TLS: Increase RSA keysize of autogen selfsign cert
[exim.git] / src / src / tls-openssl.c
CommitLineData
059ec3d9
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
f9ba5e22 5/* Copyright (c) University of Cambridge 1995 - 2018 */
059ec3d9
PH
6/* See the file NOTICE for conditions of use and distribution. */
7
f5d78688
JH
8/* Portions Copyright (c) The OpenSSL Project 1999 */
9
059ec3d9
PH
10/* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11library. It is #included into the tls.c file when that library is used. The
12code herein is based on a patch that was originally contributed by Steve
13Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
14
15No cryptographic code is included in Exim. All this module does is to call
16functions from the OpenSSL library. */
17
18
19/* Heading stuff */
20
21#include <openssl/lhash.h>
22#include <openssl/ssl.h>
23#include <openssl/err.h>
24#include <openssl/rand.h>
10ca4f1c
JH
25#ifndef OPENSSL_NO_ECDH
26# include <openssl/ec.h>
27#endif
f2de3a33 28#ifndef DISABLE_OCSP
e51c7be2 29# include <openssl/ocsp.h>
3f7eeb86 30#endif
c0635b6d 31#ifdef SUPPORT_DANE
05e796ad 32# include "danessl.h"
85098ee7
JH
33#endif
34
3f7eeb86 35
f2de3a33
JH
36#ifndef DISABLE_OCSP
37# define EXIM_OCSP_SKEW_SECONDS (300L)
38# define EXIM_OCSP_MAX_AGE (-1L)
3f7eeb86 39#endif
059ec3d9 40
3bcbbbe2 41#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
e51c7be2 42# define EXIM_HAVE_OPENSSL_TLSEXT
3bcbbbe2 43#endif
c8dfb21d
JH
44#if OPENSSL_VERSION_NUMBER >= 0x00908000L
45# define EXIM_HAVE_RSA_GENKEY_EX
46#endif
47#if OPENSSL_VERSION_NUMBER >= 0x10100000L
48# define EXIM_HAVE_OCSP_RESP_COUNT
49#else
50# define EXIM_HAVE_EPHEM_RSA_KEX
51# define EXIM_HAVE_RAND_PSEUDO
52#endif
53#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
8442641e 54# define EXIM_HAVE_SHA256
c8dfb21d 55#endif
34e3241d
PP
56
57/*
58 * X509_check_host provides sane certificate hostname checking, but was added
59 * to OpenSSL late, after other projects forked off the code-base. So in
60 * addition to guarding against the base version number, beware that LibreSSL
61 * does not (at this time) support this function.
62 *
63 * If LibreSSL gains a different API, perhaps via libtls, then we'll probably
64 * opt to disentangle and ask a LibreSSL user to provide glue for a third
65 * crypto provider for libtls instead of continuing to tie the OpenSSL glue
66 * into even twistier knots. If LibreSSL gains the same API, we can just
67 * change this guard and punt the issue for a while longer.
68 */
69#ifndef LIBRESSL_VERSION_NUMBER
70# if OPENSSL_VERSION_NUMBER >= 0x010100000L
71# define EXIM_HAVE_OPENSSL_CHECKHOST
8420742d 72# define EXIM_HAVE_OPENSSL_DH_BITS
7a8b9519 73# define EXIM_HAVE_OPENSSL_TLS_METHOD
7434882d
JH
74# else
75# define EXIM_NEED_OPENSSL_INIT
34e3241d
PP
76# endif
77# if OPENSSL_VERSION_NUMBER >= 0x010000000L \
2dfb468b 78 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
34e3241d
PP
79# define EXIM_HAVE_OPENSSL_CHECKHOST
80# endif
11aa88b0 81#endif
10ca4f1c 82
11aa88b0
RA
83#if !defined(LIBRESSL_VERSION_NUMBER) \
84 || LIBRESSL_VERSION_NUMBER >= 0x20010000L
10ca4f1c
JH
85# if !defined(OPENSSL_NO_ECDH)
86# if OPENSSL_VERSION_NUMBER >= 0x0090800fL
8442641e 87# define EXIM_HAVE_ECDH
10ca4f1c
JH
88# endif
89# if OPENSSL_VERSION_NUMBER >= 0x10002000L
10ca4f1c
JH
90# define EXIM_HAVE_OPENSSL_EC_NIST2NID
91# endif
92# endif
2dfb468b 93#endif
3bcbbbe2 94
67791ce4
JH
95#if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
96# warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
97# define DISABLE_OCSP
98#endif
99
a6510420
JH
100#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
101# include <openssl/x509v3.h>
102#endif
103
8442641e
JH
104/*************************************************
105* OpenSSL option parse *
106*************************************************/
107
108typedef struct exim_openssl_option {
109 uschar *name;
110 long value;
111} exim_openssl_option;
112/* We could use a macro to expand, but we need the ifdef and not all the
113options document which version they were introduced in. Policylet: include
114all options unless explicitly for DTLS, let the administrator choose which
115to apply.
116
117This list is current as of:
118 ==> 1.0.1b <==
119Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
120Plus SSL_OP_NO_TLSv1_3 for 1.1.2-dev
121*/
122static exim_openssl_option exim_openssl_options[] = {
123/* KEEP SORTED ALPHABETICALLY! */
124#ifdef SSL_OP_ALL
125 { US"all", SSL_OP_ALL },
126#endif
127#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
128 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
129#endif
130#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
131 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
132#endif
133#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
134 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
135#endif
136#ifdef SSL_OP_EPHEMERAL_RSA
137 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
138#endif
139#ifdef SSL_OP_LEGACY_SERVER_CONNECT
140 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
141#endif
142#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
143 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
144#endif
145#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
146 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
147#endif
148#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
149 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
150#endif
151#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
152 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
153#endif
154#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
155 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
156#endif
157#ifdef SSL_OP_NO_COMPRESSION
158 { US"no_compression", SSL_OP_NO_COMPRESSION },
159#endif
160#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
161 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
162#endif
163#ifdef SSL_OP_NO_SSLv2
164 { US"no_sslv2", SSL_OP_NO_SSLv2 },
165#endif
166#ifdef SSL_OP_NO_SSLv3
167 { US"no_sslv3", SSL_OP_NO_SSLv3 },
168#endif
169#ifdef SSL_OP_NO_TICKET
170 { US"no_ticket", SSL_OP_NO_TICKET },
171#endif
172#ifdef SSL_OP_NO_TLSv1
173 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
174#endif
175#ifdef SSL_OP_NO_TLSv1_1
176#if SSL_OP_NO_TLSv1_1 == 0x00000400L
177 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
178#warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
179#else
180 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
181#endif
182#endif
183#ifdef SSL_OP_NO_TLSv1_2
184 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
185#endif
186#ifdef SSL_OP_NO_TLSv1_3
187 { US"no_tlsv1_3", SSL_OP_NO_TLSv1_3 },
188#endif
189#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
190 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
191#endif
192#ifdef SSL_OP_SINGLE_DH_USE
193 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
194#endif
195#ifdef SSL_OP_SINGLE_ECDH_USE
196 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
197#endif
198#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
199 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
200#endif
201#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
202 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
203#endif
204#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
205 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
206#endif
207#ifdef SSL_OP_TLS_D5_BUG
208 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
209#endif
210#ifdef SSL_OP_TLS_ROLLBACK_BUG
211 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
212#endif
213};
214
215#ifndef MACRO_PREDEF
216static int exim_openssl_options_size = nelem(exim_openssl_options);
217#endif
218
219#ifdef MACRO_PREDEF
220void
221options_tls(void)
222{
223struct exim_openssl_option * o;
224uschar buf[64];
225
226for (o = exim_openssl_options;
227 o < exim_openssl_options + nelem(exim_openssl_options); o++)
228 {
229 /* Trailing X is workaround for problem with _OPT_OPENSSL_NO_TLSV1
230 being a ".ifdef _OPT_OPENSSL_NO_TLSV1_3" match */
231
232 spf(buf, sizeof(buf), US"_OPT_OPENSSL_%T_X", o->name);
233 builtin_macro_create(buf);
234 }
235}
236#else
237
238/******************************************************************************/
239
059ec3d9
PH
240/* Structure for collecting random data for seeding. */
241
242typedef struct randstuff {
9e3331ea
TK
243 struct timeval tv;
244 pid_t p;
059ec3d9
PH
245} randstuff;
246
247/* Local static variables */
248
a2ff477a
JH
249static BOOL client_verify_callback_called = FALSE;
250static BOOL server_verify_callback_called = FALSE;
059ec3d9
PH
251static const uschar *sid_ctx = US"exim";
252
d4f09789
PP
253/* We have three different contexts to care about.
254
255Simple case: client, `client_ctx`
256 As a client, we can be doing a callout or cut-through delivery while receiving
257 a message. So we have a client context, which should have options initialised
74f1a423
JH
258 from the SMTP Transport. We may also concurrently want to make TLS connections
259 to utility daemons, so client-contexts are allocated and passed around in call
260 args rather than using a gobal.
d4f09789
PP
261
262Server:
263 There are two cases: with and without ServerNameIndication from the client.
264 Given TLS SNI, we can be using different keys, certs and various other
265 configuration settings, because they're re-expanded with $tls_sni set. This
266 allows vhosting with TLS. This SNI is sent in the handshake.
267 A client might not send SNI, so we need a fallback, and an initial setup too.
268 So as a server, we start out using `server_ctx`.
269 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
270 `server_sni` from `server_ctx` and then initialise settings by re-expanding
271 configuration.
272*/
273
74f1a423
JH
274typedef struct {
275 SSL_CTX * ctx;
276 SSL * ssl;
277} exim_openssl_client_tls_ctx;
278
817d9f57 279static SSL_CTX *server_ctx = NULL;
817d9f57 280static SSL *server_ssl = NULL;
389ca47a 281
35731706 282#ifdef EXIM_HAVE_OPENSSL_TLSEXT
817d9f57 283static SSL_CTX *server_sni = NULL;
35731706 284#endif
059ec3d9
PH
285
286static char ssl_errstring[256];
287
288static int ssl_session_timeout = 200;
a2ff477a
JH
289static BOOL client_verify_optional = FALSE;
290static BOOL server_verify_optional = FALSE;
059ec3d9 291
f5d78688 292static BOOL reexpand_tls_files_for_sni = FALSE;
059ec3d9
PH
293
294
7be682ca
PP
295typedef struct tls_ext_ctx_cb {
296 uschar *certificate;
297 uschar *privatekey;
f5d78688 298 BOOL is_server;
a6510420 299#ifndef DISABLE_OCSP
c3033f13 300 STACK_OF(X509) *verify_stack; /* chain for verifying the proof */
f5d78688
JH
301 union {
302 struct {
303 uschar *file;
304 uschar *file_expanded;
305 OCSP_RESPONSE *response;
306 } server;
307 struct {
44662487
JH
308 X509_STORE *verify_store; /* non-null if status requested */
309 BOOL verify_required;
f5d78688
JH
310 } client;
311 } u_ocsp;
3f7eeb86 312#endif
7be682ca
PP
313 uschar *dhparam;
314 /* these are cached from first expand */
315 uschar *server_cipher_list;
316 /* only passed down to tls_error: */
317 host_item *host;
55414b25 318 const uschar * verify_cert_hostnames;
0cbf2b82 319#ifndef DISABLE_EVENT
a7538db1
JH
320 uschar * event_action;
321#endif
7be682ca
PP
322} tls_ext_ctx_cb;
323
324/* should figure out a cleanup of API to handle state preserved per
325implementation, for various reasons, which can be void * in the APIs.
326For now, we hack around it. */
817d9f57
JH
327tls_ext_ctx_cb *client_static_cbinfo = NULL;
328tls_ext_ctx_cb *server_static_cbinfo = NULL;
7be682ca
PP
329
330static int
983207c1 331setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
cf0c6164 332 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr );
059ec3d9 333
3f7eeb86 334/* Callbacks */
3bcbbbe2 335#ifdef EXIM_HAVE_OPENSSL_TLSEXT
3f7eeb86 336static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
3bcbbbe2 337#endif
f2de3a33 338#ifndef DISABLE_OCSP
f5d78688 339static int tls_server_stapling_cb(SSL *s, void *arg);
3f7eeb86
PP
340#endif
341
059ec3d9
PH
342
343/*************************************************
344* Handle TLS error *
345*************************************************/
346
347/* Called from lots of places when errors occur before actually starting to do
348the TLS handshake, that is, while the session is still in clear. Always returns
349DEFER for a server and FAIL for a client so that most calls can use "return
350tls_error(...)" to do this processing and then give an appropriate return. A
351single function is used for both server and client, because it is called from
352some shared functions.
353
354Argument:
355 prefix text to include in the logged error
356 host NULL if setting up a server;
357 the connected host if setting up a client
7199e1ee 358 msg error message or NULL if we should ask OpenSSL
cf0c6164 359 errstr pointer to output error message
059ec3d9
PH
360
361Returns: OK/DEFER/FAIL
362*/
363
364static int
cf0c6164 365tls_error(uschar * prefix, const host_item * host, uschar * msg, uschar ** errstr)
059ec3d9 366{
c562fd30 367if (!msg)
7199e1ee 368 {
0abc5a13 369 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
cf0c6164 370 msg = US ssl_errstring;
7199e1ee
TF
371 }
372
cf0c6164
JH
373if (errstr) *errstr = string_sprintf("(%s): %s", prefix, msg);
374return host ? FAIL : DEFER;
059ec3d9
PH
375}
376
377
378
379/*************************************************
380* Callback to generate RSA key *
381*************************************************/
382
383/*
384Arguments:
3ae79556 385 s SSL connection (not used)
059ec3d9
PH
386 export not used
387 keylength keylength
388
389Returns: pointer to generated key
390*/
391
392static RSA *
393rsa_callback(SSL *s, int export, int keylength)
394{
395RSA *rsa_key;
c8dfb21d
JH
396#ifdef EXIM_HAVE_RSA_GENKEY_EX
397BIGNUM *bn = BN_new();
398#endif
399
059ec3d9
PH
400export = export; /* Shut picky compilers up */
401DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
c8dfb21d
JH
402
403#ifdef EXIM_HAVE_RSA_GENKEY_EX
404if ( !BN_set_word(bn, (unsigned long)RSA_F4)
f2cb6292 405 || !(rsa_key = RSA_new())
c8dfb21d
JH
406 || !RSA_generate_key_ex(rsa_key, keylength, bn, NULL)
407 )
408#else
23bb6982 409if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL)))
c8dfb21d
JH
410#endif
411
059ec3d9 412 {
0abc5a13 413 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
059ec3d9
PH
414 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
415 ssl_errstring);
416 return NULL;
417 }
418return rsa_key;
419}
420
421
422
f5d78688 423/* Extreme debug
f2de3a33 424#ifndef DISABLE_OCSP
f5d78688
JH
425void
426x509_store_dump_cert_s_names(X509_STORE * store)
427{
428STACK_OF(X509_OBJECT) * roots= store->objs;
429int i;
430static uschar name[256];
431
432for(i= 0; i<sk_X509_OBJECT_num(roots); i++)
433 {
434 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
435 if(tmp_obj->type == X509_LU_X509)
436 {
70e384dd
JH
437 X509_NAME * sn = X509_get_subject_name(tmp_obj->data.x509);
438 if (X509_NAME_oneline(sn, CS name, sizeof(name)))
439 {
440 name[sizeof(name)-1] = '\0';
441 debug_printf(" %s\n", name);
442 }
f5d78688
JH
443 }
444 }
445}
446#endif
447*/
448
059ec3d9 449
0cbf2b82 450#ifndef DISABLE_EVENT
f69979cf
JH
451static int
452verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
453 BOOL *calledp, const BOOL *optionalp, const uschar * what)
454{
455uschar * ev;
456uschar * yield;
457X509 * old_cert;
458
459ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
460if (ev)
461 {
aaba7d03 462 DEBUG(D_tls) debug_printf("verify_event: %s %d\n", what, depth);
f69979cf
JH
463 old_cert = tlsp->peercert;
464 tlsp->peercert = X509_dup(cert);
465 /* NB we do not bother setting peerdn */
466 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
467 {
468 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
469 "depth=%d cert=%s: %s",
470 tlsp == &tls_out ? deliver_host_address : sender_host_address,
471 what, depth, dn, yield);
472 *calledp = TRUE;
473 if (!*optionalp)
474 {
475 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
476 return 1; /* reject (leaving peercert set) */
477 }
478 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
479 "(host in tls_try_verify_hosts)\n");
480 }
481 X509_free(tlsp->peercert);
482 tlsp->peercert = old_cert;
483 }
484return 0;
485}
486#endif
487
059ec3d9
PH
488/*************************************************
489* Callback for verification *
490*************************************************/
491
492/* The SSL library does certificate verification if set up to do so. This
493callback has the current yes/no state is in "state". If verification succeeded,
f69979cf
JH
494we set the certificate-verified flag. If verification failed, what happens
495depends on whether the client is required to present a verifiable certificate
496or not.
