Docs: add notes on per-user SpamAssassin profiles. Bug 1579
[exim.git] / src / src / tls-openssl.c
CommitLineData
059ec3d9
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
5a66c31b 5/* Copyright (c) University of Cambridge 1995 - 2014 */
059ec3d9
PH
6/* See the file NOTICE for conditions of use and distribution. */
7
f5d78688
JH
8/* Portions Copyright (c) The OpenSSL Project 1999 */
9
059ec3d9
PH
10/* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11library. It is #included into the tls.c file when that library is used. The
12code herein is based on a patch that was originally contributed by Steve
13Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
14
15No cryptographic code is included in Exim. All this module does is to call
16functions from the OpenSSL library. */
17
18
19/* Heading stuff */
20
21#include <openssl/lhash.h>
22#include <openssl/ssl.h>
23#include <openssl/err.h>
24#include <openssl/rand.h>
f2de3a33 25#ifndef DISABLE_OCSP
e51c7be2 26# include <openssl/ocsp.h>
3f7eeb86 27#endif
85098ee7
JH
28#ifdef EXPERIMENTAL_DANE
29# include <danessl.h>
30#endif
31
3f7eeb86 32
f2de3a33
JH
33#ifndef DISABLE_OCSP
34# define EXIM_OCSP_SKEW_SECONDS (300L)
35# define EXIM_OCSP_MAX_AGE (-1L)
3f7eeb86 36#endif
059ec3d9 37
3bcbbbe2 38#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
e51c7be2 39# define EXIM_HAVE_OPENSSL_TLSEXT
3bcbbbe2 40#endif
2dfb468b
JH
41#if OPENSSL_VERSION_NUMBER >= 0x010100000L
42# define EXIM_HAVE_OPENSSL_CHECKHOST
43#endif
44#if OPENSSL_VERSION_NUMBER >= 0x010000000L \
45 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
46# define EXIM_HAVE_OPENSSL_CHECKHOST
47#endif
3bcbbbe2 48
67791ce4
JH
49#if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
50# warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
51# define DISABLE_OCSP
52#endif
53
059ec3d9
PH
54/* Structure for collecting random data for seeding. */
55
56typedef struct randstuff {
9e3331ea
TK
57 struct timeval tv;
58 pid_t p;
059ec3d9
PH
59} randstuff;
60
61/* Local static variables */
62
a2ff477a
JH
63static BOOL client_verify_callback_called = FALSE;
64static BOOL server_verify_callback_called = FALSE;
059ec3d9
PH
65static const uschar *sid_ctx = US"exim";
66
d4f09789
PP
67/* We have three different contexts to care about.
68
69Simple case: client, `client_ctx`
70 As a client, we can be doing a callout or cut-through delivery while receiving
71 a message. So we have a client context, which should have options initialised
72 from the SMTP Transport.
73
74Server:
75 There are two cases: with and without ServerNameIndication from the client.
76 Given TLS SNI, we can be using different keys, certs and various other
77 configuration settings, because they're re-expanded with $tls_sni set. This
78 allows vhosting with TLS. This SNI is sent in the handshake.
79 A client might not send SNI, so we need a fallback, and an initial setup too.
80 So as a server, we start out using `server_ctx`.
81 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
82 `server_sni` from `server_ctx` and then initialise settings by re-expanding
83 configuration.
84*/
85
817d9f57
JH
86static SSL_CTX *client_ctx = NULL;
87static SSL_CTX *server_ctx = NULL;
88static SSL *client_ssl = NULL;
89static SSL *server_ssl = NULL;
389ca47a 90
35731706 91#ifdef EXIM_HAVE_OPENSSL_TLSEXT
817d9f57 92static SSL_CTX *server_sni = NULL;
35731706 93#endif
059ec3d9
PH
94
95static char ssl_errstring[256];
96
97static int ssl_session_timeout = 200;
a2ff477a
JH
98static BOOL client_verify_optional = FALSE;
99static BOOL server_verify_optional = FALSE;
059ec3d9 100
f5d78688 101static BOOL reexpand_tls_files_for_sni = FALSE;
059ec3d9
PH
102
103
7be682ca
PP
104typedef struct tls_ext_ctx_cb {
105 uschar *certificate;
106 uschar *privatekey;
f2de3a33 107#ifndef DISABLE_OCSP
f5d78688
JH
108 BOOL is_server;
109 union {
110 struct {
111 uschar *file;
112 uschar *file_expanded;
113 OCSP_RESPONSE *response;
114 } server;
115 struct {
44662487
JH
116 X509_STORE *verify_store; /* non-null if status requested */
117 BOOL verify_required;
f5d78688
JH
118 } client;
119 } u_ocsp;
3f7eeb86 120#endif
7be682ca
PP
121 uschar *dhparam;
122 /* these are cached from first expand */
123 uschar *server_cipher_list;
124 /* only passed down to tls_error: */
125 host_item *host;
55414b25 126 const uschar * verify_cert_hostnames;
774ef2d7 127#ifdef EXPERIMENTAL_EVENT
a7538db1
JH
128 uschar * event_action;
129#endif
7be682ca
PP
130} tls_ext_ctx_cb;
131
132/* should figure out a cleanup of API to handle state preserved per
133implementation, for various reasons, which can be void * in the APIs.
134For now, we hack around it. */
817d9f57
JH
135tls_ext_ctx_cb *client_static_cbinfo = NULL;
136tls_ext_ctx_cb *server_static_cbinfo = NULL;
7be682ca
PP
137
138static int
983207c1
JH
139setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
140 int (*cert_vfy_cb)(int, X509_STORE_CTX *) );
059ec3d9 141
3f7eeb86 142/* Callbacks */
3bcbbbe2 143#ifdef EXIM_HAVE_OPENSSL_TLSEXT
3f7eeb86 144static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
3bcbbbe2 145#endif
f2de3a33 146#ifndef DISABLE_OCSP
f5d78688 147static int tls_server_stapling_cb(SSL *s, void *arg);
3f7eeb86
PP
148#endif
149
059ec3d9
PH
150
151/*************************************************
152* Handle TLS error *
153*************************************************/
154
155/* Called from lots of places when errors occur before actually starting to do
156the TLS handshake, that is, while the session is still in clear. Always returns
157DEFER for a server and FAIL for a client so that most calls can use "return
158tls_error(...)" to do this processing and then give an appropriate return. A
159single function is used for both server and client, because it is called from
160some shared functions.
161
162Argument:
163 prefix text to include in the logged error
164 host NULL if setting up a server;
165 the connected host if setting up a client
7199e1ee 166 msg error message or NULL if we should ask OpenSSL
059ec3d9
PH
167
168Returns: OK/DEFER/FAIL
169*/
170
171static int
b8b1b5cb 172tls_error(uschar * prefix, const host_item * host, uschar * msg)
059ec3d9 173{
c562fd30 174if (!msg)
7199e1ee
TF
175 {
176 ERR_error_string(ERR_get_error(), ssl_errstring);
5ca6d115 177 msg = (uschar *)ssl_errstring;
7199e1ee
TF
178 }
179
c562fd30
JH
180if (host)
181 {
182 log_write(0, LOG_MAIN, "H=%s [%s] TLS error on connection (%s): %s",
183 host->name, host->address, prefix, msg);
184 return FAIL;
185 }
186else
059ec3d9 187 {
7199e1ee 188 uschar *conn_info = smtp_get_connection_info();
5ca6d115 189 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0)
7199e1ee 190 conn_info += 5;
c562fd30 191 /* I'd like to get separated H= here, but too hard for now */
7199e1ee
TF
192 log_write(0, LOG_MAIN, "TLS error on %s (%s): %s",
193 conn_info, prefix, msg);
059ec3d9
PH
194 return DEFER;
195 }
059ec3d9
PH
196}
197
198
199
200/*************************************************
201* Callback to generate RSA key *
202*************************************************/
203
204/*
205Arguments:
206 s SSL connection
207 export not used
208 keylength keylength
209
210Returns: pointer to generated key
211*/
212
213static RSA *
214rsa_callback(SSL *s, int export, int keylength)
215{
216RSA *rsa_key;
217export = export; /* Shut picky compilers up */
218DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
219rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL);
220if (rsa_key == NULL)
221 {
222 ERR_error_string(ERR_get_error(), ssl_errstring);
223 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
224 ssl_errstring);
225 return NULL;
226 }
227return rsa_key;
228}
229
230
231
f5d78688 232/* Extreme debug
f2de3a33 233#ifndef DISABLE_OCSP
f5d78688
JH
234void
235x509_store_dump_cert_s_names(X509_STORE * store)
236{
237STACK_OF(X509_OBJECT) * roots= store->objs;
238int i;
239static uschar name[256];
240
241for(i= 0; i<sk_X509_OBJECT_num(roots); i++)
242 {
243 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
244 if(tmp_obj->type == X509_LU_X509)
245 {
246 X509 * current_cert= tmp_obj->data.x509;
247 X509_NAME_oneline(X509_get_subject_name(current_cert), CS name, sizeof(name));
4c01d6ab 248 txt[sizeof(name)-1] = '\0';
f5d78688
JH
249 debug_printf(" %s\n", name);
250 }
251 }
252}
253#endif
254*/
255
059ec3d9
PH
256
257/*************************************************
258* Callback for verification *
259*************************************************/
260
261/* The SSL library does certificate verification if set up to do so. This
262callback has the current yes/no state is in "state". If verification succeeded,
263we set up the tls_peerdn string. If verification failed, what happens depends
264on whether the client is required to present a verifiable certificate or not.
265
266If verification is optional, we change the state to yes, but still log the
267verification error. For some reason (it really would help to have proper
268documentation of OpenSSL), this callback function then gets called again, this
269time with state = 1. In fact, that's useful, because we can set up the peerdn
270value, but we must take care not to set the private verified flag on the second
271time through.
272
273Note: this function is not called if the client fails to present a certificate
274when asked. We get here only if a certificate has been received. Handling of
275optional verification for this case is done when requesting SSL to verify, by
276setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
277
a7538db1
JH
278May be called multiple times for different issues with a certificate, even
279for a given "depth" in the certificate chain.
