Testsuite cases for basic cutthrough_delivery.
[exim.git] / src / src / tls-openssl.c
CommitLineData
059ec3d9
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
c4ceed07 5/* Copyright (c) University of Cambridge 1995 - 2012 */
059ec3d9
PH
6/* See the file NOTICE for conditions of use and distribution. */
7
8/* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
9library. It is #included into the tls.c file when that library is used. The
10code herein is based on a patch that was originally contributed by Steve
11Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
12
13No cryptographic code is included in Exim. All this module does is to call
14functions from the OpenSSL library. */
15
16
17/* Heading stuff */
18
19#include <openssl/lhash.h>
20#include <openssl/ssl.h>
21#include <openssl/err.h>
22#include <openssl/rand.h>
3f7eeb86
PP
23#ifdef EXPERIMENTAL_OCSP
24#include <openssl/ocsp.h>
25#endif
26
27#ifdef EXPERIMENTAL_OCSP
28#define EXIM_OCSP_SKEW_SECONDS (300L)
29#define EXIM_OCSP_MAX_AGE (-1L)
30#endif
059ec3d9 31
3bcbbbe2
PP
32#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
33#define EXIM_HAVE_OPENSSL_TLSEXT
34#endif
35
059ec3d9
PH
36/* Structure for collecting random data for seeding. */
37
38typedef struct randstuff {
9e3331ea
TK
39 struct timeval tv;
40 pid_t p;
059ec3d9
PH
41} randstuff;
42
43/* Local static variables */
44
45static BOOL verify_callback_called = FALSE;
46static const uschar *sid_ctx = US"exim";
47
48static SSL_CTX *ctx = NULL;
35731706 49#ifdef EXIM_HAVE_OPENSSL_TLSEXT
7be682ca 50static SSL_CTX *ctx_sni = NULL;
35731706 51#endif
059ec3d9
PH
52static SSL *ssl = NULL;
53
54static char ssl_errstring[256];
55
56static int ssl_session_timeout = 200;
57static BOOL verify_optional = FALSE;
58
7be682ca 59static BOOL reexpand_tls_files_for_sni = FALSE;
059ec3d9
PH
60
61
7be682ca
PP
62typedef struct tls_ext_ctx_cb {
63 uschar *certificate;
64 uschar *privatekey;
3f7eeb86
PP
65#ifdef EXPERIMENTAL_OCSP
66 uschar *ocsp_file;
67 uschar *ocsp_file_expanded;
68 OCSP_RESPONSE *ocsp_response;
69#endif
7be682ca
PP
70 uschar *dhparam;
71 /* these are cached from first expand */
72 uschar *server_cipher_list;
73 /* only passed down to tls_error: */
74 host_item *host;
75} tls_ext_ctx_cb;
76
77/* should figure out a cleanup of API to handle state preserved per
78implementation, for various reasons, which can be void * in the APIs.
79For now, we hack around it. */
80tls_ext_ctx_cb *static_cbinfo = NULL;
81
82static int
83setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional);
059ec3d9 84
3f7eeb86 85/* Callbacks */
3bcbbbe2 86#ifdef EXIM_HAVE_OPENSSL_TLSEXT
3f7eeb86 87static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
3bcbbbe2 88#endif
3f7eeb86
PP
89#ifdef EXPERIMENTAL_OCSP
90static int tls_stapling_cb(SSL *s, void *arg);
91#endif
92
059ec3d9
PH
93
94/*************************************************
95* Handle TLS error *
96*************************************************/
97
98/* Called from lots of places when errors occur before actually starting to do
99the TLS handshake, that is, while the session is still in clear. Always returns
100DEFER for a server and FAIL for a client so that most calls can use "return
101tls_error(...)" to do this processing and then give an appropriate return. A
102single function is used for both server and client, because it is called from
103some shared functions.
104
105Argument:
106 prefix text to include in the logged error
107 host NULL if setting up a server;
108 the connected host if setting up a client
7199e1ee 109 msg error message or NULL if we should ask OpenSSL
059ec3d9
PH
110
111Returns: OK/DEFER/FAIL
112*/
113
114static int
7199e1ee 115tls_error(uschar *prefix, host_item *host, uschar *msg)
059ec3d9 116{
7199e1ee
TF
117if (msg == NULL)
118 {
119 ERR_error_string(ERR_get_error(), ssl_errstring);
5ca6d115 120 msg = (uschar *)ssl_errstring;
7199e1ee
TF
121 }
122
059ec3d9
PH
123if (host == NULL)
124 {
7199e1ee 125 uschar *conn_info = smtp_get_connection_info();
5ca6d115 126 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0)
7199e1ee
TF
127 conn_info += 5;
128 log_write(0, LOG_MAIN, "TLS error on %s (%s): %s",
129 conn_info, prefix, msg);
059ec3d9
PH
130 return DEFER;
131 }
132else
133 {
134 log_write(0, LOG_MAIN, "TLS error on connection to %s [%s] (%s): %s",
7199e1ee 135 host->name, host->address, prefix, msg);
059ec3d9
PH
136 return FAIL;
137 }
138}
139
140
141
142/*************************************************
143* Callback to generate RSA key *
144*************************************************/
145
146/*
147Arguments:
148 s SSL connection
149 export not used
150 keylength keylength
151
152Returns: pointer to generated key
153*/
154
155static RSA *
156rsa_callback(SSL *s, int export, int keylength)
157{
158RSA *rsa_key;
159export = export; /* Shut picky compilers up */
160DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
161rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL);
162if (rsa_key == NULL)
163 {
164 ERR_error_string(ERR_get_error(), ssl_errstring);
165 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
166 ssl_errstring);
167 return NULL;
168 }
169return rsa_key;
170}
171
172
173
174
175/*************************************************
176* Callback for verification *
177*************************************************/
178
179/* The SSL library does certificate verification if set up to do so. This
180callback has the current yes/no state is in "state". If verification succeeded,
181we set up the tls_peerdn string. If verification failed, what happens depends
182on whether the client is required to present a verifiable certificate or not.
183
184If verification is optional, we change the state to yes, but still log the
185verification error. For some reason (it really would help to have proper
186documentation of OpenSSL), this callback function then gets called again, this
187time with state = 1. In fact, that's useful, because we can set up the peerdn
188value, but we must take care not to set the private verified flag on the second
189time through.
190
191Note: this function is not called if the client fails to present a certificate
192when asked. We get here only if a certificate has been received. Handling of
193optional verification for this case is done when requesting SSL to verify, by
194setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
195
196Arguments:
197 state current yes/no state as 1/0
198 x509ctx certificate information.
199
200Returns: 1 if verified, 0 if not
201*/
202
203static int
204verify_callback(int state, X509_STORE_CTX *x509ctx)
205{
206static uschar txt[256];
207
208X509_NAME_oneline(X509_get_subject_name(x509ctx->current_cert),
209 CS txt, sizeof(txt));
210
211if (state == 0)
212 {
213 log_write(0, LOG_MAIN, "SSL verify error: depth=%d error=%s cert=%s",
214 x509ctx->error_depth,
215 X509_verify_cert_error_string(x509ctx->error),
216 txt);
217 tls_certificate_verified = FALSE;
218 verify_callback_called = TRUE;
219 if (!verify_optional) return 0; /* reject */
220 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
221 "tls_try_verify_hosts)\n");
222 return 1; /* accept */
223 }
224
225if (x509ctx->error_depth != 0)
226 {
227 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d cert=%s\n",
228 x509ctx->error_depth, txt);
229 }
230else
231 {
232 DEBUG(D_tls) debug_printf("SSL%s peer: %s\n",
233 verify_callback_called? "" : " authenticated", txt);
234 tls_peerdn = txt;
235 }
236
059ec3d9
PH
237if (!verify_callback_called) tls_certificate_verified = TRUE;
238verify_callback_called = TRUE;
239
240return 1; /* accept */
241}
242
243
244
245/*************************************************
246* Information callback *
247*************************************************/
248
249/* The SSL library functions call this from time to time to indicate what they
7be682ca
PP
250are doing. We copy the string to the debugging output when TLS debugging has
251been requested.
