TLS: variables $tls_(in,out)_tlsver
[exim.git] / src / src / tls-openssl.c
CommitLineData
059ec3d9
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
b10c87b3 5/* Copyright (c) University of Cambridge 1995 - 2019 */
059ec3d9
PH
6/* See the file NOTICE for conditions of use and distribution. */
7
f5d78688
JH
8/* Portions Copyright (c) The OpenSSL Project 1999 */
9
059ec3d9
PH
10/* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11library. It is #included into the tls.c file when that library is used. The
12code herein is based on a patch that was originally contributed by Steve
13Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
14
15No cryptographic code is included in Exim. All this module does is to call
16functions from the OpenSSL library. */
17
18
19/* Heading stuff */
20
21#include <openssl/lhash.h>
22#include <openssl/ssl.h>
23#include <openssl/err.h>
24#include <openssl/rand.h>
10ca4f1c
JH
25#ifndef OPENSSL_NO_ECDH
26# include <openssl/ec.h>
27#endif
f2de3a33 28#ifndef DISABLE_OCSP
e51c7be2 29# include <openssl/ocsp.h>
3f7eeb86 30#endif
c0635b6d 31#ifdef SUPPORT_DANE
05e796ad 32# include "danessl.h"
85098ee7
JH
33#endif
34
3f7eeb86 35
f2de3a33
JH
36#ifndef DISABLE_OCSP
37# define EXIM_OCSP_SKEW_SECONDS (300L)
38# define EXIM_OCSP_MAX_AGE (-1L)
3f7eeb86 39#endif
059ec3d9 40
3bcbbbe2 41#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
e51c7be2 42# define EXIM_HAVE_OPENSSL_TLSEXT
3bcbbbe2 43#endif
c8dfb21d
JH
44#if OPENSSL_VERSION_NUMBER >= 0x00908000L
45# define EXIM_HAVE_RSA_GENKEY_EX
46#endif
47#if OPENSSL_VERSION_NUMBER >= 0x10100000L
48# define EXIM_HAVE_OCSP_RESP_COUNT
b038d456 49# define OPENSSL_AUTO_SHA256
c8dfb21d
JH
50#else
51# define EXIM_HAVE_EPHEM_RSA_KEX
52# define EXIM_HAVE_RAND_PSEUDO
53#endif
54#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
8442641e 55# define EXIM_HAVE_SHA256
c8dfb21d 56#endif
34e3241d 57
d7978c0f
JH
58/* X509_check_host provides sane certificate hostname checking, but was added
59to OpenSSL late, after other projects forked off the code-base. So in
60addition to guarding against the base version number, beware that LibreSSL
61does not (at this time) support this function.
62
63If LibreSSL gains a different API, perhaps via libtls, then we'll probably
64opt to disentangle and ask a LibreSSL user to provide glue for a third
65crypto provider for libtls instead of continuing to tie the OpenSSL glue
66into even twistier knots. If LibreSSL gains the same API, we can just
67change this guard and punt the issue for a while longer. */
68
34e3241d
PP
69#ifndef LIBRESSL_VERSION_NUMBER
70# if OPENSSL_VERSION_NUMBER >= 0x010100000L
71# define EXIM_HAVE_OPENSSL_CHECKHOST
8420742d 72# define EXIM_HAVE_OPENSSL_DH_BITS
7a8b9519 73# define EXIM_HAVE_OPENSSL_TLS_METHOD
f20cfa4a 74# define EXIM_HAVE_OPENSSL_KEYLOG
f1be21cf 75# define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
b10c87b3 76# define EXIM_HAVE_SESSION_TICKET
e570d136 77# define EXIM_HAVE_OPESSL_TRACE
012dd02e 78# define EXIM_HAVE_OPESSL_GET0_SERIAL
7434882d
JH
79# else
80# define EXIM_NEED_OPENSSL_INIT
34e3241d
PP
81# endif
82# if OPENSSL_VERSION_NUMBER >= 0x010000000L \
2dfb468b 83 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
34e3241d
PP
84# define EXIM_HAVE_OPENSSL_CHECKHOST
85# endif
11aa88b0 86#endif
10ca4f1c 87
11aa88b0
RA
88#if !defined(LIBRESSL_VERSION_NUMBER) \
89 || LIBRESSL_VERSION_NUMBER >= 0x20010000L
10ca4f1c
JH
90# if !defined(OPENSSL_NO_ECDH)
91# if OPENSSL_VERSION_NUMBER >= 0x0090800fL
8442641e 92# define EXIM_HAVE_ECDH
10ca4f1c
JH
93# endif
94# if OPENSSL_VERSION_NUMBER >= 0x10002000L
10ca4f1c
JH
95# define EXIM_HAVE_OPENSSL_EC_NIST2NID
96# endif
97# endif
2dfb468b 98#endif
3bcbbbe2 99
8a40db1c
JH
100#ifndef LIBRESSL_VERSION_NUMBER
101# if OPENSSL_VERSION_NUMBER >= 0x010101000L
102# define OPENSSL_HAVE_KEYLOG_CB
d7f31bb6 103# define OPENSSL_HAVE_NUM_TICKETS
f1be21cf 104# define EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
8a40db1c
JH
105# endif
106#endif
107
67791ce4
JH
108#if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
109# warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
110# define DISABLE_OCSP
111#endif
43e2db44
JH
112
113#ifdef EXPERIMENTAL_TLS_RESUME
114# if OPENSSL_VERSION_NUMBER < 0x0101010L
115# error OpenSSL version too old for session-resumption
116# endif
117#endif
67791ce4 118
a6510420
JH
119#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
120# include <openssl/x509v3.h>
121#endif
122
f1be21cf
JH
123#ifndef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
124# ifndef EXIM_HAVE_OPENSSL_CIPHER_GET_ID
125# define SSL_CIPHER_get_id(c) (c->id)
126# endif
dca6d121
JH
127# ifndef MACRO_PREDEF
128# include "tls-cipher-stdname.c"
129# endif
f1be21cf
JH
130#endif
131
8442641e
JH
132/*************************************************
133* OpenSSL option parse *
134*************************************************/
135
136typedef struct exim_openssl_option {
137 uschar *name;
138 long value;
139} exim_openssl_option;
140/* We could use a macro to expand, but we need the ifdef and not all the
141options document which version they were introduced in. Policylet: include
142all options unless explicitly for DTLS, let the administrator choose which
143to apply.
144
145This list is current as of:
146 ==> 1.0.1b <==
147Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
148Plus SSL_OP_NO_TLSv1_3 for 1.1.2-dev
149*/
150static exim_openssl_option exim_openssl_options[] = {
151/* KEEP SORTED ALPHABETICALLY! */
152#ifdef SSL_OP_ALL
6d95688d 153 { US"all", (long) SSL_OP_ALL },
8442641e
JH
154#endif
155#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
156 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
157#endif
158#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
159 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
160#endif
161#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
162 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
163#endif
164#ifdef SSL_OP_EPHEMERAL_RSA
165 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
166#endif
167#ifdef SSL_OP_LEGACY_SERVER_CONNECT
168 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
169#endif
170#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
171 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
172#endif
173#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
174 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
175#endif
176#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
177 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
178#endif
179#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
180 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
181#endif
182#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
183 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
184#endif
185#ifdef SSL_OP_NO_COMPRESSION
186 { US"no_compression", SSL_OP_NO_COMPRESSION },
187#endif
188#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
189 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
190#endif
191#ifdef SSL_OP_NO_SSLv2
192 { US"no_sslv2", SSL_OP_NO_SSLv2 },
193#endif
194#ifdef SSL_OP_NO_SSLv3
195 { US"no_sslv3", SSL_OP_NO_SSLv3 },
196#endif
197#ifdef SSL_OP_NO_TICKET
198 { US"no_ticket", SSL_OP_NO_TICKET },
199#endif
200#ifdef SSL_OP_NO_TLSv1
201 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
202#endif
203#ifdef SSL_OP_NO_TLSv1_1
204#if SSL_OP_NO_TLSv1_1 == 0x00000400L
205 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
206#warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
207#else
208 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
209#endif
210#endif
211#ifdef SSL_OP_NO_TLSv1_2
212 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
213#endif
214#ifdef SSL_OP_NO_TLSv1_3
215 { US"no_tlsv1_3", SSL_OP_NO_TLSv1_3 },
216#endif
217#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
218 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
219#endif
220#ifdef SSL_OP_SINGLE_DH_USE
221 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
222#endif
223#ifdef SSL_OP_SINGLE_ECDH_USE
224 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
225#endif
226#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
227 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
228#endif
229#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
230 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
231#endif
232#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
233 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
234#endif
235#ifdef SSL_OP_TLS_D5_BUG
236 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
237#endif
238#ifdef SSL_OP_TLS_ROLLBACK_BUG
239 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
240#endif
241};
242
243#ifndef MACRO_PREDEF
244static int exim_openssl_options_size = nelem(exim_openssl_options);
245#endif
246
247#ifdef MACRO_PREDEF
248void
249options_tls(void)
250{
8442641e
JH
251uschar buf[64];
252
d7978c0f 253for (struct exim_openssl_option * o = exim_openssl_options;
8442641e
JH
254 o < exim_openssl_options + nelem(exim_openssl_options); o++)
255 {
256 /* Trailing X is workaround for problem with _OPT_OPENSSL_NO_TLSV1
257 being a ".ifdef _OPT_OPENSSL_NO_TLSV1_3" match */
258
259 spf(buf, sizeof(buf), US"_OPT_OPENSSL_%T_X", o->name);
260 builtin_macro_create(buf);
261 }
b10c87b3
JH
262
263# ifdef EXPERIMENTAL_TLS_RESUME
264builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
265# endif
e326959e
JH
266# ifdef SSL_OP_NO_TLSv1_3
267builtin_macro_create(US"_HAVE_TLS1_3");
268# endif
8442641e
JH
269}
270#else
271
272/******************************************************************************/
273
059ec3d9
PH
274/* Structure for collecting random data for seeding. */
275
276typedef struct randstuff {
9e3331ea
TK
277 struct timeval tv;
278 pid_t p;
059ec3d9
PH
279} randstuff;
280
281/* Local static variables */
282
a2ff477a
JH
283static BOOL client_verify_callback_called = FALSE;
284static BOOL server_verify_callback_called = FALSE;
059ec3d9
PH
285static const uschar *sid_ctx = US"exim";
286
d4f09789
PP
287/* We have three different contexts to care about.
288
289Simple case: client, `client_ctx`
290 As a client, we can be doing a callout or cut-through delivery while receiving
291 a message. So we have a client context, which should have options initialised
74f1a423
JH
292 from the SMTP Transport. We may also concurrently want to make TLS connections
293 to utility daemons, so client-contexts are allocated and passed around in call
294 args rather than using a gobal.
d4f09789
PP
295
296Server:
297 There are two cases: with and without ServerNameIndication from the client.
298 Given TLS SNI, we can be using different keys, certs and various other
299 configuration settings, because they're re-expanded with $tls_sni set. This
300 allows vhosting with TLS. This SNI is sent in the handshake.
301 A client might not send SNI, so we need a fallback, and an initial setup too.
302 So as a server, we start out using `server_ctx`.
303 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
304 `server_sni` from `server_ctx` and then initialise settings by re-expanding
305 configuration.
306*/
307
74f1a423
JH
308typedef struct {
309 SSL_CTX * ctx;
310 SSL * ssl;
c09dbcfb 311 gstring * corked;
74f1a423
JH
312} exim_openssl_client_tls_ctx;
313
817d9f57 314static SSL_CTX *server_ctx = NULL;
817d9f57 315static SSL *server_ssl = NULL;
389ca47a 316
35731706 317#ifdef EXIM_HAVE_OPENSSL_TLSEXT
817d9f57 318static SSL_CTX *server_sni = NULL;
35731706 319#endif
059ec3d9
PH
320
321static char ssl_errstring[256];
322
dea4b568 323static int ssl_session_timeout = 7200; /* Two hours */
a2ff477a
JH
324static BOOL client_verify_optional = FALSE;
325static BOOL server_verify_optional = FALSE;
059ec3d9 326
f5d78688 327static BOOL reexpand_tls_files_for_sni = FALSE;
059ec3d9
PH
328
329
5b2fd993
JH
330typedef struct ocsp_resp {
331 struct ocsp_resp * next;
332 OCSP_RESPONSE * resp;
333} ocsp_resplist;
334
7be682ca 335typedef struct tls_ext_ctx_cb {
b10c87b3 336 tls_support * tlsp;
7be682ca
PP
337 uschar *certificate;
338 uschar *privatekey;
f5d78688 339 BOOL is_server;
a6510420 340#ifndef DISABLE_OCSP
c3033f13 341 STACK_OF(X509) *verify_stack; /* chain for verifying the proof */
f5d78688
JH
342 union {
343 struct {
344 uschar *file;
5b2fd993
JH
345 const uschar *file_expanded;
346 ocsp_resplist *olist;
f5d78688
JH
347 } server;
348 struct {
44662487
JH
349 X509_STORE *verify_store; /* non-null if status requested */
350 BOOL verify_required;
f5d78688
JH
351 } client;
352 } u_ocsp;
3f7eeb86 353#endif
7be682ca
PP
354 uschar *dhparam;
355 /* these are cached from first expand */
356 uschar *server_cipher_list;
357 /* only passed down to tls_error: */
358 host_item *host;
55414b25 359 const uschar * verify_cert_hostnames;
0cbf2b82 360#ifndef DISABLE_EVENT
a7538db1
JH
361 uschar * event_action;
362#endif
7be682ca
PP
363} tls_ext_ctx_cb;
364
365/* should figure out a cleanup of API to handle state preserved per
366implementation, for various reasons, which can be void * in the APIs.
367For now, we hack around it. */
b10c87b3 368tls_ext_ctx_cb *client_static_cbinfo = NULL; /*XXX should not use static; multiple concurrent clients! */
817d9f57 369tls_ext_ctx_cb *server_static_cbinfo = NULL;
7be682ca
PP
370
371static int
983207c1 372setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
cf0c6164 373 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr );
059ec3d9 374
3f7eeb86 375/* Callbacks */
3bcbbbe2 376#ifdef EXIM_HAVE_OPENSSL_TLSEXT
3f7eeb86 377static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
3bcbbbe2 378#endif
f2de3a33 379#ifndef DISABLE_OCSP
f5d78688 380static int tls_server_stapling_cb(SSL *s, void *arg);
3f7eeb86
PP
381#endif
382
059ec3d9 383
b10c87b3 384
4d93129f 385/* Daemon-called, before every connection, key create/rotate */
b10c87b3
JH
386#ifdef EXPERIMENTAL_TLS_RESUME
387static void tk_init(void);
388static int tls_exdata_idx = -1;
389#endif
390
391void
392tls_daemon_init(void)
393{
394#ifdef EXPERIMENTAL_TLS_RESUME
395tk_init();
396#endif
397return;
398}
399
400
059ec3d9
PH
401/*************************************************
402* Handle TLS error *
403*************************************************/
404
405/* Called from lots of places when errors occur before actually starting to do
406the TLS handshake, that is, while the session is still in clear. Always returns
407DEFER for a server and FAIL for a client so that most calls can use "return
408tls_error(...)" to do this processing and then give an appropriate return. A
409single function is used for both server and client, because it is called from
410some shared functions.
