PH
1109{
1110int rc;
1111uschar *expciphers;
7be682ca 1112tls_ext_ctx_cb *cbinfo;
817d9f57 1113static uschar cipherbuf[256];
059ec3d9
PH
1114
1115/* Check for previous activation */
1116
817d9f57 1117if (tls_in.active >= 0)
059ec3d9 1118 {
5ca6d115 1119 tls_error(US"STARTTLS received after TLS started", NULL, US"");
059ec3d9
PH
1120 smtp_printf("554 Already in TLS\r\n");
1121 return FAIL;
1122 }
1123
1124/* Initialize the SSL library. If it fails, it will already have logged
1125the error. */
1126
817d9f57 1127rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
3f7eeb86
PP
1128#ifdef EXPERIMENTAL_OCSP
1129 tls_ocsp_file,
1130#endif
817d9f57 1131 NULL, &server_static_cbinfo);
059ec3d9 1132if (rc != OK) return rc;
817d9f57 1133cbinfo = server_static_cbinfo;
059ec3d9
PH
1134
1135if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
1136 return FAIL;
1137
1138/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
17c76198
PP
1139were historically separated by underscores. So that I can use either form in my
1140tests, and also for general convenience, we turn underscores into hyphens here.
1141*/
059ec3d9
PH
1142
1143if (expciphers != NULL)
1144 {
1145 uschar *s = expciphers;
1146 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1147 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
817d9f57 1148 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
7199e1ee 1149 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL);
7be682ca 1150 cbinfo->server_cipher_list = expciphers;
059ec3d9
PH
1151 }
1152
1153/* If this is a host for which certificate verification is mandatory or
1154optional, set up appropriately. */
1155
817d9f57 1156tls_in.certificate_verified = FALSE;
a2ff477a 1157server_verify_callback_called = FALSE;
059ec3d9
PH
1158
1159if (verify_check_host(&tls_verify_hosts) == OK)
1160 {
a2ff477a 1161 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL, FALSE, FALSE);
059ec3d9 1162 if (rc != OK) return rc;
a2ff477a 1163 server_verify_optional = FALSE;
059ec3d9
PH
1164 }
1165else if (verify_check_host(&tls_try_verify_hosts) == OK)
1166 {
a2ff477a 1167 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL, TRUE, FALSE);
059ec3d9 1168 if (rc != OK) return rc;
a2ff477a 1169 server_verify_optional = TRUE;
059ec3d9
PH
1170 }
1171
1172/* Prepare for new connection */
1173
817d9f57 1174if ((server_ssl = SSL_new(server_ctx)) == NULL) return tls_error(US"SSL_new", NULL, NULL);
da3ad30d
PP
1175
1176/* Warning: we used to SSL_clear(ssl) here, it was removed.
1177 *
1178 * With the SSL_clear(), we get strange interoperability bugs with
1179 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
1180 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
1181 *
1182 * The SSL_clear() call is to let an existing SSL* be reused, typically after
1183 * session shutdown. In this case, we have a brand new object and there's no
1184 * obvious reason to immediately clear it. I'm guessing that this was
1185 * originally added because of incomplete initialisation which the clear fixed,
1186 * in some historic release.
1187 */
059ec3d9
PH
1188
1189/* Set context and tell client to go ahead, except in the case of TLS startup
1190on connection, where outputting anything now upsets the clients and tends to
1191make them disconnect. We need to have an explicit fflush() here, to force out
1192the response. Other smtp_printf() calls do not need it, because in non-TLS
1193mode, the fflush() happens when smtp_getc() is called. */
1194
817d9f57
JH
1195SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
1196if (!tls_in.on_connect)
059ec3d9
PH
1197 {
1198 smtp_printf("220 TLS go ahead\r\n");
1199 fflush(smtp_out);
1200 }
1201
1202/* Now negotiate the TLS session. We put our own timer on it, since it seems
1203that the OpenSSL library doesn't. */
1204
817d9f57
JH
1205SSL_set_wfd(server_ssl, fileno(smtp_out));
1206SSL_set_rfd(server_ssl, fileno(smtp_in));
1207SSL_set_accept_state(server_ssl);
059ec3d9
PH
1208
1209DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
1210
1211sigalrm_seen = FALSE;
1212if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
817d9f57 1213rc = SSL_accept(server_ssl);
059ec3d9
PH
1214alarm(0);
1215
1216if (rc <= 0)
1217 {
7199e1ee 1218 tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL);
77bb000f
PP
1219 if (ERR_get_error() == 0)
1220 log_write(0, LOG_MAIN,
a053d125 1221 "TLS client disconnected cleanly (rejected our certificate?)");
059ec3d9
PH
1222 return FAIL;
1223 }
1224
1225DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
1226
1227/* TLS has been set up. Adjust the input functions to read via TLS,
1228and initialize things. */
1229
817d9f57
JH
1230construct_cipher_name(server_ssl, cipherbuf, sizeof(cipherbuf), &tls_in.bits);
1231tls_in.cipher = cipherbuf;
059ec3d9
PH
1232
1233DEBUG(D_tls)
1234 {
1235 uschar buf[2048];
817d9f57 1236 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)) != NULL)
059ec3d9
PH
1237 debug_printf("Shared ciphers: %s\n", buf);
1238 }
1239
1240
817d9f57
JH
1241/* Only used by the server-side tls (tls_in), including tls_getc.