059ec3d9
PH
252
253Arguments:
254 s the SSL connection
255 where
256 ret
257
258Returns: nothing
259*/
260
261static void
262info_callback(SSL *s, int where, int ret)
263{
264where = where;
265ret = ret;
266DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
267}
268
269
270
271/*************************************************
272* Initialize for DH *
273*************************************************/
274
275/* If dhparam is set, expand it, and load up the parameters for DH encryption.
276
277Arguments:
a799883d 278 dhparam DH parameter file or fixed parameter identity string
7199e1ee 279 host connected host, if client; NULL if server
059ec3d9
PH
280
281Returns: TRUE if OK (nothing to set up, or setup worked)
282*/
283
284static BOOL
a799883d 285init_dh(SSL_CTX *sctx, uschar *dhparam, host_item *host)
059ec3d9 286{
059ec3d9
PH
287BIO *bio;
288DH *dh;
289uschar *dhexpanded;
a799883d 290const char *pem;
059ec3d9
PH
291
292if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded))
293 return FALSE;
294
a799883d 295if (dhexpanded == NULL || *dhexpanded == '\0')
059ec3d9 296 {
a799883d 297 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
059ec3d9 298 }
a799883d 299else if (dhexpanded[0] == '/')
059ec3d9 300 {
a799883d
PP
301 bio = BIO_new_file(CS dhexpanded, "r");
302 if (bio == NULL)
059ec3d9 303 {
7199e1ee 304 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
a799883d
PP
305 host, US strerror(errno));
306 return FALSE;
059ec3d9 307 }
a799883d
PP
308 }
309else
310 {
311 if (Ustrcmp(dhexpanded, "none") == 0)
059ec3d9 312 {
a799883d
PP
313 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
314 return TRUE;
059ec3d9 315 }
a799883d
PP
316
317 pem = std_dh_prime_named(dhexpanded);
318 if (!pem)
319 {
320 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
321 host, US strerror(errno));
322 return FALSE;
323 }
324 bio = BIO_new_mem_buf(CS pem, -1);
325 }
326
327dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
328if (dh == NULL)
329 {
059ec3d9 330 BIO_free(bio);
a799883d
PP
331 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
332 host, NULL);
333 return FALSE;
334 }
335
336/* Even if it is larger, we silently return success rather than cause things
337 * to fail out, so that a too-large DH will not knock out all TLS; it's a
338 * debatable choice. */
339if ((8*DH_size(dh)) > tls_dh_max_bits)
340 {
341 DEBUG(D_tls)
342 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d",
343 8*DH_size(dh), tls_dh_max_bits);
344 }
345else
346 {
347 SSL_CTX_set_tmp_dh(sctx, dh);
348 DEBUG(D_tls)
349 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
350 dhexpanded ? dhexpanded : US"default", 8*DH_size(dh));
059ec3d9
PH
351 }
352
a799883d
PP
353DH_free(dh);
354BIO_free(bio);
355
356return TRUE;
059ec3d9
PH
357}
358
359
360
361
3f7eeb86
PP
362#ifdef EXPERIMENTAL_OCSP
363/*************************************************
364* Load OCSP information into state *
365*************************************************/
366
367/* Called to load the OCSP response from the given file into memory, once
368caller has determined this is needed. Checks validity. Debugs a message
369if invalid.
370
371ASSUMES: single response, for single cert.
372
373Arguments:
374 sctx the SSL_CTX* to update
375 cbinfo various parts of session state
376 expanded the filename putatively holding an OCSP response
377
378*/
379
380static void
381ocsp_load_response(SSL_CTX *sctx,
382 tls_ext_ctx_cb *cbinfo,
383 const uschar *expanded)
384{
385BIO *bio;
386OCSP_RESPONSE *resp;
387OCSP_BASICRESP *basic_response;
388OCSP_SINGLERESP *single_response;
389ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
390X509_STORE *store;
391unsigned long verify_flags;
392int status, reason, i;
393
394cbinfo->ocsp_file_expanded = string_copy(expanded);
395if (cbinfo->ocsp_response)
396 {
397 OCSP_RESPONSE_free(cbinfo->ocsp_response);
398 cbinfo->ocsp_response = NULL;
399 }
400
401bio = BIO_new_file(CS cbinfo->ocsp_file_expanded, "rb");
402if (!bio)
403 {
404 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
405 cbinfo->ocsp_file_expanded);
406 return;
407 }
408
409resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
410BIO_free(bio);
411if (!resp)
412 {
413 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
414 return;
415 }
416
417status = OCSP_response_status(resp);
418if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL)
419 {
420 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
421 OCSP_response_status_str(status), status);
422 return;
423 }
424
425basic_response = OCSP_response_get1_basic(resp);
426if (!basic_response)
427 {
428 DEBUG(D_tls)
429 debug_printf("OCSP response parse error: unable to extract basic response.\n");
430 return;
431 }
432
433store = SSL_CTX_get_cert_store(sctx);
434verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
435
436/* May need to expose ability to adjust those flags?
437OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
438OCSP_TRUSTOTHER OCSP_NOINTERN */
439
440i = OCSP_basic_verify(basic_response, NULL, store, verify_flags);
441if (i <= 0)
442 {
443 DEBUG(D_tls) {
444 ERR_error_string(ERR_get_error(), ssl_errstring);
445 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
446 }
447 return;
448 }
449
450/* Here's the simplifying assumption: there's only one response, for the
451one certificate we use, and nothing for anything else in a chain. If this
452proves false, we need to extract a cert id from our issued cert
453(tls_certificate) and use that for OCSP_resp_find_status() (which finds the
454right cert in the stack and then calls OCSP_single_get0_status()).
455
456I'm hoping to avoid reworking a bunch more of how we handle state here. */
457single_response = OCSP_resp_get0(basic_response, 0);
458if (!single_response)
459 {
460 DEBUG(D_tls)
461 debug_printf("Unable to get first response from OCSP basic response.\n");
462 return;
463 }
464
465status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
466/* how does this status differ from the one above? */
467if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL)
468 {
469 DEBUG(D_tls) debug_printf("OCSP response not valid (take 2): %s (%d)\n",
470 OCSP_response_status_str(status), status);
471 return;
472 }
473
474if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
475 {
476 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
477 return;
478 }
479
480cbinfo->ocsp_response = resp;
481}
482#endif
483
484
485
486
059ec3d9 487/*************************************************
7be682ca
PP
488* Expand key and cert file specs *
489*************************************************/
490
491/* Called once during tls_init and possibly againt during TLS setup, for a
492new context, if Server Name Indication was used and tls_sni was seen in
493the certificate string.
