OpenSSL 1.0.0 const fix for SSL_get_current_cipher
[exim.git] / src / src / tls-openssl.c
CommitLineData
a053d125 1/* $Cambridge: exim/src/src/tls-openssl.c,v 1.28 2010/06/12 17:56:32 jetmore Exp $ */
059ec3d9
PH
2
3/*************************************************
4* Exim - an Internet mail transport agent *
5*************************************************/
6
0a49a7a4 7/* Copyright (c) University of Cambridge 1995 - 2009 */
059ec3d9
PH
8/* See the file NOTICE for conditions of use and distribution. */
9
10/* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11library. It is #included into the tls.c file when that library is used. The
12code herein is based on a patch that was originally contributed by Steve
13Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
14
15No cryptographic code is included in Exim. All this module does is to call
16functions from the OpenSSL library. */
17
18
19/* Heading stuff */
20
21#include <openssl/lhash.h>
22#include <openssl/ssl.h>
23#include <openssl/err.h>
24#include <openssl/rand.h>
25
26/* Structure for collecting random data for seeding. */
27
28typedef struct randstuff {
9e3331ea
TK
29 struct timeval tv;
30 pid_t p;
059ec3d9
PH
31} randstuff;
32
33/* Local static variables */
34
35static BOOL verify_callback_called = FALSE;
36static const uschar *sid_ctx = US"exim";
37
38static SSL_CTX *ctx = NULL;
39static SSL *ssl = NULL;
40
41static char ssl_errstring[256];
42
43static int ssl_session_timeout = 200;
44static BOOL verify_optional = FALSE;
45
46
47
48
49
50/*************************************************
51* Handle TLS error *
52*************************************************/
53
54/* Called from lots of places when errors occur before actually starting to do
55the TLS handshake, that is, while the session is still in clear. Always returns
56DEFER for a server and FAIL for a client so that most calls can use "return
57tls_error(...)" to do this processing and then give an appropriate return. A
58single function is used for both server and client, because it is called from
59some shared functions.
60
61Argument:
62 prefix text to include in the logged error
63 host NULL if setting up a server;
64 the connected host if setting up a client
7199e1ee 65 msg error message or NULL if we should ask OpenSSL
059ec3d9
PH
66
67Returns: OK/DEFER/FAIL
68*/
69
70static int
7199e1ee 71tls_error(uschar *prefix, host_item *host, uschar *msg)
059ec3d9 72{
7199e1ee
TF
73if (msg == NULL)
74 {
75 ERR_error_string(ERR_get_error(), ssl_errstring);
5ca6d115 76 msg = (uschar *)ssl_errstring;
7199e1ee
TF
77 }
78
059ec3d9
PH
79if (host == NULL)
80 {
7199e1ee 81 uschar *conn_info = smtp_get_connection_info();
5ca6d115 82 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0)
7199e1ee
TF
83 conn_info += 5;
84 log_write(0, LOG_MAIN, "TLS error on %s (%s): %s",
85 conn_info, prefix, msg);
059ec3d9
PH
86 return DEFER;
87 }
88else
89 {
90 log_write(0, LOG_MAIN, "TLS error on connection to %s [%s] (%s): %s",
7199e1ee 91 host->name, host->address, prefix, msg);
059ec3d9
PH
92 return FAIL;
93 }
94}
95
96
97
98/*************************************************
99* Callback to generate RSA key *
100*************************************************/
101
102/*
103Arguments:
104 s SSL connection
105 export not used
106 keylength keylength
107
108Returns: pointer to generated key
109*/
110
111static RSA *
112rsa_callback(SSL *s, int export, int keylength)
113{
114RSA *rsa_key;
115export = export; /* Shut picky compilers up */
116DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
117rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL);
118if (rsa_key == NULL)
119 {
120 ERR_error_string(ERR_get_error(), ssl_errstring);
121 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
122 ssl_errstring);
123 return NULL;
124 }
125return rsa_key;
126}
127
128
129
130
131/*************************************************
132* Callback for verification *
133*************************************************/
134
135/* The SSL library does certificate verification if set up to do so. This
136callback has the current yes/no state is in "state". If verification succeeded,
137we set up the tls_peerdn string. If verification failed, what happens depends
138on whether the client is required to present a verifiable certificate or not.
139
140If verification is optional, we change the state to yes, but still log the
141verification error. For some reason (it really would help to have proper
142documentation of OpenSSL), this callback function then gets called again, this
143time with state = 1. In fact, that's useful, because we can set up the peerdn
144value, but we must take care not to set the private verified flag on the second
145time through.
146
147Note: this function is not called if the client fails to present a certificate
148when asked. We get here only if a certificate has been received. Handling of
149optional verification for this case is done when requesting SSL to verify, by
150setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
151
152Arguments:
153 state current yes/no state as 1/0
154 x509ctx certificate information.
