OpenSSL: better debug info for OCSP
[exim.git] / src / src / tls-openssl.c
CommitLineData
059ec3d9
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
d4e5e70b 5/* Copyright (c) University of Cambridge 1995 - 2017 */
059ec3d9
PH
6/* See the file NOTICE for conditions of use and distribution. */
7
f5d78688
JH
8/* Portions Copyright (c) The OpenSSL Project 1999 */
9
059ec3d9
PH
10/* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11library. It is #included into the tls.c file when that library is used. The
12code herein is based on a patch that was originally contributed by Steve
13Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
14
15No cryptographic code is included in Exim. All this module does is to call
16functions from the OpenSSL library. */
17
18
19/* Heading stuff */
20
21#include <openssl/lhash.h>
22#include <openssl/ssl.h>
23#include <openssl/err.h>
24#include <openssl/rand.h>
10ca4f1c
JH
25#ifndef OPENSSL_NO_ECDH
26# include <openssl/ec.h>
27#endif
f2de3a33 28#ifndef DISABLE_OCSP
e51c7be2 29# include <openssl/ocsp.h>
3f7eeb86 30#endif
85098ee7 31#ifdef EXPERIMENTAL_DANE
05e796ad 32# include "danessl.h"
85098ee7
JH
33#endif
34
3f7eeb86 35
f2de3a33
JH
36#ifndef DISABLE_OCSP
37# define EXIM_OCSP_SKEW_SECONDS (300L)
38# define EXIM_OCSP_MAX_AGE (-1L)
3f7eeb86 39#endif
059ec3d9 40
3bcbbbe2 41#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
e51c7be2 42# define EXIM_HAVE_OPENSSL_TLSEXT
3bcbbbe2 43#endif
c8dfb21d
JH
44#if OPENSSL_VERSION_NUMBER >= 0x00908000L
45# define EXIM_HAVE_RSA_GENKEY_EX
46#endif
47#if OPENSSL_VERSION_NUMBER >= 0x10100000L
48# define EXIM_HAVE_OCSP_RESP_COUNT
49#else
50# define EXIM_HAVE_EPHEM_RSA_KEX
51# define EXIM_HAVE_RAND_PSEUDO
52#endif
53#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
54# define EXIM_HAVE_SHA256
55#endif
34e3241d
PP
56
57/*
58 * X509_check_host provides sane certificate hostname checking, but was added
59 * to OpenSSL late, after other projects forked off the code-base. So in
60 * addition to guarding against the base version number, beware that LibreSSL
61 * does not (at this time) support this function.
62 *
63 * If LibreSSL gains a different API, perhaps via libtls, then we'll probably
64 * opt to disentangle and ask a LibreSSL user to provide glue for a third
65 * crypto provider for libtls instead of continuing to tie the OpenSSL glue
66 * into even twistier knots. If LibreSSL gains the same API, we can just
67 * change this guard and punt the issue for a while longer.
68 */
69#ifndef LIBRESSL_VERSION_NUMBER
70# if OPENSSL_VERSION_NUMBER >= 0x010100000L
71# define EXIM_HAVE_OPENSSL_CHECKHOST
8420742d 72# define EXIM_HAVE_OPENSSL_DH_BITS
34e3241d
PP
73# endif
74# if OPENSSL_VERSION_NUMBER >= 0x010000000L \
2dfb468b 75 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
34e3241d
PP
76# define EXIM_HAVE_OPENSSL_CHECKHOST
77# endif
11aa88b0 78#endif
10ca4f1c 79
11aa88b0
RA
80#if !defined(LIBRESSL_VERSION_NUMBER) \
81 || LIBRESSL_VERSION_NUMBER >= 0x20010000L
10ca4f1c
JH
82# if !defined(OPENSSL_NO_ECDH)
83# if OPENSSL_VERSION_NUMBER >= 0x0090800fL
84# define EXIM_HAVE_ECDH
85# endif
86# if OPENSSL_VERSION_NUMBER >= 0x10002000L
10ca4f1c
JH
87# define EXIM_HAVE_OPENSSL_EC_NIST2NID
88# endif
89# endif
2dfb468b 90#endif
3bcbbbe2 91
67791ce4
JH
92#if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
93# warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
94# define DISABLE_OCSP
95#endif
96
a6510420
JH
97#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
98# include <openssl/x509v3.h>
99#endif
100
059ec3d9
PH
101/* Structure for collecting random data for seeding. */
102
103typedef struct randstuff {
9e3331ea
TK
104 struct timeval tv;
105 pid_t p;
059ec3d9
PH
106} randstuff;
107
108/* Local static variables */
109
a2ff477a
JH
110static BOOL client_verify_callback_called = FALSE;
111static BOOL server_verify_callback_called = FALSE;
059ec3d9
PH
112static const uschar *sid_ctx = US"exim";
113
d4f09789
PP
114/* We have three different contexts to care about.
115
116Simple case: client, `client_ctx`
117 As a client, we can be doing a callout or cut-through delivery while receiving
118 a message. So we have a client context, which should have options initialised
119 from the SMTP Transport.
120
121Server:
122 There are two cases: with and without ServerNameIndication from the client.
123 Given TLS SNI, we can be using different keys, certs and various other
124 configuration settings, because they're re-expanded with $tls_sni set. This
125 allows vhosting with TLS. This SNI is sent in the handshake.
126 A client might not send SNI, so we need a fallback, and an initial setup too.
127 So as a server, we start out using `server_ctx`.
128 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
129 `server_sni` from `server_ctx` and then initialise settings by re-expanding
130 configuration.
131*/
132
817d9f57
JH
133static SSL_CTX *client_ctx = NULL;
134static SSL_CTX *server_ctx = NULL;
135static SSL *client_ssl = NULL;
136static SSL *server_ssl = NULL;
389ca47a 137
35731706 138#ifdef EXIM_HAVE_OPENSSL_TLSEXT
817d9f57 139static SSL_CTX *server_sni = NULL;
35731706 140#endif
059ec3d9
PH
141
142static char ssl_errstring[256];
143
144static int ssl_session_timeout = 200;
a2ff477a
JH
145static BOOL client_verify_optional = FALSE;
146static BOOL server_verify_optional = FALSE;
059ec3d9 147
f5d78688 148static BOOL reexpand_tls_files_for_sni = FALSE;
059ec3d9
PH
149
150
7be682ca
PP
151typedef struct tls_ext_ctx_cb {
152 uschar *certificate;
153 uschar *privatekey;
f5d78688 154 BOOL is_server;
a6510420 155#ifndef DISABLE_OCSP
c3033f13 156 STACK_OF(X509) *verify_stack; /* chain for verifying the proof */
f5d78688
JH
157 union {
158 struct {
159 uschar *file;
160 uschar *file_expanded;
161 OCSP_RESPONSE *response;
162 } server;
163 struct {
44662487
JH
164 X509_STORE *verify_store; /* non-null if status requested */
165 BOOL verify_required;
f5d78688
JH
166 } client;
167 } u_ocsp;
3f7eeb86 168#endif
7be682ca
PP
169 uschar *dhparam;
170 /* these are cached from first expand */
171 uschar *server_cipher_list;
172 /* only passed down to tls_error: */
173 host_item *host;
55414b25 174 const uschar * verify_cert_hostnames;
0cbf2b82 175#ifndef DISABLE_EVENT
a7538db1
JH
176 uschar * event_action;
177#endif
7be682ca
PP
178} tls_ext_ctx_cb;
179
180/* should figure out a cleanup of API to handle state preserved per
181implementation, for various reasons, which can be void * in the APIs.
182For now, we hack around it. */
817d9f57
JH
183tls_ext_ctx_cb *client_static_cbinfo = NULL;
184tls_ext_ctx_cb *server_static_cbinfo = NULL;
7be682ca
PP
185
186static int
983207c1 187setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
cf0c6164 188 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr );
059ec3d9 189
3f7eeb86 190/* Callbacks */
3bcbbbe2 191#ifdef EXIM_HAVE_OPENSSL_TLSEXT
3f7eeb86 192static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
3bcbbbe2 193#endif
f2de3a33 194#ifndef DISABLE_OCSP
f5d78688 195static int tls_server_stapling_cb(SSL *s, void *arg);
3f7eeb86
PP
196#endif
197
059ec3d9
PH
198
199/*************************************************
200* Handle TLS error *
201*************************************************/
202
203/* Called from lots of places when errors occur before actually starting to do
204the TLS handshake, that is, while the session is still in clear. Always returns
205DEFER for a server and FAIL for a client so that most calls can use "return
206tls_error(...)" to do this processing and then give an appropriate return. A
207single function is used for both server and client, because it is called from
208some shared functions.
209
210Argument:
211 prefix text to include in the logged error
212 host NULL if setting up a server;
213 the connected host if setting up a client
7199e1ee 214 msg error message or NULL if we should ask OpenSSL
cf0c6164 215 errstr pointer to output error message
059ec3d9
PH
216
217Returns: OK/DEFER/FAIL
218*/
219
220static int
cf0c6164 221tls_error(uschar * prefix, const host_item * host, uschar * msg, uschar ** errstr)
059ec3d9 222{
c562fd30 223if (!msg)
7199e1ee
TF
224 {
225 ERR_error_string(ERR_get_error(), ssl_errstring);
cf0c6164 226 msg = US ssl_errstring;
7199e1ee
TF
227 }
228
cf0c6164
JH
229if (errstr) *errstr = string_sprintf("(%s): %s", prefix, msg);
230return host ? FAIL : DEFER;
059ec3d9
PH
231}
232
233
234
235/*************************************************
236* Callback to generate RSA key *
237*************************************************/
238
239/*
240Arguments:
3ae79556 241 s SSL connection (not used)
059ec3d9
PH
242 export not used
243 keylength keylength
244
245Returns: pointer to generated key
246*/
247
248static RSA *
249rsa_callback(SSL *s, int export, int keylength)
250{
251RSA *rsa_key;
c8dfb21d
JH
252#ifdef EXIM_HAVE_RSA_GENKEY_EX
253BIGNUM *bn = BN_new();
254#endif
255
059ec3d9
PH
256export = export; /* Shut picky compilers up */
257DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
c8dfb21d
JH
258
259#ifdef EXIM_HAVE_RSA_GENKEY_EX
260if ( !BN_set_word(bn, (unsigned long)RSA_F4)
f2cb6292 261 || !(rsa_key = RSA_new())
c8dfb21d
JH
262 || !RSA_generate_key_ex(rsa_key, keylength, bn, NULL)
263 )
264#else
23bb6982 265if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL)))
c8dfb21d
JH
266#endif
267
059ec3d9
PH
268 {
269 ERR_error_string(ERR_get_error(), ssl_errstring);
270 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
271 ssl_errstring);
272 return NULL;
273 }
274return rsa_key;
275}
276
277
278
f5d78688 279/* Extreme debug
f2de3a33 280#ifndef DISABLE_OCSP
f5d78688
JH
281void
282x509_store_dump_cert_s_names(X509_STORE * store)
283{
284STACK_OF(X509_OBJECT) * roots= store->objs;
285int i;
286static uschar name[256];
287
288for(i= 0; i<sk_X509_OBJECT_num(roots); i++)
289 {
290 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
291 if(tmp_obj->type == X509_LU_X509)
292 {
293 X509 * current_cert= tmp_obj->data.x509;
294 X509_NAME_oneline(X509_get_subject_name(current_cert), CS name, sizeof(name));
f69979cf 295 name[sizeof(name)-1] = '\0';
f5d78688
JH
296 debug_printf(" %s\n", name);
297 }
298 }
299}
300#endif
301*/
302
059ec3d9 303
0cbf2b82 304#ifndef DISABLE_EVENT
f69979cf
JH
305static int
306verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
307 BOOL *calledp, const BOOL *optionalp, const uschar * what)
308{
309uschar * ev;
310uschar * yield;
311X509 * old_cert;
312
313ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
314if (ev)
315 {
aaba7d03 316 DEBUG(D_tls) debug_printf("verify_event: %s %d\n", what, depth);
f69979cf
JH
317 old_cert = tlsp->peercert;
318 tlsp->peercert = X509_dup(cert);
319 /* NB we do not bother setting peerdn */
320 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
321 {
322 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
323 "depth=%d cert=%s: %s",
324 tlsp == &tls_out ? deliver_host_address : sender_host_address,
325 what, depth, dn, yield);
326 *calledp = TRUE;
327 if (!*optionalp)
328 {
329 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
330 return 1; /* reject (leaving peercert set) */
331 }
332 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
333 "(host in tls_try_verify_hosts)\n");
334 }
335 X509_free(tlsp->peercert);
336 tlsp->peercert = old_cert;
337 }
338return 0;
339}
340#endif
341
059ec3d9
PH
342/*************************************************
343* Callback for verification *
344*************************************************/
345
346/* The SSL library does certificate verification if set up to do so. This
347callback has the current yes/no state is in "state". If verification succeeded,
f69979cf
JH
348we set the certificate-verified flag. If verification failed, what happens
349depends on whether the client is required to present a verifiable certificate
350or not.
059ec3d9
PH
351
352If verification is optional, we change the state to yes, but still log the
353verification error. For some reason (it really would help to have proper
354documentation of OpenSSL), this callback function then gets called again, this
f69979cf
JH
355time with state = 1. We must take care not to set the private verified flag on
356the second time through.
059ec3d9
PH
357
358Note: this function is not called if the client fails to present a certificate
359when asked. We get here only if a certificate has been received. Handling of
360optional verification for this case is done when requesting SSL to verify, by
361setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
362
a7538db1
JH
363May be called multiple times for different issues with a certificate, even
364for a given "depth" in the certificate chain.
365
059ec3d9 366Arguments:
f2f2c91b
JH
367 preverify_ok current yes/no state as 1/0
368 x509ctx certificate information.