280
059ec3d9
PH
281Arguments:
282 state current yes/no state as 1/0
283 x509ctx certificate information.
a2ff477a 284 client TRUE for client startup, FALSE for server startup
059ec3d9
PH
285
286Returns: 1 if verified, 0 if not
287*/
288
289static int
421aff85
JH
290verify_callback(int state, X509_STORE_CTX *x509ctx,
291 tls_support *tlsp, BOOL *calledp, BOOL *optionalp)
059ec3d9 292{
421aff85 293X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
a7538db1 294int depth = X509_STORE_CTX_get_error_depth(x509ctx);
059ec3d9 295static uschar txt[256];
b30275b8
JH
296#ifdef EXPERIMENTAL_EVENT
297uschar * ev;
298uschar * yield;
299#endif
059ec3d9 300
e51c7be2 301X509_NAME_oneline(X509_get_subject_name(cert), CS txt, sizeof(txt));
4c01d6ab 302txt[sizeof(txt)-1] = '\0';
059ec3d9
PH
303
304if (state == 0)
305 {
4c01d6ab
JH
306 log_write(0, LOG_MAIN, "[%s] SSL verify error: depth=%d error=%s cert=%s",
307 tlsp == &tls_out ? deliver_host_address : sender_host_address,
a7538db1 308 depth,
421aff85 309 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)),
059ec3d9 310 txt);
a2ff477a 311 *calledp = TRUE;
9d1c15ef
JH
312 if (!*optionalp)
313 {
421aff85 314 tlsp->peercert = X509_dup(cert);
9d1c15ef
JH
315 return 0; /* reject */
316 }
059ec3d9
PH
317 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
318 "tls_try_verify_hosts)\n");
059ec3d9
PH
319 }
320
a7538db1 321else if (depth != 0)
059ec3d9 322 {
a7538db1 323 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, txt);
f2de3a33 324#ifndef DISABLE_OCSP
f5d78688
JH
325 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
326 { /* client, wanting stapling */
327 /* Add the server cert's signing chain as the one
328 for the verification of the OCSP stapled information. */
329
330 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
421aff85 331 cert))
f5d78688
JH
332 ERR_clear_error();
333 }
334#endif
774ef2d7 335#ifdef EXPERIMENTAL_EVENT
723fe533
JH
336 ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
337 if (ev)
a7538db1
JH
338 {
339 tlsp->peercert = X509_dup(cert);
b30275b8 340 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
a7538db1 341 {
4c01d6ab
JH
342 log_write(0, LOG_MAIN, "[%s] SSL verify denied by event-action: "
343 "depth=%d cert=%s: %s",
344 tlsp == &tls_out ? deliver_host_address : sender_host_address,
345 depth, txt, yield);
a7538db1 346 *calledp = TRUE;
a3ef7310
JH
347 if (!*optionalp)
348 return 0; /* reject */
349 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
350 "(host in tls_try_verify_hosts)\n");
a7538db1
JH
351 }
352 X509_free(tlsp->peercert);
353 tlsp->peercert = NULL;
354 }
355#endif
059ec3d9
PH
356 }
357else
358 {
55414b25 359 const uschar * verify_cert_hostnames;
e51c7be2 360
a2ff477a 361 tlsp->peerdn = txt;
421aff85 362 tlsp->peercert = X509_dup(cert);
e51c7be2 363
e51c7be2
JH
364 if ( tlsp == &tls_out
365 && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
366 /* client, wanting hostname check */
367
2dfb468b 368# if EXIM_HAVE_OPENSSL_CHECKHOST
d8e7834a
JH
369# ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
370# define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
371# endif
8d692470
JH
372# ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
373# define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
374# endif
e51c7be2
JH
375 {
376 int sep = 0;
55414b25 377 const uschar * list = verify_cert_hostnames;
e51c7be2 378 uschar * name;
d8e7834a
JH
379 int rc;
380 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
381 if ((rc = X509_check_host(cert, name, 0,
8d692470
JH
382 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
383 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS)))
d8e7834a
JH
384 {
385 if (rc < 0)
386 {
93a6fce2 387 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
4c01d6ab 388 tlsp == &tls_out ? deliver_host_address : sender_host_address);
d8e7834a
JH
389 name = NULL;
390 }
e51c7be2 391 break;
d8e7834a 392 }
e51c7be2
JH
393 if (!name)
394 {
395 log_write(0, LOG_MAIN,
93a6fce2 396 "[%s] SSL verify error: certificate name mismatch: \"%s\"",
4c01d6ab
JH
397 tlsp == &tls_out ? deliver_host_address : sender_host_address,
398 txt);
a3ef7310
JH
399 *calledp = TRUE;
400 if (!*optionalp)
401 return 0; /* reject */
402 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
403 "tls_try_verify_hosts)\n");
e51c7be2
JH
404 }
405 }
406# else
407 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
408 {
409 log_write(0, LOG_MAIN,
93a6fce2 410 "[%s] SSL verify error: certificate name mismatch: \"%s\"",
4c01d6ab
JH
411 tlsp == &tls_out ? deliver_host_address : sender_host_address,
412 txt);
a3ef7310
JH
413 *calledp = TRUE;
414 if (!*optionalp)
415 return 0; /* reject */
416 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
417 "tls_try_verify_hosts)\n");
e51c7be2
JH
418 }
419# endif
e51c7be2 420
774ef2d7 421#ifdef EXPERIMENTAL_EVENT
723fe533
JH
422 ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
423 if (ev)
b30275b8 424 if ((yield = event_raise(ev, US"tls:cert", US"0")))
a7538db1 425 {
4c01d6ab
JH
426 log_write(0, LOG_MAIN, "[%s] SSL verify denied by event-action: "
427 "depth=0 cert=%s: %s",
428 tlsp == &tls_out ? deliver_host_address : sender_host_address,
429 txt, yield);
a7538db1 430 *calledp = TRUE;
a3ef7310
JH
431 if (!*optionalp)
432 return 0; /* reject */
433 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
434 "(host in tls_try_verify_hosts)\n");
a7538db1 435 }
e51c7be2
JH
436#endif
437
93dcb1c2
JH
438 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
439 *calledp ? "" : " authenticated", txt);
440 if (!*calledp) tlsp->certificate_verified = TRUE;
441 *calledp = TRUE;
059ec3d9
PH
442 }
443
a7538db1 444return 1; /* accept, at least for this level */
059ec3d9
PH
445}
446
a2ff477a
JH
447static int
448verify_callback_client(int state, X509_STORE_CTX *x509ctx)
449{
f5d78688 450return verify_callback(state, x509ctx, &tls_out, &client_verify_callback_called, &client_verify_optional);
a2ff477a
JH
451}
452
453static int
454verify_callback_server(int state, X509_STORE_CTX *x509ctx)
455{
f5d78688 456return verify_callback(state, x509ctx, &tls_in, &server_verify_callback_called, &server_verify_optional);
a2ff477a
JH
457}
458
059ec3d9 459
e5cccda9 460#ifdef EXPERIMENTAL_DANE
53a7196b 461
e5cccda9
JH
462/* This gets called *by* the dane library verify callback, which interposes
463itself.
464*/
465static int
466verify_callback_client_dane(int state, X509_STORE_CTX * x509ctx)
467{
468X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
469static uschar txt[256];
774ef2d7 470#ifdef EXPERIMENTAL_EVENT
83b27293 471int depth = X509_STORE_CTX_get_error_depth(x509ctx);
b30275b8 472uschar * yield;
83b27293 473#endif
e5cccda9
JH
474
475X509_NAME_oneline(X509_get_subject_name(cert), CS txt, sizeof(txt));
4c01d6ab 476txt[sizeof(txt)-1] = '\0';
e5cccda9
JH
477
478DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s\n", txt);
479tls_out.peerdn = txt;
480tls_out.peercert = X509_dup(cert);
481
774ef2d7 482#ifdef EXPERIMENTAL_EVENT
83b27293
JH
483 if (client_static_cbinfo->event_action)
484 {
b30275b8
JH
485 if ((yield = event_raise(client_static_cbinfo->event_action,
486 US"tls:cert", string_sprintf("%d", depth))))
83b27293
JH
487 {
488 log_write(0, LOG_MAIN, "DANE verify denied by event-action: "
b30275b8 489 "depth=%d cert=%s: %s", depth, txt, yield);
83b27293
JH
490 tls_out.certificate_verified = FALSE;
491 return 0; /* reject */
492 }
493 if (depth != 0)
494 {
495 X509_free(tls_out.peercert);
496 tls_out.peercert = NULL;
497 }
498 }
499#endif
500
e5cccda9 501if (state == 1)
53a7196b 502 tls_out.dane_verified =
e5cccda9
JH
503 tls_out.certificate_verified = TRUE;
504return 1;
505}
53a7196b
JH
506
507#endif /*EXPERIMENTAL_DANE*/
e5cccda9 508
059ec3d9
PH
509
510/*************************************************
511* Information callback *
512*************************************************/
513
514/* The SSL library functions call this from time to time to indicate what they
7be682ca
PP
515are doing. We copy the string to the debugging output when TLS debugging has
516been requested.
059ec3d9
PH
517
518Arguments:
519 s the SSL connection
520 where
521 ret
522
523Returns: nothing
524*/
525
526static void
527info_callback(SSL *s, int where, int ret)
528{
529where = where;
530ret = ret;
531DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
532}
533
534
535
536/*************************************************
537* Initialize for DH *
538*************************************************/
539
540/* If dhparam is set, expand it, and load up the parameters for DH encryption.
541
542Arguments:
a799883d 543 dhparam DH parameter file or fixed parameter identity string
7199e1ee 544 host connected host, if client; NULL if server
059ec3d9
PH
545
546Returns: TRUE if OK (nothing to set up, or setup worked)
547*/
548
549static BOOL
b8b1b5cb 550init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host)
059ec3d9 551{
059ec3d9
PH
552BIO *bio;
553DH *dh;
554uschar *dhexpanded;
a799883d 555const char *pem;
059ec3d9
PH
556
557if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded))
558 return FALSE;
559
0df4ab80 560if (!dhexpanded || !*dhexpanded)
a799883d 561 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
a799883d 562else if (dhexpanded[0] == '/')
059ec3d9 563 {
0df4ab80 564 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
059ec3d9 565 {
7199e1ee 566 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
a799883d
PP
567 host, US strerror(errno));
568 return FALSE;
059ec3d9 569 }
a799883d
PP
570 }
571else
572 {
573 if (Ustrcmp(dhexpanded, "none") == 0)
059ec3d9 574 {
a799883d
PP
575 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
576 return TRUE;
059ec3d9 577 }
a799883d 578
0df4ab80 579 if (!(pem = std_dh_prime_named(dhexpanded)))
a799883d
PP
580 {
581 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
582 host, US strerror(errno));
583 return FALSE;
584 }
585 bio = BIO_new_mem_buf(CS pem, -1);
586 }
587
0df4ab80 588if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
a799883d 589 {
059ec3d9 590 BIO_free(bio);
a799883d
PP
591 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
592 host, NULL);
593 return FALSE;
594 }
595
596/* Even if it is larger, we silently return success rather than cause things
597 * to fail out, so that a too-large DH will not knock out all TLS; it's a
598 * debatable choice. */
599if ((8*DH_size(dh)) > tls_dh_max_bits)
600 {
601 DEBUG(D_tls)
602 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d",
603 8*DH_size(dh), tls_dh_max_bits);
604 }
605else
606 {
607 SSL_CTX_set_tmp_dh(sctx, dh);
608 DEBUG(D_tls)
609 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
610 dhexpanded ? dhexpanded : US"default", 8*DH_size(dh));
059ec3d9
PH
611 }
612
a799883d
PP
613DH_free(dh);
614BIO_free(bio);
615
616return TRUE;
059ec3d9
PH
617}
618
619
620
621
f2de3a33 622#ifndef DISABLE_OCSP
3f7eeb86
PP
623/*************************************************
624* Load OCSP information into state *
625*************************************************/
626
f5d78688 627/* Called to load the server OCSP response from the given file into memory, once
3f7eeb86
PP
628caller has determined this is needed. Checks validity. Debugs a message
629if invalid.
630
631ASSUMES: single response, for single cert.
632
633Arguments:
634 sctx the SSL_CTX* to update
635 cbinfo various parts of session state
636 expanded the filename putatively holding an OCSP response
637
638*/
639
640static void
f5d78688 641ocsp_load_response(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo, const uschar *expanded)
3f7eeb86
PP
642{
643BIO *bio;
644OCSP_RESPONSE *resp;
645OCSP_BASICRESP *basic_response;
646OCSP_SINGLERESP *single_response;
647ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
648X509_STORE *store;
649unsigned long verify_flags;
650int status, reason, i;
651
f5d78688
JH
652cbinfo->u_ocsp.server.file_expanded = string_copy(expanded);
653if (cbinfo->u_ocsp.server.response)
3f7eeb86 654 {
f5d78688
JH
655 OCSP_RESPONSE_free(cbinfo->u_ocsp.server.response);
656 cbinfo->u_ocsp.server.response = NULL;
3f7eeb86
PP
657 }
658
f5d78688 659bio = BIO_new_file(CS cbinfo->u_ocsp.server.file_expanded, "rb");
3f7eeb86
PP
660if (!bio)
661 {
662 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
f5d78688 663 cbinfo->u_ocsp.server.file_expanded);
3f7eeb86
PP
664 return;
665 }
666
667resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
668BIO_free(bio);
669if (!resp)
670 {
671 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
672 return;
673 }
674
675status = OCSP_response_status(resp);
676if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL)
677 {
678 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
679 OCSP_response_status_str(status), status);
f5d78688 680 goto bad;
3f7eeb86
PP
681 }
682
683basic_response = OCSP_response_get1_basic(resp);
684if (!basic_response)
685 {
686 DEBUG(D_tls)
687 debug_printf("OCSP response parse error: unable to extract basic response.\n");
f5d78688 688 goto bad;
3f7eeb86
PP
689 }
690
691store = SSL_CTX_get_cert_store(sctx);
692verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
693
694/* May need to expose ability to adjust those flags?
695OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
696OCSP_TRUSTOTHER OCSP_NOINTERN */
697
698i = OCSP_basic_verify(basic_response, NULL, store, verify_flags);
699if (i <= 0)
700 {
701 DEBUG(D_tls) {
702 ERR_error_string(ERR_get_error(), ssl_errstring);
703 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
f5d78688
JH
704 }
705 goto bad;
3f7eeb86
PP
706 }
707
708/* Here's the simplifying assumption: there's only one response, for the
709one certificate we use, and nothing for anything else in a chain. If this
710proves false, we need to extract a cert id from our issued cert
711(tls_certificate) and use that for OCSP_resp_find_status() (which finds the
712right cert in the stack and then calls OCSP_single_get0_status()).
713
714I'm hoping to avoid reworking a bunch more of how we handle state here. */
715single_response = OCSP_resp_get0(basic_response, 0);
716if (!single_response)
717 {
718 DEBUG(D_tls)
719 debug_printf("Unable to get first response from OCSP basic response.\n");
f5d78688 720 goto bad;
3f7eeb86
PP
721 }
722
723status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
f5d78688 724if (status != V_OCSP_CERTSTATUS_GOOD)
3f7eeb86 725 {
f5d78688
JH
726 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
727 OCSP_cert_status_str(status), status,
728 OCSP_crl_reason_str(reason), reason);
729 goto bad;
3f7eeb86
PP
730 }
731
732if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
733 {
734 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
f5d78688 735 goto bad;
3f7eeb86
PP
736 }
737
f5d78688 738supply_response:
018058b2 739 cbinfo->u_ocsp.server.response = resp;
f5d78688
JH
740return;
741
742bad:
018058b2
JH
743 if (running_in_test_harness)
744 {
745 extern char ** environ;
746 uschar ** p;
747 for (p = USS environ; *p != NULL; p++)
748 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
749 {
750 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
751 goto supply_response;
752 }
753 }
f5d78688 754return;
3f7eeb86 755}
f2de3a33 756#endif /*!DISABLE_OCSP*/
3f7eeb86
PP
757
758
759
760
059ec3d9 761/*************************************************
7be682ca
PP
762* Expand key and cert file specs *
763*************************************************/
764
f5d78688 765/* Called once during tls_init and possibly again during TLS setup, for a
7be682ca
PP
766new context, if Server Name Indication was used and tls_sni was seen in
767the certificate string.
768
769Arguments:
770 sctx the SSL_CTX* to update
771 cbinfo various parts of session state
772
773Returns: OK/DEFER/FAIL
774*/
775
776static int
3f7eeb86 777tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo)
7be682ca
PP
778{
779uschar *expanded;
780
781if (cbinfo->certificate == NULL)
782 return OK;
783
d9b2312b
JH
784if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
785 Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
786 Ustrstr(cbinfo->certificate, US"tls_out_sni")
787 )
7be682ca
PP
788 reexpand_tls_files_for_sni = TRUE;
789
790if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded))
791 return DEFER;
792
793if (expanded != NULL)
794 {
795 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded);
796 if (!SSL_CTX_use_certificate_chain_file(sctx, CS expanded))
797 return tls_error(string_sprintf(
798 "SSL_CTX_use_certificate_chain_file file=%s", expanded),
799 cbinfo->host, NULL);
800 }
801
802if (cbinfo->privatekey != NULL &&
803 !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded))
804 return DEFER;
805
806/* If expansion was forced to fail, key_expanded will be NULL. If the result
807of the expansion is an empty string, ignore it also, and assume the private
808key is in the same file as the certificate. */
809
810if (expanded != NULL && *expanded != 0)
811 {
812 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
813 if (!SSL_CTX_use_PrivateKey_file(sctx, CS expanded, SSL_FILETYPE_PEM))
814 return tls_error(string_sprintf(
815 "SSL_CTX_use_PrivateKey_file file=%s", expanded), cbinfo->host, NULL);
816 }
817
f2de3a33 818#ifndef DISABLE_OCSP
f5d78688 819if (cbinfo->is_server && cbinfo->u_ocsp.server.file != NULL)
3f7eeb86 820 {
f5d78688 821 if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded))
3f7eeb86
PP
822 return DEFER;
823
824 if (expanded != NULL && *expanded != 0)
825 {
826 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
f5d78688
JH
827 if (cbinfo->u_ocsp.server.file_expanded &&
828 (Ustrcmp(expanded, cbinfo->u_ocsp.server.file_expanded) == 0))
3f7eeb86
PP
829 {
830 DEBUG(D_tls)
831 debug_printf("tls_ocsp_file value unchanged, using existing values.\n");
832 } else {
833 ocsp_load_response(sctx, cbinfo, expanded);
834 }
835 }
836 }
837#endif
838
7be682ca
PP
839return OK;
840}
841
842
843
844
845/*************************************************
846* Callback to handle SNI *
847*************************************************/
848
849/* Called when acting as server during the TLS session setup if a Server Name
850Indication extension was sent by the client.
851
852API documentation is OpenSSL s_server.c implementation.
853
854Arguments:
855 s SSL* of the current session
856 ad unknown (part of OpenSSL API) (unused)
857 arg Callback of "our" registered data
858
859Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
860*/
861
3bcbbbe2 862#ifdef EXIM_HAVE_OPENSSL_TLSEXT
7be682ca 863static int
7be682ca
PP
864tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
865{
866const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
3f7eeb86 867tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
7be682ca 868int rc;
3f0945ff 869int old_pool = store_pool;
7be682ca
PP
870
871if (!servername)
872 return SSL_TLSEXT_ERR_OK;
873
3f0945ff 874DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
7be682ca
PP
875 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
876
877/* Make the extension value available for expansion */
3f0945ff 878store_pool = POOL_PERM;
817d9f57 879tls_in.sni = string_copy(US servername);
3f0945ff 880store_pool = old_pool;
7be682ca
PP
881
882if (!reexpand_tls_files_for_sni)
883 return SSL_TLSEXT_ERR_OK;
884
885/* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
886not confident that memcpy wouldn't break some internal reference counting.
887Especially since there's a references struct member, which would be off. */
888
0df4ab80 889if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
7be682ca
PP
890 {
891 ERR_error_string(ERR_get_error(), ssl_errstring);
892 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
893 return SSL_TLSEXT_ERR_NOACK;
894 }
895
896/* Not sure how many of these are actually needed, since SSL object
897already exists. Might even need this selfsame callback, for reneg? */
898
817d9f57
JH
899SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
900SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
901SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
902SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
903SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
904SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
7be682ca 905if (cbinfo->server_cipher_list)
817d9f57 906 SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list);
f2de3a33 907#ifndef DISABLE_OCSP
f5d78688 908if (cbinfo->u_ocsp.server.file)
3f7eeb86 909 {
f5d78688 910 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
14c7b357 911 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
3f7eeb86
PP
912 }
913#endif
7be682ca 914
983207c1 915rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE, verify_callback_server);
7be682ca
PP
916if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
917
3f7eeb86
PP
918/* do this after setup_certs, because this can require the certs for verifying
919OCSP information. */
817d9f57 920rc = tls_expand_session_files(server_sni, cbinfo);
7be682ca
PP
921if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
922
0df4ab80
JH
923if (!init_dh(server_sni, cbinfo->dhparam, NULL))
924 return SSL_TLSEXT_ERR_NOACK;
a799883d 925
7be682ca 926DEBUG(D_tls) debug_printf("Switching SSL context.\n");
817d9f57 927SSL_set_SSL_CTX(s, server_sni);
7be682ca
PP
928
929return SSL_TLSEXT_ERR_OK;
930}
3bcbbbe2 931#endif /* EXIM_HAVE_OPENSSL_TLSEXT */
7be682ca
PP
932
933
934
935
f2de3a33 936#ifndef DISABLE_OCSP
f5d78688 937
3f7eeb86
PP
938/*************************************************
939* Callback to handle OCSP Stapling *
940*************************************************/
941
942/* Called when acting as server during the TLS session setup if the client
943requests OCSP information with a Certificate Status Request.
944
945Documentation via openssl s_server.c and the Apache patch from the OpenSSL
946project.
