Testsuite: make it compatible with ancient Perl versions.
[exim.git] / src / src / tls-openssl.c
CommitLineData
059ec3d9
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
b10c87b3 5/* Copyright (c) University of Cambridge 1995 - 2019 */
059ec3d9
PH
6/* See the file NOTICE for conditions of use and distribution. */
7
f5d78688
JH
8/* Portions Copyright (c) The OpenSSL Project 1999 */
9
059ec3d9
PH
10/* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11library. It is #included into the tls.c file when that library is used. The
12code herein is based on a patch that was originally contributed by Steve
13Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
14
15No cryptographic code is included in Exim. All this module does is to call
16functions from the OpenSSL library. */
17
18
19/* Heading stuff */
20
21#include <openssl/lhash.h>
22#include <openssl/ssl.h>
23#include <openssl/err.h>
24#include <openssl/rand.h>
10ca4f1c
JH
25#ifndef OPENSSL_NO_ECDH
26# include <openssl/ec.h>
27#endif
f2de3a33 28#ifndef DISABLE_OCSP
e51c7be2 29# include <openssl/ocsp.h>
3f7eeb86 30#endif
c0635b6d 31#ifdef SUPPORT_DANE
05e796ad 32# include "danessl.h"
85098ee7
JH
33#endif
34
3f7eeb86 35
f2de3a33
JH
36#ifndef DISABLE_OCSP
37# define EXIM_OCSP_SKEW_SECONDS (300L)
38# define EXIM_OCSP_MAX_AGE (-1L)
3f7eeb86 39#endif
059ec3d9 40
3bcbbbe2 41#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
e51c7be2 42# define EXIM_HAVE_OPENSSL_TLSEXT
3bcbbbe2 43#endif
c8dfb21d
JH
44#if OPENSSL_VERSION_NUMBER >= 0x00908000L
45# define EXIM_HAVE_RSA_GENKEY_EX
46#endif
47#if OPENSSL_VERSION_NUMBER >= 0x10100000L
48# define EXIM_HAVE_OCSP_RESP_COUNT
b038d456 49# define OPENSSL_AUTO_SHA256
c8dfb21d
JH
50#else
51# define EXIM_HAVE_EPHEM_RSA_KEX
52# define EXIM_HAVE_RAND_PSEUDO
53#endif
54#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
8442641e 55# define EXIM_HAVE_SHA256
c8dfb21d 56#endif
34e3241d 57
d7978c0f
JH
58/* X509_check_host provides sane certificate hostname checking, but was added
59to OpenSSL late, after other projects forked off the code-base. So in
60addition to guarding against the base version number, beware that LibreSSL
61does not (at this time) support this function.
62
63If LibreSSL gains a different API, perhaps via libtls, then we'll probably
64opt to disentangle and ask a LibreSSL user to provide glue for a third
65crypto provider for libtls instead of continuing to tie the OpenSSL glue
66into even twistier knots. If LibreSSL gains the same API, we can just
67change this guard and punt the issue for a while longer. */
68
34e3241d
PP
69#ifndef LIBRESSL_VERSION_NUMBER
70# if OPENSSL_VERSION_NUMBER >= 0x010100000L
71# define EXIM_HAVE_OPENSSL_CHECKHOST
8420742d 72# define EXIM_HAVE_OPENSSL_DH_BITS
7a8b9519 73# define EXIM_HAVE_OPENSSL_TLS_METHOD
f20cfa4a 74# define EXIM_HAVE_OPENSSL_KEYLOG
f1be21cf 75# define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
b10c87b3 76# define EXIM_HAVE_SESSION_TICKET
e570d136 77# define EXIM_HAVE_OPESSL_TRACE
012dd02e 78# define EXIM_HAVE_OPESSL_GET0_SERIAL
97277c1f
JH
79# ifndef DISABLE_OCSP
80# define EXIM_HAVE_OCSP
81# endif
7434882d
JH
82# else
83# define EXIM_NEED_OPENSSL_INIT
34e3241d
PP
84# endif
85# if OPENSSL_VERSION_NUMBER >= 0x010000000L \
2dfb468b 86 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
34e3241d
PP
87# define EXIM_HAVE_OPENSSL_CHECKHOST
88# endif
11aa88b0 89#endif
10ca4f1c 90
11aa88b0
RA
91#if !defined(LIBRESSL_VERSION_NUMBER) \
92 || LIBRESSL_VERSION_NUMBER >= 0x20010000L
10ca4f1c
JH
93# if !defined(OPENSSL_NO_ECDH)
94# if OPENSSL_VERSION_NUMBER >= 0x0090800fL
8442641e 95# define EXIM_HAVE_ECDH
10ca4f1c
JH
96# endif
97# if OPENSSL_VERSION_NUMBER >= 0x10002000L
10ca4f1c
JH
98# define EXIM_HAVE_OPENSSL_EC_NIST2NID
99# endif
100# endif
2dfb468b 101#endif
3bcbbbe2 102
8a40db1c
JH
103#ifndef LIBRESSL_VERSION_NUMBER
104# if OPENSSL_VERSION_NUMBER >= 0x010101000L
105# define OPENSSL_HAVE_KEYLOG_CB
d7f31bb6 106# define OPENSSL_HAVE_NUM_TICKETS
f1be21cf 107# define EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
97277c1f
JH
108# else
109# define OPENSSL_BAD_SRVR_OURCERT
8a40db1c
JH
110# endif
111#endif
112
67791ce4
JH
113#if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
114# warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
115# define DISABLE_OCSP
116#endif
43e2db44
JH
117
118#ifdef EXPERIMENTAL_TLS_RESUME
119# if OPENSSL_VERSION_NUMBER < 0x0101010L
120# error OpenSSL version too old for session-resumption
121# endif
122#endif
67791ce4 123
a6510420
JH
124#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
125# include <openssl/x509v3.h>
126#endif
127
f1be21cf
JH
128#ifndef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
129# ifndef EXIM_HAVE_OPENSSL_CIPHER_GET_ID
130# define SSL_CIPHER_get_id(c) (c->id)
131# endif
dca6d121
JH
132# ifndef MACRO_PREDEF
133# include "tls-cipher-stdname.c"
134# endif
f1be21cf
JH
135#endif
136
8442641e
JH
137/*************************************************
138* OpenSSL option parse *
139*************************************************/
140
141typedef struct exim_openssl_option {
142 uschar *name;
143 long value;
144} exim_openssl_option;
145/* We could use a macro to expand, but we need the ifdef and not all the
146options document which version they were introduced in. Policylet: include
147all options unless explicitly for DTLS, let the administrator choose which
148to apply.