369 tlsp per-direction (client vs. server) support data
370 calledp has-been-called flag
371 optionalp verification-is-optional flag
059ec3d9 372
f2f2c91b 373Returns: 0 if verification should fail, otherwise 1
059ec3d9
PH
374*/
375
376static int
f2f2c91b 377verify_callback(int preverify_ok, X509_STORE_CTX *x509ctx,
421aff85 378 tls_support *tlsp, BOOL *calledp, BOOL *optionalp)
059ec3d9 379{
421aff85 380X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
a7538db1 381int depth = X509_STORE_CTX_get_error_depth(x509ctx);
f69979cf 382uschar dn[256];
059ec3d9 383
f69979cf
JH
384X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn));
385dn[sizeof(dn)-1] = '\0';
059ec3d9 386
f2f2c91b 387if (preverify_ok == 0)
059ec3d9 388 {
f77197ae
JH
389 uschar * extra = verify_mode ? string_sprintf(" (during %c-verify for [%s])",
390 *verify_mode, sender_host_address)
391 : US"";
392 log_write(0, LOG_MAIN, "[%s] SSL verify error%s: depth=%d error=%s cert=%s",
393 tlsp == &tls_out ? deliver_host_address : sender_host_address,
394 extra, depth,
395 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)), dn);
a2ff477a 396 *calledp = TRUE;
9d1c15ef
JH
397 if (!*optionalp)
398 {
f69979cf
JH
399 if (!tlsp->peercert)
400 tlsp->peercert = X509_dup(cert); /* record failing cert */
401 return 0; /* reject */
9d1c15ef 402 }
059ec3d9
PH
403 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
404 "tls_try_verify_hosts)\n");
059ec3d9
PH
405 }
406
a7538db1 407else if (depth != 0)
059ec3d9 408 {
f69979cf 409 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
f2de3a33 410#ifndef DISABLE_OCSP
f5d78688
JH
411 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
412 { /* client, wanting stapling */
413 /* Add the server cert's signing chain as the one
414 for the verification of the OCSP stapled information. */
94431adb 415
f5d78688 416 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
421aff85 417 cert))
f5d78688 418 ERR_clear_error();
c3033f13 419 sk_X509_push(client_static_cbinfo->verify_stack, cert);
f5d78688
JH
420 }
421#endif
0cbf2b82 422#ifndef DISABLE_EVENT
f69979cf
JH
423 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
424 return 0; /* reject, with peercert set */
a7538db1 425#endif
059ec3d9
PH
426 }
427else
428 {
55414b25 429 const uschar * verify_cert_hostnames;
e51c7be2 430
e51c7be2
JH
431 if ( tlsp == &tls_out
432 && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
433 /* client, wanting hostname check */
e51c7be2 434 {
f69979cf 435
740f36d4 436#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
f69979cf
JH
437# ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
438# define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
439# endif
440# ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
441# define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
442# endif
e51c7be2 443 int sep = 0;
55414b25 444 const uschar * list = verify_cert_hostnames;
e51c7be2 445 uschar * name;
d8e7834a
JH
446 int rc;
447 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
f40d5be3 448 if ((rc = X509_check_host(cert, CCS name, 0,
8d692470 449 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
740f36d4
JH
450 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
451 NULL)))
d8e7834a
JH
452 {
453 if (rc < 0)
454 {
93a6fce2 455 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
f77197ae 456 tlsp == &tls_out ? deliver_host_address : sender_host_address);
d8e7834a
JH
457 name = NULL;
458 }
e51c7be2 459 break;
d8e7834a 460 }
e51c7be2 461 if (!name)
f69979cf 462#else
e51c7be2 463 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
f69979cf 464#endif
e51c7be2 465 {
f77197ae
JH
466 uschar * extra = verify_mode
467 ? string_sprintf(" (during %c-verify for [%s])",
468 *verify_mode, sender_host_address)
469 : US"";
e51c7be2 470 log_write(0, LOG_MAIN,
f77197ae
JH
471 "[%s] SSL verify error%s: certificate name mismatch: DN=\"%s\" H=\"%s\"",
472 tlsp == &tls_out ? deliver_host_address : sender_host_address,
473 extra, dn, verify_cert_hostnames);
a3ef7310
JH
474 *calledp = TRUE;
475 if (!*optionalp)
f69979cf
JH
476 {
477 if (!tlsp->peercert)
478 tlsp->peercert = X509_dup(cert); /* record failing cert */
479 return 0; /* reject */
480 }
a3ef7310
JH
481 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
482 "tls_try_verify_hosts)\n");
e51c7be2 483 }
f69979cf 484 }
e51c7be2 485
0cbf2b82 486#ifndef DISABLE_EVENT
f69979cf
JH
487 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
488 return 0; /* reject, with peercert set */
e51c7be2
JH
489#endif
490
93dcb1c2 491 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
f69979cf 492 *calledp ? "" : " authenticated", dn);
93dcb1c2
JH
493 if (!*calledp) tlsp->certificate_verified = TRUE;
494 *calledp = TRUE;
059ec3d9
PH
495 }
496
a7538db1 497return 1; /* accept, at least for this level */
059ec3d9
PH
498}
499
a2ff477a 500static int
f2f2c91b 501verify_callback_client(int preverify_ok, X509_STORE_CTX *x509ctx)
a2ff477a 502{
f2f2c91b
JH
503return verify_callback(preverify_ok, x509ctx, &tls_out,
504 &client_verify_callback_called, &client_verify_optional);
a2ff477a
JH
505}
506
507static int
f2f2c91b 508verify_callback_server(int preverify_ok, X509_STORE_CTX *x509ctx)
a2ff477a 509{
f2f2c91b
JH
510return verify_callback(preverify_ok, x509ctx, &tls_in,
511 &server_verify_callback_called, &server_verify_optional);
a2ff477a
JH
512}
513
059ec3d9 514
e5cccda9 515#ifdef EXPERIMENTAL_DANE
53a7196b 516
e5cccda9
JH
517/* This gets called *by* the dane library verify callback, which interposes
518itself.
519*/
520static int
f2f2c91b 521verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
e5cccda9
JH
522{
523X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
f69979cf 524uschar dn[256];
83b27293 525int depth = X509_STORE_CTX_get_error_depth(x509ctx);
5c75db2e 526#ifndef DISABLE_EVENT
f69979cf 527BOOL dummy_called, optional = FALSE;
83b27293 528#endif
e5cccda9 529
f69979cf
JH
530X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn));
531dn[sizeof(dn)-1] = '\0';
e5cccda9 532
f2f2c91b
JH
533DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
534 preverify_ok ? "ok":"BAD", depth, dn);
e5cccda9 535
0cbf2b82 536#ifndef DISABLE_EVENT
f69979cf
JH
537 if (verify_event(&tls_out, cert, depth, dn,
538 &dummy_called, &optional, US"DANE"))
539 return 0; /* reject, with peercert set */
83b27293
JH
540#endif
541
f2f2c91b 542if (preverify_ok == 1)
53a7196b 543 tls_out.dane_verified =
e5cccda9 544 tls_out.certificate_verified = TRUE;
f2f2c91b
JH
545else
546 {
547 int err = X509_STORE_CTX_get_error(x509ctx);
548 DEBUG(D_tls)
549 debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
3c51463e 550 if (err == X509_V_ERR_APPLICATION_VERIFICATION)
f2f2c91b
JH
551 preverify_ok = 1;
552 }
553return preverify_ok;
e5cccda9 554}
53a7196b
JH
555
556#endif /*EXPERIMENTAL_DANE*/
e5cccda9 557
059ec3d9
PH
558
559/*************************************************
560* Information callback *
561*************************************************/
562
563/* The SSL library functions call this from time to time to indicate what they
7be682ca
PP
564are doing. We copy the string to the debugging output when TLS debugging has
565been requested.
059ec3d9
PH
566
567Arguments:
568 s the SSL connection
569 where
570 ret
571
572Returns: nothing
573*/
574
575static void
576info_callback(SSL *s, int where, int ret)
577{
578where = where;
579ret = ret;
580DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
581}
582
583
584
585/*************************************************
586* Initialize for DH *
587*************************************************/
588
589/* If dhparam is set, expand it, and load up the parameters for DH encryption.
590
591Arguments:
038597d2 592 sctx The current SSL CTX (inbound or outbound)
a799883d 593 dhparam DH parameter file or fixed parameter identity string
7199e1ee 594 host connected host, if client; NULL if server
cf0c6164 595 errstr error string pointer
059ec3d9
PH
596
597Returns: TRUE if OK (nothing to set up, or setup worked)
598*/
599
600static BOOL
cf0c6164 601init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host, uschar ** errstr)
059ec3d9 602{
059ec3d9
PH
603BIO *bio;
604DH *dh;
605uschar *dhexpanded;
a799883d 606const char *pem;
6600985a 607int dh_bitsize;
059ec3d9 608
cf0c6164 609if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded, errstr))
059ec3d9
PH
610 return FALSE;
611
0df4ab80 612if (!dhexpanded || !*dhexpanded)
a799883d 613 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
a799883d 614else if (dhexpanded[0] == '/')
059ec3d9 615 {
0df4ab80 616 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
059ec3d9 617 {
7199e1ee 618 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
cf0c6164 619 host, US strerror(errno), errstr);
a799883d 620 return FALSE;
059ec3d9 621 }
a799883d
PP
622 }
623else
624 {
625 if (Ustrcmp(dhexpanded, "none") == 0)
059ec3d9 626 {
a799883d
PP
627 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
628 return TRUE;
059ec3d9 629 }
a799883d 630
0df4ab80 631 if (!(pem = std_dh_prime_named(dhexpanded)))
a799883d
PP
632 {
633 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
cf0c6164 634 host, US strerror(errno), errstr);
a799883d
PP
635 return FALSE;
636 }
637 bio = BIO_new_mem_buf(CS pem, -1);
638 }
639
0df4ab80 640if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
a799883d 641 {
059ec3d9 642 BIO_free(bio);
a799883d 643 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
cf0c6164 644 host, NULL, errstr);
a799883d
PP
645 return FALSE;
646 }
647
6600985a
PP
648/* note: our default limit of 2236 is not a multiple of 8; the limit comes from
649 * an NSS limit, and the GnuTLS APIs handle bit-sizes fine, so we went with
650 * 2236. But older OpenSSL can only report in bytes (octets), not bits.
651 * If someone wants to dance at the edge, then they can raise the limit or use
652 * current libraries. */
653#ifdef EXIM_HAVE_OPENSSL_DH_BITS
654/* Added in commit 26c79d5641d; `git describe --contains` says OpenSSL_1_1_0-pre1~1022
655 * This predates OpenSSL_1_1_0 (before a, b, ...) so is in all 1.1.0 */
656dh_bitsize = DH_bits(dh);
657#else
658dh_bitsize = 8 * DH_size(dh);
659#endif
660
a799883d
PP
661/* Even if it is larger, we silently return success rather than cause things
662 * to fail out, so that a too-large DH will not knock out all TLS; it's a
663 * debatable choice. */
6600985a 664if (dh_bitsize > tls_dh_max_bits)
a799883d
PP
665 {
666 DEBUG(D_tls)
170f4904 667 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d\n",
6600985a 668 dh_bitsize, tls_dh_max_bits);
a799883d
PP
669 }
670else
671 {
672 SSL_CTX_set_tmp_dh(sctx, dh);
673 DEBUG(D_tls)
674 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
6600985a 675 dhexpanded ? dhexpanded : US"default", dh_bitsize);
059ec3d9
PH
676 }
677
a799883d
PP
678DH_free(dh);
679BIO_free(bio);
680
681return TRUE;
059ec3d9
PH
682}
683
684
685
686
038597d2
PP
687/*************************************************
688* Initialize for ECDH *
689*************************************************/
690
691/* Load parameters for ECDH encryption.
692
693For now, we stick to NIST P-256 because: it's simple and easy to configure;
694it avoids any patent issues that might bite redistributors; despite events in
695the news and concerns over curve choices, we're not cryptographers, we're not
696pretending to be, and this is "good enough" to be better than no support,
697protecting against most adversaries. Given another year or two, there might
698be sufficient clarity about a "right" way forward to let us make an informed
699decision, instead of a knee-jerk reaction.
700
701Longer-term, we should look at supporting both various named curves and
702external files generated with "openssl ecparam", much as we do for init_dh().
703We should also support "none" as a value, to explicitly avoid initialisation.
704
705Patches welcome.
706
707Arguments:
708 sctx The current SSL CTX (inbound or outbound)
709 host connected host, if client; NULL if server
cf0c6164 710 errstr error string pointer
038597d2
PP
711
712Returns: TRUE if OK (nothing to set up, or setup worked)
713*/
714
715static BOOL
cf0c6164 716init_ecdh(SSL_CTX * sctx, host_item * host, uschar ** errstr)
038597d2 717{
63f0dbe0
JH
718#ifdef OPENSSL_NO_ECDH
719return TRUE;
720#else
721
10ca4f1c
JH
722EC_KEY * ecdh;
723uschar * exp_curve;
724int nid;
725BOOL rv;
726
038597d2
PP
727if (host) /* No ECDH setup for clients, only for servers */
728 return TRUE;
729
10ca4f1c 730# ifndef EXIM_HAVE_ECDH
038597d2
PP
731DEBUG(D_tls)
732 debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
733return TRUE;
038597d2 734# else
10ca4f1c 735
cf0c6164 736if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr))
10ca4f1c
JH
737 return FALSE;
738if (!exp_curve || !*exp_curve)
739 return TRUE;
740
8e53a4fc 741/* "auto" needs to be handled carefully.
4c04137d 742 * OpenSSL < 1.0.2: we do not select anything, but fallback to prime256v1
8e53a4fc 743 * OpenSSL < 1.1.0: we have to call SSL_CTX_set_ecdh_auto
4c04137d 744 * (openssl/ssl.h defines SSL_CTRL_SET_ECDH_AUTO)
8e53a4fc
HSHR
745 * OpenSSL >= 1.1.0: we do not set anything, the libray does autoselection
746 * https://github.com/openssl/openssl/commit/fe6ef2472db933f01b59cad82aa925736935984b
747 */
10ca4f1c 748if (Ustrcmp(exp_curve, "auto") == 0)
038597d2 749 {
8e53a4fc 750#if OPENSSL_VERSION_NUMBER < 0x10002000L
10ca4f1c 751 DEBUG(D_tls) debug_printf(
8e53a4fc 752 "ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n");
78a3bbd5 753 exp_curve = US"prime256v1";
8e53a4fc
HSHR
754#else
755# if defined SSL_CTRL_SET_ECDH_AUTO
756 DEBUG(D_tls) debug_printf(
757 "ECDH OpenSSL 1.0.2+ temp key parameter settings: autoselection\n");
10ca4f1c
JH
758 SSL_CTX_set_ecdh_auto(sctx, 1);
759 return TRUE;
8e53a4fc
HSHR
760# else
761 DEBUG(D_tls) debug_printf(
762 "ECDH OpenSSL 1.1.0+ temp key parameter settings: default selection\n");
763 return TRUE;
764# endif
765#endif
10ca4f1c 766 }
038597d2 767
10ca4f1c
JH
768DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve);
769if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef
770# ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
771 && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef
772# endif
773 )
774 {
cf0c6164
JH
775 tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve),
776 host, NULL, errstr);
10ca4f1c
JH
777 return FALSE;
778 }
038597d2 779
10ca4f1c
JH
780if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
781 {
cf0c6164 782 tls_error(US"Unable to create ec curve", host, NULL, errstr);
10ca4f1c 783 return FALSE;
038597d2 784 }
10ca4f1c
JH
785
786/* The "tmp" in the name here refers to setting a temporary key
787not to the stability of the interface. */
788
789if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
cf0c6164 790 tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL, errstr);
10ca4f1c
JH
791else
792 DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
793
794EC_KEY_free(ecdh);
795return !rv;
796
797# endif /*EXIM_HAVE_ECDH*/
798#endif /*OPENSSL_NO_ECDH*/
038597d2
PP
799}
800
801
802
803
f2de3a33 804#ifndef DISABLE_OCSP
3f7eeb86
PP
805/*************************************************
806* Load OCSP information into state *
807*************************************************/
f5d78688 808/* Called to load the server OCSP response from the given file into memory, once
3f7eeb86
PP
809caller has determined this is needed. Checks validity. Debugs a message
810if invalid.