947
948*/
949
950static int
f5d78688 951tls_server_stapling_cb(SSL *s, void *arg)
3f7eeb86
PP
952{
953const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
954uschar *response_der;
955int response_der_len;
956
af4a1bca
JH
957DEBUG(D_tls)
958 debug_printf("Received TLS status request (OCSP stapling); %s response.",
f5d78688
JH
959 cbinfo->u_ocsp.server.response ? "have" : "lack");
960
44662487 961tls_in.ocsp = OCSP_NOT_RESP;
f5d78688 962if (!cbinfo->u_ocsp.server.response)
3f7eeb86
PP
963 return SSL_TLSEXT_ERR_NOACK;
964
965response_der = NULL;
44662487
JH
966response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response,
967 &response_der);
3f7eeb86
PP
968if (response_der_len <= 0)
969 return SSL_TLSEXT_ERR_NOACK;
970
5e55c7a9 971SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
44662487 972tls_in.ocsp = OCSP_VFIED;
3f7eeb86
PP
973return SSL_TLSEXT_ERR_OK;
974}
975
3f7eeb86 976
f5d78688
JH
977static void
978time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
979{
980BIO_printf(bp, "\t%s: ", str);
981ASN1_GENERALIZEDTIME_print(bp, time);
982BIO_puts(bp, "\n");
983}
984
985static int
986tls_client_stapling_cb(SSL *s, void *arg)
987{
988tls_ext_ctx_cb * cbinfo = arg;
989const unsigned char * p;
990int len;
991OCSP_RESPONSE * rsp;
992OCSP_BASICRESP * bs;
993int i;
994
995DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
996len = SSL_get_tlsext_status_ocsp_resp(s, &p);
997if(!p)
998 {
44662487
JH
999 /* Expect this when we requested ocsp but got none */
1000 if ( cbinfo->u_ocsp.client.verify_required
1001 && log_extra_selector & LX_tls_cipher)
1002 log_write(0, LOG_MAIN, "Received TLS status callback, null content");
f5d78688
JH
1003 else
1004 DEBUG(D_tls) debug_printf(" null\n");
44662487 1005 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
f5d78688 1006 }
018058b2 1007
f5d78688
JH
1008if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
1009 {
018058b2 1010 tls_out.ocsp = OCSP_FAILED;
f5d78688 1011 if (log_extra_selector & LX_tls_cipher)
1eca31ca 1012 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
f5d78688
JH
1013 else
1014 DEBUG(D_tls) debug_printf(" parse error\n");
1015 return 0;
1016 }
1017
1018if(!(bs = OCSP_response_get1_basic(rsp)))
1019 {
018058b2 1020 tls_out.ocsp = OCSP_FAILED;
f5d78688 1021 if (log_extra_selector & LX_tls_cipher)
1eca31ca 1022 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
f5d78688
JH
1023 else
1024 DEBUG(D_tls) debug_printf(" error parsing response\n");
1025 OCSP_RESPONSE_free(rsp);
1026 return 0;
1027 }
1028
1029/* We'd check the nonce here if we'd put one in the request. */
1030/* However that would defeat cacheability on the server so we don't. */
1031
f5d78688
JH
1032/* This section of code reworked from OpenSSL apps source;
1033 The OpenSSL Project retains copyright:
1034 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
1035*/
1036 {
1037 BIO * bp = NULL;
f5d78688
JH
1038 int status, reason;
1039 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1040
1041 DEBUG(D_tls) bp = BIO_new_fp(stderr, BIO_NOCLOSE);
1042
1043 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
1044
1045 /* Use the chain that verified the server cert to verify the stapled info */
1046 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
1047
44662487
JH
1048 if ((i = OCSP_basic_verify(bs, NULL,
1049 cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
f5d78688 1050 {
018058b2 1051 tls_out.ocsp = OCSP_FAILED;
1eca31ca
JH
1052 if (log_extra_selector & LX_tls_cipher)
1053 log_write(0, LOG_MAIN, "Received TLS cert status response, itself unverifiable");
f5d78688
JH
1054 BIO_printf(bp, "OCSP response verify failure\n");
1055 ERR_print_errors(bp);
44662487 1056 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
f5d78688
JH
1057 goto out;
1058 }
1059
1060 BIO_printf(bp, "OCSP response well-formed and signed OK\n");
1061
1062 {
1063 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
1064 OCSP_SINGLERESP * single;
1065
1066 if (sk_OCSP_SINGLERESP_num(sresp) != 1)
1067 {
018058b2 1068 tls_out.ocsp = OCSP_FAILED;
44662487
JH
1069 log_write(0, LOG_MAIN, "OCSP stapling "
1070 "with multiple responses not handled");
1071 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
f5d78688
JH
1072 goto out;
1073 }
1074 single = OCSP_resp_get0(bs, 0);
44662487
JH
1075 status = OCSP_single_get0_status(single, &reason, &rev,
1076 &thisupd, &nextupd);
f5d78688
JH
1077 }
1078
f5d78688
JH
1079 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
1080 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
44662487
JH
1081 if (!OCSP_check_validity(thisupd, nextupd,
1082 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
f5d78688 1083 {
018058b2 1084 tls_out.ocsp = OCSP_FAILED;
f5d78688
JH
1085 DEBUG(D_tls) ERR_print_errors(bp);
1086 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
44662487 1087 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
f5d78688 1088 }
44662487 1089 else
f5d78688 1090 {
44662487
JH
1091 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
1092 OCSP_cert_status_str(status));
1093 switch(status)
1094 {
1095 case V_OCSP_CERTSTATUS_GOOD:
44662487 1096 tls_out.ocsp = OCSP_VFIED;
018058b2 1097 i = 1;
44662487
JH
1098 break;
1099 case V_OCSP_CERTSTATUS_REVOKED:
018058b2 1100 tls_out.ocsp = OCSP_FAILED;
44662487
JH
1101 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
1102 reason != -1 ? "; reason: " : "",
1103 reason != -1 ? OCSP_crl_reason_str(reason) : "");
1104 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
1105 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1106 break;
1107 default:
018058b2 1108 tls_out.ocsp = OCSP_FAILED;
44662487
JH
1109 log_write(0, LOG_MAIN,
1110 "Server certificate status unknown, in OCSP stapling");
1111 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1112 break;
1113 }
f5d78688
JH
1114 }
1115 out:
1116 BIO_free(bp);
1117 }
1118
1119OCSP_RESPONSE_free(rsp);
1120return i;
1121}
f2de3a33 1122#endif /*!DISABLE_OCSP*/
3f7eeb86
PP
1123
1124
7be682ca 1125/*************************************************
059ec3d9
PH
1126* Initialize for TLS *
1127*************************************************/
1128
e51c7be2
JH
1129/* Called from both server and client code, to do preliminary initialization
1130of the library. We allocate and return a context structure.
059ec3d9
PH
1131
1132Arguments:
946ecbe0 1133 ctxp returned SSL context
059ec3d9
PH
1134 host connected host, if client; NULL if server
1135 dhparam DH parameter file
1136 certificate certificate file
1137 privatekey private key
f5d78688 1138 ocsp_file file of stapling info (server); flag for require ocsp (client)
059ec3d9 1139 addr address if client; NULL if server (for some randomness)
946ecbe0 1140 cbp place to put allocated callback context
059ec3d9
PH
1141
1142Returns: OK/DEFER/FAIL
1143*/
1144
1145static int
817d9f57 1146tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
3f7eeb86 1147 uschar *privatekey,
f2de3a33 1148#ifndef DISABLE_OCSP
3f7eeb86
PP
1149 uschar *ocsp_file,
1150#endif
817d9f57 1151 address_item *addr, tls_ext_ctx_cb ** cbp)
059ec3d9 1152{
77bb000f 1153long init_options;
7be682ca 1154int rc;
77bb000f 1155BOOL okay;
a7538db1 1156tls_ext_ctx_cb * cbinfo;
7be682ca
PP
1157
1158cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
1159cbinfo->certificate = certificate;
1160cbinfo->privatekey = privatekey;
f2de3a33 1161#ifndef DISABLE_OCSP
f5d78688
JH
1162if ((cbinfo->is_server = host==NULL))
1163 {
1164 cbinfo->u_ocsp.server.file = ocsp_file;
1165 cbinfo->u_ocsp.server.file_expanded = NULL;
1166 cbinfo->u_ocsp.server.response = NULL;
1167 }
1168else
1169 cbinfo->u_ocsp.client.verify_store = NULL;
3f7eeb86 1170#endif
7be682ca 1171cbinfo->dhparam = dhparam;
0df4ab80 1172cbinfo->server_cipher_list = NULL;
7be682ca 1173cbinfo->host = host;
774ef2d7 1174#ifdef EXPERIMENTAL_EVENT
a7538db1
JH
1175cbinfo->event_action = NULL;
1176#endif
77bb000f 1177
059ec3d9
PH
1178SSL_load_error_strings(); /* basic set up */
1179OpenSSL_add_ssl_algorithms();
1180
388d6564 1181#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
77bb000f 1182/* SHA256 is becoming ever more popular. This makes sure it gets added to the
a0475b69
TK
1183list of available digests. */
1184EVP_add_digest(EVP_sha256());
cf1ef1a9 1185#endif
a0475b69 1186
f0f5a555
PP
1187/* Create a context.
1188The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
1189negotiation in the different methods; as far as I can tell, the only
1190*_{server,client}_method which allows negotiation is SSLv23, which exists even
1191when OpenSSL is built without SSLv2 support.
1192By disabling with openssl_options, we can let admins re-enable with the
1193existing knob. */
059ec3d9 1194
817d9f57 1195*ctxp = SSL_CTX_new((host == NULL)?
059ec3d9
PH
1196 SSLv23_server_method() : SSLv23_client_method());
1197
817d9f57 1198if (*ctxp == NULL) return tls_error(US"SSL_CTX_new", host, NULL);
059ec3d9
PH
1199
1200/* It turns out that we need to seed the random number generator this early in
1201order to get the full complement of ciphers to work. It took me roughly a day
1202of work to discover this by experiment.
1203
1204On systems that have /dev/urandom, SSL may automatically seed itself from
1205there. Otherwise, we have to make something up as best we can. Double check
1206afterwards. */
1207
1208if (!RAND_status())
1209 {
1210 randstuff r;
9e3331ea 1211 gettimeofday(&r.tv, NULL);
059ec3d9
PH
1212 r.p = getpid();
1213
1214 RAND_seed((uschar *)(&r), sizeof(r));
1215 RAND_seed((uschar *)big_buffer, big_buffer_size);
1216 if (addr != NULL) RAND_seed((uschar *)addr, sizeof(addr));
1217
1218 if (!RAND_status())
7199e1ee 1219 return tls_error(US"RAND_status", host,
5ca6d115 1220 US"unable to seed random number generator");
059ec3d9
PH
1221 }
1222
1223/* Set up the information callback, which outputs if debugging is at a suitable
1224level. */
1225
817d9f57 1226SSL_CTX_set_info_callback(*ctxp, (void (*)())info_callback);
059ec3d9 1227
c80c5570 1228/* Automatically re-try reads/writes after renegotiation. */
817d9f57 1229(void) SSL_CTX_set_mode(*ctxp, SSL_MODE_AUTO_RETRY);
c80c5570 1230
77bb000f
PP
1231/* Apply administrator-supplied work-arounds.
1232Historically we applied just one requested option,
1233SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
1234moved to an administrator-controlled list of options to specify and
1235grandfathered in the first one as the default value for "openssl_options".