1242 Client-side (tls_out) reads (seem to?) go via
1243 smtp_read_response()/ip_recv().
1244 Hence no need to duplicate for _in and _out.
1245 */
059ec3d9
PH
1246ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
1247ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
1248ssl_xfer_eof = ssl_xfer_error = 0;
1249
1250receive_getc = tls_getc;
1251receive_ungetc = tls_ungetc;
1252receive_feof = tls_feof;
1253receive_ferror = tls_ferror;
58eb016e 1254receive_smtp_buffered = tls_smtp_buffered;
059ec3d9 1255
817d9f57 1256tls_in.active = fileno(smtp_out);
059ec3d9
PH
1257return OK;
1258}
1259
1260
1261
1262
1263
1264/*************************************************
1265* Start a TLS session in a client *
1266*************************************************/
1267
1268/* Called from the smtp transport after STARTTLS has been accepted.
1269
1270Argument:
1271 fd the fd of the connection
1272 host connected host (for messages)
83da1223 1273 addr the first address
059ec3d9
PH
1274 dhparam DH parameter file
1275 certificate certificate file
1276 privatekey private key file
3f0945ff 1277 sni TLS SNI to send to remote host
059ec3d9
PH
1278 verify_certs file for certificate verify
1279 crl file containing CRL
1280 require_ciphers list of allowed ciphers
54c90be1
PP
1281 dh_min_bits minimum number of bits acceptable in server's DH prime
1282 (unused in OpenSSL)
83da1223 1283 timeout startup timeout
059ec3d9
PH
1284
1285Returns: OK on success
1286 FAIL otherwise - note that tls_error() will not give DEFER
1287 because this is not a server
1288*/
1289
1290int
1291tls_client_start(int fd, host_item *host, address_item *addr, uschar *dhparam,
3f0945ff
PP
1292 uschar *certificate, uschar *privatekey, uschar *sni,
1293 uschar *verify_certs, uschar *crl,
54c90be1 1294 uschar *require_ciphers, int dh_min_bits ARG_UNUSED, int timeout)
059ec3d9
PH
1295{
1296static uschar txt[256];
1297uschar *expciphers;
1298X509* server_cert;
1299int rc;
817d9f57 1300static uschar cipherbuf[256];
059ec3d9 1301
817d9f57 1302rc = tls_init(&client_ctx, host, dhparam, certificate, privatekey,
3f7eeb86
PP
1303#ifdef EXPERIMENTAL_OCSP
1304 NULL,
1305#endif
817d9f57 1306 addr, &client_static_cbinfo);
059ec3d9
PH
1307if (rc != OK) return rc;
1308
817d9f57 1309tls_out.certificate_verified = FALSE;
a2ff477a 1310client_verify_callback_called = FALSE;
059ec3d9
PH
1311
1312if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
1313 return FAIL;
1314
1315/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
1316are separated by underscores. So that I can use either form in my tests, and
1317also for general convenience, we turn underscores into hyphens here. */
1318
1319if (expciphers != NULL)
1320 {
1321 uschar *s = expciphers;
1322 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1323 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