155
156Returns: 1 if verified, 0 if not
157*/
158
159static int
160verify_callback(int state, X509_STORE_CTX *x509ctx)
161{
162static uschar txt[256];
163
164X509_NAME_oneline(X509_get_subject_name(x509ctx->current_cert),
165 CS txt, sizeof(txt));
166
167if (state == 0)
168 {
169 log_write(0, LOG_MAIN, "SSL verify error: depth=%d error=%s cert=%s",
170 x509ctx->error_depth,
171 X509_verify_cert_error_string(x509ctx->error),
172 txt);
173 tls_certificate_verified = FALSE;
174 verify_callback_called = TRUE;
175 if (!verify_optional) return 0; /* reject */
176 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
177 "tls_try_verify_hosts)\n");
178 return 1; /* accept */
179 }
180
181if (x509ctx->error_depth != 0)
182 {
183 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d cert=%s\n",
184 x509ctx->error_depth, txt);
185 }
186else
187 {
188 DEBUG(D_tls) debug_printf("SSL%s peer: %s\n",
189 verify_callback_called? "" : " authenticated", txt);
190 tls_peerdn = txt;
191 }
192
059ec3d9
PH
193if (!verify_callback_called) tls_certificate_verified = TRUE;
194verify_callback_called = TRUE;
195
196return 1; /* accept */
197}
198
199
200
201/*************************************************
202* Information callback *
203*************************************************/
204
205/* The SSL library functions call this from time to time to indicate what they
206are doing. We copy the string to the debugging output when the level is high
207enough.
208
209Arguments:
210 s the SSL connection
211 where
212 ret
213
214Returns: nothing
215*/
216
217static void
218info_callback(SSL *s, int where, int ret)
219{
220where = where;
221ret = ret;
222DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
223}
224
225
226
227/*************************************************
228* Initialize for DH *
229*************************************************/
230
231/* If dhparam is set, expand it, and load up the parameters for DH encryption.
232
233Arguments:
234 dhparam DH parameter file
7199e1ee 235 host connected host, if client; NULL if server
059ec3d9
PH
236
237Returns: TRUE if OK (nothing to set up, or setup worked)
238*/
239
240static BOOL
7199e1ee 241init_dh(uschar *dhparam, host_item *host)
059ec3d9
PH
242{
243BOOL yield = TRUE;
244BIO *bio;
245DH *dh;
246uschar *dhexpanded;
247
248if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded))
249 return FALSE;
250
251if (dhexpanded == NULL) return TRUE;
252
253if ((bio = BIO_new_file(CS dhexpanded, "r")) == NULL)
254 {
7199e1ee 255 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
5ca6d115 256 host, (uschar *)strerror(errno));
059ec3d9
PH
257 yield = FALSE;
258 }
259else
260 {
261 if ((dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)) == NULL)
262 {
7199e1ee
TF
263 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
264 host, NULL);
059ec3d9
PH
265 yield = FALSE;
266 }
267 else
268 {
269 SSL_CTX_set_tmp_dh(ctx, dh);
270 DEBUG(D_tls)
271 debug_printf("Diffie-Hellman initialized from %s with %d-bit key\n",
272 dhexpanded, 8*DH_size(dh));
273 DH_free(dh);
274 }
275 BIO_free(bio);
276 }
277
278return yield;
279}
280
281
282
283
284/*************************************************
285* Initialize for TLS *
286*************************************************/
287
288/* Called from both server and client code, to do preliminary initialization of
289the library.
290
291Arguments:
292 host connected host, if client; NULL if server
293 dhparam DH parameter file
294 certificate certificate file
295 privatekey private key
296 addr address if client; NULL if server (for some randomness)
297
298Returns: OK/DEFER/FAIL
299*/
300
301static int
c91535f3
PH
302tls_init(host_item *host, uschar *dhparam, uschar *certificate,
303 uschar *privatekey, address_item *addr)
059ec3d9 304{
77bb000f
PP
305long init_options;
306BOOL okay;
307
059ec3d9
PH
308SSL_load_error_strings(); /* basic set up */
309OpenSSL_add_ssl_algorithms();
310
388d6564 311#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
77bb000f 312/* SHA256 is becoming ever more popular. This makes sure it gets added to the
a0475b69
TK
313list of available digests. */
314EVP_add_digest(EVP_sha256());
cf1ef1a9 315#endif
a0475b69 316
059ec3d9
PH
317/* Create a context */
318
319ctx = SSL_CTX_new((host == NULL)?
320 SSLv23_server_method() : SSLv23_client_method());
321
7199e1ee 322if (ctx == NULL) return tls_error(US"SSL_CTX_new", host, NULL);
059ec3d9
PH
323
324/* It turns out that we need to seed the random number generator this early in
325order to get the full complement of ciphers to work. It took me roughly a day
326of work to discover this by experiment.
