ARC: harden versus badly-formatted AMS line
[exim.git] / src / src / tls-openssl.c
CommitLineData
059ec3d9
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
b10c87b3 5/* Copyright (c) University of Cambridge 1995 - 2019 */
059ec3d9
PH
6/* See the file NOTICE for conditions of use and distribution. */
7
f5d78688
JH
8/* Portions Copyright (c) The OpenSSL Project 1999 */
9
059ec3d9
PH
10/* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11library. It is #included into the tls.c file when that library is used. The
12code herein is based on a patch that was originally contributed by Steve
13Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
14
15No cryptographic code is included in Exim. All this module does is to call
16functions from the OpenSSL library. */
17
18
19/* Heading stuff */
20
21#include <openssl/lhash.h>
22#include <openssl/ssl.h>
23#include <openssl/err.h>
24#include <openssl/rand.h>
10ca4f1c
JH
25#ifndef OPENSSL_NO_ECDH
26# include <openssl/ec.h>
27#endif
f2de3a33 28#ifndef DISABLE_OCSP
e51c7be2 29# include <openssl/ocsp.h>
3f7eeb86 30#endif
c0635b6d 31#ifdef SUPPORT_DANE
05e796ad 32# include "danessl.h"
85098ee7
JH
33#endif
34
3f7eeb86 35
f2de3a33
JH
36#ifndef DISABLE_OCSP
37# define EXIM_OCSP_SKEW_SECONDS (300L)
38# define EXIM_OCSP_MAX_AGE (-1L)
3f7eeb86 39#endif
059ec3d9 40
3bcbbbe2 41#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
e51c7be2 42# define EXIM_HAVE_OPENSSL_TLSEXT
3bcbbbe2 43#endif
c8dfb21d
JH
44#if OPENSSL_VERSION_NUMBER >= 0x00908000L
45# define EXIM_HAVE_RSA_GENKEY_EX
46#endif
47#if OPENSSL_VERSION_NUMBER >= 0x10100000L
48# define EXIM_HAVE_OCSP_RESP_COUNT
b038d456 49# define OPENSSL_AUTO_SHA256
c8dfb21d
JH
50#else
51# define EXIM_HAVE_EPHEM_RSA_KEX
52# define EXIM_HAVE_RAND_PSEUDO
53#endif
54#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
8442641e 55# define EXIM_HAVE_SHA256
c8dfb21d 56#endif
34e3241d 57
d7978c0f
JH
58/* X509_check_host provides sane certificate hostname checking, but was added
59to OpenSSL late, after other projects forked off the code-base. So in
60addition to guarding against the base version number, beware that LibreSSL
61does not (at this time) support this function.
62
63If LibreSSL gains a different API, perhaps via libtls, then we'll probably
64opt to disentangle and ask a LibreSSL user to provide glue for a third
65crypto provider for libtls instead of continuing to tie the OpenSSL glue
66into even twistier knots. If LibreSSL gains the same API, we can just
67change this guard and punt the issue for a while longer. */
68
34e3241d
PP
69#ifndef LIBRESSL_VERSION_NUMBER
70# if OPENSSL_VERSION_NUMBER >= 0x010100000L
71# define EXIM_HAVE_OPENSSL_CHECKHOST
8420742d 72# define EXIM_HAVE_OPENSSL_DH_BITS
7a8b9519 73# define EXIM_HAVE_OPENSSL_TLS_METHOD
f20cfa4a 74# define EXIM_HAVE_OPENSSL_KEYLOG
f1be21cf 75# define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
b10c87b3 76# define EXIM_HAVE_SESSION_TICKET
e570d136 77# define EXIM_HAVE_OPESSL_TRACE
012dd02e 78# define EXIM_HAVE_OPESSL_GET0_SERIAL
7434882d
JH
79# else
80# define EXIM_NEED_OPENSSL_INIT
34e3241d
PP
81# endif
82# if OPENSSL_VERSION_NUMBER >= 0x010000000L \
2dfb468b 83 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
34e3241d
PP
84# define EXIM_HAVE_OPENSSL_CHECKHOST
85# endif
11aa88b0 86#endif
10ca4f1c 87
11aa88b0
RA
88#if !defined(LIBRESSL_VERSION_NUMBER) \
89 || LIBRESSL_VERSION_NUMBER >= 0x20010000L
10ca4f1c
JH
90# if !defined(OPENSSL_NO_ECDH)
91# if OPENSSL_VERSION_NUMBER >= 0x0090800fL
8442641e 92# define EXIM_HAVE_ECDH
10ca4f1c
JH
93# endif
94# if OPENSSL_VERSION_NUMBER >= 0x10002000L
10ca4f1c
JH
95# define EXIM_HAVE_OPENSSL_EC_NIST2NID
96# endif
97# endif
2dfb468b 98#endif
3bcbbbe2 99
8a40db1c
JH
100#ifndef LIBRESSL_VERSION_NUMBER
101# if OPENSSL_VERSION_NUMBER >= 0x010101000L
102# define OPENSSL_HAVE_KEYLOG_CB
d7f31bb6 103# define OPENSSL_HAVE_NUM_TICKETS
f1be21cf 104# define EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
8a40db1c
JH
105# endif
106#endif
107
67791ce4
JH
108#if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
109# warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
110# define DISABLE_OCSP
111#endif
43e2db44
JH
112
113#ifdef EXPERIMENTAL_TLS_RESUME
114# if OPENSSL_VERSION_NUMBER < 0x0101010L
115# error OpenSSL version too old for session-resumption
116# endif
117#endif
67791ce4 118
a6510420
JH
119#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
120# include <openssl/x509v3.h>
121#endif
122
f1be21cf
JH
123#ifndef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
124# ifndef EXIM_HAVE_OPENSSL_CIPHER_GET_ID
125# define SSL_CIPHER_get_id(c) (c->id)
126# endif
dca6d121
JH
127# ifndef MACRO_PREDEF
128# include "tls-cipher-stdname.c"
129# endif
f1be21cf
JH
130#endif
131
8442641e
JH
132/*************************************************
133* OpenSSL option parse *
134*************************************************/
135
136typedef struct exim_openssl_option {
137 uschar *name;
138 long value;
139} exim_openssl_option;
140/* We could use a macro to expand, but we need the ifdef and not all the
141options document which version they were introduced in. Policylet: include
142all options unless explicitly for DTLS, let the administrator choose which
143to apply.
144
145This list is current as of:
146 ==> 1.0.1b <==
147Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
148Plus SSL_OP_NO_TLSv1_3 for 1.1.2-dev
149*/
150static exim_openssl_option exim_openssl_options[] = {
151/* KEEP SORTED ALPHABETICALLY! */
152#ifdef SSL_OP_ALL
6d95688d 153 { US"all", (long) SSL_OP_ALL },
8442641e
JH
154#endif
155#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
156 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
157#endif
158#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
159 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
160#endif
161#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
162 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
163#endif
164#ifdef SSL_OP_EPHEMERAL_RSA
165 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
166#endif
167#ifdef SSL_OP_LEGACY_SERVER_CONNECT
168 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
169#endif
170#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
171 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
172#endif
173#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
174 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
175#endif
176#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
177 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
178#endif
179#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
180 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
181#endif
182#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
183 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
184#endif
185#ifdef SSL_OP_NO_COMPRESSION
186 { US"no_compression", SSL_OP_NO_COMPRESSION },
187#endif
188#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
189 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
190#endif
191#ifdef SSL_OP_NO_SSLv2
192 { US"no_sslv2", SSL_OP_NO_SSLv2 },
193#endif
194#ifdef SSL_OP_NO_SSLv3
195 { US"no_sslv3", SSL_OP_NO_SSLv3 },
196#endif
197#ifdef SSL_OP_NO_TICKET
198 { US"no_ticket", SSL_OP_NO_TICKET },
199#endif
200#ifdef SSL_OP_NO_TLSv1
201 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
202#endif
203#ifdef SSL_OP_NO_TLSv1_1
204#if SSL_OP_NO_TLSv1_1 == 0x00000400L
205 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
206#warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
207#else
208 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
209#endif
210#endif
211#ifdef SSL_OP_NO_TLSv1_2
212 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
213#endif
214#ifdef SSL_OP_NO_TLSv1_3
215 { US"no_tlsv1_3", SSL_OP_NO_TLSv1_3 },
216#endif
217#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
218 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
219#endif
220#ifdef SSL_OP_SINGLE_DH_USE
221 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
222#endif
223#ifdef SSL_OP_SINGLE_ECDH_USE
224 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
225#endif
226#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
227 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
228#endif
229#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
230 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
231#endif
232#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
233 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
234#endif
235#ifdef SSL_OP_TLS_D5_BUG
236 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
237#endif
238#ifdef SSL_OP_TLS_ROLLBACK_BUG
239 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
240#endif
241};
242
243#ifndef MACRO_PREDEF
244static int exim_openssl_options_size = nelem(exim_openssl_options);
245#endif
246
247#ifdef MACRO_PREDEF
248void
249options_tls(void)
250{
8442641e
JH
251uschar buf[64];
252
d7978c0f 253for (struct exim_openssl_option * o = exim_openssl_options;
8442641e
JH
254 o < exim_openssl_options + nelem(exim_openssl_options); o++)
255 {
256 /* Trailing X is workaround for problem with _OPT_OPENSSL_NO_TLSV1
257 being a ".ifdef _OPT_OPENSSL_NO_TLSV1_3" match */
258
259 spf(buf, sizeof(buf), US"_OPT_OPENSSL_%T_X", o->name);
260 builtin_macro_create(buf);
261 }
b10c87b3
JH
262
263# ifdef EXPERIMENTAL_TLS_RESUME
264builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
265# endif
e326959e
JH
266# ifdef SSL_OP_NO_TLSv1_3
267builtin_macro_create(US"_HAVE_TLS1_3");
268# endif
8442641e
JH
269}
270#else
271
272/******************************************************************************/
273
059ec3d9
PH
274/* Structure for collecting random data for seeding. */
275
276typedef struct randstuff {
9e3331ea
TK
277 struct timeval tv;
278 pid_t p;
059ec3d9
PH
279} randstuff;
280
281/* Local static variables */
282
a2ff477a
JH
283static BOOL client_verify_callback_called = FALSE;
284static BOOL server_verify_callback_called = FALSE;
059ec3d9
PH
285static const uschar *sid_ctx = US"exim";
286
d4f09789
PP
287/* We have three different contexts to care about.
288
289Simple case: client, `client_ctx`
290 As a client, we can be doing a callout or cut-through delivery while receiving
291 a message. So we have a client context, which should have options initialised
74f1a423
JH
292 from the SMTP Transport. We may also concurrently want to make TLS connections
293 to utility daemons, so client-contexts are allocated and passed around in call
294 args rather than using a gobal.
d4f09789
PP
295
296Server:
297 There are two cases: with and without ServerNameIndication from the client.
298 Given TLS SNI, we can be using different keys, certs and various other
299 configuration settings, because they're re-expanded with $tls_sni set. This
300 allows vhosting with TLS. This SNI is sent in the handshake.
301 A client might not send SNI, so we need a fallback, and an initial setup too.
302 So as a server, we start out using `server_ctx`.
303 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
304 `server_sni` from `server_ctx` and then initialise settings by re-expanding
305 configuration.
306*/
307
74f1a423
JH
308typedef struct {
309 SSL_CTX * ctx;
310 SSL * ssl;
c09dbcfb 311 gstring * corked;
74f1a423
JH
312} exim_openssl_client_tls_ctx;
313
817d9f57 314static SSL_CTX *server_ctx = NULL;
817d9f57 315static SSL *server_ssl = NULL;
389ca47a 316
35731706 317#ifdef EXIM_HAVE_OPENSSL_TLSEXT
817d9f57 318static SSL_CTX *server_sni = NULL;
35731706 319#endif
059ec3d9
PH
320
321static char ssl_errstring[256];
322
dea4b568 323static int ssl_session_timeout = 7200; /* Two hours */
a2ff477a
JH
324static BOOL client_verify_optional = FALSE;
325static BOOL server_verify_optional = FALSE;
059ec3d9 326
f5d78688 327static BOOL reexpand_tls_files_for_sni = FALSE;
059ec3d9
PH
328
329
5b2fd993
JH
330typedef struct ocsp_resp {
331 struct ocsp_resp * next;
332 OCSP_RESPONSE * resp;
333} ocsp_resplist;
334
7be682ca 335typedef struct tls_ext_ctx_cb {
b10c87b3 336 tls_support * tlsp;
7be682ca
PP
337 uschar *certificate;
338 uschar *privatekey;
f5d78688 339 BOOL is_server;
a6510420 340#ifndef DISABLE_OCSP
c3033f13 341 STACK_OF(X509) *verify_stack; /* chain for verifying the proof */
f5d78688
JH
342 union {
343 struct {
344 uschar *file;
5b2fd993
JH
345 const uschar *file_expanded;
346 ocsp_resplist *olist;
f5d78688
JH
347 } server;
348 struct {
44662487
JH
349 X509_STORE *verify_store; /* non-null if status requested */
350 BOOL verify_required;
f5d78688
JH
351 } client;
352 } u_ocsp;
3f7eeb86 353#endif
7be682ca
PP
354 uschar *dhparam;
355 /* these are cached from first expand */
356 uschar *server_cipher_list;
357 /* only passed down to tls_error: */
358 host_item *host;
55414b25 359 const uschar * verify_cert_hostnames;
0cbf2b82 360#ifndef DISABLE_EVENT
a7538db1
JH
361 uschar * event_action;
362#endif
7be682ca
PP
363} tls_ext_ctx_cb;
364
365/* should figure out a cleanup of API to handle state preserved per
366implementation, for various reasons, which can be void * in the APIs.
367For now, we hack around it. */
b10c87b3 368tls_ext_ctx_cb *client_static_cbinfo = NULL; /*XXX should not use static; multiple concurrent clients! */
817d9f57 369tls_ext_ctx_cb *server_static_cbinfo = NULL;
7be682ca
PP
370
371static int
983207c1 372setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
cf0c6164 373 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr );
059ec3d9 374
3f7eeb86 375/* Callbacks */
3bcbbbe2 376#ifdef EXIM_HAVE_OPENSSL_TLSEXT
3f7eeb86 377static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
3bcbbbe2 378#endif
f2de3a33 379#ifndef DISABLE_OCSP
f5d78688 380static int tls_server_stapling_cb(SSL *s, void *arg);
3f7eeb86
PP
381#endif
382
059ec3d9 383
b10c87b3 384
4d93129f 385/* Daemon-called, before every connection, key create/rotate */
b10c87b3
JH
386#ifdef EXPERIMENTAL_TLS_RESUME
387static void tk_init(void);
388static int tls_exdata_idx = -1;
389#endif
390
391void
392tls_daemon_init(void)
393{
394#ifdef EXPERIMENTAL_TLS_RESUME
395tk_init();
396#endif
397return;
398}
399
400
059ec3d9
PH
401/*************************************************
402* Handle TLS error *
403*************************************************/
404
405/* Called from lots of places when errors occur before actually starting to do
406the TLS handshake, that is, while the session is still in clear. Always returns
407DEFER for a server and FAIL for a client so that most calls can use "return
408tls_error(...)" to do this processing and then give an appropriate return. A
409single function is used for both server and client, because it is called from
410some shared functions.
