DNS resolver init changes for NetBSD compatibility.
[exim.git] / src / src / tls-openssl.c
CommitLineData
059ec3d9
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
0a49a7a4 5/* Copyright (c) University of Cambridge 1995 - 2009 */
059ec3d9
PH
6/* See the file NOTICE for conditions of use and distribution. */
7
8/* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
9library. It is #included into the tls.c file when that library is used. The
10code herein is based on a patch that was originally contributed by Steve
11Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
12
13No cryptographic code is included in Exim. All this module does is to call
14functions from the OpenSSL library. */
15
16
17/* Heading stuff */
18
19#include <openssl/lhash.h>
20#include <openssl/ssl.h>
21#include <openssl/err.h>
22#include <openssl/rand.h>
23
24/* Structure for collecting random data for seeding. */
25
26typedef struct randstuff {
9e3331ea
TK
27 struct timeval tv;
28 pid_t p;
059ec3d9
PH
29} randstuff;
30
31/* Local static variables */
32
33static BOOL verify_callback_called = FALSE;
34static const uschar *sid_ctx = US"exim";
35
36static SSL_CTX *ctx = NULL;
7be682ca 37static SSL_CTX *ctx_sni = NULL;
059ec3d9
PH
38static SSL *ssl = NULL;
39
40static char ssl_errstring[256];
41
42static int ssl_session_timeout = 200;
43static BOOL verify_optional = FALSE;
44
7be682ca 45static BOOL reexpand_tls_files_for_sni = FALSE;
059ec3d9
PH
46
47
7be682ca
PP
48typedef struct tls_ext_ctx_cb {
49 uschar *certificate;
50 uschar *privatekey;
51 uschar *dhparam;
52 /* these are cached from first expand */
53 uschar *server_cipher_list;
54 /* only passed down to tls_error: */
55 host_item *host;
56} tls_ext_ctx_cb;
57
58/* should figure out a cleanup of API to handle state preserved per
59implementation, for various reasons, which can be void * in the APIs.
60For now, we hack around it. */
61tls_ext_ctx_cb *static_cbinfo = NULL;
62
63static int
64setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional);
059ec3d9
PH
65
66
67/*************************************************
68* Handle TLS error *
69*************************************************/
70
71/* Called from lots of places when errors occur before actually starting to do
72the TLS handshake, that is, while the session is still in clear. Always returns
73DEFER for a server and FAIL for a client so that most calls can use "return
74tls_error(...)" to do this processing and then give an appropriate return. A
75single function is used for both server and client, because it is called from
76some shared functions.
77
78Argument:
79 prefix text to include in the logged error
80 host NULL if setting up a server;
81 the connected host if setting up a client
7199e1ee 82 msg error message or NULL if we should ask OpenSSL
059ec3d9
PH
83
84Returns: OK/DEFER/FAIL
85*/
86
87static int
7199e1ee 88tls_error(uschar *prefix, host_item *host, uschar *msg)
059ec3d9 89{
7199e1ee
TF
90if (msg == NULL)
91 {
92 ERR_error_string(ERR_get_error(), ssl_errstring);
5ca6d115 93 msg = (uschar *)ssl_errstring;
7199e1ee
TF
94 }
95
059ec3d9
PH
96if (host == NULL)
97 {
7199e1ee 98 uschar *conn_info = smtp_get_connection_info();
5ca6d115 99 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0)
7199e1ee
TF
100 conn_info += 5;
101 log_write(0, LOG_MAIN, "TLS error on %s (%s): %s",
102 conn_info, prefix, msg);
059ec3d9
PH
103 return DEFER;
104 }
105else
106 {
107 log_write(0, LOG_MAIN, "TLS error on connection to %s [%s] (%s): %s",
7199e1ee 108 host->name, host->address, prefix, msg);
059ec3d9
PH
109 return FAIL;
110 }
111}
112
113
114
115/*************************************************
116* Callback to generate RSA key *
117*************************************************/
118
119/*
120Arguments:
121 s SSL connection
122 export not used
123 keylength keylength
124
125Returns: pointer to generated key
126*/
127
128static RSA *
129rsa_callback(SSL *s, int export, int keylength)
130{
131RSA *rsa_key;
132export = export; /* Shut picky compilers up */
133DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
134rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL);
135if (rsa_key == NULL)
136 {
137 ERR_error_string(ERR_get_error(), ssl_errstring);
138 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
139 ssl_errstring);
140 return NULL;
141 }
142return rsa_key;
143}
144
145
146
147
148/*************************************************
149* Callback for verification *
150*************************************************/
151
152/* The SSL library does certificate verification if set up to do so. This
153callback has the current yes/no state is in "state". If verification succeeded,
154we set up the tls_peerdn string. If verification failed, what happens depends
155on whether the client is required to present a verifiable certificate or not.
156
157If verification is optional, we change the state to yes, but still log the
158verification error. For some reason (it really would help to have proper
159documentation of OpenSSL), this callback function then gets called again, this
160time with state = 1. In fact, that's useful, because we can set up the peerdn
161value, but we must take care not to set the private verified flag on the second
162time through.
163
164Note: this function is not called if the client fails to present a certificate
165when asked. We get here only if a certificate has been received. Handling of
166optional verification for this case is done when requesting SSL to verify, by
167setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
168
169Arguments:
170 state current yes/no state as 1/0
171 x509ctx certificate information.
172
173Returns: 1 if verified, 0 if not
174*/
175
176static int
177verify_callback(int state, X509_STORE_CTX *x509ctx)
178{
179static uschar txt[256];
180
181X509_NAME_oneline(X509_get_subject_name(x509ctx->current_cert),
182 CS txt, sizeof(txt));
183
184if (state == 0)
185 {
186 log_write(0, LOG_MAIN, "SSL verify error: depth=%d error=%s cert=%s",
187 x509ctx->error_depth,
188 X509_verify_cert_error_string(x509ctx->error),
189 txt);
190 tls_certificate_verified = FALSE;
191 verify_callback_called = TRUE;
192 if (!verify_optional) return 0; /* reject */
193 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
194 "tls_try_verify_hosts)\n");
195 return 1; /* accept */
196 }
197
198if (x509ctx->error_depth != 0)
199 {
200 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d cert=%s\n",
201 x509ctx->error_depth, txt);
202 }
203else
204 {
205 DEBUG(D_tls) debug_printf("SSL%s peer: %s\n",
206 verify_callback_called? "" : " authenticated", txt);
207 tls_peerdn = txt;
208 }
209
059ec3d9
PH
210if (!verify_callback_called) tls_certificate_verified = TRUE;
211verify_callback_called = TRUE;
212
213return 1; /* accept */
214}
215
216
217
218/*************************************************
219* Information callback *
220*************************************************/
221
222/* The SSL library functions call this from time to time to indicate what they
7be682ca
PP
223are doing. We copy the string to the debugging output when TLS debugging has
224been requested.