817d9f57 1324 if (!SSL_CTX_set_cipher_list(client_ctx, CS expciphers))
7199e1ee 1325 return tls_error(US"SSL_CTX_set_cipher_list", host, NULL);
059ec3d9
PH
1326 }
1327
a2ff477a 1328rc = setup_certs(client_ctx, verify_certs, crl, host, FALSE, TRUE);
059ec3d9
PH
1329if (rc != OK) return rc;
1330
817d9f57
JH
1331if ((client_ssl = SSL_new(client_ctx)) == NULL) return tls_error(US"SSL_new", host, NULL);
1332SSL_set_session_id_context(client_ssl, sid_ctx, Ustrlen(sid_ctx));
1333SSL_set_fd(client_ssl, fd);
1334SSL_set_connect_state(client_ssl);
059ec3d9 1335
3f0945ff
PP
1336if (sni)
1337 {
817d9f57 1338 if (!expand_check(sni, US"tls_sni", &tls_out.sni))
3f0945ff 1339 return FAIL;
ec4b68e5 1340 if (tls_out.sni == NULL)
2c9a0e86
PP
1341 {
1342 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
1343 }
ec4b68e5 1344 else if (!Ustrlen(tls_out.sni))
817d9f57 1345 tls_out.sni = NULL;
3f0945ff
PP
1346 else
1347 {
35731706 1348#ifdef EXIM_HAVE_OPENSSL_TLSEXT
817d9f57
JH
1349 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tls_out.sni);
1350 SSL_set_tlsext_host_name(client_ssl, tls_out.sni);
35731706
PP
1351#else
1352 DEBUG(D_tls)
1353 debug_printf("OpenSSL at build-time lacked SNI support, ignoring \"%s\"\n",
1354 tls_sni);
1355#endif
3f0945ff
PP
1356 }
1357 }
1358
059ec3d9
PH
1359/* There doesn't seem to be a built-in timeout on connection. */
1360
1361DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
1362sigalrm_seen = FALSE;
1363alarm(timeout);
817d9f57 1364rc = SSL_connect(client_ssl);
059ec3d9
PH
1365alarm(0);
1366
1367if (rc <= 0)
7199e1ee 1368 return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL);
059ec3d9
PH
1369
1370DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
1371
453a6645 1372/* Beware anonymous ciphers which lead to server_cert being NULL */
817d9f57 1373server_cert = SSL_get_peer_certificate (client_ssl);
453a6645
PP
1374if (server_cert)
1375 {
817d9f57 1376 tls_out.peerdn = US X509_NAME_oneline(X509_get_subject_name(server_cert),
453a6645 1377 CS txt, sizeof(txt));
817d9f57 1378 tls_out.peerdn = txt;
453a6645
PP
1379 }
1380else
817d9f57 1381 tls_out.peerdn = NULL;
059ec3d9 1382
817d9f57
JH
1383construct_cipher_name(client_ssl, cipherbuf, sizeof(cipherbuf), &tls_out.bits);
1384tls_out.cipher = cipherbuf;
059ec3d9 1385
817d9f57 1386tls_out.active = fd;
059ec3d9
PH
1387return OK;
1388}
1389
1390
1391
1392
1393
1394/*************************************************
1395* TLS version of getc *
1396*************************************************/
1397
1398/* This gets the next byte from the TLS input buffer. If the buffer is empty,
1399it refills the buffer via the SSL reading function.
1400
1401Arguments: none
1402Returns: the next character or EOF
817d9f57
JH
1403
1404Only used by the server-side TLS.