411
412Argument:
413 prefix text to include in the logged error
414 host NULL if setting up a server;
415 the connected host if setting up a client
7199e1ee 416 msg error message or NULL if we should ask OpenSSL
cf0c6164 417 errstr pointer to output error message
059ec3d9
PH
418
419Returns: OK/DEFER/FAIL
420*/
421
422static int
cf0c6164 423tls_error(uschar * prefix, const host_item * host, uschar * msg, uschar ** errstr)
059ec3d9 424{
c562fd30 425if (!msg)
7199e1ee 426 {
0abc5a13 427 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
cf0c6164 428 msg = US ssl_errstring;
7199e1ee
TF
429 }
430
5a2a0989
JH
431msg = string_sprintf("(%s): %s", prefix, msg);
432DEBUG(D_tls) debug_printf("TLS error '%s'\n", msg);
433if (errstr) *errstr = msg;
cf0c6164 434return host ? FAIL : DEFER;
059ec3d9
PH
435}
436
437
438
439/*************************************************
440* Callback to generate RSA key *
441*************************************************/
442
443/*
444Arguments:
3ae79556 445 s SSL connection (not used)
059ec3d9
PH
446 export not used
447 keylength keylength
448
449Returns: pointer to generated key
450*/
451
452static RSA *
453rsa_callback(SSL *s, int export, int keylength)
454{
455RSA *rsa_key;
c8dfb21d
JH
456#ifdef EXIM_HAVE_RSA_GENKEY_EX
457BIGNUM *bn = BN_new();
458#endif
459
059ec3d9
PH
460export = export; /* Shut picky compilers up */
461DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
c8dfb21d
JH
462
463#ifdef EXIM_HAVE_RSA_GENKEY_EX
464if ( !BN_set_word(bn, (unsigned long)RSA_F4)
f2cb6292 465 || !(rsa_key = RSA_new())
c8dfb21d
JH
466 || !RSA_generate_key_ex(rsa_key, keylength, bn, NULL)
467 )
468#else
23bb6982 469if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL)))
c8dfb21d
JH
470#endif
471
059ec3d9 472 {
0abc5a13 473 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
059ec3d9
PH
474 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
475 ssl_errstring);
476 return NULL;
477 }
478return rsa_key;
479}
480
481
482
f5d78688 483/* Extreme debug
f2de3a33 484#ifndef DISABLE_OCSP
f5d78688
JH
485void
486x509_store_dump_cert_s_names(X509_STORE * store)
487{
488STACK_OF(X509_OBJECT) * roots= store->objs;
f5d78688
JH
489static uschar name[256];
490
d7978c0f 491for (int i= 0; i < sk_X509_OBJECT_num(roots); i++)
f5d78688
JH
492 {
493 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
494 if(tmp_obj->type == X509_LU_X509)
495 {
70e384dd
JH
496 X509_NAME * sn = X509_get_subject_name(tmp_obj->data.x509);
497 if (X509_NAME_oneline(sn, CS name, sizeof(name)))
498 {
499 name[sizeof(name)-1] = '\0';
500 debug_printf(" %s\n", name);
501 }
f5d78688
JH
502 }
503 }
504}
505#endif
506*/
507
059ec3d9 508
0cbf2b82 509#ifndef DISABLE_EVENT
f69979cf
JH
510static int
511verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
512 BOOL *calledp, const BOOL *optionalp, const uschar * what)
513{
514uschar * ev;
515uschar * yield;
516X509 * old_cert;
517
518ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
519if (ev)
520 {
aaba7d03 521 DEBUG(D_tls) debug_printf("verify_event: %s %d\n", what, depth);
f69979cf
JH
522 old_cert = tlsp->peercert;
523 tlsp->peercert = X509_dup(cert);
524 /* NB we do not bother setting peerdn */
525 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
526 {
527 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
528 "depth=%d cert=%s: %s",
529 tlsp == &tls_out ? deliver_host_address : sender_host_address,
530 what, depth, dn, yield);
531 *calledp = TRUE;
532 if (!*optionalp)
533 {
534 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
535 return 1; /* reject (leaving peercert set) */
536 }
537 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
538 "(host in tls_try_verify_hosts)\n");
4a1bd6b9 539 tlsp->verify_override = TRUE;
f69979cf
JH
540 }
541 X509_free(tlsp->peercert);
542 tlsp->peercert = old_cert;
543 }
544return 0;
545}
546#endif
547
059ec3d9
PH
548/*************************************************
549* Callback for verification *
550*************************************************/
551
552/* The SSL library does certificate verification if set up to do so. This
553callback has the current yes/no state is in "state". If verification succeeded,
f69979cf
JH
554we set the certificate-verified flag. If verification failed, what happens
555depends on whether the client is required to present a verifiable certificate
556or not.
059ec3d9
PH
557
558If verification is optional, we change the state to yes, but still log the
559verification error. For some reason (it really would help to have proper
560documentation of OpenSSL), this callback function then gets called again, this
f69979cf
JH
561time with state = 1. We must take care not to set the private verified flag on
562the second time through.
059ec3d9
PH
563
564Note: this function is not called if the client fails to present a certificate
565when asked. We get here only if a certificate has been received. Handling of
566optional verification for this case is done when requesting SSL to verify, by
567setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
568
a7538db1
JH
569May be called multiple times for different issues with a certificate, even
570for a given "depth" in the certificate chain.
571
059ec3d9 572Arguments:
f2f2c91b
JH
573 preverify_ok current yes/no state as 1/0
574 x509ctx certificate information.
575 tlsp per-direction (client vs. server) support data
576 calledp has-been-called flag
577 optionalp verification-is-optional flag
059ec3d9 578
f2f2c91b 579Returns: 0 if verification should fail, otherwise 1
059ec3d9
PH
580*/
581
582static int
70e384dd
JH
583verify_callback(int preverify_ok, X509_STORE_CTX * x509ctx,
584 tls_support * tlsp, BOOL * calledp, BOOL * optionalp)
059ec3d9 585{
421aff85 586X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
a7538db1 587int depth = X509_STORE_CTX_get_error_depth(x509ctx);
f69979cf 588uschar dn[256];
059ec3d9 589
70e384dd
JH
590if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
591 {
592 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
593 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
594 tlsp == &tls_out ? deliver_host_address : sender_host_address);
595 return 0;
596 }
f69979cf 597dn[sizeof(dn)-1] = '\0';
059ec3d9 598
f4e62a87 599tlsp->verify_override = FALSE;
f2f2c91b 600if (preverify_ok == 0)
059ec3d9 601 {
f77197ae
JH
602 uschar * extra = verify_mode ? string_sprintf(" (during %c-verify for [%s])",
603 *verify_mode, sender_host_address)
604 : US"";
605 log_write(0, LOG_MAIN, "[%s] SSL verify error%s: depth=%d error=%s cert=%s",
606 tlsp == &tls_out ? deliver_host_address : sender_host_address,
607 extra, depth,
608 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)), dn);
a2ff477a 609 *calledp = TRUE;
9d1c15ef
JH
610 if (!*optionalp)
611 {
f69979cf
JH
612 if (!tlsp->peercert)
613 tlsp->peercert = X509_dup(cert); /* record failing cert */
614 return 0; /* reject */
9d1c15ef 615 }
059ec3d9
PH
616 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
617 "tls_try_verify_hosts)\n");
4a1bd6b9 618 tlsp->verify_override = TRUE;
059ec3d9
PH
619 }
620
a7538db1 621else if (depth != 0)
059ec3d9 622 {
f69979cf 623 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
f2de3a33 624#ifndef DISABLE_OCSP
f5d78688
JH
625 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
626 { /* client, wanting stapling */
627 /* Add the server cert's signing chain as the one
628 for the verification of the OCSP stapled information. */
94431adb 629
f5d78688 630 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
421aff85 631 cert))
f5d78688 632 ERR_clear_error();
c3033f13 633 sk_X509_push(client_static_cbinfo->verify_stack, cert);
f5d78688
JH
634 }
635#endif
0cbf2b82 636#ifndef DISABLE_EVENT
f69979cf
JH
637 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
638 return 0; /* reject, with peercert set */
a7538db1 639#endif
059ec3d9
PH
640 }
641else
642 {
55414b25 643 const uschar * verify_cert_hostnames;
e51c7be2 644
e51c7be2
JH
645 if ( tlsp == &tls_out
646 && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
afdb5e9c 647 /* client, wanting hostname check */
e51c7be2 648 {
f69979cf 649
740f36d4 650#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
f69979cf
JH
651# ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
652# define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
653# endif
654# ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
655# define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
656# endif
e51c7be2 657 int sep = 0;
55414b25 658 const uschar * list = verify_cert_hostnames;
e51c7be2 659 uschar * name;
d8e7834a
JH
660 int rc;
661 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
f40d5be3 662 if ((rc = X509_check_host(cert, CCS name, 0,
8d692470 663 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
740f36d4
JH
664 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
665 NULL)))
d8e7834a
JH
666 {
667 if (rc < 0)
668 {
93a6fce2 669 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
f77197ae 670 tlsp == &tls_out ? deliver_host_address : sender_host_address);
d8e7834a
JH
671 name = NULL;
672 }
e51c7be2 673 break;
d8e7834a 674 }
e51c7be2 675 if (!name)
f69979cf 676#else
e51c7be2 677 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
f69979cf 678#endif
e51c7be2 679 {
f77197ae
JH
680 uschar * extra = verify_mode
681 ? string_sprintf(" (during %c-verify for [%s])",
682 *verify_mode, sender_host_address)
683 : US"";
e51c7be2 684 log_write(0, LOG_MAIN,
f77197ae
JH
685 "[%s] SSL verify error%s: certificate name mismatch: DN=\"%s\" H=\"%s\"",
686 tlsp == &tls_out ? deliver_host_address : sender_host_address,
687 extra, dn, verify_cert_hostnames);
a3ef7310
JH
688 *calledp = TRUE;
689 if (!*optionalp)
f69979cf
JH
690 {
691 if (!tlsp->peercert)
692 tlsp->peercert = X509_dup(cert); /* record failing cert */
693 return 0; /* reject */
694 }
4a1bd6b9 695 DEBUG(D_tls) debug_printf("SSL verify name failure overridden (host in "
a3ef7310 696 "tls_try_verify_hosts)\n");
4a1bd6b9 697 tlsp->verify_override = TRUE;
e51c7be2 698 }
f69979cf 699 }
e51c7be2 700
0cbf2b82 701#ifndef DISABLE_EVENT
f69979cf
JH
702 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
703 return 0; /* reject, with peercert set */
e51c7be2
JH
704#endif
705
93dcb1c2 706 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
f69979cf 707 *calledp ? "" : " authenticated", dn);
93dcb1c2 708 *calledp = TRUE;
059ec3d9
PH
709 }
710
a7538db1 711return 1; /* accept, at least for this level */
059ec3d9
PH
712}
713
a2ff477a 714static int
f2f2c91b 715verify_callback_client(int preverify_ok, X509_STORE_CTX *x509ctx)
a2ff477a 716{
f2f2c91b
JH
717return verify_callback(preverify_ok, x509ctx, &tls_out,
718 &client_verify_callback_called, &client_verify_optional);
a2ff477a
JH
719}
720
721static int
f2f2c91b 722verify_callback_server(int preverify_ok, X509_STORE_CTX *x509ctx)
a2ff477a 723{
f2f2c91b
JH
724return verify_callback(preverify_ok, x509ctx, &tls_in,
725 &server_verify_callback_called, &server_verify_optional);
a2ff477a
JH
726}
727
059ec3d9 728
c0635b6d 729#ifdef SUPPORT_DANE
53a7196b 730
e5cccda9
JH
731/* This gets called *by* the dane library verify callback, which interposes
732itself.
733*/
734static int
f2f2c91b 735verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
e5cccda9
JH
736{
737X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
f69979cf 738uschar dn[256];
83b27293 739int depth = X509_STORE_CTX_get_error_depth(x509ctx);
5c75db2e 740#ifndef DISABLE_EVENT
f69979cf 741BOOL dummy_called, optional = FALSE;
83b27293 742#endif
e5cccda9 743
70e384dd
JH
744if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
745 {
746 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
747 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
748 deliver_host_address);
749 return 0;
750 }
f69979cf 751dn[sizeof(dn)-1] = '\0';
e5cccda9 752
f2f2c91b
JH
753DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
754 preverify_ok ? "ok":"BAD", depth, dn);
e5cccda9 755
0cbf2b82 756#ifndef DISABLE_EVENT
f69979cf
JH
757 if (verify_event(&tls_out, cert, depth, dn,
758 &dummy_called, &optional, US"DANE"))
759 return 0; /* reject, with peercert set */
83b27293
JH
760#endif
761
f2f2c91b 762if (preverify_ok == 1)
6fbf3599 763 {
4a1bd6b9 764 tls_out.dane_verified = TRUE;
6fbf3599
JH
765#ifndef DISABLE_OCSP
766 if (client_static_cbinfo->u_ocsp.client.verify_store)
767 { /* client, wanting stapling */
768 /* Add the server cert's signing chain as the one
769 for the verification of the OCSP stapled information. */
770
771 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
772 cert))
773 ERR_clear_error();
774 sk_X509_push(client_static_cbinfo->verify_stack, cert);
775 }
776#endif
777 }
f2f2c91b
JH
778else
779 {
780 int err = X509_STORE_CTX_get_error(x509ctx);
781 DEBUG(D_tls)
782 debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
3c51463e 783 if (err == X509_V_ERR_APPLICATION_VERIFICATION)
f2f2c91b
JH
784 preverify_ok = 1;
785 }
786return preverify_ok;
e5cccda9 787}
53a7196b 788
c0635b6d 789#endif /*SUPPORT_DANE*/
e5cccda9 790
059ec3d9
PH
791
792/*************************************************
793* Information callback *
794*************************************************/
795
796/* The SSL library functions call this from time to time to indicate what they
7be682ca
PP
797are doing. We copy the string to the debugging output when TLS debugging has
798been requested.
059ec3d9
PH
799
800Arguments:
801 s the SSL connection
802 where
803 ret
804
805Returns: nothing
806*/
807
808static void
809info_callback(SSL *s, int where, int ret)
810{
0abc5a13
JH
811DEBUG(D_tls)
812 {
813 const uschar * str;
814
815 if (where & SSL_ST_CONNECT)
48224640 816 str = US"SSL_connect";
0abc5a13 817 else if (where & SSL_ST_ACCEPT)
48224640 818 str = US"SSL_accept";
0abc5a13 819 else
48224640 820 str = US"SSL info (undefined)";
0abc5a13
JH
821
822 if (where & SSL_CB_LOOP)
823 debug_printf("%s: %s\n", str, SSL_state_string_long(s));
824 else if (where & SSL_CB_ALERT)
825 debug_printf("SSL3 alert %s:%s:%s\n",
48224640 826 str = where & SSL_CB_READ ? US"read" : US"write",
0abc5a13
JH
827 SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
828 else if (where & SSL_CB_EXIT)
829 if (ret == 0)
830 debug_printf("%s: failed in %s\n", str, SSL_state_string_long(s));
831 else if (ret < 0)
832 debug_printf("%s: error in %s\n", str, SSL_state_string_long(s));
833 else if (where & SSL_CB_HANDSHAKE_START)
834 debug_printf("%s: hshake start: %s\n", str, SSL_state_string_long(s));
835 else if (where & SSL_CB_HANDSHAKE_DONE)
836 debug_printf("%s: hshake done: %s\n", str, SSL_state_string_long(s));
837 }
059ec3d9
PH
838}
839
8238bc7b 840#ifdef OPENSSL_HAVE_KEYLOG_CB
8a40db1c
JH
841static void
842keylog_callback(const SSL *ssl, const char *line)
843{
2e5d9e71
JH
844char * filename;
845FILE * fp;
8a40db1c 846DEBUG(D_tls) debug_printf("%.200s\n", line);
2e5d9e71
JH
847if (!(filename = getenv("SSLKEYLOGFILE"))) return;
848if (!(fp = fopen(filename, "a"))) return;
849fprintf(fp, "%s\n", line);
850fclose(fp);
8a40db1c 851}
8238bc7b 852#endif
8a40db1c 853
059ec3d9 854
b10c87b3
JH
855#ifdef EXPERIMENTAL_TLS_RESUME
856/* Manage the keysets used for encrypting the session tickets, on the server. */
857
858typedef struct { /* Session ticket encryption key */
859 uschar name[16];
860
861 const EVP_CIPHER * aes_cipher;
4d93129f 862 uschar aes_key[32]; /* size needed depends on cipher. aes_128 implies 128/8 = 16? */
b10c87b3
JH
863 const EVP_MD * hmac_hash;
864 uschar hmac_key[16];
865 time_t renew;
866 time_t expire;
867} exim_stek;
868
4d93129f
JH
869static exim_stek exim_tk; /* current key */
870static exim_stek exim_tk_old; /* previous key */
b10c87b3
JH
871
872static void
873tk_init(void)
874{
4d93129f
JH
875time_t t = time(NULL);
876
b10c87b3
JH
877if (exim_tk.name[0])
878 {
4d93129f 879 if (exim_tk.renew >= t) return;
b10c87b3
JH
880 exim_tk_old = exim_tk;
881 }
882
883if (f.running_in_test_harness) ssl_session_timeout = 6;
884
885DEBUG(D_tls) debug_printf("OpenSSL: %s STEK\n", exim_tk.name[0] ? "rotating" : "creating");
886if (RAND_bytes(exim_tk.aes_key, sizeof(exim_tk.aes_key)) <= 0) return;
887if (RAND_bytes(exim_tk.hmac_key, sizeof(exim_tk.hmac_key)) <= 0) return;
888if (RAND_bytes(exim_tk.name+1, sizeof(exim_tk.name)-1) <= 0) return;
889
890exim_tk.name[0] = 'E';
4d93129f 891exim_tk.aes_cipher = EVP_aes_256_cbc();
b10c87b3 892exim_tk.hmac_hash = EVP_sha256();
4d93129f
JH
893exim_tk.expire = t + ssl_session_timeout;
894exim_tk.renew = t + ssl_session_timeout/2;
b10c87b3
JH
895}
896
897static exim_stek *
898tk_current(void)
899{
900if (!exim_tk.name[0]) return NULL;
901return &exim_tk;
902}
903
904static exim_stek *
905tk_find(const uschar * name)
906{
907return memcmp(name, exim_tk.name, sizeof(exim_tk.name)) == 0 ? &exim_tk
908 : memcmp(name, exim_tk_old.name, sizeof(exim_tk_old.name)) == 0 ? &exim_tk_old
909 : NULL;
910}
911
912/* Callback for session tickets, on server */
913static int
914ticket_key_callback(SSL * ssl, uschar key_name[16],
915 uschar * iv, EVP_CIPHER_CTX * ctx, HMAC_CTX * hctx, int enc)
916{
917tls_support * tlsp = server_static_cbinfo->tlsp;
918exim_stek * key;
919
920if (enc)
921 {
922 DEBUG(D_tls) debug_printf("ticket_key_callback: create new session\n");
923 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
924
925 if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) <= 0)
926 return -1; /* insufficient random */
927
928 if (!(key = tk_current())) /* current key doesn't exist or isn't valid */
929 return 0; /* key couldn't be created */
930 memcpy(key_name, key->name, 16);
d70fc283 931 DEBUG(D_tls) debug_printf("STEK expire " TIME_T_FMT "\n", key->expire - time(NULL));
b10c87b3
JH
932
933 /*XXX will want these dependent on the ssl session strength */
934 HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
935 key->hmac_hash, NULL);
936 EVP_EncryptInit_ex(ctx, key->aes_cipher, NULL, key->aes_key, iv);
937
938 DEBUG(D_tls) debug_printf("ticket created\n");
939 return 1;
940 }
941else
942 {
943 time_t now = time(NULL);
944
945 DEBUG(D_tls) debug_printf("ticket_key_callback: retrieve session\n");
946 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
947
948 if (!(key = tk_find(key_name)) || key->expire < now)
949 {
950 DEBUG(D_tls)
951 {
952 debug_printf("ticket not usable (%s)\n", key ? "expired" : "not found");
d70fc283 953 if (key) debug_printf("STEK expire " TIME_T_FMT "\n", key->expire - now);
b10c87b3
JH
954 }
955 return 0;
956 }
957
958 HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
959 key->hmac_hash, NULL);
960 EVP_DecryptInit_ex(ctx, key->aes_cipher, NULL, key->aes_key, iv);
961
d70fc283 962 DEBUG(D_tls) debug_printf("ticket usable, STEK expire " TIME_T_FMT "\n", key->expire - now);
dea4b568
JH
963
964 /* The ticket lifetime and renewal are the same as the STEK lifetime and
965 renewal, which is overenthusiastic. A factor of, say, 3x longer STEK would
966 be better. To do that we'd have to encode ticket lifetime in the name as
967 we don't yet see the restored session. Could check posthandshake for TLS1.3
968 and trigger a new ticket then, but cannot do that for TLS1.2 */
b10c87b3
JH
969 return key->renew < now ? 2 : 1;
970 }
971}
972#endif
973
974
059ec3d9
PH
975
976/*************************************************
977* Initialize for DH *
978*************************************************/
979
980/* If dhparam is set, expand it, and load up the parameters for DH encryption.