811
812ASSUMES: single response, for single cert.
813
814Arguments:
815 sctx the SSL_CTX* to update
816 cbinfo various parts of session state
817 expanded the filename putatively holding an OCSP response
818
819*/
820
821static void
f5d78688 822ocsp_load_response(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo, const uschar *expanded)
3f7eeb86 823{
ee5b1e28
JH
824BIO * bio;
825OCSP_RESPONSE * resp;
826OCSP_BASICRESP * basic_response;
827OCSP_SINGLERESP * single_response;
828ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
ee5b1e28 829STACK_OF(X509) * sk;
3f7eeb86
PP
830unsigned long verify_flags;
831int status, reason, i;
832
f5d78688
JH
833cbinfo->u_ocsp.server.file_expanded = string_copy(expanded);
834if (cbinfo->u_ocsp.server.response)
3f7eeb86 835 {
f5d78688
JH
836 OCSP_RESPONSE_free(cbinfo->u_ocsp.server.response);
837 cbinfo->u_ocsp.server.response = NULL;
3f7eeb86
PP
838 }
839
ee5b1e28 840if (!(bio = BIO_new_file(CS cbinfo->u_ocsp.server.file_expanded, "rb")))
3f7eeb86
PP
841 {
842 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
f5d78688 843 cbinfo->u_ocsp.server.file_expanded);
3f7eeb86
PP
844 return;
845 }
846
847resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
848BIO_free(bio);
849if (!resp)
850 {
851 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
852 return;
853 }
854
ee5b1e28 855if ((status = OCSP_response_status(resp)) != OCSP_RESPONSE_STATUS_SUCCESSFUL)
3f7eeb86
PP
856 {
857 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
858 OCSP_response_status_str(status), status);
f5d78688 859 goto bad;
3f7eeb86
PP
860 }
861
ee5b1e28 862if (!(basic_response = OCSP_response_get1_basic(resp)))
3f7eeb86
PP
863 {
864 DEBUG(D_tls)
865 debug_printf("OCSP response parse error: unable to extract basic response.\n");
f5d78688 866 goto bad;
3f7eeb86
PP
867 }
868
c3033f13 869sk = cbinfo->verify_stack;
3f7eeb86
PP
870verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
871
872/* May need to expose ability to adjust those flags?
873OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
874OCSP_TRUSTOTHER OCSP_NOINTERN */
875
4c04137d 876/* This does a full verify on the OCSP proof before we load it for serving
ee5b1e28
JH
877up; possibly overkill - just date-checks might be nice enough.
878
879OCSP_basic_verify takes a "store" arg, but does not
880use it for the chain verification, which is all we do
881when OCSP_NOVERIFY is set. The content from the wire
882"basic_response" and a cert-stack "sk" are all that is used.
883
c3033f13
JH
884We have a stack, loaded in setup_certs() if tls_verify_certificates
885was a file (not a directory, or "system"). It is unfortunate we
886cannot used the connection context store, as that would neatly
887handle the "system" case too, but there seems to be no library
888function for getting a stack from a store.
e3555426 889[ In OpenSSL 1.1 - ? X509_STORE_CTX_get0_chain(ctx) ? ]
c3033f13
JH
890We do not free the stack since it could be needed a second time for
891SNI handling.
892
4c04137d 893Separately we might try to replace using OCSP_basic_verify() - which seems to not
ee5b1e28
JH
894be a public interface into the OpenSSL library (there's no manual entry) -
895But what with? We also use OCSP_basic_verify in the client stapling callback.
4c04137d 896And there we NEED it; we must verify that status... unless the
ee5b1e28
JH
897library does it for us anyway? */
898
899if ((i = OCSP_basic_verify(basic_response, sk, NULL, verify_flags)) < 0)
3f7eeb86 900 {
ee5b1e28
JH
901 DEBUG(D_tls)
902 {
3f7eeb86
PP
903 ERR_error_string(ERR_get_error(), ssl_errstring);
904 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
f5d78688
JH
905 }
906 goto bad;
3f7eeb86
PP
907 }
908
909/* Here's the simplifying assumption: there's only one response, for the
910one certificate we use, and nothing for anything else in a chain. If this
911proves false, we need to extract a cert id from our issued cert
912(tls_certificate) and use that for OCSP_resp_find_status() (which finds the
913right cert in the stack and then calls OCSP_single_get0_status()).
914
915I'm hoping to avoid reworking a bunch more of how we handle state here. */
ee5b1e28
JH
916
917if (!(single_response = OCSP_resp_get0(basic_response, 0)))
3f7eeb86
PP
918 {
919 DEBUG(D_tls)
920 debug_printf("Unable to get first response from OCSP basic response.\n");
f5d78688 921 goto bad;
3f7eeb86
PP
922 }
923
924status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
f5d78688 925if (status != V_OCSP_CERTSTATUS_GOOD)
3f7eeb86 926 {
f5d78688
JH
927 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
928 OCSP_cert_status_str(status), status,
929 OCSP_crl_reason_str(reason), reason);
930 goto bad;
3f7eeb86
PP
931 }
932
933if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
934 {
935 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
f5d78688 936 goto bad;
3f7eeb86
PP
937 }
938
f5d78688 939supply_response:
47195144 940 cbinfo->u_ocsp.server.response = resp; /*XXX stack?*/
f5d78688
JH
941return;
942
943bad:
018058b2
JH
944 if (running_in_test_harness)
945 {
946 extern char ** environ;
947 uschar ** p;
47195144 948 if (environ) for (p = USS environ; *p; p++)
018058b2
JH
949 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
950 {
951 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
952 goto supply_response;
953 }
954 }
f5d78688 955return;
3f7eeb86 956}
f2de3a33 957#endif /*!DISABLE_OCSP*/
3f7eeb86
PP
958
959
960
961
23bb6982
JH
962/* Create and install a selfsigned certificate, for use in server mode */
963
964static int
cf0c6164 965tls_install_selfsign(SSL_CTX * sctx, uschar ** errstr)
23bb6982
JH
966{
967X509 * x509 = NULL;
968EVP_PKEY * pkey;
969RSA * rsa;
970X509_NAME * name;
971uschar * where;
972
973where = US"allocating pkey";
974if (!(pkey = EVP_PKEY_new()))
975 goto err;
976
977where = US"allocating cert";
978if (!(x509 = X509_new()))
979 goto err;
980
981where = US"generating pkey";
3ae79556 982if (!(rsa = rsa_callback(NULL, 0, 1024)))
23bb6982
JH
983 goto err;
984
4c04137d 985where = US"assigning pkey";
23bb6982
JH
986if (!EVP_PKEY_assign_RSA(pkey, rsa))
987 goto err;
988
989X509_set_version(x509, 2); /* N+1 - version 3 */
990ASN1_INTEGER_set(X509_get_serialNumber(x509), 0);
991X509_gmtime_adj(X509_get_notBefore(x509), 0);
992X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60); /* 1 hour */
993X509_set_pubkey(x509, pkey);
994
995name = X509_get_subject_name(x509);
996X509_NAME_add_entry_by_txt(name, "C",
4dc2379a 997 MBSTRING_ASC, CUS "UK", -1, -1, 0);
23bb6982 998X509_NAME_add_entry_by_txt(name, "O",
4dc2379a 999 MBSTRING_ASC, CUS "Exim Developers", -1, -1, 0);
23bb6982 1000X509_NAME_add_entry_by_txt(name, "CN",
4dc2379a 1001 MBSTRING_ASC, CUS smtp_active_hostname, -1, -1, 0);
23bb6982
JH
1002X509_set_issuer_name(x509, name);
1003
1004where = US"signing cert";
1005if (!X509_sign(x509, pkey, EVP_md5()))
1006 goto err;
1007
1008where = US"installing selfsign cert";
1009if (!SSL_CTX_use_certificate(sctx, x509))
1010 goto err;
1011
1012where = US"installing selfsign key";
1013if (!SSL_CTX_use_PrivateKey(sctx, pkey))
1014 goto err;
1015
1016return OK;
1017
1018err:
cf0c6164 1019 (void) tls_error(where, NULL, NULL, errstr);
23bb6982
JH
1020 if (x509) X509_free(x509);
1021 if (pkey) EVP_PKEY_free(pkey);
1022 return DEFER;
1023}
1024
1025
1026
1027
ba86e143
JH
1028static int
1029tls_add_certfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1030 uschar ** errstr)
1031{
1032DEBUG(D_tls) debug_printf("tls_certificate file %s\n", file);
1033if (!SSL_CTX_use_certificate_chain_file(sctx, CS file))
1034 return tls_error(string_sprintf(
1035 "SSL_CTX_use_certificate_chain_file file=%s", file),
1036 cbinfo->host, NULL, errstr);
1037return 0;
1038}
1039
1040static int
1041tls_add_pkeyfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1042 uschar ** errstr)
1043{
1044DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", file);
1045if (!SSL_CTX_use_PrivateKey_file(sctx, CS file, SSL_FILETYPE_PEM))
1046 return tls_error(string_sprintf(
1047 "SSL_CTX_use_PrivateKey_file file=%s", file), cbinfo->host, NULL, errstr);
1048return 0;
1049}
1050
1051
059ec3d9 1052/*************************************************
7be682ca
PP
1053* Expand key and cert file specs *
1054*************************************************/
1055
f5d78688 1056/* Called once during tls_init and possibly again during TLS setup, for a
7be682ca
PP
1057new context, if Server Name Indication was used and tls_sni was seen in
1058the certificate string.
1059
1060Arguments:
1061 sctx the SSL_CTX* to update
1062 cbinfo various parts of session state
cf0c6164 1063 errstr error string pointer
7be682ca
PP
1064
1065Returns: OK/DEFER/FAIL
1066*/
1067
1068static int
cf0c6164
JH
1069tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo,
1070 uschar ** errstr)
7be682ca
PP
1071{
1072uschar *expanded;
1073
23bb6982 1074if (!cbinfo->certificate)
7be682ca 1075 {
ba86e143 1076 if (!cbinfo->is_server) /* client */
23bb6982
JH
1077 return OK;
1078 /* server */
cf0c6164 1079 if (tls_install_selfsign(sctx, errstr) != OK)
23bb6982 1080 return DEFER;
7be682ca 1081 }
23bb6982
JH
1082else
1083 {
ba86e143
JH
1084 int err;
1085
23bb6982
JH
1086 if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
1087 Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
1088 Ustrstr(cbinfo->certificate, US"tls_out_sni")
1089 )
1090 reexpand_tls_files_for_sni = TRUE;
7be682ca 1091
cf0c6164 1092 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded, errstr))
23bb6982
JH
1093 return DEFER;
1094
ba86e143
JH
1095 if (expanded)
1096 if (cbinfo->is_server)
1097 {
1098 const uschar * file_list = expanded;
1099 int sep = 0;
1100 uschar * file;
1101
1102 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1103 if ((err = tls_add_certfile(sctx, cbinfo, file, errstr)))
1104 return err;
1105 }
1106 else /* would there ever be a need for multiple client certs? */
1107 if ((err = tls_add_certfile(sctx, cbinfo, expanded, errstr)))
1108 return err;
7be682ca 1109
23bb6982 1110 if (cbinfo->privatekey != NULL &&
cf0c6164 1111 !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded, errstr))
23bb6982 1112 return DEFER;
7be682ca 1113
23bb6982
JH
1114 /* If expansion was forced to fail, key_expanded will be NULL. If the result
1115 of the expansion is an empty string, ignore it also, and assume the private
1116 key is in the same file as the certificate. */
1117
1118 if (expanded && *expanded)
ba86e143
JH
1119 if (cbinfo->is_server)
1120 {
1121 const uschar * file_list = expanded;
1122 int sep = 0;
1123 uschar * file;
1124
1125 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1126 if ((err = tls_add_pkeyfile(sctx, cbinfo, file, errstr)))
1127 return err;
1128 }
1129 else /* would there ever be a need for multiple client certs? */
1130 if ((err = tls_add_pkeyfile(sctx, cbinfo, expanded, errstr)))
1131 return err;
7be682ca
PP
1132 }
1133
f2de3a33 1134#ifndef DISABLE_OCSP
f40d5be3 1135if (cbinfo->is_server && cbinfo->u_ocsp.server.file)
3f7eeb86 1136 {
47195144 1137 /*XXX stack*/
cf0c6164 1138 if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded, errstr))
3f7eeb86
PP
1139 return DEFER;
1140
f40d5be3 1141 if (expanded && *expanded)
3f7eeb86
PP
1142 {
1143 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
f40d5be3
JH
1144 if ( cbinfo->u_ocsp.server.file_expanded
1145 && (Ustrcmp(expanded, cbinfo->u_ocsp.server.file_expanded) == 0))
3f7eeb86 1146 {
f40d5be3
JH
1147 DEBUG(D_tls) debug_printf(" - value unchanged, using existing values\n");
1148 }
1149 else
f40d5be3 1150 ocsp_load_response(sctx, cbinfo, expanded);
3f7eeb86
PP
1151 }
1152 }
1153#endif
1154
7be682ca
PP
1155return OK;
1156}
1157
1158
1159
1160
1161/*************************************************
1162* Callback to handle SNI *
1163*************************************************/
1164
1165/* Called when acting as server during the TLS session setup if a Server Name
1166Indication extension was sent by the client.
1167
1168API documentation is OpenSSL s_server.c implementation.