327
328On systems that have /dev/urandom, SSL may automatically seed itself from
329there. Otherwise, we have to make something up as best we can. Double check
330afterwards. */
331
332if (!RAND_status())
333 {
334 randstuff r;
9e3331ea 335 gettimeofday(&r.tv, NULL);
059ec3d9
PH
336 r.p = getpid();
337
338 RAND_seed((uschar *)(&r), sizeof(r));
339 RAND_seed((uschar *)big_buffer, big_buffer_size);
340 if (addr != NULL) RAND_seed((uschar *)addr, sizeof(addr));
341
342 if (!RAND_status())
7199e1ee 343 return tls_error(US"RAND_status", host,
5ca6d115 344 US"unable to seed random number generator");
059ec3d9
PH
345 }
346
347/* Set up the information callback, which outputs if debugging is at a suitable
348level. */
349
58c01c94 350SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
059ec3d9 351
77bb000f
PP
352/* Apply administrator-supplied work-arounds.
353Historically we applied just one requested option,
354SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
355moved to an administrator-controlled list of options to specify and
356grandfathered in the first one as the default value for "openssl_options".
059ec3d9 357
77bb000f
PP
358No OpenSSL version number checks: the options we accept depend upon the
359availability of the option value macros from OpenSSL. */
059ec3d9 360
77bb000f
PP
361okay = tls_openssl_options_parse(openssl_options, &init_options);
362if (!okay)
73a46702 363 return tls_error(US"openssl_options parsing failed", host, NULL);
77bb000f
PP
364
365if (init_options)
366 {
367 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
368 if (!(SSL_CTX_set_options(ctx, init_options)))
369 return tls_error(string_sprintf(
370 "SSL_CTX_set_option(%#lx)", init_options), host, NULL);
371 }
372else
373 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
059ec3d9
PH
374
375/* Initialize with DH parameters if supplied */
376
7199e1ee 377if (!init_dh(dhparam, host)) return DEFER;
059ec3d9
PH
378
379/* Set up certificate and key */
380
381if (certificate != NULL)
382 {
383 uschar *expanded;
384 if (!expand_check(certificate, US"tls_certificate", &expanded))
385 return DEFER;
386
387 if (expanded != NULL)
388 {
389 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded);
390 if (!SSL_CTX_use_certificate_chain_file(ctx, CS expanded))
d6453af2 391 return tls_error(string_sprintf(
7199e1ee 392 "SSL_CTX_use_certificate_chain_file file=%s", expanded), host, NULL);
059ec3d9
PH
393 }
394
395 if (privatekey != NULL &&
396 !expand_check(privatekey, US"tls_privatekey", &expanded))
397 return DEFER;
398
c91535f3
PH
399 /* If expansion was forced to fail, key_expanded will be NULL. If the result
400 of the expansion is an empty string, ignore it also, and assume the private
401 key is in the same file as the certificate. */
402
403 if (expanded != NULL && *expanded != 0)
059ec3d9
PH
404 {
405 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
406 if (!SSL_CTX_use_PrivateKey_file(ctx, CS expanded, SSL_FILETYPE_PEM))
d6453af2 407 return tls_error(string_sprintf(
7199e1ee 408 "SSL_CTX_use_PrivateKey_file file=%s", expanded), host, NULL);
059ec3d9
PH
409 }
410 }
411
412/* Set up the RSA callback */
413
414SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
415
416/* Finally, set the timeout, and we are done */
417
418SSL_CTX_set_timeout(ctx, ssl_session_timeout);
419DEBUG(D_tls) debug_printf("Initialized TLS\n");
420return OK;
421}
422
423
424
425
426/*************************************************
427* Get name of cipher in use *
428*************************************************/
429
430/* The answer is left in a static buffer, and tls_cipher is set to point
431to it.
432
433Argument: pointer to an SSL structure for the connection
434Returns: nothing
435*/
436
437static void
438construct_cipher_name(SSL *ssl)
439{
440static uschar cipherbuf[256];
57b3a7f5
PP
441/* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't
442yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
443the accessor functions use const in the prototype. */
444const SSL_CIPHER *c;
059ec3d9
PH
445uschar *ver;
446int bits;
447
448switch (ssl->session->ssl_version)
449 {
450 case SSL2_VERSION:
451 ver = US"SSLv2";
452 break;
453
454 case SSL3_VERSION:
455 ver = US"SSLv3";
456 break;
457
458 case TLS1_VERSION:
459 ver = US"TLSv1";
460 break;
461
462 default:
463 ver = US"UNKNOWN";
464 }
465
57b3a7f5 466c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
059ec3d9
PH
467SSL_CIPHER_get_bits(c, &bits);
468
469string_format(cipherbuf, sizeof(cipherbuf), "%s:%s:%u", ver,
470 SSL_CIPHER_get_name(c), bits);
471tls_cipher = cipherbuf;
472
473DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
474}
475
476
477
478
479
480/*************************************************
481* Set up for verifying certificates *
482*************************************************/
483
484/* Called by both client and server startup
485
486Arguments:
487 certs certs file or NULL
488 crl CRL file or NULL
489 host NULL in a server; the remote host in a client
490 optional TRUE if called from a server for a host in tls_try_verify_hosts;
491 otherwise passed as FALSE
492
493Returns: OK/DEFER/FAIL
494*/
495
496static int
497setup_certs(uschar *certs, uschar *crl, host_item *host, BOOL optional)
498{
499uschar *expcerts, *expcrl;
500
501if (!expand_check(certs, US"tls_verify_certificates", &expcerts))
502 return DEFER;
503
504if (expcerts != NULL)
505 {
506 struct stat statbuf;
507 if (!SSL_CTX_set_default_verify_paths(ctx))
7199e1ee 508 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
059ec3d9
PH
509
510 if (Ustat(expcerts, &statbuf) < 0)
511 {
512 log_write(0, LOG_MAIN|LOG_PANIC,
513 "failed to stat %s for certificates", expcerts);
514 return DEFER;
515 }
516 else
517 {
518 uschar *file, *dir;
519 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
520 { file = NULL; dir = expcerts; }
521 else
522 { file = expcerts; dir = NULL; }
523
524 /* If a certificate file is empty, the next function fails with an
525 unhelpful error message. If we skip it, we get the correct behaviour (no
526 certificates are recognized, but the error message is still misleading (it
527 says no certificate was supplied.) But this is better. */
528
529 if ((file == NULL || statbuf.st_size > 0) &&
530 !SSL_CTX_load_verify_locations(ctx, CS file, CS dir))
7199e1ee 531 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL);
059ec3d9
PH
532
533 if (file != NULL)
534 {
535 SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CS file));
536 }
537 }
538
539 /* Handle a certificate revocation list. */
540
541 #if OPENSSL_VERSION_NUMBER > 0x00907000L
542
8b417f2c
PH
543 /* This bit of code is now the version supplied by Lars Mainka. (I have
544 * merely reformatted it into the Exim code style.)