059ec3d9
PH
497
498If verification is optional, we change the state to yes, but still log the
499verification error. For some reason (it really would help to have proper
500documentation of OpenSSL), this callback function then gets called again, this
f69979cf
JH
501time with state = 1. We must take care not to set the private verified flag on
502the second time through.
059ec3d9
PH
503
504Note: this function is not called if the client fails to present a certificate
505when asked. We get here only if a certificate has been received. Handling of
506optional verification for this case is done when requesting SSL to verify, by
507setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
508
a7538db1
JH
509May be called multiple times for different issues with a certificate, even
510for a given "depth" in the certificate chain.
511
059ec3d9 512Arguments:
f2f2c91b
JH
513 preverify_ok current yes/no state as 1/0
514 x509ctx certificate information.
515 tlsp per-direction (client vs. server) support data
516 calledp has-been-called flag
517 optionalp verification-is-optional flag
059ec3d9 518
f2f2c91b 519Returns: 0 if verification should fail, otherwise 1
059ec3d9
PH
520*/
521
522static int
70e384dd
JH
523verify_callback(int preverify_ok, X509_STORE_CTX * x509ctx,
524 tls_support * tlsp, BOOL * calledp, BOOL * optionalp)
059ec3d9 525{
421aff85 526X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
a7538db1 527int depth = X509_STORE_CTX_get_error_depth(x509ctx);
f69979cf 528uschar dn[256];
059ec3d9 529
70e384dd
JH
530if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
531 {
532 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
533 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
534 tlsp == &tls_out ? deliver_host_address : sender_host_address);
535 return 0;
536 }
f69979cf 537dn[sizeof(dn)-1] = '\0';
059ec3d9 538
f2f2c91b 539if (preverify_ok == 0)
059ec3d9 540 {
f77197ae
JH
541 uschar * extra = verify_mode ? string_sprintf(" (during %c-verify for [%s])",
542 *verify_mode, sender_host_address)
543 : US"";
544 log_write(0, LOG_MAIN, "[%s] SSL verify error%s: depth=%d error=%s cert=%s",
545 tlsp == &tls_out ? deliver_host_address : sender_host_address,
546 extra, depth,
547 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)), dn);
a2ff477a 548 *calledp = TRUE;
9d1c15ef
JH
549 if (!*optionalp)
550 {
f69979cf
JH
551 if (!tlsp->peercert)
552 tlsp->peercert = X509_dup(cert); /* record failing cert */
553 return 0; /* reject */
9d1c15ef 554 }
059ec3d9
PH
555 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
556 "tls_try_verify_hosts)\n");
059ec3d9
PH
557 }
558
a7538db1 559else if (depth != 0)
059ec3d9 560 {
f69979cf 561 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
f2de3a33 562#ifndef DISABLE_OCSP
f5d78688
JH
563 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
564 { /* client, wanting stapling */
565 /* Add the server cert's signing chain as the one
566 for the verification of the OCSP stapled information. */
94431adb 567
f5d78688 568 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
421aff85 569 cert))
f5d78688 570 ERR_clear_error();
c3033f13 571 sk_X509_push(client_static_cbinfo->verify_stack, cert);
f5d78688
JH
572 }
573#endif
0cbf2b82 574#ifndef DISABLE_EVENT
f69979cf
JH
575 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
576 return 0; /* reject, with peercert set */
a7538db1 577#endif
059ec3d9
PH
578 }
579else
580 {
55414b25 581 const uschar * verify_cert_hostnames;
e51c7be2 582
e51c7be2
JH
583 if ( tlsp == &tls_out
584 && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
afdb5e9c 585 /* client, wanting hostname check */
e51c7be2 586 {
f69979cf 587
740f36d4 588#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
f69979cf
JH
589# ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
590# define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
591# endif
592# ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
593# define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
594# endif
e51c7be2 595 int sep = 0;
55414b25 596 const uschar * list = verify_cert_hostnames;
e51c7be2 597 uschar * name;
d8e7834a
JH
598 int rc;
599 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
f40d5be3 600 if ((rc = X509_check_host(cert, CCS name, 0,
8d692470 601 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
740f36d4
JH
602 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
603 NULL)))
d8e7834a
JH
604 {
605 if (rc < 0)
606 {
93a6fce2 607 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
f77197ae 608 tlsp == &tls_out ? deliver_host_address : sender_host_address);
d8e7834a
JH
609 name = NULL;
610 }
e51c7be2 611 break;
d8e7834a 612 }
e51c7be2 613 if (!name)
f69979cf 614#else
e51c7be2 615 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
f69979cf 616#endif
e51c7be2 617 {
f77197ae
JH
618 uschar * extra = verify_mode
619 ? string_sprintf(" (during %c-verify for [%s])",
620 *verify_mode, sender_host_address)
621 : US"";
e51c7be2 622 log_write(0, LOG_MAIN,
f77197ae
JH
623 "[%s] SSL verify error%s: certificate name mismatch: DN=\"%s\" H=\"%s\"",
624 tlsp == &tls_out ? deliver_host_address : sender_host_address,
625 extra, dn, verify_cert_hostnames);
a3ef7310
JH
626 *calledp = TRUE;
627 if (!*optionalp)
f69979cf
JH
628 {
629 if (!tlsp->peercert)
630 tlsp->peercert = X509_dup(cert); /* record failing cert */
631 return 0; /* reject */
632 }
a3ef7310
JH
633 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
634 "tls_try_verify_hosts)\n");
e51c7be2 635 }
f69979cf 636 }
e51c7be2 637
0cbf2b82 638#ifndef DISABLE_EVENT
f69979cf
JH
639 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
640 return 0; /* reject, with peercert set */
e51c7be2
JH
641#endif
642
93dcb1c2 643 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
f69979cf 644 *calledp ? "" : " authenticated", dn);
93dcb1c2
JH
645 if (!*calledp) tlsp->certificate_verified = TRUE;
646 *calledp = TRUE;
059ec3d9
PH
647 }
648
a7538db1 649return 1; /* accept, at least for this level */
059ec3d9
PH
650}
651
a2ff477a 652static int
f2f2c91b 653verify_callback_client(int preverify_ok, X509_STORE_CTX *x509ctx)
a2ff477a 654{
f2f2c91b
JH
655return verify_callback(preverify_ok, x509ctx, &tls_out,
656 &client_verify_callback_called, &client_verify_optional);
a2ff477a
JH
657}
658
659static int
f2f2c91b 660verify_callback_server(int preverify_ok, X509_STORE_CTX *x509ctx)
a2ff477a 661{
f2f2c91b
JH
662return verify_callback(preverify_ok, x509ctx, &tls_in,
663 &server_verify_callback_called, &server_verify_optional);
a2ff477a
JH
664}
665
059ec3d9 666
c0635b6d 667#ifdef SUPPORT_DANE
53a7196b 668
e5cccda9
JH
669/* This gets called *by* the dane library verify callback, which interposes
670itself.
671*/
672static int
f2f2c91b 673verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
e5cccda9
JH
674{
675X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
f69979cf 676uschar dn[256];
83b27293 677int depth = X509_STORE_CTX_get_error_depth(x509ctx);
5c75db2e 678#ifndef DISABLE_EVENT
f69979cf 679BOOL dummy_called, optional = FALSE;
83b27293 680#endif
e5cccda9 681
70e384dd
JH
682if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
683 {
684 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
685 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
686 deliver_host_address);
687 return 0;
688 }
f69979cf 689dn[sizeof(dn)-1] = '\0';
e5cccda9 690
f2f2c91b
JH
691DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
692 preverify_ok ? "ok":"BAD", depth, dn);
e5cccda9 693
0cbf2b82 694#ifndef DISABLE_EVENT
f69979cf
JH
695 if (verify_event(&tls_out, cert, depth, dn,
696 &dummy_called, &optional, US"DANE"))
697 return 0; /* reject, with peercert set */
83b27293
JH
698#endif
699
f2f2c91b 700if (preverify_ok == 1)
6fbf3599
JH
701 {
702 tls_out.dane_verified = tls_out.certificate_verified = TRUE;
703#ifndef DISABLE_OCSP
704 if (client_static_cbinfo->u_ocsp.client.verify_store)
705 { /* client, wanting stapling */
706 /* Add the server cert's signing chain as the one
707 for the verification of the OCSP stapled information. */
708
709 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
710 cert))
711 ERR_clear_error();
712 sk_X509_push(client_static_cbinfo->verify_stack, cert);
713 }
714#endif
715 }
f2f2c91b
JH
716else
717 {
718 int err = X509_STORE_CTX_get_error(x509ctx);
719 DEBUG(D_tls)
720 debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
3c51463e 721 if (err == X509_V_ERR_APPLICATION_VERIFICATION)
f2f2c91b
JH
722 preverify_ok = 1;
723 }
724return preverify_ok;
e5cccda9 725}
53a7196b 726
c0635b6d 727#endif /*SUPPORT_DANE*/
e5cccda9 728
059ec3d9
PH
729
730/*************************************************
731* Information callback *
732*************************************************/
733
734/* The SSL library functions call this from time to time to indicate what they
7be682ca
PP
735are doing. We copy the string to the debugging output when TLS debugging has
736been requested.
059ec3d9
PH
737
738Arguments:
739 s the SSL connection
740 where
741 ret
742
743Returns: nothing
744*/
745
746static void
747info_callback(SSL *s, int where, int ret)
748{
0abc5a13
JH
749DEBUG(D_tls)
750 {
751 const uschar * str;
752
753 if (where & SSL_ST_CONNECT)
48224640 754 str = US"SSL_connect";
0abc5a13 755 else if (where & SSL_ST_ACCEPT)
48224640 756 str = US"SSL_accept";
0abc5a13 757 else
48224640 758 str = US"SSL info (undefined)";
0abc5a13
JH
759
760 if (where & SSL_CB_LOOP)
761 debug_printf("%s: %s\n", str, SSL_state_string_long(s));
762 else if (where & SSL_CB_ALERT)
763 debug_printf("SSL3 alert %s:%s:%s\n",
48224640 764 str = where & SSL_CB_READ ? US"read" : US"write",
0abc5a13
JH
765 SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
766 else if (where & SSL_CB_EXIT)
767 if (ret == 0)
768 debug_printf("%s: failed in %s\n", str, SSL_state_string_long(s));
769 else if (ret < 0)
770 debug_printf("%s: error in %s\n", str, SSL_state_string_long(s));
771 else if (where & SSL_CB_HANDSHAKE_START)
772 debug_printf("%s: hshake start: %s\n", str, SSL_state_string_long(s));
773 else if (where & SSL_CB_HANDSHAKE_DONE)
774 debug_printf("%s: hshake done: %s\n", str, SSL_state_string_long(s));
775 }
059ec3d9
PH
776}
777
778
779
780/*************************************************
781* Initialize for DH *
782*************************************************/
783
784/* If dhparam is set, expand it, and load up the parameters for DH encryption.
785
786Arguments:
038597d2 787 sctx The current SSL CTX (inbound or outbound)
a799883d 788 dhparam DH parameter file or fixed parameter identity string
7199e1ee 789 host connected host, if client; NULL if server
cf0c6164 790 errstr error string pointer
059ec3d9
PH
791
792Returns: TRUE if OK (nothing to set up, or setup worked)
793*/
794
795static BOOL
cf0c6164 796init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host, uschar ** errstr)
059ec3d9 797{
059ec3d9
PH
798BIO *bio;
799DH *dh;
800uschar *dhexpanded;
a799883d 801const char *pem;
6600985a 802int dh_bitsize;
059ec3d9 803
cf0c6164 804if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded, errstr))
059ec3d9
PH
805 return FALSE;
806
0df4ab80 807if (!dhexpanded || !*dhexpanded)
a799883d 808 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
a799883d 809else if (dhexpanded[0] == '/')
059ec3d9 810 {
0df4ab80 811 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
059ec3d9 812 {
7199e1ee 813 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
cf0c6164 814 host, US strerror(errno), errstr);
a799883d 815 return FALSE;
059ec3d9 816 }
a799883d
PP
817 }
818else
819 {
820 if (Ustrcmp(dhexpanded, "none") == 0)
059ec3d9 821 {
a799883d
PP
822 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
823 return TRUE;
059ec3d9 824 }
a799883d 825
0df4ab80 826 if (!(pem = std_dh_prime_named(dhexpanded)))
a799883d
PP
827 {
828 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
cf0c6164 829 host, US strerror(errno), errstr);
a799883d
PP
830 return FALSE;
831 }
832 bio = BIO_new_mem_buf(CS pem, -1);
833 }
834
0df4ab80 835if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
a799883d 836 {
059ec3d9 837 BIO_free(bio);
a799883d 838 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
cf0c6164 839 host, NULL, errstr);
a799883d
PP
840 return FALSE;
841 }
842
6600985a
PP
843/* note: our default limit of 2236 is not a multiple of 8; the limit comes from
844 * an NSS limit, and the GnuTLS APIs handle bit-sizes fine, so we went with
845 * 2236. But older OpenSSL can only report in bytes (octets), not bits.
846 * If someone wants to dance at the edge, then they can raise the limit or use
847 * current libraries. */
848#ifdef EXIM_HAVE_OPENSSL_DH_BITS
849/* Added in commit 26c79d5641d; `git describe --contains` says OpenSSL_1_1_0-pre1~1022
850 * This predates OpenSSL_1_1_0 (before a, b, ...) so is in all 1.1.0 */
851dh_bitsize = DH_bits(dh);
852#else
853dh_bitsize = 8 * DH_size(dh);
854#endif
855
a799883d
PP
856/* Even if it is larger, we silently return success rather than cause things
857 * to fail out, so that a too-large DH will not knock out all TLS; it's a
858 * debatable choice. */
6600985a 859if (dh_bitsize > tls_dh_max_bits)
a799883d
PP
860 {
861 DEBUG(D_tls)
170f4904 862 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d\n",
6600985a 863 dh_bitsize, tls_dh_max_bits);
a799883d
PP
864 }
865else
866 {
867 SSL_CTX_set_tmp_dh(sctx, dh);
868 DEBUG(D_tls)
869 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
6600985a 870 dhexpanded ? dhexpanded : US"default", dh_bitsize);
059ec3d9
PH
871 }
872
a799883d
PP
873DH_free(dh);
874BIO_free(bio);
875
876return TRUE;
059ec3d9
PH
877}
878
879
880
881
038597d2
PP
882/*************************************************
883* Initialize for ECDH *
884*************************************************/
885
886/* Load parameters for ECDH encryption.