059ec3d9
PH
1405*/
1406
1407int
1408tls_getc(void)
1409{
1410if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
1411 {
1412 int error;
1413 int inbytes;
1414
817d9f57 1415 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
c80c5570 1416 ssl_xfer_buffer, ssl_xfer_buffer_size);
059ec3d9
PH
1417
1418 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
817d9f57
JH
1419 inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer, ssl_xfer_buffer_size);
1420 error = SSL_get_error(server_ssl, inbytes);
059ec3d9
PH
1421 alarm(0);
1422
1423 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
1424 closed down, not that the socket itself has been closed down. Revert to
1425 non-SSL handling. */
1426
1427 if (error == SSL_ERROR_ZERO_RETURN)
1428 {
1429 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
1430
1431 receive_getc = smtp_getc;
1432 receive_ungetc = smtp_ungetc;
1433 receive_feof = smtp_feof;
1434 receive_ferror = smtp_ferror;
58eb016e 1435 receive_smtp_buffered = smtp_buffered;
059ec3d9 1436
817d9f57
JH
1437 SSL_free(server_ssl);
1438 server_ssl = NULL;
1439 tls_in.active = -1;
1440 tls_in.bits = 0;
1441 tls_in.cipher = NULL;
1442 tls_in.peerdn = NULL;
1443 tls_in.sni = NULL;
059ec3d9
PH
1444
1445 return smtp_getc();
1446 }
1447
1448 /* Handle genuine errors */
1449
ba084640
PP
1450 else if (error == SSL_ERROR_SSL)
1451 {
1452 ERR_error_string(ERR_get_error(), ssl_errstring);
89dd51cd 1453 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
ba084640
PP
1454 ssl_xfer_error = 1;
1455 return EOF;
1456 }
1457
059ec3d9
PH
1458 else if (error != SSL_ERROR_NONE)
1459 {
1460 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
1461 ssl_xfer_error = 1;
1462 return EOF;
1463 }
c80c5570 1464
80a47a2c
TK
1465#ifndef DISABLE_DKIM
1466 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
1467#endif
059ec3d9
PH
1468 ssl_xfer_buffer_hwm = inbytes;
1469 ssl_xfer_buffer_lwm = 0;
1470 }
1471
1472/* Something in the buffer; return next uschar */
1473
1474return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
1475}
1476
1477
1478
1479/*************************************************
1480* Read bytes from TLS channel *
1481*************************************************/
1482
1483/*
1484Arguments:
1485 buff buffer of data
1486 len size of buffer
1487
1488Returns: the number of bytes read
1489 -1 after a failed read
817d9f57
JH
1490
1491Only used by the client-side TLS.
059ec3d9
PH
1492*/
1493
1494int
389ca47a 1495tls_read(BOOL is_server, uschar *buff, size_t len)
059ec3d9 1496{
389ca47a 1497SSL *ssl = is_server ? server_ssl : client_ssl;
059ec3d9
PH
1498int inbytes;
1499int error;
1500
389ca47a 1501DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
c80c5570 1502 buff, (unsigned int)len);
059ec3d9 1503
389ca47a
JH
1504inbytes = SSL_read(ssl, CS buff, len);
1505error = SSL_get_error(ssl, inbytes);
059ec3d9
PH
1506
1507if (error == SSL_ERROR_ZERO_RETURN)
1508 {
1509 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
1510 return -1;
1511 }
1512else if (error != SSL_ERROR_NONE)
1513 {
1514 return -1;
1515 }
1516
1517return inbytes;
1518}
1519
1520
1521
1522
1523
1524/*************************************************
1525* Write bytes down TLS channel *
1526*************************************************/
1527
1528/*
1529Arguments:
817d9f57 1530 is_server channel specifier
059ec3d9
PH
1531 buff buffer of data
1532 len number of bytes
1533
1534Returns: the number of bytes after a successful write,
1535 -1 after a failed write
817d9f57
JH
1536
1537Used by both server-side and client-side TLS.
059ec3d9
PH
1538*/
1539
1540int
817d9f57 1541tls_write(BOOL is_server, const uschar *buff, size_t len)
059ec3d9
PH
1542{
1543int outbytes;
1544int error;
1545int left = len;
817d9f57 1546SSL *ssl = is_server ? server_ssl : client_ssl;
059ec3d9 1547
c80c5570 1548DEBUG(D_tls) debug_printf("tls_do_write(%p, %d)\n", buff, left);
059ec3d9
PH
1549while (left > 0)
1550 {
c80c5570 1551 DEBUG(D_tls) debug_printf("SSL_write(SSL, %p, %d)\n", buff, left);
059ec3d9
PH
1552 outbytes = SSL_write(ssl, CS buff, left);
1553 error = SSL_get_error(ssl, outbytes);
1554 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
1555 switch (error)
1556 {
1557 case SSL_ERROR_SSL:
1558 ERR_error_string(ERR_get_error(), ssl_errstring);
1559 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
1560 return -1;
1561
1562 case SSL_ERROR_NONE:
1563 left -= outbytes;
1564 buff += outbytes;
1565 break;
1566
1567 case SSL_ERROR_ZERO_RETURN:
1568 log_write(0, LOG_MAIN, "SSL channel closed on write");
1569 return -1;
1570
817d9f57
JH
1571 case SSL_ERROR_SYSCALL:
1572 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
1573 sender_fullhost ? sender_fullhost : US"<unknown>",
1574 strerror(errno));
1575
059ec3d9
PH
1576 default:
1577 log_write(0, LOG_MAIN, "SSL_write error %d", error);
1578 return -1;
1579 }
1580 }
1581return len;
1582}
1583
1584
1585
1586/*************************************************
1587* Close down a TLS session *
1588*************************************************/
1589
1590/* This is also called from within a delivery subprocess forked from the
1591daemon, to shut down the TLS library, without actually doing a shutdown (which
1592would tamper with the SSL session in the parent process).