059ec3d9 1236
77bb000f
PP
1237No OpenSSL version number checks: the options we accept depend upon the
1238availability of the option value macros from OpenSSL. */
059ec3d9 1239
77bb000f
PP
1240okay = tls_openssl_options_parse(openssl_options, &init_options);
1241if (!okay)
73a46702 1242 return tls_error(US"openssl_options parsing failed", host, NULL);
77bb000f
PP
1243
1244if (init_options)
1245 {
1246 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
817d9f57 1247 if (!(SSL_CTX_set_options(*ctxp, init_options)))
77bb000f
PP
1248 return tls_error(string_sprintf(
1249 "SSL_CTX_set_option(%#lx)", init_options), host, NULL);
1250 }
1251else
1252 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
059ec3d9
PH
1253
1254/* Initialize with DH parameters if supplied */
1255
817d9f57 1256if (!init_dh(*ctxp, dhparam, host)) return DEFER;
059ec3d9 1257
3f7eeb86 1258/* Set up certificate and key (and perhaps OCSP info) */
059ec3d9 1259
817d9f57 1260rc = tls_expand_session_files(*ctxp, cbinfo);
7be682ca 1261if (rc != OK) return rc;
c91535f3 1262
7be682ca 1263/* If we need to handle SNI, do so */
3bcbbbe2 1264#ifdef EXIM_HAVE_OPENSSL_TLSEXT
f5d78688 1265if (host == NULL) /* server */
3f0945ff 1266 {
f2de3a33 1267# ifndef DISABLE_OCSP
f5d78688 1268 /* We check u_ocsp.server.file, not server.response, because we care about if
3f7eeb86
PP
1269 the option exists, not what the current expansion might be, as SNI might
1270 change the certificate and OCSP file in use between now and the time the
1271 callback is invoked. */
f5d78688 1272 if (cbinfo->u_ocsp.server.file)
3f7eeb86 1273 {
f5d78688 1274 SSL_CTX_set_tlsext_status_cb(server_ctx, tls_server_stapling_cb);
5e55c7a9 1275 SSL_CTX_set_tlsext_status_arg(server_ctx, cbinfo);
3f7eeb86 1276 }
f5d78688 1277# endif
3f0945ff
PP
1278 /* We always do this, so that $tls_sni is available even if not used in
1279 tls_certificate */
817d9f57
JH
1280 SSL_CTX_set_tlsext_servername_callback(*ctxp, tls_servername_cb);
1281 SSL_CTX_set_tlsext_servername_arg(*ctxp, cbinfo);
3f0945ff 1282 }
f2de3a33 1283# ifndef DISABLE_OCSP
f5d78688
JH
1284else /* client */
1285 if(ocsp_file) /* wanting stapling */
1286 {
1287 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
1288 {
1289 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
1290 return FAIL;
1291 }
1292 SSL_CTX_set_tlsext_status_cb(*ctxp, tls_client_stapling_cb);
1293 SSL_CTX_set_tlsext_status_arg(*ctxp, cbinfo);
1294 }
1295# endif
7be682ca 1296#endif
059ec3d9 1297
e51c7be2 1298cbinfo->verify_cert_hostnames = NULL;
e51c7be2 1299
059ec3d9
PH
1300/* Set up the RSA callback */
1301
817d9f57 1302SSL_CTX_set_tmp_rsa_callback(*ctxp, rsa_callback);
059ec3d9
PH
1303
1304/* Finally, set the timeout, and we are done */
1305
817d9f57 1306SSL_CTX_set_timeout(*ctxp, ssl_session_timeout);
059ec3d9 1307DEBUG(D_tls) debug_printf("Initialized TLS\n");
7be682ca 1308
817d9f57 1309*cbp = cbinfo;
7be682ca 1310
059ec3d9
PH
1311return OK;
1312}
1313
1314
1315
1316
1317/*************************************************
1318* Get name of cipher in use *
1319*************************************************/
1320
817d9f57 1321/*
059ec3d9 1322Argument: pointer to an SSL structure for the connection
817d9f57
JH
1323 buffer to use for answer
1324 size of buffer
1325 pointer to number of bits for cipher
059ec3d9
PH
1326Returns: nothing
1327*/
1328
1329static void
817d9f57 1330construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits)
059ec3d9 1331{
57b3a7f5
PP
1332/* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't
1333yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
1334the accessor functions use const in the prototype. */
1335const SSL_CIPHER *c;
d9784128 1336const uschar *ver;
059ec3d9 1337
d9784128 1338ver = (const uschar *)SSL_get_version(ssl);
059ec3d9 1339
57b3a7f5 1340c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
817d9f57 1341SSL_CIPHER_get_bits(c, bits);
059ec3d9 1342
817d9f57
JH
1343string_format(cipherbuf, bsize, "%s:%s:%u", ver,
1344 SSL_CIPHER_get_name(c), *bits);
059ec3d9
PH
1345
1346DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
1347}
1348
1349
1350
1351
1352
1353/*************************************************
1354* Set up for verifying certificates *
1355*************************************************/
1356
1357/* Called by both client and server startup
1358
1359Arguments:
7be682ca 1360 sctx SSL_CTX* to initialise
059ec3d9
PH
1361 certs certs file or NULL
1362 crl CRL file or NULL
1363 host NULL in a server; the remote host in a client
1364 optional TRUE if called from a server for a host in tls_try_verify_hosts;
1365 otherwise passed as FALSE
983207c1 1366 cert_vfy_cb Callback function for certificate verification
059ec3d9
PH
1367
1368Returns: OK/DEFER/FAIL
1369*/
1370
1371static int
983207c1
JH
1372setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
1373 int (*cert_vfy_cb)(int, X509_STORE_CTX *) )
059ec3d9
PH
1374{
1375uschar *expcerts, *expcrl;
1376
1377if (!expand_check(certs, US"tls_verify_certificates", &expcerts))
1378 return DEFER;
1379
26e72755 1380if (expcerts != NULL && *expcerts != '\0')
059ec3d9 1381 {
cb1d7830 1382 if (Ustrcmp(expcerts, "system") == 0)
059ec3d9 1383 {
cb1d7830
JH
1384 /* Tell the library to use its compiled-in location for the system default
1385 CA bundle, only */
1386
1387 if (!SSL_CTX_set_default_verify_paths(sctx))
1388 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
059ec3d9
PH
1389 }
1390 else
1391 {
cb1d7830
JH
1392 struct stat statbuf;
1393
1394 /* Tell the library to use its compiled-in location for the system default
1395 CA bundle. Those given by the exim config are additional to these */
1396
1397 if (!SSL_CTX_set_default_verify_paths(sctx))
1398 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
1399
1400 if (Ustat(expcerts, &statbuf) < 0)
1401 {
1402 log_write(0, LOG_MAIN|LOG_PANIC,
1403 "failed to stat %s for certificates", expcerts);
1404 return DEFER;
1405 }
059ec3d9 1406 else
059ec3d9 1407 {
cb1d7830
JH
1408 uschar *file, *dir;
1409 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
1410 { file = NULL; dir = expcerts; }
1411 else
1412 { file = expcerts; dir = NULL; }
1413
1414 /* If a certificate file is empty, the next function fails with an
1415 unhelpful error message. If we skip it, we get the correct behaviour (no
1416 certificates are recognized, but the error message is still misleading (it
1417 says no certificate was supplied.) But this is better. */
1418
1419 if ((file == NULL || statbuf.st_size > 0) &&
1420 !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
1421 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL);
1422
1423 /* Load the list of CAs for which we will accept certs, for sending
1424 to the client. This is only for the one-file tls_verify_certificates
1425 variant.
1426 If a list isn't loaded into the server, but
1427 some verify locations are set, the server end appears to make
1428 a wildcard reqest for client certs.
1429 Meanwhile, the client library as deafult behaviour *ignores* the list
1430 we send over the wire - see man SSL_CTX_set_client_cert_cb.
1431 Because of this, and that the dir variant is likely only used for
1432 the public-CA bundle (not for a private CA), not worth fixing.
1433 */
1434 if (file != NULL)
1435 {
1436 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
1437 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
1438 sk_X509_NAME_num(names));
1439 SSL_CTX_set_client_CA_list(sctx, names);
1440 }
059ec3d9
PH
1441 }
1442 }
1443
1444 /* Handle a certificate revocation list. */
1445
1446 #if OPENSSL_VERSION_NUMBER > 0x00907000L
1447
8b417f2c
PH
1448 /* This bit of code is now the version supplied by Lars Mainka. (I have
1449 * merely reformatted it into the Exim code style.)
1450
1451 * "From here I changed the code to add support for multiple crl's
1452 * in pem format in one file or to support hashed directory entries in
1453 * pem format instead of a file. This method now uses the library function
1454 * X509_STORE_load_locations to add the CRL location to the SSL context.
1455 * OpenSSL will then handle the verify against CA certs and CRLs by
1456 * itself in the verify callback." */
1457
059ec3d9
PH
1458 if (!expand_check(crl, US"tls_crl", &expcrl)) return DEFER;
1459 if (expcrl != NULL && *expcrl != 0)
1460 {
8b417f2c
PH
1461 struct stat statbufcrl;
1462 if (Ustat(expcrl, &statbufcrl) < 0)
1463 {
1464 log_write(0, LOG_MAIN|LOG_PANIC,
1465 "failed to stat %s for certificates revocation lists", expcrl);
1466 return DEFER;
1467 }
1468 else
059ec3d9 1469 {
8b417f2c
PH
1470 /* is it a file or directory? */
1471 uschar *file, *dir;
7be682ca 1472 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
8b417f2c 1473 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
059ec3d9 1474 {
8b417f2c
PH
1475 file = NULL;
1476 dir = expcrl;
1477 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
059ec3d9
PH
1478 }
1479 else
1480 {
8b417f2c
PH
1481 file = expcrl;
1482 dir = NULL;
1483 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
059ec3d9 1484 }
8b417f2c 1485 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
7199e1ee 1486 return tls_error(US"X509_STORE_load_locations", host, NULL);
8b417f2c
PH
1487
1488 /* setting the flags to check against the complete crl chain */
1489
1490 X509_STORE_set_flags(cvstore,
1491 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
059ec3d9 1492 }
059ec3d9
PH
1493 }
1494
1495 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
1496
1497 /* If verification is optional, don't fail if no certificate */
1498
7be682ca 1499 SSL_CTX_set_verify(sctx,
059ec3d9 1500 SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
983207c1 1501 cert_vfy_cb);
059ec3d9
PH
1502 }
1503
1504return OK;
1505}
1506
1507
1508
1509/*************************************************
1510* Start a TLS session in a server *
1511*************************************************/
1512
1513/* This is called when Exim is running as a server, after having received
1514the STARTTLS command. It must respond to that command, and then negotiate
1515a TLS session.
1516
1517Arguments:
1518 require_ciphers allowed ciphers
1519
1520Returns: OK on success
1521 DEFER for errors before the start of the negotiation
1522 FAIL for errors during the negotation; the server can't
1523 continue running.
1524*/
1525
1526int
17c76198 1527tls_server_start(const uschar *require_ciphers)
059ec3d9
PH
1528{
1529int rc;
1530uschar *expciphers;
7be682ca 1531tls_ext_ctx_cb *cbinfo;
817d9f57 1532static uschar cipherbuf[256];
059ec3d9
PH
1533
1534/* Check for previous activation */
1535
817d9f57 1536if (tls_in.active >= 0)
059ec3d9 1537 {
5ca6d115 1538 tls_error(US"STARTTLS received after TLS started", NULL, US"");
059ec3d9
PH
1539 smtp_printf("554 Already in TLS\r\n");
1540 return FAIL;
1541 }
1542
1543/* Initialize the SSL library. If it fails, it will already have logged
1544the error. */
1545
817d9f57 1546rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
f2de3a33 1547#ifndef DISABLE_OCSP
3f7eeb86
PP
1548 tls_ocsp_file,
1549#endif
817d9f57 1550 NULL, &server_static_cbinfo);
059ec3d9 1551if (rc != OK) return rc;
817d9f57 1552cbinfo = server_static_cbinfo;
059ec3d9
PH
1553
1554if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
1555 return FAIL;
1556
1557/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
17c76198
PP
1558were historically separated by underscores. So that I can use either form in my
1559tests, and also for general convenience, we turn underscores into hyphens here.
1560*/
059ec3d9
PH
1561
1562if (expciphers != NULL)
1563 {
1564 uschar *s = expciphers;
1565 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1566 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
817d9f57 1567 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
7199e1ee 1568 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL);
7be682ca 1569 cbinfo->server_cipher_list = expciphers;
059ec3d9
PH
1570 }
1571
1572/* If this is a host for which certificate verification is mandatory or
1573optional, set up appropriately. */
1574
817d9f57 1575tls_in.certificate_verified = FALSE;
53a7196b
JH
1576#ifdef EXPERIMENTAL_DANE
1577tls_in.dane_verified = FALSE;
1578#endif
a2ff477a 1579server_verify_callback_called = FALSE;
059ec3d9
PH
1580
1581if (verify_check_host(&tls_verify_hosts) == OK)
1582 {
983207c1
JH
1583 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
1584 FALSE, verify_callback_server);
059ec3d9 1585 if (rc != OK) return rc;
a2ff477a 1586 server_verify_optional = FALSE;
059ec3d9
PH
1587 }
1588else if (verify_check_host(&tls_try_verify_hosts) == OK)
1589 {
983207c1
JH
1590 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
1591 TRUE, verify_callback_server);
059ec3d9 1592 if (rc != OK) return rc;
a2ff477a 1593 server_verify_optional = TRUE;
059ec3d9
PH
1594 }
1595
1596/* Prepare for new connection */
1597
817d9f57 1598if ((server_ssl = SSL_new(server_ctx)) == NULL) return tls_error(US"SSL_new", NULL, NULL);
da3ad30d
PP
1599
1600/* Warning: we used to SSL_clear(ssl) here, it was removed.
1601 *
1602 * With the SSL_clear(), we get strange interoperability bugs with
1603 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
1604 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
1605 *
1606 * The SSL_clear() call is to let an existing SSL* be reused, typically after
1607 * session shutdown. In this case, we have a brand new object and there's no
1608 * obvious reason to immediately clear it. I'm guessing that this was
1609 * originally added because of incomplete initialisation which the clear fixed,
1610 * in some historic release.