149
150This list is current as of:
151 ==> 1.0.1b <==
152Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
153Plus SSL_OP_NO_TLSv1_3 for 1.1.2-dev
2043336d
JH
154Plus SSL_OP_NO_RENEGOTIATION for 1.1.1
155
156XXX could we autobuild this list, as with predefined-macros?
157Seems just parsing ssl.h for SSL_OP_.* would be enough.
158Also allow a numeric literal?
8442641e
JH
159*/
160static exim_openssl_option exim_openssl_options[] = {
161/* KEEP SORTED ALPHABETICALLY! */
162#ifdef SSL_OP_ALL
6d95688d 163 { US"all", (long) SSL_OP_ALL },
8442641e
JH
164#endif
165#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
166 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
167#endif
168#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
169 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
170#endif
171#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
172 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
173#endif
174#ifdef SSL_OP_EPHEMERAL_RSA
175 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
176#endif
177#ifdef SSL_OP_LEGACY_SERVER_CONNECT
178 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
179#endif
180#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
181 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
182#endif
183#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
184 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
185#endif
186#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
187 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
188#endif
189#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
190 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
191#endif
192#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
193 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
194#endif
195#ifdef SSL_OP_NO_COMPRESSION
196 { US"no_compression", SSL_OP_NO_COMPRESSION },
197#endif
2043336d
JH
198#ifdef SSL_OP_NO_RENEGOTIATION
199 { US"no_renegotiation", SSL_OP_NO_RENEGOTIATION },
200#endif
8442641e
JH
201#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
202 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
203#endif
204#ifdef SSL_OP_NO_SSLv2
205 { US"no_sslv2", SSL_OP_NO_SSLv2 },
206#endif
207#ifdef SSL_OP_NO_SSLv3
208 { US"no_sslv3", SSL_OP_NO_SSLv3 },
209#endif
210#ifdef SSL_OP_NO_TICKET
211 { US"no_ticket", SSL_OP_NO_TICKET },
212#endif
213#ifdef SSL_OP_NO_TLSv1
214 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
215#endif
216#ifdef SSL_OP_NO_TLSv1_1
217#if SSL_OP_NO_TLSv1_1 == 0x00000400L
218 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
219#warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
220#else
221 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
222#endif
223#endif
224#ifdef SSL_OP_NO_TLSv1_2
225 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
226#endif
227#ifdef SSL_OP_NO_TLSv1_3
228 { US"no_tlsv1_3", SSL_OP_NO_TLSv1_3 },
229#endif
230#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
231 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
232#endif
233#ifdef SSL_OP_SINGLE_DH_USE
234 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
235#endif
236#ifdef SSL_OP_SINGLE_ECDH_USE
237 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
238#endif
239#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
240 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
241#endif
242#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
243 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
244#endif
245#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
246 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
247#endif
248#ifdef SSL_OP_TLS_D5_BUG
249 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
250#endif
251#ifdef SSL_OP_TLS_ROLLBACK_BUG
252 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
253#endif
254};
255
256#ifndef MACRO_PREDEF
257static int exim_openssl_options_size = nelem(exim_openssl_options);
258#endif
259
260#ifdef MACRO_PREDEF
261void
262options_tls(void)
263{
8442641e
JH
264uschar buf[64];
265
d7978c0f 266for (struct exim_openssl_option * o = exim_openssl_options;
8442641e
JH
267 o < exim_openssl_options + nelem(exim_openssl_options); o++)
268 {
269 /* Trailing X is workaround for problem with _OPT_OPENSSL_NO_TLSV1
270 being a ".ifdef _OPT_OPENSSL_NO_TLSV1_3" match */
271
272 spf(buf, sizeof(buf), US"_OPT_OPENSSL_%T_X", o->name);
273 builtin_macro_create(buf);
274 }
b10c87b3
JH
275
276# ifdef EXPERIMENTAL_TLS_RESUME
277builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
278# endif
e326959e
JH
279# ifdef SSL_OP_NO_TLSv1_3
280builtin_macro_create(US"_HAVE_TLS1_3");
281# endif
97277c1f
JH
282# ifdef OPENSSL_BAD_SRVR_OURCERT
283builtin_macro_create(US"_TLS_BAD_MULTICERT_IN_OURCERT");
284# endif
285# ifdef EXIM_HAVE_OCSP
286builtin_macro_create(US"_HAVE_TLS_OCSP");
287builtin_macro_create(US"_HAVE_TLS_OCSP_LIST");
288# endif
8442641e
JH
289}
290#else
291
292/******************************************************************************/
293
059ec3d9
PH
294/* Structure for collecting random data for seeding. */
295
296typedef struct randstuff {
9e3331ea
TK
297 struct timeval tv;
298 pid_t p;
059ec3d9
PH
299} randstuff;
300
301/* Local static variables */
302
a2ff477a
JH
303static BOOL client_verify_callback_called = FALSE;
304static BOOL server_verify_callback_called = FALSE;
059ec3d9
PH
305static const uschar *sid_ctx = US"exim";
306
d4f09789
PP
307/* We have three different contexts to care about.
308
309Simple case: client, `client_ctx`
310 As a client, we can be doing a callout or cut-through delivery while receiving
311 a message. So we have a client context, which should have options initialised
74f1a423
JH
312 from the SMTP Transport. We may also concurrently want to make TLS connections
313 to utility daemons, so client-contexts are allocated and passed around in call
314 args rather than using a gobal.
d4f09789
PP
315
316Server:
317 There are two cases: with and without ServerNameIndication from the client.
318 Given TLS SNI, we can be using different keys, certs and various other
319 configuration settings, because they're re-expanded with $tls_sni set. This
320 allows vhosting with TLS. This SNI is sent in the handshake.
321 A client might not send SNI, so we need a fallback, and an initial setup too.
322 So as a server, we start out using `server_ctx`.
323 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
324 `server_sni` from `server_ctx` and then initialise settings by re-expanding
325 configuration.