981
982Arguments:
038597d2 983 sctx The current SSL CTX (inbound or outbound)
a799883d 984 dhparam DH parameter file or fixed parameter identity string
7199e1ee 985 host connected host, if client; NULL if server
cf0c6164 986 errstr error string pointer
059ec3d9
PH
987
988Returns: TRUE if OK (nothing to set up, or setup worked)
989*/
990
991static BOOL
cf0c6164 992init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host, uschar ** errstr)
059ec3d9 993{
059ec3d9
PH
994BIO *bio;
995DH *dh;
996uschar *dhexpanded;
a799883d 997const char *pem;
6600985a 998int dh_bitsize;
059ec3d9 999
cf0c6164 1000if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded, errstr))
059ec3d9
PH
1001 return FALSE;
1002
0df4ab80 1003if (!dhexpanded || !*dhexpanded)
a799883d 1004 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
a799883d 1005else if (dhexpanded[0] == '/')
059ec3d9 1006 {
0df4ab80 1007 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
059ec3d9 1008 {
7199e1ee 1009 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
cf0c6164 1010 host, US strerror(errno), errstr);
a799883d 1011 return FALSE;
059ec3d9 1012 }
a799883d
PP
1013 }
1014else
1015 {
1016 if (Ustrcmp(dhexpanded, "none") == 0)
059ec3d9 1017 {
a799883d
PP
1018 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
1019 return TRUE;
059ec3d9 1020 }
a799883d 1021
0df4ab80 1022 if (!(pem = std_dh_prime_named(dhexpanded)))
a799883d
PP
1023 {
1024 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
cf0c6164 1025 host, US strerror(errno), errstr);
a799883d
PP
1026 return FALSE;
1027 }
1028 bio = BIO_new_mem_buf(CS pem, -1);
1029 }
1030
0df4ab80 1031if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
a799883d 1032 {
059ec3d9 1033 BIO_free(bio);
a799883d 1034 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
cf0c6164 1035 host, NULL, errstr);
a799883d
PP
1036 return FALSE;
1037 }
1038
6600985a
PP
1039/* note: our default limit of 2236 is not a multiple of 8; the limit comes from
1040 * an NSS limit, and the GnuTLS APIs handle bit-sizes fine, so we went with
1041 * 2236. But older OpenSSL can only report in bytes (octets), not bits.
1042 * If someone wants to dance at the edge, then they can raise the limit or use
1043 * current libraries. */
1044#ifdef EXIM_HAVE_OPENSSL_DH_BITS
1045/* Added in commit 26c79d5641d; `git describe --contains` says OpenSSL_1_1_0-pre1~1022
1046 * This predates OpenSSL_1_1_0 (before a, b, ...) so is in all 1.1.0 */
1047dh_bitsize = DH_bits(dh);
1048#else
1049dh_bitsize = 8 * DH_size(dh);
1050#endif
1051
a799883d
PP
1052/* Even if it is larger, we silently return success rather than cause things
1053 * to fail out, so that a too-large DH will not knock out all TLS; it's a
1054 * debatable choice. */
6600985a 1055if (dh_bitsize > tls_dh_max_bits)
a799883d
PP
1056 {
1057 DEBUG(D_tls)
170f4904 1058 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d\n",
6600985a 1059 dh_bitsize, tls_dh_max_bits);
a799883d
PP
1060 }
1061else
1062 {
1063 SSL_CTX_set_tmp_dh(sctx, dh);
1064 DEBUG(D_tls)
1065 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
6600985a 1066 dhexpanded ? dhexpanded : US"default", dh_bitsize);
059ec3d9
PH
1067 }
1068
a799883d
PP
1069DH_free(dh);
1070BIO_free(bio);
1071
1072return TRUE;
059ec3d9
PH
1073}
1074
1075
1076
1077
038597d2
PP
1078/*************************************************
1079* Initialize for ECDH *
1080*************************************************/
1081
1082/* Load parameters for ECDH encryption.
1083
1084For now, we stick to NIST P-256 because: it's simple and easy to configure;
1085it avoids any patent issues that might bite redistributors; despite events in
1086the news and concerns over curve choices, we're not cryptographers, we're not
1087pretending to be, and this is "good enough" to be better than no support,
1088protecting against most adversaries. Given another year or two, there might
1089be sufficient clarity about a "right" way forward to let us make an informed
1090decision, instead of a knee-jerk reaction.
1091
1092Longer-term, we should look at supporting both various named curves and
1093external files generated with "openssl ecparam", much as we do for init_dh().
1094We should also support "none" as a value, to explicitly avoid initialisation.
1095
1096Patches welcome.
1097
1098Arguments:
1099 sctx The current SSL CTX (inbound or outbound)
1100 host connected host, if client; NULL if server
cf0c6164 1101 errstr error string pointer
038597d2
PP
1102
1103Returns: TRUE if OK (nothing to set up, or setup worked)
1104*/
1105
1106static BOOL
cf0c6164 1107init_ecdh(SSL_CTX * sctx, host_item * host, uschar ** errstr)
038597d2 1108{
63f0dbe0
JH
1109#ifdef OPENSSL_NO_ECDH
1110return TRUE;
1111#else
1112
10ca4f1c
JH
1113EC_KEY * ecdh;
1114uschar * exp_curve;
1115int nid;
1116BOOL rv;
1117
038597d2
PP
1118if (host) /* No ECDH setup for clients, only for servers */
1119 return TRUE;
1120
10ca4f1c 1121# ifndef EXIM_HAVE_ECDH
038597d2
PP
1122DEBUG(D_tls)
1123 debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
1124return TRUE;
038597d2 1125# else
10ca4f1c 1126
cf0c6164 1127if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr))
10ca4f1c
JH
1128 return FALSE;
1129if (!exp_curve || !*exp_curve)
1130 return TRUE;
1131
8e53a4fc 1132/* "auto" needs to be handled carefully.
4c04137d 1133 * OpenSSL < 1.0.2: we do not select anything, but fallback to prime256v1
8e53a4fc 1134 * OpenSSL < 1.1.0: we have to call SSL_CTX_set_ecdh_auto
4c04137d 1135 * (openssl/ssl.h defines SSL_CTRL_SET_ECDH_AUTO)
8e53a4fc
HSHR
1136 * OpenSSL >= 1.1.0: we do not set anything, the libray does autoselection
1137 * https://github.com/openssl/openssl/commit/fe6ef2472db933f01b59cad82aa925736935984b
1138 */
10ca4f1c 1139if (Ustrcmp(exp_curve, "auto") == 0)
038597d2 1140 {
8e53a4fc 1141#if OPENSSL_VERSION_NUMBER < 0x10002000L
10ca4f1c 1142 DEBUG(D_tls) debug_printf(
8e53a4fc 1143 "ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n");
78a3bbd5 1144 exp_curve = US"prime256v1";
8e53a4fc
HSHR
1145#else
1146# if defined SSL_CTRL_SET_ECDH_AUTO
1147 DEBUG(D_tls) debug_printf(
1148 "ECDH OpenSSL 1.0.2+ temp key parameter settings: autoselection\n");
10ca4f1c
JH
1149 SSL_CTX_set_ecdh_auto(sctx, 1);
1150 return TRUE;
8e53a4fc
HSHR
1151# else
1152 DEBUG(D_tls) debug_printf(
1153 "ECDH OpenSSL 1.1.0+ temp key parameter settings: default selection\n");
1154 return TRUE;
1155# endif
1156#endif
10ca4f1c 1157 }
038597d2 1158
10ca4f1c
JH
1159DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve);
1160if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef
1161# ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
1162 && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef
1163# endif
1164 )
1165 {
cf0c6164
JH
1166 tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve),
1167 host, NULL, errstr);
10ca4f1c
JH
1168 return FALSE;
1169 }
038597d2 1170
10ca4f1c
JH
1171if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
1172 {
cf0c6164 1173 tls_error(US"Unable to create ec curve", host, NULL, errstr);
10ca4f1c 1174 return FALSE;
038597d2 1175 }
10ca4f1c
JH
1176
1177/* The "tmp" in the name here refers to setting a temporary key
1178not to the stability of the interface. */
1179
1180if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
cf0c6164 1181 tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL, errstr);
10ca4f1c
JH
1182else
1183 DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
1184
1185EC_KEY_free(ecdh);
1186return !rv;
1187
1188# endif /*EXIM_HAVE_ECDH*/
1189#endif /*OPENSSL_NO_ECDH*/
038597d2
PP
1190}
1191
1192
1193
1194
f2de3a33 1195#ifndef DISABLE_OCSP
3f7eeb86
PP
1196/*************************************************
1197* Load OCSP information into state *
1198*************************************************/
f5d78688 1199/* Called to load the server OCSP response from the given file into memory, once
3f7eeb86
PP
1200caller has determined this is needed. Checks validity. Debugs a message
1201if invalid.
1202
1203ASSUMES: single response, for single cert.
1204
1205Arguments:
1206 sctx the SSL_CTX* to update
1207 cbinfo various parts of session state
5b2fd993 1208 filename the filename putatively holding an OCSP response
3f7eeb86
PP
1209
1210*/
1211
1212static void
5b2fd993
JH
1213ocsp_load_response(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo,
1214 const uschar * filename)
3f7eeb86 1215{
ee5b1e28
JH
1216BIO * bio;
1217OCSP_RESPONSE * resp;
1218OCSP_BASICRESP * basic_response;
1219OCSP_SINGLERESP * single_response;
1220ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
ee5b1e28 1221STACK_OF(X509) * sk;
3f7eeb86
PP
1222unsigned long verify_flags;
1223int status, reason, i;
1224
5b2fd993 1225DEBUG(D_tls) debug_printf("tls_ocsp_file '%s'\n", filename);
3f7eeb86 1226
5b2fd993 1227if (!(bio = BIO_new_file(CS filename, "rb")))
3f7eeb86
PP
1228 {
1229 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
5b2fd993 1230 filename);
3f7eeb86
PP
1231 return;
1232 }
1233
1234resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
1235BIO_free(bio);
1236if (!resp)
1237 {
1238 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
1239 return;
1240 }
1241
ee5b1e28 1242if ((status = OCSP_response_status(resp)) != OCSP_RESPONSE_STATUS_SUCCESSFUL)
3f7eeb86
PP
1243 {
1244 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
1245 OCSP_response_status_str(status), status);
f5d78688 1246 goto bad;
3f7eeb86
PP
1247 }
1248
5b2fd993
JH
1249#ifdef notdef
1250 {
1251 BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
1252 OCSP_RESPONSE_print(bp, resp, 0); /* extreme debug: stapling content */
1253 BIO_free(bp);
1254 }
1255#endif
1256
ee5b1e28 1257if (!(basic_response = OCSP_response_get1_basic(resp)))
3f7eeb86
PP
1258 {
1259 DEBUG(D_tls)
1260 debug_printf("OCSP response parse error: unable to extract basic response.\n");
f5d78688 1261 goto bad;
3f7eeb86
PP
1262 }
1263
c3033f13 1264sk = cbinfo->verify_stack;
3f7eeb86
PP
1265verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
1266
1267/* May need to expose ability to adjust those flags?
1268OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
1269OCSP_TRUSTOTHER OCSP_NOINTERN */
1270
4c04137d 1271/* This does a full verify on the OCSP proof before we load it for serving
ee5b1e28
JH
1272up; possibly overkill - just date-checks might be nice enough.
1273
1274OCSP_basic_verify takes a "store" arg, but does not
1275use it for the chain verification, which is all we do
1276when OCSP_NOVERIFY is set. The content from the wire
1277"basic_response" and a cert-stack "sk" are all that is used.
1278
c3033f13
JH
1279We have a stack, loaded in setup_certs() if tls_verify_certificates
1280was a file (not a directory, or "system"). It is unfortunate we
1281cannot used the connection context store, as that would neatly
1282handle the "system" case too, but there seems to be no library
1283function for getting a stack from a store.
e3555426 1284[ In OpenSSL 1.1 - ? X509_STORE_CTX_get0_chain(ctx) ? ]
c3033f13
JH
1285We do not free the stack since it could be needed a second time for
1286SNI handling.
1287
4c04137d 1288Separately we might try to replace using OCSP_basic_verify() - which seems to not
5ec37a55 1289be a public interface into the OpenSSL library (there's no manual entry) -
ee5b1e28 1290But what with? We also use OCSP_basic_verify in the client stapling callback.
4c04137d 1291And there we NEED it; we must verify that status... unless the
ee5b1e28
JH
1292library does it for us anyway? */
1293
1294if ((i = OCSP_basic_verify(basic_response, sk, NULL, verify_flags)) < 0)
3f7eeb86 1295 {
ee5b1e28
JH
1296 DEBUG(D_tls)
1297 {
0abc5a13 1298 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3f7eeb86 1299 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
f5d78688
JH
1300 }
1301 goto bad;
3f7eeb86
PP
1302 }
1303
1304/* Here's the simplifying assumption: there's only one response, for the
1305one certificate we use, and nothing for anything else in a chain. If this
1306proves false, we need to extract a cert id from our issued cert
1307(tls_certificate) and use that for OCSP_resp_find_status() (which finds the
1308right cert in the stack and then calls OCSP_single_get0_status()).
1309
5b2fd993
JH
1310I'm hoping to avoid reworking a bunch more of how we handle state here.