1611 */
059ec3d9
PH
1612
1613/* Set context and tell client to go ahead, except in the case of TLS startup
1614on connection, where outputting anything now upsets the clients and tends to
1615make them disconnect. We need to have an explicit fflush() here, to force out
1616the response. Other smtp_printf() calls do not need it, because in non-TLS
1617mode, the fflush() happens when smtp_getc() is called. */
1618
817d9f57
JH
1619SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
1620if (!tls_in.on_connect)
059ec3d9
PH
1621 {
1622 smtp_printf("220 TLS go ahead\r\n");
1623 fflush(smtp_out);
1624 }
1625
1626/* Now negotiate the TLS session. We put our own timer on it, since it seems
1627that the OpenSSL library doesn't. */
1628
817d9f57
JH
1629SSL_set_wfd(server_ssl, fileno(smtp_out));
1630SSL_set_rfd(server_ssl, fileno(smtp_in));
1631SSL_set_accept_state(server_ssl);
059ec3d9
PH
1632
1633DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
1634
1635sigalrm_seen = FALSE;
1636if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
817d9f57 1637rc = SSL_accept(server_ssl);
059ec3d9
PH
1638alarm(0);
1639
1640if (rc <= 0)
1641 {
7199e1ee 1642 tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL);
77bb000f
PP
1643 if (ERR_get_error() == 0)
1644 log_write(0, LOG_MAIN,
a053d125 1645 "TLS client disconnected cleanly (rejected our certificate?)");
059ec3d9
PH
1646 return FAIL;
1647 }
1648
1649DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
1650
1651/* TLS has been set up. Adjust the input functions to read via TLS,
1652and initialize things. */
1653
817d9f57
JH
1654construct_cipher_name(server_ssl, cipherbuf, sizeof(cipherbuf), &tls_in.bits);
1655tls_in.cipher = cipherbuf;
059ec3d9
PH
1656
1657DEBUG(D_tls)
1658 {
1659 uschar buf[2048];
817d9f57 1660 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)) != NULL)
059ec3d9
PH
1661 debug_printf("Shared ciphers: %s\n", buf);
1662 }
1663
9d1c15ef
JH
1664/* Record the certificate we presented */
1665 {
1666 X509 * crt = SSL_get_certificate(server_ssl);
1667 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
1668 }
059ec3d9 1669
817d9f57
JH
1670/* Only used by the server-side tls (tls_in), including tls_getc.
1671 Client-side (tls_out) reads (seem to?) go via
1672 smtp_read_response()/ip_recv().
1673 Hence no need to duplicate for _in and _out.
1674 */
059ec3d9
PH
1675ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
1676ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
1677ssl_xfer_eof = ssl_xfer_error = 0;
1678
1679receive_getc = tls_getc;
1680receive_ungetc = tls_ungetc;
1681receive_feof = tls_feof;
1682receive_ferror = tls_ferror;
58eb016e 1683receive_smtp_buffered = tls_smtp_buffered;
059ec3d9 1684
817d9f57 1685tls_in.active = fileno(smtp_out);
059ec3d9
PH
1686return OK;
1687}
1688
1689
1690
1691
043b1248
JH
1692static int
1693tls_client_basic_ctx_init(SSL_CTX * ctx,
01a4a5c5 1694 host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo
043b1248
JH
1695 )
1696{
1697int rc;
1698/* stick to the old behaviour for compatibility if tls_verify_certificates is
1699 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
1700 the specified host patterns if one of them is defined */
1701
610ff438
JH
1702if ( ( !ob->tls_verify_hosts
1703 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
1704 )
5130845b 1705 || (verify_check_given_host(&ob->tls_verify_hosts, host) == OK)
aa2a70ba 1706 )
043b1248 1707 client_verify_optional = FALSE;
5130845b 1708else if (verify_check_given_host(&ob->tls_try_verify_hosts, host) == OK)
aa2a70ba
JH
1709 client_verify_optional = TRUE;
1710else
1711 return OK;
1712
1713if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
1714 ob->tls_crl, host, client_verify_optional, verify_callback_client)) != OK)
1715 return rc;
043b1248 1716
5130845b 1717if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK)
043b1248 1718 {
aa2a70ba
JH
1719 cbinfo->verify_cert_hostnames = host->name;
1720 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
1721 cbinfo->verify_cert_hostnames);
043b1248 1722 }
043b1248
JH
1723return OK;
1724}
059ec3d9 1725
fde080a4
JH
1726
1727#ifdef EXPERIMENTAL_DANE
1728static int
fde080a4
JH
1729dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa)
1730{
1731dns_record * rr;
1732dns_scan dnss;
1733const char * hostnames[2] = { CS host->name, NULL };
1734int found = 0;
1735
1736if (DANESSL_init(ssl, NULL, hostnames) != 1)
1737 return tls_error(US"hostnames load", host, NULL);
1738
1739for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
1740 rr;
1741 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
1742 ) if (rr->type == T_TLSA)
1743 {
1744 uschar * p = rr->data;
1745 uint8_t usage, selector, mtype;
1746 const char * mdname;
1747
fde080a4 1748 usage = *p++;
133d2546
JH
1749
1750 /* Only DANE-TA(2) and DANE-EE(3) are supported */
1751 if (usage != 2 && usage != 3) continue;
1752
fde080a4
JH
1753 selector = *p++;
1754 mtype = *p++;
1755
1756 switch (mtype)
1757 {
133d2546
JH
1758 default: continue; /* Only match-types 0, 1, 2 are supported */
1759 case 0: mdname = NULL; break;
1760 case 1: mdname = "sha256"; break;
1761 case 2: mdname = "sha512"; break;
fde080a4
JH
1762 }
1763
133d2546 1764 found++;
fde080a4
JH
1765 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
1766 {
1767 default:
1768 case 0: /* action not taken */
1769 return tls_error(US"tlsa load", host, NULL);
1770 case 1: break;
1771 }
594706ea
JH
1772
1773 tls_out.tlsa_usage |= 1<<usage;
fde080a4
JH
1774 }
1775
1776if (found)
1777 return OK;
1778
133d2546 1779log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
6ebd79ec 1780return DEFER;
fde080a4
JH
1781}
1782#endif /*EXPERIMENTAL_DANE*/
1783
1784
1785
059ec3d9
PH
1786/*************************************************
1787* Start a TLS session in a client *
1788*************************************************/
1789
1790/* Called from the smtp transport after STARTTLS has been accepted.
1791
1792Argument:
1793 fd the fd of the connection
1794 host connected host (for messages)
83da1223 1795 addr the first address
a7538db1 1796 tb transport (always smtp)
0e66b3b6 1797 tlsa_dnsa tlsa lookup, if DANE, else null
059ec3d9
PH
1798
1799Returns: OK on success
1800 FAIL otherwise - note that tls_error() will not give DEFER
1801 because this is not a server
1802*/
1803
1804int
f5d78688 1805tls_client_start(int fd, host_item *host, address_item *addr,
0e66b3b6
JH
1806 transport_instance *tb
1807#ifdef EXPERIMENTAL_DANE
1808 , dns_answer * tlsa_dnsa
1809#endif
1810 )
059ec3d9 1811{
a7538db1
JH
1812smtp_transport_options_block * ob =
1813 (smtp_transport_options_block *)tb->options_block;
059ec3d9 1814static uschar txt[256];
868f5672
JH
1815uschar * expciphers;
1816X509 * server_cert;
059ec3d9 1817int rc;
817d9f57 1818static uschar cipherbuf[256];
043b1248
JH
1819
1820#ifndef DISABLE_OCSP
043b1248 1821BOOL request_ocsp = FALSE;
6634ac8d 1822BOOL require_ocsp = FALSE;
043b1248 1823#endif
043b1248
JH
1824
1825#ifdef EXPERIMENTAL_DANE
594706ea 1826tls_out.tlsa_usage = 0;
043b1248
JH
1827#endif
1828
f2de3a33 1829#ifndef DISABLE_OCSP
043b1248 1830 {
4f59c424
JH
1831# ifdef EXPERIMENTAL_DANE
1832 if ( tlsa_dnsa
1833 && ob->hosts_request_ocsp[0] == '*'
1834 && ob->hosts_request_ocsp[1] == '\0'
1835 )
1836 {
1837 /* Unchanged from default. Use a safer one under DANE */
1838 request_ocsp = TRUE;
1839 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
1840 " {= {4}{$tls_out_tlsa_usage}} } "
1841 " {*}{}}";
1842 }
1843# endif
1844
5130845b
JH
1845 if ((require_ocsp =
1846 verify_check_given_host(&ob->hosts_require_ocsp, host) == OK))
fca41d5a
JH
1847 request_ocsp = TRUE;
1848 else
fca41d5a 1849# ifdef EXPERIMENTAL_DANE
4f59c424 1850 if (!request_ocsp)
fca41d5a 1851# endif
5130845b
JH
1852 request_ocsp =
1853 verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
043b1248 1854 }
f5d78688 1855#endif
059ec3d9 1856
65867078
JH
1857rc = tls_init(&client_ctx, host, NULL,
1858 ob->tls_certificate, ob->tls_privatekey,
f2de3a33 1859#ifndef DISABLE_OCSP
44662487 1860 (void *)(long)request_ocsp,
3f7eeb86 1861#endif
817d9f57 1862 addr, &client_static_cbinfo);
059ec3d9
PH
1863if (rc != OK) return rc;
1864
817d9f57 1865tls_out.certificate_verified = FALSE;
a2ff477a 1866client_verify_callback_called = FALSE;
059ec3d9 1867
65867078
JH
1868if (!expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
1869 &expciphers))
059ec3d9
PH
1870 return FAIL;
1871
1872/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
1873are separated by underscores. So that I can use either form in my tests, and
1874also for general convenience, we turn underscores into hyphens here. */
1875
1876if (expciphers != NULL)
1877 {
1878 uschar *s = expciphers;
1879 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1880 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
817d9f57 1881 if (!SSL_CTX_set_cipher_list(client_ctx, CS expciphers))
7199e1ee 1882 return tls_error(US"SSL_CTX_set_cipher_list", host, NULL);
059ec3d9
PH
1883 }
1884
043b1248 1885#ifdef EXPERIMENTAL_DANE
0e66b3b6 1886if (tlsa_dnsa)
a63be306 1887 {
02af313d
JH
1888 SSL_CTX_set_verify(client_ctx,
1889 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
1890 verify_callback_client_dane);
e5cccda9 1891
043b1248 1892 if (!DANESSL_library_init())
b4161d10 1893 return tls_error(US"library init", host, NULL);
043b1248 1894 if (DANESSL_CTX_init(client_ctx) <= 0)
b4161d10 1895 return tls_error(US"context init", host, NULL);
043b1248
JH
1896 }
1897else
e51c7be2 1898
043b1248
JH
1899#endif
1900
01a4a5c5
JH
1901 if ((rc = tls_client_basic_ctx_init(client_ctx, host, ob, client_static_cbinfo))
1902 != OK)
65867078 1903 return rc;
059ec3d9 1904
65867078
JH
1905if ((client_ssl = SSL_new(client_ctx)) == NULL)
1906 return tls_error(US"SSL_new", host, NULL);
817d9f57
JH
1907SSL_set_session_id_context(client_ssl, sid_ctx, Ustrlen(sid_ctx));
1908SSL_set_fd(client_ssl, fd);
1909SSL_set_connect_state(client_ssl);
059ec3d9 1910
65867078 1911if (ob->tls_sni)
3f0945ff 1912 {
65867078 1913 if (!expand_check(ob->tls_sni, US"tls_sni", &tls_out.sni))
3f0945ff 1914 return FAIL;
ec4b68e5 1915 if (tls_out.sni == NULL)
2c9a0e86
PP
1916 {
1917 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
1918 }