494
495Arguments:
496 sctx the SSL_CTX* to update
497 cbinfo various parts of session state
498
499Returns: OK/DEFER/FAIL
500*/
501
502static int
3f7eeb86 503tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo)
7be682ca
PP
504{
505uschar *expanded;
506
507if (cbinfo->certificate == NULL)
508 return OK;
509
510if (Ustrstr(cbinfo->certificate, US"tls_sni"))
511 reexpand_tls_files_for_sni = TRUE;
512
513if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded))
514 return DEFER;
515
516if (expanded != NULL)
517 {
518 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded);
519 if (!SSL_CTX_use_certificate_chain_file(sctx, CS expanded))
520 return tls_error(string_sprintf(
521 "SSL_CTX_use_certificate_chain_file file=%s", expanded),
522 cbinfo->host, NULL);
523 }
524
525if (cbinfo->privatekey != NULL &&
526 !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded))
527 return DEFER;
528
529/* If expansion was forced to fail, key_expanded will be NULL. If the result
530of the expansion is an empty string, ignore it also, and assume the private
531key is in the same file as the certificate. */
532
533if (expanded != NULL && *expanded != 0)
534 {
535 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
536 if (!SSL_CTX_use_PrivateKey_file(sctx, CS expanded, SSL_FILETYPE_PEM))
537 return tls_error(string_sprintf(
538 "SSL_CTX_use_PrivateKey_file file=%s", expanded), cbinfo->host, NULL);
539 }
540
3f7eeb86
PP
541#ifdef EXPERIMENTAL_OCSP
542if (cbinfo->ocsp_file != NULL)
543 {
544 if (!expand_check(cbinfo->ocsp_file, US"tls_ocsp_file", &expanded))
545 return DEFER;
546
547 if (expanded != NULL && *expanded != 0)
548 {
549 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
550 if (cbinfo->ocsp_file_expanded &&
551 (Ustrcmp(expanded, cbinfo->ocsp_file_expanded) == 0))
552 {
553 DEBUG(D_tls)
554 debug_printf("tls_ocsp_file value unchanged, using existing values.\n");
555 } else {
556 ocsp_load_response(sctx, cbinfo, expanded);
557 }
558 }
559 }
560#endif
561
7be682ca
PP
562return OK;
563}
564
565
566
567
568/*************************************************
569* Callback to handle SNI *
570*************************************************/
571
572/* Called when acting as server during the TLS session setup if a Server Name
573Indication extension was sent by the client.
574
575API documentation is OpenSSL s_server.c implementation.
576
577Arguments:
578 s SSL* of the current session
579 ad unknown (part of OpenSSL API) (unused)
580 arg Callback of "our" registered data
581
582Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
583*/
584
3bcbbbe2 585#ifdef EXIM_HAVE_OPENSSL_TLSEXT
7be682ca 586static int
7be682ca
PP
587tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
588{
589const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
3f7eeb86 590tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
7be682ca 591int rc;
3f0945ff 592int old_pool = store_pool;
7be682ca
PP
593
594if (!servername)
595 return SSL_TLSEXT_ERR_OK;
596
3f0945ff 597DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
7be682ca
PP
598 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
599
600/* Make the extension value available for expansion */
3f0945ff
PP
601store_pool = POOL_PERM;
602tls_sni = string_copy(US servername);
603store_pool = old_pool;
7be682ca
PP
604
605if (!reexpand_tls_files_for_sni)
606 return SSL_TLSEXT_ERR_OK;
607
608/* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
609not confident that memcpy wouldn't break some internal reference counting.
610Especially since there's a references struct member, which would be off. */
611
612ctx_sni = SSL_CTX_new(SSLv23_server_method());
613if (!ctx_sni)
614 {
615 ERR_error_string(ERR_get_error(), ssl_errstring);
616 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
617 return SSL_TLSEXT_ERR_NOACK;
618 }
619
620/* Not sure how many of these are actually needed, since SSL object
621already exists. Might even need this selfsame callback, for reneg? */
622
623SSL_CTX_set_info_callback(ctx_sni, SSL_CTX_get_info_callback(ctx));
624SSL_CTX_set_mode(ctx_sni, SSL_CTX_get_mode(ctx));
625SSL_CTX_set_options(ctx_sni, SSL_CTX_get_options(ctx));
626SSL_CTX_set_timeout(ctx_sni, SSL_CTX_get_timeout(ctx));
627SSL_CTX_set_tlsext_servername_callback(ctx_sni, tls_servername_cb);
628SSL_CTX_set_tlsext_servername_arg(ctx_sni, cbinfo);
629if (cbinfo->server_cipher_list)
630 SSL_CTX_set_cipher_list(ctx_sni, CS cbinfo->server_cipher_list);
3f7eeb86
PP
631#ifdef EXPERIMENTAL_OCSP
632if (cbinfo->ocsp_file)
633 {
634 SSL_CTX_set_tlsext_status_cb(ctx_sni, tls_stapling_cb);
635 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
636 }
637#endif
7be682ca 638
3f7eeb86 639rc = setup_certs(ctx_sni, tls_verify_certificates, tls_crl, NULL, FALSE);
7be682ca
PP
640if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
641
3f7eeb86
PP
642/* do this after setup_certs, because this can require the certs for verifying
643OCSP information. */
644rc = tls_expand_session_files(ctx_sni, cbinfo);
7be682ca
PP
645if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
646
a799883d
PP
647rc = init_dh(ctx_sni, cbinfo->dhparam, NULL);
648if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
649
7be682ca
PP
650DEBUG(D_tls) debug_printf("Switching SSL context.\n");
651SSL_set_SSL_CTX(s, ctx_sni);
652
653return SSL_TLSEXT_ERR_OK;
654}
3bcbbbe2 655#endif /* EXIM_HAVE_OPENSSL_TLSEXT */
7be682ca
PP
656
657
658
659
3f7eeb86
PP
660#ifdef EXPERIMENTAL_OCSP
661/*************************************************
662* Callback to handle OCSP Stapling *
663*************************************************/
664
665/* Called when acting as server during the TLS session setup if the client
666requests OCSP information with a Certificate Status Request.
667
668Documentation via openssl s_server.c and the Apache patch from the OpenSSL
669project.
670
671*/
672
673static int
674tls_stapling_cb(SSL *s, void *arg)
675{
676const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
677uschar *response_der;
678int response_der_len;
679
680DEBUG(D_tls) debug_printf("Received TLS status request (OCSP stapling); %s response.\n",
681 cbinfo->ocsp_response ? "have" : "lack");
682if (!cbinfo->ocsp_response)
683 return SSL_TLSEXT_ERR_NOACK;
684
685response_der = NULL;
686response_der_len = i2d_OCSP_RESPONSE(cbinfo->ocsp_response, &response_der);
687if (response_der_len <= 0)
688 return SSL_TLSEXT_ERR_NOACK;
689
690SSL_set_tlsext_status_ocsp_resp(ssl, response_der, response_der_len);
691return SSL_TLSEXT_ERR_OK;
692}
693
694#endif /* EXPERIMENTAL_OCSP */
695
696
697
698
7be682ca 699/*************************************************
059ec3d9
PH
700* Initialize for TLS *
701*************************************************/
702
703/* Called from both server and client code, to do preliminary initialization of
704the library.
705
706Arguments:
707 host connected host, if client; NULL if server
708 dhparam DH parameter file
709 certificate certificate file
710 privatekey private key
711 addr address if client; NULL if server (for some randomness)
712
713Returns: OK/DEFER/FAIL
714*/
715
716static int
c91535f3 717tls_init(host_item *host, uschar *dhparam, uschar *certificate,
3f7eeb86
PP
718 uschar *privatekey,
719#ifdef EXPERIMENTAL_OCSP
720 uschar *ocsp_file,
721#endif
722 address_item *addr)
059ec3d9 723{
77bb000f 724long init_options;
7be682ca 725int rc;
77bb000f 726BOOL okay;
7be682ca
PP
727tls_ext_ctx_cb *cbinfo;
728
729cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
730cbinfo->certificate = certificate;
731cbinfo->privatekey = privatekey;
3f7eeb86
PP
732#ifdef EXPERIMENTAL_OCSP
733cbinfo->ocsp_file = ocsp_file;
734#endif
7be682ca
PP
735cbinfo->dhparam = dhparam;
736cbinfo->host = host;
77bb000f 737
059ec3d9
PH
738SSL_load_error_strings(); /* basic set up */
739OpenSSL_add_ssl_algorithms();
740
388d6564 741#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
77bb000f 742/* SHA256 is becoming ever more popular. This makes sure it gets added to the
a0475b69
TK
743list of available digests. */
744EVP_add_digest(EVP_sha256());
cf1ef1a9 745#endif
a0475b69 746
f0f5a555
PP
747/* Create a context.