1311
1312XXX that will change when we add support for (TLS1.3) whole-chain stapling
1313*/
ee5b1e28
JH
1314
1315if (!(single_response = OCSP_resp_get0(basic_response, 0)))
3f7eeb86
PP
1316 {
1317 DEBUG(D_tls)
1318 debug_printf("Unable to get first response from OCSP basic response.\n");
f5d78688 1319 goto bad;
3f7eeb86
PP
1320 }
1321
1322status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
f5d78688 1323if (status != V_OCSP_CERTSTATUS_GOOD)
3f7eeb86 1324 {
f5d78688
JH
1325 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
1326 OCSP_cert_status_str(status), status,
1327 OCSP_crl_reason_str(reason), reason);
1328 goto bad;
3f7eeb86
PP
1329 }
1330
1331if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1332 {
1333 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
f5d78688 1334 goto bad;
3f7eeb86
PP
1335 }
1336
f5d78688 1337supply_response:
5b2fd993
JH
1338 /* Add the resp to the list used by tls_server_stapling_cb() */
1339 {
1340 ocsp_resplist ** op = &cbinfo->u_ocsp.server.olist, * oentry;
1341 while (oentry = *op)
1342 op = &oentry->next;
1343 *op = oentry = store_get(sizeof(ocsp_resplist), FALSE);
1344 oentry->next = NULL;
1345 oentry->resp = resp;
1346 }
f5d78688
JH
1347return;
1348
1349bad:
8768d548 1350 if (f.running_in_test_harness)
018058b2
JH
1351 {
1352 extern char ** environ;
d7978c0f 1353 if (environ) for (uschar ** p = USS environ; *p; p++)
018058b2
JH
1354 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
1355 {
1356 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
1357 goto supply_response;
1358 }
1359 }
f5d78688 1360return;
3f7eeb86 1361}
5b2fd993
JH
1362
1363
1364static void
1365ocsp_free_response_list(tls_ext_ctx_cb * cbinfo)
1366{
1367for (ocsp_resplist * olist = cbinfo->u_ocsp.server.olist; olist;
1368 olist = olist->next)
1369 OCSP_RESPONSE_free(olist->resp);
1370cbinfo->u_ocsp.server.olist = NULL;
1371}
f2de3a33 1372#endif /*!DISABLE_OCSP*/
3f7eeb86
PP
1373
1374
1375
1376
23bb6982
JH
1377/* Create and install a selfsigned certificate, for use in server mode */
1378
1379static int
cf0c6164 1380tls_install_selfsign(SSL_CTX * sctx, uschar ** errstr)
23bb6982
JH
1381{
1382X509 * x509 = NULL;
1383EVP_PKEY * pkey;
1384RSA * rsa;
1385X509_NAME * name;
1386uschar * where;
1387
1388where = US"allocating pkey";
1389if (!(pkey = EVP_PKEY_new()))
1390 goto err;
1391
1392where = US"allocating cert";
1393if (!(x509 = X509_new()))
1394 goto err;
1395
1396where = US"generating pkey";
6aac3239 1397if (!(rsa = rsa_callback(NULL, 0, 2048)))
23bb6982
JH
1398 goto err;
1399
4c04137d 1400where = US"assigning pkey";
23bb6982
JH
1401if (!EVP_PKEY_assign_RSA(pkey, rsa))
1402 goto err;
1403
1404X509_set_version(x509, 2); /* N+1 - version 3 */
1613fd68 1405ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
23bb6982
JH
1406X509_gmtime_adj(X509_get_notBefore(x509), 0);
1407X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60); /* 1 hour */
1408X509_set_pubkey(x509, pkey);
1409
1410name = X509_get_subject_name(x509);
1411X509_NAME_add_entry_by_txt(name, "C",
4dc2379a 1412 MBSTRING_ASC, CUS "UK", -1, -1, 0);
23bb6982 1413X509_NAME_add_entry_by_txt(name, "O",
4dc2379a 1414 MBSTRING_ASC, CUS "Exim Developers", -1, -1, 0);
23bb6982 1415X509_NAME_add_entry_by_txt(name, "CN",
4dc2379a 1416 MBSTRING_ASC, CUS smtp_active_hostname, -1, -1, 0);
23bb6982
JH
1417X509_set_issuer_name(x509, name);
1418
1419where = US"signing cert";
1420if (!X509_sign(x509, pkey, EVP_md5()))
1421 goto err;
1422
1423where = US"installing selfsign cert";
1424if (!SSL_CTX_use_certificate(sctx, x509))
1425 goto err;
1426
1427where = US"installing selfsign key";
1428if (!SSL_CTX_use_PrivateKey(sctx, pkey))
1429 goto err;
1430
1431return OK;
1432
1433err:
cf0c6164 1434 (void) tls_error(where, NULL, NULL, errstr);
23bb6982
JH
1435 if (x509) X509_free(x509);
1436 if (pkey) EVP_PKEY_free(pkey);
1437 return DEFER;
1438}
1439
1440
1441
1442
ba86e143
JH
1443static int
1444tls_add_certfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1445 uschar ** errstr)
1446{
5b2fd993 1447DEBUG(D_tls) debug_printf("tls_certificate file '%s'\n", file);
ba86e143
JH
1448if (!SSL_CTX_use_certificate_chain_file(sctx, CS file))
1449 return tls_error(string_sprintf(
1450 "SSL_CTX_use_certificate_chain_file file=%s", file),
1451 cbinfo->host, NULL, errstr);
1452return 0;
1453}
1454
1455static int
1456tls_add_pkeyfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1457 uschar ** errstr)
1458{
5b2fd993 1459DEBUG(D_tls) debug_printf("tls_privatekey file '%s'\n", file);
ba86e143
JH
1460if (!SSL_CTX_use_PrivateKey_file(sctx, CS file, SSL_FILETYPE_PEM))
1461 return tls_error(string_sprintf(
1462 "SSL_CTX_use_PrivateKey_file file=%s", file), cbinfo->host, NULL, errstr);
1463return 0;
1464}
1465
1466
059ec3d9 1467/*************************************************
7be682ca
PP
1468* Expand key and cert file specs *
1469*************************************************/
1470
f5d78688 1471/* Called once during tls_init and possibly again during TLS setup, for a
7be682ca
PP
1472new context, if Server Name Indication was used and tls_sni was seen in
1473the certificate string.
1474
1475Arguments:
1476 sctx the SSL_CTX* to update
1477 cbinfo various parts of session state
cf0c6164 1478 errstr error string pointer
7be682ca
PP
1479
1480Returns: OK/DEFER/FAIL
1481*/
1482
1483static int
5b2fd993 1484tls_expand_session_files(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo,
cf0c6164 1485 uschar ** errstr)
7be682ca 1486{
5b2fd993 1487uschar * expanded;
7be682ca 1488
23bb6982 1489if (!cbinfo->certificate)
7be682ca 1490 {
ba86e143 1491 if (!cbinfo->is_server) /* client */
23bb6982 1492 return OK;
afdb5e9c 1493 /* server */
cf0c6164 1494 if (tls_install_selfsign(sctx, errstr) != OK)
23bb6982 1495 return DEFER;
7be682ca 1496 }
23bb6982
JH
1497else
1498 {
ba86e143
JH
1499 int err;
1500
5b2fd993
JH
1501 if ( !reexpand_tls_files_for_sni
1502 && ( Ustrstr(cbinfo->certificate, US"tls_sni")
1503 || Ustrstr(cbinfo->certificate, US"tls_in_sni")
1504 || Ustrstr(cbinfo->certificate, US"tls_out_sni")
1505 ) )
23bb6982 1506 reexpand_tls_files_for_sni = TRUE;
7be682ca 1507
cf0c6164 1508 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded, errstr))
23bb6982
JH
1509 return DEFER;
1510
ba86e143
JH
1511 if (expanded)
1512 if (cbinfo->is_server)
1513 {
1514 const uschar * file_list = expanded;
1515 int sep = 0;
1516 uschar * file;
5b2fd993
JH
1517#ifndef DISABLE_OCSP
1518 const uschar * olist = cbinfo->u_ocsp.server.file;
1519 int osep = 0;
1520 uschar * ofile;
1521
1522 if (olist)
1523 if (!expand_check(olist, US"tls_ocsp_file", USS &olist, errstr))
1524 return DEFER;
1525 if (olist && !*olist)
1526 olist = NULL;
1527
1528 if ( cbinfo->u_ocsp.server.file_expanded && olist
1529 && (Ustrcmp(olist, cbinfo->u_ocsp.server.file_expanded) == 0))
1530 {
1531 DEBUG(D_tls) debug_printf(" - value unchanged, using existing values\n");
1532 olist = NULL;
1533 }
1534 else
1535 {
1536 ocsp_free_response_list(cbinfo);
1537 cbinfo->u_ocsp.server.file_expanded = olist;
1538 }
1539#endif
ba86e143
JH
1540
1541 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
5b2fd993 1542 {
ba86e143
JH
1543 if ((err = tls_add_certfile(sctx, cbinfo, file, errstr)))
1544 return err;
5b2fd993
JH
1545
1546#ifndef DISABLE_OCSP
1547 if (olist)
1548 if ((ofile = string_nextinlist(&olist, &osep, NULL, 0)))
1549 ocsp_load_response(sctx, cbinfo, ofile);
1550 else
1551 DEBUG(D_tls) debug_printf("ran out of ocsp file list\n");
1552#endif
1553 }
ba86e143
JH
1554 }
1555 else /* would there ever be a need for multiple client certs? */
1556 if ((err = tls_add_certfile(sctx, cbinfo, expanded, errstr)))
1557 return err;
7be682ca 1558
5a2a0989
JH
1559 if ( cbinfo->privatekey
1560 && !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded, errstr))
23bb6982 1561 return DEFER;
7be682ca 1562
23bb6982
JH
1563 /* If expansion was forced to fail, key_expanded will be NULL. If the result
1564 of the expansion is an empty string, ignore it also, and assume the private
1565 key is in the same file as the certificate. */
1566
1567 if (expanded && *expanded)
ba86e143
JH
1568 if (cbinfo->is_server)
1569 {
1570 const uschar * file_list = expanded;
1571 int sep = 0;
1572 uschar * file;
1573
1574 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1575 if ((err = tls_add_pkeyfile(sctx, cbinfo, file, errstr)))
1576 return err;
1577 }
1578 else /* would there ever be a need for multiple client certs? */
1579 if ((err = tls_add_pkeyfile(sctx, cbinfo, expanded, errstr)))
1580 return err;
7be682ca
PP
1581 }
1582
1583return OK;
1584}
1585
1586
1587
1588
1589/*************************************************
1590* Callback to handle SNI *
1591*************************************************/
1592
1593/* Called when acting as server during the TLS session setup if a Server Name
1594Indication extension was sent by the client.
1595
1596API documentation is OpenSSL s_server.c implementation.
1597
1598Arguments:
1599 s SSL* of the current session
1600 ad unknown (part of OpenSSL API) (unused)
1601 arg Callback of "our" registered data
1602
1603Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
b10c87b3
JH
1604
1605XXX might need to change to using ClientHello callback,
1606per https://www.openssl.org/docs/manmaster/man3/SSL_client_hello_cb_fn.html
7be682ca
PP
1607*/
1608
3bcbbbe2 1609#ifdef EXIM_HAVE_OPENSSL_TLSEXT
7be682ca 1610static int
7be682ca
PP
1611tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
1612{
1613const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
3f7eeb86 1614tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
7be682ca 1615int rc;
3f0945ff 1616int old_pool = store_pool;
cf0c6164 1617uschar * dummy_errstr;
7be682ca
PP
1618
1619if (!servername)
1620 return SSL_TLSEXT_ERR_OK;
1621
3f0945ff 1622DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
7be682ca
PP
1623 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
1624
1625/* Make the extension value available for expansion */
3f0945ff 1626store_pool = POOL_PERM;
89a80675 1627tls_in.sni = string_copy_taint(US servername, TRUE);
3f0945ff 1628store_pool = old_pool;
7be682ca
PP
1629
1630if (!reexpand_tls_files_for_sni)
1631 return SSL_TLSEXT_ERR_OK;
1632
1633/* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
1634not confident that memcpy wouldn't break some internal reference counting.
1635Especially since there's a references struct member, which would be off. */
1636
7a8b9519
JH
1637#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1638if (!(server_sni = SSL_CTX_new(TLS_server_method())))
1639#else
0df4ab80 1640if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
7a8b9519 1641#endif
7be682ca 1642 {
0abc5a13 1643 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
7be682ca 1644 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
5a2a0989 1645 goto bad;
7be682ca
PP
1646 }
1647
1648/* Not sure how many of these are actually needed, since SSL object
1649already exists. Might even need this selfsame callback, for reneg? */
1650
817d9f57
JH
1651SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
1652SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
1653SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
1654SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
1655SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
1656SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
038597d2 1657
cf0c6164
JH
1658if ( !init_dh(server_sni, cbinfo->dhparam, NULL, &dummy_errstr)
1659 || !init_ecdh(server_sni, NULL, &dummy_errstr)
038597d2 1660 )
5a2a0989 1661 goto bad;
038597d2 1662
ca954d7f
JH
1663if ( cbinfo->server_cipher_list
1664 && !SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list))
5a2a0989 1665 goto bad;
ca954d7f 1666
f2de3a33 1667#ifndef DISABLE_OCSP
f5d78688 1668if (cbinfo->u_ocsp.server.file)
3f7eeb86 1669 {
f5d78688 1670 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
14c7b357 1671 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
3f7eeb86
PP
1672 }
1673#endif
7be682ca 1674
c3033f13 1675if ((rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE,
cf0c6164 1676 verify_callback_server, &dummy_errstr)) != OK)
5a2a0989 1677 goto bad;
7be682ca 1678
3f7eeb86
PP
1679/* do this after setup_certs, because this can require the certs for verifying
1680OCSP information. */
cf0c6164 1681if ((rc = tls_expand_session_files(server_sni, cbinfo, &dummy_errstr)) != OK)
5a2a0989 1682 goto bad;
a799883d 1683
7be682ca 1684DEBUG(D_tls) debug_printf("Switching SSL context.\n");
817d9f57 1685SSL_set_SSL_CTX(s, server_sni);
7be682ca 1686return SSL_TLSEXT_ERR_OK;
5a2a0989
JH
1687
1688bad: return SSL_TLSEXT_ERR_ALERT_FATAL;
7be682ca 1689}
3bcbbbe2 1690#endif /* EXIM_HAVE_OPENSSL_TLSEXT */
7be682ca
PP
1691
1692
1693
1694
f2de3a33 1695#ifndef DISABLE_OCSP
f5d78688 1696
3f7eeb86
PP
1697/*************************************************
1698* Callback to handle OCSP Stapling *
1699*************************************************/
1700
1701/* Called when acting as server during the TLS session setup if the client
1702requests OCSP information with a Certificate Status Request.
1703
1704Documentation via openssl s_server.c and the Apache patch from the OpenSSL
1705project.
1706
1707*/
1708
1709static int
f5d78688 1710tls_server_stapling_cb(SSL *s, void *arg)
3f7eeb86 1711{
5b2fd993
JH
1712const tls_ext_ctx_cb * cbinfo = (tls_ext_ctx_cb *) arg;
1713ocsp_resplist * olist = cbinfo->u_ocsp.server.olist;
1714uschar * response_der; /*XXX blob */
3f7eeb86
PP
1715int response_der_len;
1716
af4a1bca 1717DEBUG(D_tls)
5b2fd993
JH
1718 debug_printf("Received TLS status request (OCSP stapling); %s response list\n",
1719 olist ? "have" : "lack");
f5d78688 1720
44662487 1721tls_in.ocsp = OCSP_NOT_RESP;
5b2fd993 1722if (!olist)
3f7eeb86
PP
1723 return SSL_TLSEXT_ERR_NOACK;
1724
012dd02e 1725#ifdef EXIM_HAVE_OPESSL_GET0_SERIAL
5b2fd993
JH
1726 {
1727 const X509 * cert_sent = SSL_get_certificate(s);
1728 const ASN1_INTEGER * cert_serial = X509_get0_serialNumber(cert_sent);
1729 const BIGNUM * cert_bn = ASN1_INTEGER_to_BN(cert_serial, NULL);
1730 const X509_NAME * cert_issuer = X509_get_issuer_name(cert_sent);
1731 uschar * chash;
1732 uint chash_len;
1733
1734 for (; olist; olist = olist->next)
1735 {
1736 OCSP_BASICRESP * bs = OCSP_response_get1_basic(olist->resp);
1737 const OCSP_SINGLERESP * single = OCSP_resp_get0(bs, 0);
1738 const OCSP_CERTID * cid = OCSP_SINGLERESP_get0_id(single);
1739 ASN1_INTEGER * res_cert_serial;
1740 const BIGNUM * resp_bn;
1741 ASN1_OCTET_STRING * res_cert_iNameHash;
1742
1743
1744 (void) OCSP_id_get0_info(&res_cert_iNameHash, NULL, NULL, &res_cert_serial,
1745 (OCSP_CERTID *) cid);
1746 resp_bn = ASN1_INTEGER_to_BN(res_cert_serial, NULL);
1747
1748 DEBUG(D_tls)
1749 {
1750 debug_printf("cert serial: %s\n", BN_bn2hex(cert_bn));
1751 debug_printf("resp serial: %s\n", BN_bn2hex(resp_bn));
1752 }
1753
1754 if (BN_cmp(cert_bn, resp_bn) == 0)
1755 {
1756 DEBUG(D_tls) debug_printf("matched serial for ocsp\n");
1757
1758 /*XXX TODO: check the rest of the list for duplicate matches.