ec4b68e5 1919 else if (!Ustrlen(tls_out.sni))
817d9f57 1920 tls_out.sni = NULL;
3f0945ff
PP
1921 else
1922 {
35731706 1923#ifdef EXIM_HAVE_OPENSSL_TLSEXT
817d9f57
JH
1924 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tls_out.sni);
1925 SSL_set_tlsext_host_name(client_ssl, tls_out.sni);
35731706
PP
1926#else
1927 DEBUG(D_tls)
1928 debug_printf("OpenSSL at build-time lacked SNI support, ignoring \"%s\"\n",
02d9264f 1929 tls_out.sni);
35731706 1930#endif
3f0945ff
PP
1931 }
1932 }
1933
594706ea 1934#ifdef EXPERIMENTAL_DANE
0e66b3b6
JH
1935if (tlsa_dnsa)
1936 if ((rc = dane_tlsa_load(client_ssl, host, tlsa_dnsa)) != OK)
594706ea
JH
1937 return rc;
1938#endif
1939
f2de3a33 1940#ifndef DISABLE_OCSP
f5d78688
JH
1941/* Request certificate status at connection-time. If the server
1942does OCSP stapling we will get the callback (set in tls_init()) */
b50c8b84 1943# ifdef EXPERIMENTAL_DANE
44662487
JH
1944if (request_ocsp)
1945 {
594706ea 1946 const uschar * s;
41afb5cb
JH
1947 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
1948 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
594706ea
JH
1949 )
1950 { /* Re-eval now $tls_out_tlsa_usage is populated. If
1951 this means we avoid the OCSP request, we wasted the setup
1952 cost in tls_init(). */
5130845b
JH
1953 require_ocsp = verify_check_given_host(&ob->hosts_require_ocsp, host) == OK;
1954 request_ocsp = require_ocsp
1955 || verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
594706ea
JH
1956 }
1957 }
b50c8b84
JH
1958# endif
1959
594706ea
JH
1960if (request_ocsp)
1961 {
f5d78688 1962 SSL_set_tlsext_status_type(client_ssl, TLSEXT_STATUSTYPE_ocsp);
44662487
JH
1963 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
1964 tls_out.ocsp = OCSP_NOT_RESP;
1965 }
f5d78688
JH
1966#endif
1967
774ef2d7
JH
1968#ifdef EXPERIMENTAL_EVENT
1969client_static_cbinfo->event_action = tb->event_action;
a7538db1 1970#endif
043b1248 1971
059ec3d9
PH
1972/* There doesn't seem to be a built-in timeout on connection. */
1973
1974DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
1975sigalrm_seen = FALSE;
65867078 1976alarm(ob->command_timeout);
817d9f57 1977rc = SSL_connect(client_ssl);
059ec3d9
PH
1978alarm(0);
1979
043b1248 1980#ifdef EXPERIMENTAL_DANE
0e66b3b6 1981if (tlsa_dnsa)
fde080a4 1982 DANESSL_cleanup(client_ssl);
043b1248
JH
1983#endif
1984
059ec3d9 1985if (rc <= 0)
7199e1ee 1986 return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL);
059ec3d9
PH
1987
1988DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
1989
453a6645 1990/* Beware anonymous ciphers which lead to server_cert being NULL */
9d1c15ef 1991/*XXX server_cert is never freed... use X509_free() */
817d9f57 1992server_cert = SSL_get_peer_certificate (client_ssl);
453a6645
PP
1993if (server_cert)
1994 {
817d9f57 1995 tls_out.peerdn = US X509_NAME_oneline(X509_get_subject_name(server_cert),
453a6645 1996 CS txt, sizeof(txt));
4c01d6ab 1997 txt[sizeof(txt)-1] = '\0';
9d1c15ef 1998 tls_out.peerdn = txt; /*XXX a static buffer... */
453a6645
PP
1999 }
2000else
817d9f57 2001 tls_out.peerdn = NULL;
059ec3d9 2002
817d9f57
JH
2003construct_cipher_name(client_ssl, cipherbuf, sizeof(cipherbuf), &tls_out.bits);
2004tls_out.cipher = cipherbuf;
059ec3d9 2005
9d1c15ef
JH
2006/* Record the certificate we presented */
2007 {
2008 X509 * crt = SSL_get_certificate(client_ssl);
2009 tls_out.ourcert = crt ? X509_dup(crt) : NULL;
2010 }
2011
817d9f57 2012tls_out.active = fd;
059ec3d9
PH
2013return OK;
2014}
2015
2016
2017
2018
2019
2020/*************************************************
2021* TLS version of getc *
2022*************************************************/
2023
2024/* This gets the next byte from the TLS input buffer. If the buffer is empty,
2025it refills the buffer via the SSL reading function.
2026
2027Arguments: none
2028Returns: the next character or EOF
817d9f57
JH
2029
2030Only used by the server-side TLS.
059ec3d9
PH
2031*/
2032
2033int
2034tls_getc(void)
2035{
2036if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
2037 {
2038 int error;
2039 int inbytes;
2040
817d9f57 2041 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
c80c5570 2042 ssl_xfer_buffer, ssl_xfer_buffer_size);
059ec3d9
PH
2043
2044 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
817d9f57
JH
2045 inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer, ssl_xfer_buffer_size);
2046 error = SSL_get_error(server_ssl, inbytes);
059ec3d9
PH
2047 alarm(0);
2048
2049 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
2050 closed down, not that the socket itself has been closed down. Revert to
2051 non-SSL handling. */
2052
2053 if (error == SSL_ERROR_ZERO_RETURN)
2054 {
2055 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2056
2057 receive_getc = smtp_getc;
2058 receive_ungetc = smtp_ungetc;
2059 receive_feof = smtp_feof;
2060 receive_ferror = smtp_ferror;
58eb016e 2061 receive_smtp_buffered = smtp_buffered;
059ec3d9 2062
817d9f57
JH
2063 SSL_free(server_ssl);
2064 server_ssl = NULL;
2065 tls_in.active = -1;
2066 tls_in.bits = 0;
2067 tls_in.cipher = NULL;
2068 tls_in.peerdn = NULL;
2069 tls_in.sni = NULL;
059ec3d9
PH
2070
2071 return smtp_getc();
2072 }
2073
2074 /* Handle genuine errors */
2075
ba084640
PP
2076 else if (error == SSL_ERROR_SSL)
2077 {
2078 ERR_error_string(ERR_get_error(), ssl_errstring);
89dd51cd 2079 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
ba084640
PP
2080 ssl_xfer_error = 1;
2081 return EOF;
2082 }
2083
059ec3d9
PH
2084 else if (error != SSL_ERROR_NONE)
2085 {
2086 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
2087 ssl_xfer_error = 1;
2088 return EOF;
2089 }
c80c5570 2090
80a47a2c
TK
2091#ifndef DISABLE_DKIM
2092 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
2093#endif
059ec3d9
PH
2094 ssl_xfer_buffer_hwm = inbytes;
2095 ssl_xfer_buffer_lwm = 0;
2096 }
2097
2098/* Something in the buffer; return next uschar */
2099
2100return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
2101}
2102
2103
2104
2105/*************************************************
2106* Read bytes from TLS channel *
2107*************************************************/
2108
2109/*
2110Arguments:
2111 buff buffer of data
2112 len size of buffer
2113
2114Returns: the number of bytes read
2115 -1 after a failed read
817d9f57
JH
2116
2117Only used by the client-side TLS.
059ec3d9
PH
2118*/
2119
2120int
389ca47a 2121tls_read(BOOL is_server, uschar *buff, size_t len)
059ec3d9 2122{
389ca47a 2123SSL *ssl = is_server ? server_ssl : client_ssl;
059ec3d9
PH
2124int inbytes;
2125int error;
2126
389ca47a 2127DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
c80c5570 2128 buff, (unsigned int)len);
059ec3d9 2129
389ca47a
JH
2130inbytes = SSL_read(ssl, CS buff, len);
2131error = SSL_get_error(ssl, inbytes);
059ec3d9
PH
2132
2133if (error == SSL_ERROR_ZERO_RETURN)
2134 {
2135 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2136 return -1;
2137 }
2138else if (error != SSL_ERROR_NONE)
2139 {
2140 return -1;
2141 }
2142
2143return inbytes;
2144}
2145
2146
2147
2148
2149
2150/*************************************************
2151* Write bytes down TLS channel *
2152*************************************************/
2153
2154/*
2155Arguments:
817d9f57 2156 is_server channel specifier
059ec3d9
PH
2157 buff buffer of data
2158 len number of bytes
2159
2160Returns: the number of bytes after a successful write,
2161 -1 after a failed write
817d9f57
JH
2162
2163Used by both server-side and client-side TLS.
059ec3d9
PH
2164*/
2165
2166int
817d9f57 2167tls_write(BOOL is_server, const uschar *buff, size_t len)
059ec3d9
PH
2168{
2169int outbytes;
2170int error;
2171int left = len;
817d9f57 2172SSL *ssl = is_server ? server_ssl : client_ssl;
059ec3d9 2173
c80c5570 2174DEBUG(D_tls) debug_printf("tls_do_write(%p, %d)\n", buff, left);
059ec3d9
PH
2175while (left > 0)
2176 {
c80c5570 2177 DEBUG(D_tls) debug_printf("SSL_write(SSL, %p, %d)\n", buff, left);
059ec3d9
PH
2178 outbytes = SSL_write(ssl, CS buff, left);
2179 error = SSL_get_error(ssl, outbytes);
2180 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
2181 switch (error)
2182 {
2183 case SSL_ERROR_SSL:
2184 ERR_error_string(ERR_get_error(), ssl_errstring);
2185 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
2186 return -1;
2187
2188 case SSL_ERROR_NONE:
2189 left -= outbytes;
2190 buff += outbytes;
2191 break;
2192
2193 case SSL_ERROR_ZERO_RETURN:
2194 log_write(0, LOG_MAIN, "SSL channel closed on write");
2195 return -1;
2196
817d9f57
JH
2197 case SSL_ERROR_SYSCALL:
2198 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
2199 sender_fullhost ? sender_fullhost : US"<unknown>",
2200 strerror(errno));
2201
059ec3d9
PH
2202 default:
2203 log_write(0, LOG_MAIN, "SSL_write error %d", error);
2204 return -1;
2205 }
2206 }
2207return len;
2208}
2209
2210
2211
2212/*************************************************
2213* Close down a TLS session *
2214*************************************************/
2215
2216/* This is also called from within a delivery subprocess forked from the
2217daemon, to shut down the TLS library, without actually doing a shutdown (which
2218would tamper with the SSL session in the parent process).
2219
2220Arguments: TRUE if SSL_shutdown is to be called
2221Returns: nothing
817d9f57
JH
2222
2223Used by both server-side and client-side TLS.
059ec3d9
PH
2224*/
2225
2226void
817d9f57 2227tls_close(BOOL is_server, BOOL shutdown)
059ec3d9 2228{
817d9f57 2229SSL **sslp = is_server ? &server_ssl : &client_ssl;
389ca47a 2230int *fdp = is_server ? &tls_in.active : &tls_out.active;
817d9f57
JH
2231
2232if (*fdp < 0) return; /* TLS was not active */
059ec3d9
PH
2233
2234if (shutdown)
2235 {
2236 DEBUG(D_tls) debug_printf("tls_close(): shutting down SSL\n");
817d9f57 2237 SSL_shutdown(*sslp);
059ec3d9
PH
2238 }
2239
817d9f57
JH
2240SSL_free(*sslp);
2241*sslp = NULL;
059ec3d9 2242
817d9f57 2243*fdp = -1;
059ec3d9
PH
2244}
2245
36f12725
NM
2246
2247
2248
2249/*************************************************
3375e053
PP
2250* Let tls_require_ciphers be checked at startup *
2251*************************************************/
2252
2253/* The tls_require_ciphers option, if set, must be something which the
2254library can parse.