545
546 * "From here I changed the code to add support for multiple crl's
547 * in pem format in one file or to support hashed directory entries in
548 * pem format instead of a file. This method now uses the library function
549 * X509_STORE_load_locations to add the CRL location to the SSL context.
550 * OpenSSL will then handle the verify against CA certs and CRLs by
551 * itself in the verify callback." */
552
059ec3d9
PH
553 if (!expand_check(crl, US"tls_crl", &expcrl)) return DEFER;
554 if (expcrl != NULL && *expcrl != 0)
555 {
8b417f2c
PH
556 struct stat statbufcrl;
557 if (Ustat(expcrl, &statbufcrl) < 0)
558 {
559 log_write(0, LOG_MAIN|LOG_PANIC,
560 "failed to stat %s for certificates revocation lists", expcrl);
561 return DEFER;
562 }
563 else
059ec3d9 564 {
8b417f2c
PH
565 /* is it a file or directory? */
566 uschar *file, *dir;
567 X509_STORE *cvstore = SSL_CTX_get_cert_store(ctx);
568 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
059ec3d9 569 {
8b417f2c
PH
570 file = NULL;
571 dir = expcrl;
572 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
059ec3d9
PH
573 }
574 else
575 {
8b417f2c
PH
576 file = expcrl;
577 dir = NULL;
578 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
059ec3d9 579 }
8b417f2c 580 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
7199e1ee 581 return tls_error(US"X509_STORE_load_locations", host, NULL);
8b417f2c
PH
582
583 /* setting the flags to check against the complete crl chain */
584
585 X509_STORE_set_flags(cvstore,
586 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
059ec3d9 587 }
059ec3d9
PH
588 }
589
590 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
591
592 /* If verification is optional, don't fail if no certificate */
593
594 SSL_CTX_set_verify(ctx,
595 SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
596 verify_callback);
597 }
598
599return OK;
600}
601
602
603
604/*************************************************
605* Start a TLS session in a server *
606*************************************************/
607
608/* This is called when Exim is running as a server, after having received
609the STARTTLS command. It must respond to that command, and then negotiate
610a TLS session.
611
612Arguments:
613 require_ciphers allowed ciphers
83da1223
PH
614 ------------------------------------------------------
615 require_mac list of allowed MACs ) Not used
616 require_kx list of allowed key_exchange methods ) for
617 require_proto list of allowed protocols ) OpenSSL
618 ------------------------------------------------------
059ec3d9
PH
619
620Returns: OK on success
621 DEFER for errors before the start of the negotiation
622 FAIL for errors during the negotation; the server can't
623 continue running.