326*/
327
74f1a423
JH
328typedef struct {
329 SSL_CTX * ctx;
330 SSL * ssl;
c09dbcfb 331 gstring * corked;
74f1a423
JH
332} exim_openssl_client_tls_ctx;
333
817d9f57 334static SSL_CTX *server_ctx = NULL;
817d9f57 335static SSL *server_ssl = NULL;
389ca47a 336
35731706 337#ifdef EXIM_HAVE_OPENSSL_TLSEXT
817d9f57 338static SSL_CTX *server_sni = NULL;
35731706 339#endif
059ec3d9
PH
340
341static char ssl_errstring[256];
342
dea4b568 343static int ssl_session_timeout = 7200; /* Two hours */
a2ff477a
JH
344static BOOL client_verify_optional = FALSE;
345static BOOL server_verify_optional = FALSE;
059ec3d9 346
f5d78688 347static BOOL reexpand_tls_files_for_sni = FALSE;
059ec3d9
PH
348
349
5b2fd993
JH
350typedef struct ocsp_resp {
351 struct ocsp_resp * next;
352 OCSP_RESPONSE * resp;
353} ocsp_resplist;
354
7be682ca 355typedef struct tls_ext_ctx_cb {
b10c87b3 356 tls_support * tlsp;
7be682ca
PP
357 uschar *certificate;
358 uschar *privatekey;
f5d78688 359 BOOL is_server;
a6510420 360#ifndef DISABLE_OCSP
c3033f13 361 STACK_OF(X509) *verify_stack; /* chain for verifying the proof */
f5d78688
JH
362 union {
363 struct {
364 uschar *file;
5b2fd993
JH
365 const uschar *file_expanded;
366 ocsp_resplist *olist;
f5d78688
JH
367 } server;
368 struct {
44662487
JH
369 X509_STORE *verify_store; /* non-null if status requested */
370 BOOL verify_required;
f5d78688
JH
371 } client;
372 } u_ocsp;
3f7eeb86 373#endif
7be682ca
PP
374 uschar *dhparam;
375 /* these are cached from first expand */
376 uschar *server_cipher_list;
377 /* only passed down to tls_error: */
378 host_item *host;
55414b25 379 const uschar * verify_cert_hostnames;
0cbf2b82 380#ifndef DISABLE_EVENT
a7538db1
JH
381 uschar * event_action;
382#endif
7be682ca
PP
383} tls_ext_ctx_cb;
384
385/* should figure out a cleanup of API to handle state preserved per
386implementation, for various reasons, which can be void * in the APIs.
387For now, we hack around it. */
b10c87b3 388tls_ext_ctx_cb *client_static_cbinfo = NULL; /*XXX should not use static; multiple concurrent clients! */
817d9f57 389tls_ext_ctx_cb *server_static_cbinfo = NULL;
7be682ca
PP
390
391static int
983207c1 392setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
cf0c6164 393 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr );
059ec3d9 394
3f7eeb86 395/* Callbacks */
3bcbbbe2 396#ifdef EXIM_HAVE_OPENSSL_TLSEXT
3f7eeb86 397static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
3bcbbbe2 398#endif
f2de3a33 399#ifndef DISABLE_OCSP
f5d78688 400static int tls_server_stapling_cb(SSL *s, void *arg);
3f7eeb86
PP
401#endif
402
059ec3d9 403
b10c87b3 404
4d93129f 405/* Daemon-called, before every connection, key create/rotate */
b10c87b3
JH
406#ifdef EXPERIMENTAL_TLS_RESUME
407static void tk_init(void);
408static int tls_exdata_idx = -1;
409#endif
410
411void
412tls_daemon_init(void)
413{
414#ifdef EXPERIMENTAL_TLS_RESUME
415tk_init();
416#endif
417return;
418}
419
420
059ec3d9
PH
421/*************************************************
422* Handle TLS error *
423*************************************************/
424
425/* Called from lots of places when errors occur before actually starting to do
426the TLS handshake, that is, while the session is still in clear. Always returns
427DEFER for a server and FAIL for a client so that most calls can use "return
428tls_error(...)" to do this processing and then give an appropriate return. A
429single function is used for both server and client, because it is called from
430some shared functions.
431
432Argument:
433 prefix text to include in the logged error
434 host NULL if setting up a server;
435 the connected host if setting up a client
7199e1ee 436 msg error message or NULL if we should ask OpenSSL
cf0c6164 437 errstr pointer to output error message
059ec3d9
PH
438
439Returns: OK/DEFER/FAIL
440*/
441
442static int
cf0c6164 443tls_error(uschar * prefix, const host_item * host, uschar * msg, uschar ** errstr)
059ec3d9 444{
c562fd30 445if (!msg)
7199e1ee 446 {
0abc5a13 447 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
cf0c6164 448 msg = US ssl_errstring;
7199e1ee
TF
449 }
450
5a2a0989
JH
451msg = string_sprintf("(%s): %s", prefix, msg);
452DEBUG(D_tls) debug_printf("TLS error '%s'\n", msg);
453if (errstr) *errstr = msg;
cf0c6164 454return host ? FAIL : DEFER;
059ec3d9
PH
455}
456
457
458
459/*************************************************
460* Callback to generate RSA key *
461*************************************************/
462
463/*
464Arguments:
3ae79556 465 s SSL connection (not used)
059ec3d9
PH
466 export not used
467 keylength keylength
468
469Returns: pointer to generated key
470*/
471
472static RSA *
473rsa_callback(SSL *s, int export, int keylength)
474{
475RSA *rsa_key;
c8dfb21d
JH
476#ifdef EXIM_HAVE_RSA_GENKEY_EX
477BIGNUM *bn = BN_new();
478#endif
479
059ec3d9
PH
480export = export; /* Shut picky compilers up */
481DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
c8dfb21d
JH
482
483#ifdef EXIM_HAVE_RSA_GENKEY_EX
484if ( !BN_set_word(bn, (unsigned long)RSA_F4)
f2cb6292 485 || !(rsa_key = RSA_new())
c8dfb21d
JH
486 || !RSA_generate_key_ex(rsa_key, keylength, bn, NULL)
487 )
488#else
23bb6982 489if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL)))
c8dfb21d
JH
490#endif
491
059ec3d9 492 {
0abc5a13 493 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
059ec3d9
PH
494 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
495 ssl_errstring);
496 return NULL;
497 }
498return rsa_key;
499}
500
501
502
f5d78688 503/* Extreme debug
f2de3a33 504#ifndef DISABLE_OCSP
f5d78688
JH
505void
506x509_store_dump_cert_s_names(X509_STORE * store)
507{
508STACK_OF(X509_OBJECT) * roots= store->objs;
f5d78688
JH
509static uschar name[256];
510
d7978c0f 511for (int i= 0; i < sk_X509_OBJECT_num(roots); i++)
f5d78688
JH
512 {
513 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
514 if(tmp_obj->type == X509_LU_X509)
515 {
70e384dd
JH
516 X509_NAME * sn = X509_get_subject_name(tmp_obj->data.x509);
517 if (X509_NAME_oneline(sn, CS name, sizeof(name)))
518 {
519 name[sizeof(name)-1] = '\0';
520 debug_printf(" %s\n", name);
521 }
f5d78688
JH
522 }
523 }
524}
525#endif
526*/
527
059ec3d9 528
0cbf2b82 529#ifndef DISABLE_EVENT
f69979cf
JH
530static int
531verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
532 BOOL *calledp, const BOOL *optionalp, const uschar * what)
533{
534uschar * ev;
535uschar * yield;
536X509 * old_cert;
537
538ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
539if (ev)
540 {
aaba7d03 541 DEBUG(D_tls) debug_printf("verify_event: %s %d\n", what, depth);
f69979cf
JH
542 old_cert = tlsp->peercert;
543 tlsp->peercert = X509_dup(cert);
544 /* NB we do not bother setting peerdn */
545 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
546 {
547 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
548 "depth=%d cert=%s: %s",
549 tlsp == &tls_out ? deliver_host_address : sender_host_address,
550 what, depth, dn, yield);
551 *calledp = TRUE;
552 if (!*optionalp)
553 {
554 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
555 return 1; /* reject (leaving peercert set) */
556 }
557 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
558 "(host in tls_try_verify_hosts)\n");
4a1bd6b9 559 tlsp->verify_override = TRUE;
f69979cf
JH
560 }
561 X509_free(tlsp->peercert);
562 tlsp->peercert = old_cert;
563 }
564return 0;
565}
566#endif
567
059ec3d9
PH
568/*************************************************
569* Callback for verification *
570*************************************************/
571
572/* The SSL library does certificate verification if set up to do so. This
573callback has the current yes/no state is in "state". If verification succeeded,
f69979cf
JH
574we set the certificate-verified flag. If verification failed, what happens
575depends on whether the client is required to present a verifiable certificate
576or not.