2255
2256Returns: NULL on success, or error message
2257*/
2258
2259uschar *
2260tls_validate_require_cipher(void)
2261{
2262SSL_CTX *ctx;
2263uschar *s, *expciphers, *err;
2264
2265/* this duplicates from tls_init(), we need a better "init just global
2266state, for no specific purpose" singleton function of our own */
2267
2268SSL_load_error_strings();
2269OpenSSL_add_ssl_algorithms();
2270#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
2271/* SHA256 is becoming ever more popular. This makes sure it gets added to the
2272list of available digests. */
2273EVP_add_digest(EVP_sha256());
2274#endif
2275
2276if (!(tls_require_ciphers && *tls_require_ciphers))
2277 return NULL;
2278
2279if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers))
2280 return US"failed to expand tls_require_ciphers";
2281
2282if (!(expciphers && *expciphers))
2283 return NULL;
2284
2285/* normalisation ripped from above */
2286s = expciphers;
2287while (*s != 0) { if (*s == '_') *s = '-'; s++; }
2288
2289err = NULL;
2290
2291ctx = SSL_CTX_new(SSLv23_server_method());
2292if (!ctx)
2293 {
2294 ERR_error_string(ERR_get_error(), ssl_errstring);
2295 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
2296 }
2297
2298DEBUG(D_tls)
2299 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
2300
2301if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
2302 {
2303 ERR_error_string(ERR_get_error(), ssl_errstring);
2304 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed", expciphers);
2305 }
2306
2307SSL_CTX_free(ctx);
2308
2309return err;
2310}
2311
2312
2313
2314
2315/*************************************************
36f12725
NM
2316* Report the library versions. *
2317*************************************************/
2318
2319/* There have historically been some issues with binary compatibility in
2320OpenSSL libraries; if Exim (like many other applications) is built against
2321one version of OpenSSL but the run-time linker picks up another version,
2322it can result in serious failures, including crashing with a SIGSEGV. So
2323report the version found by the compiler and the run-time version.
2324
f64a1e23
PP
2325Note: some OS vendors backport security fixes without changing the version
2326number/string, and the version date remains unchanged. The _build_ date
2327will change, so we can more usefully assist with version diagnosis by also
2328reporting the build date.
2329
36f12725
NM
2330Arguments: a FILE* to print the results to
2331Returns: nothing
2332*/
2333
2334void
2335tls_version_report(FILE *f)
2336{
754a0503 2337fprintf(f, "Library version: OpenSSL: Compile: %s\n"
f64a1e23
PP
2338 " Runtime: %s\n"
2339 " : %s\n",
754a0503 2340 OPENSSL_VERSION_TEXT,
f64a1e23
PP
2341 SSLeay_version(SSLEAY_VERSION),
2342 SSLeay_version(SSLEAY_BUILT_ON));
2343/* third line is 38 characters for the %s and the line is 73 chars long;
2344the OpenSSL output includes a "built on: " prefix already. */
36f12725
NM
2345}
2346
9e3331ea
TK
2347
2348
2349
2350/*************************************************
17c76198 2351* Random number generation *
9e3331ea
TK
2352*************************************************/
2353
2354/* Pseudo-random number generation. The result is not expected to be
2355cryptographically strong but not so weak that someone will shoot themselves
2356in the foot using it as a nonce in input in some email header scheme or
2357whatever weirdness they'll twist this into. The result should handle fork()
2358and avoid repeating sequences. OpenSSL handles that for us.
2359
2360Arguments:
2361 max range maximum
2362Returns a random number in range [0, max-1]
2363*/
2364
2365int
17c76198 2366vaguely_random_number(int max)
9e3331ea
TK
2367{
2368unsigned int r;
2369int i, needed_len;
de6135a0
PP
2370static pid_t pidlast = 0;
2371pid_t pidnow;
9e3331ea
TK
2372uschar *p;
2373uschar smallbuf[sizeof(r)];
2374
2375if (max <= 1)
2376 return 0;
2377
de6135a0
PP
2378pidnow = getpid();
2379if (pidnow != pidlast)
2380 {
2381 /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
2382 is unique for each thread", this doesn't apparently apply across processes,
2383 so our own warning from vaguely_random_number_fallback() applies here too.
2384 Fix per PostgreSQL. */
2385 if (pidlast != 0)
2386 RAND_cleanup();
2387 pidlast = pidnow;
2388 }
2389
9e3331ea
TK
2390/* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
2391if (!RAND_status())
2392 {
2393 randstuff r;
2394 gettimeofday(&r.tv, NULL);
2395 r.p = getpid();
2396
2397 RAND_seed((uschar *)(&r), sizeof(r));
2398 }
2399/* We're after pseudo-random, not random; if we still don't have enough data
2400in the internal PRNG then our options are limited. We could sleep and hope
2401for entropy to come along (prayer technique) but if the system is so depleted
2402in the first place then something is likely to just keep taking it. Instead,
2403we'll just take whatever little bit of pseudo-random we can still manage to
2404get. */
2405
2406needed_len = sizeof(r);
2407/* Don't take 8 times more entropy than needed if int is 8 octets and we were
2408asked for a number less than 10. */
2409for (r = max, i = 0; r; ++i)
2410 r >>= 1;
2411i = (i + 7) / 8;
2412if (i < needed_len)
2413 needed_len = i;
2414
2415/* We do not care if crypto-strong */
17c76198
PP
2416i = RAND_pseudo_bytes(smallbuf, needed_len);
2417if (i < 0)
2418 {
2419 DEBUG(D_all)
2420 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
2421 return vaguely_random_number_fallback(max);
2422 }
2423
9e3331ea
TK
2424r = 0;
2425for (p = smallbuf; needed_len; --needed_len, ++p)
2426 {
2427 r *= 256;
2428 r += *p;
2429 }
2430
2431/* We don't particularly care about weighted results; if someone wants
2432smooth distribution and cares enough then they should submit a patch then. */
2433return r % max;
2434}
2435
77bb000f
PP
2436
2437
2438
2439/*************************************************
2440* OpenSSL option parse *
2441*************************************************/
2442
2443/* Parse one option for tls_openssl_options_parse below
2444
2445Arguments:
2446 name one option name
2447 value place to store a value for it
2448Returns success or failure in parsing
2449*/
2450
2451struct exim_openssl_option {
2452 uschar *name;
2453 long value;
2454};
2455/* We could use a macro to expand, but we need the ifdef and not all the
2456options document which version they were introduced in. Policylet: include
2457all options unless explicitly for DTLS, let the administrator choose which
2458to apply.
2459
2460This list is current as of:
e2fbf4a2
PP
2461 ==> 1.0.1b <==
2462Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
2463*/
77bb000f
PP
2464static struct exim_openssl_option exim_openssl_options[] = {
2465/* KEEP SORTED ALPHABETICALLY! */
2466#ifdef SSL_OP_ALL
73a46702 2467 { US"all", SSL_OP_ALL },
77bb000f
PP
2468#endif
2469#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
73a46702 2470 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
77bb000f
PP
2471#endif
2472#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
73a46702 2473 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
77bb000f
PP
2474#endif
2475#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
73a46702 2476 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
77bb000f
PP
2477#endif
2478#ifdef SSL_OP_EPHEMERAL_RSA
73a46702 2479 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
77bb000f
PP
2480#endif
2481#ifdef SSL_OP_LEGACY_SERVER_CONNECT
73a46702 2482 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
77bb000f
PP
2483#endif
2484#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
73a46702 2485 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
77bb000f
PP
2486#endif
2487#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
73a46702 2488 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
77bb000f
PP
2489#endif
2490#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
73a46702 2491 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
77bb000f
PP
2492#endif
2493#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
73a46702 2494 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
77bb000f
PP
2495#endif
2496#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
73a46702 2497 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
77bb000f 2498#endif
c80c5570
PP
2499#ifdef SSL_OP_NO_COMPRESSION
2500 { US"no_compression", SSL_OP_NO_COMPRESSION },
2501#endif
77bb000f 2502#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
73a46702 2503 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
77bb000f 2504#endif
c0c7b2da
PP
2505#ifdef SSL_OP_NO_SSLv2
2506 { US"no_sslv2", SSL_OP_NO_SSLv2 },
2507#endif
2508#ifdef SSL_OP_NO_SSLv3
2509 { US"no_sslv3", SSL_OP_NO_SSLv3 },
2510#endif
2511#ifdef SSL_OP_NO_TICKET
2512 { US"no_ticket", SSL_OP_NO_TICKET },
2513#endif
2514#ifdef SSL_OP_NO_TLSv1
2515 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
2516#endif
c80c5570
PP
2517#ifdef SSL_OP_NO_TLSv1_1
2518#if SSL_OP_NO_TLSv1_1 == 0x00000400L
2519 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
2520#warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
2521#else
2522 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
2523#endif
2524#endif
2525#ifdef SSL_OP_NO_TLSv1_2
2526 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
2527#endif
e2fbf4a2
PP
2528#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
2529 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
2530#endif
77bb000f 2531#ifdef SSL_OP_SINGLE_DH_USE
73a46702 2532 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
77bb000f
PP
2533#endif
2534#ifdef SSL_OP_SINGLE_ECDH_USE
73a46702 2535 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
77bb000f
PP
2536#endif
2537#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
73a46702 2538 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
77bb000f
PP
2539#endif
2540#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
73a46702 2541 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
77bb000f
PP
2542#endif
2543#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
73a46702 2544 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
77bb000f
PP
2545#endif
2546#ifdef SSL_OP_TLS_D5_BUG
73a46702 2547 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
77bb000f
PP
2548#endif
2549#ifdef SSL_OP_TLS_ROLLBACK_BUG
73a46702 2550 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
77bb000f
PP
2551#endif
2552};
2553static int exim_openssl_options_size =
2554 sizeof(exim_openssl_options)/sizeof(struct exim_openssl_option);
2555
c80c5570 2556
77bb000f
PP
2557static BOOL
2558tls_openssl_one_option_parse(uschar *name, long *value)
2559{
2560int first = 0;
2561int last = exim_openssl_options_size;
2562while (last > first)
2563 {
2564 int middle = (first + last)/2;
2565 int c = Ustrcmp(name, exim_openssl_options[middle].name);
2566 if (c == 0)
2567 {
2568 *value = exim_openssl_options[middle].value;
2569 return TRUE;
2570 }
2571 else if (c > 0)
2572 first = middle + 1;
2573 else
2574 last = middle;
2575 }
2576return FALSE;
2577}
2578
2579
2580
2581
2582/*************************************************
2583* OpenSSL option parsing logic *
2584*************************************************/
2585
2586/* OpenSSL has a number of compatibility options which an administrator might
2587reasonably wish to set. Interpret a list similarly to decode_bits(), so that
2588we look like log_selector.
2589
2590Arguments:
2591 option_spec the administrator-supplied string of options
2592 results ptr to long storage for the options bitmap
2593Returns success or failure
2594*/
2595
2596BOOL
2597tls_openssl_options_parse(uschar *option_spec, long *results)
2598{
2599long result, item;
2600uschar *s, *end;
2601uschar keep_c;
2602BOOL adding, item_parsed;
2603
0e944a0d 2604result = 0L;
b1770b6e 2605/* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
da3ad30d 2606 * from default because it increases BEAST susceptibility. */
f0f5a555
PP
2607#ifdef SSL_OP_NO_SSLv2
2608result |= SSL_OP_NO_SSLv2;
2609#endif
77bb000f
PP
2610
2611if (option_spec == NULL)
2612 {
2613 *results = result;
2614 return TRUE;
2615 }
2616
2617for (s=option_spec; *s != '\0'; /**/)
2618 {
2619 while (isspace(*s)) ++s;
2620 if (*s == '\0')
2621 break;
2622 if (*s != '+' && *s != '-')
2623 {
2624 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
0e944a0d 2625 "+ or - expected but found \"%s\"\n", s);
77bb000f
PP
2626 return FALSE;
2627 }
2628 adding = *s++ == '+';
2629 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
2630 keep_c = *end;
2631 *end = '\0';
2632 item_parsed = tls_openssl_one_option_parse(s, &item);
2633 if (!item_parsed)
2634 {
0e944a0d 2635 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
77bb000f
PP
2636 return FALSE;
2637 }
2638 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
2639 adding ? "adding" : "removing", result, item, s);
2640 if (adding)
2641 result |= item;
2642 else
2643 result &= ~item;
2644 *end = keep_c;
2645 s = end;
2646 }
2647
2648*results = result;
2649return TRUE;
2650}
2651
9d1c15ef
JH
2652/* vi: aw ai sw=2
2653*/
059ec3d9 2654/* End of tls-openssl.c */