059ec3d9
PH
225
226Arguments:
227 s the SSL connection
228 where
229 ret
230
231Returns: nothing
232*/
233
234static void
235info_callback(SSL *s, int where, int ret)
236{
237where = where;
238ret = ret;
239DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
240}
241
242
243
244/*************************************************
245* Initialize for DH *
246*************************************************/
247
248/* If dhparam is set, expand it, and load up the parameters for DH encryption.
249
250Arguments:
251 dhparam DH parameter file
7199e1ee 252 host connected host, if client; NULL if server
059ec3d9
PH
253
254Returns: TRUE if OK (nothing to set up, or setup worked)
255*/
256
257static BOOL
7199e1ee 258init_dh(uschar *dhparam, host_item *host)
059ec3d9
PH
259{
260BOOL yield = TRUE;
261BIO *bio;
262DH *dh;
263uschar *dhexpanded;
264
265if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded))
266 return FALSE;
267
268if (dhexpanded == NULL) return TRUE;
269
270if ((bio = BIO_new_file(CS dhexpanded, "r")) == NULL)
271 {
7199e1ee 272 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
5ca6d115 273 host, (uschar *)strerror(errno));
059ec3d9
PH
274 yield = FALSE;
275 }
276else
277 {
278 if ((dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)) == NULL)
279 {
7199e1ee
TF
280 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
281 host, NULL);
059ec3d9
PH
282 yield = FALSE;
283 }
284 else
285 {
286 SSL_CTX_set_tmp_dh(ctx, dh);
287 DEBUG(D_tls)
288 debug_printf("Diffie-Hellman initialized from %s with %d-bit key\n",
289 dhexpanded, 8*DH_size(dh));
290 DH_free(dh);
291 }
292 BIO_free(bio);
293 }
294
295return yield;
296}
297
298
299
300
301/*************************************************
7be682ca
PP
302* Expand key and cert file specs *
303*************************************************/
304
305/* Called once during tls_init and possibly againt during TLS setup, for a
306new context, if Server Name Indication was used and tls_sni was seen in
307the certificate string.
308
309Arguments:
310 sctx the SSL_CTX* to update
311 cbinfo various parts of session state
312
313Returns: OK/DEFER/FAIL
314*/
315
316static int
317tls_expand_session_files(SSL_CTX *sctx, const tls_ext_ctx_cb *cbinfo)
318{
319uschar *expanded;
320
321if (cbinfo->certificate == NULL)
322 return OK;
323
324if (Ustrstr(cbinfo->certificate, US"tls_sni"))
325 reexpand_tls_files_for_sni = TRUE;
326
327if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded))
328 return DEFER;
329
330if (expanded != NULL)
331 {
332 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded);
333 if (!SSL_CTX_use_certificate_chain_file(sctx, CS expanded))
334 return tls_error(string_sprintf(
335 "SSL_CTX_use_certificate_chain_file file=%s", expanded),
336 cbinfo->host, NULL);
337 }
338
339if (cbinfo->privatekey != NULL &&
340 !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded))
341 return DEFER;
342
343/* If expansion was forced to fail, key_expanded will be NULL. If the result
344of the expansion is an empty string, ignore it also, and assume the private
345key is in the same file as the certificate. */
346
347if (expanded != NULL && *expanded != 0)
348 {
349 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
350 if (!SSL_CTX_use_PrivateKey_file(sctx, CS expanded, SSL_FILETYPE_PEM))
351 return tls_error(string_sprintf(
352 "SSL_CTX_use_PrivateKey_file file=%s", expanded), cbinfo->host, NULL);
353 }
354
355return OK;
356}
357
358
359
360
361/*************************************************
362* Callback to handle SNI *
363*************************************************/
364
365/* Called when acting as server during the TLS session setup if a Server Name
366Indication extension was sent by the client.
367
368API documentation is OpenSSL s_server.c implementation.
369
370Arguments:
371 s SSL* of the current session
372 ad unknown (part of OpenSSL API) (unused)
373 arg Callback of "our" registered data
374
375Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
376*/
377
378static int
379tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
380/* pre-declared for SSL_CTX_set_tlsext_servername_callback call within func */
381
382static int
383tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
384{
385const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
386const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
387int rc;
3f0945ff 388int old_pool = store_pool;
7be682ca
PP
389
390if (!servername)
391 return SSL_TLSEXT_ERR_OK;
392
3f0945ff 393DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
7be682ca
PP
394 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
395
396/* Make the extension value available for expansion */
3f0945ff
PP
397store_pool = POOL_PERM;
398tls_sni = string_copy(US servername);
399store_pool = old_pool;
7be682ca
PP
400
401if (!reexpand_tls_files_for_sni)
402 return SSL_TLSEXT_ERR_OK;
403
404/* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
405not confident that memcpy wouldn't break some internal reference counting.