1169
1170Arguments:
1171 s SSL* of the current session
1172 ad unknown (part of OpenSSL API) (unused)
1173 arg Callback of "our" registered data
1174
1175Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
1176*/
1177
3bcbbbe2 1178#ifdef EXIM_HAVE_OPENSSL_TLSEXT
7be682ca 1179static int
7be682ca
PP
1180tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
1181{
1182const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
3f7eeb86 1183tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
7be682ca 1184int rc;
3f0945ff 1185int old_pool = store_pool;
cf0c6164 1186uschar * dummy_errstr;
7be682ca
PP
1187
1188if (!servername)
1189 return SSL_TLSEXT_ERR_OK;
1190
3f0945ff 1191DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
7be682ca
PP
1192 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
1193
1194/* Make the extension value available for expansion */
3f0945ff 1195store_pool = POOL_PERM;
817d9f57 1196tls_in.sni = string_copy(US servername);
3f0945ff 1197store_pool = old_pool;
7be682ca
PP
1198
1199if (!reexpand_tls_files_for_sni)
1200 return SSL_TLSEXT_ERR_OK;
1201
1202/* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
1203not confident that memcpy wouldn't break some internal reference counting.
1204Especially since there's a references struct member, which would be off. */
1205
0df4ab80 1206if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
7be682ca
PP
1207 {
1208 ERR_error_string(ERR_get_error(), ssl_errstring);
1209 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
1210 return SSL_TLSEXT_ERR_NOACK;
1211 }
1212
1213/* Not sure how many of these are actually needed, since SSL object
1214already exists. Might even need this selfsame callback, for reneg? */
1215
817d9f57
JH
1216SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
1217SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
1218SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
1219SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
1220SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
1221SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
038597d2 1222
cf0c6164
JH
1223if ( !init_dh(server_sni, cbinfo->dhparam, NULL, &dummy_errstr)
1224 || !init_ecdh(server_sni, NULL, &dummy_errstr)
038597d2
PP
1225 )
1226 return SSL_TLSEXT_ERR_NOACK;
1227
7be682ca 1228if (cbinfo->server_cipher_list)
817d9f57 1229 SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list);
f2de3a33 1230#ifndef DISABLE_OCSP
f5d78688 1231if (cbinfo->u_ocsp.server.file)
3f7eeb86 1232 {
f5d78688 1233 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
14c7b357 1234 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
3f7eeb86
PP
1235 }
1236#endif
7be682ca 1237
c3033f13 1238if ((rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE,
cf0c6164 1239 verify_callback_server, &dummy_errstr)) != OK)
c3033f13 1240 return SSL_TLSEXT_ERR_NOACK;
7be682ca 1241
3f7eeb86
PP
1242/* do this after setup_certs, because this can require the certs for verifying
1243OCSP information. */
cf0c6164 1244if ((rc = tls_expand_session_files(server_sni, cbinfo, &dummy_errstr)) != OK)
0df4ab80 1245 return SSL_TLSEXT_ERR_NOACK;
a799883d 1246
7be682ca 1247DEBUG(D_tls) debug_printf("Switching SSL context.\n");
817d9f57 1248SSL_set_SSL_CTX(s, server_sni);
7be682ca
PP
1249
1250return SSL_TLSEXT_ERR_OK;
1251}
3bcbbbe2 1252#endif /* EXIM_HAVE_OPENSSL_TLSEXT */
7be682ca
PP
1253
1254
1255
1256
f2de3a33 1257#ifndef DISABLE_OCSP
f5d78688 1258
3f7eeb86
PP
1259/*************************************************
1260* Callback to handle OCSP Stapling *
1261*************************************************/
1262
1263/* Called when acting as server during the TLS session setup if the client
1264requests OCSP information with a Certificate Status Request.
1265
1266Documentation via openssl s_server.c and the Apache patch from the OpenSSL
1267project.
1268
1269*/
1270
1271static int
f5d78688 1272tls_server_stapling_cb(SSL *s, void *arg)
3f7eeb86
PP
1273{
1274const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
47195144 1275uschar *response_der; /*XXX blob */
3f7eeb86
PP
1276int response_der_len;
1277
47195144
JH
1278/*XXX stack: use SSL_get_certificate() to see which cert; from that work
1279out which ocsp blob to send. Unfortunately, SSL_get_certificate is known
1280buggy in current OpenSSL; it returns the last cert loaded always rather than
1281the one actually presented. So we can't support a stack of OCSP proofs at
1282this time. */
1283
af4a1bca 1284DEBUG(D_tls)
b3ef41c9 1285 debug_printf("Received TLS status request (OCSP stapling); %s response\n",
f5d78688
JH
1286 cbinfo->u_ocsp.server.response ? "have" : "lack");
1287
44662487 1288tls_in.ocsp = OCSP_NOT_RESP;
f5d78688 1289if (!cbinfo->u_ocsp.server.response)
3f7eeb86
PP
1290 return SSL_TLSEXT_ERR_NOACK;
1291
1292response_der = NULL;
47195144 1293response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response, /*XXX stack*/
44662487 1294 &response_der);
3f7eeb86
PP
1295if (response_der_len <= 0)
1296 return SSL_TLSEXT_ERR_NOACK;
1297
5e55c7a9 1298SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
44662487 1299tls_in.ocsp = OCSP_VFIED;
3f7eeb86
PP
1300return SSL_TLSEXT_ERR_OK;
1301}
1302
3f7eeb86 1303
f5d78688
JH
1304static void
1305time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
1306{
1307BIO_printf(bp, "\t%s: ", str);
1308ASN1_GENERALIZEDTIME_print(bp, time);
1309BIO_puts(bp, "\n");
1310}
1311
1312static int
1313tls_client_stapling_cb(SSL *s, void *arg)
1314{
1315tls_ext_ctx_cb * cbinfo = arg;
1316const unsigned char * p;
1317int len;
1318OCSP_RESPONSE * rsp;
1319OCSP_BASICRESP * bs;
1320int i;
1321
1322DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
1323len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1324if(!p)
1325 {
44662487 1326 /* Expect this when we requested ocsp but got none */
6c6d6e48 1327 if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
44662487 1328 log_write(0, LOG_MAIN, "Received TLS status callback, null content");
f5d78688
JH
1329 else
1330 DEBUG(D_tls) debug_printf(" null\n");
44662487 1331 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
f5d78688 1332 }
018058b2 1333
f5d78688
JH
1334if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
1335 {
018058b2 1336 tls_out.ocsp = OCSP_FAILED;
6c6d6e48 1337 if (LOGGING(tls_cipher))
1eca31ca 1338 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
f5d78688
JH
1339 else
1340 DEBUG(D_tls) debug_printf(" parse error\n");
1341 return 0;
1342 }
1343
1344if(!(bs = OCSP_response_get1_basic(rsp)))
1345 {
018058b2 1346 tls_out.ocsp = OCSP_FAILED;
6c6d6e48 1347 if (LOGGING(tls_cipher))
1eca31ca 1348 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
f5d78688
JH
1349 else
1350 DEBUG(D_tls) debug_printf(" error parsing response\n");
1351 OCSP_RESPONSE_free(rsp);
1352 return 0;
1353 }
1354
1355/* We'd check the nonce here if we'd put one in the request. */
1356/* However that would defeat cacheability on the server so we don't. */
1357
f5d78688
JH
1358/* This section of code reworked from OpenSSL apps source;
1359 The OpenSSL Project retains copyright:
1360 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
1361*/
1362 {
1363 BIO * bp = NULL;
f5d78688
JH
1364 int status, reason;
1365 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1366
57887ecc 1367 DEBUG(D_tls) bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
f5d78688
JH
1368
1369 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
1370
1371 /* Use the chain that verified the server cert to verify the stapled info */
1372 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
1373
c3033f13 1374 if ((i = OCSP_basic_verify(bs, cbinfo->verify_stack,
44662487 1375 cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
f5d78688 1376 {
018058b2 1377 tls_out.ocsp = OCSP_FAILED;
57887ecc
JH
1378 if (LOGGING(tls_cipher)) log_write(0, LOG_MAIN,
1379 "Received TLS cert status response, itself unverifiable: %s",
1380 ERR_reason_error_string(ERR_peek_error()));
f5d78688
JH
1381 BIO_printf(bp, "OCSP response verify failure\n");
1382 ERR_print_errors(bp);
57887ecc 1383 OCSP_RESPONSE_print(bp, rsp, 0);
c8dfb21d 1384 goto failed;
f5d78688
JH
1385 }
1386
1387 BIO_printf(bp, "OCSP response well-formed and signed OK\n");
1388
c8dfb21d
JH
1389 /*XXX So we have a good stapled OCSP status. How do we know
1390 it is for the cert of interest? OpenSSL 1.1.0 has a routine
1391 OCSP_resp_find_status() which matches on a cert id, which presumably
1392 we should use. Making an id needs OCSP_cert_id_new(), which takes
1393 issuerName, issuerKey, serialNumber. Are they all in the cert?
1394
1395 For now, carry on blindly accepting the resp. */
1396
f5d78688 1397 {
f5d78688
JH
1398 OCSP_SINGLERESP * single;
1399
c8dfb21d
JH
1400#ifdef EXIM_HAVE_OCSP_RESP_COUNT
1401 if (OCSP_resp_count(bs) != 1)
1402#else
1403 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
f5d78688 1404 if (sk_OCSP_SINGLERESP_num(sresp) != 1)
c8dfb21d 1405#endif
f5d78688 1406 {
018058b2 1407 tls_out.ocsp = OCSP_FAILED;
44662487
JH
1408 log_write(0, LOG_MAIN, "OCSP stapling "
1409 "with multiple responses not handled");
c8dfb21d 1410 goto failed;
f5d78688
JH
1411 }
1412 single = OCSP_resp_get0(bs, 0);
44662487
JH
1413 status = OCSP_single_get0_status(single, &reason, &rev,
1414 &thisupd, &nextupd);
f5d78688
JH
1415 }
1416
f5d78688
JH
1417 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
1418 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
44662487
JH
1419 if (!OCSP_check_validity(thisupd, nextupd,
1420 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
f5d78688 1421 {
018058b2 1422 tls_out.ocsp = OCSP_FAILED;
f5d78688
JH
1423 DEBUG(D_tls) ERR_print_errors(bp);
1424 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
f5d78688 1425 }
44662487 1426 else
f5d78688 1427 {
44662487
JH
1428 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
1429 OCSP_cert_status_str(status));
1430 switch(status)
1431 {
1432 case V_OCSP_CERTSTATUS_GOOD:
44662487 1433 tls_out.ocsp = OCSP_VFIED;
018058b2 1434 i = 1;
c8dfb21d 1435 goto good;
44662487 1436 case V_OCSP_CERTSTATUS_REVOKED:
018058b2 1437 tls_out.ocsp = OCSP_FAILED;
44662487
JH
1438 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
1439 reason != -1 ? "; reason: " : "",
1440 reason != -1 ? OCSP_crl_reason_str(reason) : "");
1441 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
44662487
JH
1442 break;
1443 default:
018058b2 1444 tls_out.ocsp = OCSP_FAILED;
44662487
JH
1445 log_write(0, LOG_MAIN,
1446 "Server certificate status unknown, in OCSP stapling");
44662487
JH
1447 break;
1448 }
f5d78688 1449 }
c8dfb21d
JH
1450 failed:
1451 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1452 good:
f5d78688
JH
1453 BIO_free(bp);
1454 }
1455
1456OCSP_RESPONSE_free(rsp);
1457return i;
1458}
f2de3a33 1459#endif /*!DISABLE_OCSP*/
3f7eeb86
PP
1460
1461
7be682ca 1462/*************************************************
059ec3d9
PH
1463* Initialize for TLS *
1464*************************************************/
1465
e51c7be2
JH
1466/* Called from both server and client code, to do preliminary initialization
1467of the library. We allocate and return a context structure.
059ec3d9
PH
1468
1469Arguments:
946ecbe0 1470 ctxp returned SSL context
059ec3d9
PH
1471 host connected host, if client; NULL if server
1472 dhparam DH parameter file
1473 certificate certificate file
1474 privatekey private key
f5d78688 1475 ocsp_file file of stapling info (server); flag for require ocsp (client)
059ec3d9 1476 addr address if client; NULL if server (for some randomness)
946ecbe0 1477 cbp place to put allocated callback context
cf0c6164 1478 errstr error string pointer
059ec3d9
PH
1479
1480Returns: OK/DEFER/FAIL
1481*/
1482
1483static int
817d9f57 1484tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
3f7eeb86 1485 uschar *privatekey,
f2de3a33 1486#ifndef DISABLE_OCSP
47195144 1487 uschar *ocsp_file, /*XXX stack, in server*/
3f7eeb86 1488#endif
cf0c6164 1489 address_item *addr, tls_ext_ctx_cb ** cbp, uschar ** errstr)
059ec3d9 1490{
7006ee24 1491SSL_CTX * ctx;
77bb000f 1492long init_options;
7be682ca 1493int rc;
a7538db1 1494tls_ext_ctx_cb * cbinfo;
7be682ca
PP
1495
1496cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
1497cbinfo->certificate = certificate;
1498cbinfo->privatekey = privatekey;
a6510420 1499cbinfo->is_server = host==NULL;
f2de3a33 1500#ifndef DISABLE_OCSP
c3033f13 1501cbinfo->verify_stack = NULL;
a6510420 1502if (!host)
f5d78688
JH
1503 {
1504 cbinfo->u_ocsp.server.file = ocsp_file;
1505 cbinfo->u_ocsp.server.file_expanded = NULL;
1506 cbinfo->u_ocsp.server.response = NULL;
1507 }
1508else
1509 cbinfo->u_ocsp.client.verify_store = NULL;
3f7eeb86 1510#endif
7be682ca 1511cbinfo->dhparam = dhparam;
0df4ab80 1512cbinfo->server_cipher_list = NULL;
7be682ca 1513cbinfo->host = host;
0cbf2b82 1514#ifndef DISABLE_EVENT
a7538db1
JH
1515cbinfo->event_action = NULL;
1516#endif
77bb000f 1517
059ec3d9
PH
1518SSL_load_error_strings(); /* basic set up */
1519OpenSSL_add_ssl_algorithms();
1520
c8dfb21d 1521#ifdef EXIM_HAVE_SHA256
77bb000f 1522/* SHA256 is becoming ever more popular. This makes sure it gets added to the
a0475b69
TK
1523list of available digests. */
1524EVP_add_digest(EVP_sha256());
cf1ef1a9 1525#endif
a0475b69 1526
f0f5a555
PP
1527/* Create a context.
1528The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
1529negotiation in the different methods; as far as I can tell, the only
1530*_{server,client}_method which allows negotiation is SSLv23, which exists even
1531when OpenSSL is built without SSLv2 support.
1532By disabling with openssl_options, we can let admins re-enable with the
1533existing knob. */
059ec3d9 1534
7006ee24
JH
1535if (!(ctx = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method())))
1536 return tls_error(US"SSL_CTX_new", host, NULL, errstr);
059ec3d9
PH
1537
1538/* It turns out that we need to seed the random number generator this early in
1539order to get the full complement of ciphers to work. It took me roughly a day
1540of work to discover this by experiment.