624*/
625
626int
83da1223
PH
627tls_server_start(uschar *require_ciphers, uschar *require_mac,
628 uschar *require_kx, uschar *require_proto)
059ec3d9
PH
629{
630int rc;
631uschar *expciphers;
632
633/* Check for previous activation */
634
635if (tls_active >= 0)
636 {
5ca6d115 637 tls_error(US"STARTTLS received after TLS started", NULL, US"");
059ec3d9
PH
638 smtp_printf("554 Already in TLS\r\n");
639 return FAIL;
640 }
641
642/* Initialize the SSL library. If it fails, it will already have logged
643the error. */
644
645rc = tls_init(NULL, tls_dhparam, tls_certificate, tls_privatekey, NULL);
646if (rc != OK) return rc;
647
648if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
649 return FAIL;
650
651/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
652are separated by underscores. So that I can use either form in my tests, and
653also for general convenience, we turn underscores into hyphens here. */
654
655if (expciphers != NULL)
656 {
657 uschar *s = expciphers;
658 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
659 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
660 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
7199e1ee 661 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL);
059ec3d9
PH
662 }
663
664/* If this is a host for which certificate verification is mandatory or
665optional, set up appropriately. */
666
667tls_certificate_verified = FALSE;
668verify_callback_called = FALSE;
669
670if (verify_check_host(&tls_verify_hosts) == OK)
671 {
672 rc = setup_certs(tls_verify_certificates, tls_crl, NULL, FALSE);
673 if (rc != OK) return rc;
674 verify_optional = FALSE;
675 }
676else if (verify_check_host(&tls_try_verify_hosts) == OK)
677 {
678 rc = setup_certs(tls_verify_certificates, tls_crl, NULL, TRUE);
679 if (rc != OK) return rc;
680 verify_optional = TRUE;
681 }
682
683/* Prepare for new connection */
684
7199e1ee 685if ((ssl = SSL_new(ctx)) == NULL) return tls_error(US"SSL_new", NULL, NULL);
059ec3d9
PH
686SSL_clear(ssl);
687
688/* Set context and tell client to go ahead, except in the case of TLS startup
689on connection, where outputting anything now upsets the clients and tends to
690make them disconnect. We need to have an explicit fflush() here, to force out
691the response. Other smtp_printf() calls do not need it, because in non-TLS
692mode, the fflush() happens when smtp_getc() is called. */
693
694SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
695if (!tls_on_connect)
696 {
697 smtp_printf("220 TLS go ahead\r\n");
698 fflush(smtp_out);
699 }
700
701/* Now negotiate the TLS session. We put our own timer on it, since it seems
702that the OpenSSL library doesn't. */
703
56f5d9bd
PH
704SSL_set_wfd(ssl, fileno(smtp_out));
705SSL_set_rfd(ssl, fileno(smtp_in));
059ec3d9
PH
706SSL_set_accept_state(ssl);
707
708DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
709
710sigalrm_seen = FALSE;
711if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
712rc = SSL_accept(ssl);
713alarm(0);
714
715if (rc <= 0)
716 {
7199e1ee 717 tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL);
77bb000f
PP
718 if (ERR_get_error() == 0)
719 log_write(0, LOG_MAIN,
a053d125 720 "TLS client disconnected cleanly (rejected our certificate?)");
059ec3d9
PH
721 return FAIL;
722 }
723
724DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
725
726/* TLS has been set up. Adjust the input functions to read via TLS,
727and initialize things. */
728
729construct_cipher_name(ssl);
730
731DEBUG(D_tls)
732 {
733 uschar buf[2048];
734 if (SSL_get_shared_ciphers(ssl, CS buf, sizeof(buf)) != NULL)
735 debug_printf("Shared ciphers: %s\n", buf);
736 }
737
738
739ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
740ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
741ssl_xfer_eof = ssl_xfer_error = 0;
742
743receive_getc = tls_getc;
744receive_ungetc = tls_ungetc;
745receive_feof = tls_feof;
746receive_ferror = tls_ferror;
58eb016e 747receive_smtp_buffered = tls_smtp_buffered;
059ec3d9
PH
748
749tls_active = fileno(smtp_out);
750return OK;
751}
752
753
754
755
756
757/*************************************************
758* Start a TLS session in a client *
759*************************************************/
760
761/* Called from the smtp transport after STARTTLS has been accepted.
762
763Argument:
764 fd the fd of the connection
765 host connected host (for messages)
83da1223 766 addr the first address
059ec3d9
PH
767 dhparam DH parameter file
768 certificate certificate file
769 privatekey private key file
770 verify_certs file for certificate verify
771 crl file containing CRL
772 require_ciphers list of allowed ciphers
83da1223
PH
773 ------------------------------------------------------
774 require_mac list of allowed MACs ) Not used
775 require_kx list of allowed key_exchange methods ) for
776 require_proto list of allowed protocols ) OpenSSL
777 ------------------------------------------------------
778 timeout startup timeout
059ec3d9
PH
779
780Returns: OK on success
781 FAIL otherwise - note that tls_error() will not give DEFER
782 because this is not a server
783*/
784
785int
786tls_client_start(int fd, host_item *host, address_item *addr, uschar *dhparam,
787 uschar *certificate, uschar *privatekey, uschar *verify_certs, uschar *crl,
83da1223
PH
788 uschar *require_ciphers, uschar *require_mac, uschar *require_kx,
789 uschar *require_proto, int timeout)
059ec3d9
PH
790{
791static uschar txt[256];
792uschar *expciphers;
793X509* server_cert;
794int rc;
795
796rc = tls_init(host, dhparam, certificate, privatekey, addr);
797if (rc != OK) return rc;
798
799tls_certificate_verified = FALSE;
800verify_callback_called = FALSE;
801
802if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
803 return FAIL;
804
805/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
806are separated by underscores. So that I can use either form in my tests, and
807also for general convenience, we turn underscores into hyphens here. */
808
809if (expciphers != NULL)
810 {
811 uschar *s = expciphers;