411
412Argument:
413 prefix text to include in the logged error
414 host NULL if setting up a server;
415 the connected host if setting up a client
7199e1ee 416 msg error message or NULL if we should ask OpenSSL
cf0c6164 417 errstr pointer to output error message
059ec3d9
PH
418
419Returns: OK/DEFER/FAIL
420*/
421
422static int
cf0c6164 423tls_error(uschar * prefix, const host_item * host, uschar * msg, uschar ** errstr)
059ec3d9 424{
c562fd30 425if (!msg)
7199e1ee 426 {
0abc5a13 427 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
cf0c6164 428 msg = US ssl_errstring;
7199e1ee
TF
429 }
430
5a2a0989
JH
431msg = string_sprintf("(%s): %s", prefix, msg);
432DEBUG(D_tls) debug_printf("TLS error '%s'\n", msg);
433if (errstr) *errstr = msg;
cf0c6164 434return host ? FAIL : DEFER;
059ec3d9
PH
435}
436
437
438
439/*************************************************
440* Callback to generate RSA key *
441*************************************************/
442
443/*
444Arguments:
3ae79556 445 s SSL connection (not used)
059ec3d9
PH
446 export not used
447 keylength keylength
448
449Returns: pointer to generated key
450*/
451
452static RSA *
453rsa_callback(SSL *s, int export, int keylength)
454{
455RSA *rsa_key;
c8dfb21d
JH
456#ifdef EXIM_HAVE_RSA_GENKEY_EX
457BIGNUM *bn = BN_new();
458#endif
459
059ec3d9
PH
460export = export; /* Shut picky compilers up */
461DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
c8dfb21d
JH
462
463#ifdef EXIM_HAVE_RSA_GENKEY_EX
464if ( !BN_set_word(bn, (unsigned long)RSA_F4)
f2cb6292 465 || !(rsa_key = RSA_new())
c8dfb21d
JH
466 || !RSA_generate_key_ex(rsa_key, keylength, bn, NULL)
467 )
468#else
23bb6982 469if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL)))
c8dfb21d
JH
470#endif
471
059ec3d9 472 {
0abc5a13 473 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
059ec3d9
PH
474 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
475 ssl_errstring);
476 return NULL;
477 }
478return rsa_key;
479}
480
481
482
f5d78688 483/* Extreme debug
f2de3a33 484#ifndef DISABLE_OCSP
f5d78688
JH
485void
486x509_store_dump_cert_s_names(X509_STORE * store)
487{
488STACK_OF(X509_OBJECT) * roots= store->objs;
f5d78688
JH
489static uschar name[256];
490
d7978c0f 491for (int i= 0; i < sk_X509_OBJECT_num(roots); i++)
f5d78688
JH
492 {
493 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
494 if(tmp_obj->type == X509_LU_X509)
495 {
70e384dd
JH
496 X509_NAME * sn = X509_get_subject_name(tmp_obj->data.x509);
497 if (X509_NAME_oneline(sn, CS name, sizeof(name)))
498 {
499 name[sizeof(name)-1] = '\0';
500 debug_printf(" %s\n", name);
501 }
f5d78688
JH
502 }
503 }
504}
505#endif
506*/
507
059ec3d9 508
0cbf2b82 509#ifndef DISABLE_EVENT
f69979cf
JH
510static int
511verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
512 BOOL *calledp, const BOOL *optionalp, const uschar * what)
513{
514uschar * ev;
515uschar * yield;
516X509 * old_cert;
517
518ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
519if (ev)
520 {
aaba7d03 521 DEBUG(D_tls) debug_printf("verify_event: %s %d\n", what, depth);
f69979cf
JH
522 old_cert = tlsp->peercert;
523 tlsp->peercert = X509_dup(cert);
524 /* NB we do not bother setting peerdn */
525 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
526 {
527 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
528 "depth=%d cert=%s: %s",
529 tlsp == &tls_out ? deliver_host_address : sender_host_address,
530 what, depth, dn, yield);
531 *calledp = TRUE;
532 if (!*optionalp)
533 {
534 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
535 return 1; /* reject (leaving peercert set) */
536 }
537 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
538 "(host in tls_try_verify_hosts)\n");
4a1bd6b9 539 tlsp->verify_override = TRUE;
f69979cf
JH
540 }
541 X509_free(tlsp->peercert);
542 tlsp->peercert = old_cert;
543 }
544return 0;
545}
546#endif
547
059ec3d9
PH
548/*************************************************
549* Callback for verification *
550*************************************************/
551
552/* The SSL library does certificate verification if set up to do so. This
553callback has the current yes/no state is in "state". If verification succeeded,
f69979cf
JH
554we set the certificate-verified flag. If verification failed, what happens
555depends on whether the client is required to present a verifiable certificate
556or not.
059ec3d9
PH
557
558If verification is optional, we change the state to yes, but still log the
559verification error. For some reason (it really would help to have proper
560documentation of OpenSSL), this callback function then gets called again, this
f69979cf
JH
561time with state = 1. We must take care not to set the private verified flag on
562the second time through.
059ec3d9
PH
563
564Note: this function is not called if the client fails to present a certificate
565when asked. We get here only if a certificate has been received. Handling of
566optional verification for this case is done when requesting SSL to verify, by
567setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
568
a7538db1
JH
569May be called multiple times for different issues with a certificate, even
570for a given "depth" in the certificate chain.
571
059ec3d9 572Arguments:
f2f2c91b
JH
573 preverify_ok current yes/no state as 1/0
574 x509ctx certificate information.
575 tlsp per-direction (client vs. server) support data
576 calledp has-been-called flag
577 optionalp verification-is-optional flag
059ec3d9 578
f2f2c91b 579Returns: 0 if verification should fail, otherwise 1
059ec3d9
PH
580*/
581
582static int
70e384dd
JH
583verify_callback(int preverify_ok, X509_STORE_CTX * x509ctx,
584 tls_support * tlsp, BOOL * calledp, BOOL * optionalp)
059ec3d9 585{
421aff85 586X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
a7538db1 587int depth = X509_STORE_CTX_get_error_depth(x509ctx);
f69979cf 588uschar dn[256];
059ec3d9 589
70e384dd
JH
590if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
591 {
592 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
593 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
594 tlsp == &tls_out ? deliver_host_address : sender_host_address);
595 return 0;
596 }
f69979cf 597dn[sizeof(dn)-1] = '\0';
059ec3d9 598
f4e62a87 599tlsp->verify_override = FALSE;
f2f2c91b 600if (preverify_ok == 0)
059ec3d9 601 {
f77197ae
JH
602 uschar * extra = verify_mode ? string_sprintf(" (during %c-verify for [%s])",
603 *verify_mode, sender_host_address)
604 : US"";
605 log_write(0, LOG_MAIN, "[%s] SSL verify error%s: depth=%d error=%s cert=%s",
606 tlsp == &tls_out ? deliver_host_address : sender_host_address,
607 extra, depth,
608 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)), dn);
a2ff477a 609 *calledp = TRUE;
9d1c15ef
JH
610 if (!*optionalp)
611 {
f69979cf
JH
612 if (!tlsp->peercert)
613 tlsp->peercert = X509_dup(cert); /* record failing cert */
614 return 0; /* reject */
9d1c15ef 615 }
059ec3d9
PH
616 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
617 "tls_try_verify_hosts)\n");
4a1bd6b9 618 tlsp->verify_override = TRUE;
059ec3d9
PH
619 }
620
a7538db1 621else if (depth != 0)
059ec3d9 622 {
f69979cf 623 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
f2de3a33 624#ifndef DISABLE_OCSP
f5d78688
JH
625 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
626 { /* client, wanting stapling */
627 /* Add the server cert's signing chain as the one
628 for the verification of the OCSP stapled information. */
94431adb 629
f5d78688 630 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
421aff85 631 cert))
f5d78688 632 ERR_clear_error();
c3033f13 633 sk_X509_push(client_static_cbinfo->verify_stack, cert);
f5d78688
JH
634 }
635#endif
0cbf2b82 636#ifndef DISABLE_EVENT
f69979cf
JH
637 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
638 return 0; /* reject, with peercert set */
a7538db1 639#endif
059ec3d9
PH
640 }
641else
642 {
55414b25 643 const uschar * verify_cert_hostnames;
e51c7be2 644
e51c7be2
JH
645 if ( tlsp == &tls_out
646 && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
afdb5e9c 647 /* client, wanting hostname check */
e51c7be2 648 {
f69979cf 649
740f36d4 650#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
f69979cf
JH
651# ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
652# define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
653# endif
654# ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
655# define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
656# endif
e51c7be2 657 int sep = 0;
55414b25 658 const uschar * list = verify_cert_hostnames;
e51c7be2 659 uschar * name;
d8e7834a
JH
660 int rc;
661 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
f40d5be3 662 if ((rc = X509_check_host(cert, CCS name, 0,
8d692470 663 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
740f36d4
JH
664 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
665 NULL)))
d8e7834a
JH
666 {
667 if (rc < 0)
668 {
93a6fce2 669 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
f77197ae 670 tlsp == &tls_out ? deliver_host_address : sender_host_address);
d8e7834a
JH
671 name = NULL;
672 }
e51c7be2 673 break;
d8e7834a 674 }
e51c7be2 675 if (!name)
f69979cf 676#else
e51c7be2 677 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
f69979cf 678#endif
e51c7be2 679 {
f77197ae
JH
680 uschar * extra = verify_mode
681 ? string_sprintf(" (during %c-verify for [%s])",
682 *verify_mode, sender_host_address)
683 : US"";
e51c7be2 684 log_write(0, LOG_MAIN,
f77197ae
JH
685 "[%s] SSL verify error%s: certificate name mismatch: DN=\"%s\" H=\"%s\"",
686 tlsp == &tls_out ? deliver_host_address : sender_host_address,
687 extra, dn, verify_cert_hostnames);
a3ef7310
JH
688 *calledp = TRUE;
689 if (!*optionalp)
f69979cf
JH
690 {
691 if (!tlsp->peercert)
692 tlsp->peercert = X509_dup(cert); /* record failing cert */
693 return 0; /* reject */
694 }
4a1bd6b9 695 DEBUG(D_tls) debug_printf("SSL verify name failure overridden (host in "
a3ef7310 696 "tls_try_verify_hosts)\n");
4a1bd6b9 697 tlsp->verify_override = TRUE;
e51c7be2 698 }
f69979cf 699 }
e51c7be2 700
0cbf2b82 701#ifndef DISABLE_EVENT
f69979cf
JH
702 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
703 return 0; /* reject, with peercert set */
e51c7be2
JH
704#endif
705
93dcb1c2 706 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
f69979cf 707 *calledp ? "" : " authenticated", dn);
93dcb1c2 708 *calledp = TRUE;
059ec3d9
PH
709 }
710
a7538db1 711return 1; /* accept, at least for this level */
059ec3d9
PH
712}
713
a2ff477a 714static int
f2f2c91b 715verify_callback_client(int preverify_ok, X509_STORE_CTX *x509ctx)
a2ff477a 716{
f2f2c91b
JH
717return verify_callback(preverify_ok, x509ctx, &tls_out,
718 &client_verify_callback_called, &client_verify_optional);
a2ff477a
JH
719}
720
721static int
f2f2c91b 722verify_callback_server(int preverify_ok, X509_STORE_CTX *x509ctx)
a2ff477a 723{
f2f2c91b
JH
724return verify_callback(preverify_ok, x509ctx, &tls_in,
725 &server_verify_callback_called, &server_verify_optional);
a2ff477a
JH
726}
727
059ec3d9 728
c0635b6d 729#ifdef SUPPORT_DANE
53a7196b 730
e5cccda9
JH
731/* This gets called *by* the dane library verify callback, which interposes
732itself.
733*/
734static int
f2f2c91b 735verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
e5cccda9
JH
736{
737X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
f69979cf 738uschar dn[256];
83b27293 739int depth = X509_STORE_CTX_get_error_depth(x509ctx);
5c75db2e 740#ifndef DISABLE_EVENT
f69979cf 741BOOL dummy_called, optional = FALSE;
83b27293 742#endif
e5cccda9 743
70e384dd
JH
744if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
745 {
746 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
747 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
748 deliver_host_address);
749 return 0;
750 }
f69979cf 751dn[sizeof(dn)-1] = '\0';
e5cccda9 752
f2f2c91b
JH
753DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
754 preverify_ok ? "ok":"BAD", depth, dn);
e5cccda9 755
0cbf2b82 756#ifndef DISABLE_EVENT
f69979cf
JH
757 if (verify_event(&tls_out, cert, depth, dn,
758 &dummy_called, &optional, US"DANE"))
759 return 0; /* reject, with peercert set */
83b27293
JH
760#endif
761
f2f2c91b 762if (preverify_ok == 1)
6fbf3599 763 {
4a1bd6b9 764 tls_out.dane_verified = TRUE;
6fbf3599
JH
765#ifndef DISABLE_OCSP
766 if (client_static_cbinfo->u_ocsp.client.verify_store)
767 { /* client, wanting stapling */
768 /* Add the server cert's signing chain as the one
769 for the verification of the OCSP stapled information. */
770
771 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
772 cert))
773 ERR_clear_error();
774 sk_X509_push(client_static_cbinfo->verify_stack, cert);
775 }
776#endif
777 }
f2f2c91b
JH
778else
779 {
780 int err = X509_STORE_CTX_get_error(x509ctx);
781 DEBUG(D_tls)
782 debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
3c51463e 783 if (err == X509_V_ERR_APPLICATION_VERIFICATION)
f2f2c91b
JH
784 preverify_ok = 1;
785 }
786return preverify_ok;
e5cccda9 787}
53a7196b 788
c0635b6d 789#endif /*SUPPORT_DANE*/
e5cccda9 790
059ec3d9
PH
791
792/*************************************************
793* Information callback *
794*************************************************/
795
796/* The SSL library functions call this from time to time to indicate what they
7be682ca
PP
797are doing. We copy the string to the debugging output when TLS debugging has
798been requested.
059ec3d9
PH
799
800Arguments:
801 s the SSL connection
802 where
803 ret
804
805Returns: nothing
806*/
807
808static void
809info_callback(SSL *s, int where, int ret)
810{
0abc5a13
JH
811DEBUG(D_tls)
812 {
813 const uschar * str;
814
815 if (where & SSL_ST_CONNECT)
48224640 816 str = US"SSL_connect";
0abc5a13 817 else if (where & SSL_ST_ACCEPT)
48224640 818 str = US"SSL_accept";
0abc5a13 819 else
48224640 820 str = US"SSL info (undefined)";
0abc5a13
JH
821
822 if (where & SSL_CB_LOOP)
823 debug_printf("%s: %s\n", str, SSL_state_string_long(s));
824 else if (where & SSL_CB_ALERT)
825 debug_printf("SSL3 alert %s:%s:%s\n",
48224640 826 str = where & SSL_CB_READ ? US"read" : US"write",
0abc5a13
JH
827 SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
828 else if (where & SSL_CB_EXIT)
829 if (ret == 0)
830 debug_printf("%s: failed in %s\n", str, SSL_state_string_long(s));
831 else if (ret < 0)
832 debug_printf("%s: error in %s\n", str, SSL_state_string_long(s));
833 else if (where & SSL_CB_HANDSHAKE_START)
834 debug_printf("%s: hshake start: %s\n", str, SSL_state_string_long(s));
835 else if (where & SSL_CB_HANDSHAKE_DONE)
836 debug_printf("%s: hshake done: %s\n", str, SSL_state_string_long(s));
837 }
059ec3d9
PH
838}
839
8238bc7b 840#ifdef OPENSSL_HAVE_KEYLOG_CB
8a40db1c
JH
841static void
842keylog_callback(const SSL *ssl, const char *line)
843{
844DEBUG(D_tls) debug_printf("%.200s\n", line);
845}
8238bc7b 846#endif
8a40db1c 847
059ec3d9 848
b10c87b3
JH
849#ifdef EXPERIMENTAL_TLS_RESUME
850/* Manage the keysets used for encrypting the session tickets, on the server. */
851
852typedef struct { /* Session ticket encryption key */
853 uschar name[16];
854
855 const EVP_CIPHER * aes_cipher;
4d93129f 856 uschar aes_key[32]; /* size needed depends on cipher. aes_128 implies 128/8 = 16? */
b10c87b3
JH
857 const EVP_MD * hmac_hash;
858 uschar hmac_key[16];
859 time_t renew;
860 time_t expire;
861} exim_stek;
862
4d93129f
JH
863static exim_stek exim_tk; /* current key */
864static exim_stek exim_tk_old; /* previous key */
b10c87b3
JH
865
866static void
867tk_init(void)
868{
4d93129f
JH
869time_t t = time(NULL);
870
b10c87b3
JH
871if (exim_tk.name[0])
872 {
4d93129f 873 if (exim_tk.renew >= t) return;
b10c87b3
JH
874 exim_tk_old = exim_tk;
875 }
876
877if (f.running_in_test_harness) ssl_session_timeout = 6;
878
879DEBUG(D_tls) debug_printf("OpenSSL: %s STEK\n", exim_tk.name[0] ? "rotating" : "creating");
880if (RAND_bytes(exim_tk.aes_key, sizeof(exim_tk.aes_key)) <= 0) return;
881if (RAND_bytes(exim_tk.hmac_key, sizeof(exim_tk.hmac_key)) <= 0) return;
882if (RAND_bytes(exim_tk.name+1, sizeof(exim_tk.name)-1) <= 0) return;
883
884exim_tk.name[0] = 'E';
4d93129f 885exim_tk.aes_cipher = EVP_aes_256_cbc();
b10c87b3 886exim_tk.hmac_hash = EVP_sha256();
4d93129f
JH
887exim_tk.expire = t + ssl_session_timeout;
888exim_tk.renew = t + ssl_session_timeout/2;
b10c87b3
JH
889}
890
891static exim_stek *
892tk_current(void)
893{
894if (!exim_tk.name[0]) return NULL;
895return &exim_tk;
896}
897
898static exim_stek *
899tk_find(const uschar * name)
900{
901return memcmp(name, exim_tk.name, sizeof(exim_tk.name)) == 0 ? &exim_tk
902 : memcmp(name, exim_tk_old.name, sizeof(exim_tk_old.name)) == 0 ? &exim_tk_old
903 : NULL;
904}
905
906/* Callback for session tickets, on server */
907static int
908ticket_key_callback(SSL * ssl, uschar key_name[16],
909 uschar * iv, EVP_CIPHER_CTX * ctx, HMAC_CTX * hctx, int enc)
910{
911tls_support * tlsp = server_static_cbinfo->tlsp;
912exim_stek * key;
913
914if (enc)
915 {
916 DEBUG(D_tls) debug_printf("ticket_key_callback: create new session\n");
917 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
918
919 if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) <= 0)
920 return -1; /* insufficient random */
921
922 if (!(key = tk_current())) /* current key doesn't exist or isn't valid */
923 return 0; /* key couldn't be created */
924 memcpy(key_name, key->name, 16);
d70fc283 925 DEBUG(D_tls) debug_printf("STEK expire " TIME_T_FMT "\n", key->expire - time(NULL));
b10c87b3
JH
926
927 /*XXX will want these dependent on the ssl session strength */
928 HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
929 key->hmac_hash, NULL);
930 EVP_EncryptInit_ex(ctx, key->aes_cipher, NULL, key->aes_key, iv);
931
932 DEBUG(D_tls) debug_printf("ticket created\n");
933 return 1;
934 }
935else
936 {
937 time_t now = time(NULL);
938
939 DEBUG(D_tls) debug_printf("ticket_key_callback: retrieve session\n");
940 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
941
942 if (!(key = tk_find(key_name)) || key->expire < now)
943 {
944 DEBUG(D_tls)
945 {
946 debug_printf("ticket not usable (%s)\n", key ? "expired" : "not found");
d70fc283 947 if (key) debug_printf("STEK expire " TIME_T_FMT "\n", key->expire - now);
b10c87b3
JH
948 }
949 return 0;
950 }
951
952 HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
953 key->hmac_hash, NULL);
954 EVP_DecryptInit_ex(ctx, key->aes_cipher, NULL, key->aes_key, iv);
955
d70fc283 956 DEBUG(D_tls) debug_printf("ticket usable, STEK expire " TIME_T_FMT "\n", key->expire - now);
dea4b568
JH
957
958 /* The ticket lifetime and renewal are the same as the STEK lifetime and
959 renewal, which is overenthusiastic. A factor of, say, 3x longer STEK would
960 be better. To do that we'd have to encode ticket lifetime in the name as
961 we don't yet see the restored session. Could check posthandshake for TLS1.3
962 and trigger a new ticket then, but cannot do that for TLS1.2 */
b10c87b3
JH
963 return key->renew < now ? 2 : 1;
964 }
965}
966#endif
967
968
059ec3d9
PH
969
970/*************************************************
971* Initialize for DH *
972*************************************************/
973
974/* If dhparam is set, expand it, and load up the parameters for DH encryption.