059ec3d9
PH
577
578If verification is optional, we change the state to yes, but still log the
579verification error. For some reason (it really would help to have proper
580documentation of OpenSSL), this callback function then gets called again, this
f69979cf
JH
581time with state = 1. We must take care not to set the private verified flag on
582the second time through.
059ec3d9
PH
583
584Note: this function is not called if the client fails to present a certificate
585when asked. We get here only if a certificate has been received. Handling of
586optional verification for this case is done when requesting SSL to verify, by
587setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
588
a7538db1
JH
589May be called multiple times for different issues with a certificate, even
590for a given "depth" in the certificate chain.
591
059ec3d9 592Arguments:
f2f2c91b
JH
593 preverify_ok current yes/no state as 1/0
594 x509ctx certificate information.
595 tlsp per-direction (client vs. server) support data
596 calledp has-been-called flag
597 optionalp verification-is-optional flag
059ec3d9 598
f2f2c91b 599Returns: 0 if verification should fail, otherwise 1
059ec3d9
PH
600*/
601
602static int
70e384dd
JH
603verify_callback(int preverify_ok, X509_STORE_CTX * x509ctx,
604 tls_support * tlsp, BOOL * calledp, BOOL * optionalp)
059ec3d9 605{
421aff85 606X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
a7538db1 607int depth = X509_STORE_CTX_get_error_depth(x509ctx);
f69979cf 608uschar dn[256];
059ec3d9 609
70e384dd
JH
610if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
611 {
612 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
613 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
614 tlsp == &tls_out ? deliver_host_address : sender_host_address);
615 return 0;
616 }
f69979cf 617dn[sizeof(dn)-1] = '\0';
059ec3d9 618
f4e62a87 619tlsp->verify_override = FALSE;
f2f2c91b 620if (preverify_ok == 0)
059ec3d9 621 {
f77197ae
JH
622 uschar * extra = verify_mode ? string_sprintf(" (during %c-verify for [%s])",
623 *verify_mode, sender_host_address)
624 : US"";
625 log_write(0, LOG_MAIN, "[%s] SSL verify error%s: depth=%d error=%s cert=%s",
626 tlsp == &tls_out ? deliver_host_address : sender_host_address,
627 extra, depth,
628 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)), dn);
a2ff477a 629 *calledp = TRUE;
9d1c15ef
JH
630 if (!*optionalp)
631 {
f69979cf
JH
632 if (!tlsp->peercert)
633 tlsp->peercert = X509_dup(cert); /* record failing cert */
634 return 0; /* reject */
9d1c15ef 635 }
059ec3d9
PH
636 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
637 "tls_try_verify_hosts)\n");
4a1bd6b9 638 tlsp->verify_override = TRUE;
059ec3d9
PH
639 }
640
a7538db1 641else if (depth != 0)
059ec3d9 642 {
f69979cf 643 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
f2de3a33 644#ifndef DISABLE_OCSP
f5d78688
JH
645 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
646 { /* client, wanting stapling */
647 /* Add the server cert's signing chain as the one
648 for the verification of the OCSP stapled information. */
94431adb 649
f5d78688 650 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
421aff85 651 cert))
f5d78688 652 ERR_clear_error();
c3033f13 653 sk_X509_push(client_static_cbinfo->verify_stack, cert);
f5d78688
JH
654 }
655#endif
0cbf2b82 656#ifndef DISABLE_EVENT
f69979cf
JH
657 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
658 return 0; /* reject, with peercert set */
a7538db1 659#endif
059ec3d9
PH
660 }
661else
662 {
55414b25 663 const uschar * verify_cert_hostnames;
e51c7be2 664
e51c7be2
JH
665 if ( tlsp == &tls_out
666 && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
afdb5e9c 667 /* client, wanting hostname check */
e51c7be2 668 {
f69979cf 669
740f36d4 670#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
f69979cf
JH
671# ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
672# define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
673# endif
674# ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
675# define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
676# endif
e51c7be2 677 int sep = 0;
55414b25 678 const uschar * list = verify_cert_hostnames;
e51c7be2 679 uschar * name;
d8e7834a
JH
680 int rc;
681 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
f40d5be3 682 if ((rc = X509_check_host(cert, CCS name, 0,
8d692470 683 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
740f36d4
JH
684 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
685 NULL)))
d8e7834a
JH
686 {
687 if (rc < 0)
688 {
93a6fce2 689 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
f77197ae 690 tlsp == &tls_out ? deliver_host_address : sender_host_address);
d8e7834a
JH
691 name = NULL;
692 }
e51c7be2 693 break;
d8e7834a 694 }
e51c7be2 695 if (!name)
f69979cf 696#else
e51c7be2 697 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
f69979cf 698#endif
e51c7be2 699 {
f77197ae
JH
700 uschar * extra = verify_mode
701 ? string_sprintf(" (during %c-verify for [%s])",
702 *verify_mode, sender_host_address)
703 : US"";
e51c7be2 704 log_write(0, LOG_MAIN,
f77197ae
JH
705 "[%s] SSL verify error%s: certificate name mismatch: DN=\"%s\" H=\"%s\"",
706 tlsp == &tls_out ? deliver_host_address : sender_host_address,
707 extra, dn, verify_cert_hostnames);
a3ef7310
JH
708 *calledp = TRUE;
709 if (!*optionalp)
f69979cf
JH
710 {
711 if (!tlsp->peercert)
712 tlsp->peercert = X509_dup(cert); /* record failing cert */
713 return 0; /* reject */
714 }
4a1bd6b9 715 DEBUG(D_tls) debug_printf("SSL verify name failure overridden (host in "
a3ef7310 716 "tls_try_verify_hosts)\n");
4a1bd6b9 717 tlsp->verify_override = TRUE;
e51c7be2 718 }
f69979cf 719 }
e51c7be2 720
0cbf2b82 721#ifndef DISABLE_EVENT
f69979cf
JH
722 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
723 return 0; /* reject, with peercert set */
e51c7be2
JH
724#endif
725
93dcb1c2 726 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
f69979cf 727 *calledp ? "" : " authenticated", dn);
93dcb1c2 728 *calledp = TRUE;
059ec3d9
PH
729 }
730
a7538db1 731return 1; /* accept, at least for this level */
059ec3d9
PH
732}
733
a2ff477a 734static int
f2f2c91b 735verify_callback_client(int preverify_ok, X509_STORE_CTX *x509ctx)
a2ff477a 736{
f2f2c91b
JH
737return verify_callback(preverify_ok, x509ctx, &tls_out,
738 &client_verify_callback_called, &client_verify_optional);
a2ff477a
JH
739}
740
741static int
f2f2c91b 742verify_callback_server(int preverify_ok, X509_STORE_CTX *x509ctx)
a2ff477a 743{
f2f2c91b
JH
744return verify_callback(preverify_ok, x509ctx, &tls_in,
745 &server_verify_callback_called, &server_verify_optional);
a2ff477a
JH
746}
747
059ec3d9 748
c0635b6d 749#ifdef SUPPORT_DANE
53a7196b 750
e5cccda9
JH
751/* This gets called *by* the dane library verify callback, which interposes
752itself.