1541
1542On systems that have /dev/urandom, SSL may automatically seed itself from
1543there. Otherwise, we have to make something up as best we can. Double check
1544afterwards. */
1545
1546if (!RAND_status())
1547 {
1548 randstuff r;
9e3331ea 1549 gettimeofday(&r.tv, NULL);
059ec3d9
PH
1550 r.p = getpid();
1551
5903c6ff
JH
1552 RAND_seed(US (&r), sizeof(r));
1553 RAND_seed(US big_buffer, big_buffer_size);
1554 if (addr != NULL) RAND_seed(US addr, sizeof(addr));
059ec3d9
PH
1555
1556 if (!RAND_status())
7199e1ee 1557 return tls_error(US"RAND_status", host,
cf0c6164 1558 US"unable to seed random number generator", errstr);
059ec3d9
PH
1559 }
1560
1561/* Set up the information callback, which outputs if debugging is at a suitable
1562level. */
1563
7006ee24 1564DEBUG(D_tls) SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
059ec3d9 1565
c80c5570 1566/* Automatically re-try reads/writes after renegotiation. */
7006ee24 1567(void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
c80c5570 1568
77bb000f
PP
1569/* Apply administrator-supplied work-arounds.
1570Historically we applied just one requested option,
1571SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
1572moved to an administrator-controlled list of options to specify and
1573grandfathered in the first one as the default value for "openssl_options".
059ec3d9 1574
77bb000f
PP
1575No OpenSSL version number checks: the options we accept depend upon the
1576availability of the option value macros from OpenSSL. */
059ec3d9 1577
7006ee24 1578if (!tls_openssl_options_parse(openssl_options, &init_options))
cf0c6164 1579 return tls_error(US"openssl_options parsing failed", host, NULL, errstr);
77bb000f
PP
1580
1581if (init_options)
1582 {
1583 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
7006ee24 1584 if (!(SSL_CTX_set_options(ctx, init_options)))
77bb000f 1585 return tls_error(string_sprintf(
cf0c6164 1586 "SSL_CTX_set_option(%#lx)", init_options), host, NULL, errstr);
77bb000f
PP
1587 }
1588else
1589 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
059ec3d9 1590
7006ee24
JH
1591/* Disable session cache unconditionally */
1592
1593(void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
1594
059ec3d9 1595/* Initialize with DH parameters if supplied */
10ca4f1c 1596/* Initialize ECDH temp key parameter selection */
059ec3d9 1597
7006ee24
JH
1598if ( !init_dh(ctx, dhparam, host, errstr)
1599 || !init_ecdh(ctx, host, errstr)
038597d2
PP
1600 )
1601 return DEFER;
059ec3d9 1602
3f7eeb86 1603/* Set up certificate and key (and perhaps OCSP info) */
059ec3d9 1604
7006ee24 1605if ((rc = tls_expand_session_files(ctx, cbinfo, errstr)) != OK)
23bb6982 1606 return rc;
c91535f3 1607
c3033f13
JH
1608/* If we need to handle SNI or OCSP, do so */
1609
3bcbbbe2 1610#ifdef EXIM_HAVE_OPENSSL_TLSEXT
c3033f13
JH
1611# ifndef DISABLE_OCSP
1612 if (!(cbinfo->verify_stack = sk_X509_new_null()))
1613 {
1614 DEBUG(D_tls) debug_printf("failed to create stack for stapling verify\n");
1615 return FAIL;
1616 }
1617# endif
1618
f5d78688 1619if (host == NULL) /* server */
3f0945ff 1620 {
f2de3a33 1621# ifndef DISABLE_OCSP
f5d78688 1622 /* We check u_ocsp.server.file, not server.response, because we care about if
3f7eeb86
PP
1623 the option exists, not what the current expansion might be, as SNI might
1624 change the certificate and OCSP file in use between now and the time the
1625 callback is invoked. */
f5d78688 1626 if (cbinfo->u_ocsp.server.file)
3f7eeb86 1627 {
7006ee24
JH
1628 SSL_CTX_set_tlsext_status_cb(ctx, tls_server_stapling_cb);
1629 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
3f7eeb86 1630 }
f5d78688 1631# endif
3f0945ff
PP
1632 /* We always do this, so that $tls_sni is available even if not used in
1633 tls_certificate */
7006ee24
JH
1634 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
1635 SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
3f0945ff 1636 }
f2de3a33 1637# ifndef DISABLE_OCSP
f5d78688
JH
1638else /* client */
1639 if(ocsp_file) /* wanting stapling */
1640 {
1641 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
1642 {
1643 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
1644 return FAIL;
1645 }
7006ee24
JH
1646 SSL_CTX_set_tlsext_status_cb(ctx, tls_client_stapling_cb);
1647 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
f5d78688
JH
1648 }
1649# endif
7be682ca 1650#endif
059ec3d9 1651
e51c7be2 1652cbinfo->verify_cert_hostnames = NULL;
e51c7be2 1653
c8dfb21d 1654#ifdef EXIM_HAVE_EPHEM_RSA_KEX
059ec3d9 1655/* Set up the RSA callback */
7006ee24 1656SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
c8dfb21d 1657#endif
059ec3d9
PH
1658
1659/* Finally, set the timeout, and we are done */
1660
7006ee24 1661SSL_CTX_set_timeout(ctx, ssl_session_timeout);
059ec3d9 1662DEBUG(D_tls) debug_printf("Initialized TLS\n");
7be682ca 1663
817d9f57 1664*cbp = cbinfo;
7006ee24 1665*ctxp = ctx;
7be682ca 1666
059ec3d9
PH
1667return OK;
1668}
1669
1670
1671
1672
1673/*************************************************
1674* Get name of cipher in use *
1675*************************************************/
1676
817d9f57 1677/*
059ec3d9 1678Argument: pointer to an SSL structure for the connection
817d9f57
JH
1679 buffer to use for answer
1680 size of buffer
1681 pointer to number of bits for cipher
059ec3d9
PH
1682Returns: nothing
1683*/
1684
1685static void
817d9f57 1686construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits)
059ec3d9 1687{
57b3a7f5
PP
1688/* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't
1689yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
1690the accessor functions use const in the prototype. */
1691const SSL_CIPHER *c;
d9784128 1692const uschar *ver;
059ec3d9 1693
d9784128 1694ver = (const uschar *)SSL_get_version(ssl);
059ec3d9 1695
57b3a7f5 1696c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
817d9f57 1697SSL_CIPHER_get_bits(c, bits);
059ec3d9 1698
817d9f57
JH
1699string_format(cipherbuf, bsize, "%s:%s:%u", ver,
1700 SSL_CIPHER_get_name(c), *bits);
059ec3d9
PH
1701
1702DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
1703}
1704
1705
f69979cf
JH
1706static void
1707peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned bsize)
1708{
1709/*XXX we might consider a list-of-certs variable for the cert chain.
1710SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
1711in list-handling functions, also consider the difference between the entire
1712chain and the elements sent by the peer. */
1713
1714/* Will have already noted peercert on a verify fail; possibly not the leaf */
1715if (!tlsp->peercert)
1716 tlsp->peercert = SSL_get_peer_certificate(ssl);
1717/* Beware anonymous ciphers which lead to server_cert being NULL */
1718if (tlsp->peercert)
1719 {
1720 X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, bsize);
1721 peerdn[bsize-1] = '\0';
1722 tlsp->peerdn = peerdn; /*XXX a static buffer... */
1723 }
1724else
1725 tlsp->peerdn = NULL;
1726}
1727
1728
059ec3d9
PH
1729
1730
1731
1732/*************************************************
1733* Set up for verifying certificates *
1734*************************************************/
1735
c3033f13
JH
1736/* Load certs from file, return TRUE on success */
1737
1738static BOOL
1739chain_from_pem_file(const uschar * file, STACK_OF(X509) * verify_stack)
1740{
1741BIO * bp;
1742X509 * x;
1743
1744if (!(bp = BIO_new_file(CS file, "r"))) return FALSE;
1745while ((x = PEM_read_bio_X509(bp, NULL, 0, NULL)))
1746 sk_X509_push(verify_stack, x);
1747BIO_free(bp);
1748return TRUE;
1749}
1750
1751
1752
059ec3d9
PH
1753/* Called by both client and server startup
1754
1755Arguments:
7be682ca 1756 sctx SSL_CTX* to initialise
059ec3d9
PH
1757 certs certs file or NULL
1758 crl CRL file or NULL
1759 host NULL in a server; the remote host in a client
1760 optional TRUE if called from a server for a host in tls_try_verify_hosts;
1761 otherwise passed as FALSE
983207c1 1762 cert_vfy_cb Callback function for certificate verification
cf0c6164 1763 errstr error string pointer
059ec3d9
PH
1764
1765Returns: OK/DEFER/FAIL
1766*/
1767
1768static int
983207c1 1769setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
cf0c6164 1770 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr)
059ec3d9
PH
1771{
1772uschar *expcerts, *expcrl;
1773
cf0c6164 1774if (!expand_check(certs, US"tls_verify_certificates", &expcerts, errstr))
059ec3d9 1775 return DEFER;
57cc2785 1776DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
059ec3d9 1777
10a831a3 1778if (expcerts && *expcerts)
059ec3d9 1779 {
10a831a3
JH
1780 /* Tell the library to use its compiled-in location for the system default
1781 CA bundle. Then add the ones specified in the config, if any. */
cb1d7830 1782
10a831a3 1783 if (!SSL_CTX_set_default_verify_paths(sctx))
cf0c6164 1784 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL, errstr);
10a831a3
JH
1785
1786 if (Ustrcmp(expcerts, "system") != 0)
059ec3d9 1787 {
cb1d7830
JH
1788 struct stat statbuf;
1789
cb1d7830
JH
1790 if (Ustat(expcerts, &statbuf) < 0)
1791 {
1792 log_write(0, LOG_MAIN|LOG_PANIC,
1793 "failed to stat %s for certificates", expcerts);
1794 return DEFER;
1795 }
059ec3d9 1796 else
059ec3d9 1797 {
cb1d7830
JH
1798 uschar *file, *dir;
1799 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
1800 { file = NULL; dir = expcerts; }
1801 else
c3033f13
JH
1802 {
1803 file = expcerts; dir = NULL;
1804#ifndef DISABLE_OCSP
1805 /* In the server if we will be offering an OCSP proof, load chain from
1806 file for verifying the OCSP proof at load time. */
1807
1808 if ( !host
1809 && statbuf.st_size > 0
1810 && server_static_cbinfo->u_ocsp.server.file
1811 && !chain_from_pem_file(file, server_static_cbinfo->verify_stack)
1812 )
1813 {
1814 log_write(0, LOG_MAIN|LOG_PANIC,
57887ecc 1815 "failed to load cert chain from %s", file);
c3033f13
JH
1816 return DEFER;
1817 }
1818#endif
1819 }
cb1d7830
JH
1820
1821 /* If a certificate file is empty, the next function fails with an
1822 unhelpful error message. If we skip it, we get the correct behaviour (no
1823 certificates are recognized, but the error message is still misleading (it
c3033f13 1824 says no certificate was supplied). But this is better. */
cb1d7830 1825
f2f2c91b
JH
1826 if ( (!file || statbuf.st_size > 0)
1827 && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
cf0c6164 1828 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL, errstr);
cb1d7830
JH
1829
1830 /* Load the list of CAs for which we will accept certs, for sending
1831 to the client. This is only for the one-file tls_verify_certificates
1832 variant.
1833 If a list isn't loaded into the server, but
1834 some verify locations are set, the server end appears to make
4c04137d 1835 a wildcard request for client certs.
10a831a3 1836 Meanwhile, the client library as default behaviour *ignores* the list
cb1d7830
JH
1837 we send over the wire - see man SSL_CTX_set_client_cert_cb.
1838 Because of this, and that the dir variant is likely only used for
1839 the public-CA bundle (not for a private CA), not worth fixing.
1840 */
f2f2c91b 1841 if (file)
cb1d7830
JH
1842 {
1843 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
f2f2c91b
JH
1844
1845 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
cb1d7830
JH
1846 sk_X509_NAME_num(names));
1847 SSL_CTX_set_client_CA_list(sctx, names);
1848 }
059ec3d9
PH
1849 }
1850 }
1851
1852 /* Handle a certificate revocation list. */
1853
10a831a3 1854#if OPENSSL_VERSION_NUMBER > 0x00907000L
059ec3d9 1855
8b417f2c 1856 /* This bit of code is now the version supplied by Lars Mainka. (I have
10a831a3 1857 merely reformatted it into the Exim code style.)
8b417f2c 1858
10a831a3
JH
1859 "From here I changed the code to add support for multiple crl's
1860 in pem format in one file or to support hashed directory entries in
1861 pem format instead of a file. This method now uses the library function
1862 X509_STORE_load_locations to add the CRL location to the SSL context.
1863 OpenSSL will then handle the verify against CA certs and CRLs by
1864 itself in the verify callback." */
8b417f2c 1865
cf0c6164 1866 if (!expand_check(crl, US"tls_crl", &expcrl, errstr)) return DEFER;
10a831a3 1867 if (expcrl && *expcrl)
059ec3d9 1868 {
8b417f2c
PH
1869 struct stat statbufcrl;
1870 if (Ustat(expcrl, &statbufcrl) < 0)
1871 {
1872 log_write(0, LOG_MAIN|LOG_PANIC,
1873 "failed to stat %s for certificates revocation lists", expcrl);
1874 return DEFER;
1875 }
1876 else
059ec3d9 1877 {
8b417f2c
PH
1878 /* is it a file or directory? */
1879 uschar *file, *dir;
7be682ca 1880 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
8b417f2c 1881 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
059ec3d9 1882 {
8b417f2c
PH
1883 file = NULL;
1884 dir = expcrl;
1885 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
059ec3d9
PH
1886 }
1887 else
1888 {
8b417f2c
PH
1889 file = expcrl;
1890 dir = NULL;
1891 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
059ec3d9 1892 }
8b417f2c 1893 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
cf0c6164 1894 return tls_error(US"X509_STORE_load_locations", host, NULL, errstr);
8b417f2c
PH
1895
1896 /* setting the flags to check against the complete crl chain */
1897
1898 X509_STORE_set_flags(cvstore,
1899 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
059ec3d9 1900 }
059ec3d9
PH
1901 }
1902
10a831a3 1903#endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
059ec3d9
PH
1904
1905 /* If verification is optional, don't fail if no certificate */
1906
7be682ca 1907 SSL_CTX_set_verify(sctx,
059ec3d9 1908 SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
983207c1 1909 cert_vfy_cb);
059ec3d9
PH
1910 }
1911
1912return OK;
1913}
1914
1915
1916
1917/*************************************************
1918* Start a TLS session in a server *
1919*************************************************/
1920
1921/* This is called when Exim is running as a server, after having received
1922the STARTTLS command. It must respond to that command, and then negotiate
1923a TLS session.