748The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
749negotiation in the different methods; as far as I can tell, the only
750*_{server,client}_method which allows negotiation is SSLv23, which exists even
751when OpenSSL is built without SSLv2 support.
752By disabling with openssl_options, we can let admins re-enable with the
753existing knob. */
059ec3d9
PH
754
755ctx = SSL_CTX_new((host == NULL)?
756 SSLv23_server_method() : SSLv23_client_method());
757
7199e1ee 758if (ctx == NULL) return tls_error(US"SSL_CTX_new", host, NULL);
059ec3d9
PH
759
760/* It turns out that we need to seed the random number generator this early in
761order to get the full complement of ciphers to work. It took me roughly a day
762of work to discover this by experiment.
763
764On systems that have /dev/urandom, SSL may automatically seed itself from
765there. Otherwise, we have to make something up as best we can. Double check
766afterwards. */
767
768if (!RAND_status())
769 {
770 randstuff r;
9e3331ea 771 gettimeofday(&r.tv, NULL);
059ec3d9
PH
772 r.p = getpid();
773
774 RAND_seed((uschar *)(&r), sizeof(r));
775 RAND_seed((uschar *)big_buffer, big_buffer_size);
776 if (addr != NULL) RAND_seed((uschar *)addr, sizeof(addr));
777
778 if (!RAND_status())
7199e1ee 779 return tls_error(US"RAND_status", host,
5ca6d115 780 US"unable to seed random number generator");
059ec3d9
PH
781 }
782
783/* Set up the information callback, which outputs if debugging is at a suitable
784level. */
785
58c01c94 786SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
059ec3d9 787
c80c5570
PP
788/* Automatically re-try reads/writes after renegotiation. */
789(void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
790
77bb000f
PP
791/* Apply administrator-supplied work-arounds.
792Historically we applied just one requested option,
793SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
794moved to an administrator-controlled list of options to specify and
795grandfathered in the first one as the default value for "openssl_options".
059ec3d9 796
77bb000f
PP
797No OpenSSL version number checks: the options we accept depend upon the
798availability of the option value macros from OpenSSL. */
059ec3d9 799
77bb000f
PP
800okay = tls_openssl_options_parse(openssl_options, &init_options);
801if (!okay)
73a46702 802 return tls_error(US"openssl_options parsing failed", host, NULL);
77bb000f
PP
803
804if (init_options)
805 {
806 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
807 if (!(SSL_CTX_set_options(ctx, init_options)))
808 return tls_error(string_sprintf(
809 "SSL_CTX_set_option(%#lx)", init_options), host, NULL);
810 }
811else
812 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
059ec3d9
PH
813
814/* Initialize with DH parameters if supplied */
815
a799883d 816if (!init_dh(ctx, dhparam, host)) return DEFER;
059ec3d9 817
3f7eeb86 818/* Set up certificate and key (and perhaps OCSP info) */
059ec3d9 819
7be682ca
PP
820rc = tls_expand_session_files(ctx, cbinfo);
821if (rc != OK) return rc;
c91535f3 822
7be682ca 823/* If we need to handle SNI, do so */
3bcbbbe2 824#ifdef EXIM_HAVE_OPENSSL_TLSEXT
3f0945ff
PP
825if (host == NULL)
826 {
3f7eeb86
PP
827#ifdef EXPERIMENTAL_OCSP
828 /* We check ocsp_file, not ocsp_response, because we care about if
829 the option exists, not what the current expansion might be, as SNI might
830 change the certificate and OCSP file in use between now and the time the
831 callback is invoked. */
832 if (cbinfo->ocsp_file)
833 {
834 SSL_CTX_set_tlsext_status_cb(ctx, tls_stapling_cb);
835 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
836 }
837#endif
3f0945ff
PP
838 /* We always do this, so that $tls_sni is available even if not used in
839 tls_certificate */
840 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
841 SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
842 }
7be682ca 843#endif
059ec3d9
PH
844
845/* Set up the RSA callback */
846
847SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
848
849/* Finally, set the timeout, and we are done */
850
851SSL_CTX_set_timeout(ctx, ssl_session_timeout);
852DEBUG(D_tls) debug_printf("Initialized TLS\n");
7be682ca
PP
853
854static_cbinfo = cbinfo;
855
059ec3d9
PH
856return OK;
857}
858
859
860
861
862/*************************************************
863* Get name of cipher in use *
864*************************************************/
865
866/* The answer is left in a static buffer, and tls_cipher is set to point
867to it.
868
869Argument: pointer to an SSL structure for the connection
870Returns: nothing
871*/
872
873static void
874construct_cipher_name(SSL *ssl)
875{
876static uschar cipherbuf[256];
57b3a7f5
PP
877/* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't
878yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
879the accessor functions use const in the prototype. */
880const SSL_CIPHER *c;
059ec3d9 881uschar *ver;
059ec3d9
PH
882
883switch (ssl->session->ssl_version)
884 {
885 case SSL2_VERSION:
886 ver = US"SSLv2";
887 break;
888
889 case SSL3_VERSION:
890 ver = US"SSLv3";
891 break;
892
893 case TLS1_VERSION:
894 ver = US"TLSv1";
895 break;
896
c80c5570
PP
897#ifdef TLS1_1_VERSION
898 case TLS1_1_VERSION:
899 ver = US"TLSv1.1";
900 break;
901#endif
902
903#ifdef TLS1_2_VERSION
904 case TLS1_2_VERSION:
905 ver = US"TLSv1.2";
906 break;
907#endif
908
059ec3d9
PH
909 default:
910 ver = US"UNKNOWN";
911 }
912
57b3a7f5 913c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
edc33b5f 914SSL_CIPHER_get_bits(c, &tls_bits);
059ec3d9
PH
915
916string_format(cipherbuf, sizeof(cipherbuf), "%s:%s:%u", ver,
edc33b5f 917 SSL_CIPHER_get_name(c), tls_bits);
059ec3d9
PH
918tls_cipher = cipherbuf;
919
920DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
921}
922
923
924
925
926
927/*************************************************
928* Set up for verifying certificates *
929*************************************************/
930
931/* Called by both client and server startup
932
933Arguments:
7be682ca 934 sctx SSL_CTX* to initialise
059ec3d9
PH
935 certs certs file or NULL
936 crl CRL file or NULL
937 host NULL in a server; the remote host in a client
938 optional TRUE if called from a server for a host in tls_try_verify_hosts;
939 otherwise passed as FALSE
940
941Returns: OK/DEFER/FAIL
942*/
943
944static int
7be682ca 945setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional)
059ec3d9
PH
946{
947uschar *expcerts, *expcrl;
948
949if (!expand_check(certs, US"tls_verify_certificates", &expcerts))
950 return DEFER;
951
952if (expcerts != NULL)
953 {
954 struct stat statbuf;
7be682ca 955 if (!SSL_CTX_set_default_verify_paths(sctx))
7199e1ee 956 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
059ec3d9
PH
957
958 if (Ustat(expcerts, &statbuf) < 0)
959 {
960 log_write(0, LOG_MAIN|LOG_PANIC,
961 "failed to stat %s for certificates", expcerts);
962 return DEFER;
963 }
964 else
965 {
966 uschar *file, *dir;
967 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
968 { file = NULL; dir = expcerts; }
969 else
970 { file = expcerts; dir = NULL; }
971
972 /* If a certificate file is empty, the next function fails with an
973 unhelpful error message. If we skip it, we get the correct behaviour (no
974 certificates are recognized, but the error message is still misleading (it
975 says no certificate was supplied.) But this is better. */
976
977 if ((file == NULL || statbuf.st_size > 0) &&
7be682ca 978 !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
7199e1ee 979 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL);
059ec3d9
PH
980
981 if (file != NULL)
982 {
7be682ca 983 SSL_CTX_set_client_CA_list(sctx, SSL_load_client_CA_file(CS file));
059ec3d9
PH
984 }
985 }
986
987 /* Handle a certificate revocation list. */
988
989 #if OPENSSL_VERSION_NUMBER > 0x00907000L
990
8b417f2c
PH
991 /* This bit of code is now the version supplied by Lars Mainka. (I have
992 * merely reformatted it into the Exim code style.)