753*/
754static int
f2f2c91b 755verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
e5cccda9
JH
756{
757X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
f69979cf 758uschar dn[256];
83b27293 759int depth = X509_STORE_CTX_get_error_depth(x509ctx);
5c75db2e 760#ifndef DISABLE_EVENT
f69979cf 761BOOL dummy_called, optional = FALSE;
83b27293 762#endif
e5cccda9 763
70e384dd
JH
764if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
765 {
766 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
767 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
768 deliver_host_address);
769 return 0;
770 }
f69979cf 771dn[sizeof(dn)-1] = '\0';
e5cccda9 772
f2f2c91b
JH
773DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
774 preverify_ok ? "ok":"BAD", depth, dn);
e5cccda9 775
0cbf2b82 776#ifndef DISABLE_EVENT
f69979cf
JH
777 if (verify_event(&tls_out, cert, depth, dn,
778 &dummy_called, &optional, US"DANE"))
779 return 0; /* reject, with peercert set */
83b27293
JH
780#endif
781
f2f2c91b 782if (preverify_ok == 1)
6fbf3599 783 {
4a1bd6b9 784 tls_out.dane_verified = TRUE;
6fbf3599
JH
785#ifndef DISABLE_OCSP
786 if (client_static_cbinfo->u_ocsp.client.verify_store)
787 { /* client, wanting stapling */
788 /* Add the server cert's signing chain as the one
789 for the verification of the OCSP stapled information. */
790
791 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
792 cert))
793 ERR_clear_error();
794 sk_X509_push(client_static_cbinfo->verify_stack, cert);
795 }
796#endif
797 }
f2f2c91b
JH
798else
799 {
800 int err = X509_STORE_CTX_get_error(x509ctx);
801 DEBUG(D_tls)
802 debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
3c51463e 803 if (err == X509_V_ERR_APPLICATION_VERIFICATION)
f2f2c91b
JH
804 preverify_ok = 1;
805 }
806return preverify_ok;
e5cccda9 807}
53a7196b 808
c0635b6d 809#endif /*SUPPORT_DANE*/
e5cccda9 810
059ec3d9
PH
811
812/*************************************************
813* Information callback *
814*************************************************/
815
816/* The SSL library functions call this from time to time to indicate what they
7be682ca
PP
817are doing. We copy the string to the debugging output when TLS debugging has
818been requested.
059ec3d9
PH
819
820Arguments:
821 s the SSL connection
822 where
823 ret
824
825Returns: nothing
826*/
827
828static void
829info_callback(SSL *s, int where, int ret)
830{
0abc5a13
JH
831DEBUG(D_tls)
832 {
833 const uschar * str;
834
835 if (where & SSL_ST_CONNECT)
48224640 836 str = US"SSL_connect";
0abc5a13 837 else if (where & SSL_ST_ACCEPT)
48224640 838 str = US"SSL_accept";
0abc5a13 839 else
48224640 840 str = US"SSL info (undefined)";
0abc5a13
JH
841
842 if (where & SSL_CB_LOOP)
843 debug_printf("%s: %s\n", str, SSL_state_string_long(s));
844 else if (where & SSL_CB_ALERT)
845 debug_printf("SSL3 alert %s:%s:%s\n",
48224640 846 str = where & SSL_CB_READ ? US"read" : US"write",
0abc5a13
JH
847 SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
848 else if (where & SSL_CB_EXIT)
849 if (ret == 0)
850 debug_printf("%s: failed in %s\n", str, SSL_state_string_long(s));
851 else if (ret < 0)
852 debug_printf("%s: error in %s\n", str, SSL_state_string_long(s));
853 else if (where & SSL_CB_HANDSHAKE_START)
854 debug_printf("%s: hshake start: %s\n", str, SSL_state_string_long(s));
855 else if (where & SSL_CB_HANDSHAKE_DONE)
856 debug_printf("%s: hshake done: %s\n", str, SSL_state_string_long(s));
857 }
059ec3d9
PH
858}
859
8238bc7b 860#ifdef OPENSSL_HAVE_KEYLOG_CB
8a40db1c
JH
861static void
862keylog_callback(const SSL *ssl, const char *line)
863{
2e5d9e71
JH
864char * filename;
865FILE * fp;
8a40db1c 866DEBUG(D_tls) debug_printf("%.200s\n", line);
2e5d9e71
JH
867if (!(filename = getenv("SSLKEYLOGFILE"))) return;
868if (!(fp = fopen(filename, "a"))) return;
869fprintf(fp, "%s\n", line);
870fclose(fp);
8a40db1c 871}
8238bc7b 872#endif
8a40db1c 873
059ec3d9 874
b10c87b3
JH
875#ifdef EXPERIMENTAL_TLS_RESUME
876/* Manage the keysets used for encrypting the session tickets, on the server. */
877
878typedef struct { /* Session ticket encryption key */
879 uschar name[16];
880
881 const EVP_CIPHER * aes_cipher;
4d93129f 882 uschar aes_key[32]; /* size needed depends on cipher. aes_128 implies 128/8 = 16? */
b10c87b3
JH
883 const EVP_MD * hmac_hash;
884 uschar hmac_key[16];
885 time_t renew;
886 time_t expire;
887} exim_stek;
888
4d93129f
JH
889static exim_stek exim_tk; /* current key */
890static exim_stek exim_tk_old; /* previous key */
b10c87b3
JH
891
892static void
893tk_init(void)
894{
4d93129f
JH
895time_t t = time(NULL);
896
b10c87b3
JH
897if (exim_tk.name[0])
898 {
4d93129f 899 if (exim_tk.renew >= t) return;
b10c87b3
JH
900 exim_tk_old = exim_tk;
901 }
902
903if (f.running_in_test_harness) ssl_session_timeout = 6;
904
905DEBUG(D_tls) debug_printf("OpenSSL: %s STEK\n", exim_tk.name[0] ? "rotating" : "creating");
906if (RAND_bytes(exim_tk.aes_key, sizeof(exim_tk.aes_key)) <= 0) return;
907if (RAND_bytes(exim_tk.hmac_key, sizeof(exim_tk.hmac_key)) <= 0) return;
908if (RAND_bytes(exim_tk.name+1, sizeof(exim_tk.name)-1) <= 0) return;
909
910exim_tk.name[0] = 'E';
4d93129f 911exim_tk.aes_cipher = EVP_aes_256_cbc();