887
888For now, we stick to NIST P-256 because: it's simple and easy to configure;
889it avoids any patent issues that might bite redistributors; despite events in
890the news and concerns over curve choices, we're not cryptographers, we're not
891pretending to be, and this is "good enough" to be better than no support,
892protecting against most adversaries. Given another year or two, there might
893be sufficient clarity about a "right" way forward to let us make an informed
894decision, instead of a knee-jerk reaction.
895
896Longer-term, we should look at supporting both various named curves and
897external files generated with "openssl ecparam", much as we do for init_dh().
898We should also support "none" as a value, to explicitly avoid initialisation.
899
900Patches welcome.
901
902Arguments:
903 sctx The current SSL CTX (inbound or outbound)
904 host connected host, if client; NULL if server
cf0c6164 905 errstr error string pointer
038597d2
PP
906
907Returns: TRUE if OK (nothing to set up, or setup worked)
908*/
909
910static BOOL
cf0c6164 911init_ecdh(SSL_CTX * sctx, host_item * host, uschar ** errstr)
038597d2 912{
63f0dbe0
JH
913#ifdef OPENSSL_NO_ECDH
914return TRUE;
915#else
916
10ca4f1c
JH
917EC_KEY * ecdh;
918uschar * exp_curve;
919int nid;
920BOOL rv;
921
038597d2
PP
922if (host) /* No ECDH setup for clients, only for servers */
923 return TRUE;
924
10ca4f1c 925# ifndef EXIM_HAVE_ECDH
038597d2
PP
926DEBUG(D_tls)
927 debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
928return TRUE;
038597d2 929# else
10ca4f1c 930
cf0c6164 931if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr))
10ca4f1c
JH
932 return FALSE;
933if (!exp_curve || !*exp_curve)
934 return TRUE;
935
8e53a4fc 936/* "auto" needs to be handled carefully.
4c04137d 937 * OpenSSL < 1.0.2: we do not select anything, but fallback to prime256v1
8e53a4fc 938 * OpenSSL < 1.1.0: we have to call SSL_CTX_set_ecdh_auto
4c04137d 939 * (openssl/ssl.h defines SSL_CTRL_SET_ECDH_AUTO)
8e53a4fc
HSHR
940 * OpenSSL >= 1.1.0: we do not set anything, the libray does autoselection
941 * https://github.com/openssl/openssl/commit/fe6ef2472db933f01b59cad82aa925736935984b
942 */
10ca4f1c 943if (Ustrcmp(exp_curve, "auto") == 0)
038597d2 944 {
8e53a4fc 945#if OPENSSL_VERSION_NUMBER < 0x10002000L
10ca4f1c 946 DEBUG(D_tls) debug_printf(
8e53a4fc 947 "ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n");
78a3bbd5 948 exp_curve = US"prime256v1";
8e53a4fc
HSHR
949#else
950# if defined SSL_CTRL_SET_ECDH_AUTO
951 DEBUG(D_tls) debug_printf(
952 "ECDH OpenSSL 1.0.2+ temp key parameter settings: autoselection\n");
10ca4f1c
JH
953 SSL_CTX_set_ecdh_auto(sctx, 1);
954 return TRUE;
8e53a4fc
HSHR
955# else
956 DEBUG(D_tls) debug_printf(
957 "ECDH OpenSSL 1.1.0+ temp key parameter settings: default selection\n");
958 return TRUE;
959# endif
960#endif
10ca4f1c 961 }
038597d2 962
10ca4f1c
JH
963DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve);
964if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef
965# ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
966 && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef
967# endif
968 )
969 {
cf0c6164
JH
970 tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve),
971 host, NULL, errstr);
10ca4f1c
JH
972 return FALSE;
973 }
038597d2 974
10ca4f1c
JH
975if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
976 {
cf0c6164 977 tls_error(US"Unable to create ec curve", host, NULL, errstr);
10ca4f1c 978 return FALSE;
038597d2 979 }
10ca4f1c
JH
980
981/* The "tmp" in the name here refers to setting a temporary key
982not to the stability of the interface. */
983
984if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
cf0c6164 985 tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL, errstr);
10ca4f1c
JH
986else
987 DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
988
989EC_KEY_free(ecdh);
990return !rv;
991
992# endif /*EXIM_HAVE_ECDH*/
993#endif /*OPENSSL_NO_ECDH*/
038597d2
PP
994}
995
996
997
998
f2de3a33 999#ifndef DISABLE_OCSP
3f7eeb86
PP
1000/*************************************************
1001* Load OCSP information into state *
1002*************************************************/
f5d78688 1003/* Called to load the server OCSP response from the given file into memory, once
3f7eeb86
PP
1004caller has determined this is needed. Checks validity. Debugs a message
1005if invalid.
1006
1007ASSUMES: single response, for single cert.
1008
1009Arguments:
1010 sctx the SSL_CTX* to update
1011 cbinfo various parts of session state
1012 expanded the filename putatively holding an OCSP response
1013
1014*/
1015
1016static void
f5d78688 1017ocsp_load_response(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo, const uschar *expanded)
3f7eeb86 1018{
ee5b1e28
JH
1019BIO * bio;
1020OCSP_RESPONSE * resp;
1021OCSP_BASICRESP * basic_response;
1022OCSP_SINGLERESP * single_response;
1023ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
ee5b1e28 1024STACK_OF(X509) * sk;
3f7eeb86
PP
1025unsigned long verify_flags;
1026int status, reason, i;
1027
f5d78688
JH
1028cbinfo->u_ocsp.server.file_expanded = string_copy(expanded);
1029if (cbinfo->u_ocsp.server.response)
3f7eeb86 1030 {
f5d78688
JH
1031 OCSP_RESPONSE_free(cbinfo->u_ocsp.server.response);
1032 cbinfo->u_ocsp.server.response = NULL;
3f7eeb86
PP
1033 }
1034
ee5b1e28 1035if (!(bio = BIO_new_file(CS cbinfo->u_ocsp.server.file_expanded, "rb")))
3f7eeb86
PP
1036 {
1037 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
f5d78688 1038 cbinfo->u_ocsp.server.file_expanded);
3f7eeb86
PP
1039 return;
1040 }
1041
1042resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
1043BIO_free(bio);
1044if (!resp)
1045 {
1046 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
1047 return;
1048 }
1049
ee5b1e28 1050if ((status = OCSP_response_status(resp)) != OCSP_RESPONSE_STATUS_SUCCESSFUL)
3f7eeb86
PP
1051 {
1052 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
1053 OCSP_response_status_str(status), status);
f5d78688 1054 goto bad;
3f7eeb86
PP
1055 }
1056
ee5b1e28 1057if (!(basic_response = OCSP_response_get1_basic(resp)))
3f7eeb86
PP
1058 {
1059 DEBUG(D_tls)
1060 debug_printf("OCSP response parse error: unable to extract basic response.\n");
f5d78688 1061 goto bad;
3f7eeb86
PP
1062 }
1063
c3033f13 1064sk = cbinfo->verify_stack;
3f7eeb86
PP
1065verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
1066
1067/* May need to expose ability to adjust those flags?
1068OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
1069OCSP_TRUSTOTHER OCSP_NOINTERN */
1070
4c04137d 1071/* This does a full verify on the OCSP proof before we load it for serving
ee5b1e28
JH
1072up; possibly overkill - just date-checks might be nice enough.
1073
1074OCSP_basic_verify takes a "store" arg, but does not
1075use it for the chain verification, which is all we do
1076when OCSP_NOVERIFY is set. The content from the wire
1077"basic_response" and a cert-stack "sk" are all that is used.
1078
c3033f13
JH
1079We have a stack, loaded in setup_certs() if tls_verify_certificates
1080was a file (not a directory, or "system"). It is unfortunate we
1081cannot used the connection context store, as that would neatly
1082handle the "system" case too, but there seems to be no library
1083function for getting a stack from a store.
e3555426 1084[ In OpenSSL 1.1 - ? X509_STORE_CTX_get0_chain(ctx) ? ]
c3033f13
JH
1085We do not free the stack since it could be needed a second time for
1086SNI handling.
1087
4c04137d 1088Separately we might try to replace using OCSP_basic_verify() - which seems to not
5ec37a55 1089be a public interface into the OpenSSL library (there's no manual entry) -
ee5b1e28 1090But what with? We also use OCSP_basic_verify in the client stapling callback.
4c04137d 1091And there we NEED it; we must verify that status... unless the
ee5b1e28
JH
1092library does it for us anyway? */
1093
1094if ((i = OCSP_basic_verify(basic_response, sk, NULL, verify_flags)) < 0)
3f7eeb86 1095 {
ee5b1e28
JH
1096 DEBUG(D_tls)
1097 {
0abc5a13 1098 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3f7eeb86 1099 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
f5d78688
JH
1100 }
1101 goto bad;
3f7eeb86
PP
1102 }
1103
1104/* Here's the simplifying assumption: there's only one response, for the
1105one certificate we use, and nothing for anything else in a chain. If this
1106proves false, we need to extract a cert id from our issued cert
1107(tls_certificate) and use that for OCSP_resp_find_status() (which finds the
1108right cert in the stack and then calls OCSP_single_get0_status()).
1109
1110I'm hoping to avoid reworking a bunch more of how we handle state here. */
ee5b1e28
JH
1111
1112if (!(single_response = OCSP_resp_get0(basic_response, 0)))
3f7eeb86
PP
1113 {
1114 DEBUG(D_tls)
1115 debug_printf("Unable to get first response from OCSP basic response.\n");
f5d78688 1116 goto bad;
3f7eeb86
PP
1117 }
1118
1119status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
f5d78688 1120if (status != V_OCSP_CERTSTATUS_GOOD)
3f7eeb86 1121 {
f5d78688
JH
1122 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
1123 OCSP_cert_status_str(status), status,
1124 OCSP_crl_reason_str(reason), reason);
1125 goto bad;
3f7eeb86
PP
1126 }
1127
1128if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1129 {
1130 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
f5d78688 1131 goto bad;
3f7eeb86
PP
1132 }
1133
f5d78688 1134supply_response:
47195144 1135 cbinfo->u_ocsp.server.response = resp; /*XXX stack?*/
f5d78688
JH
1136return;
1137
1138bad:
8768d548 1139 if (f.running_in_test_harness)
018058b2
JH
1140 {
1141 extern char ** environ;
1142 uschar ** p;
47195144 1143 if (environ) for (p = USS environ; *p; p++)
018058b2
JH
1144 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
1145 {
1146 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
1147 goto supply_response;
1148 }
1149 }
f5d78688 1150return;
3f7eeb86 1151}
f2de3a33 1152#endif /*!DISABLE_OCSP*/
3f7eeb86
PP
1153
1154
1155
1156
23bb6982
JH
1157/* Create and install a selfsigned certificate, for use in server mode */
1158
1159static int
cf0c6164 1160tls_install_selfsign(SSL_CTX * sctx, uschar ** errstr)
23bb6982
JH
1161{
1162X509 * x509 = NULL;
1163EVP_PKEY * pkey;
1164RSA * rsa;
1165X509_NAME * name;
1166uschar * where;
1167
1168where = US"allocating pkey";
1169if (!(pkey = EVP_PKEY_new()))
1170 goto err;
1171
1172where = US"allocating cert";
1173if (!(x509 = X509_new()))
1174 goto err;
1175
1176where = US"generating pkey";
6aac3239 1177if (!(rsa = rsa_callback(NULL, 0, 2048)))
23bb6982
JH
1178 goto err;
1179
4c04137d 1180where = US"assigning pkey";
23bb6982
JH
1181if (!EVP_PKEY_assign_RSA(pkey, rsa))
1182 goto err;
1183
1184X509_set_version(x509, 2); /* N+1 - version 3 */
1613fd68 1185ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
23bb6982
JH
1186X509_gmtime_adj(X509_get_notBefore(x509), 0);
1187X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60); /* 1 hour */
1188X509_set_pubkey(x509, pkey);
1189
1190name = X509_get_subject_name(x509);
1191X509_NAME_add_entry_by_txt(name, "C",
4dc2379a 1192 MBSTRING_ASC, CUS "UK", -1, -1, 0);
23bb6982 1193X509_NAME_add_entry_by_txt(name, "O",
4dc2379a 1194 MBSTRING_ASC, CUS "Exim Developers", -1, -1, 0);
23bb6982 1195X509_NAME_add_entry_by_txt(name, "CN",
4dc2379a 1196 MBSTRING_ASC, CUS smtp_active_hostname, -1, -1, 0);
23bb6982
JH
1197X509_set_issuer_name(x509, name);
1198
1199where = US"signing cert";
1200if (!X509_sign(x509, pkey, EVP_md5()))
1201 goto err;
1202
1203where = US"installing selfsign cert";
1204if (!SSL_CTX_use_certificate(sctx, x509))
1205 goto err;
1206
1207where = US"installing selfsign key";
1208if (!SSL_CTX_use_PrivateKey(sctx, pkey))
1209 goto err;
1210
1211return OK;
1212
1213err:
cf0c6164 1214 (void) tls_error(where, NULL, NULL, errstr);
23bb6982
JH
1215 if (x509) X509_free(x509);
1216 if (pkey) EVP_PKEY_free(pkey);
1217 return DEFER;
1218}
1219
1220
1221
1222
ba86e143
JH
1223static int
1224tls_add_certfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1225 uschar ** errstr)
1226{
1227DEBUG(D_tls) debug_printf("tls_certificate file %s\n", file);
1228if (!SSL_CTX_use_certificate_chain_file(sctx, CS file))
1229 return tls_error(string_sprintf(
1230 "SSL_CTX_use_certificate_chain_file file=%s", file),
1231 cbinfo->host, NULL, errstr);
1232return 0;
1233}
1234
1235static int
1236tls_add_pkeyfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1237 uschar ** errstr)
1238{
1239DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", file);
1240if (!SSL_CTX_use_PrivateKey_file(sctx, CS file, SSL_FILETYPE_PEM))
1241 return tls_error(string_sprintf(
1242 "SSL_CTX_use_PrivateKey_file file=%s", file), cbinfo->host, NULL, errstr);
1243return 0;
1244}
1245
1246
059ec3d9 1247/*************************************************
7be682ca
PP
1248* Expand key and cert file specs *
1249*************************************************/
1250
f5d78688 1251/* Called once during tls_init and possibly again during TLS setup, for a
7be682ca
PP
1252new context, if Server Name Indication was used and tls_sni was seen in
1253the certificate string.