1593
1594Arguments: TRUE if SSL_shutdown is to be called
1595Returns: nothing
817d9f57
JH
1596
1597Used by both server-side and client-side TLS.
059ec3d9
PH
1598*/
1599
1600void
817d9f57 1601tls_close(BOOL is_server, BOOL shutdown)
059ec3d9 1602{
817d9f57 1603SSL **sslp = is_server ? &server_ssl : &client_ssl;
389ca47a 1604int *fdp = is_server ? &tls_in.active : &tls_out.active;
817d9f57
JH
1605
1606if (*fdp < 0) return; /* TLS was not active */
059ec3d9
PH
1607
1608if (shutdown)
1609 {
1610 DEBUG(D_tls) debug_printf("tls_close(): shutting down SSL\n");
817d9f57 1611 SSL_shutdown(*sslp);
059ec3d9
PH
1612 }
1613
817d9f57
JH
1614SSL_free(*sslp);
1615*sslp = NULL;
059ec3d9 1616
817d9f57 1617*fdp = -1;
059ec3d9
PH
1618}
1619
36f12725
NM
1620
1621
1622
1623/*************************************************
3375e053
PP
1624* Let tls_require_ciphers be checked at startup *
1625*************************************************/
1626
1627/* The tls_require_ciphers option, if set, must be something which the
1628library can parse.
1629
1630Returns: NULL on success, or error message
1631*/
1632
1633uschar *
1634tls_validate_require_cipher(void)
1635{
1636SSL_CTX *ctx;
1637uschar *s, *expciphers, *err;
1638
1639/* this duplicates from tls_init(), we need a better "init just global
1640state, for no specific purpose" singleton function of our own */
1641
1642SSL_load_error_strings();
1643OpenSSL_add_ssl_algorithms();
1644#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
1645/* SHA256 is becoming ever more popular. This makes sure it gets added to the
1646list of available digests. */
1647EVP_add_digest(EVP_sha256());
1648#endif
1649
1650if (!(tls_require_ciphers && *tls_require_ciphers))
1651 return NULL;
1652
1653if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers))
1654 return US"failed to expand tls_require_ciphers";
1655
1656if (!(expciphers && *expciphers))
1657 return NULL;
1658
1659/* normalisation ripped from above */
1660s = expciphers;
1661while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1662
1663err = NULL;
1664
1665ctx = SSL_CTX_new(SSLv23_server_method());
1666if (!ctx)
1667 {
1668 ERR_error_string(ERR_get_error(), ssl_errstring);
1669 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
1670 }
1671
1672DEBUG(D_tls)
1673 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
1674
1675if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
1676 {
1677 ERR_error_string(ERR_get_error(), ssl_errstring);
1678 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed", expciphers);
1679 }
1680
1681SSL_CTX_free(ctx);
1682
1683return err;
1684}
1685
1686
1687
1688
1689/*************************************************
36f12725
NM
1690* Report the library versions. *
1691*************************************************/
1692
1693/* There have historically been some issues with binary compatibility in
1694OpenSSL libraries; if Exim (like many other applications) is built against
1695one version of OpenSSL but the run-time linker picks up another version,
1696it can result in serious failures, including crashing with a SIGSEGV. So
1697report the version found by the compiler and the run-time version.
1698
1699Arguments: a FILE* to print the results to
1700Returns: nothing
1701*/
1702
1703void
1704tls_version_report(FILE *f)
1705{
754a0503
PP
1706fprintf(f, "Library version: OpenSSL: Compile: %s\n"
1707 " Runtime: %s\n",
1708 OPENSSL_VERSION_TEXT,
1709 SSLeay_version(SSLEAY_VERSION));
36f12725
NM
1710}
1711
9e3331ea
TK
1712
1713
1714
1715/*************************************************
17c76198 1716* Random number generation *
9e3331ea
TK
1717*************************************************/
1718
1719/* Pseudo-random number generation. The result is not expected to be
1720cryptographically strong but not so weak that someone will shoot themselves
1721in the foot using it as a nonce in input in some email header scheme or
1722whatever weirdness they'll twist this into. The result should handle fork()
1723and avoid repeating sequences. OpenSSL handles that for us.