975
976Arguments:
038597d2 977 sctx The current SSL CTX (inbound or outbound)
a799883d 978 dhparam DH parameter file or fixed parameter identity string
7199e1ee 979 host connected host, if client; NULL if server
cf0c6164 980 errstr error string pointer
059ec3d9
PH
981
982Returns: TRUE if OK (nothing to set up, or setup worked)
983*/
984
985static BOOL
cf0c6164 986init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host, uschar ** errstr)
059ec3d9 987{
059ec3d9
PH
988BIO *bio;
989DH *dh;
990uschar *dhexpanded;
a799883d 991const char *pem;
6600985a 992int dh_bitsize;
059ec3d9 993
cf0c6164 994if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded, errstr))
059ec3d9
PH
995 return FALSE;
996
0df4ab80 997if (!dhexpanded || !*dhexpanded)
a799883d 998 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
a799883d 999else if (dhexpanded[0] == '/')
059ec3d9 1000 {
0df4ab80 1001 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
059ec3d9 1002 {
7199e1ee 1003 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
cf0c6164 1004 host, US strerror(errno), errstr);
a799883d 1005 return FALSE;
059ec3d9 1006 }
a799883d
PP
1007 }
1008else
1009 {
1010 if (Ustrcmp(dhexpanded, "none") == 0)
059ec3d9 1011 {
a799883d
PP
1012 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
1013 return TRUE;
059ec3d9 1014 }
a799883d 1015
0df4ab80 1016 if (!(pem = std_dh_prime_named(dhexpanded)))
a799883d
PP
1017 {
1018 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
cf0c6164 1019 host, US strerror(errno), errstr);
a799883d
PP
1020 return FALSE;
1021 }
1022 bio = BIO_new_mem_buf(CS pem, -1);
1023 }
1024
0df4ab80 1025if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
a799883d 1026 {
059ec3d9 1027 BIO_free(bio);
a799883d 1028 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
cf0c6164 1029 host, NULL, errstr);
a799883d
PP
1030 return FALSE;
1031 }
1032
6600985a
PP
1033/* note: our default limit of 2236 is not a multiple of 8; the limit comes from
1034 * an NSS limit, and the GnuTLS APIs handle bit-sizes fine, so we went with
1035 * 2236. But older OpenSSL can only report in bytes (octets), not bits.
1036 * If someone wants to dance at the edge, then they can raise the limit or use
1037 * current libraries. */
1038#ifdef EXIM_HAVE_OPENSSL_DH_BITS
1039/* Added in commit 26c79d5641d; `git describe --contains` says OpenSSL_1_1_0-pre1~1022
1040 * This predates OpenSSL_1_1_0 (before a, b, ...) so is in all 1.1.0 */
1041dh_bitsize = DH_bits(dh);
1042#else
1043dh_bitsize = 8 * DH_size(dh);
1044#endif
1045
a799883d
PP
1046/* Even if it is larger, we silently return success rather than cause things
1047 * to fail out, so that a too-large DH will not knock out all TLS; it's a
1048 * debatable choice. */
6600985a 1049if (dh_bitsize > tls_dh_max_bits)
a799883d
PP
1050 {
1051 DEBUG(D_tls)
170f4904 1052 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d\n",
6600985a 1053 dh_bitsize, tls_dh_max_bits);
a799883d
PP
1054 }
1055else
1056 {
1057 SSL_CTX_set_tmp_dh(sctx, dh);
1058 DEBUG(D_tls)
1059 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
6600985a 1060 dhexpanded ? dhexpanded : US"default", dh_bitsize);
059ec3d9
PH
1061 }
1062
a799883d
PP
1063DH_free(dh);
1064BIO_free(bio);
1065
1066return TRUE;
059ec3d9
PH
1067}
1068
1069
1070
1071
038597d2
PP
1072/*************************************************
1073* Initialize for ECDH *
1074*************************************************/
1075
1076/* Load parameters for ECDH encryption.
1077
1078For now, we stick to NIST P-256 because: it's simple and easy to configure;
1079it avoids any patent issues that might bite redistributors; despite events in
1080the news and concerns over curve choices, we're not cryptographers, we're not
1081pretending to be, and this is "good enough" to be better than no support,
1082protecting against most adversaries. Given another year or two, there might
1083be sufficient clarity about a "right" way forward to let us make an informed
1084decision, instead of a knee-jerk reaction.
1085
1086Longer-term, we should look at supporting both various named curves and
1087external files generated with "openssl ecparam", much as we do for init_dh().
1088We should also support "none" as a value, to explicitly avoid initialisation.
1089
1090Patches welcome.
1091
1092Arguments:
1093 sctx The current SSL CTX (inbound or outbound)
1094 host connected host, if client; NULL if server
cf0c6164 1095 errstr error string pointer
038597d2
PP
1096
1097Returns: TRUE if OK (nothing to set up, or setup worked)
1098*/
1099
1100static BOOL
cf0c6164 1101init_ecdh(SSL_CTX * sctx, host_item * host, uschar ** errstr)
038597d2 1102{
63f0dbe0
JH
1103#ifdef OPENSSL_NO_ECDH
1104return TRUE;
1105#else
1106
10ca4f1c
JH
1107EC_KEY * ecdh;
1108uschar * exp_curve;
1109int nid;
1110BOOL rv;
1111
038597d2
PP
1112if (host) /* No ECDH setup for clients, only for servers */
1113 return TRUE;
1114
10ca4f1c 1115# ifndef EXIM_HAVE_ECDH
038597d2
PP
1116DEBUG(D_tls)
1117 debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
1118return TRUE;
038597d2 1119# else
10ca4f1c 1120
cf0c6164 1121if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr))
10ca4f1c
JH
1122 return FALSE;
1123if (!exp_curve || !*exp_curve)
1124 return TRUE;
1125
8e53a4fc 1126/* "auto" needs to be handled carefully.
4c04137d 1127 * OpenSSL < 1.0.2: we do not select anything, but fallback to prime256v1
8e53a4fc 1128 * OpenSSL < 1.1.0: we have to call SSL_CTX_set_ecdh_auto
4c04137d 1129 * (openssl/ssl.h defines SSL_CTRL_SET_ECDH_AUTO)
8e53a4fc
HSHR
1130 * OpenSSL >= 1.1.0: we do not set anything, the libray does autoselection
1131 * https://github.com/openssl/openssl/commit/fe6ef2472db933f01b59cad82aa925736935984b
1132 */
10ca4f1c 1133if (Ustrcmp(exp_curve, "auto") == 0)
038597d2 1134 {
8e53a4fc 1135#if OPENSSL_VERSION_NUMBER < 0x10002000L
10ca4f1c 1136 DEBUG(D_tls) debug_printf(
8e53a4fc 1137 "ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n");
78a3bbd5 1138 exp_curve = US"prime256v1";
8e53a4fc
HSHR
1139#else
1140# if defined SSL_CTRL_SET_ECDH_AUTO
1141 DEBUG(D_tls) debug_printf(
1142 "ECDH OpenSSL 1.0.2+ temp key parameter settings: autoselection\n");
10ca4f1c
JH
1143 SSL_CTX_set_ecdh_auto(sctx, 1);
1144 return TRUE;
8e53a4fc
HSHR
1145# else
1146 DEBUG(D_tls) debug_printf(
1147 "ECDH OpenSSL 1.1.0+ temp key parameter settings: default selection\n");
1148 return TRUE;
1149# endif
1150#endif
10ca4f1c 1151 }
038597d2 1152
10ca4f1c
JH
1153DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve);
1154if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef
1155# ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
1156 && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef
1157# endif
1158 )
1159 {
cf0c6164
JH
1160 tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve),
1161 host, NULL, errstr);
10ca4f1c
JH
1162 return FALSE;
1163 }
038597d2 1164
10ca4f1c
JH
1165if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
1166 {
cf0c6164 1167 tls_error(US"Unable to create ec curve", host, NULL, errstr);
10ca4f1c 1168 return FALSE;
038597d2 1169 }
10ca4f1c
JH
1170
1171/* The "tmp" in the name here refers to setting a temporary key
1172not to the stability of the interface. */
1173
1174if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
cf0c6164 1175 tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL, errstr);
10ca4f1c
JH
1176else
1177 DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
1178
1179EC_KEY_free(ecdh);
1180return !rv;
1181
1182# endif /*EXIM_HAVE_ECDH*/
1183#endif /*OPENSSL_NO_ECDH*/
038597d2
PP
1184}
1185
1186
1187
1188
f2de3a33 1189#ifndef DISABLE_OCSP
3f7eeb86
PP
1190/*************************************************
1191* Load OCSP information into state *
1192*************************************************/
f5d78688 1193/* Called to load the server OCSP response from the given file into memory, once
3f7eeb86
PP
1194caller has determined this is needed. Checks validity. Debugs a message
1195if invalid.
1196
1197ASSUMES: single response, for single cert.
1198
1199Arguments:
1200 sctx the SSL_CTX* to update
1201 cbinfo various parts of session state
5b2fd993 1202 filename the filename putatively holding an OCSP response
3f7eeb86
PP
1203
1204*/
1205
1206static void
5b2fd993
JH
1207ocsp_load_response(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo,
1208 const uschar * filename)
3f7eeb86 1209{
ee5b1e28
JH
1210BIO * bio;
1211OCSP_RESPONSE * resp;
1212OCSP_BASICRESP * basic_response;
1213OCSP_SINGLERESP * single_response;
1214ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
ee5b1e28 1215STACK_OF(X509) * sk;
3f7eeb86
PP
1216unsigned long verify_flags;
1217int status, reason, i;
1218
5b2fd993 1219DEBUG(D_tls) debug_printf("tls_ocsp_file '%s'\n", filename);
3f7eeb86 1220
5b2fd993 1221if (!(bio = BIO_new_file(CS filename, "rb")))
3f7eeb86
PP
1222 {
1223 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
5b2fd993 1224 filename);
3f7eeb86
PP
1225 return;
1226 }
1227
1228resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
1229BIO_free(bio);
1230if (!resp)
1231 {
1232 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
1233 return;
1234 }
1235
ee5b1e28 1236if ((status = OCSP_response_status(resp)) != OCSP_RESPONSE_STATUS_SUCCESSFUL)
3f7eeb86
PP
1237 {
1238 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
1239 OCSP_response_status_str(status), status);
f5d78688 1240 goto bad;
3f7eeb86
PP
1241 }
1242
5b2fd993
JH
1243#ifdef notdef
1244 {
1245 BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
1246 OCSP_RESPONSE_print(bp, resp, 0); /* extreme debug: stapling content */
1247 BIO_free(bp);
1248 }
1249#endif
1250
ee5b1e28 1251if (!(basic_response = OCSP_response_get1_basic(resp)))
3f7eeb86
PP
1252 {
1253 DEBUG(D_tls)
1254 debug_printf("OCSP response parse error: unable to extract basic response.\n");
f5d78688 1255 goto bad;
3f7eeb86
PP
1256 }
1257
c3033f13 1258sk = cbinfo->verify_stack;
3f7eeb86
PP
1259verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
1260
1261/* May need to expose ability to adjust those flags?
1262OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
1263OCSP_TRUSTOTHER OCSP_NOINTERN */
1264
4c04137d 1265/* This does a full verify on the OCSP proof before we load it for serving
ee5b1e28
JH
1266up; possibly overkill - just date-checks might be nice enough.
1267
1268OCSP_basic_verify takes a "store" arg, but does not
1269use it for the chain verification, which is all we do
1270when OCSP_NOVERIFY is set. The content from the wire
1271"basic_response" and a cert-stack "sk" are all that is used.
1272
c3033f13
JH
1273We have a stack, loaded in setup_certs() if tls_verify_certificates
1274was a file (not a directory, or "system"). It is unfortunate we
1275cannot used the connection context store, as that would neatly
1276handle the "system" case too, but there seems to be no library
1277function for getting a stack from a store.
e3555426 1278[ In OpenSSL 1.1 - ? X509_STORE_CTX_get0_chain(ctx) ? ]
c3033f13
JH
1279We do not free the stack since it could be needed a second time for
1280SNI handling.
1281
4c04137d 1282Separately we might try to replace using OCSP_basic_verify() - which seems to not
5ec37a55 1283be a public interface into the OpenSSL library (there's no manual entry) -
ee5b1e28 1284But what with? We also use OCSP_basic_verify in the client stapling callback.
4c04137d 1285And there we NEED it; we must verify that status... unless the
ee5b1e28
JH
1286library does it for us anyway? */
1287
1288if ((i = OCSP_basic_verify(basic_response, sk, NULL, verify_flags)) < 0)
3f7eeb86 1289 {
ee5b1e28
JH
1290 DEBUG(D_tls)
1291 {
0abc5a13 1292 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3f7eeb86 1293 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
f5d78688
JH
1294 }
1295 goto bad;
3f7eeb86
PP
1296 }
1297
1298/* Here's the simplifying assumption: there's only one response, for the
1299one certificate we use, and nothing for anything else in a chain. If this
1300proves false, we need to extract a cert id from our issued cert
1301(tls_certificate) and use that for OCSP_resp_find_status() (which finds the
1302right cert in the stack and then calls OCSP_single_get0_status()).
1303
5b2fd993
JH
1304I'm hoping to avoid reworking a bunch more of how we handle state here.