993
994 * "From here I changed the code to add support for multiple crl's
995 * in pem format in one file or to support hashed directory entries in
996 * pem format instead of a file. This method now uses the library function
997 * X509_STORE_load_locations to add the CRL location to the SSL context.
998 * OpenSSL will then handle the verify against CA certs and CRLs by
999 * itself in the verify callback." */
1000
059ec3d9
PH
1001 if (!expand_check(crl, US"tls_crl", &expcrl)) return DEFER;
1002 if (expcrl != NULL && *expcrl != 0)
1003 {
8b417f2c
PH
1004 struct stat statbufcrl;
1005 if (Ustat(expcrl, &statbufcrl) < 0)
1006 {
1007 log_write(0, LOG_MAIN|LOG_PANIC,
1008 "failed to stat %s for certificates revocation lists", expcrl);
1009 return DEFER;
1010 }
1011 else
059ec3d9 1012 {
8b417f2c
PH
1013 /* is it a file or directory? */
1014 uschar *file, *dir;
7be682ca 1015 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
8b417f2c 1016 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
059ec3d9 1017 {
8b417f2c
PH
1018 file = NULL;
1019 dir = expcrl;
1020 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
059ec3d9
PH
1021 }
1022 else
1023 {
8b417f2c
PH
1024 file = expcrl;
1025 dir = NULL;
1026 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
059ec3d9 1027 }
8b417f2c 1028 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
7199e1ee 1029 return tls_error(US"X509_STORE_load_locations", host, NULL);
8b417f2c
PH
1030
1031 /* setting the flags to check against the complete crl chain */
1032
1033 X509_STORE_set_flags(cvstore,
1034 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
059ec3d9 1035 }
059ec3d9
PH
1036 }
1037
1038 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
1039
1040 /* If verification is optional, don't fail if no certificate */
1041
7be682ca 1042 SSL_CTX_set_verify(sctx,
059ec3d9
PH
1043 SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
1044 verify_callback);
1045 }
1046
1047return OK;
1048}
1049
1050
1051
1052/*************************************************
1053* Start a TLS session in a server *
1054*************************************************/
1055
1056/* This is called when Exim is running as a server, after having received
1057the STARTTLS command. It must respond to that command, and then negotiate
1058a TLS session.
1059
1060Arguments:
1061 require_ciphers allowed ciphers
1062
1063Returns: OK on success
1064 DEFER for errors before the start of the negotiation
1065 FAIL for errors during the negotation; the server can't
1066 continue running.
1067*/
1068
1069int
17c76198 1070tls_server_start(const uschar *require_ciphers)
059ec3d9
PH
1071{
1072int rc;
1073uschar *expciphers;
7be682ca 1074tls_ext_ctx_cb *cbinfo;
059ec3d9
PH
1075
1076/* Check for previous activation */
1077
1078if (tls_active >= 0)
1079 {
5ca6d115 1080 tls_error(US"STARTTLS received after TLS started", NULL, US"");
059ec3d9
PH
1081 smtp_printf("554 Already in TLS\r\n");
1082 return FAIL;
1083 }
1084
1085/* Initialize the SSL library. If it fails, it will already have logged
1086the error. */
1087
3f7eeb86
PP
1088rc = tls_init(NULL, tls_dhparam, tls_certificate, tls_privatekey,
1089#ifdef EXPERIMENTAL_OCSP
1090 tls_ocsp_file,
1091#endif
1092 NULL);
059ec3d9 1093if (rc != OK) return rc;
7be682ca 1094cbinfo = static_cbinfo;
059ec3d9
PH
1095
1096if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
1097 return FAIL;
1098
1099/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
17c76198
PP
1100were historically separated by underscores. So that I can use either form in my
1101tests, and also for general convenience, we turn underscores into hyphens here.
1102*/
059ec3d9
PH
1103
1104if (expciphers != NULL)
1105 {
1106 uschar *s = expciphers;
1107 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1108 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
1109 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
7199e1ee 1110 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL);
7be682ca 1111 cbinfo->server_cipher_list = expciphers;
059ec3d9
PH
1112 }
1113
1114/* If this is a host for which certificate verification is mandatory or
1115optional, set up appropriately. */
1116
1117tls_certificate_verified = FALSE;
1118verify_callback_called = FALSE;
1119
1120if (verify_check_host(&tls_verify_hosts) == OK)
1121 {
7be682ca 1122 rc = setup_certs(ctx, tls_verify_certificates, tls_crl, NULL, FALSE);
059ec3d9
PH
1123 if (rc != OK) return rc;
1124 verify_optional = FALSE;
1125 }
1126else if (verify_check_host(&tls_try_verify_hosts) == OK)
1127 {
7be682ca 1128 rc = setup_certs(ctx, tls_verify_certificates, tls_crl, NULL, TRUE);
059ec3d9
PH
1129 if (rc != OK) return rc;
1130 verify_optional = TRUE;
1131 }
1132
1133/* Prepare for new connection */
1134
7199e1ee 1135if ((ssl = SSL_new(ctx)) == NULL) return tls_error(US"SSL_new", NULL, NULL);
da3ad30d
PP
1136
1137/* Warning: we used to SSL_clear(ssl) here, it was removed.
1138 *
1139 * With the SSL_clear(), we get strange interoperability bugs with
1140 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
1141 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
1142 *
1143 * The SSL_clear() call is to let an existing SSL* be reused, typically after
1144 * session shutdown. In this case, we have a brand new object and there's no
1145 * obvious reason to immediately clear it. I'm guessing that this was
1146 * originally added because of incomplete initialisation which the clear fixed,
1147 * in some historic release.