812 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
813 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
814 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
7199e1ee 815 return tls_error(US"SSL_CTX_set_cipher_list", host, NULL);
059ec3d9
PH
816 }
817
818rc = setup_certs(verify_certs, crl, host, FALSE);
819if (rc != OK) return rc;
820
7199e1ee 821if ((ssl = SSL_new(ctx)) == NULL) return tls_error(US"SSL_new", host, NULL);
059ec3d9
PH
822SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
823SSL_set_fd(ssl, fd);
824SSL_set_connect_state(ssl);
825
826/* There doesn't seem to be a built-in timeout on connection. */
827
828DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
829sigalrm_seen = FALSE;
830alarm(timeout);
831rc = SSL_connect(ssl);
832alarm(0);
833
834if (rc <= 0)
7199e1ee 835 return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL);
059ec3d9
PH
836
837DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
838
453a6645 839/* Beware anonymous ciphers which lead to server_cert being NULL */
059ec3d9 840server_cert = SSL_get_peer_certificate (ssl);
453a6645
PP
841if (server_cert)
842 {
843 tls_peerdn = US X509_NAME_oneline(X509_get_subject_name(server_cert),
844 CS txt, sizeof(txt));
845 tls_peerdn = txt;
846 }
847else
848 tls_peerdn = NULL;
059ec3d9
PH
849
850construct_cipher_name(ssl); /* Sets tls_cipher */
851
852tls_active = fd;
853return OK;
854}
855
856
857
858
859
860/*************************************************
861* TLS version of getc *
862*************************************************/
863
864/* This gets the next byte from the TLS input buffer. If the buffer is empty,
865it refills the buffer via the SSL reading function.
866
867Arguments: none
868Returns: the next character or EOF
869*/
870
871int
872tls_getc(void)
873{
874if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
875 {
876 int error;
877 int inbytes;
878
879 DEBUG(D_tls) debug_printf("Calling SSL_read(%lx, %lx, %u)\n", (long)ssl,
880 (long)ssl_xfer_buffer, ssl_xfer_buffer_size);
881
882 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
883 inbytes = SSL_read(ssl, CS ssl_xfer_buffer, ssl_xfer_buffer_size);
884 error = SSL_get_error(ssl, inbytes);
885 alarm(0);
886
887 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
888 closed down, not that the socket itself has been closed down. Revert to
889 non-SSL handling. */
890
891 if (error == SSL_ERROR_ZERO_RETURN)
892 {
893 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
894
895 receive_getc = smtp_getc;
896 receive_ungetc = smtp_ungetc;
897 receive_feof = smtp_feof;
898 receive_ferror = smtp_ferror;
58eb016e 899 receive_smtp_buffered = smtp_buffered;
059ec3d9
PH
900
901 SSL_free(ssl);
902 ssl = NULL;
903 tls_active = -1;
904 tls_cipher = NULL;
905 tls_peerdn = NULL;
906
907 return smtp_getc();
908 }
909
910 /* Handle genuine errors */
911
ba084640
PP
912 else if (error == SSL_ERROR_SSL)
913 {
914 ERR_error_string(ERR_get_error(), ssl_errstring);
89dd51cd 915 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
ba084640
PP
916 ssl_xfer_error = 1;
917 return EOF;
918 }
919
059ec3d9
PH
920 else if (error != SSL_ERROR_NONE)
921 {
922 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
923 ssl_xfer_error = 1;
924 return EOF;
925 }
80a47a2c
TK
926#ifndef DISABLE_DKIM
927 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
928#endif
059ec3d9
PH
929 ssl_xfer_buffer_hwm = inbytes;
930 ssl_xfer_buffer_lwm = 0;
931 }
932
933/* Something in the buffer; return next uschar */
934
935return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
936}
937
938
939
940/*************************************************
941* Read bytes from TLS channel *
942*************************************************/
943
944/*
945Arguments:
946 buff buffer of data
947 len size of buffer
948
949Returns: the number of bytes read
950 -1 after a failed read
951*/
952
953int
954tls_read(uschar *buff, size_t len)
955{
956int inbytes;
957int error;
958
959DEBUG(D_tls) debug_printf("Calling SSL_read(%lx, %lx, %u)\n", (long)ssl,
960 (long)buff, (unsigned int)len);
961
962inbytes = SSL_read(ssl, CS buff, len);
963error = SSL_get_error(ssl, inbytes);
964
965if (error == SSL_ERROR_ZERO_RETURN)
966 {
967 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
968 return -1;
969 }
970else if (error != SSL_ERROR_NONE)
971 {
972 return -1;
973 }
974
975return inbytes;
976}
977
978
979
980
981
982/*************************************************
983* Write bytes down TLS channel *
984*************************************************/
985
986/*
987Arguments:
988 buff buffer of data
989 len number of bytes
990
991Returns: the number of bytes after a successful write,
992 -1 after a failed write
993*/
994
995int
996tls_write(const uschar *buff, size_t len)
997{
998int outbytes;
999int error;
1000int left = len;
1001
1002DEBUG(D_tls) debug_printf("tls_do_write(%lx, %d)\n", (long)buff, left);
1003while (left > 0)
1004 {
1005 DEBUG(D_tls) debug_printf("SSL_write(SSL, %lx, %d)\n", (long)buff, left);
1006 outbytes = SSL_write(ssl, CS buff, left);
1007 error = SSL_get_error(ssl, outbytes);
1008 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
1009 switch (error)
1010 {
1011 case SSL_ERROR_SSL:
1012 ERR_error_string(ERR_get_error(), ssl_errstring);
1013 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
1014 return -1;
1015
1016 case SSL_ERROR_NONE:
1017 left -= outbytes;
1018 buff += outbytes;
1019 break;
1020
1021 case SSL_ERROR_ZERO_RETURN:
1022 log_write(0, LOG_MAIN, "SSL channel closed on write");
1023 return -1;
1024
1025 default:
1026 log_write(0, LOG_MAIN, "SSL_write error %d", error);
1027 return -1;
1028 }
1029 }
1030return len;
1031}
1032
1033
1034
1035/*************************************************
1036* Close down a TLS session *
1037*************************************************/
1038
1039/* This is also called from within a delivery subprocess forked from the
1040daemon, to shut down the TLS library, without actually doing a shutdown (which
1041would tamper with the SSL session in the parent process).