1305
1306XXX that will change when we add support for (TLS1.3) whole-chain stapling
1307*/
ee5b1e28
JH
1308
1309if (!(single_response = OCSP_resp_get0(basic_response, 0)))
3f7eeb86
PP
1310 {
1311 DEBUG(D_tls)
1312 debug_printf("Unable to get first response from OCSP basic response.\n");
f5d78688 1313 goto bad;
3f7eeb86
PP
1314 }
1315
1316status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
f5d78688 1317if (status != V_OCSP_CERTSTATUS_GOOD)
3f7eeb86 1318 {
f5d78688
JH
1319 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
1320 OCSP_cert_status_str(status), status,
1321 OCSP_crl_reason_str(reason), reason);
1322 goto bad;
3f7eeb86
PP
1323 }
1324
1325if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1326 {
1327 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
f5d78688 1328 goto bad;
3f7eeb86
PP
1329 }
1330
f5d78688 1331supply_response:
5b2fd993
JH
1332 /* Add the resp to the list used by tls_server_stapling_cb() */
1333 {
1334 ocsp_resplist ** op = &cbinfo->u_ocsp.server.olist, * oentry;
1335 while (oentry = *op)
1336 op = &oentry->next;
1337 *op = oentry = store_get(sizeof(ocsp_resplist), FALSE);
1338 oentry->next = NULL;
1339 oentry->resp = resp;
1340 }
f5d78688
JH
1341return;
1342
1343bad:
8768d548 1344 if (f.running_in_test_harness)
018058b2
JH
1345 {
1346 extern char ** environ;
d7978c0f 1347 if (environ) for (uschar ** p = USS environ; *p; p++)
018058b2
JH
1348 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
1349 {
1350 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
1351 goto supply_response;
1352 }
1353 }
f5d78688 1354return;
3f7eeb86 1355}
5b2fd993
JH
1356
1357
1358static void
1359ocsp_free_response_list(tls_ext_ctx_cb * cbinfo)
1360{
1361for (ocsp_resplist * olist = cbinfo->u_ocsp.server.olist; olist;
1362 olist = olist->next)
1363 OCSP_RESPONSE_free(olist->resp);
1364cbinfo->u_ocsp.server.olist = NULL;
1365}
f2de3a33 1366#endif /*!DISABLE_OCSP*/
3f7eeb86
PP
1367
1368
1369
1370
23bb6982
JH
1371/* Create and install a selfsigned certificate, for use in server mode */
1372
1373static int
cf0c6164 1374tls_install_selfsign(SSL_CTX * sctx, uschar ** errstr)
23bb6982
JH
1375{
1376X509 * x509 = NULL;
1377EVP_PKEY * pkey;
1378RSA * rsa;
1379X509_NAME * name;
1380uschar * where;
1381
1382where = US"allocating pkey";
1383if (!(pkey = EVP_PKEY_new()))
1384 goto err;
1385
1386where = US"allocating cert";
1387if (!(x509 = X509_new()))
1388 goto err;
1389
1390where = US"generating pkey";
6aac3239 1391if (!(rsa = rsa_callback(NULL, 0, 2048)))
23bb6982
JH
1392 goto err;
1393
4c04137d 1394where = US"assigning pkey";
23bb6982
JH
1395if (!EVP_PKEY_assign_RSA(pkey, rsa))
1396 goto err;
1397
1398X509_set_version(x509, 2); /* N+1 - version 3 */
1613fd68 1399ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
23bb6982
JH
1400X509_gmtime_adj(X509_get_notBefore(x509), 0);
1401X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60); /* 1 hour */
1402X509_set_pubkey(x509, pkey);
1403
1404name = X509_get_subject_name(x509);
1405X509_NAME_add_entry_by_txt(name, "C",
4dc2379a 1406 MBSTRING_ASC, CUS "UK", -1, -1, 0);
23bb6982 1407X509_NAME_add_entry_by_txt(name, "O",
4dc2379a 1408 MBSTRING_ASC, CUS "Exim Developers", -1, -1, 0);
23bb6982 1409X509_NAME_add_entry_by_txt(name, "CN",
4dc2379a 1410 MBSTRING_ASC, CUS smtp_active_hostname, -1, -1, 0);
23bb6982
JH
1411X509_set_issuer_name(x509, name);
1412
1413where = US"signing cert";
1414if (!X509_sign(x509, pkey, EVP_md5()))
1415 goto err;
1416
1417where = US"installing selfsign cert";
1418if (!SSL_CTX_use_certificate(sctx, x509))
1419 goto err;
1420
1421where = US"installing selfsign key";
1422if (!SSL_CTX_use_PrivateKey(sctx, pkey))
1423 goto err;
1424
1425return OK;
1426
1427err:
cf0c6164 1428 (void) tls_error(where, NULL, NULL, errstr);
23bb6982
JH
1429 if (x509) X509_free(x509);
1430 if (pkey) EVP_PKEY_free(pkey);
1431 return DEFER;
1432}
1433
1434
1435
1436
ba86e143
JH
1437static int
1438tls_add_certfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1439 uschar ** errstr)
1440{
5b2fd993 1441DEBUG(D_tls) debug_printf("tls_certificate file '%s'\n", file);
ba86e143
JH
1442if (!SSL_CTX_use_certificate_chain_file(sctx, CS file))
1443 return tls_error(string_sprintf(
1444 "SSL_CTX_use_certificate_chain_file file=%s", file),
1445 cbinfo->host, NULL, errstr);
1446return 0;
1447}
1448
1449static int
1450tls_add_pkeyfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1451 uschar ** errstr)
1452{
5b2fd993 1453DEBUG(D_tls) debug_printf("tls_privatekey file '%s'\n", file);
ba86e143
JH
1454if (!SSL_CTX_use_PrivateKey_file(sctx, CS file, SSL_FILETYPE_PEM))
1455 return tls_error(string_sprintf(
1456 "SSL_CTX_use_PrivateKey_file file=%s", file), cbinfo->host, NULL, errstr);
1457return 0;
1458}
1459
1460
059ec3d9 1461/*************************************************
7be682ca
PP
1462* Expand key and cert file specs *
1463*************************************************/
1464
f5d78688 1465/* Called once during tls_init and possibly again during TLS setup, for a
7be682ca
PP
1466new context, if Server Name Indication was used and tls_sni was seen in
1467the certificate string.
1468
1469Arguments:
1470 sctx the SSL_CTX* to update
1471 cbinfo various parts of session state
cf0c6164 1472 errstr error string pointer
7be682ca
PP
1473
1474Returns: OK/DEFER/FAIL
1475*/
1476
1477static int
5b2fd993 1478tls_expand_session_files(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo,
cf0c6164 1479 uschar ** errstr)
7be682ca 1480{
5b2fd993 1481uschar * expanded;
7be682ca 1482
23bb6982 1483if (!cbinfo->certificate)
7be682ca 1484 {
ba86e143 1485 if (!cbinfo->is_server) /* client */
23bb6982 1486 return OK;
afdb5e9c 1487 /* server */
cf0c6164 1488 if (tls_install_selfsign(sctx, errstr) != OK)
23bb6982 1489 return DEFER;
7be682ca 1490 }
23bb6982
JH
1491else
1492 {
ba86e143
JH
1493 int err;
1494
5b2fd993
JH
1495 if ( !reexpand_tls_files_for_sni
1496 && ( Ustrstr(cbinfo->certificate, US"tls_sni")
1497 || Ustrstr(cbinfo->certificate, US"tls_in_sni")
1498 || Ustrstr(cbinfo->certificate, US"tls_out_sni")
1499 ) )
23bb6982 1500 reexpand_tls_files_for_sni = TRUE;
7be682ca 1501
cf0c6164 1502 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded, errstr))
23bb6982
JH
1503 return DEFER;
1504
ba86e143
JH
1505 if (expanded)
1506 if (cbinfo->is_server)
1507 {
1508 const uschar * file_list = expanded;
1509 int sep = 0;
1510 uschar * file;
5b2fd993
JH
1511#ifndef DISABLE_OCSP
1512 const uschar * olist = cbinfo->u_ocsp.server.file;
1513 int osep = 0;
1514 uschar * ofile;
1515
1516 if (olist)
1517 if (!expand_check(olist, US"tls_ocsp_file", USS &olist, errstr))
1518 return DEFER;
1519 if (olist && !*olist)
1520 olist = NULL;
1521
1522 if ( cbinfo->u_ocsp.server.file_expanded && olist
1523 && (Ustrcmp(olist, cbinfo->u_ocsp.server.file_expanded) == 0))
1524 {
1525 DEBUG(D_tls) debug_printf(" - value unchanged, using existing values\n");
1526 olist = NULL;
1527 }
1528 else
1529 {
1530 ocsp_free_response_list(cbinfo);
1531 cbinfo->u_ocsp.server.file_expanded = olist;
1532 }
1533#endif
ba86e143
JH
1534
1535 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
5b2fd993 1536 {
ba86e143
JH
1537 if ((err = tls_add_certfile(sctx, cbinfo, file, errstr)))
1538 return err;
5b2fd993
JH
1539
1540#ifndef DISABLE_OCSP
1541 if (olist)
1542 if ((ofile = string_nextinlist(&olist, &osep, NULL, 0)))
1543 ocsp_load_response(sctx, cbinfo, ofile);
1544 else
1545 DEBUG(D_tls) debug_printf("ran out of ocsp file list\n");
1546#endif
1547 }
ba86e143
JH
1548 }
1549 else /* would there ever be a need for multiple client certs? */
1550 if ((err = tls_add_certfile(sctx, cbinfo, expanded, errstr)))
1551 return err;
7be682ca 1552
5a2a0989
JH
1553 if ( cbinfo->privatekey
1554 && !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded, errstr))
23bb6982 1555 return DEFER;
7be682ca 1556
23bb6982
JH
1557 /* If expansion was forced to fail, key_expanded will be NULL. If the result
1558 of the expansion is an empty string, ignore it also, and assume the private
1559 key is in the same file as the certificate. */
1560
1561 if (expanded && *expanded)
ba86e143
JH
1562 if (cbinfo->is_server)
1563 {
1564 const uschar * file_list = expanded;
1565 int sep = 0;
1566 uschar * file;
1567
1568 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1569 if ((err = tls_add_pkeyfile(sctx, cbinfo, file, errstr)))
1570 return err;
1571 }
1572 else /* would there ever be a need for multiple client certs? */
1573 if ((err = tls_add_pkeyfile(sctx, cbinfo, expanded, errstr)))
1574 return err;
7be682ca
PP
1575 }
1576
1577return OK;
1578}
1579
1580
1581
1582
1583/*************************************************
1584* Callback to handle SNI *
1585*************************************************/
1586
1587/* Called when acting as server during the TLS session setup if a Server Name
1588Indication extension was sent by the client.
1589
1590API documentation is OpenSSL s_server.c implementation.
1591
1592Arguments:
1593 s SSL* of the current session
1594 ad unknown (part of OpenSSL API) (unused)
1595 arg Callback of "our" registered data
1596
1597Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
b10c87b3
JH
1598
1599XXX might need to change to using ClientHello callback,
1600per https://www.openssl.org/docs/manmaster/man3/SSL_client_hello_cb_fn.html
7be682ca
PP
1601*/
1602
3bcbbbe2 1603#ifdef EXIM_HAVE_OPENSSL_TLSEXT
7be682ca 1604static int
7be682ca
PP
1605tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
1606{
1607const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
3f7eeb86 1608tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
7be682ca 1609int rc;
3f0945ff 1610int old_pool = store_pool;
cf0c6164 1611uschar * dummy_errstr;
7be682ca
PP
1612
1613if (!servername)
1614 return SSL_TLSEXT_ERR_OK;
1615
3f0945ff 1616DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
7be682ca
PP
1617 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
1618
1619/* Make the extension value available for expansion */
3f0945ff 1620store_pool = POOL_PERM;
89a80675 1621tls_in.sni = string_copy_taint(US servername, TRUE);
3f0945ff 1622store_pool = old_pool;
7be682ca
PP
1623
1624if (!reexpand_tls_files_for_sni)
1625 return SSL_TLSEXT_ERR_OK;
1626
1627/* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
1628not confident that memcpy wouldn't break some internal reference counting.
1629Especially since there's a references struct member, which would be off. */
1630
7a8b9519
JH
1631#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1632if (!(server_sni = SSL_CTX_new(TLS_server_method())))
1633#else
0df4ab80 1634if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
7a8b9519 1635#endif
7be682ca 1636 {
0abc5a13 1637 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
7be682ca 1638 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
5a2a0989 1639 goto bad;
7be682ca
PP
1640 }
1641
1642/* Not sure how many of these are actually needed, since SSL object
1643already exists. Might even need this selfsame callback, for reneg? */
1644
817d9f57
JH
1645SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
1646SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
1647SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
1648SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
1649SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
1650SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
038597d2 1651
cf0c6164
JH
1652if ( !init_dh(server_sni, cbinfo->dhparam, NULL, &dummy_errstr)
1653 || !init_ecdh(server_sni, NULL, &dummy_errstr)
038597d2 1654 )
5a2a0989 1655 goto bad;
038597d2 1656
ca954d7f
JH
1657if ( cbinfo->server_cipher_list
1658 && !SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list))
5a2a0989 1659 goto bad;
ca954d7f 1660
f2de3a33 1661#ifndef DISABLE_OCSP
f5d78688 1662if (cbinfo->u_ocsp.server.file)
3f7eeb86 1663 {
f5d78688 1664 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
14c7b357 1665 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
3f7eeb86
PP
1666 }
1667#endif
7be682ca 1668
c3033f13 1669if ((rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE,
cf0c6164 1670 verify_callback_server, &dummy_errstr)) != OK)
5a2a0989 1671 goto bad;
7be682ca 1672
3f7eeb86
PP
1673/* do this after setup_certs, because this can require the certs for verifying
1674OCSP information. */
cf0c6164 1675if ((rc = tls_expand_session_files(server_sni, cbinfo, &dummy_errstr)) != OK)
5a2a0989 1676 goto bad;
a799883d 1677
7be682ca 1678DEBUG(D_tls) debug_printf("Switching SSL context.\n");
817d9f57 1679SSL_set_SSL_CTX(s, server_sni);
7be682ca 1680return SSL_TLSEXT_ERR_OK;
5a2a0989
JH
1681
1682bad: return SSL_TLSEXT_ERR_ALERT_FATAL;
7be682ca 1683}
3bcbbbe2 1684#endif /* EXIM_HAVE_OPENSSL_TLSEXT */
7be682ca
PP
1685
1686
1687
1688
f2de3a33 1689#ifndef DISABLE_OCSP
f5d78688 1690
3f7eeb86
PP
1691/*************************************************
1692* Callback to handle OCSP Stapling *
1693*************************************************/
1694
1695/* Called when acting as server during the TLS session setup if the client
1696requests OCSP information with a Certificate Status Request.
1697
1698Documentation via openssl s_server.c and the Apache patch from the OpenSSL
1699project.
1700
1701*/
1702
1703static int
f5d78688 1704tls_server_stapling_cb(SSL *s, void *arg)
3f7eeb86 1705{
5b2fd993
JH
1706const tls_ext_ctx_cb * cbinfo = (tls_ext_ctx_cb *) arg;
1707ocsp_resplist * olist = cbinfo->u_ocsp.server.olist;
1708uschar * response_der; /*XXX blob */
3f7eeb86
PP
1709int response_der_len;
1710
af4a1bca 1711DEBUG(D_tls)
5b2fd993
JH
1712 debug_printf("Received TLS status request (OCSP stapling); %s response list\n",
1713 olist ? "have" : "lack");
f5d78688 1714
44662487 1715tls_in.ocsp = OCSP_NOT_RESP;
5b2fd993 1716if (!olist)
3f7eeb86
PP
1717 return SSL_TLSEXT_ERR_NOACK;
1718
012dd02e 1719#ifdef EXIM_HAVE_OPESSL_GET0_SERIAL
5b2fd993
JH
1720 {
1721 const X509 * cert_sent = SSL_get_certificate(s);
1722 const ASN1_INTEGER * cert_serial = X509_get0_serialNumber(cert_sent);
1723 const BIGNUM * cert_bn = ASN1_INTEGER_to_BN(cert_serial, NULL);
1724 const X509_NAME * cert_issuer = X509_get_issuer_name(cert_sent);
1725 uschar * chash;
1726 uint chash_len;
1727
1728 for (; olist; olist = olist->next)
1729 {
1730 OCSP_BASICRESP * bs = OCSP_response_get1_basic(olist->resp);
1731 const OCSP_SINGLERESP * single = OCSP_resp_get0(bs, 0);
1732 const OCSP_CERTID * cid = OCSP_SINGLERESP_get0_id(single);
1733 ASN1_INTEGER * res_cert_serial;
1734 const BIGNUM * resp_bn;
1735 ASN1_OCTET_STRING * res_cert_iNameHash;
1736
1737
1738 (void) OCSP_id_get0_info(&res_cert_iNameHash, NULL, NULL, &res_cert_serial,
1739 (OCSP_CERTID *) cid);
1740 resp_bn = ASN1_INTEGER_to_BN(res_cert_serial, NULL);
1741
1742 DEBUG(D_tls)
1743 {
1744 debug_printf("cert serial: %s\n", BN_bn2hex(cert_bn));
1745 debug_printf("resp serial: %s\n", BN_bn2hex(resp_bn));
1746 }
1747
1748 if (BN_cmp(cert_bn, resp_bn) == 0)
1749 {
1750 DEBUG(D_tls) debug_printf("matched serial for ocsp\n");
1751
1752 /*XXX TODO: check the rest of the list for duplicate matches.