1148 */
059ec3d9
PH
1149
1150/* Set context and tell client to go ahead, except in the case of TLS startup
1151on connection, where outputting anything now upsets the clients and tends to
1152make them disconnect. We need to have an explicit fflush() here, to force out
1153the response. Other smtp_printf() calls do not need it, because in non-TLS
1154mode, the fflush() happens when smtp_getc() is called. */
1155
1156SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
1157if (!tls_on_connect)
1158 {
1159 smtp_printf("220 TLS go ahead\r\n");
1160 fflush(smtp_out);
1161 }
1162
1163/* Now negotiate the TLS session. We put our own timer on it, since it seems
1164that the OpenSSL library doesn't. */
1165
56f5d9bd
PH
1166SSL_set_wfd(ssl, fileno(smtp_out));
1167SSL_set_rfd(ssl, fileno(smtp_in));
059ec3d9
PH
1168SSL_set_accept_state(ssl);
1169
1170DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
1171
1172sigalrm_seen = FALSE;
1173if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
1174rc = SSL_accept(ssl);
1175alarm(0);
1176
1177if (rc <= 0)
1178 {
7199e1ee 1179 tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL);
77bb000f
PP
1180 if (ERR_get_error() == 0)
1181 log_write(0, LOG_MAIN,
a053d125 1182 "TLS client disconnected cleanly (rejected our certificate?)");
059ec3d9
PH
1183 return FAIL;
1184 }
1185
1186DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
1187
1188/* TLS has been set up. Adjust the input functions to read via TLS,
1189and initialize things. */
1190
1191construct_cipher_name(ssl);
1192
1193DEBUG(D_tls)
1194 {
1195 uschar buf[2048];
1196 if (SSL_get_shared_ciphers(ssl, CS buf, sizeof(buf)) != NULL)
1197 debug_printf("Shared ciphers: %s\n", buf);
1198 }
1199
1200
1201ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
1202ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
1203ssl_xfer_eof = ssl_xfer_error = 0;
1204
1205receive_getc = tls_getc;
1206receive_ungetc = tls_ungetc;
1207receive_feof = tls_feof;
1208receive_ferror = tls_ferror;
58eb016e 1209receive_smtp_buffered = tls_smtp_buffered;
059ec3d9
PH
1210
1211tls_active = fileno(smtp_out);
1212return OK;
1213}
1214
1215
1216
1217
1218
1219/*************************************************
1220* Start a TLS session in a client *
1221*************************************************/
1222
1223/* Called from the smtp transport after STARTTLS has been accepted.
1224
1225Argument:
1226 fd the fd of the connection
1227 host connected host (for messages)
83da1223 1228 addr the first address
059ec3d9
PH
1229 dhparam DH parameter file
1230 certificate certificate file
1231 privatekey private key file
3f0945ff 1232 sni TLS SNI to send to remote host
059ec3d9
PH
1233 verify_certs file for certificate verify
1234 crl file containing CRL
1235 require_ciphers list of allowed ciphers
54c90be1
PP
1236 dh_min_bits minimum number of bits acceptable in server's DH prime
1237 (unused in OpenSSL)
83da1223 1238 timeout startup timeout
059ec3d9
PH
1239
1240Returns: OK on success
1241 FAIL otherwise - note that tls_error() will not give DEFER
1242 because this is not a server
1243*/
1244
1245int
1246tls_client_start(int fd, host_item *host, address_item *addr, uschar *dhparam,
3f0945ff
PP
1247 uschar *certificate, uschar *privatekey, uschar *sni,
1248 uschar *verify_certs, uschar *crl,
54c90be1 1249 uschar *require_ciphers, int dh_min_bits ARG_UNUSED, int timeout)
059ec3d9
PH
1250{
1251static uschar txt[256];
1252uschar *expciphers;
1253X509* server_cert;
1254int rc;
1255
3f7eeb86
PP
1256rc = tls_init(host, dhparam, certificate, privatekey,
1257#ifdef EXPERIMENTAL_OCSP
1258 NULL,
1259#endif
1260 addr);
059ec3d9
PH
1261if (rc != OK) return rc;
1262
1263tls_certificate_verified = FALSE;
1264verify_callback_called = FALSE;
1265
1266if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
1267 return FAIL;
1268
1269/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
1270are separated by underscores. So that I can use either form in my tests, and
1271also for general convenience, we turn underscores into hyphens here. */
1272
1273if (expciphers != NULL)
1274 {
1275 uschar *s = expciphers;
1276 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1277 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
1278 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
7199e1ee 1279 return tls_error(US"SSL_CTX_set_cipher_list", host, NULL);
059ec3d9
PH
1280 }
1281
7be682ca 1282rc = setup_certs(ctx, verify_certs, crl, host, FALSE);
059ec3d9
PH
1283if (rc != OK) return rc;
1284
7199e1ee 1285if ((ssl = SSL_new(ctx)) == NULL) return tls_error(US"SSL_new", host, NULL);
059ec3d9
PH
1286SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
1287SSL_set_fd(ssl, fd);
1288SSL_set_connect_state(ssl);
1289
3f0945ff
PP
1290if (sni)
1291 {
1292 if (!expand_check(sni, US"tls_sni", &tls_sni))
1293 return FAIL;
1294 if (!Ustrlen(tls_sni))
1295 tls_sni = NULL;
1296 else
1297 {
35731706 1298#ifdef EXIM_HAVE_OPENSSL_TLSEXT
3f0945ff
PP
1299 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tls_sni);
1300 SSL_set_tlsext_host_name(ssl, tls_sni);
35731706
PP
1301#else
1302 DEBUG(D_tls)
1303 debug_printf("OpenSSL at build-time lacked SNI support, ignoring \"%s\"\n",
1304 tls_sni);
1305#endif
3f0945ff
PP
1306 }
1307 }
1308
059ec3d9
PH
1309/* There doesn't seem to be a built-in timeout on connection. */
1310
1311DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
1312sigalrm_seen = FALSE;
1313alarm(timeout);
1314rc = SSL_connect(ssl);
1315alarm(0);
1316
1317if (rc <= 0)
7199e1ee 1318 return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL);
059ec3d9
PH
1319
1320DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
1321
453a6645 1322/* Beware anonymous ciphers which lead to server_cert being NULL */
059ec3d9 1323server_cert = SSL_get_peer_certificate (ssl);
453a6645
PP
1324if (server_cert)
1325 {
1326 tls_peerdn = US X509_NAME_oneline(X509_get_subject_name(server_cert),
1327 CS txt, sizeof(txt));
1328 tls_peerdn = txt;
1329 }
1330else
1331 tls_peerdn = NULL;
059ec3d9
PH
1332
1333construct_cipher_name(ssl); /* Sets tls_cipher */
1334
1335tls_active = fd;
1336return OK;
1337}
1338
1339
1340
1341
1342
1343/*************************************************
1344* TLS version of getc *
1345*************************************************/
1346
1347/* This gets the next byte from the TLS input buffer. If the buffer is empty,
1348it refills the buffer via the SSL reading function.