1042
1043Arguments: TRUE if SSL_shutdown is to be called
1044Returns: nothing
1045*/
1046
1047void
1048tls_close(BOOL shutdown)
1049{
1050if (tls_active < 0) return; /* TLS was not active */
1051
1052if (shutdown)
1053 {
1054 DEBUG(D_tls) debug_printf("tls_close(): shutting down SSL\n");
1055 SSL_shutdown(ssl);
1056 }
1057
1058SSL_free(ssl);
1059ssl = NULL;
1060
1061tls_active = -1;
1062}
1063
36f12725
NM
1064
1065
1066
1067/*************************************************
1068* Report the library versions. *
1069*************************************************/
1070
1071/* There have historically been some issues with binary compatibility in
1072OpenSSL libraries; if Exim (like many other applications) is built against
1073one version of OpenSSL but the run-time linker picks up another version,
1074it can result in serious failures, including crashing with a SIGSEGV. So
1075report the version found by the compiler and the run-time version.
1076
1077Arguments: a FILE* to print the results to
1078Returns: nothing
1079*/
1080
1081void
1082tls_version_report(FILE *f)
1083{
1084fprintf(f, "OpenSSL compile-time version: %s\n", OPENSSL_VERSION_TEXT);
1085fprintf(f, "OpenSSL runtime version: %s\n", SSLeay_version(SSLEAY_VERSION));
1086}
1087
9e3331ea
TK
1088
1089
1090
1091/*************************************************
1092* Pseudo-random number generation *
1093*************************************************/
1094
1095/* Pseudo-random number generation. The result is not expected to be
1096cryptographically strong but not so weak that someone will shoot themselves
1097in the foot using it as a nonce in input in some email header scheme or
1098whatever weirdness they'll twist this into. The result should handle fork()
1099and avoid repeating sequences. OpenSSL handles that for us.
1100
1101Arguments:
1102 max range maximum
1103Returns a random number in range [0, max-1]
1104*/
1105
1106int
1107pseudo_random_number(int max)
1108{
1109unsigned int r;
1110int i, needed_len;
1111uschar *p;
1112uschar smallbuf[sizeof(r)];
1113
1114if (max <= 1)
1115 return 0;
1116
1117/* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
1118if (!RAND_status())
1119 {
1120 randstuff r;
1121 gettimeofday(&r.tv, NULL);
1122 r.p = getpid();
1123
1124 RAND_seed((uschar *)(&r), sizeof(r));
1125 }
1126/* We're after pseudo-random, not random; if we still don't have enough data
1127in the internal PRNG then our options are limited. We could sleep and hope
1128for entropy to come along (prayer technique) but if the system is so depleted
1129in the first place then something is likely to just keep taking it. Instead,
1130we'll just take whatever little bit of pseudo-random we can still manage to
1131get. */
1132
1133needed_len = sizeof(r);
1134/* Don't take 8 times more entropy than needed if int is 8 octets and we were
1135asked for a number less than 10. */
1136for (r = max, i = 0; r; ++i)
1137 r >>= 1;
1138i = (i + 7) / 8;
1139if (i < needed_len)
1140 needed_len = i;
1141
1142/* We do not care if crypto-strong */
1143(void) RAND_pseudo_bytes(smallbuf, needed_len);
1144r = 0;
1145for (p = smallbuf; needed_len; --needed_len, ++p)
1146 {
1147 r *= 256;
1148 r += *p;
1149 }
1150
1151/* We don't particularly care about weighted results; if someone wants
1152smooth distribution and cares enough then they should submit a patch then. */
1153return r % max;
1154}
1155
77bb000f
PP
1156
1157
1158
1159/*************************************************
1160* OpenSSL option parse *
1161*************************************************/
1162
1163/* Parse one option for tls_openssl_options_parse below
1164
1165Arguments:
1166 name one option name
1167 value place to store a value for it
1168Returns success or failure in parsing
1169*/
1170
1171struct exim_openssl_option {
1172 uschar *name;
1173 long value;
1174};
1175/* We could use a macro to expand, but we need the ifdef and not all the
1176options document which version they were introduced in. Policylet: include
1177all options unless explicitly for DTLS, let the administrator choose which
1178to apply.