1753 If any, need to also check the Issuer Name hash.
1754 Without this, we will provide the wrong status in the case of
1755 duplicate id. */
1756
1757 break;
1758 }
1759 DEBUG(D_tls) debug_printf("not match serial for ocsp\n");
1760 }
1761 if (!olist)
1762 {
1763 DEBUG(D_tls) debug_printf("failed to find match for ocsp\n");
1764 return SSL_TLSEXT_ERR_NOACK;
1765 }
1766 }
012dd02e
JH
1767#else
1768if (olist->next)
1769 {
1770 DEBUG(D_tls) debug_printf("OpenSSL version too early to support multi-leaf OCSP\n");
1771 return SSL_TLSEXT_ERR_NOACK;
1772 }
1773#endif
5b2fd993
JH
1774
1775/*XXX could we do the i2d earlier, rather than during the callback? */
3f7eeb86 1776response_der = NULL;
5b2fd993 1777response_der_len = i2d_OCSP_RESPONSE(olist->resp, &response_der);
3f7eeb86
PP
1778if (response_der_len <= 0)
1779 return SSL_TLSEXT_ERR_NOACK;
1780
5e55c7a9 1781SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
44662487 1782tls_in.ocsp = OCSP_VFIED;
3f7eeb86
PP
1783return SSL_TLSEXT_ERR_OK;
1784}
1785
3f7eeb86 1786
f5d78688
JH
1787static void
1788time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
1789{
1790BIO_printf(bp, "\t%s: ", str);
1791ASN1_GENERALIZEDTIME_print(bp, time);
1792BIO_puts(bp, "\n");
1793}
1794
1795static int
1796tls_client_stapling_cb(SSL *s, void *arg)
1797{
1798tls_ext_ctx_cb * cbinfo = arg;
1799const unsigned char * p;
1800int len;
1801OCSP_RESPONSE * rsp;
1802OCSP_BASICRESP * bs;
1803int i;
1804
1805DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
1806len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1807if(!p)
1808 {
44662487 1809 /* Expect this when we requested ocsp but got none */
6c6d6e48 1810 if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
44662487 1811 log_write(0, LOG_MAIN, "Received TLS status callback, null content");
f5d78688
JH
1812 else
1813 DEBUG(D_tls) debug_printf(" null\n");
44662487 1814 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
f5d78688 1815 }
018058b2 1816
c82de233
JH
1817if (!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
1818 {
1819 tls_out.ocsp = OCSP_FAILED; /*XXX should use tlsp-> to permit concurrent outbound */
6c6d6e48 1820 if (LOGGING(tls_cipher))
1eca31ca 1821 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
f5d78688
JH
1822 else
1823 DEBUG(D_tls) debug_printf(" parse error\n");
1824 return 0;
c82de233 1825 }
f5d78688 1826
c82de233 1827if (!(bs = OCSP_response_get1_basic(rsp)))
f5d78688 1828 {
018058b2 1829 tls_out.ocsp = OCSP_FAILED;
6c6d6e48 1830 if (LOGGING(tls_cipher))
1eca31ca 1831 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
f5d78688
JH
1832 else
1833 DEBUG(D_tls) debug_printf(" error parsing response\n");
1834 OCSP_RESPONSE_free(rsp);
1835 return 0;
1836 }
1837
1838/* We'd check the nonce here if we'd put one in the request. */
1839/* However that would defeat cacheability on the server so we don't. */
1840
f5d78688
JH
1841/* This section of code reworked from OpenSSL apps source;
1842 The OpenSSL Project retains copyright:
1843 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
1844*/
1845 {
1846 BIO * bp = NULL;
f5d78688
JH
1847 int status, reason;
1848 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1849
57887ecc 1850 DEBUG(D_tls) bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
f5d78688
JH
1851
1852 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
1853
1854 /* Use the chain that verified the server cert to verify the stapled info */
1855 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
1856
c3033f13 1857 if ((i = OCSP_basic_verify(bs, cbinfo->verify_stack,
44662487 1858 cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
f5d78688 1859 {
018058b2 1860 tls_out.ocsp = OCSP_FAILED;
57887ecc
JH
1861 if (LOGGING(tls_cipher)) log_write(0, LOG_MAIN,
1862 "Received TLS cert status response, itself unverifiable: %s",
1863 ERR_reason_error_string(ERR_peek_error()));
f5d78688
JH
1864 BIO_printf(bp, "OCSP response verify failure\n");
1865 ERR_print_errors(bp);
57887ecc 1866 OCSP_RESPONSE_print(bp, rsp, 0);
c8dfb21d 1867 goto failed;
f5d78688
JH
1868 }
1869
1870 BIO_printf(bp, "OCSP response well-formed and signed OK\n");
1871
c8dfb21d
JH
1872 /*XXX So we have a good stapled OCSP status. How do we know
1873 it is for the cert of interest? OpenSSL 1.1.0 has a routine
1874 OCSP_resp_find_status() which matches on a cert id, which presumably
1875 we should use. Making an id needs OCSP_cert_id_new(), which takes
1876 issuerName, issuerKey, serialNumber. Are they all in the cert?
1877
1878 For now, carry on blindly accepting the resp. */
1879
f5d78688 1880 {
f5d78688
JH
1881 OCSP_SINGLERESP * single;
1882
c8dfb21d
JH
1883#ifdef EXIM_HAVE_OCSP_RESP_COUNT
1884 if (OCSP_resp_count(bs) != 1)
1885#else
1886 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
f5d78688 1887 if (sk_OCSP_SINGLERESP_num(sresp) != 1)
c8dfb21d 1888#endif
f5d78688 1889 {
018058b2 1890 tls_out.ocsp = OCSP_FAILED;
44662487
JH
1891 log_write(0, LOG_MAIN, "OCSP stapling "
1892 "with multiple responses not handled");
c8dfb21d 1893 goto failed;
f5d78688
JH
1894 }
1895 single = OCSP_resp_get0(bs, 0);
44662487
JH
1896 status = OCSP_single_get0_status(single, &reason, &rev,
1897 &thisupd, &nextupd);
f5d78688
JH
1898 }
1899
f5d78688
JH
1900 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
1901 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
44662487
JH
1902 if (!OCSP_check_validity(thisupd, nextupd,
1903 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
f5d78688 1904 {
018058b2 1905 tls_out.ocsp = OCSP_FAILED;
f5d78688
JH
1906 DEBUG(D_tls) ERR_print_errors(bp);
1907 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
f5d78688 1908 }
44662487 1909 else
f5d78688 1910 {
44662487
JH
1911 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
1912 OCSP_cert_status_str(status));
1913 switch(status)
1914 {
1915 case V_OCSP_CERTSTATUS_GOOD:
44662487 1916 tls_out.ocsp = OCSP_VFIED;
018058b2 1917 i = 1;
c8dfb21d 1918 goto good;
44662487 1919 case V_OCSP_CERTSTATUS_REVOKED:
018058b2 1920 tls_out.ocsp = OCSP_FAILED;
44662487
JH
1921 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
1922 reason != -1 ? "; reason: " : "",
1923 reason != -1 ? OCSP_crl_reason_str(reason) : "");
1924 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
44662487
JH
1925 break;
1926 default:
018058b2 1927 tls_out.ocsp = OCSP_FAILED;
44662487
JH
1928 log_write(0, LOG_MAIN,
1929 "Server certificate status unknown, in OCSP stapling");
44662487
JH
1930 break;
1931 }
f5d78688 1932 }
c8dfb21d
JH
1933 failed:
1934 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1935 good:
f5d78688
JH
1936 BIO_free(bp);
1937 }
1938
1939OCSP_RESPONSE_free(rsp);
1940return i;
1941}
f2de3a33 1942#endif /*!DISABLE_OCSP*/
3f7eeb86
PP
1943
1944
7be682ca 1945/*************************************************
059ec3d9
PH
1946* Initialize for TLS *
1947*************************************************/
1948
b038d456
JH
1949static void
1950tls_openssl_init(void)
1951{
1952#ifdef EXIM_NEED_OPENSSL_INIT
1953SSL_load_error_strings(); /* basic set up */
1954OpenSSL_add_ssl_algorithms();
1955#endif
1956
1957#if defined(EXIM_HAVE_SHA256) && !defined(OPENSSL_AUTO_SHA256)
1958/* SHA256 is becoming ever more popular. This makes sure it gets added to the
1959list of available digests. */
1960EVP_add_digest(EVP_sha256());
1961#endif
1962}
1963
1964
1965
e51c7be2
JH
1966/* Called from both server and client code, to do preliminary initialization
1967of the library. We allocate and return a context structure.
059ec3d9
PH
1968
1969Arguments:
946ecbe0 1970 ctxp returned SSL context
059ec3d9
PH
1971 host connected host, if client; NULL if server
1972 dhparam DH parameter file
1973 certificate certificate file
1974 privatekey private key
f5d78688 1975 ocsp_file file of stapling info (server); flag for require ocsp (client)
059ec3d9 1976 addr address if client; NULL if server (for some randomness)
946ecbe0 1977 cbp place to put allocated callback context
cf0c6164 1978 errstr error string pointer
059ec3d9
PH
1979
1980Returns: OK/DEFER/FAIL
1981*/
1982
1983static int
817d9f57 1984tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
3f7eeb86 1985 uschar *privatekey,
f2de3a33 1986#ifndef DISABLE_OCSP
5b2fd993 1987 uschar *ocsp_file,
3f7eeb86 1988#endif
b10c87b3
JH
1989 address_item *addr, tls_ext_ctx_cb ** cbp,
1990 tls_support * tlsp,
1991 uschar ** errstr)
059ec3d9 1992{
7006ee24 1993SSL_CTX * ctx;
77bb000f 1994long init_options;
7be682ca 1995int rc;
a7538db1 1996tls_ext_ctx_cb * cbinfo;
7be682ca
PP
1997
1998cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
b10c87b3 1999cbinfo->tlsp = tlsp;
7be682ca
PP
2000cbinfo->certificate = certificate;
2001cbinfo->privatekey = privatekey;
a6510420 2002cbinfo->is_server = host==NULL;
f2de3a33 2003#ifndef DISABLE_OCSP
c3033f13 2004cbinfo->verify_stack = NULL;
a6510420 2005if (!host)
f5d78688
JH
2006 {
2007 cbinfo->u_ocsp.server.file = ocsp_file;
2008 cbinfo->u_ocsp.server.file_expanded = NULL;
5b2fd993 2009 cbinfo->u_ocsp.server.olist = NULL;
f5d78688
JH
2010 }
2011else
2012 cbinfo->u_ocsp.client.verify_store = NULL;
3f7eeb86 2013#endif
7be682ca 2014cbinfo->dhparam = dhparam;
0df4ab80 2015cbinfo->server_cipher_list = NULL;
7be682ca 2016cbinfo->host = host;
0cbf2b82 2017#ifndef DISABLE_EVENT
a7538db1
JH
2018cbinfo->event_action = NULL;
2019#endif
77bb000f 2020
b038d456 2021tls_openssl_init();
a0475b69 2022
f0f5a555
PP
2023/* Create a context.
2024The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
2025negotiation in the different methods; as far as I can tell, the only
2026*_{server,client}_method which allows negotiation is SSLv23, which exists even
2027when OpenSSL is built without SSLv2 support.
2028By disabling with openssl_options, we can let admins re-enable with the
2029existing knob. */
059ec3d9 2030
7a8b9519
JH
2031#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
2032if (!(ctx = SSL_CTX_new(host ? TLS_client_method() : TLS_server_method())))
2033#else
7006ee24 2034if (!(ctx = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method())))
7a8b9519 2035#endif
7006ee24 2036 return tls_error(US"SSL_CTX_new", host, NULL, errstr);
059ec3d9
PH
2037
2038/* It turns out that we need to seed the random number generator this early in
2039order to get the full complement of ciphers to work. It took me roughly a day
2040of work to discover this by experiment.
2041
2042On systems that have /dev/urandom, SSL may automatically seed itself from
2043there. Otherwise, we have to make something up as best we can. Double check
2044afterwards. */
2045
2046if (!RAND_status())
2047 {
2048 randstuff r;
9e3331ea 2049 gettimeofday(&r.tv, NULL);
059ec3d9
PH
2050 r.p = getpid();
2051
5903c6ff
JH
2052 RAND_seed(US (&r), sizeof(r));
2053 RAND_seed(US big_buffer, big_buffer_size);
2054 if (addr != NULL) RAND_seed(US addr, sizeof(addr));
059ec3d9
PH
2055
2056 if (!RAND_status())
7199e1ee 2057 return tls_error(US"RAND_status", host,
cf0c6164 2058 US"unable to seed random number generator", errstr);
059ec3d9
PH
2059 }
2060
2061/* Set up the information callback, which outputs if debugging is at a suitable
2062level. */
2063
b10c87b3
JH
2064DEBUG(D_tls)
2065 {
2066 SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
e570d136
JH
2067#if defined(EXIM_HAVE_OPESSL_TRACE) && !defined(OPENSSL_NO_SSL_TRACE)
2068 /* this needs a debug build of OpenSSL */
b10c87b3
JH
2069 SSL_CTX_set_msg_callback(ctx, (void (*)())SSL_trace);
2070#endif
8a40db1c 2071#ifdef OPENSSL_HAVE_KEYLOG_CB
b10c87b3 2072 SSL_CTX_set_keylog_callback(ctx, (void (*)())keylog_callback);
8a40db1c 2073#endif
b10c87b3 2074 }
059ec3d9 2075
c80c5570 2076/* Automatically re-try reads/writes after renegotiation. */
7006ee24 2077(void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
c80c5570 2078
77bb000f
PP
2079/* Apply administrator-supplied work-arounds.
2080Historically we applied just one requested option,
2081SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
2082moved to an administrator-controlled list of options to specify and
2083grandfathered in the first one as the default value for "openssl_options".
059ec3d9 2084
77bb000f
PP
2085No OpenSSL version number checks: the options we accept depend upon the
2086availability of the option value macros from OpenSSL. */
059ec3d9 2087
7006ee24 2088if (!tls_openssl_options_parse(openssl_options, &init_options))
cf0c6164 2089 return tls_error(US"openssl_options parsing failed", host, NULL, errstr);
77bb000f 2090
b10c87b3
JH
2091#ifdef EXPERIMENTAL_TLS_RESUME
2092tlsp->resumption = RESUME_SUPPORTED;
2093#endif
77bb000f
PP
2094if (init_options)
2095 {
b10c87b3
JH
2096#ifdef EXPERIMENTAL_TLS_RESUME
2097 /* Should the server offer session resumption? */
2098 if (!host && verify_check_host(&tls_resumption_hosts) == OK)
2099 {
2100 DEBUG(D_tls) debug_printf("tls_resumption_hosts overrides openssl_options\n");
2101 init_options &= ~SSL_OP_NO_TICKET;
2102 tlsp->resumption |= RESUME_SERVER_TICKET; /* server will give ticket on request */
2103 tlsp->host_resumable = TRUE;
2104 }
2105#endif
2106
77bb000f 2107 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
7006ee24 2108 if (!(SSL_CTX_set_options(ctx, init_options)))
77bb000f 2109 return tls_error(string_sprintf(
cf0c6164 2110 "SSL_CTX_set_option(%#lx)", init_options), host, NULL, errstr);
77bb000f
PP
2111 }
2112else
2113 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
059ec3d9 2114
a28050f8
JH
2115/* We'd like to disable session cache unconditionally, but foolish Outlook
2116Express clients then give up the first TLS connection and make a second one
2117(which works). Only when there is an IMAP service on the same machine.