1924
1925Arguments:
1926 require_ciphers allowed ciphers
cf0c6164 1927 errstr pointer to error message
059ec3d9
PH
1928
1929Returns: OK on success
1930 DEFER for errors before the start of the negotiation
4c04137d 1931 FAIL for errors during the negotiation; the server can't
059ec3d9
PH
1932 continue running.
1933*/
1934
1935int
cf0c6164 1936tls_server_start(const uschar * require_ciphers, uschar ** errstr)
059ec3d9
PH
1937{
1938int rc;
cf0c6164
JH
1939uschar * expciphers;
1940tls_ext_ctx_cb * cbinfo;
f69979cf 1941static uschar peerdn[256];
817d9f57 1942static uschar cipherbuf[256];
059ec3d9
PH
1943
1944/* Check for previous activation */
1945
817d9f57 1946if (tls_in.active >= 0)
059ec3d9 1947 {
cf0c6164 1948 tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
925ac8e4 1949 smtp_printf("554 Already in TLS\r\n", FALSE);
059ec3d9
PH
1950 return FAIL;
1951 }
1952
1953/* Initialize the SSL library. If it fails, it will already have logged
1954the error. */
1955
817d9f57 1956rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
f2de3a33 1957#ifndef DISABLE_OCSP
47195144 1958 tls_ocsp_file, /*XXX stack*/
3f7eeb86 1959#endif
cf0c6164 1960 NULL, &server_static_cbinfo, errstr);
059ec3d9 1961if (rc != OK) return rc;
817d9f57 1962cbinfo = server_static_cbinfo;
059ec3d9 1963
cf0c6164 1964if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers, errstr))
059ec3d9
PH
1965 return FAIL;
1966
1967/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
17c76198
PP
1968were historically separated by underscores. So that I can use either form in my
1969tests, and also for general convenience, we turn underscores into hyphens here.
1970*/
059ec3d9 1971
c3033f13 1972if (expciphers)
059ec3d9 1973 {
c3033f13 1974 uschar * s = expciphers;
059ec3d9
PH
1975 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1976 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
817d9f57 1977 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
cf0c6164 1978 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL, errstr);
7be682ca 1979 cbinfo->server_cipher_list = expciphers;
059ec3d9
PH
1980 }
1981
1982/* If this is a host for which certificate verification is mandatory or
1983optional, set up appropriately. */
1984
817d9f57 1985tls_in.certificate_verified = FALSE;
53a7196b
JH
1986#ifdef EXPERIMENTAL_DANE
1987tls_in.dane_verified = FALSE;
1988#endif
a2ff477a 1989server_verify_callback_called = FALSE;
059ec3d9
PH
1990
1991if (verify_check_host(&tls_verify_hosts) == OK)
1992 {
983207c1 1993 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
cf0c6164 1994 FALSE, verify_callback_server, errstr);
059ec3d9 1995 if (rc != OK) return rc;
a2ff477a 1996 server_verify_optional = FALSE;
059ec3d9
PH
1997 }
1998else if (verify_check_host(&tls_try_verify_hosts) == OK)
1999 {
983207c1 2000 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
cf0c6164 2001 TRUE, verify_callback_server, errstr);
059ec3d9 2002 if (rc != OK) return rc;
a2ff477a 2003 server_verify_optional = TRUE;
059ec3d9
PH
2004 }
2005
2006/* Prepare for new connection */
2007
cf0c6164
JH
2008if (!(server_ssl = SSL_new(server_ctx)))
2009 return tls_error(US"SSL_new", NULL, NULL, errstr);
da3ad30d
PP
2010
2011/* Warning: we used to SSL_clear(ssl) here, it was removed.
2012 *
2013 * With the SSL_clear(), we get strange interoperability bugs with
2014 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
2015 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
2016 *
2017 * The SSL_clear() call is to let an existing SSL* be reused, typically after
2018 * session shutdown. In this case, we have a brand new object and there's no
2019 * obvious reason to immediately clear it. I'm guessing that this was
2020 * originally added because of incomplete initialisation which the clear fixed,
2021 * in some historic release.
2022 */
059ec3d9
PH
2023
2024/* Set context and tell client to go ahead, except in the case of TLS startup
2025on connection, where outputting anything now upsets the clients and tends to
2026make them disconnect. We need to have an explicit fflush() here, to force out
2027the response. Other smtp_printf() calls do not need it, because in non-TLS
2028mode, the fflush() happens when smtp_getc() is called. */
2029
817d9f57
JH
2030SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
2031if (!tls_in.on_connect)
059ec3d9 2032 {
925ac8e4 2033 smtp_printf("220 TLS go ahead\r\n", FALSE);
059ec3d9
PH
2034 fflush(smtp_out);
2035 }
2036
2037/* Now negotiate the TLS session. We put our own timer on it, since it seems
2038that the OpenSSL library doesn't. */
2039
817d9f57
JH
2040SSL_set_wfd(server_ssl, fileno(smtp_out));
2041SSL_set_rfd(server_ssl, fileno(smtp_in));
2042SSL_set_accept_state(server_ssl);
059ec3d9
PH
2043
2044DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
2045
2046sigalrm_seen = FALSE;
2047if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
817d9f57 2048rc = SSL_accept(server_ssl);
059ec3d9
PH
2049alarm(0);
2050
2051if (rc <= 0)
2052 {
cf0c6164 2053 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
059ec3d9
PH
2054 return FAIL;
2055 }
2056
2057DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
2058
2059/* TLS has been set up. Adjust the input functions to read via TLS,
2060and initialize things. */
2061
f69979cf
JH
2062peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
2063
817d9f57
JH
2064construct_cipher_name(server_ssl, cipherbuf, sizeof(cipherbuf), &tls_in.bits);
2065tls_in.cipher = cipherbuf;
059ec3d9
PH
2066
2067DEBUG(D_tls)
2068 {
2069 uschar buf[2048];
817d9f57 2070 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)) != NULL)
059ec3d9
PH
2071 debug_printf("Shared ciphers: %s\n", buf);
2072 }
2073
9d1c15ef
JH
2074/* Record the certificate we presented */
2075 {
2076 X509 * crt = SSL_get_certificate(server_ssl);
2077 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
2078 }
059ec3d9 2079
817d9f57
JH
2080/* Only used by the server-side tls (tls_in), including tls_getc.
2081 Client-side (tls_out) reads (seem to?) go via
2082 smtp_read_response()/ip_recv().
2083 Hence no need to duplicate for _in and _out.
2084 */
059ec3d9
PH
2085ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
2086ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
2087ssl_xfer_eof = ssl_xfer_error = 0;
2088
2089receive_getc = tls_getc;
0d81dabc 2090receive_getbuf = tls_getbuf;
584e96c6 2091receive_get_cache = tls_get_cache;
059ec3d9
PH
2092receive_ungetc = tls_ungetc;
2093receive_feof = tls_feof;
2094receive_ferror = tls_ferror;
58eb016e 2095receive_smtp_buffered = tls_smtp_buffered;
059ec3d9 2096
817d9f57 2097tls_in.active = fileno(smtp_out);
059ec3d9
PH
2098return OK;
2099}
2100
2101
2102
2103
043b1248
JH
2104static int
2105tls_client_basic_ctx_init(SSL_CTX * ctx,
cf0c6164
JH
2106 host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo,
2107 uschar ** errstr)
043b1248
JH
2108{
2109int rc;
94431adb 2110/* stick to the old behaviour for compatibility if tls_verify_certificates is
043b1248
JH
2111 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
2112 the specified host patterns if one of them is defined */
2113
610ff438
JH
2114if ( ( !ob->tls_verify_hosts
2115 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2116 )
5130845b 2117 || (verify_check_given_host(&ob->tls_verify_hosts, host) == OK)
aa2a70ba 2118 )
043b1248 2119 client_verify_optional = FALSE;
5130845b 2120else if (verify_check_given_host(&ob->tls_try_verify_hosts, host) == OK)
aa2a70ba
JH
2121 client_verify_optional = TRUE;
2122else
2123 return OK;
2124
2125if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
cf0c6164
JH
2126 ob->tls_crl, host, client_verify_optional, verify_callback_client,
2127 errstr)) != OK)
aa2a70ba 2128 return rc;
043b1248 2129
5130845b 2130if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK)
043b1248 2131 {
4af0d74a 2132 cbinfo->verify_cert_hostnames =
8c5d388a 2133#ifdef SUPPORT_I18N
4af0d74a
JH
2134 string_domain_utf8_to_alabel(host->name, NULL);
2135#else
2136 host->name;
2137#endif
aa2a70ba
JH
2138 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
2139 cbinfo->verify_cert_hostnames);
043b1248 2140 }
043b1248
JH
2141return OK;
2142}
059ec3d9 2143
fde080a4
JH
2144
2145#ifdef EXPERIMENTAL_DANE
2146static int
cf0c6164 2147dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa, uschar ** errstr)
fde080a4
JH
2148{
2149dns_record * rr;
2150dns_scan dnss;
2151const char * hostnames[2] = { CS host->name, NULL };
2152int found = 0;
2153
2154if (DANESSL_init(ssl, NULL, hostnames) != 1)
cf0c6164 2155 return tls_error(US"hostnames load", host, NULL, errstr);
fde080a4
JH
2156
2157for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
2158 rr;
2159 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
2160 ) if (rr->type == T_TLSA)
2161 {
c3033f13 2162 const uschar * p = rr->data;
fde080a4
JH
2163 uint8_t usage, selector, mtype;
2164 const char * mdname;
2165
fde080a4 2166 usage = *p++;
133d2546
JH
2167
2168 /* Only DANE-TA(2) and DANE-EE(3) are supported */
2169 if (usage != 2 && usage != 3) continue;
2170
fde080a4
JH
2171 selector = *p++;
2172 mtype = *p++;
2173
2174 switch (mtype)
2175 {
133d2546
JH
2176 default: continue; /* Only match-types 0, 1, 2 are supported */
2177 case 0: mdname = NULL; break;
2178 case 1: mdname = "sha256"; break;
2179 case 2: mdname = "sha512"; break;
fde080a4
JH
2180 }
2181
133d2546 2182 found++;
fde080a4
JH
2183 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
2184 {
2185 default:
cf0c6164 2186 return tls_error(US"tlsa load", host, NULL, errstr);
c035b645 2187 case 0: /* action not taken */
fde080a4
JH
2188 case 1: break;
2189 }
594706ea
JH
2190
2191 tls_out.tlsa_usage |= 1<<usage;
fde080a4
JH
2192 }
2193
2194if (found)
2195 return OK;
2196
133d2546 2197log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
6ebd79ec 2198return DEFER;
fde080a4
JH
2199}
2200#endif /*EXPERIMENTAL_DANE*/
2201
2202
2203
059ec3d9
PH
2204/*************************************************
2205* Start a TLS session in a client *
2206*************************************************/
2207
2208/* Called from the smtp transport after STARTTLS has been accepted.