406Especially since there's a references struct member, which would be off. */
407
408ctx_sni = SSL_CTX_new(SSLv23_server_method());
409if (!ctx_sni)
410 {
411 ERR_error_string(ERR_get_error(), ssl_errstring);
412 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
413 return SSL_TLSEXT_ERR_NOACK;
414 }
415
416/* Not sure how many of these are actually needed, since SSL object
417already exists. Might even need this selfsame callback, for reneg? */
418
419SSL_CTX_set_info_callback(ctx_sni, SSL_CTX_get_info_callback(ctx));
420SSL_CTX_set_mode(ctx_sni, SSL_CTX_get_mode(ctx));
421SSL_CTX_set_options(ctx_sni, SSL_CTX_get_options(ctx));
422SSL_CTX_set_timeout(ctx_sni, SSL_CTX_get_timeout(ctx));
423SSL_CTX_set_tlsext_servername_callback(ctx_sni, tls_servername_cb);
424SSL_CTX_set_tlsext_servername_arg(ctx_sni, cbinfo);
425if (cbinfo->server_cipher_list)
426 SSL_CTX_set_cipher_list(ctx_sni, CS cbinfo->server_cipher_list);
427
428rc = tls_expand_session_files(ctx_sni, cbinfo);
429if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
430
431rc = setup_certs(ctx_sni, tls_verify_certificates, tls_crl, NULL, FALSE);
432if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
433
434DEBUG(D_tls) debug_printf("Switching SSL context.\n");
435SSL_set_SSL_CTX(s, ctx_sni);
436
437return SSL_TLSEXT_ERR_OK;
438}
439
440
441
442
443/*************************************************
059ec3d9
PH
444* Initialize for TLS *
445*************************************************/
446
447/* Called from both server and client code, to do preliminary initialization of
448the library.
449
450Arguments:
451 host connected host, if client; NULL if server
452 dhparam DH parameter file
453 certificate certificate file
454 privatekey private key
455 addr address if client; NULL if server (for some randomness)
456
457Returns: OK/DEFER/FAIL
458*/
459
460static int
c91535f3
PH
461tls_init(host_item *host, uschar *dhparam, uschar *certificate,
462 uschar *privatekey, address_item *addr)
059ec3d9 463{
77bb000f 464long init_options;
7be682ca 465int rc;
77bb000f 466BOOL okay;
7be682ca
PP
467tls_ext_ctx_cb *cbinfo;
468
469cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
470cbinfo->certificate = certificate;
471cbinfo->privatekey = privatekey;
472cbinfo->dhparam = dhparam;
473cbinfo->host = host;
77bb000f 474
059ec3d9
PH
475SSL_load_error_strings(); /* basic set up */
476OpenSSL_add_ssl_algorithms();
477
388d6564 478#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
77bb000f 479/* SHA256 is becoming ever more popular. This makes sure it gets added to the
a0475b69
TK
480list of available digests. */
481EVP_add_digest(EVP_sha256());
cf1ef1a9 482#endif
a0475b69 483
059ec3d9
PH
484/* Create a context */
485
486ctx = SSL_CTX_new((host == NULL)?
487 SSLv23_server_method() : SSLv23_client_method());
488
7199e1ee 489if (ctx == NULL) return tls_error(US"SSL_CTX_new", host, NULL);
059ec3d9
PH
490
491/* It turns out that we need to seed the random number generator this early in
492order to get the full complement of ciphers to work. It took me roughly a day
493of work to discover this by experiment.
494
495On systems that have /dev/urandom, SSL may automatically seed itself from
496there. Otherwise, we have to make something up as best we can. Double check
497afterwards. */
498
499if (!RAND_status())
500 {
501 randstuff r;
9e3331ea 502 gettimeofday(&r.tv, NULL);
059ec3d9
PH
503 r.p = getpid();
504
505 RAND_seed((uschar *)(&r), sizeof(r));
506 RAND_seed((uschar *)big_buffer, big_buffer_size);
507 if (addr != NULL) RAND_seed((uschar *)addr, sizeof(addr));
508
509 if (!RAND_status())
7199e1ee 510 return tls_error(US"RAND_status", host,
5ca6d115 511 US"unable to seed random number generator");
059ec3d9
PH
512 }
513
514/* Set up the information callback, which outputs if debugging is at a suitable
515level. */
516
58c01c94 517SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
059ec3d9 518
c80c5570
PP
519/* Automatically re-try reads/writes after renegotiation. */
520(void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
521
77bb000f
PP
522/* Apply administrator-supplied work-arounds.
523Historically we applied just one requested option,
524SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
525moved to an administrator-controlled list of options to specify and
526grandfathered in the first one as the default value for "openssl_options".
059ec3d9 527
77bb000f
PP
528No OpenSSL version number checks: the options we accept depend upon the
529availability of the option value macros from OpenSSL. */
059ec3d9 530
77bb000f
PP
531okay = tls_openssl_options_parse(openssl_options, &init_options);
532if (!okay)
73a46702 533 return tls_error(US"openssl_options parsing failed", host, NULL);
77bb000f
PP
534
535if (init_options)
536 {
537 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
538 if (!(SSL_CTX_set_options(ctx, init_options)))
539 return tls_error(string_sprintf(
540 "SSL_CTX_set_option(%#lx)", init_options), host, NULL);
541 }
542else
543 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
059ec3d9
PH
544
545/* Initialize with DH parameters if supplied */
546
7199e1ee 547if (!init_dh(dhparam, host)) return DEFER;
059ec3d9
PH
548
549/* Set up certificate and key */
550
7be682ca
PP
551rc = tls_expand_session_files(ctx, cbinfo);
552if (rc != OK) return rc;
c91535f3 553
7be682ca
PP
554/* If we need to handle SNI, do so */
555#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
3f0945ff
PP
556if (host == NULL)
557 {
558 /* We always do this, so that $tls_sni is available even if not used in
559 tls_certificate */
560 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
561 SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
562 }
7be682ca 563#endif
059ec3d9
PH
564
565/* Set up the RSA callback */
566
567SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
568
569/* Finally, set the timeout, and we are done */
570
571SSL_CTX_set_timeout(ctx, ssl_session_timeout);
572DEBUG(D_tls) debug_printf("Initialized TLS\n");
7be682ca
PP
573
574static_cbinfo = cbinfo;
575
059ec3d9
PH
576return OK;
577}
578
579
580
581
582/*************************************************
583* Get name of cipher in use *
584*************************************************/
585
586/* The answer is left in a static buffer, and tls_cipher is set to point
587to it.