2118Presumably OE is trying to use the cache for A on B. Leave it enabled for
2119now, until we work out a decent way of presenting control to the config. It
2120will never be used because we use a new context every time. */
2121#ifdef notdef
7006ee24 2122(void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
a28050f8 2123#endif
7006ee24 2124
059ec3d9 2125/* Initialize with DH parameters if supplied */
10ca4f1c 2126/* Initialize ECDH temp key parameter selection */
059ec3d9 2127
7006ee24
JH
2128if ( !init_dh(ctx, dhparam, host, errstr)
2129 || !init_ecdh(ctx, host, errstr)
038597d2
PP
2130 )
2131 return DEFER;
059ec3d9 2132
3f7eeb86 2133/* Set up certificate and key (and perhaps OCSP info) */
059ec3d9 2134
7006ee24 2135if ((rc = tls_expand_session_files(ctx, cbinfo, errstr)) != OK)
23bb6982 2136 return rc;
c91535f3 2137
c3033f13
JH
2138/* If we need to handle SNI or OCSP, do so */
2139
3bcbbbe2 2140#ifdef EXIM_HAVE_OPENSSL_TLSEXT
c3033f13
JH
2141# ifndef DISABLE_OCSP
2142 if (!(cbinfo->verify_stack = sk_X509_new_null()))
2143 {
2144 DEBUG(D_tls) debug_printf("failed to create stack for stapling verify\n");
2145 return FAIL;
2146 }
2147# endif
2148
7a8b9519 2149if (!host) /* server */
3f0945ff 2150 {
f2de3a33 2151# ifndef DISABLE_OCSP
5b2fd993 2152 /* We check u_ocsp.server.file, not server.olist, because we care about if
3f7eeb86
PP
2153 the option exists, not what the current expansion might be, as SNI might
2154 change the certificate and OCSP file in use between now and the time the
2155 callback is invoked. */
f5d78688 2156 if (cbinfo->u_ocsp.server.file)
3f7eeb86 2157 {
7006ee24
JH
2158 SSL_CTX_set_tlsext_status_cb(ctx, tls_server_stapling_cb);
2159 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
3f7eeb86 2160 }
f5d78688 2161# endif
3f0945ff
PP
2162 /* We always do this, so that $tls_sni is available even if not used in
2163 tls_certificate */
7006ee24
JH
2164 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
2165 SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
3f0945ff 2166 }
f2de3a33 2167# ifndef DISABLE_OCSP
f5d78688
JH
2168else /* client */
2169 if(ocsp_file) /* wanting stapling */
2170 {
2171 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
2172 {
2173 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
2174 return FAIL;
2175 }
7006ee24
JH
2176 SSL_CTX_set_tlsext_status_cb(ctx, tls_client_stapling_cb);
2177 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
f5d78688
JH
2178 }
2179# endif
7be682ca 2180#endif
059ec3d9 2181
e51c7be2 2182cbinfo->verify_cert_hostnames = NULL;
e51c7be2 2183
c8dfb21d 2184#ifdef EXIM_HAVE_EPHEM_RSA_KEX
059ec3d9 2185/* Set up the RSA callback */
7006ee24 2186SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
c8dfb21d 2187#endif
059ec3d9 2188
b10c87b3
JH
2189/* Finally, set the session cache timeout, and we are done.
2190The period appears to be also used for (server-generated) session tickets */
059ec3d9 2191
7006ee24 2192SSL_CTX_set_timeout(ctx, ssl_session_timeout);
059ec3d9 2193DEBUG(D_tls) debug_printf("Initialized TLS\n");
7be682ca 2194
817d9f57 2195*cbp = cbinfo;
7006ee24 2196*ctxp = ctx;
7be682ca 2197
059ec3d9
PH
2198return OK;
2199}
2200
2201
2202
2203
2204/*************************************************
2205* Get name of cipher in use *
2206*************************************************/
2207
817d9f57 2208/*
059ec3d9 2209Argument: pointer to an SSL structure for the connection
817d9f57 2210 pointer to number of bits for cipher
f1be21cf 2211Returns: pointer to allocated string in perm-pool
059ec3d9
PH
2212*/
2213
f1be21cf 2214static uschar *
5b195d6b 2215construct_cipher_name(SSL * ssl, const uschar * ver, int * bits)
059ec3d9 2216{
f1be21cf 2217int pool = store_pool;
7a8b9519 2218/* With OpenSSL 1.0.0a, 'c' needs to be const but the documentation doesn't
57b3a7f5
PP
2219yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
2220the accessor functions use const in the prototype. */
059ec3d9 2221
7a8b9519 2222const SSL_CIPHER * c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
f1be21cf 2223uschar * s;
059ec3d9 2224
817d9f57 2225SSL_CIPHER_get_bits(c, bits);
059ec3d9 2226
f1be21cf
JH
2227store_pool = POOL_PERM;
2228s = string_sprintf("%s:%s:%u", ver, SSL_CIPHER_get_name(c), *bits);
2229store_pool = pool;
2230DEBUG(D_tls) debug_printf("Cipher: %s\n", s);
2231return s;
2232}
2233
059ec3d9 2234
f1be21cf
JH
2235/* Get IETF-standard name for ciphersuite.
2236Argument: pointer to an SSL structure for the connection
2237Returns: pointer to string
2238*/
2239
2240static const uschar *
2241cipher_stdname_ssl(SSL * ssl)
2242{
2243#ifdef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
2244return CUS SSL_CIPHER_standard_name(SSL_get_current_cipher(ssl));
2245#else
2246ushort id = 0xffff & SSL_CIPHER_get_id(SSL_get_current_cipher(ssl));
2247return cipher_stdname(id >> 8, id & 0xff);
2248#endif
059ec3d9
PH
2249}
2250
2251
5b195d6b
JH
2252static const uschar *
2253tlsver_name(SSL * ssl)
2254{
2255uschar * s, * p;
2256int pool = store_pool;
2257
2258store_pool = POOL_PERM;
2259s = string_copy(US SSL_get_version(ssl));
2260store_pool = pool;
2261if ((p = Ustrchr(s, 'v'))) /* TLSv1.2 -> TLS1.2 */
2262 for (;; p++) if (!(*p = p[1])) break;
2263return CUS s;
2264}
2265
2266
f69979cf 2267static void
70e384dd 2268peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned siz)
f69979cf
JH
2269{
2270/*XXX we might consider a list-of-certs variable for the cert chain.
2271SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
2272in list-handling functions, also consider the difference between the entire
2273chain and the elements sent by the peer. */
2274
70e384dd
JH
2275tlsp->peerdn = NULL;
2276
f69979cf
JH
2277/* Will have already noted peercert on a verify fail; possibly not the leaf */
2278if (!tlsp->peercert)
2279 tlsp->peercert = SSL_get_peer_certificate(ssl);
2280/* Beware anonymous ciphers which lead to server_cert being NULL */
2281if (tlsp->peercert)
70e384dd
JH
2282 if (!X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, siz))
2283 { DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n"); }
2284 else
2285 {
4a1bd6b9
JH
2286 int oldpool = store_pool;
2287
2288 peerdn[siz-1] = '\0'; /* paranoia */
2289 store_pool = POOL_PERM;
2290 tlsp->peerdn = string_copy(peerdn);
2291 store_pool = oldpool;
2292
2293 /* We used to set CV in the cert-verify callbacks (either plain or dane)
2294 but they don't get called on session-resumption. So use the official
2295 interface, which uses the resumed value. Unfortunately this claims verified
2296 when it actually failed but we're in try-verify mode, due to us wanting the
2297 knowlege that it failed so needing to have the callback and forcing a
2298 permissive return. If we don't force it, the TLS startup is failed.
f4e62a87
JH
2299 The extra bit of information is set in verify_override in the cb, stashed
2300 for resumption next to the TLS session, and used here. */
4a1bd6b9
JH
2301
2302 if (!tlsp->verify_override)
2303 tlsp->certificate_verified = SSL_get_verify_result(ssl) == X509_V_OK;
70e384dd 2304 }
f69979cf
JH
2305}
2306
2307
059ec3d9
PH
2308
2309
2310
2311/*************************************************
2312* Set up for verifying certificates *
2313*************************************************/
2314
0e8aed8a 2315#ifndef DISABLE_OCSP
c3033f13
JH
2316/* Load certs from file, return TRUE on success */
2317
2318static BOOL
2319chain_from_pem_file(const uschar * file, STACK_OF(X509) * verify_stack)
2320{
2321BIO * bp;
2322X509 * x;
2323
dec766a1
WB
2324while (sk_X509_num(verify_stack) > 0)
2325 X509_free(sk_X509_pop(verify_stack));
2326
c3033f13
JH
2327if (!(bp = BIO_new_file(CS file, "r"))) return FALSE;
2328while ((x = PEM_read_bio_X509(bp, NULL, 0, NULL)))
2329 sk_X509_push(verify_stack, x);
2330BIO_free(bp);
2331return TRUE;
2332}
0e8aed8a 2333#endif
c3033f13
JH
2334
2335
2336
dec766a1
WB
2337/* Called by both client and server startup; on the server possibly
2338repeated after a Server Name Indication.
059ec3d9
PH
2339
2340Arguments:
7be682ca 2341 sctx SSL_CTX* to initialise
059ec3d9
PH
2342 certs certs file or NULL
2343 crl CRL file or NULL
2344 host NULL in a server; the remote host in a client
2345 optional TRUE if called from a server for a host in tls_try_verify_hosts;
2346 otherwise passed as FALSE
983207c1 2347 cert_vfy_cb Callback function for certificate verification
cf0c6164 2348 errstr error string pointer
059ec3d9
PH
2349
2350Returns: OK/DEFER/FAIL
2351*/
2352
2353static int
983207c1 2354setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
cf0c6164 2355 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr)
059ec3d9
PH
2356{
2357uschar *expcerts, *expcrl;
2358
cf0c6164 2359if (!expand_check(certs, US"tls_verify_certificates", &expcerts, errstr))
059ec3d9 2360 return DEFER;
57cc2785 2361DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
059ec3d9 2362
10a831a3 2363if (expcerts && *expcerts)
059ec3d9 2364 {
10a831a3
JH
2365 /* Tell the library to use its compiled-in location for the system default
2366 CA bundle. Then add the ones specified in the config, if any. */
cb1d7830 2367
10a831a3 2368 if (!SSL_CTX_set_default_verify_paths(sctx))
cf0c6164 2369 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL, errstr);
10a831a3
JH
2370
2371 if (Ustrcmp(expcerts, "system") != 0)
059ec3d9 2372 {
cb1d7830
JH
2373 struct stat statbuf;
2374
cb1d7830
JH
2375 if (Ustat(expcerts, &statbuf) < 0)
2376 {
2377 log_write(0, LOG_MAIN|LOG_PANIC,
2378 "failed to stat %s for certificates", expcerts);
2379 return DEFER;
2380 }
059ec3d9 2381 else
059ec3d9 2382 {
cb1d7830
JH
2383 uschar *file, *dir;
2384 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
2385 { file = NULL; dir = expcerts; }
2386 else
c3033f13
JH
2387 {
2388 file = expcerts; dir = NULL;
2389#ifndef DISABLE_OCSP
2390 /* In the server if we will be offering an OCSP proof, load chain from
2391 file for verifying the OCSP proof at load time. */
2392
5b2fd993
JH
2393/*XXX Glitch! The file here is tls_verify_certs: the chain for verifying the client cert.
2394This is inconsistent with the need to verify the OCSP proof of the server cert.
2395*/
2396
c3033f13
JH
2397 if ( !host
2398 && statbuf.st_size > 0
2399 && server_static_cbinfo->u_ocsp.server.file
2400 && !chain_from_pem_file(file, server_static_cbinfo->verify_stack)
2401 )
2402 {
2403 log_write(0, LOG_MAIN|LOG_PANIC,
57887ecc 2404 "failed to load cert chain from %s", file);
c3033f13
JH
2405 return DEFER;
2406 }
2407#endif
2408 }
cb1d7830
JH
2409
2410 /* If a certificate file is empty, the next function fails with an
2411 unhelpful error message. If we skip it, we get the correct behaviour (no
2412 certificates are recognized, but the error message is still misleading (it
c3033f13 2413 says no certificate was supplied). But this is better. */
cb1d7830 2414
f2f2c91b
JH
2415 if ( (!file || statbuf.st_size > 0)
2416 && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
cf0c6164 2417 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL, errstr);
cb1d7830
JH
2418
2419 /* Load the list of CAs for which we will accept certs, for sending
2420 to the client. This is only for the one-file tls_verify_certificates
2421 variant.
d7978c0f
JH
2422 If a list isn't loaded into the server, but some verify locations are set,
2423 the server end appears to make a wildcard request for client certs.
10a831a3 2424 Meanwhile, the client library as default behaviour *ignores* the list
cb1d7830
JH
2425 we send over the wire - see man SSL_CTX_set_client_cert_cb.
2426 Because of this, and that the dir variant is likely only used for
d7978c0f
JH
2427 the public-CA bundle (not for a private CA), not worth fixing. */
2428
f2f2c91b 2429 if (file)
cb1d7830 2430 {
2009ecca 2431 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
dec766a1
WB
2432
2433 SSL_CTX_set_client_CA_list(sctx, names);
f2f2c91b 2434 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
cb1d7830 2435 sk_X509_NAME_num(names));
cb1d7830 2436 }
059ec3d9
PH
2437 }
2438 }
2439
2440 /* Handle a certificate revocation list. */
2441
10a831a3 2442#if OPENSSL_VERSION_NUMBER > 0x00907000L
059ec3d9 2443
8b417f2c 2444 /* This bit of code is now the version supplied by Lars Mainka. (I have
10a831a3 2445 merely reformatted it into the Exim code style.)
8b417f2c 2446
10a831a3
JH
2447 "From here I changed the code to add support for multiple crl's
2448 in pem format in one file or to support hashed directory entries in
2449 pem format instead of a file. This method now uses the library function
2450 X509_STORE_load_locations to add the CRL location to the SSL context.
2451 OpenSSL will then handle the verify against CA certs and CRLs by
2452 itself in the verify callback." */
8b417f2c 2453
cf0c6164 2454 if (!expand_check(crl, US"tls_crl", &expcrl, errstr)) return DEFER;
10a831a3 2455 if (expcrl && *expcrl)
059ec3d9 2456 {
8b417f2c
PH
2457 struct stat statbufcrl;
2458 if (Ustat(expcrl, &statbufcrl) < 0)
2459 {
2460 log_write(0, LOG_MAIN|LOG_PANIC,
2461 "failed to stat %s for certificates revocation lists", expcrl);
2462 return DEFER;
2463 }
2464 else
059ec3d9 2465 {
8b417f2c
PH
2466 /* is it a file or directory? */
2467 uschar *file, *dir;
7be682ca 2468 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
8b417f2c 2469 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
059ec3d9 2470 {
8b417f2c
PH
2471 file = NULL;
2472 dir = expcrl;
2473 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
059ec3d9
PH
2474 }
2475 else
2476 {
8b417f2c
PH
2477 file = expcrl;
2478 dir = NULL;
2479 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
059ec3d9 2480 }
8b417f2c 2481 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
cf0c6164 2482 return tls_error(US"X509_STORE_load_locations", host, NULL, errstr);
8b417f2c
PH
2483
2484 /* setting the flags to check against the complete crl chain */
2485
2486 X509_STORE_set_flags(cvstore,
2487 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
059ec3d9 2488 }
059ec3d9
PH
2489 }
2490
10a831a3 2491#endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
059ec3d9
PH
2492
2493 /* If verification is optional, don't fail if no certificate */
2494
7be682ca 2495 SSL_CTX_set_verify(sctx,
5a2a0989 2496 SSL_VERIFY_PEER | (optional ? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
983207c1 2497 cert_vfy_cb);
059ec3d9
PH
2498 }
2499
2500return OK;
2501}
2502
2503
2504
2505/*************************************************
2506* Start a TLS session in a server *
2507*************************************************/
2508
2509/* This is called when Exim is running as a server, after having received
2510the STARTTLS command. It must respond to that command, and then negotiate
2511a TLS session.
2512
2513Arguments:
2514 require_ciphers allowed ciphers
cf0c6164 2515 errstr pointer to error message
059ec3d9
PH
2516
2517Returns: OK on success
2518 DEFER for errors before the start of the negotiation
4c04137d 2519 FAIL for errors during the negotiation; the server can't
059ec3d9
PH
2520 continue running.