1759 If any, need to also check the Issuer Name hash.
1760 Without this, we will provide the wrong status in the case of
1761 duplicate id. */
1762
1763 break;
1764 }
1765 DEBUG(D_tls) debug_printf("not match serial for ocsp\n");
1766 }
1767 if (!olist)
1768 {
1769 DEBUG(D_tls) debug_printf("failed to find match for ocsp\n");
1770 return SSL_TLSEXT_ERR_NOACK;
1771 }
1772 }
012dd02e
JH
1773#else
1774if (olist->next)
1775 {
1776 DEBUG(D_tls) debug_printf("OpenSSL version too early to support multi-leaf OCSP\n");
1777 return SSL_TLSEXT_ERR_NOACK;
1778 }
1779#endif
5b2fd993
JH
1780
1781/*XXX could we do the i2d earlier, rather than during the callback? */
3f7eeb86 1782response_der = NULL;
5b2fd993 1783response_der_len = i2d_OCSP_RESPONSE(olist->resp, &response_der);
3f7eeb86
PP
1784if (response_der_len <= 0)
1785 return SSL_TLSEXT_ERR_NOACK;
1786
5e55c7a9 1787SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
44662487 1788tls_in.ocsp = OCSP_VFIED;
3f7eeb86
PP
1789return SSL_TLSEXT_ERR_OK;
1790}
1791
3f7eeb86 1792
f5d78688
JH
1793static void
1794time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
1795{
1796BIO_printf(bp, "\t%s: ", str);
1797ASN1_GENERALIZEDTIME_print(bp, time);
1798BIO_puts(bp, "\n");
1799}
1800
1801static int
1802tls_client_stapling_cb(SSL *s, void *arg)
1803{
1804tls_ext_ctx_cb * cbinfo = arg;
1805const unsigned char * p;
1806int len;
1807OCSP_RESPONSE * rsp;
1808OCSP_BASICRESP * bs;
1809int i;
1810
1811DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
1812len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1813if(!p)
1814 {
44662487 1815 /* Expect this when we requested ocsp but got none */
6c6d6e48 1816 if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
44662487 1817 log_write(0, LOG_MAIN, "Received TLS status callback, null content");
f5d78688
JH
1818 else
1819 DEBUG(D_tls) debug_printf(" null\n");
44662487 1820 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
f5d78688 1821 }
018058b2 1822
c82de233
JH
1823if (!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
1824 {
1825 tls_out.ocsp = OCSP_FAILED; /*XXX should use tlsp-> to permit concurrent outbound */
6c6d6e48 1826 if (LOGGING(tls_cipher))
1eca31ca 1827 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
f5d78688
JH
1828 else
1829 DEBUG(D_tls) debug_printf(" parse error\n");
1830 return 0;
c82de233 1831 }
f5d78688 1832
c82de233 1833if (!(bs = OCSP_response_get1_basic(rsp)))
f5d78688 1834 {
018058b2 1835 tls_out.ocsp = OCSP_FAILED;
6c6d6e48 1836 if (LOGGING(tls_cipher))
1eca31ca 1837 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
f5d78688
JH
1838 else
1839 DEBUG(D_tls) debug_printf(" error parsing response\n");
1840 OCSP_RESPONSE_free(rsp);
1841 return 0;
1842 }
1843
1844/* We'd check the nonce here if we'd put one in the request. */
1845/* However that would defeat cacheability on the server so we don't. */
1846
f5d78688
JH
1847/* This section of code reworked from OpenSSL apps source;
1848 The OpenSSL Project retains copyright:
1849 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
1850*/
1851 {
1852 BIO * bp = NULL;
f5d78688
JH
1853 int status, reason;
1854 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1855
57887ecc 1856 DEBUG(D_tls) bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
f5d78688
JH
1857
1858 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
1859
1860 /* Use the chain that verified the server cert to verify the stapled info */
1861 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
1862
c3033f13 1863 if ((i = OCSP_basic_verify(bs, cbinfo->verify_stack,
44662487 1864 cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
f5d78688 1865 {
018058b2 1866 tls_out.ocsp = OCSP_FAILED;
57887ecc
JH
1867 if (LOGGING(tls_cipher)) log_write(0, LOG_MAIN,
1868 "Received TLS cert status response, itself unverifiable: %s",
1869 ERR_reason_error_string(ERR_peek_error()));
f5d78688
JH
1870 BIO_printf(bp, "OCSP response verify failure\n");
1871 ERR_print_errors(bp);
57887ecc 1872 OCSP_RESPONSE_print(bp, rsp, 0);
c8dfb21d 1873 goto failed;
f5d78688
JH
1874 }
1875
1876 BIO_printf(bp, "OCSP response well-formed and signed OK\n");
1877
c8dfb21d
JH
1878 /*XXX So we have a good stapled OCSP status. How do we know
1879 it is for the cert of interest? OpenSSL 1.1.0 has a routine
1880 OCSP_resp_find_status() which matches on a cert id, which presumably
1881 we should use. Making an id needs OCSP_cert_id_new(), which takes
1882 issuerName, issuerKey, serialNumber. Are they all in the cert?
1883
1884 For now, carry on blindly accepting the resp. */
1885
f5d78688 1886 {
f5d78688
JH
1887 OCSP_SINGLERESP * single;
1888
c8dfb21d
JH
1889#ifdef EXIM_HAVE_OCSP_RESP_COUNT
1890 if (OCSP_resp_count(bs) != 1)
1891#else
1892 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
f5d78688 1893 if (sk_OCSP_SINGLERESP_num(sresp) != 1)
c8dfb21d 1894#endif
f5d78688 1895 {
018058b2 1896 tls_out.ocsp = OCSP_FAILED;
44662487
JH
1897 log_write(0, LOG_MAIN, "OCSP stapling "
1898 "with multiple responses not handled");
c8dfb21d 1899 goto failed;
f5d78688
JH
1900 }
1901 single = OCSP_resp_get0(bs, 0);
44662487
JH
1902 status = OCSP_single_get0_status(single, &reason, &rev,
1903 &thisupd, &nextupd);
f5d78688
JH
1904 }
1905
f5d78688
JH
1906 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
1907 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
44662487
JH
1908 if (!OCSP_check_validity(thisupd, nextupd,
1909 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
f5d78688 1910 {
018058b2 1911 tls_out.ocsp = OCSP_FAILED;
f5d78688
JH
1912 DEBUG(D_tls) ERR_print_errors(bp);
1913 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
f5d78688 1914 }
44662487 1915 else
f5d78688 1916 {
44662487
JH
1917 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
1918 OCSP_cert_status_str(status));
1919 switch(status)
1920 {
1921 case V_OCSP_CERTSTATUS_GOOD:
44662487 1922 tls_out.ocsp = OCSP_VFIED;
018058b2 1923 i = 1;
c8dfb21d 1924 goto good;
44662487 1925 case V_OCSP_CERTSTATUS_REVOKED:
018058b2 1926 tls_out.ocsp = OCSP_FAILED;
44662487
JH
1927 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
1928 reason != -1 ? "; reason: " : "",
1929 reason != -1 ? OCSP_crl_reason_str(reason) : "");
1930 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
44662487
JH
1931 break;
1932 default:
018058b2 1933 tls_out.ocsp = OCSP_FAILED;
44662487
JH
1934 log_write(0, LOG_MAIN,
1935 "Server certificate status unknown, in OCSP stapling");
44662487
JH
1936 break;
1937 }
f5d78688 1938 }
c8dfb21d
JH
1939 failed:
1940 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1941 good:
f5d78688
JH
1942 BIO_free(bp);
1943 }
1944
1945OCSP_RESPONSE_free(rsp);
1946return i;
1947}
f2de3a33 1948#endif /*!DISABLE_OCSP*/
3f7eeb86
PP
1949
1950
7be682ca 1951/*************************************************
059ec3d9
PH
1952* Initialize for TLS *
1953*************************************************/
1954
b038d456
JH
1955static void
1956tls_openssl_init(void)
1957{
1958#ifdef EXIM_NEED_OPENSSL_INIT
1959SSL_load_error_strings(); /* basic set up */
1960OpenSSL_add_ssl_algorithms();
1961#endif
1962
1963#if defined(EXIM_HAVE_SHA256) && !defined(OPENSSL_AUTO_SHA256)
1964/* SHA256 is becoming ever more popular. This makes sure it gets added to the
1965list of available digests. */
1966EVP_add_digest(EVP_sha256());
1967#endif
1968}
1969
1970
1971
e51c7be2
JH
1972/* Called from both server and client code, to do preliminary initialization
1973of the library. We allocate and return a context structure.
059ec3d9
PH
1974
1975Arguments:
946ecbe0 1976 ctxp returned SSL context
059ec3d9
PH
1977 host connected host, if client; NULL if server
1978 dhparam DH parameter file
1979 certificate certificate file
1980 privatekey private key
f5d78688 1981 ocsp_file file of stapling info (server); flag for require ocsp (client)
059ec3d9 1982 addr address if client; NULL if server (for some randomness)
946ecbe0 1983 cbp place to put allocated callback context
cf0c6164 1984 errstr error string pointer
059ec3d9
PH
1985
1986Returns: OK/DEFER/FAIL
1987*/
1988
1989static int
817d9f57 1990tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
3f7eeb86 1991 uschar *privatekey,
f2de3a33 1992#ifndef DISABLE_OCSP
5b2fd993 1993 uschar *ocsp_file,
3f7eeb86 1994#endif
b10c87b3
JH
1995 address_item *addr, tls_ext_ctx_cb ** cbp,
1996 tls_support * tlsp,
1997 uschar ** errstr)
059ec3d9 1998{
7006ee24 1999SSL_CTX * ctx;
77bb000f 2000long init_options;
7be682ca 2001int rc;
a7538db1 2002tls_ext_ctx_cb * cbinfo;
7be682ca
PP
2003
2004cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
b10c87b3 2005cbinfo->tlsp = tlsp;
7be682ca
PP
2006cbinfo->certificate = certificate;
2007cbinfo->privatekey = privatekey;
a6510420 2008cbinfo->is_server = host==NULL;
f2de3a33 2009#ifndef DISABLE_OCSP
c3033f13 2010cbinfo->verify_stack = NULL;
a6510420 2011if (!host)
f5d78688
JH
2012 {
2013 cbinfo->u_ocsp.server.file = ocsp_file;
2014 cbinfo->u_ocsp.server.file_expanded = NULL;
5b2fd993 2015 cbinfo->u_ocsp.server.olist = NULL;
f5d78688
JH
2016 }
2017else
2018 cbinfo->u_ocsp.client.verify_store = NULL;
3f7eeb86 2019#endif
7be682ca 2020cbinfo->dhparam = dhparam;
0df4ab80 2021cbinfo->server_cipher_list = NULL;
7be682ca 2022cbinfo->host = host;
0cbf2b82 2023#ifndef DISABLE_EVENT
a7538db1
JH
2024cbinfo->event_action = NULL;
2025#endif
77bb000f 2026
b038d456 2027tls_openssl_init();
a0475b69 2028
f0f5a555
PP
2029/* Create a context.
2030The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
2031negotiation in the different methods; as far as I can tell, the only
2032*_{server,client}_method which allows negotiation is SSLv23, which exists even
2033when OpenSSL is built without SSLv2 support.
2034By disabling with openssl_options, we can let admins re-enable with the
2035existing knob. */
059ec3d9 2036
7a8b9519
JH
2037#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
2038if (!(ctx = SSL_CTX_new(host ? TLS_client_method() : TLS_server_method())))
2039#else
7006ee24 2040if (!(ctx = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method())))
7a8b9519 2041#endif
7006ee24 2042 return tls_error(US"SSL_CTX_new", host, NULL, errstr);
059ec3d9
PH
2043
2044/* It turns out that we need to seed the random number generator this early in
2045order to get the full complement of ciphers to work. It took me roughly a day
2046of work to discover this by experiment.
2047
2048On systems that have /dev/urandom, SSL may automatically seed itself from
2049there. Otherwise, we have to make something up as best we can. Double check
2050afterwards. */
2051
2052if (!RAND_status())
2053 {
2054 randstuff r;
9e3331ea 2055 gettimeofday(&r.tv, NULL);
059ec3d9
PH
2056 r.p = getpid();
2057
5903c6ff
JH
2058 RAND_seed(US (&r), sizeof(r));
2059 RAND_seed(US big_buffer, big_buffer_size);
2060 if (addr != NULL) RAND_seed(US addr, sizeof(addr));
059ec3d9
PH
2061
2062 if (!RAND_status())
7199e1ee 2063 return tls_error(US"RAND_status", host,
cf0c6164 2064 US"unable to seed random number generator", errstr);
059ec3d9
PH
2065 }
2066
2067/* Set up the information callback, which outputs if debugging is at a suitable
2068level. */
2069
b10c87b3
JH
2070DEBUG(D_tls)
2071 {
2072 SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
e570d136
JH
2073#if defined(EXIM_HAVE_OPESSL_TRACE) && !defined(OPENSSL_NO_SSL_TRACE)
2074 /* this needs a debug build of OpenSSL */
b10c87b3
JH
2075 SSL_CTX_set_msg_callback(ctx, (void (*)())SSL_trace);
2076#endif
8a40db1c 2077#ifdef OPENSSL_HAVE_KEYLOG_CB
b10c87b3 2078 SSL_CTX_set_keylog_callback(ctx, (void (*)())keylog_callback);
8a40db1c 2079#endif
b10c87b3 2080 }
059ec3d9 2081
c80c5570 2082/* Automatically re-try reads/writes after renegotiation. */
7006ee24 2083(void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
c80c5570 2084
77bb000f
PP
2085/* Apply administrator-supplied work-arounds.
2086Historically we applied just one requested option,
2087SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
2088moved to an administrator-controlled list of options to specify and
2089grandfathered in the first one as the default value for "openssl_options".
059ec3d9 2090
77bb000f
PP
2091No OpenSSL version number checks: the options we accept depend upon the
2092availability of the option value macros from OpenSSL. */
059ec3d9 2093
7006ee24 2094if (!tls_openssl_options_parse(openssl_options, &init_options))
cf0c6164 2095 return tls_error(US"openssl_options parsing failed", host, NULL, errstr);
77bb000f 2096
b10c87b3
JH
2097#ifdef EXPERIMENTAL_TLS_RESUME
2098tlsp->resumption = RESUME_SUPPORTED;
2099#endif
77bb000f
PP
2100if (init_options)
2101 {
b10c87b3
JH
2102#ifdef EXPERIMENTAL_TLS_RESUME
2103 /* Should the server offer session resumption? */
2104 if (!host && verify_check_host(&tls_resumption_hosts) == OK)
2105 {
2106 DEBUG(D_tls) debug_printf("tls_resumption_hosts overrides openssl_options\n");
2107 init_options &= ~SSL_OP_NO_TICKET;
2108 tlsp->resumption |= RESUME_SERVER_TICKET; /* server will give ticket on request */
2109 tlsp->host_resumable = TRUE;
2110 }
2111#endif
2112
77bb000f 2113 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
7006ee24 2114 if (!(SSL_CTX_set_options(ctx, init_options)))
77bb000f 2115 return tls_error(string_sprintf(
cf0c6164 2116 "SSL_CTX_set_option(%#lx)", init_options), host, NULL, errstr);
77bb000f
PP
2117 }
2118else
2119 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
059ec3d9 2120
a28050f8
JH
2121/* We'd like to disable session cache unconditionally, but foolish Outlook
2122Express clients then give up the first TLS connection and make a second one
2123(which works). Only when there is an IMAP service on the same machine.