1724
1725Arguments:
1726 max range maximum
1727Returns a random number in range [0, max-1]
1728*/
1729
1730int
17c76198 1731vaguely_random_number(int max)
9e3331ea
TK
1732{
1733unsigned int r;
1734int i, needed_len;
1735uschar *p;
1736uschar smallbuf[sizeof(r)];
1737
1738if (max <= 1)
1739 return 0;
1740
1741/* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
1742if (!RAND_status())
1743 {
1744 randstuff r;
1745 gettimeofday(&r.tv, NULL);
1746 r.p = getpid();
1747
1748 RAND_seed((uschar *)(&r), sizeof(r));
1749 }
1750/* We're after pseudo-random, not random; if we still don't have enough data
1751in the internal PRNG then our options are limited. We could sleep and hope
1752for entropy to come along (prayer technique) but if the system is so depleted
1753in the first place then something is likely to just keep taking it. Instead,
1754we'll just take whatever little bit of pseudo-random we can still manage to
1755get. */
1756
1757needed_len = sizeof(r);
1758/* Don't take 8 times more entropy than needed if int is 8 octets and we were
1759asked for a number less than 10. */
1760for (r = max, i = 0; r; ++i)
1761 r >>= 1;
1762i = (i + 7) / 8;
1763if (i < needed_len)
1764 needed_len = i;
1765
1766/* We do not care if crypto-strong */
17c76198
PP
1767i = RAND_pseudo_bytes(smallbuf, needed_len);
1768if (i < 0)
1769 {
1770 DEBUG(D_all)
1771 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
1772 return vaguely_random_number_fallback(max);
1773 }
1774
9e3331ea
TK
1775r = 0;
1776for (p = smallbuf; needed_len; --needed_len, ++p)
1777 {
1778 r *= 256;
1779 r += *p;
1780 }
1781
1782/* We don't particularly care about weighted results; if someone wants
1783smooth distribution and cares enough then they should submit a patch then. */
1784return r % max;
1785}
1786
77bb000f
PP
1787
1788
1789
1790/*************************************************
1791* OpenSSL option parse *
1792*************************************************/
1793
1794/* Parse one option for tls_openssl_options_parse below
1795
1796Arguments:
1797 name one option name
1798 value place to store a value for it
1799Returns success or failure in parsing
1800*/
1801
1802struct exim_openssl_option {
1803 uschar *name;
1804 long value;
1805};
1806/* We could use a macro to expand, but we need the ifdef and not all the
1807options document which version they were introduced in. Policylet: include
1808all options unless explicitly for DTLS, let the administrator choose which
1809to apply.
1810
1811This list is current as of:
c80c5570 1812 ==> 1.0.1b <== */
77bb000f
PP
1813static struct exim_openssl_option exim_openssl_options[] = {
1814/* KEEP SORTED ALPHABETICALLY! */
1815#ifdef SSL_OP_ALL
73a46702 1816 { US"all", SSL_OP_ALL },
77bb000f
PP
1817#endif
1818#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
73a46702 1819 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
77bb000f
PP
1820#endif
1821#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
73a46702 1822 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
77bb000f
PP
1823#endif
1824#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
73a46702 1825 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
77bb000f
PP
1826#endif
1827#ifdef SSL_OP_EPHEMERAL_RSA
73a46702 1828 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
77bb000f
PP
1829#endif
1830#ifdef SSL_OP_LEGACY_SERVER_CONNECT
73a46702 1831 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
77bb000f
PP
1832#endif
1833#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
73a46702 1834 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
77bb000f
PP
1835#endif
1836#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
73a46702 1837 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
77bb000f
PP
1838#endif
1839#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
73a46702 1840 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
77bb000f
PP
1841#endif
1842#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
73a46702 1843 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
77bb000f
PP
1844#endif
1845#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
73a46702 1846 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
77bb000f 1847#endif
c80c5570
PP
1848#ifdef SSL_OP_NO_COMPRESSION
1849 { US"no_compression", SSL_OP_NO_COMPRESSION },
1850#endif
77bb000f 1851#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