2521*/
2522
2523int
cf0c6164 2524tls_server_start(const uschar * require_ciphers, uschar ** errstr)
059ec3d9
PH
2525{
2526int rc;
cf0c6164
JH
2527uschar * expciphers;
2528tls_ext_ctx_cb * cbinfo;
f69979cf 2529static uschar peerdn[256];
059ec3d9
PH
2530
2531/* Check for previous activation */
2532
74f1a423 2533if (tls_in.active.sock >= 0)
059ec3d9 2534 {
cf0c6164 2535 tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
925ac8e4 2536 smtp_printf("554 Already in TLS\r\n", FALSE);
059ec3d9
PH
2537 return FAIL;
2538 }
2539
2540/* Initialize the SSL library. If it fails, it will already have logged
2541the error. */
2542
817d9f57 2543rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
f2de3a33 2544#ifndef DISABLE_OCSP
5b2fd993 2545 tls_ocsp_file,
3f7eeb86 2546#endif
b10c87b3 2547 NULL, &server_static_cbinfo, &tls_in, errstr);
059ec3d9 2548if (rc != OK) return rc;
817d9f57 2549cbinfo = server_static_cbinfo;
059ec3d9 2550
cf0c6164 2551if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers, errstr))
059ec3d9
PH
2552 return FAIL;
2553
2554/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
17c76198
PP
2555were historically separated by underscores. So that I can use either form in my
2556tests, and also for general convenience, we turn underscores into hyphens here.
0c3807a8
JH
2557
2558XXX SSL_CTX_set_cipher_list() is replaced by SSL_CTX_set_ciphersuites()
2559for TLS 1.3 . Since we do not call it at present we get the default list:
2560TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
17c76198 2561*/
059ec3d9 2562
c3033f13 2563if (expciphers)
059ec3d9 2564 {
b10c87b3 2565 for (uschar * s = expciphers; *s; s++ ) if (*s == '_') *s = '-';
059ec3d9 2566 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
817d9f57 2567 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
cf0c6164 2568 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL, errstr);
7be682ca 2569 cbinfo->server_cipher_list = expciphers;
059ec3d9
PH
2570 }
2571
2572/* If this is a host for which certificate verification is mandatory or
2573optional, set up appropriately. */
2574
817d9f57 2575tls_in.certificate_verified = FALSE;
c0635b6d 2576#ifdef SUPPORT_DANE
53a7196b
JH
2577tls_in.dane_verified = FALSE;
2578#endif
a2ff477a 2579server_verify_callback_called = FALSE;
059ec3d9
PH
2580
2581if (verify_check_host(&tls_verify_hosts) == OK)
2582 {
983207c1 2583 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
afdb5e9c 2584 FALSE, verify_callback_server, errstr);
059ec3d9 2585 if (rc != OK) return rc;
a2ff477a 2586 server_verify_optional = FALSE;
059ec3d9
PH
2587 }
2588else if (verify_check_host(&tls_try_verify_hosts) == OK)
2589 {
983207c1 2590 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
afdb5e9c 2591 TRUE, verify_callback_server, errstr);
059ec3d9 2592 if (rc != OK) return rc;
a2ff477a 2593 server_verify_optional = TRUE;
059ec3d9
PH
2594 }
2595
b10c87b3
JH
2596#ifdef EXPERIMENTAL_TLS_RESUME
2597SSL_CTX_set_tlsext_ticket_key_cb(server_ctx, ticket_key_callback);
2598/* despite working, appears to always return failure, so ignoring */
2599#endif
2600#ifdef OPENSSL_HAVE_NUM_TICKETS
2601# ifdef EXPERIMENTAL_TLS_RESUME
2602SSL_CTX_set_num_tickets(server_ctx, tls_in.host_resumable ? 1 : 0);
2603# else
2604SSL_CTX_set_num_tickets(server_ctx, 0); /* send no TLS1.3 stateful-tickets */
2605# endif
2606#endif
2607
2608
059ec3d9
PH
2609/* Prepare for new connection */
2610
cf0c6164
JH
2611if (!(server_ssl = SSL_new(server_ctx)))
2612 return tls_error(US"SSL_new", NULL, NULL, errstr);
da3ad30d
PP
2613
2614/* Warning: we used to SSL_clear(ssl) here, it was removed.
2615 *
2616 * With the SSL_clear(), we get strange interoperability bugs with
2617 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
2618 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
2619 *
2620 * The SSL_clear() call is to let an existing SSL* be reused, typically after
2621 * session shutdown. In this case, we have a brand new object and there's no
2622 * obvious reason to immediately clear it. I'm guessing that this was
2623 * originally added because of incomplete initialisation which the clear fixed,
2624 * in some historic release.
2625 */
059ec3d9
PH
2626
2627/* Set context and tell client to go ahead, except in the case of TLS startup
2628on connection, where outputting anything now upsets the clients and tends to
2629make them disconnect. We need to have an explicit fflush() here, to force out
2630the response. Other smtp_printf() calls do not need it, because in non-TLS
2631mode, the fflush() happens when smtp_getc() is called. */
2632
817d9f57
JH
2633SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
2634if (!tls_in.on_connect)
059ec3d9 2635 {
925ac8e4 2636 smtp_printf("220 TLS go ahead\r\n", FALSE);
059ec3d9
PH
2637 fflush(smtp_out);
2638 }
2639
2640/* Now negotiate the TLS session. We put our own timer on it, since it seems
2641that the OpenSSL library doesn't. */
2642
817d9f57
JH
2643SSL_set_wfd(server_ssl, fileno(smtp_out));
2644SSL_set_rfd(server_ssl, fileno(smtp_in));
2645SSL_set_accept_state(server_ssl);
059ec3d9
PH
2646
2647DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
2648
2649sigalrm_seen = FALSE;
c2a1bba0 2650if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
817d9f57 2651rc = SSL_accept(server_ssl);
c2a1bba0 2652ALARM_CLR(0);
059ec3d9
PH
2653
2654if (rc <= 0)
2655 {
c31e16a5
JH
2656 int error = SSL_get_error(server_ssl, rc);
2657 switch(error)
2658 {
2659 case SSL_ERROR_NONE:
2660 break;
2661
2662 case SSL_ERROR_ZERO_RETURN:
2663 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2664 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
2665
2666 if (SSL_get_shutdown(server_ssl) == SSL_RECEIVED_SHUTDOWN)
2667 SSL_shutdown(server_ssl);
2668
2669 tls_close(NULL, TLS_NO_SHUTDOWN);
2670 return FAIL;
2671
2672 /* Handle genuine errors */
2673 case SSL_ERROR_SSL:
2674 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
2675 return FAIL;
2676
2677 default:
2678 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
2679 if (error == SSL_ERROR_SYSCALL)
2680 {
2681 if (!errno)
2682 {
2683 *errstr = US"SSL_accept: TCP connection closed by peer";
2684 return FAIL;
2685 }
2686 DEBUG(D_tls) debug_printf(" - syscall %s\n", strerror(errno));
2687 }
2688 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
2689 return FAIL;
2690 }
059ec3d9
PH
2691 }
2692
2693DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
25fa0868 2694ERR_clear_error(); /* Even success can leave errors in the stack. Seen with
b10c87b3
JH
2695 anon-authentication ciphersuite negotiated. */
2696
2697#ifdef EXPERIMENTAL_TLS_RESUME
2698if (SSL_session_reused(server_ssl))
2699 {
2700 tls_in.resumption |= RESUME_USED;
2701 DEBUG(D_tls) debug_printf("Session reused\n");
2702 }
2703#endif
059ec3d9 2704
5b195d6b
JH
2705/* TLS has been set up. Record data for the connection,
2706adjust the input functions to read via TLS, and initialize things. */
059ec3d9 2707
f69979cf
JH
2708peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
2709
5b195d6b
JH
2710tls_in.ver = tlsver_name(server_ssl);
2711tls_in.cipher = construct_cipher_name(server_ssl, tls_in.ver, &tls_in.bits);
f1be21cf
JH
2712tls_in.cipher_stdname = cipher_stdname_ssl(server_ssl);
2713
059ec3d9
PH
2714DEBUG(D_tls)
2715 {
2716 uschar buf[2048];
f1be21cf 2717 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)))
059ec3d9 2718 debug_printf("Shared ciphers: %s\n", buf);
f20cfa4a
JH
2719
2720#ifdef EXIM_HAVE_OPENSSL_KEYLOG
2721 {
10ed27e0 2722 BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
f20cfa4a 2723 SSL_SESSION_print_keylog(bp, SSL_get_session(server_ssl));
f20cfa4a
JH
2724 BIO_free(bp);
2725 }
2726#endif
b10c87b3
JH
2727
2728#ifdef EXIM_HAVE_SESSION_TICKET
2729 {
2730 SSL_SESSION * ss = SSL_get_session(server_ssl);
40618fb6 2731 if (SSL_SESSION_has_ticket(ss)) /* 1.1.0 */
b10c87b3
JH
2732 debug_printf("The session has a ticket, life %lu seconds\n",
2733 SSL_SESSION_get_ticket_lifetime_hint(ss));
2734 }
2735#endif
059ec3d9
PH
2736 }
2737
9d1c15ef
JH
2738/* Record the certificate we presented */
2739 {
2740 X509 * crt = SSL_get_certificate(server_ssl);
2741 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
2742 }
059ec3d9 2743
817d9f57
JH
2744/* Only used by the server-side tls (tls_in), including tls_getc.
2745 Client-side (tls_out) reads (seem to?) go via
2746 smtp_read_response()/ip_recv().
2747 Hence no need to duplicate for _in and _out.
2748 */
b808677c 2749if (!ssl_xfer_buffer) ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
059ec3d9 2750ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
8b77d27a 2751ssl_xfer_eof = ssl_xfer_error = FALSE;
059ec3d9
PH
2752
2753receive_getc = tls_getc;
0d81dabc 2754receive_getbuf = tls_getbuf;
584e96c6 2755receive_get_cache = tls_get_cache;
059ec3d9
PH
2756receive_ungetc = tls_ungetc;
2757receive_feof = tls_feof;
2758receive_ferror = tls_ferror;
58eb016e 2759receive_smtp_buffered = tls_smtp_buffered;
059ec3d9 2760
74f1a423
JH
2761tls_in.active.sock = fileno(smtp_out);
2762tls_in.active.tls_ctx = NULL; /* not using explicit ctx for server-side */
059ec3d9
PH
2763return OK;
2764}
2765
2766
2767
2768
043b1248
JH
2769static int
2770tls_client_basic_ctx_init(SSL_CTX * ctx,
cf0c6164
JH
2771 host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo,
2772 uschar ** errstr)
043b1248
JH
2773{
2774int rc;
94431adb 2775/* stick to the old behaviour for compatibility if tls_verify_certificates is
043b1248
JH
2776 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
2777 the specified host patterns if one of them is defined */
2778
610ff438
JH
2779if ( ( !ob->tls_verify_hosts
2780 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2781 )
3c07dd2d 2782 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
aa2a70ba 2783 )
043b1248 2784 client_verify_optional = FALSE;
3c07dd2d 2785else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
aa2a70ba
JH
2786 client_verify_optional = TRUE;
2787else
2788 return OK;
2789
2790if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
cf0c6164
JH
2791 ob->tls_crl, host, client_verify_optional, verify_callback_client,
2792 errstr)) != OK)
aa2a70ba 2793 return rc;
043b1248 2794
3c07dd2d 2795if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
043b1248 2796 {
4af0d74a 2797 cbinfo->verify_cert_hostnames =
8c5d388a 2798#ifdef SUPPORT_I18N
4af0d74a
JH
2799 string_domain_utf8_to_alabel(host->name, NULL);
2800#else
2801 host->name;
2802#endif
aa2a70ba
JH
2803 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
2804 cbinfo->verify_cert_hostnames);
043b1248 2805 }
043b1248
JH
2806return OK;
2807}
059ec3d9 2808
fde080a4 2809
c0635b6d 2810#ifdef SUPPORT_DANE
fde080a4 2811static int
cf0c6164 2812dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa, uschar ** errstr)
fde080a4 2813{
fde080a4
JH
2814dns_scan dnss;
2815const char * hostnames[2] = { CS host->name, NULL };
2816int found = 0;
2817
2818if (DANESSL_init(ssl, NULL, hostnames) != 1)
cf0c6164 2819 return tls_error(US"hostnames load", host, NULL, errstr);
fde080a4 2820
d7978c0f 2821for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
fde080a4 2822 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
1b76ad22 2823 ) if (rr->type == T_TLSA && rr->size > 3)
fde080a4 2824 {
c3033f13 2825 const uschar * p = rr->data;
fde080a4
JH
2826 uint8_t usage, selector, mtype;
2827 const char * mdname;
2828
fde080a4 2829 usage = *p++;
133d2546
JH
2830
2831 /* Only DANE-TA(2) and DANE-EE(3) are supported */
2832 if (usage != 2 && usage != 3) continue;
2833
fde080a4
JH
2834 selector = *p++;
2835 mtype = *p++;
2836
2837 switch (mtype)
2838 {
133d2546
JH
2839 default: continue; /* Only match-types 0, 1, 2 are supported */
2840 case 0: mdname = NULL; break;
2841 case 1: mdname = "sha256"; break;
2842 case 2: mdname = "sha512"; break;
fde080a4
JH
2843 }
2844
133d2546 2845 found++;
fde080a4
JH
2846 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
2847 {
2848 default:
cf0c6164 2849 return tls_error(US"tlsa load", host, NULL, errstr);
c035b645 2850 case 0: /* action not taken */
fde080a4
JH
2851 case 1: break;
2852 }
594706ea
JH
2853
2854 tls_out.tlsa_usage |= 1<<usage;
fde080a4
JH
2855 }
2856
2857if (found)
2858 return OK;
2859
133d2546 2860log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
6ebd79ec 2861return DEFER;
fde080a4 2862}
c0635b6d 2863#endif /*SUPPORT_DANE*/
fde080a4
JH
2864
2865
2866
b10c87b3
JH
2867#ifdef EXPERIMENTAL_TLS_RESUME
2868/* On the client, get any stashed session for the given IP from hints db
2869and apply it to the ssl-connection for attempted resumption. */
2870
2871static void
2872tls_retrieve_session(tls_support * tlsp, SSL * ssl, const uschar * key)
2873{
2874tlsp->resumption |= RESUME_SUPPORTED;
2875if (tlsp->host_resumable)
2876 {
2877 dbdata_tls_session * dt;
2878 int len;
2879 open_db dbblock, * dbm_file;
2880
2881 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
2882 DEBUG(D_tls) debug_printf("checking for resumable session for %s\n", key);
2883 if ((dbm_file = dbfn_open(US"tls", O_RDONLY, &dbblock, FALSE, FALSE)))
2884 {
2885 /* key for the db is the IP */
2886 if ((dt = dbfn_read_with_length(dbm_file, key, &len)))
2887 {
2888 SSL_SESSION * ss = NULL;
2889 const uschar * sess_asn1 = dt->session;
2890
2891 len -= sizeof(dbdata_tls_session);
2892 if (!(d2i_SSL_SESSION(&ss, &sess_asn1, (long)len)))
2893 {
2894 DEBUG(D_tls)
2895 {
2896 ERR_error_string_n(ERR_get_error(),
2897 ssl_errstring, sizeof(ssl_errstring));
2898 debug_printf("decoding session: %s\n", ssl_errstring);
2899 }
2900 }
a775dd1d 2901#ifdef EXIM_HAVE_SESSION_TICKET
4f1d23a1
JH
2902 else if ( SSL_SESSION_get_ticket_lifetime_hint(ss) + dt->time_stamp
2903 < time(NULL))
2904 {
2905 DEBUG(D_tls) debug_printf("session expired\n");
2906 dbfn_delete(dbm_file, key);
2907 }
a775dd1d 2908#endif
b10c87b3
JH
2909 else if (!SSL_set_session(ssl, ss))
2910 {
2911 DEBUG(D_tls)
2912 {
2913 ERR_error_string_n(ERR_get_error(),
2914 ssl_errstring, sizeof(ssl_errstring));
2915 debug_printf("applying session to ssl: %s\n", ssl_errstring);
2916 }
2917 }
2918 else
2919 {
2920 DEBUG(D_tls) debug_printf("good session\n");
2921 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
f4e62a87 2922 tlsp->verify_override = dt->verify_override;
c82de233 2923 tlsp->ocsp = dt->ocsp;
b10c87b3
JH
2924 }
2925 }
2926 else
2927 DEBUG(D_tls) debug_printf("no session record\n");
2928 dbfn_close(dbm_file);
2929 }
2930 }
2931}
2932
2933
2934/* On the client, save the session for later resumption */
2935
2936static int
2937tls_save_session_cb(SSL * ssl, SSL_SESSION * ss)
2938{
2939tls_ext_ctx_cb * cbinfo = SSL_get_ex_data(ssl, tls_exdata_idx);
2940tls_support * tlsp;
2941
2942DEBUG(D_tls) debug_printf("tls_save_session_cb\n");
2943
2944if (!cbinfo || !(tlsp = cbinfo->tlsp)->host_resumable) return 0;
2945
40618fb6
JH
2946# ifdef OPENSSL_HAVE_NUM_TICKETS
2947if (SSL_SESSION_is_resumable(ss)) /* 1.1.1 */
2948# endif
b10c87b3
JH
2949 {
2950 int len = i2d_SSL_SESSION(ss, NULL);
2951 int dlen = sizeof(dbdata_tls_session) + len;
f3ebb786 2952 dbdata_tls_session * dt = store_get(dlen, TRUE);
b10c87b3
JH
2953 uschar * s = dt->session;
2954 open_db dbblock, * dbm_file;
2955
2956 DEBUG(D_tls) debug_printf("session is resumable\n");
2957 tlsp->resumption |= RESUME_SERVER_TICKET; /* server gave us a ticket */
2958
f4e62a87 2959 dt->verify_override = tlsp->verify_override;
c82de233 2960 dt->ocsp = tlsp->ocsp;
f4e62a87 2961 (void) i2d_SSL_SESSION(ss, &s); /* s gets bumped to end */
b10c87b3
JH
2962
2963 if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
2964 {
2965 const uschar * key = cbinfo->host->address;
2966 dbfn_delete(dbm_file, key);
2967 dbfn_write(dbm_file, key, dt, dlen);
2968 dbfn_close(dbm_file);
2969 DEBUG(D_tls) debug_printf("wrote session (len %u) to db\n",
2970 (unsigned)dlen);
2971 }
2972 }
b10c87b3
JH
2973return 1;
2974}
2975
2976
2977static void
2978tls_client_ctx_resume_prehandshake(
2979 exim_openssl_client_tls_ctx * exim_client_ctx, tls_support * tlsp,
2980 smtp_transport_options_block * ob, host_item * host)
2981{
2982/* Should the client request a session resumption ticket? */
2983if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, host) == OK)
2984 {
2985 tlsp->host_resumable = TRUE;
2986
2987 SSL_CTX_set_session_cache_mode(exim_client_ctx->ctx,
2988 SSL_SESS_CACHE_CLIENT
2989 | SSL_SESS_CACHE_NO_INTERNAL | SSL_SESS_CACHE_NO_AUTO_CLEAR);
2990 SSL_CTX_sess_set_new_cb(exim_client_ctx->ctx, tls_save_session_cb);
2991 }
2992}
2993
2994static BOOL
2995tls_client_ssl_resume_prehandshake(SSL * ssl, tls_support * tlsp,
2996 host_item * host, uschar ** errstr)
2997{
2998if (tlsp->host_resumable)
2999 {
3000 DEBUG(D_tls)
3001 debug_printf("tls_resumption_hosts overrides openssl_options, enabling tickets\n");
3002 SSL_clear_options(ssl, SSL_OP_NO_TICKET);
3003
3004 tls_exdata_idx = SSL_get_ex_new_index(0, 0, 0, 0, 0);
3005 if (!SSL_set_ex_data(ssl, tls_exdata_idx, client_static_cbinfo))
3006 {
3007 tls_error(US"set ex_data", host, NULL, errstr);
3008 return FALSE;
3009 }
3010 debug_printf("tls_exdata_idx %d cbinfo %p\n", tls_exdata_idx, client_static_cbinfo);
3011 }
3012
3013tlsp->resumption = RESUME_SUPPORTED;
3014/* Pick up a previous session, saved on an old ticket */
3015tls_retrieve_session(tlsp, ssl, host->address);
3016return TRUE;
3017}
3018
3019static void
3020tls_client_resume_posthandshake(exim_openssl_client_tls_ctx * exim_client_ctx,
3021 tls_support * tlsp)
3022{
3023if (SSL_session_reused(exim_client_ctx->ssl))
3024 {
3025 DEBUG(D_tls) debug_printf("The session was reused\n");
3026 tlsp->resumption |= RESUME_USED;
3027 }
3028}
3029#endif /* EXPERIMENTAL_TLS_RESUME */
3030
3031
059ec3d9
PH
3032/*************************************************
3033* Start a TLS session in a client *
3034*************************************************/
3035
3036/* Called from the smtp transport after STARTTLS has been accepted.