2124Presumably OE is trying to use the cache for A on B. Leave it enabled for
2125now, until we work out a decent way of presenting control to the config. It
2126will never be used because we use a new context every time. */
2127#ifdef notdef
7006ee24 2128(void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
a28050f8 2129#endif
7006ee24 2130
059ec3d9 2131/* Initialize with DH parameters if supplied */
10ca4f1c 2132/* Initialize ECDH temp key parameter selection */
059ec3d9 2133
7006ee24
JH
2134if ( !init_dh(ctx, dhparam, host, errstr)
2135 || !init_ecdh(ctx, host, errstr)
038597d2
PP
2136 )
2137 return DEFER;
059ec3d9 2138
3f7eeb86 2139/* Set up certificate and key (and perhaps OCSP info) */
059ec3d9 2140
7006ee24 2141if ((rc = tls_expand_session_files(ctx, cbinfo, errstr)) != OK)
23bb6982 2142 return rc;
c91535f3 2143
c3033f13
JH
2144/* If we need to handle SNI or OCSP, do so */
2145
3bcbbbe2 2146#ifdef EXIM_HAVE_OPENSSL_TLSEXT
c3033f13
JH
2147# ifndef DISABLE_OCSP
2148 if (!(cbinfo->verify_stack = sk_X509_new_null()))
2149 {
2150 DEBUG(D_tls) debug_printf("failed to create stack for stapling verify\n");
2151 return FAIL;
2152 }
2153# endif
2154
7a8b9519 2155if (!host) /* server */
3f0945ff 2156 {
f2de3a33 2157# ifndef DISABLE_OCSP
5b2fd993 2158 /* We check u_ocsp.server.file, not server.olist, because we care about if
3f7eeb86
PP
2159 the option exists, not what the current expansion might be, as SNI might
2160 change the certificate and OCSP file in use between now and the time the
2161 callback is invoked. */
f5d78688 2162 if (cbinfo->u_ocsp.server.file)
3f7eeb86 2163 {
7006ee24
JH
2164 SSL_CTX_set_tlsext_status_cb(ctx, tls_server_stapling_cb);
2165 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
3f7eeb86 2166 }
f5d78688 2167# endif
3f0945ff
PP
2168 /* We always do this, so that $tls_sni is available even if not used in
2169 tls_certificate */
7006ee24
JH
2170 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
2171 SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
3f0945ff 2172 }
f2de3a33 2173# ifndef DISABLE_OCSP
f5d78688
JH
2174else /* client */
2175 if(ocsp_file) /* wanting stapling */
2176 {
2177 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
2178 {
2179 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
2180 return FAIL;
2181 }
7006ee24
JH
2182 SSL_CTX_set_tlsext_status_cb(ctx, tls_client_stapling_cb);
2183 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
f5d78688
JH
2184 }
2185# endif
7be682ca 2186#endif
059ec3d9 2187
e51c7be2 2188cbinfo->verify_cert_hostnames = NULL;
e51c7be2 2189
c8dfb21d 2190#ifdef EXIM_HAVE_EPHEM_RSA_KEX
059ec3d9 2191/* Set up the RSA callback */
7006ee24 2192SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
c8dfb21d 2193#endif
059ec3d9 2194
b10c87b3
JH
2195/* Finally, set the session cache timeout, and we are done.
2196The period appears to be also used for (server-generated) session tickets */
059ec3d9 2197
7006ee24 2198SSL_CTX_set_timeout(ctx, ssl_session_timeout);
059ec3d9 2199DEBUG(D_tls) debug_printf("Initialized TLS\n");
7be682ca 2200
817d9f57 2201*cbp = cbinfo;
7006ee24 2202*ctxp = ctx;
7be682ca 2203
059ec3d9
PH
2204return OK;
2205}
2206
2207
2208
2209
2210/*************************************************
2211* Get name of cipher in use *
2212*************************************************/
2213
817d9f57 2214/*
059ec3d9 2215Argument: pointer to an SSL structure for the connection
817d9f57 2216 pointer to number of bits for cipher
f1be21cf 2217Returns: pointer to allocated string in perm-pool
059ec3d9
PH
2218*/
2219
f1be21cf
JH
2220static uschar *
2221construct_cipher_name(SSL * ssl, int * bits)
059ec3d9 2222{
f1be21cf 2223int pool = store_pool;
7a8b9519 2224/* With OpenSSL 1.0.0a, 'c' needs to be const but the documentation doesn't
57b3a7f5
PP
2225yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
2226the accessor functions use const in the prototype. */
059ec3d9 2227
7a8b9519
JH
2228const uschar * ver = CUS SSL_get_version(ssl);
2229const SSL_CIPHER * c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
f1be21cf 2230uschar * s;
059ec3d9 2231
817d9f57 2232SSL_CIPHER_get_bits(c, bits);
059ec3d9 2233
f1be21cf
JH
2234store_pool = POOL_PERM;
2235s = string_sprintf("%s:%s:%u", ver, SSL_CIPHER_get_name(c), *bits);
2236store_pool = pool;
2237DEBUG(D_tls) debug_printf("Cipher: %s\n", s);
2238return s;
2239}
2240
059ec3d9 2241
f1be21cf
JH
2242/* Get IETF-standard name for ciphersuite.
2243Argument: pointer to an SSL structure for the connection
2244Returns: pointer to string
2245*/
2246
2247static const uschar *
2248cipher_stdname_ssl(SSL * ssl)
2249{
2250#ifdef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
2251return CUS SSL_CIPHER_standard_name(SSL_get_current_cipher(ssl));
2252#else
2253ushort id = 0xffff & SSL_CIPHER_get_id(SSL_get_current_cipher(ssl));
2254return cipher_stdname(id >> 8, id & 0xff);
2255#endif
059ec3d9
PH
2256}
2257
2258
f69979cf 2259static void
70e384dd 2260peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned siz)
f69979cf
JH
2261{
2262/*XXX we might consider a list-of-certs variable for the cert chain.
2263SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
2264in list-handling functions, also consider the difference between the entire
2265chain and the elements sent by the peer. */
2266
70e384dd
JH
2267tlsp->peerdn = NULL;
2268
f69979cf
JH
2269/* Will have already noted peercert on a verify fail; possibly not the leaf */
2270if (!tlsp->peercert)
2271 tlsp->peercert = SSL_get_peer_certificate(ssl);
2272/* Beware anonymous ciphers which lead to server_cert being NULL */
2273if (tlsp->peercert)
70e384dd
JH
2274 if (!X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, siz))
2275 { DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n"); }
2276 else
2277 {
4a1bd6b9
JH
2278 int oldpool = store_pool;
2279
2280 peerdn[siz-1] = '\0'; /* paranoia */
2281 store_pool = POOL_PERM;
2282 tlsp->peerdn = string_copy(peerdn);
2283 store_pool = oldpool;
2284
2285 /* We used to set CV in the cert-verify callbacks (either plain or dane)
2286 but they don't get called on session-resumption. So use the official
2287 interface, which uses the resumed value. Unfortunately this claims verified
2288 when it actually failed but we're in try-verify mode, due to us wanting the
2289 knowlege that it failed so needing to have the callback and forcing a
2290 permissive return. If we don't force it, the TLS startup is failed.
f4e62a87
JH
2291 The extra bit of information is set in verify_override in the cb, stashed
2292 for resumption next to the TLS session, and used here. */
4a1bd6b9
JH
2293
2294 if (!tlsp->verify_override)
2295 tlsp->certificate_verified = SSL_get_verify_result(ssl) == X509_V_OK;
70e384dd 2296 }
f69979cf
JH
2297}
2298
2299
059ec3d9
PH
2300
2301
2302
2303/*************************************************
2304* Set up for verifying certificates *
2305*************************************************/
2306
0e8aed8a 2307#ifndef DISABLE_OCSP
c3033f13
JH
2308/* Load certs from file, return TRUE on success */
2309
2310static BOOL
2311chain_from_pem_file(const uschar * file, STACK_OF(X509) * verify_stack)
2312{
2313BIO * bp;
2314X509 * x;
2315
dec766a1
WB
2316while (sk_X509_num(verify_stack) > 0)
2317 X509_free(sk_X509_pop(verify_stack));
2318
c3033f13
JH
2319if (!(bp = BIO_new_file(CS file, "r"))) return FALSE;
2320while ((x = PEM_read_bio_X509(bp, NULL, 0, NULL)))
2321 sk_X509_push(verify_stack, x);
2322BIO_free(bp);
2323return TRUE;
2324}
0e8aed8a 2325#endif
c3033f13
JH
2326
2327
2328
dec766a1
WB
2329/* Called by both client and server startup; on the server possibly
2330repeated after a Server Name Indication.
059ec3d9
PH
2331
2332Arguments:
7be682ca 2333 sctx SSL_CTX* to initialise
059ec3d9
PH
2334 certs certs file or NULL
2335 crl CRL file or NULL
2336 host NULL in a server; the remote host in a client
2337 optional TRUE if called from a server for a host in tls_try_verify_hosts;
2338 otherwise passed as FALSE
983207c1 2339 cert_vfy_cb Callback function for certificate verification
cf0c6164 2340 errstr error string pointer
059ec3d9
PH
2341
2342Returns: OK/DEFER/FAIL
2343*/
2344
2345static int
983207c1 2346setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
cf0c6164 2347 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr)
059ec3d9
PH
2348{
2349uschar *expcerts, *expcrl;
2350
cf0c6164 2351if (!expand_check(certs, US"tls_verify_certificates", &expcerts, errstr))
059ec3d9 2352 return DEFER;
57cc2785 2353DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
059ec3d9 2354
10a831a3 2355if (expcerts && *expcerts)
059ec3d9 2356 {
10a831a3
JH
2357 /* Tell the library to use its compiled-in location for the system default
2358 CA bundle. Then add the ones specified in the config, if any. */
cb1d7830 2359
10a831a3 2360 if (!SSL_CTX_set_default_verify_paths(sctx))
cf0c6164 2361 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL, errstr);
10a831a3
JH
2362
2363 if (Ustrcmp(expcerts, "system") != 0)
059ec3d9 2364 {
cb1d7830
JH
2365 struct stat statbuf;
2366
cb1d7830
JH
2367 if (Ustat(expcerts, &statbuf) < 0)
2368 {
2369 log_write(0, LOG_MAIN|LOG_PANIC,
2370 "failed to stat %s for certificates", expcerts);
2371 return DEFER;
2372 }
059ec3d9 2373 else
059ec3d9 2374 {
cb1d7830
JH
2375 uschar *file, *dir;
2376 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
2377 { file = NULL; dir = expcerts; }
2378 else
c3033f13
JH
2379 {
2380 file = expcerts; dir = NULL;
2381#ifndef DISABLE_OCSP
2382 /* In the server if we will be offering an OCSP proof, load chain from
2383 file for verifying the OCSP proof at load time. */
2384
5b2fd993
JH
2385/*XXX Glitch! The file here is tls_verify_certs: the chain for verifying the client cert.
2386This is inconsistent with the need to verify the OCSP proof of the server cert.
2387*/
2388
c3033f13
JH
2389 if ( !host
2390 && statbuf.st_size > 0
2391 && server_static_cbinfo->u_ocsp.server.file
2392 && !chain_from_pem_file(file, server_static_cbinfo->verify_stack)
2393 )
2394 {
2395 log_write(0, LOG_MAIN|LOG_PANIC,
57887ecc 2396 "failed to load cert chain from %s", file);
c3033f13
JH
2397 return DEFER;
2398 }
2399#endif
2400 }
cb1d7830
JH
2401
2402 /* If a certificate file is empty, the next function fails with an
2403 unhelpful error message. If we skip it, we get the correct behaviour (no
2404 certificates are recognized, but the error message is still misleading (it
c3033f13 2405 says no certificate was supplied). But this is better. */
cb1d7830 2406
f2f2c91b
JH
2407 if ( (!file || statbuf.st_size > 0)
2408 && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
cf0c6164 2409 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL, errstr);
cb1d7830
JH
2410
2411 /* Load the list of CAs for which we will accept certs, for sending
2412 to the client. This is only for the one-file tls_verify_certificates
2413 variant.
d7978c0f
JH
2414 If a list isn't loaded into the server, but some verify locations are set,
2415 the server end appears to make a wildcard request for client certs.
10a831a3 2416 Meanwhile, the client library as default behaviour *ignores* the list
cb1d7830
JH
2417 we send over the wire - see man SSL_CTX_set_client_cert_cb.
2418 Because of this, and that the dir variant is likely only used for
d7978c0f
JH
2419 the public-CA bundle (not for a private CA), not worth fixing. */
2420
f2f2c91b 2421 if (file)
cb1d7830 2422 {
2009ecca 2423 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
dec766a1
WB
2424
2425 SSL_CTX_set_client_CA_list(sctx, names);
f2f2c91b 2426 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
cb1d7830 2427 sk_X509_NAME_num(names));
cb1d7830 2428 }
059ec3d9
PH
2429 }
2430 }
2431
2432 /* Handle a certificate revocation list. */
2433
10a831a3 2434#if OPENSSL_VERSION_NUMBER > 0x00907000L
059ec3d9 2435
8b417f2c 2436 /* This bit of code is now the version supplied by Lars Mainka. (I have
10a831a3 2437 merely reformatted it into the Exim code style.)
8b417f2c 2438
10a831a3
JH
2439 "From here I changed the code to add support for multiple crl's
2440 in pem format in one file or to support hashed directory entries in
2441 pem format instead of a file. This method now uses the library function
2442 X509_STORE_load_locations to add the CRL location to the SSL context.
2443 OpenSSL will then handle the verify against CA certs and CRLs by
2444 itself in the verify callback." */
8b417f2c 2445
cf0c6164 2446 if (!expand_check(crl, US"tls_crl", &expcrl, errstr)) return DEFER;
10a831a3 2447 if (expcrl && *expcrl)
059ec3d9 2448 {
8b417f2c
PH
2449 struct stat statbufcrl;
2450 if (Ustat(expcrl, &statbufcrl) < 0)
2451 {
2452 log_write(0, LOG_MAIN|LOG_PANIC,
2453 "failed to stat %s for certificates revocation lists", expcrl);
2454 return DEFER;
2455 }
2456 else
059ec3d9 2457 {
8b417f2c
PH
2458 /* is it a file or directory? */
2459 uschar *file, *dir;
7be682ca 2460 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
8b417f2c 2461 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
059ec3d9 2462 {
8b417f2c
PH
2463 file = NULL;
2464 dir = expcrl;
2465 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
059ec3d9
PH
2466 }
2467 else
2468 {
8b417f2c
PH
2469 file = expcrl;
2470 dir = NULL;
2471 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
059ec3d9 2472 }
8b417f2c 2473 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
cf0c6164 2474 return tls_error(US"X509_STORE_load_locations", host, NULL, errstr);
8b417f2c
PH
2475
2476 /* setting the flags to check against the complete crl chain */
2477
2478 X509_STORE_set_flags(cvstore,
2479 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
059ec3d9 2480 }
059ec3d9
PH
2481 }
2482
10a831a3 2483#endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
059ec3d9
PH
2484
2485 /* If verification is optional, don't fail if no certificate */
2486
7be682ca 2487 SSL_CTX_set_verify(sctx,
5a2a0989 2488 SSL_VERIFY_PEER | (optional ? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
983207c1 2489 cert_vfy_cb);
059ec3d9
PH
2490 }
2491
2492return OK;
2493}
2494
2495
2496
2497/*************************************************
2498* Start a TLS session in a server *
2499*************************************************/
2500
2501/* This is called when Exim is running as a server, after having received
2502the STARTTLS command. It must respond to that command, and then negotiate
2503a TLS session.
2504
2505Arguments:
2506 require_ciphers allowed ciphers
cf0c6164 2507 errstr pointer to error message
059ec3d9
PH
2508
2509Returns: OK on success
2510 DEFER for errors before the start of the negotiation
4c04137d 2511 FAIL for errors during the negotiation; the server can't
059ec3d9
PH
2512 continue running.
2513*/
2514
2515int
cf0c6164 2516tls_server_start(const uschar * require_ciphers, uschar ** errstr)
059ec3d9
PH
2517{
2518int rc;
cf0c6164
JH
2519uschar * expciphers;
2520tls_ext_ctx_cb * cbinfo;
f69979cf 2521static uschar peerdn[256];
059ec3d9
PH
2522
2523/* Check for previous activation */
2524
74f1a423 2525if (tls_in.active.sock >= 0)
059ec3d9 2526 {
cf0c6164 2527 tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
925ac8e4 2528 smtp_printf("554 Already in TLS\r\n", FALSE);
059ec3d9
PH
2529 return FAIL;
2530 }
2531
2532/* Initialize the SSL library. If it fails, it will already have logged
2533the error. */
2534
817d9f57 2535rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
f2de3a33 2536#ifndef DISABLE_OCSP
5b2fd993 2537 tls_ocsp_file,
3f7eeb86 2538#endif
b10c87b3 2539 NULL, &server_static_cbinfo, &tls_in, errstr);
059ec3d9 2540if (rc != OK) return rc;
817d9f57 2541cbinfo = server_static_cbinfo;
059ec3d9 2542
cf0c6164 2543if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers, errstr))
059ec3d9
PH
2544 return FAIL;
2545
2546/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
17c76198
PP
2547were historically separated by underscores. So that I can use either form in my
2548tests, and also for general convenience, we turn underscores into hyphens here.