1254
1255Arguments:
1256 sctx the SSL_CTX* to update
1257 cbinfo various parts of session state
cf0c6164 1258 errstr error string pointer
7be682ca
PP
1259
1260Returns: OK/DEFER/FAIL
1261*/
1262
1263static int
cf0c6164
JH
1264tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo,
1265 uschar ** errstr)
7be682ca
PP
1266{
1267uschar *expanded;
1268
23bb6982 1269if (!cbinfo->certificate)
7be682ca 1270 {
ba86e143 1271 if (!cbinfo->is_server) /* client */
23bb6982 1272 return OK;
afdb5e9c 1273 /* server */
cf0c6164 1274 if (tls_install_selfsign(sctx, errstr) != OK)
23bb6982 1275 return DEFER;
7be682ca 1276 }
23bb6982
JH
1277else
1278 {
ba86e143
JH
1279 int err;
1280
23bb6982
JH
1281 if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
1282 Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
1283 Ustrstr(cbinfo->certificate, US"tls_out_sni")
1284 )
1285 reexpand_tls_files_for_sni = TRUE;
7be682ca 1286
cf0c6164 1287 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded, errstr))
23bb6982
JH
1288 return DEFER;
1289
ba86e143
JH
1290 if (expanded)
1291 if (cbinfo->is_server)
1292 {
1293 const uschar * file_list = expanded;
1294 int sep = 0;
1295 uschar * file;
1296
1297 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1298 if ((err = tls_add_certfile(sctx, cbinfo, file, errstr)))
1299 return err;
1300 }
1301 else /* would there ever be a need for multiple client certs? */
1302 if ((err = tls_add_certfile(sctx, cbinfo, expanded, errstr)))
1303 return err;
7be682ca 1304
23bb6982 1305 if (cbinfo->privatekey != NULL &&
cf0c6164 1306 !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded, errstr))
23bb6982 1307 return DEFER;
7be682ca 1308
23bb6982
JH
1309 /* If expansion was forced to fail, key_expanded will be NULL. If the result
1310 of the expansion is an empty string, ignore it also, and assume the private
1311 key is in the same file as the certificate. */
1312
1313 if (expanded && *expanded)
ba86e143
JH
1314 if (cbinfo->is_server)
1315 {
1316 const uschar * file_list = expanded;
1317 int sep = 0;
1318 uschar * file;
1319
1320 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1321 if ((err = tls_add_pkeyfile(sctx, cbinfo, file, errstr)))
1322 return err;
1323 }
1324 else /* would there ever be a need for multiple client certs? */
1325 if ((err = tls_add_pkeyfile(sctx, cbinfo, expanded, errstr)))
1326 return err;
7be682ca
PP
1327 }
1328
f2de3a33 1329#ifndef DISABLE_OCSP
f40d5be3 1330if (cbinfo->is_server && cbinfo->u_ocsp.server.file)
3f7eeb86 1331 {
47195144 1332 /*XXX stack*/
cf0c6164 1333 if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded, errstr))
3f7eeb86
PP
1334 return DEFER;
1335
f40d5be3 1336 if (expanded && *expanded)
3f7eeb86
PP
1337 {
1338 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
f40d5be3
JH
1339 if ( cbinfo->u_ocsp.server.file_expanded
1340 && (Ustrcmp(expanded, cbinfo->u_ocsp.server.file_expanded) == 0))
3f7eeb86 1341 {
f40d5be3
JH
1342 DEBUG(D_tls) debug_printf(" - value unchanged, using existing values\n");
1343 }
1344 else
f40d5be3 1345 ocsp_load_response(sctx, cbinfo, expanded);
3f7eeb86
PP
1346 }
1347 }
1348#endif
1349
7be682ca
PP
1350return OK;
1351}
1352
1353
1354
1355
1356/*************************************************
1357* Callback to handle SNI *
1358*************************************************/
1359
1360/* Called when acting as server during the TLS session setup if a Server Name
1361Indication extension was sent by the client.
1362
1363API documentation is OpenSSL s_server.c implementation.
1364
1365Arguments:
1366 s SSL* of the current session
1367 ad unknown (part of OpenSSL API) (unused)
1368 arg Callback of "our" registered data
1369
1370Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
1371*/
1372
3bcbbbe2 1373#ifdef EXIM_HAVE_OPENSSL_TLSEXT
7be682ca 1374static int
7be682ca
PP
1375tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
1376{
1377const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
3f7eeb86 1378tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
7be682ca 1379int rc;
3f0945ff 1380int old_pool = store_pool;
cf0c6164 1381uschar * dummy_errstr;
7be682ca
PP
1382
1383if (!servername)
1384 return SSL_TLSEXT_ERR_OK;
1385
3f0945ff 1386DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
7be682ca
PP
1387 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
1388
1389/* Make the extension value available for expansion */
3f0945ff 1390store_pool = POOL_PERM;
817d9f57 1391tls_in.sni = string_copy(US servername);
3f0945ff 1392store_pool = old_pool;
7be682ca
PP
1393
1394if (!reexpand_tls_files_for_sni)
1395 return SSL_TLSEXT_ERR_OK;
1396
1397/* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
1398not confident that memcpy wouldn't break some internal reference counting.
1399Especially since there's a references struct member, which would be off. */
1400
7a8b9519
JH
1401#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1402if (!(server_sni = SSL_CTX_new(TLS_server_method())))
1403#else
0df4ab80 1404if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
7a8b9519 1405#endif
7be682ca 1406 {
0abc5a13 1407 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
7be682ca
PP
1408 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
1409 return SSL_TLSEXT_ERR_NOACK;
1410 }
1411
1412/* Not sure how many of these are actually needed, since SSL object
1413already exists. Might even need this selfsame callback, for reneg? */
1414
817d9f57
JH
1415SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
1416SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
1417SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
1418SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
1419SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
1420SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
038597d2 1421
cf0c6164
JH
1422if ( !init_dh(server_sni, cbinfo->dhparam, NULL, &dummy_errstr)
1423 || !init_ecdh(server_sni, NULL, &dummy_errstr)
038597d2
PP
1424 )
1425 return SSL_TLSEXT_ERR_NOACK;
1426
ca954d7f
JH
1427if ( cbinfo->server_cipher_list
1428 && !SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list))
1429 return SSL_TLSEXT_ERR_NOACK;
1430
f2de3a33 1431#ifndef DISABLE_OCSP
f5d78688 1432if (cbinfo->u_ocsp.server.file)
3f7eeb86 1433 {
f5d78688 1434 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
14c7b357 1435 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
3f7eeb86
PP
1436 }
1437#endif
7be682ca 1438
c3033f13 1439if ((rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE,
cf0c6164 1440 verify_callback_server, &dummy_errstr)) != OK)
c3033f13 1441 return SSL_TLSEXT_ERR_NOACK;
7be682ca 1442
3f7eeb86
PP
1443/* do this after setup_certs, because this can require the certs for verifying
1444OCSP information. */
cf0c6164 1445if ((rc = tls_expand_session_files(server_sni, cbinfo, &dummy_errstr)) != OK)
0df4ab80 1446 return SSL_TLSEXT_ERR_NOACK;
a799883d 1447
7be682ca 1448DEBUG(D_tls) debug_printf("Switching SSL context.\n");
817d9f57 1449SSL_set_SSL_CTX(s, server_sni);
7be682ca
PP
1450
1451return SSL_TLSEXT_ERR_OK;
1452}
3bcbbbe2 1453#endif /* EXIM_HAVE_OPENSSL_TLSEXT */
7be682ca
PP
1454
1455
1456
1457
f2de3a33 1458#ifndef DISABLE_OCSP
f5d78688 1459
3f7eeb86
PP
1460/*************************************************
1461* Callback to handle OCSP Stapling *
1462*************************************************/
1463
1464/* Called when acting as server during the TLS session setup if the client
1465requests OCSP information with a Certificate Status Request.
1466
1467Documentation via openssl s_server.c and the Apache patch from the OpenSSL
1468project.
1469
1470*/
1471
1472static int
f5d78688 1473tls_server_stapling_cb(SSL *s, void *arg)
3f7eeb86
PP
1474{
1475const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
47195144 1476uschar *response_der; /*XXX blob */
3f7eeb86
PP
1477int response_der_len;
1478
47195144
JH
1479/*XXX stack: use SSL_get_certificate() to see which cert; from that work
1480out which ocsp blob to send. Unfortunately, SSL_get_certificate is known
1481buggy in current OpenSSL; it returns the last cert loaded always rather than
1482the one actually presented. So we can't support a stack of OCSP proofs at
1483this time. */
1484
af4a1bca 1485DEBUG(D_tls)
b3ef41c9 1486 debug_printf("Received TLS status request (OCSP stapling); %s response\n",
f5d78688
JH
1487 cbinfo->u_ocsp.server.response ? "have" : "lack");
1488
44662487 1489tls_in.ocsp = OCSP_NOT_RESP;
f5d78688 1490if (!cbinfo->u_ocsp.server.response)
3f7eeb86
PP
1491 return SSL_TLSEXT_ERR_NOACK;
1492
1493response_der = NULL;
47195144 1494response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response, /*XXX stack*/
44662487 1495 &response_der);
3f7eeb86
PP
1496if (response_der_len <= 0)
1497 return SSL_TLSEXT_ERR_NOACK;
1498
5e55c7a9 1499SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
44662487 1500tls_in.ocsp = OCSP_VFIED;
3f7eeb86
PP
1501return SSL_TLSEXT_ERR_OK;
1502}
1503
3f7eeb86 1504
f5d78688
JH
1505static void
1506time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
1507{
1508BIO_printf(bp, "\t%s: ", str);
1509ASN1_GENERALIZEDTIME_print(bp, time);
1510BIO_puts(bp, "\n");
1511}
1512
1513static int
1514tls_client_stapling_cb(SSL *s, void *arg)
1515{
1516tls_ext_ctx_cb * cbinfo = arg;
1517const unsigned char * p;
1518int len;
1519OCSP_RESPONSE * rsp;
1520OCSP_BASICRESP * bs;
1521int i;
1522
1523DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
1524len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1525if(!p)
1526 {
44662487 1527 /* Expect this when we requested ocsp but got none */
6c6d6e48 1528 if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
44662487 1529 log_write(0, LOG_MAIN, "Received TLS status callback, null content");
f5d78688
JH
1530 else
1531 DEBUG(D_tls) debug_printf(" null\n");
44662487 1532 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
f5d78688 1533 }
018058b2 1534
f5d78688
JH
1535if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
1536 {
018058b2 1537 tls_out.ocsp = OCSP_FAILED;
6c6d6e48 1538 if (LOGGING(tls_cipher))
1eca31ca 1539 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
f5d78688
JH
1540 else
1541 DEBUG(D_tls) debug_printf(" parse error\n");
1542 return 0;
1543 }
1544
1545if(!(bs = OCSP_response_get1_basic(rsp)))
1546 {
018058b2 1547 tls_out.ocsp = OCSP_FAILED;
6c6d6e48 1548 if (LOGGING(tls_cipher))
1eca31ca 1549 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
f5d78688
JH
1550 else
1551 DEBUG(D_tls) debug_printf(" error parsing response\n");
1552 OCSP_RESPONSE_free(rsp);
1553 return 0;
1554 }
1555
1556/* We'd check the nonce here if we'd put one in the request. */
1557/* However that would defeat cacheability on the server so we don't. */
1558
f5d78688
JH
1559/* This section of code reworked from OpenSSL apps source;
1560 The OpenSSL Project retains copyright:
1561 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
1562*/
1563 {
1564 BIO * bp = NULL;
f5d78688
JH
1565 int status, reason;
1566 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1567
57887ecc 1568 DEBUG(D_tls) bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
f5d78688
JH
1569
1570 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
1571
1572 /* Use the chain that verified the server cert to verify the stapled info */
1573 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
1574
c3033f13 1575 if ((i = OCSP_basic_verify(bs, cbinfo->verify_stack,
44662487 1576 cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
f5d78688 1577 {
018058b2 1578 tls_out.ocsp = OCSP_FAILED;
57887ecc
JH
1579 if (LOGGING(tls_cipher)) log_write(0, LOG_MAIN,
1580 "Received TLS cert status response, itself unverifiable: %s",
1581 ERR_reason_error_string(ERR_peek_error()));
f5d78688
JH
1582 BIO_printf(bp, "OCSP response verify failure\n");
1583 ERR_print_errors(bp);
57887ecc 1584 OCSP_RESPONSE_print(bp, rsp, 0);
c8dfb21d 1585 goto failed;
f5d78688
JH
1586 }
1587
1588 BIO_printf(bp, "OCSP response well-formed and signed OK\n");
1589
c8dfb21d
JH
1590 /*XXX So we have a good stapled OCSP status. How do we know
1591 it is for the cert of interest? OpenSSL 1.1.0 has a routine
1592 OCSP_resp_find_status() which matches on a cert id, which presumably
1593 we should use. Making an id needs OCSP_cert_id_new(), which takes
1594 issuerName, issuerKey, serialNumber. Are they all in the cert?
1595
1596 For now, carry on blindly accepting the resp. */
1597
f5d78688 1598 {
f5d78688
JH
1599 OCSP_SINGLERESP * single;
1600
c8dfb21d
JH
1601#ifdef EXIM_HAVE_OCSP_RESP_COUNT
1602 if (OCSP_resp_count(bs) != 1)
1603#else
1604 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
f5d78688 1605 if (sk_OCSP_SINGLERESP_num(sresp) != 1)
c8dfb21d 1606#endif
f5d78688 1607 {
018058b2 1608 tls_out.ocsp = OCSP_FAILED;
44662487
JH
1609 log_write(0, LOG_MAIN, "OCSP stapling "
1610 "with multiple responses not handled");
c8dfb21d 1611 goto failed;
f5d78688
JH
1612 }
1613 single = OCSP_resp_get0(bs, 0);
44662487
JH
1614 status = OCSP_single_get0_status(single, &reason, &rev,
1615 &thisupd, &nextupd);
f5d78688
JH
1616 }
1617
f5d78688
JH
1618 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
1619 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
44662487
JH
1620 if (!OCSP_check_validity(thisupd, nextupd,
1621 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
f5d78688 1622 {
018058b2 1623 tls_out.ocsp = OCSP_FAILED;
f5d78688
JH
1624 DEBUG(D_tls) ERR_print_errors(bp);
1625 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
f5d78688 1626 }
44662487 1627 else
f5d78688 1628 {
44662487
JH
1629 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
1630 OCSP_cert_status_str(status));
1631 switch(status)
1632 {
1633 case V_OCSP_CERTSTATUS_GOOD:
44662487 1634 tls_out.ocsp = OCSP_VFIED;
018058b2 1635 i = 1;
c8dfb21d 1636 goto good;
44662487 1637 case V_OCSP_CERTSTATUS_REVOKED:
018058b2 1638 tls_out.ocsp = OCSP_FAILED;
44662487
JH
1639 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
1640 reason != -1 ? "; reason: " : "",
1641 reason != -1 ? OCSP_crl_reason_str(reason) : "");
1642 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
44662487
JH
1643 break;
1644 default:
018058b2 1645 tls_out.ocsp = OCSP_FAILED;
44662487
JH
1646 log_write(0, LOG_MAIN,
1647 "Server certificate status unknown, in OCSP stapling");
44662487
JH
1648 break;
1649 }
f5d78688 1650 }
c8dfb21d
JH
1651 failed:
1652 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1653 good:
f5d78688
JH
1654 BIO_free(bp);
1655 }
1656
1657OCSP_RESPONSE_free(rsp);
1658return i;
1659}
f2de3a33 1660#endif /*!DISABLE_OCSP*/
3f7eeb86
PP
1661
1662
7be682ca 1663/*************************************************
059ec3d9
PH
1664* Initialize for TLS *
1665*************************************************/
1666
e51c7be2
JH
1667/* Called from both server and client code, to do preliminary initialization
1668of the library. We allocate and return a context structure.