588
589Argument: pointer to an SSL structure for the connection
590Returns: nothing
591*/
592
593static void
594construct_cipher_name(SSL *ssl)
595{
596static uschar cipherbuf[256];
57b3a7f5
PP
597/* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't
598yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
599the accessor functions use const in the prototype. */
600const SSL_CIPHER *c;
059ec3d9 601uschar *ver;
059ec3d9
PH
602
603switch (ssl->session->ssl_version)
604 {
605 case SSL2_VERSION:
606 ver = US"SSLv2";
607 break;
608
609 case SSL3_VERSION:
610 ver = US"SSLv3";
611 break;
612
613 case TLS1_VERSION:
614 ver = US"TLSv1";
615 break;
616
c80c5570
PP
617#ifdef TLS1_1_VERSION
618 case TLS1_1_VERSION:
619 ver = US"TLSv1.1";
620 break;
621#endif
622
623#ifdef TLS1_2_VERSION
624 case TLS1_2_VERSION:
625 ver = US"TLSv1.2";
626 break;
627#endif
628
059ec3d9
PH
629 default:
630 ver = US"UNKNOWN";
631 }
632
57b3a7f5 633c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
edc33b5f 634SSL_CIPHER_get_bits(c, &tls_bits);
059ec3d9
PH
635
636string_format(cipherbuf, sizeof(cipherbuf), "%s:%s:%u", ver,
edc33b5f 637 SSL_CIPHER_get_name(c), tls_bits);
059ec3d9
PH
638tls_cipher = cipherbuf;
639
640DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
641}
642
643
644
645
646
647/*************************************************
648* Set up for verifying certificates *
649*************************************************/
650
651/* Called by both client and server startup
652
653Arguments:
7be682ca 654 sctx SSL_CTX* to initialise
059ec3d9
PH
655 certs certs file or NULL
656 crl CRL file or NULL
657 host NULL in a server; the remote host in a client
658 optional TRUE if called from a server for a host in tls_try_verify_hosts;
659 otherwise passed as FALSE
660
661Returns: OK/DEFER/FAIL
662*/
663
664static int
7be682ca 665setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional)
059ec3d9
PH
666{
667uschar *expcerts, *expcrl;
668
669if (!expand_check(certs, US"tls_verify_certificates", &expcerts))
670 return DEFER;
671
672if (expcerts != NULL)
673 {
674 struct stat statbuf;
7be682ca 675 if (!SSL_CTX_set_default_verify_paths(sctx))
7199e1ee 676 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
059ec3d9
PH
677
678 if (Ustat(expcerts, &statbuf) < 0)
679 {
680 log_write(0, LOG_MAIN|LOG_PANIC,
681 "failed to stat %s for certificates", expcerts);
682 return DEFER;
683 }
684 else
685 {
686 uschar *file, *dir;
687 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
688 { file = NULL; dir = expcerts; }
689 else
690 { file = expcerts; dir = NULL; }
691
692 /* If a certificate file is empty, the next function fails with an
693 unhelpful error message. If we skip it, we get the correct behaviour (no
694 certificates are recognized, but the error message is still misleading (it
695 says no certificate was supplied.) But this is better. */
696
697 if ((file == NULL || statbuf.st_size > 0) &&
7be682ca 698 !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
7199e1ee 699 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL);
059ec3d9
PH
700
701 if (file != NULL)
702 {
7be682ca 703 SSL_CTX_set_client_CA_list(sctx, SSL_load_client_CA_file(CS file));
059ec3d9
PH
704 }
705 }
706
707 /* Handle a certificate revocation list. */
708
709 #if OPENSSL_VERSION_NUMBER > 0x00907000L
710
8b417f2c
PH
711 /* This bit of code is now the version supplied by Lars Mainka. (I have
712 * merely reformatted it into the Exim code style.)
713
714 * "From here I changed the code to add support for multiple crl's
715 * in pem format in one file or to support hashed directory entries in
716 * pem format instead of a file. This method now uses the library function
717 * X509_STORE_load_locations to add the CRL location to the SSL context.
718 * OpenSSL will then handle the verify against CA certs and CRLs by
719 * itself in the verify callback." */
720
059ec3d9
PH
721 if (!expand_check(crl, US"tls_crl", &expcrl)) return DEFER;
722 if (expcrl != NULL && *expcrl != 0)
723 {
8b417f2c
PH
724 struct stat statbufcrl;
725 if (Ustat(expcrl, &statbufcrl) < 0)
726 {
727 log_write(0, LOG_MAIN|LOG_PANIC,
728 "failed to stat %s for certificates revocation lists", expcrl);
729 return DEFER;
730 }
731 else
059ec3d9 732 {
8b417f2c
PH
733 /* is it a file or directory? */
734 uschar *file, *dir;
7be682ca 735 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
8b417f2c 736 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
059ec3d9 737 {
8b417f2c
PH
738 file = NULL;
739 dir = expcrl;
740 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
059ec3d9
PH
741 }
742 else
743 {
8b417f2c
PH
744 file = expcrl;
745 dir = NULL;
746 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
059ec3d9 747 }
8b417f2c 748 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
7199e1ee 749 return tls_error(US"X509_STORE_load_locations", host, NULL);
8b417f2c
PH
750
751 /* setting the flags to check against the complete crl chain */
752
753 X509_STORE_set_flags(cvstore,
754 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
059ec3d9 755 }
059ec3d9
PH
756 }
757
758 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
759
760 /* If verification is optional, don't fail if no certificate */
761
7be682ca 762 SSL_CTX_set_verify(sctx,
059ec3d9
PH
763 SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
764 verify_callback);
765 }
766
767return OK;
768}
769
770
771
772/*************************************************
773* Start a TLS session in a server *
774*************************************************/
775
776/* This is called when Exim is running as a server, after having received
777the STARTTLS command. It must respond to that command, and then negotiate
778a TLS session.
779
780Arguments:
781 require_ciphers allowed ciphers
83da1223
PH
782 ------------------------------------------------------
783 require_mac list of allowed MACs ) Not used
784 require_kx list of allowed key_exchange methods ) for
785 require_proto list of allowed protocols ) OpenSSL
786 ------------------------------------------------------
059ec3d9
PH
787
788Returns: OK on success
789 DEFER for errors before the start of the negotiation
790 FAIL for errors during the negotation; the server can't
791 continue running.