1349
1350Arguments: none
1351Returns: the next character or EOF
1352*/
1353
1354int
1355tls_getc(void)
1356{
1357if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
1358 {
1359 int error;
1360 int inbytes;
1361
c80c5570
PP
1362 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
1363 ssl_xfer_buffer, ssl_xfer_buffer_size);
059ec3d9
PH
1364
1365 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
1366 inbytes = SSL_read(ssl, CS ssl_xfer_buffer, ssl_xfer_buffer_size);
1367 error = SSL_get_error(ssl, inbytes);
1368 alarm(0);
1369
1370 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
1371 closed down, not that the socket itself has been closed down. Revert to
1372 non-SSL handling. */
1373
1374 if (error == SSL_ERROR_ZERO_RETURN)
1375 {
1376 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
1377
1378 receive_getc = smtp_getc;
1379 receive_ungetc = smtp_ungetc;
1380 receive_feof = smtp_feof;
1381 receive_ferror = smtp_ferror;
58eb016e 1382 receive_smtp_buffered = smtp_buffered;
059ec3d9
PH
1383
1384 SSL_free(ssl);
1385 ssl = NULL;
1386 tls_active = -1;
3f0945ff 1387 tls_bits = 0;
059ec3d9
PH
1388 tls_cipher = NULL;
1389 tls_peerdn = NULL;
3f0945ff 1390 tls_sni = NULL;
059ec3d9
PH
1391
1392 return smtp_getc();
1393 }
1394
1395 /* Handle genuine errors */
1396
ba084640
PP
1397 else if (error == SSL_ERROR_SSL)
1398 {
1399 ERR_error_string(ERR_get_error(), ssl_errstring);
89dd51cd 1400 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
ba084640
PP
1401 ssl_xfer_error = 1;
1402 return EOF;
1403 }
1404
059ec3d9
PH
1405 else if (error != SSL_ERROR_NONE)
1406 {
1407 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
1408 ssl_xfer_error = 1;
1409 return EOF;
1410 }
c80c5570 1411
80a47a2c
TK
1412#ifndef DISABLE_DKIM
1413 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
1414#endif
059ec3d9
PH
1415 ssl_xfer_buffer_hwm = inbytes;
1416 ssl_xfer_buffer_lwm = 0;
1417 }
1418
1419/* Something in the buffer; return next uschar */
1420
1421return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
1422}
1423
1424
1425
1426/*************************************************
1427* Read bytes from TLS channel *
1428*************************************************/
1429
1430/*
1431Arguments:
1432 buff buffer of data
1433 len size of buffer
1434
1435Returns: the number of bytes read
1436 -1 after a failed read
1437*/
1438
1439int
1440tls_read(uschar *buff, size_t len)
1441{
1442int inbytes;
1443int error;
1444
c80c5570
PP
1445DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
1446 buff, (unsigned int)len);
059ec3d9
PH
1447
1448inbytes = SSL_read(ssl, CS buff, len);
1449error = SSL_get_error(ssl, inbytes);
1450
1451if (error == SSL_ERROR_ZERO_RETURN)
1452 {
1453 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
1454 return -1;
1455 }
1456else if (error != SSL_ERROR_NONE)
1457 {
1458 return -1;
1459 }
1460
1461return inbytes;
1462}
1463
1464
1465
1466
1467
1468/*************************************************
1469* Write bytes down TLS channel *
1470*************************************************/
1471
1472/*
1473Arguments:
1474 buff buffer of data
1475 len number of bytes
1476
1477Returns: the number of bytes after a successful write,
1478 -1 after a failed write
1479*/
1480
1481int
1482tls_write(const uschar *buff, size_t len)
1483{
1484int outbytes;
1485int error;
1486int left = len;
1487
c80c5570 1488DEBUG(D_tls) debug_printf("tls_do_write(%p, %d)\n", buff, left);
059ec3d9
PH
1489while (left > 0)
1490 {
c80c5570 1491 DEBUG(D_tls) debug_printf("SSL_write(SSL, %p, %d)\n", buff, left);
059ec3d9
PH
1492 outbytes = SSL_write(ssl, CS buff, left);
1493 error = SSL_get_error(ssl, outbytes);
1494 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
1495 switch (error)
1496 {
1497 case SSL_ERROR_SSL:
1498 ERR_error_string(ERR_get_error(), ssl_errstring);
1499 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
1500 return -1;
1501
1502 case SSL_ERROR_NONE:
1503 left -= outbytes;
1504 buff += outbytes;
1505 break;
1506
1507 case SSL_ERROR_ZERO_RETURN:
1508 log_write(0, LOG_MAIN, "SSL channel closed on write");
1509 return -1;
1510
1511 default:
1512 log_write(0, LOG_MAIN, "SSL_write error %d", error);
1513 return -1;
1514 }
1515 }
1516return len;
1517}
1518
1519
1520
1521/*************************************************
1522* Close down a TLS session *
1523*************************************************/
1524
1525/* This is also called from within a delivery subprocess forked from the
1526daemon, to shut down the TLS library, without actually doing a shutdown (which
1527would tamper with the SSL session in the parent process).
1528
1529Arguments: TRUE if SSL_shutdown is to be called
1530Returns: nothing
1531*/
1532
1533void
1534tls_close(BOOL shutdown)
1535{
1536if (tls_active < 0) return; /* TLS was not active */
1537
1538if (shutdown)
1539 {
1540 DEBUG(D_tls) debug_printf("tls_close(): shutting down SSL\n");
1541 SSL_shutdown(ssl);
1542 }
1543
1544SSL_free(ssl);
1545ssl = NULL;
1546
1547tls_active = -1;
1548}
1549
36f12725
NM
1550
1551
1552
1553/*************************************************
3375e053
PP
1554* Let tls_require_ciphers be checked at startup *
1555*************************************************/
1556
1557/* The tls_require_ciphers option, if set, must be something which the
1558library can parse.
1559
1560Returns: NULL on success, or error message
1561*/
1562
1563uschar *
1564tls_validate_require_cipher(void)
1565{
1566SSL_CTX *ctx;
1567uschar *s, *expciphers, *err;
1568
1569/* this duplicates from tls_init(), we need a better "init just global
1570state, for no specific purpose" singleton function of our own */
1571
1572SSL_load_error_strings();
1573OpenSSL_add_ssl_algorithms();
1574#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
1575/* SHA256 is becoming ever more popular. This makes sure it gets added to the
1576list of available digests. */
1577EVP_add_digest(EVP_sha256());
1578#endif
1579
1580if (!(tls_require_ciphers && *tls_require_ciphers))
1581 return NULL;
1582
1583if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers))
1584 return US"failed to expand tls_require_ciphers";
1585
1586if (!(expciphers && *expciphers))
1587 return NULL;
1588
1589/* normalisation ripped from above */
1590s = expciphers;
1591while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1592
1593err = NULL;
1594
1595ctx = SSL_CTX_new(SSLv23_server_method());
1596if (!ctx)
1597 {
1598 ERR_error_string(ERR_get_error(), ssl_errstring);
1599 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
1600 }
1601
1602DEBUG(D_tls)
1603 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
1604
1605if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
1606 {
1607 ERR_error_string(ERR_get_error(), ssl_errstring);
1608 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed", expciphers);
1609 }
1610
1611SSL_CTX_free(ctx);
1612
1613return err;
1614}
1615
1616
1617
1618
1619/*************************************************
36f12725
NM
1620* Report the library versions. *
1621*************************************************/
1622
1623/* There have historically been some issues with binary compatibility in
1624OpenSSL libraries; if Exim (like many other applications) is built against
1625one version of OpenSSL but the run-time linker picks up another version,
1626it can result in serious failures, including crashing with a SIGSEGV. So
1627report the version found by the compiler and the run-time version.
1628
1629Arguments: a FILE* to print the results to
1630Returns: nothing
1631*/
1632
1633void
1634tls_version_report(FILE *f)
1635{
754a0503
PP
1636fprintf(f, "Library version: OpenSSL: Compile: %s\n"
1637 " Runtime: %s\n",
1638 OPENSSL_VERSION_TEXT,
1639 SSLeay_version(SSLEAY_VERSION));
36f12725
NM
1640}
1641
9e3331ea
TK
1642
1643
1644
1645/*************************************************
17c76198 1646* Random number generation *
9e3331ea
TK
1647*************************************************/
1648
1649/* Pseudo-random number generation. The result is not expected to be
1650cryptographically strong but not so weak that someone will shoot themselves
1651in the foot using it as a nonce in input in some email header scheme or
1652whatever weirdness they'll twist this into. The result should handle fork()
1653and avoid repeating sequences. OpenSSL handles that for us.