3037
c05bdbd6
JH
3038Arguments:
3039 cctx connection context
3040 conn_args connection details
3041 cookie datum for randomness; can be NULL
3042 tlsp record details of TLS channel configuration here; must be non-NULL
3043 errstr error string pointer
3044
3045Returns: TRUE for success with TLS session context set in connection context,
3046 FALSE on error
059ec3d9
PH
3047*/
3048
c05bdbd6
JH
3049BOOL
3050tls_client_start(client_conn_ctx * cctx, smtp_connect_args * conn_args,
3051 void * cookie, tls_support * tlsp, uschar ** errstr)
059ec3d9 3052{
c05bdbd6
JH
3053host_item * host = conn_args->host; /* for msgs and option-tests */
3054transport_instance * tb = conn_args->tblock; /* always smtp or NULL */
afdb5e9c
JH
3055smtp_transport_options_block * ob = tb
3056 ? (smtp_transport_options_block *)tb->options_block
3057 : &smtp_transport_option_defaults;
74f1a423 3058exim_openssl_client_tls_ctx * exim_client_ctx;
868f5672 3059uschar * expciphers;
059ec3d9 3060int rc;
c05bdbd6 3061static uschar peerdn[256];
043b1248
JH
3062
3063#ifndef DISABLE_OCSP
043b1248 3064BOOL request_ocsp = FALSE;
6634ac8d 3065BOOL require_ocsp = FALSE;
043b1248 3066#endif
043b1248 3067
74f1a423
JH
3068rc = store_pool;
3069store_pool = POOL_PERM;
f3ebb786 3070exim_client_ctx = store_get(sizeof(exim_openssl_client_tls_ctx), FALSE);
c09dbcfb 3071exim_client_ctx->corked = NULL;
74f1a423
JH
3072store_pool = rc;
3073
c0635b6d 3074#ifdef SUPPORT_DANE
74f1a423 3075tlsp->tlsa_usage = 0;
043b1248
JH
3076#endif
3077
f2de3a33 3078#ifndef DISABLE_OCSP
043b1248 3079 {
c0635b6d 3080# ifdef SUPPORT_DANE
c05bdbd6 3081 if ( conn_args->dane
4f59c424
JH
3082 && ob->hosts_request_ocsp[0] == '*'
3083 && ob->hosts_request_ocsp[1] == '\0'
3084 )
3085 {
3086 /* Unchanged from default. Use a safer one under DANE */
3087 request_ocsp = TRUE;
3088 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
3089 " {= {4}{$tls_out_tlsa_usage}} } "
3090 " {*}{}}";
3091 }
3092# endif
3093
5130845b 3094 if ((require_ocsp =
3c07dd2d 3095 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK))
fca41d5a
JH
3096 request_ocsp = TRUE;
3097 else
c0635b6d 3098# ifdef SUPPORT_DANE
4f59c424 3099 if (!request_ocsp)
fca41d5a 3100# endif
5130845b 3101 request_ocsp =
3c07dd2d 3102 verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
043b1248 3103 }
f5d78688 3104#endif
059ec3d9 3105
74f1a423 3106rc = tls_init(&exim_client_ctx->ctx, host, NULL,
65867078 3107 ob->tls_certificate, ob->tls_privatekey,
f2de3a33 3108#ifndef DISABLE_OCSP
44662487 3109 (void *)(long)request_ocsp,
3f7eeb86 3110#endif
b10c87b3 3111 cookie, &client_static_cbinfo, tlsp, errstr);
c05bdbd6 3112if (rc != OK) return FALSE;
059ec3d9 3113
74f1a423 3114tlsp->certificate_verified = FALSE;
a2ff477a 3115client_verify_callback_called = FALSE;
059ec3d9 3116
5ec37a55
PP
3117expciphers = NULL;
3118#ifdef SUPPORT_DANE
c05bdbd6 3119if (conn_args->dane)
5ec37a55
PP
3120 {
3121 /* We fall back to tls_require_ciphers if unset, empty or forced failure, but
3122 other failures should be treated as problems. */
3123 if (ob->dane_require_tls_ciphers &&
3124 !expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
3125 &expciphers, errstr))
c05bdbd6 3126 return FALSE;
5ec37a55
PP
3127 if (expciphers && *expciphers == '\0')
3128 expciphers = NULL;
3129 }
3130#endif
3131if (!expciphers &&
3132 !expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
3133 &expciphers, errstr))
c05bdbd6 3134 return FALSE;
059ec3d9
PH
3135
3136/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
3137are separated by underscores. So that I can use either form in my tests, and
3138also for general convenience, we turn underscores into hyphens here. */
3139
cf0c6164 3140if (expciphers)
059ec3d9
PH
3141 {
3142 uschar *s = expciphers;
cf0c6164 3143 while (*s) { if (*s == '_') *s = '-'; s++; }
059ec3d9 3144 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
74f1a423
JH
3145 if (!SSL_CTX_set_cipher_list(exim_client_ctx->ctx, CS expciphers))
3146 {
3147 tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr);
c05bdbd6 3148 return FALSE;
74f1a423 3149 }
059ec3d9
PH
3150 }
3151
c0635b6d 3152#ifdef SUPPORT_DANE
c05bdbd6 3153if (conn_args->dane)
a63be306 3154 {
74f1a423 3155 SSL_CTX_set_verify(exim_client_ctx->ctx,
02af313d
JH
3156 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
3157 verify_callback_client_dane);
e5cccda9 3158
043b1248 3159 if (!DANESSL_library_init())
74f1a423
JH
3160 {
3161 tls_error(US"library init", host, NULL, errstr);
c05bdbd6 3162 return FALSE;
74f1a423
JH
3163 }
3164 if (DANESSL_CTX_init(exim_client_ctx->ctx) <= 0)
3165 {
3166 tls_error(US"context init", host, NULL, errstr);
c05bdbd6 3167 return FALSE;
74f1a423 3168 }
043b1248
JH
3169 }
3170else
e51c7be2 3171
043b1248
JH
3172#endif
3173
74f1a423
JH
3174 if (tls_client_basic_ctx_init(exim_client_ctx->ctx, host, ob,
3175 client_static_cbinfo, errstr) != OK)
c05bdbd6 3176 return FALSE;
059ec3d9 3177
b10c87b3
JH
3178#ifdef EXPERIMENTAL_TLS_RESUME
3179tls_client_ctx_resume_prehandshake(exim_client_ctx, tlsp, ob, host);
3180#endif
3181
3182
74f1a423
JH
3183if (!(exim_client_ctx->ssl = SSL_new(exim_client_ctx->ctx)))
3184 {
3185 tls_error(US"SSL_new", host, NULL, errstr);
c05bdbd6 3186 return FALSE;
74f1a423
JH
3187 }
3188SSL_set_session_id_context(exim_client_ctx->ssl, sid_ctx, Ustrlen(sid_ctx));
b10c87b3 3189
c05bdbd6 3190SSL_set_fd(exim_client_ctx->ssl, cctx->sock);
74f1a423 3191SSL_set_connect_state(exim_client_ctx->ssl);
059ec3d9 3192
65867078 3193if (ob->tls_sni)
3f0945ff 3194 {
74f1a423 3195 if (!expand_check(ob->tls_sni, US"tls_sni", &tlsp->sni, errstr))
c05bdbd6 3196 return FALSE;
74f1a423 3197 if (!tlsp->sni)
2c9a0e86
PP
3198 {
3199 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
3200 }
74f1a423
JH
3201 else if (!Ustrlen(tlsp->sni))
3202 tlsp->sni = NULL;
3f0945ff
PP
3203 else
3204 {
35731706 3205#ifdef EXIM_HAVE_OPENSSL_TLSEXT
74f1a423
JH
3206 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tlsp->sni);
3207 SSL_set_tlsext_host_name(exim_client_ctx->ssl, tlsp->sni);
35731706 3208#else
66802652 3209 log_write(0, LOG_MAIN, "SNI unusable with this OpenSSL library version; ignoring \"%s\"\n",
74f1a423 3210 tlsp->sni);
35731706 3211#endif
3f0945ff
PP
3212 }
3213 }
3214
c0635b6d 3215#ifdef SUPPORT_DANE
c05bdbd6
JH
3216if (conn_args->dane)
3217 if (dane_tlsa_load(exim_client_ctx->ssl, host, &conn_args->tlsa_dnsa, errstr) != OK)
3218 return FALSE;
594706ea
JH
3219#endif
3220
f2de3a33 3221#ifndef DISABLE_OCSP
f5d78688
JH
3222/* Request certificate status at connection-time. If the server
3223does OCSP stapling we will get the callback (set in tls_init()) */
c0635b6d 3224# ifdef SUPPORT_DANE
44662487
JH
3225if (request_ocsp)
3226 {
594706ea 3227 const uschar * s;
41afb5cb
JH
3228 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
3229 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
594706ea
JH
3230 )
3231 { /* Re-eval now $tls_out_tlsa_usage is populated. If
3232 this means we avoid the OCSP request, we wasted the setup
3233 cost in tls_init(). */
3c07dd2d 3234 require_ocsp = verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
5130845b 3235 request_ocsp = require_ocsp
3c07dd2d 3236 || verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
594706ea
JH
3237 }
3238 }
b50c8b84
JH
3239# endif
3240
594706ea
JH
3241if (request_ocsp)
3242 {
74f1a423 3243 SSL_set_tlsext_status_type(exim_client_ctx->ssl, TLSEXT_STATUSTYPE_ocsp);
44662487 3244 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
74f1a423 3245 tlsp->ocsp = OCSP_NOT_RESP;
44662487 3246 }
f5d78688
JH
3247#endif
3248
c82de233
JH
3249#ifdef EXPERIMENTAL_TLS_RESUME
3250if (!tls_client_ssl_resume_prehandshake(exim_client_ctx->ssl, tlsp, host,
3251 errstr))
3252 return FALSE;
3253#endif
3254
0cbf2b82 3255#ifndef DISABLE_EVENT
afdb5e9c 3256client_static_cbinfo->event_action = tb ? tb->event_action : NULL;
a7538db1 3257#endif
043b1248 3258
059ec3d9
PH
3259/* There doesn't seem to be a built-in timeout on connection. */
3260
3261DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
3262sigalrm_seen = FALSE;
c2a1bba0 3263ALARM(ob->command_timeout);
74f1a423 3264rc = SSL_connect(exim_client_ctx->ssl);
c2a1bba0 3265ALARM_CLR(0);
059ec3d9 3266
c0635b6d 3267#ifdef SUPPORT_DANE
c05bdbd6 3268if (conn_args->dane)
74f1a423 3269 DANESSL_cleanup(exim_client_ctx->ssl);
043b1248
JH
3270#endif
3271
059ec3d9 3272if (rc <= 0)
74f1a423
JH
3273 {
3274 tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL, errstr);
c05bdbd6 3275 return FALSE;
74f1a423 3276 }
059ec3d9 3277
f20cfa4a
JH
3278DEBUG(D_tls)
3279 {
3280 debug_printf("SSL_connect succeeded\n");
3281#ifdef EXIM_HAVE_OPENSSL_KEYLOG
3282 {
10ed27e0
JH
3283 BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
3284 SSL_SESSION_print_keylog(bp, SSL_get_session(exim_client_ctx->ssl));
3285 BIO_free(bp);
f20cfa4a
JH
3286 }
3287#endif
3288 }
059ec3d9 3289
b10c87b3
JH
3290#ifdef EXPERIMENTAL_TLS_RESUME
3291tls_client_resume_posthandshake(exim_client_ctx, tlsp);
3292#endif
3293
74f1a423 3294peer_cert(exim_client_ctx->ssl, tlsp, peerdn, sizeof(peerdn));
059ec3d9 3295
5b195d6b
JH
3296tlsp->ver = tlsver_name(exim_client_ctx->ssl);
3297tlsp->cipher = construct_cipher_name(exim_client_ctx->ssl, tlsp->ver, &tlsp->bits);
f1be21cf 3298tlsp->cipher_stdname = cipher_stdname_ssl(exim_client_ctx->ssl);
059ec3d9 3299
9d1c15ef
JH
3300/* Record the certificate we presented */
3301 {
74f1a423
JH
3302 X509 * crt = SSL_get_certificate(exim_client_ctx->ssl);
3303 tlsp->ourcert = crt ? X509_dup(crt) : NULL;
9d1c15ef
JH
3304 }
3305
c05bdbd6 3306tlsp->active.sock = cctx->sock;
74f1a423 3307tlsp->active.tls_ctx = exim_client_ctx;
c05bdbd6
JH
3308cctx->tls_ctx = exim_client_ctx;
3309return TRUE;
059ec3d9
PH
3310}
3311
3312
3313
3314
3315
0d81dabc
JH
3316static BOOL
3317tls_refill(unsigned lim)
3318{
3319int error;
3320int inbytes;
3321
3322DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,