792*/
793
794int
83da1223
PH
795tls_server_start(uschar *require_ciphers, uschar *require_mac,
796 uschar *require_kx, uschar *require_proto)
059ec3d9
PH
797{
798int rc;
799uschar *expciphers;
7be682ca 800tls_ext_ctx_cb *cbinfo;
059ec3d9
PH
801
802/* Check for previous activation */
803
804if (tls_active >= 0)
805 {
5ca6d115 806 tls_error(US"STARTTLS received after TLS started", NULL, US"");
059ec3d9
PH
807 smtp_printf("554 Already in TLS\r\n");
808 return FAIL;
809 }
810
811/* Initialize the SSL library. If it fails, it will already have logged
812the error. */
813
814rc = tls_init(NULL, tls_dhparam, tls_certificate, tls_privatekey, NULL);
815if (rc != OK) return rc;
7be682ca 816cbinfo = static_cbinfo;
059ec3d9
PH
817
818if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
819 return FAIL;
820
821/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
822are separated by underscores. So that I can use either form in my tests, and
823also for general convenience, we turn underscores into hyphens here. */
824
825if (expciphers != NULL)
826 {
827 uschar *s = expciphers;
828 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
829 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
830 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
7199e1ee 831 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL);
7be682ca 832 cbinfo->server_cipher_list = expciphers;
059ec3d9
PH
833 }
834
835/* If this is a host for which certificate verification is mandatory or
836optional, set up appropriately. */
837
838tls_certificate_verified = FALSE;
839verify_callback_called = FALSE;
840
841if (verify_check_host(&tls_verify_hosts) == OK)
842 {
7be682ca 843 rc = setup_certs(ctx, tls_verify_certificates, tls_crl, NULL, FALSE);
059ec3d9
PH
844 if (rc != OK) return rc;
845 verify_optional = FALSE;
846 }
847else if (verify_check_host(&tls_try_verify_hosts) == OK)
848 {
7be682ca 849 rc = setup_certs(ctx, tls_verify_certificates, tls_crl, NULL, TRUE);
059ec3d9
PH
850 if (rc != OK) return rc;
851 verify_optional = TRUE;
852 }
853
854/* Prepare for new connection */
855
7199e1ee 856if ((ssl = SSL_new(ctx)) == NULL) return tls_error(US"SSL_new", NULL, NULL);
da3ad30d
PP
857
858/* Warning: we used to SSL_clear(ssl) here, it was removed.
859 *
860 * With the SSL_clear(), we get strange interoperability bugs with
861 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
862 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
863 *
864 * The SSL_clear() call is to let an existing SSL* be reused, typically after
865 * session shutdown. In this case, we have a brand new object and there's no
866 * obvious reason to immediately clear it. I'm guessing that this was
867 * originally added because of incomplete initialisation which the clear fixed,
868 * in some historic release.
869 */
059ec3d9
PH
870
871/* Set context and tell client to go ahead, except in the case of TLS startup
872on connection, where outputting anything now upsets the clients and tends to
873make them disconnect. We need to have an explicit fflush() here, to force out
874the response. Other smtp_printf() calls do not need it, because in non-TLS
875mode, the fflush() happens when smtp_getc() is called. */
876
877SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
878if (!tls_on_connect)
879 {
880 smtp_printf("220 TLS go ahead\r\n");
881 fflush(smtp_out);
882 }
883
884/* Now negotiate the TLS session. We put our own timer on it, since it seems
885that the OpenSSL library doesn't. */
886
56f5d9bd
PH
887SSL_set_wfd(ssl, fileno(smtp_out));
888SSL_set_rfd(ssl, fileno(smtp_in));
059ec3d9
PH
889SSL_set_accept_state(ssl);
890
891DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
892
893sigalrm_seen = FALSE;
894if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
895rc = SSL_accept(ssl);
896alarm(0);
897
898if (rc <= 0)
899 {
7199e1ee 900 tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL);
77bb000f
PP
901 if (ERR_get_error() == 0)
902 log_write(0, LOG_MAIN,
a053d125 903 "TLS client disconnected cleanly (rejected our certificate?)");
059ec3d9
PH
904 return FAIL;
905 }
906
907DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
908
909/* TLS has been set up. Adjust the input functions to read via TLS,
910and initialize things. */
911
912construct_cipher_name(ssl);
913
914DEBUG(D_tls)
915 {
916 uschar buf[2048];
917 if (SSL_get_shared_ciphers(ssl, CS buf, sizeof(buf)) != NULL)
918 debug_printf("Shared ciphers: %s\n", buf);
919 }
920
921
922ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
923ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
924ssl_xfer_eof = ssl_xfer_error = 0;
925
926receive_getc = tls_getc;
927receive_ungetc = tls_ungetc;
928receive_feof = tls_feof;
929receive_ferror = tls_ferror;
58eb016e 930receive_smtp_buffered = tls_smtp_buffered;
059ec3d9
PH
931
932tls_active = fileno(smtp_out);
933return OK;
934}
935
936
937
938
939
940/*************************************************
941* Start a TLS session in a client *
942*************************************************/
943
944/* Called from the smtp transport after STARTTLS has been accepted.