059ec3d9
PH
1669
1670Arguments:
946ecbe0 1671 ctxp returned SSL context
059ec3d9
PH
1672 host connected host, if client; NULL if server
1673 dhparam DH parameter file
1674 certificate certificate file
1675 privatekey private key
f5d78688 1676 ocsp_file file of stapling info (server); flag for require ocsp (client)
059ec3d9 1677 addr address if client; NULL if server (for some randomness)
946ecbe0 1678 cbp place to put allocated callback context
cf0c6164 1679 errstr error string pointer
059ec3d9
PH
1680
1681Returns: OK/DEFER/FAIL
1682*/
1683
1684static int
817d9f57 1685tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
3f7eeb86 1686 uschar *privatekey,
f2de3a33 1687#ifndef DISABLE_OCSP
47195144 1688 uschar *ocsp_file, /*XXX stack, in server*/
3f7eeb86 1689#endif
cf0c6164 1690 address_item *addr, tls_ext_ctx_cb ** cbp, uschar ** errstr)
059ec3d9 1691{
7006ee24 1692SSL_CTX * ctx;
77bb000f 1693long init_options;
7be682ca 1694int rc;
a7538db1 1695tls_ext_ctx_cb * cbinfo;
7be682ca
PP
1696
1697cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
1698cbinfo->certificate = certificate;
1699cbinfo->privatekey = privatekey;
a6510420 1700cbinfo->is_server = host==NULL;
f2de3a33 1701#ifndef DISABLE_OCSP
c3033f13 1702cbinfo->verify_stack = NULL;
a6510420 1703if (!host)
f5d78688
JH
1704 {
1705 cbinfo->u_ocsp.server.file = ocsp_file;
1706 cbinfo->u_ocsp.server.file_expanded = NULL;
1707 cbinfo->u_ocsp.server.response = NULL;
1708 }
1709else
1710 cbinfo->u_ocsp.client.verify_store = NULL;
3f7eeb86 1711#endif
7be682ca 1712cbinfo->dhparam = dhparam;
0df4ab80 1713cbinfo->server_cipher_list = NULL;
7be682ca 1714cbinfo->host = host;
0cbf2b82 1715#ifndef DISABLE_EVENT
a7538db1
JH
1716cbinfo->event_action = NULL;
1717#endif
77bb000f 1718
7434882d 1719#ifdef EXIM_NEED_OPENSSL_INIT
059ec3d9
PH
1720SSL_load_error_strings(); /* basic set up */
1721OpenSSL_add_ssl_algorithms();
7434882d 1722#endif
059ec3d9 1723
c8dfb21d 1724#ifdef EXIM_HAVE_SHA256
77bb000f 1725/* SHA256 is becoming ever more popular. This makes sure it gets added to the
a0475b69
TK
1726list of available digests. */
1727EVP_add_digest(EVP_sha256());
cf1ef1a9 1728#endif
a0475b69 1729
f0f5a555
PP
1730/* Create a context.
1731The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
1732negotiation in the different methods; as far as I can tell, the only
1733*_{server,client}_method which allows negotiation is SSLv23, which exists even
1734when OpenSSL is built without SSLv2 support.
1735By disabling with openssl_options, we can let admins re-enable with the
1736existing knob. */
059ec3d9 1737
7a8b9519
JH
1738#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1739if (!(ctx = SSL_CTX_new(host ? TLS_client_method() : TLS_server_method())))
1740#else
7006ee24 1741if (!(ctx = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method())))
7a8b9519 1742#endif
7006ee24 1743 return tls_error(US"SSL_CTX_new", host, NULL, errstr);
059ec3d9
PH
1744
1745/* It turns out that we need to seed the random number generator this early in
1746order to get the full complement of ciphers to work. It took me roughly a day
1747of work to discover this by experiment.
1748
1749On systems that have /dev/urandom, SSL may automatically seed itself from
1750there. Otherwise, we have to make something up as best we can. Double check
1751afterwards. */
1752
1753if (!RAND_status())
1754 {
1755 randstuff r;
9e3331ea 1756 gettimeofday(&r.tv, NULL);
059ec3d9
PH
1757 r.p = getpid();
1758
5903c6ff
JH
1759 RAND_seed(US (&r), sizeof(r));
1760 RAND_seed(US big_buffer, big_buffer_size);
1761 if (addr != NULL) RAND_seed(US addr, sizeof(addr));
059ec3d9
PH
1762
1763 if (!RAND_status())
7199e1ee 1764 return tls_error(US"RAND_status", host,
cf0c6164 1765 US"unable to seed random number generator", errstr);
059ec3d9
PH
1766 }
1767
1768/* Set up the information callback, which outputs if debugging is at a suitable
1769level. */
1770
7006ee24 1771DEBUG(D_tls) SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
059ec3d9 1772
c80c5570 1773/* Automatically re-try reads/writes after renegotiation. */
7006ee24 1774(void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
c80c5570 1775
77bb000f
PP
1776/* Apply administrator-supplied work-arounds.
1777Historically we applied just one requested option,
1778SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
1779moved to an administrator-controlled list of options to specify and
1780grandfathered in the first one as the default value for "openssl_options".
059ec3d9 1781
77bb000f
PP
1782No OpenSSL version number checks: the options we accept depend upon the
1783availability of the option value macros from OpenSSL. */
059ec3d9 1784
7006ee24 1785if (!tls_openssl_options_parse(openssl_options, &init_options))
cf0c6164 1786 return tls_error(US"openssl_options parsing failed", host, NULL, errstr);
77bb000f
PP
1787
1788if (init_options)
1789 {
1790 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
7006ee24 1791 if (!(SSL_CTX_set_options(ctx, init_options)))
77bb000f 1792 return tls_error(string_sprintf(
cf0c6164 1793 "SSL_CTX_set_option(%#lx)", init_options), host, NULL, errstr);
77bb000f
PP
1794 }
1795else
1796 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
059ec3d9 1797
a28050f8
JH
1798/* We'd like to disable session cache unconditionally, but foolish Outlook
1799Express clients then give up the first TLS connection and make a second one
1800(which works). Only when there is an IMAP service on the same machine.
1801Presumably OE is trying to use the cache for A on B. Leave it enabled for
1802now, until we work out a decent way of presenting control to the config. It
1803will never be used because we use a new context every time. */
1804#ifdef notdef
7006ee24 1805(void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
a28050f8 1806#endif
7006ee24 1807
059ec3d9 1808/* Initialize with DH parameters if supplied */
10ca4f1c 1809/* Initialize ECDH temp key parameter selection */
059ec3d9 1810
7006ee24
JH
1811if ( !init_dh(ctx, dhparam, host, errstr)
1812 || !init_ecdh(ctx, host, errstr)
038597d2
PP
1813 )
1814 return DEFER;
059ec3d9 1815
3f7eeb86 1816/* Set up certificate and key (and perhaps OCSP info) */
059ec3d9 1817
7006ee24 1818if ((rc = tls_expand_session_files(ctx, cbinfo, errstr)) != OK)
23bb6982 1819 return rc;
c91535f3 1820
c3033f13
JH
1821/* If we need to handle SNI or OCSP, do so */
1822
3bcbbbe2 1823#ifdef EXIM_HAVE_OPENSSL_TLSEXT
c3033f13
JH
1824# ifndef DISABLE_OCSP
1825 if (!(cbinfo->verify_stack = sk_X509_new_null()))
1826 {
1827 DEBUG(D_tls) debug_printf("failed to create stack for stapling verify\n");
1828 return FAIL;
1829 }
1830# endif
1831
7a8b9519 1832if (!host) /* server */
3f0945ff 1833 {
f2de3a33 1834# ifndef DISABLE_OCSP
f5d78688 1835 /* We check u_ocsp.server.file, not server.response, because we care about if
3f7eeb86
PP
1836 the option exists, not what the current expansion might be, as SNI might
1837 change the certificate and OCSP file in use between now and the time the
1838 callback is invoked. */
f5d78688 1839 if (cbinfo->u_ocsp.server.file)
3f7eeb86 1840 {
7006ee24
JH
1841 SSL_CTX_set_tlsext_status_cb(ctx, tls_server_stapling_cb);
1842 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
3f7eeb86 1843 }
f5d78688 1844# endif
3f0945ff
PP
1845 /* We always do this, so that $tls_sni is available even if not used in
1846 tls_certificate */
7006ee24
JH
1847 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
1848 SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
3f0945ff 1849 }
f2de3a33 1850# ifndef DISABLE_OCSP
f5d78688
JH
1851else /* client */
1852 if(ocsp_file) /* wanting stapling */
1853 {
1854 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
1855 {
1856 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
1857 return FAIL;
1858 }
7006ee24
JH
1859 SSL_CTX_set_tlsext_status_cb(ctx, tls_client_stapling_cb);
1860 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
f5d78688
JH
1861 }
1862# endif
7be682ca 1863#endif
059ec3d9 1864
e51c7be2 1865cbinfo->verify_cert_hostnames = NULL;
e51c7be2 1866
c8dfb21d 1867#ifdef EXIM_HAVE_EPHEM_RSA_KEX
059ec3d9 1868/* Set up the RSA callback */
7006ee24 1869SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
c8dfb21d 1870#endif
059ec3d9
PH
1871
1872/* Finally, set the timeout, and we are done */
1873
7006ee24 1874SSL_CTX_set_timeout(ctx, ssl_session_timeout);
059ec3d9 1875DEBUG(D_tls) debug_printf("Initialized TLS\n");
7be682ca 1876
817d9f57 1877*cbp = cbinfo;
7006ee24 1878*ctxp = ctx;
7be682ca 1879
059ec3d9
PH
1880return OK;
1881}
1882
1883
1884
1885
1886/*************************************************
1887* Get name of cipher in use *
1888*************************************************/
1889
817d9f57 1890/*
059ec3d9 1891Argument: pointer to an SSL structure for the connection
817d9f57
JH
1892 buffer to use for answer
1893 size of buffer
1894 pointer to number of bits for cipher
059ec3d9
PH
1895Returns: nothing
1896*/
1897
1898static void
817d9f57 1899construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits)
059ec3d9 1900{
7a8b9519 1901/* With OpenSSL 1.0.0a, 'c' needs to be const but the documentation doesn't
57b3a7f5
PP
1902yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
1903the accessor functions use const in the prototype. */
059ec3d9 1904
7a8b9519
JH
1905const uschar * ver = CUS SSL_get_version(ssl);
1906const SSL_CIPHER * c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
059ec3d9 1907
817d9f57 1908SSL_CIPHER_get_bits(c, bits);
059ec3d9 1909
817d9f57
JH
1910string_format(cipherbuf, bsize, "%s:%s:%u", ver,
1911 SSL_CIPHER_get_name(c), *bits);
059ec3d9
PH
1912
1913DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
1914}
1915
1916
f69979cf 1917static void
70e384dd 1918peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned siz)
f69979cf
JH
1919{
1920/*XXX we might consider a list-of-certs variable for the cert chain.
1921SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
1922in list-handling functions, also consider the difference between the entire
1923chain and the elements sent by the peer. */
1924
70e384dd
JH
1925tlsp->peerdn = NULL;
1926
f69979cf
JH
1927/* Will have already noted peercert on a verify fail; possibly not the leaf */
1928if (!tlsp->peercert)
1929 tlsp->peercert = SSL_get_peer_certificate(ssl);
1930/* Beware anonymous ciphers which lead to server_cert being NULL */
1931if (tlsp->peercert)
70e384dd
JH
1932 if (!X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, siz))
1933 { DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n"); }
1934 else
1935 {
1936 peerdn[siz-1] = '\0';
1937 tlsp->peerdn = peerdn; /*XXX a static buffer... */
1938 }
f69979cf
JH
1939}
1940
1941
059ec3d9
PH
1942
1943
1944
1945/*************************************************
1946* Set up for verifying certificates *
1947*************************************************/
1948
0e8aed8a 1949#ifndef DISABLE_OCSP
c3033f13
JH
1950/* Load certs from file, return TRUE on success */
1951
1952static BOOL
1953chain_from_pem_file(const uschar * file, STACK_OF(X509) * verify_stack)
1954{
1955BIO * bp;
1956X509 * x;
1957
dec766a1
WB
1958while (sk_X509_num(verify_stack) > 0)
1959 X509_free(sk_X509_pop(verify_stack));
1960
c3033f13
JH
1961if (!(bp = BIO_new_file(CS file, "r"))) return FALSE;
1962while ((x = PEM_read_bio_X509(bp, NULL, 0, NULL)))
1963 sk_X509_push(verify_stack, x);
1964BIO_free(bp);
1965return TRUE;
1966}
0e8aed8a 1967#endif
c3033f13
JH
1968
1969
1970
dec766a1
WB
1971/* Called by both client and server startup; on the server possibly
1972repeated after a Server Name Indication.
059ec3d9
PH
1973
1974Arguments:
7be682ca 1975 sctx SSL_CTX* to initialise
059ec3d9
PH
1976 certs certs file or NULL
1977 crl CRL file or NULL
1978 host NULL in a server; the remote host in a client
1979 optional TRUE if called from a server for a host in tls_try_verify_hosts;
1980 otherwise passed as FALSE
983207c1 1981 cert_vfy_cb Callback function for certificate verification
cf0c6164 1982 errstr error string pointer
059ec3d9
PH
1983
1984Returns: OK/DEFER/FAIL
1985*/
1986
1987static int
983207c1 1988setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
cf0c6164 1989 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr)
059ec3d9
PH
1990{
1991uschar *expcerts, *expcrl;
1992
cf0c6164 1993if (!expand_check(certs, US"tls_verify_certificates", &expcerts, errstr))
059ec3d9 1994 return DEFER;
57cc2785 1995DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
059ec3d9 1996
10a831a3 1997if (expcerts && *expcerts)
059ec3d9 1998 {
10a831a3
JH
1999 /* Tell the library to use its compiled-in location for the system default
2000 CA bundle. Then add the ones specified in the config, if any. */
cb1d7830 2001
10a831a3 2002 if (!SSL_CTX_set_default_verify_paths(sctx))
cf0c6164 2003 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL, errstr);
10a831a3
JH
2004
2005 if (Ustrcmp(expcerts, "system") != 0)
059ec3d9 2006 {
cb1d7830
JH
2007 struct stat statbuf;
2008
cb1d7830
JH
2009 if (Ustat(expcerts, &statbuf) < 0)
2010 {
2011 log_write(0, LOG_MAIN|LOG_PANIC,
2012 "failed to stat %s for certificates", expcerts);
2013 return DEFER;
2014 }
059ec3d9 2015 else
059ec3d9 2016 {
cb1d7830
JH
2017 uschar *file, *dir;
2018 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
2019 { file = NULL; dir = expcerts; }
2020 else
c3033f13
JH
2021 {
2022 file = expcerts; dir = NULL;
2023#ifndef DISABLE_OCSP
2024 /* In the server if we will be offering an OCSP proof, load chain from
2025 file for verifying the OCSP proof at load time. */
2026
2027 if ( !host
2028 && statbuf.st_size > 0
2029 && server_static_cbinfo->u_ocsp.server.file
2030 && !chain_from_pem_file(file, server_static_cbinfo->verify_stack)
2031 )
2032 {
2033 log_write(0, LOG_MAIN|LOG_PANIC,
57887ecc 2034 "failed to load cert chain from %s", file);
c3033f13
JH
2035 return DEFER;
2036 }
2037#endif
2038 }
cb1d7830
JH
2039
2040 /* If a certificate file is empty, the next function fails with an
2041 unhelpful error message. If we skip it, we get the correct behaviour (no
2042 certificates are recognized, but the error message is still misleading (it
c3033f13 2043 says no certificate was supplied). But this is better. */
cb1d7830 2044
f2f2c91b
JH
2045 if ( (!file || statbuf.st_size > 0)
2046 && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
cf0c6164 2047 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL, errstr);
cb1d7830
JH
2048
2049 /* Load the list of CAs for which we will accept certs, for sending
2050 to the client. This is only for the one-file tls_verify_certificates
2051 variant.
2052 If a list isn't loaded into the server, but
2053 some verify locations are set, the server end appears to make
4c04137d 2054 a wildcard request for client certs.
10a831a3 2055 Meanwhile, the client library as default behaviour *ignores* the list
cb1d7830
JH
2056 we send over the wire - see man SSL_CTX_set_client_cert_cb.
2057 Because of this, and that the dir variant is likely only used for
2058 the public-CA bundle (not for a private CA), not worth fixing.