1654
1655Arguments:
1656 max range maximum
1657Returns a random number in range [0, max-1]
1658*/
1659
1660int
17c76198 1661vaguely_random_number(int max)
9e3331ea
TK
1662{
1663unsigned int r;
1664int i, needed_len;
1665uschar *p;
1666uschar smallbuf[sizeof(r)];
1667
1668if (max <= 1)
1669 return 0;
1670
1671/* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
1672if (!RAND_status())
1673 {
1674 randstuff r;
1675 gettimeofday(&r.tv, NULL);
1676 r.p = getpid();
1677
1678 RAND_seed((uschar *)(&r), sizeof(r));
1679 }
1680/* We're after pseudo-random, not random; if we still don't have enough data
1681in the internal PRNG then our options are limited. We could sleep and hope
1682for entropy to come along (prayer technique) but if the system is so depleted
1683in the first place then something is likely to just keep taking it. Instead,
1684we'll just take whatever little bit of pseudo-random we can still manage to
1685get. */
1686
1687needed_len = sizeof(r);
1688/* Don't take 8 times more entropy than needed if int is 8 octets and we were
1689asked for a number less than 10. */
1690for (r = max, i = 0; r; ++i)
1691 r >>= 1;
1692i = (i + 7) / 8;
1693if (i < needed_len)
1694 needed_len = i;
1695
1696/* We do not care if crypto-strong */
17c76198
PP
1697i = RAND_pseudo_bytes(smallbuf, needed_len);
1698if (i < 0)
1699 {
1700 DEBUG(D_all)
1701 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
1702 return vaguely_random_number_fallback(max);
1703 }
1704
9e3331ea
TK
1705r = 0;
1706for (p = smallbuf; needed_len; --needed_len, ++p)
1707 {
1708 r *= 256;
1709 r += *p;
1710 }
1711
1712/* We don't particularly care about weighted results; if someone wants
1713smooth distribution and cares enough then they should submit a patch then. */
1714return r % max;
1715}
1716
77bb000f
PP
1717
1718
1719
1720/*************************************************
1721* OpenSSL option parse *
1722*************************************************/
1723
1724/* Parse one option for tls_openssl_options_parse below
1725
1726Arguments:
1727 name one option name
1728 value place to store a value for it
1729Returns success or failure in parsing
1730*/
1731
1732struct exim_openssl_option {
1733 uschar *name;
1734 long value;
1735};
1736/* We could use a macro to expand, but we need the ifdef and not all the
1737options document which version they were introduced in. Policylet: include
1738all options unless explicitly for DTLS, let the administrator choose which
1739to apply.
1740
1741This list is current as of:
c80c5570 1742 ==> 1.0.1b <== */
77bb000f
PP
1743static struct exim_openssl_option exim_openssl_options[] = {
1744/* KEEP SORTED ALPHABETICALLY! */
1745#ifdef SSL_OP_ALL
73a46702 1746 { US"all", SSL_OP_ALL },
77bb000f
PP
1747#endif
1748#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
73a46702 1749 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
77bb000f
PP
1750#endif
1751#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
73a46702 1752 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
77bb000f
PP
1753#endif
1754#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
73a46702 1755 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
77bb000f
PP
1756#endif
1757#ifdef SSL_OP_EPHEMERAL_RSA
73a46702 1758 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
77bb000f
PP
1759#endif
1760#ifdef SSL_OP_LEGACY_SERVER_CONNECT
73a46702 1761 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
77bb000f
PP
1762#endif
1763#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
73a46702 1764 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
77bb000f
PP
1765#endif
1766#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
73a46702 1767 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
77bb000f
PP
1768#endif
1769#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
73a46702 1770 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
77bb000f
PP
1771#endif
1772#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
73a46702 1773 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
77bb000f
PP
1774#endif
1775#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
73a46702 1776 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
77bb000f 1777#endif
c80c5570
PP
1778#ifdef SSL_OP_NO_COMPRESSION
1779 { US"no_compression", SSL_OP_NO_COMPRESSION },
1780#endif
77bb000f 1781#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
73a46702 1782 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
77bb000f 1783#endif
c0c7b2da
PP
1784#ifdef SSL_OP_NO_SSLv2
1785 { US"no_sslv2", SSL_OP_NO_SSLv2 },
1786#endif
1787#ifdef SSL_OP_NO_SSLv3
1788 { US"no_sslv3", SSL_OP_NO_SSLv3 },
1789#endif
1790#ifdef SSL_OP_NO_TICKET
1791 { US"no_ticket", SSL_OP_NO_TICKET },
1792#endif
1793#ifdef SSL_OP_NO_TLSv1
1794 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
1795#endif
c80c5570
PP
1796#ifdef SSL_OP_NO_TLSv1_1
1797#if SSL_OP_NO_TLSv1_1 == 0x00000400L
1798 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
1799#warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
1800#else
1801 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
1802#endif
1803#endif
1804#ifdef SSL_OP_NO_TLSv1_2
1805 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
1806#endif
77bb000f 1807#ifdef SSL_OP_SINGLE_DH_USE
73a46702 1808 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
77bb000f
PP
1809#endif
1810#ifdef SSL_OP_SINGLE_ECDH_USE
73a46702 1811 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
77bb000f
PP
1812#endif
1813#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
73a46702 1814 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
77bb000f
PP
1815#endif
1816#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
73a46702 1817 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
77bb000f
PP
1818#endif
1819#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
73a46702 1820 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
77bb000f
PP
1821#endif
1822#ifdef SSL_OP_TLS_D5_BUG
73a46702 1823 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
77bb000f
PP
1824#endif
1825#ifdef SSL_OP_TLS_ROLLBACK_BUG
73a46702 1826 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
77bb000f
PP
1827#endif
1828};
1829static int exim_openssl_options_size =
1830 sizeof(exim_openssl_options)/sizeof(struct exim_openssl_option);
1831
c80c5570 1832
77bb000f
PP
1833static BOOL
1834tls_openssl_one_option_parse(uschar *name, long *value)
1835{
1836int first = 0;
1837int last = exim_openssl_options_size;
1838while (last > first)
1839 {
1840 int middle = (first + last)/2;
1841 int c = Ustrcmp(name, exim_openssl_options[middle].name);
1842 if (c == 0)
1843 {
1844 *value = exim_openssl_options[middle].value;
1845 return TRUE;
1846 }
1847 else if (c > 0)
1848 first = middle + 1;
1849 else
1850 last = middle;
1851 }
1852return FALSE;
1853}
1854
1855
1856
1857
1858/*************************************************
1859* OpenSSL option parsing logic *
1860*************************************************/
1861
1862/* OpenSSL has a number of compatibility options which an administrator might
1863reasonably wish to set. Interpret a list similarly to decode_bits(), so that
1864we look like log_selector.
1865
1866Arguments:
1867 option_spec the administrator-supplied string of options
1868 results ptr to long storage for the options bitmap
1869Returns success or failure
1870*/
1871
1872BOOL
1873tls_openssl_options_parse(uschar *option_spec, long *results)
1874{
1875long result, item;
1876uschar *s, *end;
1877uschar keep_c;
1878BOOL adding, item_parsed;
1879
0e944a0d 1880result = 0L;
b1770b6e 1881/* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
da3ad30d 1882 * from default because it increases BEAST susceptibility. */
f0f5a555
PP
1883#ifdef SSL_OP_NO_SSLv2
1884result |= SSL_OP_NO_SSLv2;
1885#endif
77bb000f
PP
1886
1887if (option_spec == NULL)
1888 {
1889 *results = result;
1890 return TRUE;
1891 }
1892
1893for (s=option_spec; *s != '\0'; /**/)
1894 {
1895 while (isspace(*s)) ++s;
1896 if (*s == '\0')
1897 break;
1898 if (*s != '+' && *s != '-')
1899 {
1900 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
0e944a0d 1901 "+ or - expected but found \"%s\"\n", s);
77bb000f
PP
1902 return FALSE;
1903 }
1904 adding = *s++ == '+';
1905 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
1906 keep_c = *end;
1907 *end = '\0';
1908 item_parsed = tls_openssl_one_option_parse(s, &item);
1909 if (!item_parsed)
1910 {
0e944a0d 1911 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
77bb000f
PP
1912 return FALSE;
1913 }
1914 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
1915 adding ? "adding" : "removing", result, item, s);
1916 if (adding)
1917 result |= item;
1918 else
1919 result &= ~item;
1920 *end = keep_c;
1921 s = end;
1922 }
1923
1924*results = result;
1925return TRUE;
1926}
1927
059ec3d9 1928/* End of tls-openssl.c */