0c3807a8
JH
2549
2550XXX SSL_CTX_set_cipher_list() is replaced by SSL_CTX_set_ciphersuites()
2551for TLS 1.3 . Since we do not call it at present we get the default list:
2552TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
17c76198 2553*/
059ec3d9 2554
c3033f13 2555if (expciphers)
059ec3d9 2556 {
b10c87b3 2557 for (uschar * s = expciphers; *s; s++ ) if (*s == '_') *s = '-';
059ec3d9 2558 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
817d9f57 2559 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
cf0c6164 2560 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL, errstr);
7be682ca 2561 cbinfo->server_cipher_list = expciphers;
059ec3d9
PH
2562 }
2563
2564/* If this is a host for which certificate verification is mandatory or
2565optional, set up appropriately. */
2566
817d9f57 2567tls_in.certificate_verified = FALSE;
c0635b6d 2568#ifdef SUPPORT_DANE
53a7196b
JH
2569tls_in.dane_verified = FALSE;
2570#endif
a2ff477a 2571server_verify_callback_called = FALSE;
059ec3d9
PH
2572
2573if (verify_check_host(&tls_verify_hosts) == OK)
2574 {
983207c1 2575 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
afdb5e9c 2576 FALSE, verify_callback_server, errstr);
059ec3d9 2577 if (rc != OK) return rc;
a2ff477a 2578 server_verify_optional = FALSE;
059ec3d9
PH
2579 }
2580else if (verify_check_host(&tls_try_verify_hosts) == OK)
2581 {
983207c1 2582 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
afdb5e9c 2583 TRUE, verify_callback_server, errstr);
059ec3d9 2584 if (rc != OK) return rc;
a2ff477a 2585 server_verify_optional = TRUE;
059ec3d9
PH
2586 }
2587
b10c87b3
JH
2588#ifdef EXPERIMENTAL_TLS_RESUME
2589SSL_CTX_set_tlsext_ticket_key_cb(server_ctx, ticket_key_callback);
2590/* despite working, appears to always return failure, so ignoring */
2591#endif
2592#ifdef OPENSSL_HAVE_NUM_TICKETS
2593# ifdef EXPERIMENTAL_TLS_RESUME
2594SSL_CTX_set_num_tickets(server_ctx, tls_in.host_resumable ? 1 : 0);
2595# else
2596SSL_CTX_set_num_tickets(server_ctx, 0); /* send no TLS1.3 stateful-tickets */
2597# endif
2598#endif
2599
2600
059ec3d9
PH
2601/* Prepare for new connection */
2602
cf0c6164
JH
2603if (!(server_ssl = SSL_new(server_ctx)))
2604 return tls_error(US"SSL_new", NULL, NULL, errstr);
da3ad30d
PP
2605
2606/* Warning: we used to SSL_clear(ssl) here, it was removed.
2607 *
2608 * With the SSL_clear(), we get strange interoperability bugs with
2609 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
2610 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
2611 *
2612 * The SSL_clear() call is to let an existing SSL* be reused, typically after
2613 * session shutdown. In this case, we have a brand new object and there's no
2614 * obvious reason to immediately clear it. I'm guessing that this was
2615 * originally added because of incomplete initialisation which the clear fixed,
2616 * in some historic release.
2617 */
059ec3d9
PH
2618
2619/* Set context and tell client to go ahead, except in the case of TLS startup
2620on connection, where outputting anything now upsets the clients and tends to
2621make them disconnect. We need to have an explicit fflush() here, to force out
2622the response. Other smtp_printf() calls do not need it, because in non-TLS
2623mode, the fflush() happens when smtp_getc() is called. */
2624
817d9f57
JH
2625SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
2626if (!tls_in.on_connect)
059ec3d9 2627 {
925ac8e4 2628 smtp_printf("220 TLS go ahead\r\n", FALSE);
059ec3d9
PH
2629 fflush(smtp_out);
2630 }
2631
2632/* Now negotiate the TLS session. We put our own timer on it, since it seems
2633that the OpenSSL library doesn't. */
2634
817d9f57
JH
2635SSL_set_wfd(server_ssl, fileno(smtp_out));
2636SSL_set_rfd(server_ssl, fileno(smtp_in));
2637SSL_set_accept_state(server_ssl);
059ec3d9
PH
2638
2639DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
2640
2641sigalrm_seen = FALSE;
c2a1bba0 2642if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
817d9f57 2643rc = SSL_accept(server_ssl);
c2a1bba0 2644ALARM_CLR(0);
059ec3d9
PH
2645
2646if (rc <= 0)
2647 {
c31e16a5
JH
2648 int error = SSL_get_error(server_ssl, rc);
2649 switch(error)
2650 {
2651 case SSL_ERROR_NONE:
2652 break;
2653
2654 case SSL_ERROR_ZERO_RETURN:
2655 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2656 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
2657
2658 if (SSL_get_shutdown(server_ssl) == SSL_RECEIVED_SHUTDOWN)
2659 SSL_shutdown(server_ssl);
2660
2661 tls_close(NULL, TLS_NO_SHUTDOWN);
2662 return FAIL;
2663
2664 /* Handle genuine errors */
2665 case SSL_ERROR_SSL:
2666 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
2667 return FAIL;
2668
2669 default:
2670 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
2671 if (error == SSL_ERROR_SYSCALL)
2672 {
2673 if (!errno)
2674 {
2675 *errstr = US"SSL_accept: TCP connection closed by peer";
2676 return FAIL;
2677 }
2678 DEBUG(D_tls) debug_printf(" - syscall %s\n", strerror(errno));
2679 }
2680 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
2681 return FAIL;
2682 }
059ec3d9
PH
2683 }
2684
2685DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
25fa0868 2686ERR_clear_error(); /* Even success can leave errors in the stack. Seen with
b10c87b3
JH
2687 anon-authentication ciphersuite negotiated. */
2688
2689#ifdef EXPERIMENTAL_TLS_RESUME
2690if (SSL_session_reused(server_ssl))
2691 {
2692 tls_in.resumption |= RESUME_USED;
2693 DEBUG(D_tls) debug_printf("Session reused\n");
2694 }
2695#endif
059ec3d9
PH
2696
2697/* TLS has been set up. Adjust the input functions to read via TLS,
2698and initialize things. */
2699
f69979cf
JH
2700peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
2701
f1be21cf
JH
2702tls_in.cipher = construct_cipher_name(server_ssl, &tls_in.bits);
2703tls_in.cipher_stdname = cipher_stdname_ssl(server_ssl);
2704
059ec3d9
PH
2705DEBUG(D_tls)
2706 {
2707 uschar buf[2048];
f1be21cf 2708 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)))
059ec3d9 2709 debug_printf("Shared ciphers: %s\n", buf);
f20cfa4a
JH
2710
2711#ifdef EXIM_HAVE_OPENSSL_KEYLOG
2712 {
10ed27e0 2713 BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
f20cfa4a 2714 SSL_SESSION_print_keylog(bp, SSL_get_session(server_ssl));
f20cfa4a
JH
2715 BIO_free(bp);
2716 }
2717#endif
b10c87b3
JH
2718
2719#ifdef EXIM_HAVE_SESSION_TICKET
2720 {
2721 SSL_SESSION * ss = SSL_get_session(server_ssl);
40618fb6 2722 if (SSL_SESSION_has_ticket(ss)) /* 1.1.0 */
b10c87b3
JH
2723 debug_printf("The session has a ticket, life %lu seconds\n",
2724 SSL_SESSION_get_ticket_lifetime_hint(ss));
2725 }
2726#endif
059ec3d9
PH
2727 }
2728
9d1c15ef
JH
2729/* Record the certificate we presented */
2730 {
2731 X509 * crt = SSL_get_certificate(server_ssl);
2732 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
2733 }
059ec3d9 2734
817d9f57
JH
2735/* Only used by the server-side tls (tls_in), including tls_getc.
2736 Client-side (tls_out) reads (seem to?) go via
2737 smtp_read_response()/ip_recv().
2738 Hence no need to duplicate for _in and _out.
2739 */
b808677c 2740if (!ssl_xfer_buffer) ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
059ec3d9 2741ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
8b77d27a 2742ssl_xfer_eof = ssl_xfer_error = FALSE;
059ec3d9
PH
2743
2744receive_getc = tls_getc;
0d81dabc 2745receive_getbuf = tls_getbuf;
584e96c6 2746receive_get_cache = tls_get_cache;
059ec3d9
PH
2747receive_ungetc = tls_ungetc;
2748receive_feof = tls_feof;
2749receive_ferror = tls_ferror;
58eb016e 2750receive_smtp_buffered = tls_smtp_buffered;
059ec3d9 2751
74f1a423
JH
2752tls_in.active.sock = fileno(smtp_out);
2753tls_in.active.tls_ctx = NULL; /* not using explicit ctx for server-side */
059ec3d9
PH
2754return OK;
2755}
2756
2757
2758
2759
043b1248
JH
2760static int
2761tls_client_basic_ctx_init(SSL_CTX * ctx,
cf0c6164
JH
2762 host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo,
2763 uschar ** errstr)
043b1248
JH
2764{
2765int rc;
94431adb 2766/* stick to the old behaviour for compatibility if tls_verify_certificates is
043b1248
JH
2767 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
2768 the specified host patterns if one of them is defined */
2769
610ff438
JH
2770if ( ( !ob->tls_verify_hosts
2771 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2772 )
3c07dd2d 2773 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
aa2a70ba 2774 )
043b1248 2775 client_verify_optional = FALSE;
3c07dd2d 2776else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
aa2a70ba
JH
2777 client_verify_optional = TRUE;
2778else
2779 return OK;
2780
2781if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
cf0c6164
JH
2782 ob->tls_crl, host, client_verify_optional, verify_callback_client,
2783 errstr)) != OK)
aa2a70ba 2784 return rc;
043b1248 2785
3c07dd2d 2786if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
043b1248 2787 {
4af0d74a 2788 cbinfo->verify_cert_hostnames =
8c5d388a 2789#ifdef SUPPORT_I18N
4af0d74a
JH
2790 string_domain_utf8_to_alabel(host->name, NULL);
2791#else
2792 host->name;
2793#endif
aa2a70ba
JH
2794 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
2795 cbinfo->verify_cert_hostnames);
043b1248 2796 }
043b1248
JH
2797return OK;
2798}
059ec3d9 2799
fde080a4 2800
c0635b6d 2801#ifdef SUPPORT_DANE
fde080a4 2802static int
cf0c6164 2803dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa, uschar ** errstr)
fde080a4 2804{
fde080a4
JH
2805dns_scan dnss;
2806const char * hostnames[2] = { CS host->name, NULL };
2807int found = 0;
2808
2809if (DANESSL_init(ssl, NULL, hostnames) != 1)
cf0c6164 2810 return tls_error(US"hostnames load", host, NULL, errstr);
fde080a4 2811
d7978c0f 2812for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
fde080a4 2813 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
1b76ad22 2814 ) if (rr->type == T_TLSA && rr->size > 3)
fde080a4 2815 {
c3033f13 2816 const uschar * p = rr->data;
fde080a4
JH
2817 uint8_t usage, selector, mtype;
2818 const char * mdname;
2819
fde080a4 2820 usage = *p++;
133d2546
JH
2821
2822 /* Only DANE-TA(2) and DANE-EE(3) are supported */
2823 if (usage != 2 && usage != 3) continue;
2824
fde080a4
JH
2825 selector = *p++;
2826 mtype = *p++;
2827
2828 switch (mtype)
2829 {
133d2546
JH
2830 default: continue; /* Only match-types 0, 1, 2 are supported */
2831 case 0: mdname = NULL; break;
2832 case 1: mdname = "sha256"; break;
2833 case 2: mdname = "sha512"; break;
fde080a4
JH
2834 }
2835
133d2546 2836 found++;
fde080a4
JH
2837 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
2838 {
2839 default:
cf0c6164 2840 return tls_error(US"tlsa load", host, NULL, errstr);
c035b645 2841 case 0: /* action not taken */
fde080a4
JH
2842 case 1: break;
2843 }
594706ea
JH
2844
2845 tls_out.tlsa_usage |= 1<<usage;
fde080a4
JH
2846 }
2847
2848if (found)
2849 return OK;
2850
133d2546 2851log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
6ebd79ec 2852return DEFER;
fde080a4 2853}
c0635b6d 2854#endif /*SUPPORT_DANE*/
fde080a4
JH
2855
2856
2857
b10c87b3
JH
2858#ifdef EXPERIMENTAL_TLS_RESUME
2859/* On the client, get any stashed session for the given IP from hints db
2860and apply it to the ssl-connection for attempted resumption. */
2861
2862static void
2863tls_retrieve_session(tls_support * tlsp, SSL * ssl, const uschar * key)
2864{
2865tlsp->resumption |= RESUME_SUPPORTED;
2866if (tlsp->host_resumable)
2867 {
2868 dbdata_tls_session * dt;
2869 int len;
2870 open_db dbblock, * dbm_file;
2871
2872 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
2873 DEBUG(D_tls) debug_printf("checking for resumable session for %s\n", key);
2874 if ((dbm_file = dbfn_open(US"tls", O_RDONLY, &dbblock, FALSE, FALSE)))
2875 {
2876 /* key for the db is the IP */
2877 if ((dt = dbfn_read_with_length(dbm_file, key, &len)))
2878 {
2879 SSL_SESSION * ss = NULL;
2880 const uschar * sess_asn1 = dt->session;
2881
2882 len -= sizeof(dbdata_tls_session);
2883 if (!(d2i_SSL_SESSION(&ss, &sess_asn1, (long)len)))
2884 {
2885 DEBUG(D_tls)
2886 {
2887 ERR_error_string_n(ERR_get_error(),
2888 ssl_errstring, sizeof(ssl_errstring));
2889 debug_printf("decoding session: %s\n", ssl_errstring);
2890 }
2891 }
a775dd1d 2892#ifdef EXIM_HAVE_SESSION_TICKET
4f1d23a1
JH
2893 else if ( SSL_SESSION_get_ticket_lifetime_hint(ss) + dt->time_stamp
2894 < time(NULL))
2895 {
2896 DEBUG(D_tls) debug_printf("session expired\n");
2897 dbfn_delete(dbm_file, key);
2898 }
a775dd1d 2899#endif
b10c87b3
JH
2900 else if (!SSL_set_session(ssl, ss))
2901 {
2902 DEBUG(D_tls)
2903 {
2904 ERR_error_string_n(ERR_get_error(),
2905 ssl_errstring, sizeof(ssl_errstring));
2906 debug_printf("applying session to ssl: %s\n", ssl_errstring);
2907 }
2908 }
2909 else
2910 {
2911 DEBUG(D_tls) debug_printf("good session\n");
2912 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
f4e62a87 2913 tlsp->verify_override = dt->verify_override;
c82de233 2914 tlsp->ocsp = dt->ocsp;
b10c87b3
JH
2915 }
2916 }
2917 else
2918 DEBUG(D_tls) debug_printf("no session record\n");
2919 dbfn_close(dbm_file);
2920 }
2921 }
2922}
2923
2924
2925/* On the client, save the session for later resumption */
2926
2927static int
2928tls_save_session_cb(SSL * ssl, SSL_SESSION * ss)
2929{
2930tls_ext_ctx_cb * cbinfo = SSL_get_ex_data(ssl, tls_exdata_idx);
2931tls_support * tlsp;
2932
2933DEBUG(D_tls) debug_printf("tls_save_session_cb\n");
2934
2935if (!cbinfo || !(tlsp = cbinfo->tlsp)->host_resumable) return 0;
2936
40618fb6
JH
2937# ifdef OPENSSL_HAVE_NUM_TICKETS
2938if (SSL_SESSION_is_resumable(ss)) /* 1.1.1 */
2939# endif
b10c87b3
JH
2940 {
2941 int len = i2d_SSL_SESSION(ss, NULL);
2942 int dlen = sizeof(dbdata_tls_session) + len;
f3ebb786 2943 dbdata_tls_session * dt = store_get(dlen, TRUE);
b10c87b3
JH
2944 uschar * s = dt->session;
2945 open_db dbblock, * dbm_file;
2946
2947 DEBUG(D_tls) debug_printf("session is resumable\n");
2948 tlsp->resumption |= RESUME_SERVER_TICKET; /* server gave us a ticket */
2949
f4e62a87 2950 dt->verify_override = tlsp->verify_override;
c82de233 2951 dt->ocsp = tlsp->ocsp;
f4e62a87 2952 (void) i2d_SSL_SESSION(ss, &s); /* s gets bumped to end */
b10c87b3
JH
2953
2954 if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
2955 {
2956 const uschar * key = cbinfo->host->address;
2957 dbfn_delete(dbm_file, key);
2958 dbfn_write(dbm_file, key, dt, dlen);
2959 dbfn_close(dbm_file);
2960 DEBUG(D_tls) debug_printf("wrote session (len %u) to db\n",
2961 (unsigned)dlen);
2962 }
2963 }
b10c87b3
JH
2964return 1;
2965}
2966
2967
2968static void
2969tls_client_ctx_resume_prehandshake(
2970 exim_openssl_client_tls_ctx * exim_client_ctx, tls_support * tlsp,
2971 smtp_transport_options_block * ob, host_item * host)
2972{
2973/* Should the client request a session resumption ticket? */
2974if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, host) == OK)
2975 {
2976 tlsp->host_resumable = TRUE;
2977
2978 SSL_CTX_set_session_cache_mode(exim_client_ctx->ctx,
2979 SSL_SESS_CACHE_CLIENT
2980 | SSL_SESS_CACHE_NO_INTERNAL | SSL_SESS_CACHE_NO_AUTO_CLEAR);
2981 SSL_CTX_sess_set_new_cb(exim_client_ctx->ctx, tls_save_session_cb);
2982 }
2983}
2984
2985static BOOL
2986tls_client_ssl_resume_prehandshake(SSL * ssl, tls_support * tlsp,
2987 host_item * host, uschar ** errstr)
2988{
2989if (tlsp->host_resumable)
2990 {
2991 DEBUG(D_tls)
2992 debug_printf("tls_resumption_hosts overrides openssl_options, enabling tickets\n");
2993 SSL_clear_options(ssl, SSL_OP_NO_TICKET);
2994
2995 tls_exdata_idx = SSL_get_ex_new_index(0, 0, 0, 0, 0);
2996 if (!SSL_set_ex_data(ssl, tls_exdata_idx, client_static_cbinfo))
2997 {
2998 tls_error(US"set ex_data", host, NULL, errstr);
2999 return FALSE;
3000 }
3001 debug_printf("tls_exdata_idx %d cbinfo %p\n", tls_exdata_idx, client_static_cbinfo);
3002 }
3003
3004tlsp->resumption = RESUME_SUPPORTED;
3005/* Pick up a previous session, saved on an old ticket */
3006tls_retrieve_session(tlsp, ssl, host->address);
3007return TRUE;
3008}
3009
3010static void
3011tls_client_resume_posthandshake(exim_openssl_client_tls_ctx * exim_client_ctx,
3012 tls_support * tlsp)
3013{
3014if (SSL_session_reused(exim_client_ctx->ssl))
3015 {
3016 DEBUG(D_tls) debug_printf("The session was reused\n");
3017 tlsp->resumption |= RESUME_USED;
3018 }
3019}
3020#endif /* EXPERIMENTAL_TLS_RESUME */
3021
3022
059ec3d9
PH
3023/*************************************************
3024* Start a TLS session in a client *
3025*************************************************/
3026
3027/* Called from the smtp transport after STARTTLS has been accepted.