2059 */
f2f2c91b 2060 if (file)
cb1d7830 2061 {
2009ecca 2062 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
dec766a1
WB
2063
2064 SSL_CTX_set_client_CA_list(sctx, names);
f2f2c91b 2065 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
cb1d7830 2066 sk_X509_NAME_num(names));
cb1d7830 2067 }
059ec3d9
PH
2068 }
2069 }
2070
2071 /* Handle a certificate revocation list. */
2072
10a831a3 2073#if OPENSSL_VERSION_NUMBER > 0x00907000L
059ec3d9 2074
8b417f2c 2075 /* This bit of code is now the version supplied by Lars Mainka. (I have
10a831a3 2076 merely reformatted it into the Exim code style.)
8b417f2c 2077
10a831a3
JH
2078 "From here I changed the code to add support for multiple crl's
2079 in pem format in one file or to support hashed directory entries in
2080 pem format instead of a file. This method now uses the library function
2081 X509_STORE_load_locations to add the CRL location to the SSL context.
2082 OpenSSL will then handle the verify against CA certs and CRLs by
2083 itself in the verify callback." */
8b417f2c 2084
cf0c6164 2085 if (!expand_check(crl, US"tls_crl", &expcrl, errstr)) return DEFER;
10a831a3 2086 if (expcrl && *expcrl)
059ec3d9 2087 {
8b417f2c
PH
2088 struct stat statbufcrl;
2089 if (Ustat(expcrl, &statbufcrl) < 0)
2090 {
2091 log_write(0, LOG_MAIN|LOG_PANIC,
2092 "failed to stat %s for certificates revocation lists", expcrl);
2093 return DEFER;
2094 }
2095 else
059ec3d9 2096 {
8b417f2c
PH
2097 /* is it a file or directory? */
2098 uschar *file, *dir;
7be682ca 2099 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
8b417f2c 2100 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
059ec3d9 2101 {
8b417f2c
PH
2102 file = NULL;
2103 dir = expcrl;
2104 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
059ec3d9
PH
2105 }
2106 else
2107 {
8b417f2c
PH
2108 file = expcrl;
2109 dir = NULL;
2110 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
059ec3d9 2111 }
8b417f2c 2112 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
cf0c6164 2113 return tls_error(US"X509_STORE_load_locations", host, NULL, errstr);
8b417f2c
PH
2114
2115 /* setting the flags to check against the complete crl chain */
2116
2117 X509_STORE_set_flags(cvstore,
2118 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
059ec3d9 2119 }
059ec3d9
PH
2120 }
2121
10a831a3 2122#endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
059ec3d9
PH
2123
2124 /* If verification is optional, don't fail if no certificate */
2125
7be682ca 2126 SSL_CTX_set_verify(sctx,
059ec3d9 2127 SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
983207c1 2128 cert_vfy_cb);
059ec3d9
PH
2129 }
2130
2131return OK;
2132}
2133
2134
2135
2136/*************************************************
2137* Start a TLS session in a server *
2138*************************************************/
2139
2140/* This is called when Exim is running as a server, after having received
2141the STARTTLS command. It must respond to that command, and then negotiate
2142a TLS session.
2143
2144Arguments:
2145 require_ciphers allowed ciphers
cf0c6164 2146 errstr pointer to error message
059ec3d9
PH
2147
2148Returns: OK on success
2149 DEFER for errors before the start of the negotiation
4c04137d 2150 FAIL for errors during the negotiation; the server can't
059ec3d9
PH
2151 continue running.
2152*/
2153
2154int
cf0c6164 2155tls_server_start(const uschar * require_ciphers, uschar ** errstr)
059ec3d9
PH
2156{
2157int rc;
cf0c6164
JH
2158uschar * expciphers;
2159tls_ext_ctx_cb * cbinfo;
f69979cf 2160static uschar peerdn[256];
817d9f57 2161static uschar cipherbuf[256];
059ec3d9
PH
2162
2163/* Check for previous activation */
2164
74f1a423 2165if (tls_in.active.sock >= 0)
059ec3d9 2166 {
cf0c6164 2167 tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
925ac8e4 2168 smtp_printf("554 Already in TLS\r\n", FALSE);
059ec3d9
PH
2169 return FAIL;
2170 }
2171
2172/* Initialize the SSL library. If it fails, it will already have logged
2173the error. */
2174
817d9f57 2175rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
f2de3a33 2176#ifndef DISABLE_OCSP
47195144 2177 tls_ocsp_file, /*XXX stack*/
3f7eeb86 2178#endif
cf0c6164 2179 NULL, &server_static_cbinfo, errstr);
059ec3d9 2180if (rc != OK) return rc;
817d9f57 2181cbinfo = server_static_cbinfo;
059ec3d9 2182
cf0c6164 2183if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers, errstr))
059ec3d9
PH
2184 return FAIL;
2185
2186/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
17c76198
PP
2187were historically separated by underscores. So that I can use either form in my
2188tests, and also for general convenience, we turn underscores into hyphens here.
0c3807a8
JH
2189
2190XXX SSL_CTX_set_cipher_list() is replaced by SSL_CTX_set_ciphersuites()
2191for TLS 1.3 . Since we do not call it at present we get the default list:
2192TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
17c76198 2193*/
059ec3d9 2194
c3033f13 2195if (expciphers)
059ec3d9 2196 {
c3033f13 2197 uschar * s = expciphers;
059ec3d9
PH
2198 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
2199 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
817d9f57 2200 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
cf0c6164 2201 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL, errstr);
7be682ca 2202 cbinfo->server_cipher_list = expciphers;
059ec3d9
PH
2203 }
2204
2205/* If this is a host for which certificate verification is mandatory or
2206optional, set up appropriately. */
2207
817d9f57 2208tls_in.certificate_verified = FALSE;
c0635b6d 2209#ifdef SUPPORT_DANE
53a7196b
JH
2210tls_in.dane_verified = FALSE;
2211#endif
a2ff477a 2212server_verify_callback_called = FALSE;
059ec3d9
PH
2213
2214if (verify_check_host(&tls_verify_hosts) == OK)
2215 {
983207c1 2216 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
afdb5e9c 2217 FALSE, verify_callback_server, errstr);
059ec3d9 2218 if (rc != OK) return rc;
a2ff477a 2219 server_verify_optional = FALSE;
059ec3d9
PH
2220 }
2221else if (verify_check_host(&tls_try_verify_hosts) == OK)
2222 {
983207c1 2223 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
afdb5e9c 2224 TRUE, verify_callback_server, errstr);
059ec3d9 2225 if (rc != OK) return rc;
a2ff477a 2226 server_verify_optional = TRUE;
059ec3d9
PH
2227 }
2228
2229/* Prepare for new connection */
2230
cf0c6164
JH
2231if (!(server_ssl = SSL_new(server_ctx)))
2232 return tls_error(US"SSL_new", NULL, NULL, errstr);
da3ad30d
PP
2233
2234/* Warning: we used to SSL_clear(ssl) here, it was removed.
2235 *
2236 * With the SSL_clear(), we get strange interoperability bugs with
2237 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
2238 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
2239 *
2240 * The SSL_clear() call is to let an existing SSL* be reused, typically after
2241 * session shutdown. In this case, we have a brand new object and there's no
2242 * obvious reason to immediately clear it. I'm guessing that this was
2243 * originally added because of incomplete initialisation which the clear fixed,
2244 * in some historic release.
2245 */
059ec3d9
PH
2246
2247/* Set context and tell client to go ahead, except in the case of TLS startup
2248on connection, where outputting anything now upsets the clients and tends to
2249make them disconnect. We need to have an explicit fflush() here, to force out
2250the response. Other smtp_printf() calls do not need it, because in non-TLS
2251mode, the fflush() happens when smtp_getc() is called. */
2252
817d9f57
JH
2253SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
2254if (!tls_in.on_connect)
059ec3d9 2255 {
925ac8e4 2256 smtp_printf("220 TLS go ahead\r\n", FALSE);
059ec3d9
PH
2257 fflush(smtp_out);
2258 }
2259
2260/* Now negotiate the TLS session. We put our own timer on it, since it seems
2261that the OpenSSL library doesn't. */
2262
817d9f57
JH
2263SSL_set_wfd(server_ssl, fileno(smtp_out));
2264SSL_set_rfd(server_ssl, fileno(smtp_in));
2265SSL_set_accept_state(server_ssl);
059ec3d9
PH
2266
2267DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
2268
2269sigalrm_seen = FALSE;
c2a1bba0 2270if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
817d9f57 2271rc = SSL_accept(server_ssl);
c2a1bba0 2272ALARM_CLR(0);
059ec3d9
PH
2273
2274if (rc <= 0)
2275 {
cf0c6164 2276 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
059ec3d9
PH
2277 return FAIL;
2278 }
2279
2280DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
2281
2282/* TLS has been set up. Adjust the input functions to read via TLS,
2283and initialize things. */
2284
f69979cf
JH
2285peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
2286
817d9f57
JH
2287construct_cipher_name(server_ssl, cipherbuf, sizeof(cipherbuf), &tls_in.bits);
2288tls_in.cipher = cipherbuf;
059ec3d9
PH
2289
2290DEBUG(D_tls)
2291 {
2292 uschar buf[2048];
817d9f57 2293 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)) != NULL)
059ec3d9
PH
2294 debug_printf("Shared ciphers: %s\n", buf);
2295 }
2296
9d1c15ef
JH
2297/* Record the certificate we presented */
2298 {
2299 X509 * crt = SSL_get_certificate(server_ssl);
2300 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
2301 }
059ec3d9 2302
817d9f57
JH
2303/* Only used by the server-side tls (tls_in), including tls_getc.
2304 Client-side (tls_out) reads (seem to?) go via
2305 smtp_read_response()/ip_recv().
2306 Hence no need to duplicate for _in and _out.
2307 */
b808677c 2308if (!ssl_xfer_buffer) ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
059ec3d9 2309ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
8b77d27a 2310ssl_xfer_eof = ssl_xfer_error = FALSE;
059ec3d9
PH
2311
2312receive_getc = tls_getc;
0d81dabc 2313receive_getbuf = tls_getbuf;
584e96c6 2314receive_get_cache = tls_get_cache;
059ec3d9
PH
2315receive_ungetc = tls_ungetc;
2316receive_feof = tls_feof;
2317receive_ferror = tls_ferror;
58eb016e 2318receive_smtp_buffered = tls_smtp_buffered;
059ec3d9 2319
74f1a423
JH
2320tls_in.active.sock = fileno(smtp_out);
2321tls_in.active.tls_ctx = NULL; /* not using explicit ctx for server-side */
059ec3d9
PH
2322return OK;
2323}
2324
2325
2326
2327
043b1248
JH
2328static int
2329tls_client_basic_ctx_init(SSL_CTX * ctx,
cf0c6164
JH
2330 host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo,
2331 uschar ** errstr)
043b1248
JH
2332{
2333int rc;
94431adb 2334/* stick to the old behaviour for compatibility if tls_verify_certificates is
043b1248
JH
2335 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
2336 the specified host patterns if one of them is defined */
2337
610ff438
JH
2338if ( ( !ob->tls_verify_hosts
2339 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2340 )
3c07dd2d 2341 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
aa2a70ba 2342 )
043b1248 2343 client_verify_optional = FALSE;
3c07dd2d 2344else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
aa2a70ba
JH
2345 client_verify_optional = TRUE;
2346else
2347 return OK;
2348
2349if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
cf0c6164
JH
2350 ob->tls_crl, host, client_verify_optional, verify_callback_client,
2351 errstr)) != OK)
aa2a70ba 2352 return rc;
043b1248 2353
3c07dd2d 2354if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
043b1248 2355 {
4af0d74a 2356 cbinfo->verify_cert_hostnames =
8c5d388a 2357#ifdef SUPPORT_I18N
4af0d74a
JH
2358 string_domain_utf8_to_alabel(host->name, NULL);
2359#else
2360 host->name;
2361#endif
aa2a70ba
JH
2362 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
2363 cbinfo->verify_cert_hostnames);
043b1248 2364 }
043b1248
JH
2365return OK;
2366}
059ec3d9 2367
fde080a4 2368
c0635b6d 2369#ifdef SUPPORT_DANE
fde080a4 2370static int
cf0c6164 2371dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa, uschar ** errstr)
fde080a4
JH
2372{
2373dns_record * rr;
2374dns_scan dnss;
2375const char * hostnames[2] = { CS host->name, NULL };
2376int found = 0;
2377
2378if (DANESSL_init(ssl, NULL, hostnames) != 1)
cf0c6164 2379 return tls_error(US"hostnames load", host, NULL, errstr);
fde080a4
JH
2380
2381for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
2382 rr;
2383 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
1b76ad22 2384 ) if (rr->type == T_TLSA && rr->size > 3)
fde080a4 2385 {
c3033f13 2386 const uschar * p = rr->data;
fde080a4
JH
2387 uint8_t usage, selector, mtype;
2388 const char * mdname;
2389
fde080a4 2390 usage = *p++;
133d2546
JH
2391
2392 /* Only DANE-TA(2) and DANE-EE(3) are supported */
2393 if (usage != 2 && usage != 3) continue;
2394
fde080a4
JH
2395 selector = *p++;
2396 mtype = *p++;
2397
2398 switch (mtype)
2399 {
133d2546
JH
2400 default: continue; /* Only match-types 0, 1, 2 are supported */
2401 case 0: mdname = NULL; break;
2402 case 1: mdname = "sha256"; break;
2403 case 2: mdname = "sha512"; break;
fde080a4
JH
2404 }
2405
133d2546 2406 found++;
fde080a4
JH
2407 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
2408 {
2409 default:
cf0c6164 2410 return tls_error(US"tlsa load", host, NULL, errstr);
c035b645 2411 case 0: /* action not taken */
fde080a4
JH
2412 case 1: break;
2413 }
594706ea
JH
2414
2415 tls_out.tlsa_usage |= 1<<usage;
fde080a4
JH
2416 }
2417
2418if (found)
2419 return OK;
2420
133d2546 2421log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
6ebd79ec 2422return DEFER;
fde080a4 2423}
c0635b6d 2424#endif /*SUPPORT_DANE*/
fde080a4
JH
2425
2426
2427
059ec3d9
PH
2428/*************************************************
2429* Start a TLS session in a client *
2430*************************************************/
2431
2432/* Called from the smtp transport after STARTTLS has been accepted.