945
946Argument:
947 fd the fd of the connection
948 host connected host (for messages)
83da1223 949 addr the first address
059ec3d9
PH
950 dhparam DH parameter file
951 certificate certificate file
952 privatekey private key file
3f0945ff 953 sni TLS SNI to send to remote host
059ec3d9
PH
954 verify_certs file for certificate verify
955 crl file containing CRL
956 require_ciphers list of allowed ciphers
83da1223
PH
957 ------------------------------------------------------
958 require_mac list of allowed MACs ) Not used
959 require_kx list of allowed key_exchange methods ) for
960 require_proto list of allowed protocols ) OpenSSL
961 ------------------------------------------------------
962 timeout startup timeout
059ec3d9
PH
963
964Returns: OK on success
965 FAIL otherwise - note that tls_error() will not give DEFER
966 because this is not a server
967*/
968
969int
970tls_client_start(int fd, host_item *host, address_item *addr, uschar *dhparam,
3f0945ff
PP
971 uschar *certificate, uschar *privatekey, uschar *sni,
972 uschar *verify_certs, uschar *crl,
83da1223
PH
973 uschar *require_ciphers, uschar *require_mac, uschar *require_kx,
974 uschar *require_proto, int timeout)
059ec3d9
PH
975{
976static uschar txt[256];
977uschar *expciphers;
978X509* server_cert;
979int rc;
980
981rc = tls_init(host, dhparam, certificate, privatekey, addr);
982if (rc != OK) return rc;
983
984tls_certificate_verified = FALSE;
985verify_callback_called = FALSE;
986
987if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
988 return FAIL;
989
990/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
991are separated by underscores. So that I can use either form in my tests, and
992also for general convenience, we turn underscores into hyphens here. */
993
994if (expciphers != NULL)
995 {
996 uschar *s = expciphers;
997 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
998 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
999 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
7199e1ee 1000 return tls_error(US"SSL_CTX_set_cipher_list", host, NULL);
059ec3d9
PH
1001 }
1002
7be682ca 1003rc = setup_certs(ctx, verify_certs, crl, host, FALSE);
059ec3d9
PH
1004if (rc != OK) return rc;
1005
7199e1ee 1006if ((ssl = SSL_new(ctx)) == NULL) return tls_error(US"SSL_new", host, NULL);
059ec3d9
PH
1007SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
1008SSL_set_fd(ssl, fd);
1009SSL_set_connect_state(ssl);
1010
3f0945ff
PP
1011if (sni)
1012 {
1013 if (!expand_check(sni, US"tls_sni", &tls_sni))
1014 return FAIL;
1015 if (!Ustrlen(tls_sni))
1016 tls_sni = NULL;
1017 else
1018 {
1019 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tls_sni);
1020 SSL_set_tlsext_host_name(ssl, tls_sni);
1021 }
1022 }
1023
059ec3d9
PH
1024/* There doesn't seem to be a built-in timeout on connection. */
1025
1026DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
1027sigalrm_seen = FALSE;
1028alarm(timeout);
1029rc = SSL_connect(ssl);
1030alarm(0);
1031
1032if (rc <= 0)
7199e1ee 1033 return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL);
059ec3d9
PH
1034
1035DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
1036
453a6645 1037/* Beware anonymous ciphers which lead to server_cert being NULL */
059ec3d9 1038server_cert = SSL_get_peer_certificate (ssl);
453a6645
PP
1039if (server_cert)
1040 {
1041 tls_peerdn = US X509_NAME_oneline(X509_get_subject_name(server_cert),
1042 CS txt, sizeof(txt));
1043 tls_peerdn = txt;
1044 }
1045else
1046 tls_peerdn = NULL;
059ec3d9
PH
1047
1048construct_cipher_name(ssl); /* Sets tls_cipher */
1049
1050tls_active = fd;
1051return OK;
1052}
1053
1054
1055
1056
1057
1058/*************************************************
1059* TLS version of getc *
1060*************************************************/
1061
1062/* This gets the next byte from the TLS input buffer. If the buffer is empty,
1063it refills the buffer via the SSL reading function.
1064
1065Arguments: none
1066Returns: the next character or EOF
1067*/
1068
1069int
1070tls_getc(void)
1071{
1072if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
1073 {
1074 int error;
1075 int inbytes;
1076
c80c5570
PP
1077 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
1078 ssl_xfer_buffer, ssl_xfer_buffer_size);
059ec3d9
PH
1079
1080 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
1081 inbytes = SSL_read(ssl, CS ssl_xfer_buffer, ssl_xfer_buffer_size);
1082 error = SSL_get_error(ssl, inbytes);
1083 alarm(0);
1084
1085 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
1086 closed down, not that the socket itself has been closed down. Revert to
1087 non-SSL handling. */
1088
1089 if (error == SSL_ERROR_ZERO_RETURN)
1090 {
1091 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
1092
1093 receive_getc = smtp_getc;
1094 receive_ungetc = smtp_ungetc;
1095 receive_feof = smtp_feof;
1096 receive_ferror = smtp_ferror;
58eb016e 1097 receive_smtp_buffered = smtp_buffered;
059ec3d9
PH
1098
1099 SSL_free(ssl);
1100 ssl = NULL;
1101 tls_active = -1;
3f0945ff 1102 tls_bits = 0;
059ec3d9
PH
1103 tls_cipher = NULL;
1104 tls_peerdn = NULL;
3f0945ff 1105 tls_sni = NULL;
059ec3d9
PH
1106
1107 return smtp_getc();
1108 }
1109
1110 /* Handle genuine errors */
1111
ba084640
PP
1112 else if (error == SSL_ERROR_SSL)
1113 {
1114 ERR_error_string(ERR_get_error(), ssl_errstring);
89dd51cd 1115 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
ba084640
PP
1116 ssl_xfer_error = 1;
1117 return EOF;
1118 }
1119
059ec3d9
PH
1120 else if (error != SSL_ERROR_NONE)
1121 {
1122 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
1123 ssl_xfer_error = 1;
1124 return EOF;
1125 }
c80c5570 1126
80a47a2c
TK
1127#ifndef DISABLE_DKIM
1128 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
1129#endif
059ec3d9
PH
1130 ssl_xfer_buffer_hwm = inbytes;
1131 ssl_xfer_buffer_lwm = 0;
1132 }
1133
1134/* Something in the buffer; return next uschar */
1135
1136return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
1137}
1138
1139
1140
1141/*************************************************
1142* Read bytes from TLS channel *
1143*************************************************/
1144
1145/*
1146Arguments:
1147 buff buffer of data
1148 len size of buffer
1149
1150Returns: the number of bytes read
1151 -1 after a failed read
1152*/
1153
1154int
1155tls_read(uschar *buff, size_t len)