b10c87b3 912exim_tk.hmac_hash = EVP_sha256();
4d93129f
JH
913exim_tk.expire = t + ssl_session_timeout;
914exim_tk.renew = t + ssl_session_timeout/2;
b10c87b3
JH
915}
916
917static exim_stek *
918tk_current(void)
919{
920if (!exim_tk.name[0]) return NULL;
921return &exim_tk;
922}
923
924static exim_stek *
925tk_find(const uschar * name)
926{
927return memcmp(name, exim_tk.name, sizeof(exim_tk.name)) == 0 ? &exim_tk
928 : memcmp(name, exim_tk_old.name, sizeof(exim_tk_old.name)) == 0 ? &exim_tk_old
929 : NULL;
930}
931
932/* Callback for session tickets, on server */
933static int
934ticket_key_callback(SSL * ssl, uschar key_name[16],
935 uschar * iv, EVP_CIPHER_CTX * ctx, HMAC_CTX * hctx, int enc)
936{
937tls_support * tlsp = server_static_cbinfo->tlsp;
938exim_stek * key;
939
940if (enc)
941 {
942 DEBUG(D_tls) debug_printf("ticket_key_callback: create new session\n");
943 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
944
945 if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) <= 0)
946 return -1; /* insufficient random */
947
948 if (!(key = tk_current())) /* current key doesn't exist or isn't valid */
949 return 0; /* key couldn't be created */
950 memcpy(key_name, key->name, 16);
d70fc283 951 DEBUG(D_tls) debug_printf("STEK expire " TIME_T_FMT "\n", key->expire - time(NULL));
b10c87b3
JH
952
953 /*XXX will want these dependent on the ssl session strength */
954 HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
955 key->hmac_hash, NULL);
956 EVP_EncryptInit_ex(ctx, key->aes_cipher, NULL, key->aes_key, iv);
957
958 DEBUG(D_tls) debug_printf("ticket created\n");
959 return 1;
960 }
961else
962 {
963 time_t now = time(NULL);
964
965 DEBUG(D_tls) debug_printf("ticket_key_callback: retrieve session\n");
966 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
967
968 if (!(key = tk_find(key_name)) || key->expire < now)
969 {
970 DEBUG(D_tls)
971 {
972 debug_printf("ticket not usable (%s)\n", key ? "expired" : "not found");
d70fc283 973 if (key) debug_printf("STEK expire " TIME_T_FMT "\n", key->expire - now);
b10c87b3
JH
974 }
975 return 0;
976 }
977
978 HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
979 key->hmac_hash, NULL);
980 EVP_DecryptInit_ex(ctx, key->aes_cipher, NULL, key->aes_key, iv);
981
d70fc283 982 DEBUG(D_tls) debug_printf("ticket usable, STEK expire " TIME_T_FMT "\n", key->expire - now);
dea4b568
JH
983
984 /* The ticket lifetime and renewal are the same as the STEK lifetime and
985 renewal, which is overenthusiastic. A factor of, say, 3x longer STEK would
986 be better. To do that we'd have to encode ticket lifetime in the name as
987 we don't yet see the restored session. Could check posthandshake for TLS1.3
988 and trigger a new ticket then, but cannot do that for TLS1.2 */
b10c87b3
JH
989 return key->renew < now ? 2 : 1;
990 }
991}
992#endif
993
994
059ec3d9
PH
995
996/*************************************************
997* Initialize for DH *
998*************************************************/
999
1000/* If dhparam is set, expand it, and load up the parameters for DH encryption.
1001
1002Arguments:
038597d2 1003 sctx The current SSL CTX (inbound or outbound)
a799883d 1004 dhparam DH parameter file or fixed parameter identity string
7199e1ee 1005 host connected host, if client; NULL if server
cf0c6164 1006 errstr error string pointer
059ec3d9
PH
1007
1008Returns: TRUE if OK (nothing to set up, or setup worked)
1009*/
1010
1011static BOOL
cf0c6164 1012init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host, uschar ** errstr)
059ec3d9 1013{
059ec3d9
PH
1014BIO *bio;
1015DH *dh;
1016uschar *dhexpanded;
a799883d 1017const char *pem;
6600985a 1018int dh_bitsize;
059ec3d9 1019
cf0c6164 1020if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded, errstr))
059ec3d9
PH
1021 return FALSE;
1022
0df4ab80 1023if (!dhexpanded || !*dhexpanded)
a799883d 1024 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
a799883d 1025else if (dhexpanded[0] == '/')
059ec3d9 1026 {
0df4ab80 1027 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
059ec3d9 1028 {
7199e1ee 1029 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
cf0c6164 1030 host, US strerror(errno), errstr);
a799883d 1031 return FALSE;
059ec3d9 1032 }
a799883d
PP
1033 }
1034else
1035 {
1036 if (Ustrcmp(dhexpanded, "none") == 0)
059ec3d9 1037 {
a799883d
PP
1038 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
1039 return TRUE;
059ec3d9 1040 }
a799883d 1041
0df4ab80 1042 if (!(pem = std_dh_prime_named(dhexpanded)))
a799883d
PP
1043 {
1044 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
cf0c6164 1045 host, US strerror(errno), errstr);
a799883d
PP
1046 return FALSE;
1047 }
1048 bio = BIO_new_mem_buf(CS pem, -1);
1049 }
1050
0df4ab80 1051if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
a799883d 1052 {
059ec3d9 1053 BIO_free(bio);
a799883d 1054 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
cf0c6164 1055 host, NULL, errstr);
a799883d
PP
1056 return FALSE;
1057 }
1058
6600985a
PP
1059/* note: our default limit of 2236 is not a multiple of 8; the limit comes from
1060 * an NSS limit, and the GnuTLS APIs handle bit-sizes fine, so we went with
1061 * 2236. But older OpenSSL can only report in bytes (octets), not bits.