2433
2434Argument:
2435 fd the fd of the connection
afdb5e9c
JH
2436 host connected host (for messages and option-tests)
2437 addr the first address (for some randomness; can be NULL)
a7538db1 2438 tb transport (always smtp)
0e66b3b6 2439 tlsa_dnsa tlsa lookup, if DANE, else null
afdb5e9c 2440 tlsp record details of channel configuration here; must be non-NULL
cf0c6164 2441 errstr error string pointer
059ec3d9 2442
74f1a423 2443Returns: Pointer to TLS session context, or NULL on error
059ec3d9
PH
2444*/
2445
74f1a423 2446void *
f5d78688 2447tls_client_start(int fd, host_item *host, address_item *addr,
cf0c6164 2448 transport_instance * tb,
c0635b6d 2449#ifdef SUPPORT_DANE
cf0c6164 2450 dns_answer * tlsa_dnsa,
0e66b3b6 2451#endif
74f1a423 2452 tls_support * tlsp, uschar ** errstr)
059ec3d9 2453{
afdb5e9c
JH
2454smtp_transport_options_block * ob = tb
2455 ? (smtp_transport_options_block *)tb->options_block
2456 : &smtp_transport_option_defaults;
74f1a423 2457exim_openssl_client_tls_ctx * exim_client_ctx;
f69979cf 2458static uschar peerdn[256];
868f5672 2459uschar * expciphers;
059ec3d9 2460int rc;
817d9f57 2461static uschar cipherbuf[256];
043b1248
JH
2462
2463#ifndef DISABLE_OCSP
043b1248 2464BOOL request_ocsp = FALSE;
6634ac8d 2465BOOL require_ocsp = FALSE;
043b1248 2466#endif
043b1248 2467
74f1a423
JH
2468rc = store_pool;
2469store_pool = POOL_PERM;
2470exim_client_ctx = store_get(sizeof(exim_openssl_client_tls_ctx));
2471store_pool = rc;
2472
c0635b6d 2473#ifdef SUPPORT_DANE
74f1a423 2474tlsp->tlsa_usage = 0;
043b1248
JH
2475#endif
2476
f2de3a33 2477#ifndef DISABLE_OCSP
043b1248 2478 {
c0635b6d 2479# ifdef SUPPORT_DANE
4f59c424
JH
2480 if ( tlsa_dnsa
2481 && ob->hosts_request_ocsp[0] == '*'
2482 && ob->hosts_request_ocsp[1] == '\0'
2483 )
2484 {
2485 /* Unchanged from default. Use a safer one under DANE */
2486 request_ocsp = TRUE;
2487 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
2488 " {= {4}{$tls_out_tlsa_usage}} } "
2489 " {*}{}}";
2490 }
2491# endif
2492
5130845b 2493 if ((require_ocsp =
3c07dd2d 2494 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK))
fca41d5a
JH
2495 request_ocsp = TRUE;
2496 else
c0635b6d 2497# ifdef SUPPORT_DANE
4f59c424 2498 if (!request_ocsp)
fca41d5a 2499# endif
5130845b 2500 request_ocsp =
3c07dd2d 2501 verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
043b1248 2502 }
f5d78688 2503#endif
059ec3d9 2504
74f1a423 2505rc = tls_init(&exim_client_ctx->ctx, host, NULL,
65867078 2506 ob->tls_certificate, ob->tls_privatekey,
f2de3a33 2507#ifndef DISABLE_OCSP
44662487 2508 (void *)(long)request_ocsp,
3f7eeb86 2509#endif
cf0c6164 2510 addr, &client_static_cbinfo, errstr);
74f1a423 2511if (rc != OK) return NULL;
059ec3d9 2512
74f1a423 2513tlsp->certificate_verified = FALSE;
a2ff477a 2514client_verify_callback_called = FALSE;
059ec3d9 2515
5ec37a55
PP
2516expciphers = NULL;
2517#ifdef SUPPORT_DANE
2518if (tlsa_dnsa)
2519 {
2520 /* We fall back to tls_require_ciphers if unset, empty or forced failure, but
2521 other failures should be treated as problems. */
2522 if (ob->dane_require_tls_ciphers &&
2523 !expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
2524 &expciphers, errstr))
74f1a423 2525 return NULL;
5ec37a55
PP
2526 if (expciphers && *expciphers == '\0')
2527 expciphers = NULL;
2528 }
2529#endif
2530if (!expciphers &&
2531 !expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
2532 &expciphers, errstr))
74f1a423 2533 return NULL;
059ec3d9
PH
2534
2535/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
2536are separated by underscores. So that I can use either form in my tests, and
2537also for general convenience, we turn underscores into hyphens here. */
2538
cf0c6164 2539if (expciphers)
059ec3d9
PH
2540 {
2541 uschar *s = expciphers;
cf0c6164 2542 while (*s) { if (*s == '_') *s = '-'; s++; }
059ec3d9 2543 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
74f1a423
JH
2544 if (!SSL_CTX_set_cipher_list(exim_client_ctx->ctx, CS expciphers))
2545 {
2546 tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr);
2547 return NULL;
2548 }
059ec3d9
PH
2549 }
2550
c0635b6d 2551#ifdef SUPPORT_DANE
0e66b3b6 2552if (tlsa_dnsa)
a63be306 2553 {
74f1a423 2554 SSL_CTX_set_verify(exim_client_ctx->ctx,
02af313d
JH
2555 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2556 verify_callback_client_dane);
e5cccda9 2557
043b1248 2558 if (!DANESSL_library_init())
74f1a423
JH
2559 {
2560 tls_error(US"library init", host, NULL, errstr);
2561 return NULL;
2562 }
2563 if (DANESSL_CTX_init(exim_client_ctx->ctx) <= 0)
2564 {
2565 tls_error(US"context init", host, NULL, errstr);
2566 return NULL;
2567 }
043b1248
JH
2568 }
2569else
e51c7be2 2570
043b1248
JH
2571#endif
2572
74f1a423
JH
2573 if (tls_client_basic_ctx_init(exim_client_ctx->ctx, host, ob,
2574 client_static_cbinfo, errstr) != OK)
2575 return NULL;
059ec3d9 2576
74f1a423
JH
2577if (!(exim_client_ctx->ssl = SSL_new(exim_client_ctx->ctx)))
2578 {
2579 tls_error(US"SSL_new", host, NULL, errstr);
2580 return NULL;
2581 }
2582SSL_set_session_id_context(exim_client_ctx->ssl, sid_ctx, Ustrlen(sid_ctx));
2583SSL_set_fd(exim_client_ctx->ssl, fd);
2584SSL_set_connect_state(exim_client_ctx->ssl);
059ec3d9 2585
65867078 2586if (ob->tls_sni)
3f0945ff 2587 {
74f1a423
JH
2588 if (!expand_check(ob->tls_sni, US"tls_sni", &tlsp->sni, errstr))
2589 return NULL;
2590 if (!tlsp->sni)
2c9a0e86
PP
2591 {
2592 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
2593 }
74f1a423
JH
2594 else if (!Ustrlen(tlsp->sni))
2595 tlsp->sni = NULL;
3f0945ff
PP
2596 else
2597 {
35731706 2598#ifdef EXIM_HAVE_OPENSSL_TLSEXT
74f1a423
JH
2599 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tlsp->sni);
2600 SSL_set_tlsext_host_name(exim_client_ctx->ssl, tlsp->sni);
35731706 2601#else
66802652 2602 log_write(0, LOG_MAIN, "SNI unusable with this OpenSSL library version; ignoring \"%s\"\n",
74f1a423 2603 tlsp->sni);
35731706 2604#endif
3f0945ff
PP
2605 }
2606 }
2607
c0635b6d 2608#ifdef SUPPORT_DANE
0e66b3b6 2609if (tlsa_dnsa)
74f1a423
JH
2610 if (dane_tlsa_load(exim_client_ctx->ssl, host, tlsa_dnsa, errstr) != OK)
2611 return NULL;
594706ea
JH
2612#endif
2613
f2de3a33 2614#ifndef DISABLE_OCSP
f5d78688
JH
2615/* Request certificate status at connection-time. If the server
2616does OCSP stapling we will get the callback (set in tls_init()) */
c0635b6d 2617# ifdef SUPPORT_DANE
44662487
JH
2618if (request_ocsp)
2619 {
594706ea 2620 const uschar * s;
41afb5cb
JH
2621 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
2622 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
594706ea
JH
2623 )
2624 { /* Re-eval now $tls_out_tlsa_usage is populated. If
2625 this means we avoid the OCSP request, we wasted the setup
2626 cost in tls_init(). */
3c07dd2d 2627 require_ocsp = verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
5130845b 2628 request_ocsp = require_ocsp
3c07dd2d 2629 || verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
594706ea
JH
2630 }
2631 }
b50c8b84
JH
2632# endif
2633
594706ea
JH
2634if (request_ocsp)
2635 {
74f1a423 2636 SSL_set_tlsext_status_type(exim_client_ctx->ssl, TLSEXT_STATUSTYPE_ocsp);
44662487 2637 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
74f1a423 2638 tlsp->ocsp = OCSP_NOT_RESP;
44662487 2639 }
f5d78688
JH
2640#endif
2641
0cbf2b82 2642#ifndef DISABLE_EVENT
afdb5e9c 2643client_static_cbinfo->event_action = tb ? tb->event_action : NULL;
a7538db1 2644#endif
043b1248 2645
059ec3d9
PH
2646/* There doesn't seem to be a built-in timeout on connection. */
2647
2648DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
2649sigalrm_seen = FALSE;
c2a1bba0 2650ALARM(ob->command_timeout);
74f1a423 2651rc = SSL_connect(exim_client_ctx->ssl);
c2a1bba0 2652ALARM_CLR(0);
059ec3d9 2653
c0635b6d 2654#ifdef SUPPORT_DANE
0e66b3b6 2655if (tlsa_dnsa)
74f1a423 2656 DANESSL_cleanup(exim_client_ctx->ssl);
043b1248
JH
2657#endif
2658
059ec3d9 2659if (rc <= 0)
74f1a423
JH
2660 {
2661 tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL, errstr);
2662 return NULL;
2663 }
059ec3d9
PH
2664
2665DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
2666
74f1a423 2667peer_cert(exim_client_ctx->ssl, tlsp, peerdn, sizeof(peerdn));
059ec3d9 2668
74f1a423
JH
2669construct_cipher_name(exim_client_ctx->ssl, cipherbuf, sizeof(cipherbuf), &tlsp->bits);
2670tlsp->cipher = cipherbuf;
059ec3d9 2671
9d1c15ef
JH
2672/* Record the certificate we presented */
2673 {
74f1a423
JH
2674 X509 * crt = SSL_get_certificate(exim_client_ctx->ssl);
2675 tlsp->ourcert = crt ? X509_dup(crt) : NULL;
9d1c15ef
JH
2676 }
2677
74f1a423
JH
2678tlsp->active.sock = fd;
2679tlsp->active.tls_ctx = exim_client_ctx;
2680return exim_client_ctx;
059ec3d9
PH
2681}
2682
2683
2684
2685
2686
0d81dabc
JH
2687static BOOL
2688tls_refill(unsigned lim)
2689{
2690int error;
2691int inbytes;
2692
2693DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
2694 ssl_xfer_buffer, ssl_xfer_buffer_size);
2695
c2a1bba0 2696if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
0d81dabc
JH
2697inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer,
2698 MIN(ssl_xfer_buffer_size, lim));
2699error = SSL_get_error(server_ssl, inbytes);
c2a1bba0 2700if (smtp_receive_timeout > 0) ALARM_CLR(0);
9723f966
JH
2701
2702if (had_command_timeout) /* set by signal handler */
2703 smtp_command_timeout_exit(); /* does not return */
2704if (had_command_sigterm)
2705 smtp_command_sigterm_exit();
2706if (had_data_timeout)
2707 smtp_data_timeout_exit();
2708if (had_data_sigint)
2709 smtp_data_sigint_exit();
0d81dabc
JH
2710
2711/* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
2712closed down, not that the socket itself has been closed down. Revert to
2713non-SSL handling. */
2714
74f1a423 2715switch(error)
0d81dabc 2716 {
74f1a423
JH
2717 case SSL_ERROR_NONE:
2718 break;
2719
2720 case SSL_ERROR_ZERO_RETURN:
2721 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
0d81dabc 2722
74f1a423
JH
2723 receive_getc = smtp_getc;
2724 receive_getbuf = smtp_getbuf;
2725 receive_get_cache = smtp_get_cache;
2726 receive_ungetc = smtp_ungetc;
2727 receive_feof = smtp_feof;
2728 receive_ferror = smtp_ferror;
2729 receive_smtp_buffered = smtp_buffered;
0d81dabc 2730
74f1a423
JH
2731 if (SSL_get_shutdown(server_ssl) == SSL_RECEIVED_SHUTDOWN)
2732 SSL_shutdown(server_ssl);
dec766a1 2733
37f0ce65 2734#ifndef DISABLE_OCSP
74f1a423
JH
2735 sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
2736 server_static_cbinfo->verify_stack = NULL;
37f0ce65 2737#endif
74f1a423
JH
2738 SSL_free(server_ssl);
2739 SSL_CTX_free(server_ctx);
2740 server_ctx = NULL;
2741 server_ssl = NULL;
2742 tls_in.active.sock = -1;
2743 tls_in.active.tls_ctx = NULL;
2744 tls_in.bits = 0;
2745 tls_in.cipher = NULL;
2746 tls_in.peerdn = NULL;
2747 tls_in.sni = NULL;
0d81dabc 2748
74f1a423 2749 return FALSE;
0d81dabc 2750
74f1a423
JH
2751 /* Handle genuine errors */
2752 case SSL_ERROR_SSL:
0abc5a13 2753 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
74f1a423
JH
2754 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
2755 ssl_xfer_error = TRUE;
2756 return FALSE;
0d81dabc 2757
74f1a423
JH
2758 default:
2759 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
2760 DEBUG(D_tls) if (error == SSL_ERROR_SYSCALL)
2761 debug_printf(" - syscall %s\n", strerror(errno));
2762 ssl_xfer_error = TRUE;
2763 return FALSE;
0d81dabc
JH
2764 }
2765
2766#ifndef DISABLE_DKIM
2767dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
2768#endif
2769ssl_xfer_buffer_hwm = inbytes;
2770ssl_xfer_buffer_lwm = 0;
2771return TRUE;
2772}
2773
2774
059ec3d9
PH
2775/*************************************************
2776* TLS version of getc *
2777*************************************************/
2778
2779/* This gets the next byte from the TLS input buffer. If the buffer is empty,
2780it refills the buffer via the SSL reading function.
2781
bd8fbe36 2782Arguments: lim Maximum amount to read/buffer
059ec3d9 2783Returns: the next character or EOF
817d9f57
JH
2784
2785Only used by the server-side TLS.
059ec3d9
PH
2786*/
2787
2788int
bd8fbe36 2789tls_getc(unsigned lim)
059ec3d9
PH
2790{
2791if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
0d81dabc
JH
2792 if (!tls_refill(lim))
2793 return ssl_xfer_error ? EOF : smtp_getc(lim);
059ec3d9 2794
0d81dabc 2795/* Something in the buffer; return next uschar */
059ec3d9 2796
0d81dabc
JH
2797return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
2798}
059ec3d9 2799
0d81dabc
JH
2800uschar *
2801tls_getbuf(unsigned * len)
2802{
2803unsigned size;
2804uschar * buf;
ba084640 2805
0d81dabc
JH
2806if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
2807 if (!tls_refill(*len))
059ec3d9 2808 {
0d81dabc
JH
2809 if (!ssl_xfer_error) return smtp_getbuf(len);
2810 *len = 0;
2811 return NULL;
059ec3d9 2812 }
c80c5570 2813
0d81dabc
JH
2814if ((size = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm) > *len)
2815 size = *len;
2816buf = &ssl_xfer_buffer[ssl_xfer_buffer_lwm];
2817ssl_xfer_buffer_lwm += size;
2818*len = size;
2819return buf;
059ec3d9
PH
2820}
2821
0d81dabc 2822
584e96c6
JH
2823void
2824tls_get_cache()
2825{
9960d1e5 2826#ifndef DISABLE_DKIM
584e96c6
JH
2827int n = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm;
2828if (n > 0)
2829 dkim_exim_verify_feed(ssl_xfer_buffer+ssl_xfer_buffer_lwm, n);
584e96c6 2830#endif
9960d1e5 2831}
584e96c6 2832
059ec3d9 2833
925ac8e4
JH
2834BOOL
2835tls_could_read(void)
2836{
a5ffa9b4 2837return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm || SSL_pending(server_ssl) > 0;
925ac8e4
JH
2838}
2839
059ec3d9
PH
2840
2841/*************************************************
2842* Read bytes from TLS channel *
2843*************************************************/
2844
2845/*
2846Arguments:
74f1a423 2847 ct_ctx client context pointer, or NULL for the one global server context
059ec3d9
PH
2848 buff buffer of data
2849 len size of buffer
2850
2851Returns: the number of bytes read
afdb5e9c 2852 -1 after a failed read, including EOF
817d9f57
JH
2853
2854Only used by the client-side TLS.