1156{
1157int inbytes;
1158int error;
1159
c80c5570
PP
1160DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
1161 buff, (unsigned int)len);
059ec3d9
PH
1162
1163inbytes = SSL_read(ssl, CS buff, len);
1164error = SSL_get_error(ssl, inbytes);
1165
1166if (error == SSL_ERROR_ZERO_RETURN)
1167 {
1168 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
1169 return -1;
1170 }
1171else if (error != SSL_ERROR_NONE)
1172 {
1173 return -1;
1174 }
1175
1176return inbytes;
1177}
1178
1179
1180
1181
1182
1183/*************************************************
1184* Write bytes down TLS channel *
1185*************************************************/
1186
1187/*
1188Arguments:
1189 buff buffer of data
1190 len number of bytes
1191
1192Returns: the number of bytes after a successful write,
1193 -1 after a failed write
1194*/
1195
1196int
1197tls_write(const uschar *buff, size_t len)
1198{
1199int outbytes;
1200int error;
1201int left = len;
1202
c80c5570 1203DEBUG(D_tls) debug_printf("tls_do_write(%p, %d)\n", buff, left);
059ec3d9
PH
1204while (left > 0)
1205 {
c80c5570 1206 DEBUG(D_tls) debug_printf("SSL_write(SSL, %p, %d)\n", buff, left);
059ec3d9
PH
1207 outbytes = SSL_write(ssl, CS buff, left);
1208 error = SSL_get_error(ssl, outbytes);
1209 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
1210 switch (error)
1211 {
1212 case SSL_ERROR_SSL:
1213 ERR_error_string(ERR_get_error(), ssl_errstring);
1214 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
1215 return -1;
1216
1217 case SSL_ERROR_NONE:
1218 left -= outbytes;
1219 buff += outbytes;
1220 break;
1221
1222 case SSL_ERROR_ZERO_RETURN:
1223 log_write(0, LOG_MAIN, "SSL channel closed on write");
1224 return -1;
1225
1226 default:
1227 log_write(0, LOG_MAIN, "SSL_write error %d", error);
1228 return -1;
1229 }
1230 }
1231return len;
1232}
1233
1234
1235
1236/*************************************************
1237* Close down a TLS session *
1238*************************************************/
1239
1240/* This is also called from within a delivery subprocess forked from the
1241daemon, to shut down the TLS library, without actually doing a shutdown (which
1242would tamper with the SSL session in the parent process).
1243
1244Arguments: TRUE if SSL_shutdown is to be called
1245Returns: nothing
1246*/
1247
1248void
1249tls_close(BOOL shutdown)
1250{
1251if (tls_active < 0) return; /* TLS was not active */
1252
1253if (shutdown)
1254 {
1255 DEBUG(D_tls) debug_printf("tls_close(): shutting down SSL\n");
1256 SSL_shutdown(ssl);
1257 }
1258
1259SSL_free(ssl);
1260ssl = NULL;
1261
1262tls_active = -1;
1263}
1264
36f12725
NM
1265
1266
1267
1268/*************************************************
1269* Report the library versions. *
1270*************************************************/
1271
1272/* There have historically been some issues with binary compatibility in
1273OpenSSL libraries; if Exim (like many other applications) is built against
1274one version of OpenSSL but the run-time linker picks up another version,
1275it can result in serious failures, including crashing with a SIGSEGV. So
1276report the version found by the compiler and the run-time version.
1277
1278Arguments: a FILE* to print the results to
1279Returns: nothing
1280*/
1281
1282void
1283tls_version_report(FILE *f)
1284{
754a0503
PP
1285fprintf(f, "Library version: OpenSSL: Compile: %s\n"
1286 " Runtime: %s\n",
1287 OPENSSL_VERSION_TEXT,
1288 SSLeay_version(SSLEAY_VERSION));
36f12725
NM
1289}
1290
9e3331ea
TK
1291
1292
1293
1294/*************************************************
1295* Pseudo-random number generation *
1296*************************************************/
1297
1298/* Pseudo-random number generation. The result is not expected to be
1299cryptographically strong but not so weak that someone will shoot themselves
1300in the foot using it as a nonce in input in some email header scheme or
1301whatever weirdness they'll twist this into. The result should handle fork()
1302and avoid repeating sequences. OpenSSL handles that for us.
1303
1304Arguments:
1305 max range maximum
1306Returns a random number in range [0, max-1]
1307*/
1308
1309int
1310pseudo_random_number(int max)
1311{
1312unsigned int r;
1313int i, needed_len;
1314uschar *p;
1315uschar smallbuf[sizeof(r)];
1316
1317if (max <= 1)
1318 return 0;
1319
1320/* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
1321if (!RAND_status())
1322 {
1323 randstuff r;
1324 gettimeofday(&r.tv, NULL);
1325 r.p = getpid();
1326
1327 RAND_seed((uschar *)(&r), sizeof(r));
1328 }
1329/* We're after pseudo-random, not random; if we still don't have enough data
1330in the internal PRNG then our options are limited. We could sleep and hope
1331for entropy to come along (prayer technique) but if the system is so depleted
1332in the first place then something is likely to just keep taking it. Instead,
1333we'll just take whatever little bit of pseudo-random we can still manage to
1334get. */
1335
1336needed_len = sizeof(r);
1337/* Don't take 8 times more entropy than needed if int is 8 octets and we were
1338asked for a number less than 10. */
1339for (r = max, i = 0; r; ++i)
1340 r >>= 1;
1341i = (i + 7) / 8;
1342if (i < needed_len)
1343 needed_len = i;
1344
1345/* We do not care if crypto-strong */
1346(void) RAND_pseudo_bytes(smallbuf, needed_len);
1347r = 0;
1348for (p = smallbuf; needed_len; --needed_len, ++p)
1349 {
1350 r *= 256;
1351 r += *p;
1352 }
1353
1354/* We don't particularly care about weighted results; if someone wants
1355smooth distribution and cares enough then they should submit a patch then. */
1356return r % max;
1357}
1358
77bb000f
PP
1359
1360
1361
1362/*************************************************
1363* OpenSSL option parse *
1364*************************************************/
1365
1366/* Parse one option for tls_openssl_options_parse below
1367
1368Arguments:
1369 name one option name
1370 value place to store a value for it
1371Returns success or failure in parsing
1372*/
1373
1374struct exim_openssl_option {
1375 uschar *name;
1376 long value;
1377};
1378/* We could use a macro to expand, but we need the ifdef and not all the
1379options document which version they were introduced in. Policylet: include
1380all options unless explicitly for DTLS, let the administrator choose which
1381to apply.