2209
2210Argument:
2211 fd the fd of the connection
2212 host connected host (for messages)
83da1223 2213 addr the first address
a7538db1 2214 tb transport (always smtp)
0e66b3b6 2215 tlsa_dnsa tlsa lookup, if DANE, else null
cf0c6164 2216 errstr error string pointer
059ec3d9
PH
2217
2218Returns: OK on success
2219 FAIL otherwise - note that tls_error() will not give DEFER
2220 because this is not a server
2221*/
2222
2223int
f5d78688 2224tls_client_start(int fd, host_item *host, address_item *addr,
cf0c6164 2225 transport_instance * tb,
0e66b3b6 2226#ifdef EXPERIMENTAL_DANE
cf0c6164 2227 dns_answer * tlsa_dnsa,
0e66b3b6 2228#endif
cf0c6164 2229 uschar ** errstr)
059ec3d9 2230{
a7538db1
JH
2231smtp_transport_options_block * ob =
2232 (smtp_transport_options_block *)tb->options_block;
f69979cf 2233static uschar peerdn[256];
868f5672 2234uschar * expciphers;
059ec3d9 2235int rc;
817d9f57 2236static uschar cipherbuf[256];
043b1248
JH
2237
2238#ifndef DISABLE_OCSP
043b1248 2239BOOL request_ocsp = FALSE;
6634ac8d 2240BOOL require_ocsp = FALSE;
043b1248 2241#endif
043b1248
JH
2242
2243#ifdef EXPERIMENTAL_DANE
594706ea 2244tls_out.tlsa_usage = 0;
043b1248
JH
2245#endif
2246
f2de3a33 2247#ifndef DISABLE_OCSP
043b1248 2248 {
4f59c424
JH
2249# ifdef EXPERIMENTAL_DANE
2250 if ( tlsa_dnsa
2251 && ob->hosts_request_ocsp[0] == '*'
2252 && ob->hosts_request_ocsp[1] == '\0'
2253 )
2254 {
2255 /* Unchanged from default. Use a safer one under DANE */
2256 request_ocsp = TRUE;
2257 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
2258 " {= {4}{$tls_out_tlsa_usage}} } "
2259 " {*}{}}";
2260 }
2261# endif
2262
5130845b
JH
2263 if ((require_ocsp =
2264 verify_check_given_host(&ob->hosts_require_ocsp, host) == OK))
fca41d5a
JH
2265 request_ocsp = TRUE;
2266 else
fca41d5a 2267# ifdef EXPERIMENTAL_DANE
4f59c424 2268 if (!request_ocsp)
fca41d5a 2269# endif
5130845b
JH
2270 request_ocsp =
2271 verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
043b1248 2272 }
f5d78688 2273#endif
059ec3d9 2274
65867078
JH
2275rc = tls_init(&client_ctx, host, NULL,
2276 ob->tls_certificate, ob->tls_privatekey,
f2de3a33 2277#ifndef DISABLE_OCSP
44662487 2278 (void *)(long)request_ocsp,
3f7eeb86 2279#endif
cf0c6164 2280 addr, &client_static_cbinfo, errstr);
059ec3d9
PH
2281if (rc != OK) return rc;
2282
817d9f57 2283tls_out.certificate_verified = FALSE;
a2ff477a 2284client_verify_callback_called = FALSE;
059ec3d9 2285
65867078 2286if (!expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
cf0c6164 2287 &expciphers, errstr))
059ec3d9
PH
2288 return FAIL;
2289
2290/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
2291are separated by underscores. So that I can use either form in my tests, and
2292also for general convenience, we turn underscores into hyphens here. */
2293
cf0c6164 2294if (expciphers)
059ec3d9
PH
2295 {
2296 uschar *s = expciphers;
cf0c6164 2297 while (*s) { if (*s == '_') *s = '-'; s++; }
059ec3d9 2298 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
817d9f57 2299 if (!SSL_CTX_set_cipher_list(client_ctx, CS expciphers))
cf0c6164 2300 return tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr);
059ec3d9
PH
2301 }
2302
043b1248 2303#ifdef EXPERIMENTAL_DANE
0e66b3b6 2304if (tlsa_dnsa)
a63be306 2305 {
02af313d
JH
2306 SSL_CTX_set_verify(client_ctx,
2307 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2308 verify_callback_client_dane);
e5cccda9 2309
043b1248 2310 if (!DANESSL_library_init())
cf0c6164 2311 return tls_error(US"library init", host, NULL, errstr);
043b1248 2312 if (DANESSL_CTX_init(client_ctx) <= 0)
cf0c6164 2313 return tls_error(US"context init", host, NULL, errstr);
043b1248
JH
2314 }
2315else
e51c7be2 2316
043b1248
JH
2317#endif
2318
cf0c6164
JH
2319 if ((rc = tls_client_basic_ctx_init(client_ctx, host, ob,
2320 client_static_cbinfo, errstr)) != OK)
65867078 2321 return rc;
059ec3d9 2322
65867078 2323if ((client_ssl = SSL_new(client_ctx)) == NULL)
cf0c6164 2324 return tls_error(US"SSL_new", host, NULL, errstr);
817d9f57
JH
2325SSL_set_session_id_context(client_ssl, sid_ctx, Ustrlen(sid_ctx));
2326SSL_set_fd(client_ssl, fd);
2327SSL_set_connect_state(client_ssl);
059ec3d9 2328
65867078 2329if (ob->tls_sni)
3f0945ff 2330 {
cf0c6164 2331 if (!expand_check(ob->tls_sni, US"tls_sni", &tls_out.sni, errstr))
3f0945ff 2332 return FAIL;
cf0c6164 2333 if (!tls_out.sni)
2c9a0e86
PP
2334 {
2335 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
2336 }
ec4b68e5 2337 else if (!Ustrlen(tls_out.sni))
817d9f57 2338 tls_out.sni = NULL;
3f0945ff
PP
2339 else
2340 {
35731706 2341#ifdef EXIM_HAVE_OPENSSL_TLSEXT
817d9f57
JH
2342 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tls_out.sni);
2343 SSL_set_tlsext_host_name(client_ssl, tls_out.sni);
35731706 2344#else
66802652 2345 log_write(0, LOG_MAIN, "SNI unusable with this OpenSSL library version; ignoring \"%s\"\n",
02d9264f 2346 tls_out.sni);
35731706 2347#endif
3f0945ff
PP
2348 }
2349 }
2350
594706ea 2351#ifdef EXPERIMENTAL_DANE
0e66b3b6 2352if (tlsa_dnsa)
cf0c6164 2353 if ((rc = dane_tlsa_load(client_ssl, host, tlsa_dnsa, errstr)) != OK)
594706ea
JH
2354 return rc;
2355#endif
2356
f2de3a33 2357#ifndef DISABLE_OCSP
f5d78688
JH
2358/* Request certificate status at connection-time. If the server
2359does OCSP stapling we will get the callback (set in tls_init()) */
b50c8b84 2360# ifdef EXPERIMENTAL_DANE
44662487
JH
2361if (request_ocsp)
2362 {
594706ea 2363 const uschar * s;
41afb5cb
JH
2364 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
2365 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
594706ea
JH
2366 )
2367 { /* Re-eval now $tls_out_tlsa_usage is populated. If
2368 this means we avoid the OCSP request, we wasted the setup
2369 cost in tls_init(). */
5130845b
JH
2370 require_ocsp = verify_check_given_host(&ob->hosts_require_ocsp, host) == OK;
2371 request_ocsp = require_ocsp
2372 || verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
594706ea
JH
2373 }
2374 }
b50c8b84
JH
2375# endif
2376
594706ea
JH
2377if (request_ocsp)
2378 {
f5d78688 2379 SSL_set_tlsext_status_type(client_ssl, TLSEXT_STATUSTYPE_ocsp);
44662487
JH
2380 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
2381 tls_out.ocsp = OCSP_NOT_RESP;
2382 }
f5d78688
JH
2383#endif
2384
0cbf2b82 2385#ifndef DISABLE_EVENT
774ef2d7 2386client_static_cbinfo->event_action = tb->event_action;
a7538db1 2387#endif
043b1248 2388
059ec3d9
PH
2389/* There doesn't seem to be a built-in timeout on connection. */
2390
2391DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
2392sigalrm_seen = FALSE;
65867078 2393alarm(ob->command_timeout);
817d9f57 2394rc = SSL_connect(client_ssl);
059ec3d9
PH
2395alarm(0);
2396
043b1248 2397#ifdef EXPERIMENTAL_DANE
0e66b3b6 2398if (tlsa_dnsa)
fde080a4 2399 DANESSL_cleanup(client_ssl);
043b1248
JH
2400#endif
2401
059ec3d9 2402if (rc <= 0)
cf0c6164
JH
2403 return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL,
2404 errstr);
059ec3d9
PH
2405
2406DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
2407
f69979cf 2408peer_cert(client_ssl, &tls_out, peerdn, sizeof(peerdn));
059ec3d9 2409
817d9f57
JH
2410construct_cipher_name(client_ssl, cipherbuf, sizeof(cipherbuf), &tls_out.bits);
2411tls_out.cipher = cipherbuf;
059ec3d9 2412
9d1c15ef
JH
2413/* Record the certificate we presented */
2414 {
2415 X509 * crt = SSL_get_certificate(client_ssl);
2416 tls_out.ourcert = crt ? X509_dup(crt) : NULL;
2417 }
2418
817d9f57 2419tls_out.active = fd;
059ec3d9
PH
2420return OK;
2421}
2422
2423
2424
2425
2426
0d81dabc
JH
2427static BOOL
2428tls_refill(unsigned lim)
2429{
2430int error;
2431int inbytes;
2432
2433DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
2434 ssl_xfer_buffer, ssl_xfer_buffer_size);
2435
2436if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
2437inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer,
2438 MIN(ssl_xfer_buffer_size, lim));
2439error = SSL_get_error(server_ssl, inbytes);
2440alarm(0);
2441
2442/* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
2443closed down, not that the socket itself has been closed down. Revert to
2444non-SSL handling. */
2445
2446if (error == SSL_ERROR_ZERO_RETURN)
2447 {
2448 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2449
2450 receive_getc = smtp_getc;
2451 receive_getbuf = smtp_getbuf;
2452 receive_get_cache = smtp_get_cache;
2453 receive_ungetc = smtp_ungetc;
2454 receive_feof = smtp_feof;
2455 receive_ferror = smtp_ferror;
2456 receive_smtp_buffered = smtp_buffered;
2457
2458 SSL_free(server_ssl);
2459 server_ssl = NULL;
2460 tls_in.active = -1;
2461 tls_in.bits = 0;
2462 tls_in.cipher = NULL;
2463 tls_in.peerdn = NULL;
2464 tls_in.sni = NULL;
2465
2466 return FALSE;
2467 }
2468
2469/* Handle genuine errors */
2470
2471else if (error == SSL_ERROR_SSL)
2472 {
2473 ERR_error_string(ERR_get_error(), ssl_errstring);
2474 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
2475 ssl_xfer_error = 1;
2476 return FALSE;
2477 }
2478
2479else if (error != SSL_ERROR_NONE)
2480 {
2481 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
2482 ssl_xfer_error = 1;
2483 return FALSE;
2484 }
2485
2486#ifndef DISABLE_DKIM
2487dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
2488#endif
2489ssl_xfer_buffer_hwm = inbytes;
2490ssl_xfer_buffer_lwm = 0;
2491return TRUE;
2492}
2493
2494
059ec3d9
PH
2495/*************************************************
2496* TLS version of getc *
2497*************************************************/
2498
2499/* This gets the next byte from the TLS input buffer. If the buffer is empty,
2500it refills the buffer via the SSL reading function.
2501
bd8fbe36 2502Arguments: lim Maximum amount to read/buffer
059ec3d9 2503Returns: the next character or EOF
817d9f57
JH
2504
2505Only used by the server-side TLS.
059ec3d9
PH
2506*/
2507
2508int
bd8fbe36 2509tls_getc(unsigned lim)
059ec3d9
PH
2510{
2511if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
0d81dabc
JH
2512 if (!tls_refill(lim))
2513 return ssl_xfer_error ? EOF : smtp_getc(lim);
059ec3d9 2514
0d81dabc 2515/* Something in the buffer; return next uschar */
059ec3d9 2516
0d81dabc
JH
2517return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
2518}
059ec3d9 2519
0d81dabc
JH
2520uschar *
2521tls_getbuf(unsigned * len)
2522{
2523unsigned size;
2524uschar * buf;
ba084640 2525
0d81dabc
JH
2526if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
2527 if (!tls_refill(*len))
059ec3d9 2528 {
0d81dabc
JH
2529 if (!ssl_xfer_error) return smtp_getbuf(len);
2530 *len = 0;
2531 return NULL;
059ec3d9 2532 }
c80c5570 2533
0d81dabc
JH
2534if ((size = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm) > *len)
2535 size = *len;
2536buf = &ssl_xfer_buffer[ssl_xfer_buffer_lwm];
2537ssl_xfer_buffer_lwm += size;
2538*len = size;
2539return buf;
059ec3d9
PH
2540}
2541
0d81dabc 2542
584e96c6
JH
2543void
2544tls_get_cache()
2545{
9960d1e5 2546#ifndef DISABLE_DKIM
584e96c6
JH
2547int n = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm;
2548if (n > 0)
2549 dkim_exim_verify_feed(ssl_xfer_buffer+ssl_xfer_buffer_lwm, n);
584e96c6 2550#endif
9960d1e5 2551}
584e96c6 2552
059ec3d9 2553
925ac8e4
JH
2554BOOL
2555tls_could_read(void)
2556{
a5ffa9b4 2557return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm || SSL_pending(server_ssl) > 0;
925ac8e4
JH
2558}
2559
059ec3d9
PH
2560
2561/*************************************************
2562* Read bytes from TLS channel *
2563*************************************************/
2564
2565/*
2566Arguments:
2567 buff buffer of data
2568 len size of buffer
2569
2570Returns: the number of bytes read
2571 -1 after a failed read
817d9f57
JH
2572
2573Only used by the client-side TLS.
059ec3d9
PH
2574*/
2575
2576int
389ca47a 2577tls_read(BOOL is_server, uschar *buff, size_t len)
059ec3d9 2578{
389ca47a 2579SSL *ssl = is_server ? server_ssl : client_ssl;
059ec3d9
PH
2580int inbytes;
2581int error;
2582
389ca47a 2583DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
c80c5570 2584 buff, (unsigned int)len);
059ec3d9 2585
389ca47a
JH
2586inbytes = SSL_read(ssl, CS buff, len);
2587error = SSL_get_error(ssl, inbytes);
059ec3d9
PH
2588
2589if (error == SSL_ERROR_ZERO_RETURN)
2590 {
2591 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2592 return -1;
2593 }
2594else if (error != SSL_ERROR_NONE)
059ec3d9 2595 return -1;
059ec3d9
PH
2596
2597return inbytes;
2598}
2599
2600
2601
2602
2603
2604/*************************************************
2605* Write bytes down TLS channel *
2606*************************************************/
2607
2608/*
2609Arguments:
817d9f57 2610 is_server channel specifier
059ec3d9
PH
2611 buff buffer of data
2612 len number of bytes
925ac8e4 2613 more further data expected soon
059ec3d9
PH
2614
2615Returns: the number of bytes after a successful write,
2616 -1 after a failed write
817d9f57
JH
2617
2618Used by both server-side and client-side TLS.
059ec3d9
PH
2619*/
2620
2621int
925ac8e4 2622tls_write(BOOL is_server, const uschar *buff, size_t len, BOOL more)
059ec3d9 2623{
a5ffa9b4 2624int outbytes, error, left;
817d9f57 2625SSL *ssl = is_server ? server_ssl : client_ssl;
acec9514 2626static gstring * corked = NULL;
a5ffa9b4 2627
ef698bf6 2628DEBUG(D_tls) debug_printf("%s(%p, %lu%s)\n", __FUNCTION__,
b93be52e 2629 buff, (unsigned long)len, more ? ", more" : "");
a5ffa9b4
JH
2630
2631/* Lacking a CORK or MSG_MORE facility (such as GnuTLS has) we copy data when
2632"more" is notified. This hack is only ok if small amounts are involved AND only
2633one stream does it, in one context (i.e. no store reset). Currently it is used
2634for the responses to the received SMTP MAIL , RCPT, DATA sequence, only. */
2635
2636if (is_server && (more || corked))
2637 {
acec9514 2638 corked = string_catn(corked, buff, len);
a5ffa9b4
JH
2639 if (more)
2640 return len;
acec9514
JH
2641 buff = CUS corked->s;
2642 len = corked->ptr;
2643 corked = NULL;
a5ffa9b4 2644 }
059ec3d9 2645
a5ffa9b4 2646for (left = len; left > 0;)
059ec3d9 2647 {
c80c5570 2648 DEBUG(D_tls) debug_printf("SSL_write(SSL, %p, %d)\n", buff, left);
059ec3d9
PH
2649 outbytes = SSL_write(ssl, CS buff, left);
2650 error = SSL_get_error(ssl, outbytes);
2651 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
2652 switch (error)
2653 {
2654 case SSL_ERROR_SSL:
96f5fe4c
JH
2655 ERR_error_string(ERR_get_error(), ssl_errstring);
2656 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
2657 return -1;
059ec3d9
PH
2658
2659 case SSL_ERROR_NONE:
96f5fe4c
JH
2660 left -= outbytes;
2661 buff += outbytes;
2662 break;
059ec3d9
PH
2663
2664 case SSL_ERROR_ZERO_RETURN:
96f5fe4c
JH
2665 log_write(0, LOG_MAIN, "SSL channel closed on write");
2666 return -1;
059ec3d9 2667
817d9f57 2668 case SSL_ERROR_SYSCALL:
96f5fe4c
JH
2669 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
2670 sender_fullhost ? sender_fullhost : US"<unknown>",
2671 strerror(errno));
2672 return -1;
817d9f57 2673
059ec3d9 2674 default:
96f5fe4c
JH
2675 log_write(0, LOG_MAIN, "SSL_write error %d", error);
2676 return -1;
059ec3d9
PH
2677 }
2678 }
2679return len;
2680}
2681
2682
2683
2684/*************************************************
2685* Close down a TLS session *
2686*************************************************/
2687
2688/* This is also called from within a delivery subprocess forked from the
2689daemon, to shut down the TLS library, without actually doing a shutdown (which
2690would tamper with the SSL session in the parent process).