73a46702 1852 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
77bb000f 1853#endif
c0c7b2da
PP
1854#ifdef SSL_OP_NO_SSLv2
1855 { US"no_sslv2", SSL_OP_NO_SSLv2 },
1856#endif
1857#ifdef SSL_OP_NO_SSLv3
1858 { US"no_sslv3", SSL_OP_NO_SSLv3 },
1859#endif
1860#ifdef SSL_OP_NO_TICKET
1861 { US"no_ticket", SSL_OP_NO_TICKET },
1862#endif
1863#ifdef SSL_OP_NO_TLSv1
1864 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
1865#endif
c80c5570
PP
1866#ifdef SSL_OP_NO_TLSv1_1
1867#if SSL_OP_NO_TLSv1_1 == 0x00000400L
1868 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
1869#warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
1870#else
1871 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
1872#endif
1873#endif
1874#ifdef SSL_OP_NO_TLSv1_2
1875 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
1876#endif
77bb000f 1877#ifdef SSL_OP_SINGLE_DH_USE
73a46702 1878 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
77bb000f
PP
1879#endif
1880#ifdef SSL_OP_SINGLE_ECDH_USE
73a46702 1881 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
77bb000f
PP
1882#endif
1883#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
73a46702 1884 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
77bb000f
PP
1885#endif
1886#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
73a46702 1887 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
77bb000f
PP
1888#endif
1889#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
73a46702 1890 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
77bb000f
PP
1891#endif
1892#ifdef SSL_OP_TLS_D5_BUG
73a46702 1893 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
77bb000f
PP
1894#endif
1895#ifdef SSL_OP_TLS_ROLLBACK_BUG
73a46702 1896 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
77bb000f
PP
1897#endif
1898};
1899static int exim_openssl_options_size =
1900 sizeof(exim_openssl_options)/sizeof(struct exim_openssl_option);
1901
c80c5570 1902
77bb000f
PP
1903static BOOL
1904tls_openssl_one_option_parse(uschar *name, long *value)
1905{
1906int first = 0;
1907int last = exim_openssl_options_size;
1908while (last > first)
1909 {
1910 int middle = (first + last)/2;
1911 int c = Ustrcmp(name, exim_openssl_options[middle].name);
1912 if (c == 0)
1913 {
1914 *value = exim_openssl_options[middle].value;
1915 return TRUE;
1916 }
1917 else if (c > 0)
1918 first = middle + 1;
1919 else
1920 last = middle;
1921 }
1922return FALSE;
1923}
1924
1925
1926
1927
1928/*************************************************
1929* OpenSSL option parsing logic *
1930*************************************************/
1931
1932/* OpenSSL has a number of compatibility options which an administrator might
1933reasonably wish to set. Interpret a list similarly to decode_bits(), so that
1934we look like log_selector.
1935
1936Arguments:
1937 option_spec the administrator-supplied string of options
1938 results ptr to long storage for the options bitmap
1939Returns success or failure
1940*/
1941
1942BOOL
1943tls_openssl_options_parse(uschar *option_spec, long *results)
1944{
1945long result, item;
1946uschar *s, *end;
1947uschar keep_c;
1948BOOL adding, item_parsed;
1949
0e944a0d 1950result = 0L;
b1770b6e 1951/* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
da3ad30d 1952 * from default because it increases BEAST susceptibility. */
f0f5a555
PP
1953#ifdef SSL_OP_NO_SSLv2
1954result |= SSL_OP_NO_SSLv2;
1955#endif
77bb000f
PP
1956
1957if (option_spec == NULL)
1958 {
1959 *results = result;
1960 return TRUE;
1961 }
1962
1963for (s=option_spec; *s != '\0'; /**/)
1964 {
1965 while (isspace(*s)) ++s;
1966 if (*s == '\0')
1967 break;
1968 if (*s != '+' && *s != '-')
1969 {
1970 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
0e944a0d 1971 "+ or - expected but found \"%s\"\n", s);
77bb000f
PP
1972 return FALSE;
1973 }
1974 adding = *s++ == '+';
1975 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
1976 keep_c = *end;
1977 *end = '\0';
1978 item_parsed = tls_openssl_one_option_parse(s, &item);
1979 if (!item_parsed)
1980 {
0e944a0d 1981 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
77bb000f
PP
1982 return FALSE;
1983 }
1984 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
1985 adding ? "adding" : "removing", result, item, s);
1986 if (adding)
1987 result |= item;
1988 else
1989 result &= ~item;
1990 *end = keep_c;
1991 s = end;
1992 }
1993
1994*results = result;
1995return TRUE;
1996}
1997
059ec3d9 1998/* End of tls-openssl.c */