1062 * If someone wants to dance at the edge, then they can raise the limit or use
1063 * current libraries. */
1064#ifdef EXIM_HAVE_OPENSSL_DH_BITS
1065/* Added in commit 26c79d5641d; `git describe --contains` says OpenSSL_1_1_0-pre1~1022
1066 * This predates OpenSSL_1_1_0 (before a, b, ...) so is in all 1.1.0 */
1067dh_bitsize = DH_bits(dh);
1068#else
1069dh_bitsize = 8 * DH_size(dh);
1070#endif
1071
a799883d
PP
1072/* Even if it is larger, we silently return success rather than cause things
1073 * to fail out, so that a too-large DH will not knock out all TLS; it's a
1074 * debatable choice. */
6600985a 1075if (dh_bitsize > tls_dh_max_bits)
a799883d
PP
1076 {
1077 DEBUG(D_tls)
170f4904 1078 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d\n",
6600985a 1079 dh_bitsize, tls_dh_max_bits);
a799883d
PP
1080 }
1081else
1082 {
1083 SSL_CTX_set_tmp_dh(sctx, dh);
1084 DEBUG(D_tls)
1085 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
6600985a 1086 dhexpanded ? dhexpanded : US"default", dh_bitsize);
059ec3d9
PH
1087 }
1088
a799883d
PP
1089DH_free(dh);
1090BIO_free(bio);
1091
1092return TRUE;
059ec3d9
PH
1093}
1094
1095
1096
1097
038597d2
PP
1098/*************************************************
1099* Initialize for ECDH *
1100*************************************************/
1101
1102/* Load parameters for ECDH encryption.
1103
1104For now, we stick to NIST P-256 because: it's simple and easy to configure;
1105it avoids any patent issues that might bite redistributors; despite events in
1106the news and concerns over curve choices, we're not cryptographers, we're not
1107pretending to be, and this is "good enough" to be better than no support,
1108protecting against most adversaries. Given another year or two, there might
1109be sufficient clarity about a "right" way forward to let us make an informed
1110decision, instead of a knee-jerk reaction.
1111
1112Longer-term, we should look at supporting both various named curves and
1113external files generated with "openssl ecparam", much as we do for init_dh().
1114We should also support "none" as a value, to explicitly avoid initialisation.
1115
1116Patches welcome.
1117
1118Arguments:
1119 sctx The current SSL CTX (inbound or outbound)
1120 host connected host, if client; NULL if server
cf0c6164 1121 errstr error string pointer
038597d2
PP
1122
1123Returns: TRUE if OK (nothing to set up, or setup worked)
1124*/
1125
1126static BOOL
cf0c6164 1127init_ecdh(SSL_CTX * sctx, host_item * host, uschar ** errstr)
038597d2 1128{
63f0dbe0
JH
1129#ifdef OPENSSL_NO_ECDH
1130return TRUE;
1131#else
1132
10ca4f1c
JH
1133EC_KEY * ecdh;
1134uschar * exp_curve;
1135int nid;
1136BOOL rv;
1137
038597d2
PP
1138if (host) /* No ECDH setup for clients, only for servers */
1139 return TRUE;
1140
10ca4f1c 1141# ifndef EXIM_HAVE_ECDH
038597d2
PP
1142DEBUG(D_tls)
1143 debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
1144return TRUE;
038597d2 1145# else
10ca4f1c 1146
cf0c6164 1147if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr))
10ca4f1c
JH
1148 return FALSE;
1149if (!exp_curve || !*exp_curve)
1150 return TRUE;
1151
8e53a4fc 1152/* "auto" needs to be handled carefully.
4c04137d 1153 * OpenSSL < 1.0.2: we do not select anything, but fallback to prime256v1
8e53a4fc 1154 * OpenSSL < 1.1.0: we have to call SSL_CTX_set_ecdh_auto
4c04137d 1155 * (openssl/ssl.h defines SSL_CTRL_SET_ECDH_AUTO)
8e53a4fc
HSHR
1156 * OpenSSL >= 1.1.0: we do not set anything, the libray does autoselection
1157 * https://github.com/openssl/openssl/commit/fe6ef2472db933f01b59cad82aa925736935984b
1158 */
10ca4f1c 1159if (Ustrcmp(exp_curve, "auto") == 0)
038597d2 1160 {
8e53a4fc 1161#if OPENSSL_VERSION_NUMBER < 0x10002000L
10ca4f1c 1162 DEBUG(D_tls) debug_printf(
8e53a4fc 1163 "ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n");
78a3bbd5 1164 exp_curve = US"prime256v1";
8e53a4fc
HSHR
1165#else
1166# if defined SSL_CTRL_SET_ECDH_AUTO
1167 DEBUG(D_tls) debug_printf(
1168 "ECDH OpenSSL 1.0.2+ temp key parameter settings: autoselection\n");
10ca4f1c
JH
1169 SSL_CTX_set_ecdh_auto(sctx, 1);
1170 return TRUE;
8e53a4fc
HSHR
1171# else
1172 DEBUG(D_tls) debug_printf(
1173 "ECDH OpenSSL 1.1.0+ temp key parameter settings: default selection\n");
1174 return TRUE;
1175# endif
1176#endif
10ca4f1c 1177 }
038597d2 1178
10ca4f1c
JH
1179DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve);
1180if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef
1181# ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
1182 && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef
1183# endif
1184 )
1185 {
cf0c6164
JH
1186 tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve),
1187 host, NULL, errstr);
10ca4f1c
JH
1188 return FALSE;
1189 }
038597d2 1190
10ca4f1c
JH
1191if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
1192 {
cf0c6164 1193 tls_error(US"Unable to create ec curve", host, NULL, errstr);
10ca4f1c 1194 return FALSE;
038597d2 1195 }
10ca4f1c
JH
1196
1197/* The "tmp" in the name here refers to setting a temporary key
1198not to the stability of the interface. */
1199
1200if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
cf0c6164 1201 tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL, errstr);
10ca4f1c
JH
1202else
1203 DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
1204
1205EC_KEY_free(ecdh);
1206return !rv;
1207
1208# endif /*EXIM_HAVE_ECDH*/
1209#endif /*OPENSSL_NO_ECDH*/
038597d2
PP
1210}
1211
1212
1213
1214
f2de3a33 1215#ifndef DISABLE_OCSP
3f7eeb86
PP
1216/*************************************************
1217* Load OCSP information into state *
1218*************************************************/
f5d78688 1219/* Called to load the server OCSP response from the given file into memory, once
3f7eeb86
PP
1220caller has determined this is needed. Checks validity. Debugs a message
1221if invalid.