059ec3d9
PH
2855*/
2856
2857int
74f1a423 2858tls_read(void * ct_ctx, uschar *buff, size_t len)
059ec3d9 2859{
74f1a423 2860SSL * ssl = ct_ctx ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
059ec3d9
PH
2861int inbytes;
2862int error;
2863
389ca47a 2864DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
c80c5570 2865 buff, (unsigned int)len);
059ec3d9 2866
389ca47a
JH
2867inbytes = SSL_read(ssl, CS buff, len);
2868error = SSL_get_error(ssl, inbytes);
059ec3d9
PH
2869
2870if (error == SSL_ERROR_ZERO_RETURN)
2871 {
2872 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2873 return -1;
2874 }
2875else if (error != SSL_ERROR_NONE)
059ec3d9 2876 return -1;
059ec3d9
PH
2877
2878return inbytes;
2879}
2880
2881
2882
2883
2884
2885/*************************************************
2886* Write bytes down TLS channel *
2887*************************************************/
2888
2889/*
2890Arguments:
74f1a423 2891 ct_ctx client context pointer, or NULL for the one global server context
059ec3d9
PH
2892 buff buffer of data
2893 len number of bytes
925ac8e4 2894 more further data expected soon
059ec3d9
PH
2895
2896Returns: the number of bytes after a successful write,
2897 -1 after a failed write
817d9f57
JH
2898
2899Used by both server-side and client-side TLS.
059ec3d9
PH
2900*/
2901
2902int
74f1a423 2903tls_write(void * ct_ctx, const uschar *buff, size_t len, BOOL more)
059ec3d9 2904{
a5ffa9b4 2905int outbytes, error, left;
74f1a423 2906SSL * ssl = ct_ctx ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
acec9514 2907static gstring * corked = NULL;
a5ffa9b4 2908
ef698bf6 2909DEBUG(D_tls) debug_printf("%s(%p, %lu%s)\n", __FUNCTION__,
b93be52e 2910 buff, (unsigned long)len, more ? ", more" : "");
a5ffa9b4
JH
2911
2912/* Lacking a CORK or MSG_MORE facility (such as GnuTLS has) we copy data when
2913"more" is notified. This hack is only ok if small amounts are involved AND only
2914one stream does it, in one context (i.e. no store reset). Currently it is used
2915for the responses to the received SMTP MAIL , RCPT, DATA sequence, only. */
ee8b8090
JH
2916/*XXX + if PIPE_COMMAND, banner & ehlo-resp for smmtp-on-connect. Suspect there's
2917a store reset there. */
a5ffa9b4 2918
74f1a423 2919if (!ct_ctx && (more || corked))
a5ffa9b4 2920 {
ee8b8090
JH
2921#ifdef EXPERIMENTAL_PIPE_CONNECT
2922 int save_pool = store_pool;
2923 store_pool = POOL_PERM;
2924#endif
2925
acec9514 2926 corked = string_catn(corked, buff, len);
ee8b8090
JH
2927
2928#ifdef EXPERIMENTAL_PIPE_CONNECT
2929 store_pool = save_pool;
2930#endif
2931
a5ffa9b4
JH
2932 if (more)
2933 return len;
acec9514
JH
2934 buff = CUS corked->s;
2935 len = corked->ptr;
2936 corked = NULL;
a5ffa9b4 2937 }
059ec3d9 2938
a5ffa9b4 2939for (left = len; left > 0;)
059ec3d9 2940 {
74f1a423 2941 DEBUG(D_tls) debug_printf("SSL_write(%p, %p, %d)\n", ssl, buff, left);
059ec3d9
PH
2942 outbytes = SSL_write(ssl, CS buff, left);
2943 error = SSL_get_error(ssl, outbytes);
2944 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
2945 switch (error)
2946 {
2947 case SSL_ERROR_SSL:
0abc5a13 2948 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
96f5fe4c
JH
2949 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
2950 return -1;
059ec3d9
PH
2951
2952 case SSL_ERROR_NONE:
96f5fe4c
JH
2953 left -= outbytes;
2954 buff += outbytes;
2955 break;
059ec3d9
PH
2956
2957 case SSL_ERROR_ZERO_RETURN:
96f5fe4c
JH
2958 log_write(0, LOG_MAIN, "SSL channel closed on write");
2959 return -1;
059ec3d9 2960
817d9f57 2961 case SSL_ERROR_SYSCALL:
96f5fe4c
JH
2962 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
2963 sender_fullhost ? sender_fullhost : US"<unknown>",
2964 strerror(errno));
2965 return -1;
817d9f57 2966
059ec3d9 2967 default:
96f5fe4c
JH
2968 log_write(0, LOG_MAIN, "SSL_write error %d", error);
2969 return -1;
059ec3d9
PH
2970 }
2971 }
2972return len;
2973}
2974
2975
2976
2977/*************************************************
2978* Close down a TLS session *
2979*************************************************/
2980
2981/* This is also called from within a delivery subprocess forked from the
2982daemon, to shut down the TLS library, without actually doing a shutdown (which
2983would tamper with the SSL session in the parent process).
2984
dec766a1 2985Arguments:
74f1a423 2986 ct_ctx client TLS context pointer, or NULL for the one global server context
dec766a1
WB
2987 shutdown 1 if TLS close-alert is to be sent,
2988 2 if also response to be waited for
2989
059ec3d9 2990Returns: nothing
817d9f57
JH
2991
2992Used by both server-side and client-side TLS.
059ec3d9
PH
2993*/
2994
2995void
74f1a423 2996tls_close(void * ct_ctx, int shutdown)
059ec3d9 2997{
74f1a423
JH
2998exim_openssl_client_tls_ctx * o_ctx = ct_ctx;
2999SSL_CTX **ctxp = o_ctx ? &o_ctx->ctx : &server_ctx;
3000SSL **sslp = o_ctx ? &o_ctx->ssl : &server_ssl;
3001int *fdp = o_ctx ? &tls_out.active.sock : &tls_in.active.sock;
817d9f57
JH
3002
3003if (*fdp < 0) return; /* TLS was not active */
059ec3d9
PH
3004
3005if (shutdown)
3006 {
dec766a1
WB
3007 int rc;
3008 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
3009 shutdown > 1 ? " (with response-wait)" : "");
3010
3011 if ( (rc = SSL_shutdown(*sslp)) == 0 /* send "close notify" alert */
3012 && shutdown > 1)
3013 {
c2a1bba0 3014 ALARM(2);
dec766a1 3015 rc = SSL_shutdown(*sslp); /* wait for response */
c2a1bba0 3016 ALARM_CLR(0);
dec766a1
WB
3017 }
3018
3019 if (rc < 0) DEBUG(D_tls)
3020 {
0abc5a13 3021 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
dec766a1
WB
3022 debug_printf("SSL_shutdown: %s\n", ssl_errstring);
3023 }
3024 }
3025
37f0ce65 3026#ifndef DISABLE_OCSP
74f1a423 3027if (!o_ctx) /* server side */
dec766a1
WB
3028 {
3029 sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
dec766a1 3030 server_static_cbinfo->verify_stack = NULL;
059ec3d9 3031 }
37f0ce65 3032#endif
059ec3d9 3033
dec766a1 3034SSL_CTX_free(*ctxp);
817d9f57 3035SSL_free(*sslp);
dec766a1 3036*ctxp = NULL;
817d9f57 3037*sslp = NULL;
817d9f57 3038*fdp = -1;
059ec3d9
PH
3039}
3040
36f12725
NM
3041
3042
3043
3044/*************************************************
3375e053
PP
3045* Let tls_require_ciphers be checked at startup *
3046*************************************************/
3047
3048/* The tls_require_ciphers option, if set, must be something which the
3049library can parse.
3050
3051Returns: NULL on success, or error message
3052*/
3053
3054uschar *
3055tls_validate_require_cipher(void)
3056{
3057SSL_CTX *ctx;
3058uschar *s, *expciphers, *err;
3059
3060/* this duplicates from tls_init(), we need a better "init just global
3061state, for no specific purpose" singleton function of our own */
3062
7434882d 3063#ifdef EXIM_NEED_OPENSSL_INIT
3375e053
PP
3064SSL_load_error_strings();
3065OpenSSL_add_ssl_algorithms();
7434882d 3066#endif
3375e053
PP
3067#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
3068/* SHA256 is becoming ever more popular. This makes sure it gets added to the
3069list of available digests. */
3070EVP_add_digest(EVP_sha256());
3071#endif
3072
3073if (!(tls_require_ciphers && *tls_require_ciphers))
3074 return NULL;
3075
cf0c6164
JH
3076if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
3077 &err))
3375e053
PP
3078 return US"failed to expand tls_require_ciphers";
3079
3080if (!(expciphers && *expciphers))
3081 return NULL;
3082
3083/* normalisation ripped from above */
3084s = expciphers;
3085while (*s != 0) { if (*s == '_') *s = '-'; s++; }
3086
3087err = NULL;
3088
7a8b9519
JH
3089#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
3090if (!(ctx = SSL_CTX_new(TLS_server_method())))
3091#else
3092if (!(ctx = SSL_CTX_new(SSLv23_server_method())))
3093#endif
3375e053 3094 {
0abc5a13 3095 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3375e053
PP
3096 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
3097 }
3098
3099DEBUG(D_tls)
3100 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
3101
3102if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
3103 {
0abc5a13 3104 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
cf0c6164
JH
3105 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed: %s",
3106 expciphers, ssl_errstring);
3375e053
PP
3107 }
3108
3109SSL_CTX_free(ctx);
3110
3111return err;
3112}
3113
3114
3115
3116
3117/*************************************************
36f12725
NM
3118* Report the library versions. *
3119*************************************************/
3120
3121/* There have historically been some issues with binary compatibility in
3122OpenSSL libraries; if Exim (like many other applications) is built against
3123one version of OpenSSL but the run-time linker picks up another version,
3124it can result in serious failures, including crashing with a SIGSEGV. So
3125report the version found by the compiler and the run-time version.
3126
f64a1e23
PP
3127Note: some OS vendors backport security fixes without changing the version
3128number/string, and the version date remains unchanged. The _build_ date
3129will change, so we can more usefully assist with version diagnosis by also
3130reporting the build date.
3131
36f12725
NM
3132Arguments: a FILE* to print the results to
3133Returns: nothing
3134*/
3135
3136void
3137tls_version_report(FILE *f)
3138{
754a0503 3139fprintf(f, "Library version: OpenSSL: Compile: %s\n"
f64a1e23
PP
3140 " Runtime: %s\n"
3141 " : %s\n",
754a0503 3142 OPENSSL_VERSION_TEXT,
f64a1e23
PP
3143 SSLeay_version(SSLEAY_VERSION),
3144 SSLeay_version(SSLEAY_BUILT_ON));
3145/* third line is 38 characters for the %s and the line is 73 chars long;
3146the OpenSSL output includes a "built on: " prefix already. */
36f12725
NM
3147}
3148
9e3331ea
TK
3149
3150
3151
3152/*************************************************
17c76198 3153* Random number generation *
9e3331ea
TK
3154*************************************************/
3155
3156/* Pseudo-random number generation. The result is not expected to be
3157cryptographically strong but not so weak that someone will shoot themselves
3158in the foot using it as a nonce in input in some email header scheme or
3159whatever weirdness they'll twist this into. The result should handle fork()
3160and avoid repeating sequences. OpenSSL handles that for us.
3161
3162Arguments:
3163 max range maximum
3164Returns a random number in range [0, max-1]
3165*/
3166
3167int
17c76198 3168vaguely_random_number(int max)
9e3331ea
TK
3169{
3170unsigned int r;
3171int i, needed_len;
de6135a0
PP
3172static pid_t pidlast = 0;
3173pid_t pidnow;
9e3331ea
TK
3174uschar *p;
3175uschar smallbuf[sizeof(r)];
3176
3177if (max <= 1)
3178 return 0;
3179
de6135a0
PP
3180pidnow = getpid();
3181if (pidnow != pidlast)
3182 {
3183 /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
3184 is unique for each thread", this doesn't apparently apply across processes,
3185 so our own warning from vaguely_random_number_fallback() applies here too.
3186 Fix per PostgreSQL. */
3187 if (pidlast != 0)
3188 RAND_cleanup();
3189 pidlast = pidnow;
3190 }
3191
9e3331ea
TK
3192/* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
3193if (!RAND_status())
3194 {
3195 randstuff r;
3196 gettimeofday(&r.tv, NULL);
3197 r.p = getpid();
3198
5903c6ff 3199 RAND_seed(US (&r), sizeof(r));
9e3331ea
TK
3200 }
3201/* We're after pseudo-random, not random; if we still don't have enough data
3202in the internal PRNG then our options are limited. We could sleep and hope
3203for entropy to come along (prayer technique) but if the system is so depleted
3204in the first place then something is likely to just keep taking it. Instead,
3205we'll just take whatever little bit of pseudo-random we can still manage to
3206get. */
3207
3208needed_len = sizeof(r);
3209/* Don't take 8 times more entropy than needed if int is 8 octets and we were
3210asked for a number less than 10. */
3211for (r = max, i = 0; r; ++i)
3212 r >>= 1;
3213i = (i + 7) / 8;
3214if (i < needed_len)
3215 needed_len = i;
3216
c8dfb21d 3217#ifdef EXIM_HAVE_RAND_PSEUDO
9e3331ea 3218/* We do not care if crypto-strong */
17c76198 3219i = RAND_pseudo_bytes(smallbuf, needed_len);
c8dfb21d
JH
3220#else
3221i = RAND_bytes(smallbuf, needed_len);
3222#endif
3223
17c76198
PP
3224if (i < 0)
3225 {
3226 DEBUG(D_all)
3227 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
3228 return vaguely_random_number_fallback(max);
3229 }
3230
9e3331ea
TK
3231r = 0;
3232for (p = smallbuf; needed_len; --needed_len, ++p)
3233 {
3234 r *= 256;
3235 r += *p;
3236 }
3237
3238/* We don't particularly care about weighted results; if someone wants
3239smooth distribution and cares enough then they should submit a patch then. */
3240return r % max;
3241}
3242
77bb000f
PP
3243
3244
3245
3246/*************************************************
3247* OpenSSL option parse *
3248*************************************************/
3249
3250/* Parse one option for tls_openssl_options_parse below
3251
3252Arguments:
3253 name one option name
3254 value place to store a value for it
3255Returns success or failure in parsing
3256*/
3257
77bb000f 3258
c80c5570 3259
77bb000f
PP
3260static BOOL
3261tls_openssl_one_option_parse(uschar *name, long *value)
3262{
3263int first = 0;
3264int last = exim_openssl_options_size;
3265while (last > first)
3266 {
3267 int middle = (first + last)/2;
3268 int c = Ustrcmp(name, exim_openssl_options[middle].name);
3269 if (c == 0)
3270 {
3271 *value = exim_openssl_options[middle].value;
3272 return TRUE;
3273 }
3274 else if (c > 0)
3275 first = middle + 1;
3276 else
3277 last = middle;
3278 }
3279return FALSE;
3280}
3281
3282
3283
3284
3285/*************************************************
3286* OpenSSL option parsing logic *
3287*************************************************/
3288
3289/* OpenSSL has a number of compatibility options which an administrator might
3290reasonably wish to set. Interpret a list similarly to decode_bits(), so that
3291we look like log_selector.
3292
3293Arguments:
3294 option_spec the administrator-supplied string of options
3295 results ptr to long storage for the options bitmap
3296Returns success or failure
3297*/
3298
3299BOOL
3300tls_openssl_options_parse(uschar *option_spec, long *results)
3301{
3302long result, item;
3303uschar *s, *end;
3304uschar keep_c;