3028
c05bdbd6
JH
3029Arguments:
3030 cctx connection context
3031 conn_args connection details
3032 cookie datum for randomness; can be NULL
3033 tlsp record details of TLS channel configuration here; must be non-NULL
3034 errstr error string pointer
3035
3036Returns: TRUE for success with TLS session context set in connection context,
3037 FALSE on error
059ec3d9
PH
3038*/
3039
c05bdbd6
JH
3040BOOL
3041tls_client_start(client_conn_ctx * cctx, smtp_connect_args * conn_args,
3042 void * cookie, tls_support * tlsp, uschar ** errstr)
059ec3d9 3043{
c05bdbd6
JH
3044host_item * host = conn_args->host; /* for msgs and option-tests */
3045transport_instance * tb = conn_args->tblock; /* always smtp or NULL */
afdb5e9c
JH
3046smtp_transport_options_block * ob = tb
3047 ? (smtp_transport_options_block *)tb->options_block
3048 : &smtp_transport_option_defaults;
74f1a423 3049exim_openssl_client_tls_ctx * exim_client_ctx;
868f5672 3050uschar * expciphers;
059ec3d9 3051int rc;
c05bdbd6 3052static uschar peerdn[256];
043b1248
JH
3053
3054#ifndef DISABLE_OCSP
043b1248 3055BOOL request_ocsp = FALSE;
6634ac8d 3056BOOL require_ocsp = FALSE;
043b1248 3057#endif
043b1248 3058
74f1a423
JH
3059rc = store_pool;
3060store_pool = POOL_PERM;
f3ebb786 3061exim_client_ctx = store_get(sizeof(exim_openssl_client_tls_ctx), FALSE);
c09dbcfb 3062exim_client_ctx->corked = NULL;
74f1a423
JH
3063store_pool = rc;
3064
c0635b6d 3065#ifdef SUPPORT_DANE
74f1a423 3066tlsp->tlsa_usage = 0;
043b1248
JH
3067#endif
3068
f2de3a33 3069#ifndef DISABLE_OCSP
043b1248 3070 {
c0635b6d 3071# ifdef SUPPORT_DANE
c05bdbd6 3072 if ( conn_args->dane
4f59c424
JH
3073 && ob->hosts_request_ocsp[0] == '*'
3074 && ob->hosts_request_ocsp[1] == '\0'
3075 )
3076 {
3077 /* Unchanged from default. Use a safer one under DANE */
3078 request_ocsp = TRUE;
3079 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
3080 " {= {4}{$tls_out_tlsa_usage}} } "
3081 " {*}{}}";
3082 }
3083# endif
3084
5130845b 3085 if ((require_ocsp =
3c07dd2d 3086 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK))
fca41d5a
JH
3087 request_ocsp = TRUE;
3088 else
c0635b6d 3089# ifdef SUPPORT_DANE
4f59c424 3090 if (!request_ocsp)
fca41d5a 3091# endif
5130845b 3092 request_ocsp =
3c07dd2d 3093 verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
043b1248 3094 }
f5d78688 3095#endif
059ec3d9 3096
74f1a423 3097rc = tls_init(&exim_client_ctx->ctx, host, NULL,
65867078 3098 ob->tls_certificate, ob->tls_privatekey,
f2de3a33 3099#ifndef DISABLE_OCSP
44662487 3100 (void *)(long)request_ocsp,
3f7eeb86 3101#endif
b10c87b3 3102 cookie, &client_static_cbinfo, tlsp, errstr);
c05bdbd6 3103if (rc != OK) return FALSE;
059ec3d9 3104
74f1a423 3105tlsp->certificate_verified = FALSE;
a2ff477a 3106client_verify_callback_called = FALSE;
059ec3d9 3107
5ec37a55
PP
3108expciphers = NULL;
3109#ifdef SUPPORT_DANE
c05bdbd6 3110if (conn_args->dane)
5ec37a55
PP
3111 {
3112 /* We fall back to tls_require_ciphers if unset, empty or forced failure, but
3113 other failures should be treated as problems. */
3114 if (ob->dane_require_tls_ciphers &&
3115 !expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
3116 &expciphers, errstr))
c05bdbd6 3117 return FALSE;
5ec37a55
PP
3118 if (expciphers && *expciphers == '\0')
3119 expciphers = NULL;
3120 }
3121#endif
3122if (!expciphers &&
3123 !expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
3124 &expciphers, errstr))
c05bdbd6 3125 return FALSE;
059ec3d9
PH
3126
3127/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
3128are separated by underscores. So that I can use either form in my tests, and
3129also for general convenience, we turn underscores into hyphens here. */
3130
cf0c6164 3131if (expciphers)
059ec3d9
PH
3132 {
3133 uschar *s = expciphers;
cf0c6164 3134 while (*s) { if (*s == '_') *s = '-'; s++; }
059ec3d9 3135 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
74f1a423
JH
3136 if (!SSL_CTX_set_cipher_list(exim_client_ctx->ctx, CS expciphers))
3137 {
3138 tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr);
c05bdbd6 3139 return FALSE;
74f1a423 3140 }
059ec3d9
PH
3141 }
3142
c0635b6d 3143#ifdef SUPPORT_DANE
c05bdbd6 3144if (conn_args->dane)
a63be306 3145 {
74f1a423 3146 SSL_CTX_set_verify(exim_client_ctx->ctx,
02af313d
JH
3147 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
3148 verify_callback_client_dane);
e5cccda9 3149
043b1248 3150 if (!DANESSL_library_init())
74f1a423
JH
3151 {
3152 tls_error(US"library init", host, NULL, errstr);
c05bdbd6 3153 return FALSE;
74f1a423
JH
3154 }
3155 if (DANESSL_CTX_init(exim_client_ctx->ctx) <= 0)
3156 {
3157 tls_error(US"context init", host, NULL, errstr);
c05bdbd6 3158 return FALSE;
74f1a423 3159 }
043b1248
JH
3160 }
3161else
e51c7be2 3162
043b1248
JH
3163#endif
3164
74f1a423
JH
3165 if (tls_client_basic_ctx_init(exim_client_ctx->ctx, host, ob,
3166 client_static_cbinfo, errstr) != OK)
c05bdbd6 3167 return FALSE;
059ec3d9 3168
b10c87b3
JH
3169#ifdef EXPERIMENTAL_TLS_RESUME
3170tls_client_ctx_resume_prehandshake(exim_client_ctx, tlsp, ob, host);
3171#endif
3172
3173
74f1a423
JH
3174if (!(exim_client_ctx->ssl = SSL_new(exim_client_ctx->ctx)))
3175 {
3176 tls_error(US"SSL_new", host, NULL, errstr);
c05bdbd6 3177 return FALSE;
74f1a423
JH
3178 }
3179SSL_set_session_id_context(exim_client_ctx->ssl, sid_ctx, Ustrlen(sid_ctx));
b10c87b3 3180
c05bdbd6 3181SSL_set_fd(exim_client_ctx->ssl, cctx->sock);
74f1a423 3182SSL_set_connect_state(exim_client_ctx->ssl);
059ec3d9 3183
65867078 3184if (ob->tls_sni)
3f0945ff 3185 {
74f1a423 3186 if (!expand_check(ob->tls_sni, US"tls_sni", &tlsp->sni, errstr))
c05bdbd6 3187 return FALSE;
74f1a423 3188 if (!tlsp->sni)
2c9a0e86
PP
3189 {
3190 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
3191 }
74f1a423
JH
3192 else if (!Ustrlen(tlsp->sni))
3193 tlsp->sni = NULL;
3f0945ff
PP
3194 else
3195 {
35731706 3196#ifdef EXIM_HAVE_OPENSSL_TLSEXT
74f1a423
JH
3197 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tlsp->sni);
3198 SSL_set_tlsext_host_name(exim_client_ctx->ssl, tlsp->sni);
35731706 3199#else
66802652 3200 log_write(0, LOG_MAIN, "SNI unusable with this OpenSSL library version; ignoring \"%s\"\n",
74f1a423 3201 tlsp->sni);
35731706 3202#endif
3f0945ff
PP
3203 }
3204 }
3205
c0635b6d 3206#ifdef SUPPORT_DANE
c05bdbd6
JH
3207if (conn_args->dane)
3208 if (dane_tlsa_load(exim_client_ctx->ssl, host, &conn_args->tlsa_dnsa, errstr) != OK)
3209 return FALSE;
594706ea
JH
3210#endif
3211
f2de3a33 3212#ifndef DISABLE_OCSP
f5d78688
JH
3213/* Request certificate status at connection-time. If the server
3214does OCSP stapling we will get the callback (set in tls_init()) */
c0635b6d 3215# ifdef SUPPORT_DANE
44662487
JH
3216if (request_ocsp)
3217 {
594706ea 3218 const uschar * s;
41afb5cb
JH
3219 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
3220 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
594706ea
JH
3221 )
3222 { /* Re-eval now $tls_out_tlsa_usage is populated. If
3223 this means we avoid the OCSP request, we wasted the setup
3224 cost in tls_init(). */
3c07dd2d 3225 require_ocsp = verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
5130845b 3226 request_ocsp = require_ocsp
3c07dd2d 3227 || verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
594706ea
JH
3228 }
3229 }
b50c8b84
JH
3230# endif
3231
594706ea
JH
3232if (request_ocsp)
3233 {
74f1a423 3234 SSL_set_tlsext_status_type(exim_client_ctx->ssl, TLSEXT_STATUSTYPE_ocsp);
44662487 3235 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
74f1a423 3236 tlsp->ocsp = OCSP_NOT_RESP;
44662487 3237 }
f5d78688
JH
3238#endif
3239
c82de233
JH
3240#ifdef EXPERIMENTAL_TLS_RESUME
3241if (!tls_client_ssl_resume_prehandshake(exim_client_ctx->ssl, tlsp, host,
3242 errstr))
3243 return FALSE;
3244#endif
3245
0cbf2b82 3246#ifndef DISABLE_EVENT
afdb5e9c 3247client_static_cbinfo->event_action = tb ? tb->event_action : NULL;
a7538db1 3248#endif
043b1248 3249
059ec3d9
PH
3250/* There doesn't seem to be a built-in timeout on connection. */
3251
3252DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
3253sigalrm_seen = FALSE;
c2a1bba0 3254ALARM(ob->command_timeout);
74f1a423 3255rc = SSL_connect(exim_client_ctx->ssl);
c2a1bba0 3256ALARM_CLR(0);
059ec3d9 3257
c0635b6d 3258#ifdef SUPPORT_DANE
c05bdbd6 3259if (conn_args->dane)
74f1a423 3260 DANESSL_cleanup(exim_client_ctx->ssl);
043b1248
JH
3261#endif
3262
059ec3d9 3263if (rc <= 0)
74f1a423
JH
3264 {
3265 tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL, errstr);
c05bdbd6 3266 return FALSE;
74f1a423 3267 }
059ec3d9 3268
f20cfa4a
JH
3269DEBUG(D_tls)
3270 {
3271 debug_printf("SSL_connect succeeded\n");
3272#ifdef EXIM_HAVE_OPENSSL_KEYLOG
3273 {
10ed27e0
JH
3274 BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
3275 SSL_SESSION_print_keylog(bp, SSL_get_session(exim_client_ctx->ssl));
3276 BIO_free(bp);
f20cfa4a
JH
3277 }
3278#endif
3279 }
059ec3d9 3280
b10c87b3
JH
3281#ifdef EXPERIMENTAL_TLS_RESUME
3282tls_client_resume_posthandshake(exim_client_ctx, tlsp);
3283#endif
3284
74f1a423 3285peer_cert(exim_client_ctx->ssl, tlsp, peerdn, sizeof(peerdn));
059ec3d9 3286
f1be21cf
JH
3287tlsp->cipher = construct_cipher_name(exim_client_ctx->ssl, &tlsp->bits);
3288tlsp->cipher_stdname = cipher_stdname_ssl(exim_client_ctx->ssl);
059ec3d9 3289
9d1c15ef
JH
3290/* Record the certificate we presented */
3291 {
74f1a423
JH
3292 X509 * crt = SSL_get_certificate(exim_client_ctx->ssl);
3293 tlsp->ourcert = crt ? X509_dup(crt) : NULL;
9d1c15ef
JH
3294 }
3295
c05bdbd6 3296tlsp->active.sock = cctx->sock;
74f1a423 3297tlsp->active.tls_ctx = exim_client_ctx;
c05bdbd6
JH
3298cctx->tls_ctx = exim_client_ctx;
3299return TRUE;
059ec3d9
PH
3300}
3301
3302
3303
3304
3305
0d81dabc
JH
3306static BOOL
3307tls_refill(unsigned lim)
3308{
3309int error;
3310int inbytes;
3311
3312DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
3313 ssl_xfer_buffer, ssl_xfer_buffer_size);
3314
c2a1bba0 3315if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
0d81dabc
JH
3316inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer,
3317 MIN(ssl_xfer_buffer_size, lim));
3318error = SSL_get_error(server_ssl, inbytes);
c2a1bba0 3319if (smtp_receive_timeout > 0) ALARM_CLR(0);
9723f966
JH
3320<