1382
1383This list is current as of:
c80c5570 1384 ==> 1.0.1b <== */
77bb000f
PP
1385static struct exim_openssl_option exim_openssl_options[] = {
1386/* KEEP SORTED ALPHABETICALLY! */
1387#ifdef SSL_OP_ALL
73a46702 1388 { US"all", SSL_OP_ALL },
77bb000f
PP
1389#endif
1390#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
73a46702 1391 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
77bb000f
PP
1392#endif
1393#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
73a46702 1394 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
77bb000f
PP
1395#endif
1396#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
73a46702 1397 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
77bb000f
PP
1398#endif
1399#ifdef SSL_OP_EPHEMERAL_RSA
73a46702 1400 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
77bb000f
PP
1401#endif
1402#ifdef SSL_OP_LEGACY_SERVER_CONNECT
73a46702 1403 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
77bb000f
PP
1404#endif
1405#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
73a46702 1406 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
77bb000f
PP
1407#endif
1408#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
73a46702 1409 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
77bb000f
PP
1410#endif
1411#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
73a46702 1412 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
77bb000f
PP
1413#endif
1414#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
73a46702 1415 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
77bb000f
PP
1416#endif
1417#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
73a46702 1418 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
77bb000f 1419#endif
c80c5570
PP
1420#ifdef SSL_OP_NO_COMPRESSION
1421 { US"no_compression", SSL_OP_NO_COMPRESSION },
1422#endif
77bb000f 1423#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
73a46702 1424 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
77bb000f 1425#endif
c0c7b2da
PP
1426#ifdef SSL_OP_NO_SSLv2
1427 { US"no_sslv2", SSL_OP_NO_SSLv2 },
1428#endif
1429#ifdef SSL_OP_NO_SSLv3
1430 { US"no_sslv3", SSL_OP_NO_SSLv3 },
1431#endif
1432#ifdef SSL_OP_NO_TICKET
1433 { US"no_ticket", SSL_OP_NO_TICKET },
1434#endif
1435#ifdef SSL_OP_NO_TLSv1
1436 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
1437#endif
c80c5570
PP
1438#ifdef SSL_OP_NO_TLSv1_1
1439#if SSL_OP_NO_TLSv1_1 == 0x00000400L
1440 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
1441#warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
1442#else
1443 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
1444#endif
1445#endif
1446#ifdef SSL_OP_NO_TLSv1_2
1447 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
1448#endif
77bb000f 1449#ifdef SSL_OP_SINGLE_DH_USE
73a46702 1450 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
77bb000f
PP
1451#endif
1452#ifdef SSL_OP_SINGLE_ECDH_USE
73a46702 1453 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
77bb000f
PP
1454#endif
1455#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
73a46702 1456 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
77bb000f
PP
1457#endif
1458#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
73a46702 1459 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
77bb000f
PP
1460#endif
1461#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
73a46702 1462 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
77bb000f
PP
1463#endif
1464#ifdef SSL_OP_TLS_D5_BUG
73a46702 1465 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
77bb000f
PP
1466#endif
1467#ifdef SSL_OP_TLS_ROLLBACK_BUG
73a46702 1468 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
77bb000f
PP
1469#endif
1470};
1471static int exim_openssl_options_size =
1472 sizeof(exim_openssl_options)/sizeof(struct exim_openssl_option);
1473
c80c5570 1474
77bb000f
PP
1475static BOOL
1476tls_openssl_one_option_parse(uschar *name, long *value)
1477{
1478int first = 0;
1479int last = exim_openssl_options_size;
1480while (last > first)
1481 {
1482 int middle = (first + last)/2;
1483 int c = Ustrcmp(name, exim_openssl_options[middle].name);
1484 if (c == 0)
1485 {
1486 *value = exim_openssl_options[middle].value;
1487 return TRUE;
1488 }
1489 else if (c > 0)
1490 first = middle + 1;
1491 else
1492 last = middle;
1493 }
1494return FALSE;
1495}
1496
1497
1498
1499
1500/*************************************************
1501* OpenSSL option parsing logic *
1502*************************************************/
1503
1504/* OpenSSL has a number of compatibility options which an administrator might
1505reasonably wish to set. Interpret a list similarly to decode_bits(), so that
1506we look like log_selector.
1507
1508Arguments:
1509 option_spec the administrator-supplied string of options
1510 results ptr to long storage for the options bitmap
1511Returns success or failure
1512*/
1513
1514BOOL
1515tls_openssl_options_parse(uschar *option_spec, long *results)
1516{
1517long result, item;
1518uschar *s, *end;
1519uschar keep_c;
1520BOOL adding, item_parsed;
1521
0e944a0d 1522result = 0L;
da3ad30d
PP
1523/* Prior to 4.78 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
1524 * from default because it increases BEAST susceptibility. */
77bb000f
PP
1525
1526if (option_spec == NULL)
1527 {
1528 *results = result;
1529 return TRUE;
1530 }
1531
1532for (s=option_spec; *s != '\0'; /**/)
1533 {
1534 while (isspace(*s)) ++s;
1535 if (*s == '\0')
1536 break;
1537 if (*s != '+' && *s != '-')
1538 {
1539 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
0e944a0d 1540 "+ or - expected but found \"%s\"\n", s);
77bb000f
PP
1541 return FALSE;
1542 }
1543 adding = *s++ == '+';
1544 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
1545 keep_c = *end;
1546 *end = '\0';
1547 item_parsed = tls_openssl_one_option_parse(s, &item);
1548 if (!item_parsed)
1549 {
0e944a0d 1550 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
77bb000f
PP
1551 return FALSE;
1552 }
1553 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
1554 adding ? "adding" : "removing", result, item, s);
1555 if (adding)
1556 result |= item;
1557 else
1558 result &= ~item;
1559 *end = keep_c;
1560 s = end;
1561 }
1562
1563*results = result;
1564return TRUE;
1565}
1566
059ec3d9 1567/* End of tls-openssl.c */