2691
2692Arguments: TRUE if SSL_shutdown is to be called
2693Returns: nothing
817d9f57
JH
2694
2695Used by both server-side and client-side TLS.
059ec3d9
PH
2696*/
2697
2698void
817d9f57 2699tls_close(BOOL is_server, BOOL shutdown)
059ec3d9 2700{
817d9f57 2701SSL **sslp = is_server ? &server_ssl : &client_ssl;
389ca47a 2702int *fdp = is_server ? &tls_in.active : &tls_out.active;
817d9f57
JH
2703
2704if (*fdp < 0) return; /* TLS was not active */
059ec3d9
PH
2705
2706if (shutdown)
2707 {
ec8b777a 2708 DEBUG(D_tls) debug_printf("tls_close(): shutting down SSL\n");
817d9f57 2709 SSL_shutdown(*sslp);
059ec3d9
PH
2710 }
2711
817d9f57
JH
2712SSL_free(*sslp);
2713*sslp = NULL;
059ec3d9 2714
817d9f57 2715*fdp = -1;
059ec3d9
PH
2716}
2717
36f12725
NM
2718
2719
2720
2721/*************************************************
3375e053
PP
2722* Let tls_require_ciphers be checked at startup *
2723*************************************************/
2724
2725/* The tls_require_ciphers option, if set, must be something which the
2726library can parse.
2727
2728Returns: NULL on success, or error message
2729*/
2730
2731uschar *
2732tls_validate_require_cipher(void)
2733{
2734SSL_CTX *ctx;
2735uschar *s, *expciphers, *err;
2736
2737/* this duplicates from tls_init(), we need a better "init just global
2738state, for no specific purpose" singleton function of our own */
2739
2740SSL_load_error_strings();
2741OpenSSL_add_ssl_algorithms();
2742#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
2743/* SHA256 is becoming ever more popular. This makes sure it gets added to the
2744list of available digests. */
2745EVP_add_digest(EVP_sha256());
2746#endif
2747
2748if (!(tls_require_ciphers && *tls_require_ciphers))
2749 return NULL;
2750
cf0c6164
JH
2751if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
2752 &err))
3375e053
PP
2753 return US"failed to expand tls_require_ciphers";
2754
2755if (!(expciphers && *expciphers))
2756 return NULL;
2757
2758/* normalisation ripped from above */
2759s = expciphers;
2760while (*s != 0) { if (*s == '_') *s = '-'; s++; }
2761
2762err = NULL;
2763
2764ctx = SSL_CTX_new(SSLv23_server_method());
2765if (!ctx)
2766 {
2767 ERR_error_string(ERR_get_error(), ssl_errstring);
2768 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
2769 }
2770
2771DEBUG(D_tls)
2772 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
2773
2774if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
2775 {
2776 ERR_error_string(ERR_get_error(), ssl_errstring);
cf0c6164
JH
2777 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed: %s",
2778 expciphers, ssl_errstring);
3375e053
PP
2779 }
2780
2781SSL_CTX_free(ctx);
2782
2783return err;
2784}
2785
2786
2787
2788
2789/*************************************************
36f12725
NM
2790* Report the library versions. *
2791*************************************************/
2792
2793/* There have historically been some issues with binary compatibility in
2794OpenSSL libraries; if Exim (like many other applications) is built against
2795one version of OpenSSL but the run-time linker picks up another version,
2796it can result in serious failures, including crashing with a SIGSEGV. So
2797report the version found by the compiler and the run-time version.
2798
f64a1e23
PP
2799Note: some OS vendors backport security fixes without changing the version
2800number/string, and the version date remains unchanged. The _build_ date
2801will change, so we can more usefully assist with version diagnosis by also
2802reporting the build date.
2803
36f12725
NM
2804Arguments: a FILE* to print the results to
2805Returns: nothing
2806*/
2807
2808void
2809tls_version_report(FILE *f)
2810{
754a0503 2811fprintf(f, "Library version: OpenSSL: Compile: %s\n"
f64a1e23
PP
2812 " Runtime: %s\n"
2813 " : %s\n",
754a0503 2814 OPENSSL_VERSION_TEXT,
f64a1e23
PP
2815 SSLeay_version(SSLEAY_VERSION),
2816 SSLeay_version(SSLEAY_BUILT_ON));
2817/* third line is 38 characters for the %s and the line is 73 chars long;
2818the OpenSSL output includes a "built on: " prefix already. */
36f12725
NM
2819}
2820
9e3331ea
TK
2821
2822
2823
2824/*************************************************
17c76198 2825* Random number generation *
9e3331ea
TK
2826*************************************************/
2827
2828/* Pseudo-random number generation. The result is not expected to be
2829cryptographically strong but not so weak that someone will shoot themselves
2830in the foot using it as a nonce in input in some email header scheme or
2831whatever weirdness they'll twist this into. The result should handle fork()
2832and avoid repeating sequences. OpenSSL handles that for us.
2833
2834Arguments:
2835 max range maximum
2836Returns a random number in range [0, max-1]
2837*/
2838
2839int
17c76198 2840vaguely_random_number(int max)
9e3331ea
TK
2841{
2842unsigned int r;
2843int i, needed_len;
de6135a0
PP
2844static pid_t pidlast = 0;
2845pid_t pidnow;
9e3331ea
TK
2846uschar *p;
2847uschar smallbuf[sizeof(r)];
2848
2849if (max <= 1)
2850 return 0;
2851
de6135a0
PP
2852pidnow = getpid();
2853if (pidnow != pidlast)
2854 {
2855 /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
2856 is unique for each thread", this doesn't apparently apply across processes,
2857 so our own warning from vaguely_random_number_fallback() applies here too.
2858 Fix per PostgreSQL. */
2859 if (pidlast != 0)
2860 RAND_cleanup();
2861 pidlast = pidnow;
2862 }
2863
9e3331ea
TK
2864/* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
2865if (!RAND_status())
2866 {
2867 randstuff r;
2868 gettimeofday(&r.tv, NULL);
2869 r.p = getpid();
2870
5903c6ff 2871 RAND_seed(US (&r), sizeof(r));
9e3331ea
TK
2872 }
2873/* We're after pseudo-random, not random; if we still don't have enough data
2874in the internal PRNG then our options are limited. We could sleep and hope
2875for entropy to come along (prayer technique) but if the system is so depleted
2876in the first place then something is likely to just keep taking it. Instead,
2877we'll just take whatever little bit of pseudo-random we can still manage to
2878get. */
2879
2880needed_len = sizeof(r);
2881/* Don't take 8 times more entropy than needed if int is 8 octets and we were
2882asked for a number less than 10. */
2883for (r = max, i = 0; r; ++i)
2884 r >>= 1;
2885i = (i + 7) / 8;
2886if (i < needed_len)
2887 needed_len = i;
2888
c8dfb21d 2889#ifdef EXIM_HAVE_RAND_PSEUDO
9e3331ea 2890/* We do not care if crypto-strong */
17c76198 2891i = RAND_pseudo_bytes(smallbuf, needed_len);
c8dfb21d
JH
2892#else
2893i = RAND_bytes(smallbuf, needed_len);
2894#endif
2895
17c76198
PP
2896if (i < 0)
2897 {
2898 DEBUG(D_all)
2899 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
2900 return vaguely_random_number_fallback(max);
2901 }
2902
9e3331ea
TK
2903r = 0;
2904for (p = smallbuf; needed_len; --needed_len, ++p)
2905 {
2906 r *= 256;
2907 r += *p;
2908 }
2909
2910/* We don't particularly care about weighted results; if someone wants
2911smooth distribution and cares enough then they should submit a patch then. */
2912return r % max;
2913}
2914
77bb000f
PP
2915
2916
2917
2918/*************************************************
2919* OpenSSL option parse *
2920*************************************************/
2921
2922/* Parse one option for tls_openssl_options_parse below
2923
2924Arguments:
2925 name one option name
2926 value place to store a value for it
2927Returns success or failure in parsing
2928*/
2929
2930struct exim_openssl_option {
2931 uschar *name;
2932 long value;
2933};
2934/* We could use a macro to expand, but we need the ifdef and not all the
2935options document which version they were introduced in. Policylet: include
2936all options unless explicitly for DTLS, let the administrator choose which
2937to apply.
2938
2939This list is current as of:
e2fbf4a2
PP
2940 ==> 1.0.1b <==
2941Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
2942*/
77bb000f
PP
2943static struct exim_openssl_option exim_openssl_options[] = {
2944/* KEEP SORTED ALPHABETICALLY! */
2945#ifdef SSL_OP_ALL
73a46702 2946 { US"all", SSL_OP_ALL },
77bb000f
PP
2947#endif
2948#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
73a46702 2949 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
77bb000f
PP
2950#endif
2951#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
73a46702 2952 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
77bb000f
PP
2953#endif
2954#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
73a46702 2955 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
77bb000f
PP
2956#endif
2957#ifdef SSL_OP_EPHEMERAL_RSA
73a46702 2958 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
77bb000f
PP
2959#endif
2960#ifdef SSL_OP_LEGACY_SERVER_CONNECT
73a46702 2961 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
77bb000f
PP
2962#endif
2963#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
73a46702 2964 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
77bb000f
PP
2965#endif
2966#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
73a46702 2967 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
77bb000f
PP
2968#endif
2969#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
73a46702 2970 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
77bb000f
PP
2971#endif
2972#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
73a46702 2973 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
77bb000f
PP
2974#endif
2975#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
73a46702 2976 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
77bb000f 2977#endif
c80c5570
PP
2978#ifdef SSL_OP_NO_COMPRESSION
2979 { US"no_compression", SSL_OP_NO_COMPRESSION },
2980#endif
77bb000f 2981#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
73a46702 2982 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
77bb000f 2983#endif
c0c7b2da
PP
2984#ifdef SSL_OP_NO_SSLv2
2985 { US"no_sslv2", SSL_OP_NO_SSLv2 },
2986#endif
2987#ifdef SSL_OP_NO_SSLv3
2988 { US"no_sslv3", SSL_OP_NO_SSLv3 },
2989#endif
2990#ifdef SSL_OP_NO_TICKET
2991 { US"no_ticket", SSL_OP_NO_TICKET },
2992#endif
2993#ifdef SSL_OP_NO_TLSv1
2994 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
2995#endif
c80c5570
PP
2996#ifdef SSL_OP_NO_TLSv1_1
2997#if SSL_OP_NO_TLSv1_1 == 0x00000400L
2998 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
2999#warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
3000#else
3001 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
3002#endif
3003#endif
3004#ifdef SSL_OP_NO_TLSv1_2
3005 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
3006#endif
e2fbf4a2
PP
3007#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
3008 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
3009#endif
77bb000f 3010#ifdef SSL_OP_SINGLE_DH_USE
73a46702 3011 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
77bb000f
PP
3012#endif
3013#ifdef SSL_OP_SINGLE_ECDH_USE
73a46702 3014 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
77bb000f
PP
3015#endif
3016#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
73a46702 3017 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
77bb000f
PP
3018#endif
3019#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
73a46702 3020 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
77bb000f
PP
3021#endif
3022#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
73a46702 3023 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
77bb000f
PP
3024#endif
3025#ifdef SSL_OP_TLS_D5_BUG
73a46702 3026 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
77bb000f
PP
3027#endif
3028#ifdef SSL_OP_TLS_ROLLBACK_BUG
73a46702 3029 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
77bb000f
PP
3030#endif
3031};
3032static int exim_openssl_options_size =
3033 sizeof(exim_openssl_options)/sizeof(struct exim_openssl_option);
3034
c80c5570 3035
77bb000f
PP
3036static BOOL
3037tls_openssl_one_option_parse(uschar *name, long *value)
3038{
3039int first = 0;
3040int last = exim_openssl_options_size;
3041while (last > first)
3042 {
3043 int middle = (first + last)/2;
3044 int c = Ustrcmp(name, exim_openssl_options[middle].name);
3045 if (c == 0)
3046 {
3047 *value = exim_openssl_options[middle].value;
3048 return TRUE;
3049 }
3050 else if (c > 0)
3051 first = middle + 1;
3052 else
3053 last = middle;
3054 }
3055return FALSE;
3056}
3057
3058
3059
3060
3061/*************************************************
3062* OpenSSL option parsing logic *
3063*************************************************/
3064
3065/* OpenSSL has a number of compatibility options which an administrator might
3066reasonably wish to set. Interpret a list similarly to decode_bits(), so that
3067we look like log_selector.
3068
3069Arguments:
3070 option_spec the administrator-supplied string of options
3071 results ptr to long storage for the options bitmap
3072Returns success or failure
3073*/
3074
3075BOOL
3076tls_openssl_options_parse(uschar *option_spec, long *results)
3077{
3078long result, item;
3079uschar *s, *end;
3080uschar keep_c;
3081BOOL adding, item_parsed;
3082
7006ee24 3083result = SSL_OP_NO_TICKET;
b1770b6e 3084/* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
da3ad30d 3085 * from default because it increases BEAST susceptibility. */
f0f5a555
PP
3086#ifdef SSL_OP_NO_SSLv2
3087result |= SSL_OP_NO_SSLv2;
3088#endif
a57b6200
JH
3089#ifdef SSL_OP_SINGLE_DH_USE
3090result |= SSL_OP_SINGLE_DH_USE;
3091#endif
77bb000f 3092
7006ee24 3093if (!option_spec)
77bb000f
PP
3094 {
3095 *results = result;
3096 return TRUE;
3097 }
3098
3099for (s=option_spec; *s != '\0'; /**/)
3100 {
3101 while (isspace(*s)) ++s;
3102 if (*s == '\0')
3103 break;
3104 if (*s != '+' && *s != '-')
3105 {
3106 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
0e944a0d 3107 "+ or - expected but found \"%s\"\n", s);
77bb000f
PP
3108 return FALSE;
3109 }
3110 adding = *s++ == '+';
3111 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
3112 keep_c = *end;
3113 *end = '\0';
3114 item_parsed = tls_openssl_one_option_parse(s, &item);
96f5fe4c 3115 *end = keep_c;
77bb000f
PP
3116 if (!item_parsed)
3117 {
0e944a0d 3118 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
77bb000f
PP
3119 return FALSE;
3120 }
3121 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
3122 adding ? "adding" : "removing", result, item, s);
3123 if (adding)
3124 result |= item;
3125 else
3126 result &= ~item;
77bb000f
PP
3127 s = end;
3128 }
3129
3130*results = result;
3131return TRUE;
3132}
3133
9d1c15ef
JH
3134/* vi: aw ai sw=2
3135*/
059ec3d9 3136/* End of tls-openssl.c */