1179
1180This list is current as of:
1181 ==> 0.9.8n <== */
1182static struct exim_openssl_option exim_openssl_options[] = {
1183/* KEEP SORTED ALPHABETICALLY! */
1184#ifdef SSL_OP_ALL
73a46702 1185 { US"all", SSL_OP_ALL },
77bb000f
PP
1186#endif
1187#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
73a46702 1188 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
77bb000f
PP
1189#endif
1190#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
73a46702 1191 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
77bb000f
PP
1192#endif
1193#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
73a46702 1194 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
77bb000f
PP
1195#endif
1196#ifdef SSL_OP_EPHEMERAL_RSA
73a46702 1197 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
77bb000f
PP
1198#endif
1199#ifdef SSL_OP_LEGACY_SERVER_CONNECT
73a46702 1200 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
77bb000f
PP
1201#endif
1202#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
73a46702 1203 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
77bb000f
PP
1204#endif
1205#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
73a46702 1206 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
77bb000f
PP
1207#endif
1208#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
73a46702 1209 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
77bb000f
PP
1210#endif
1211#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
73a46702 1212 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
77bb000f
PP
1213#endif
1214#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
73a46702 1215 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
77bb000f
PP
1216#endif
1217#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
73a46702 1218 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
77bb000f
PP
1219#endif
1220#ifdef SSL_OP_SINGLE_DH_USE
73a46702 1221 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
77bb000f
PP
1222#endif
1223#ifdef SSL_OP_SINGLE_ECDH_USE
73a46702 1224 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
77bb000f
PP
1225#endif
1226#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
73a46702 1227 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
77bb000f
PP
1228#endif
1229#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
73a46702 1230 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
77bb000f
PP
1231#endif
1232#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
73a46702 1233 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
77bb000f
PP
1234#endif
1235#ifdef SSL_OP_TLS_D5_BUG
73a46702 1236 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
77bb000f
PP
1237#endif
1238#ifdef SSL_OP_TLS_ROLLBACK_BUG
73a46702 1239 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
77bb000f
PP
1240#endif
1241};
1242static int exim_openssl_options_size =
1243 sizeof(exim_openssl_options)/sizeof(struct exim_openssl_option);
1244
1245static BOOL
1246tls_openssl_one_option_parse(uschar *name, long *value)
1247{
1248int first = 0;
1249int last = exim_openssl_options_size;
1250while (last > first)
1251 {
1252 int middle = (first + last)/2;
1253 int c = Ustrcmp(name, exim_openssl_options[middle].name);
1254 if (c == 0)
1255 {
1256 *value = exim_openssl_options[middle].value;
1257 return TRUE;
1258 }
1259 else if (c > 0)
1260 first = middle + 1;
1261 else
1262 last = middle;
1263 }
1264return FALSE;
1265}
1266
1267
1268
1269
1270/*************************************************
1271* OpenSSL option parsing logic *
1272*************************************************/
1273
1274/* OpenSSL has a number of compatibility options which an administrator might
1275reasonably wish to set. Interpret a list similarly to decode_bits(), so that
1276we look like log_selector.
1277
1278Arguments:
1279 option_spec the administrator-supplied string of options
1280 results ptr to long storage for the options bitmap
1281Returns success or failure
1282*/
1283
1284BOOL
1285tls_openssl_options_parse(uschar *option_spec, long *results)
1286{
1287long result, item;
1288uschar *s, *end;
1289uschar keep_c;
1290BOOL adding, item_parsed;
1291
1292/* We grandfather in as default the one option which we used to set always. */
1293#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
1294result = SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
1295#else
1296result = 0L;
1297#endif
1298
1299if (option_spec == NULL)
1300 {
1301 *results = result;
1302 return TRUE;
1303 }
1304
1305for (s=option_spec; *s != '\0'; /**/)
1306 {
1307 while (isspace(*s)) ++s;
1308 if (*s == '\0')
1309 break;
1310 if (*s != '+' && *s != '-')
1311 {
1312 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
1313 "+ or - expected but found \"%s\"", s);
1314 return FALSE;
1315 }
1316 adding = *s++ == '+';
1317 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
1318 keep_c = *end;
1319 *end = '\0';
1320 item_parsed = tls_openssl_one_option_parse(s, &item);
1321 if (!item_parsed)
1322 {
1323 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"", s);
1324 return FALSE;
1325 }
1326 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
1327 adding ? "adding" : "removing", result, item, s);
1328 if (adding)
1329 result |= item;
1330 else
1331 result &= ~item;
1332 *end = keep_c;
1333 s = end;
1334 }
1335
1336*results = result;
1337return TRUE;
1338}
1339
059ec3d9 1340/* End of tls-openssl.c */