1222
1223ASSUMES: single response, for single cert.
1224
1225Arguments:
1226 sctx the SSL_CTX* to update
1227 cbinfo various parts of session state
5b2fd993 1228 filename the filename putatively holding an OCSP response
86ede124 1229 is_pem file is PEM format; otherwise is DER
3f7eeb86
PP
1230
1231*/
1232
1233static void
5b2fd993 1234ocsp_load_response(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo,
86ede124 1235 const uschar * filename, BOOL is_pem)
3f7eeb86 1236{
ee5b1e28
JH
1237BIO * bio;
1238OCSP_RESPONSE * resp;
1239OCSP_BASICRESP * basic_response;
1240OCSP_SINGLERESP * single_response;
1241ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
ee5b1e28 1242STACK_OF(X509) * sk;
3f7eeb86
PP
1243unsigned long verify_flags;
1244int status, reason, i;
1245
86ede124
JH
1246DEBUG(D_tls)
1247 debug_printf("tls_ocsp_file (%s) '%s'\n", is_pem ? "PEM" : "DER", filename);
3f7eeb86 1248
5b2fd993 1249if (!(bio = BIO_new_file(CS filename, "rb")))
3f7eeb86
PP
1250 {
1251 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
5b2fd993 1252 filename);
3f7eeb86
PP
1253 return;
1254 }
1255
86ede124
JH
1256if (is_pem)
1257 {
1258 uschar * data, * freep;
1259 char * dummy;
1260 long len;
1261 if (!PEM_read_bio(bio, &dummy, &dummy, &data, &len))
1262 {
1263 DEBUG(D_tls) debug_printf("Failed to read PEM file \"%s\"\n",
1264 filename);
1265 return;
1266 }
1267debug_printf("read pem file\n");
1268 freep = data;
1269 resp = d2i_OCSP_RESPONSE(NULL, CUSS &data, len);
1270 OPENSSL_free(freep);
1271 }
1272else
1273 resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
3f7eeb86 1274BIO_free(bio);
86ede124 1275
3f7eeb86
PP
1276if (!resp)
1277 {
1278 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
1279 return;
1280 }
1281
ee5b1e28 1282if ((status = OCSP_response_status(resp)) != OCSP_RESPONSE_STATUS_SUCCESSFUL)
3f7eeb86
PP
1283 {
1284 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
1285 OCSP_response_status_str(status), status);
f5d78688 1286 goto bad;
3f7eeb86
PP
1287 }
1288
5b2fd993
JH
1289#ifdef notdef
1290 {
1291 BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
1292 OCSP_RESPONSE_print(bp, resp, 0); /* extreme debug: stapling content */
1293 BIO_free(bp);
1294 }
1295#endif
1296
ee5b1e28 1297if (!(basic_response = OCSP_response_get1_basic(resp)))
3f7eeb86
PP
1298 {
1299 DEBUG(D_tls)
1300 debug_printf("OCSP response parse error: unable to extract basic response.\n");
f5d78688 1301 goto bad;
3f7eeb86
PP
1302 }
1303
c3033f13 1304sk = cbinfo->verify_stack;
3f7eeb86
PP
1305verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
1306
1307/* May need to expose ability to adjust those flags?
1308OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
1309OCSP_TRUSTOTHER OCSP_NOINTERN */
1310
4c04137d 1311/* This does a full verify on the OCSP proof before we load it for serving
ee5b1e28
JH
1312up; possibly overkill - just date-checks might be nice enough.
1313
1314OCSP_basic_verify takes a "store" arg, but does not
1315use it for the chain verification, which is all we do
1316when OCSP_NOVERIFY is set. The content from the wire
1317"basic_response" and a cert-stack "sk" are all that is used.
1318
c3033f13
JH
1319We have a stack, loaded in setup_certs() if tls_verify_certificates
1320was a file (not a directory, or "system"). It is unfortunate we
1321cannot used the connection context store, as that would neatly
1322handle the "system" case too, but there seems to be no library
1323function for getting a stack from a store.
e3555426 1324[ In OpenSSL 1.1 - ? X509_STORE_CTX_get0_chain(ctx) ? ]
c3033f13
JH
1325We do not free the stack since it could be needed a second time for
1326SNI handling.
1327
4c04137d 1328Separately we might try to replace using OCSP_basic_verify() - which seems to not
5ec37a55 1329be a public interface into the OpenSSL library (there's no manual entry) -
ee5b1e28 1330But what with? We also use OCSP_basic_verify in the client stapling callback.
4c04137d 1331And there we NEED it; we must verify that status... unless the
ee5b1e28
JH
1332library does it for us anyway? */
1333
1334if ((i = OCSP_basic_verify(basic_response, sk, NULL, verify_flags)) < 0)
3f7eeb86 1335 {
ee5b1e28
JH
1336 DEBUG(D_tls)
1337 {
0abc5a13 1338 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3f7eeb86 1339 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
f5d78688
JH
1340 }
1341 goto bad;
3f7eeb86
PP
1342 }
1343
1344/* Here's the simplifying assumption: there's only one response, for the
1345one certificate we use, and nothing for anything else in a chain. If this
1346proves false, we need to extract a cert id from our issued cert
1347(tls_certificate) and use that for OCSP_resp_find_status() (which finds the
1348right cert in the stack and then calls OCSP_single_get0_status()).
1349
5b2fd993
JH
1350I'm hoping to avoid reworking a bunch more of how we handle state here.
1351
1352XXX that will change when we add support for (TLS1.3) whole-chain stapling
1353*/
ee5b1e28
JH
1354
1355if (!(single_response = OCSP_resp_get0(basic_response, 0)))
3f7eeb86
PP
1356 {
1357 DEBUG(D_tls)
1358 debug_printf("Unable to get first response from OCSP basic response.\n");
f5d78688 1359 goto bad;
3f7eeb86
PP
1360 }
1361
1362status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
f5d78688 1363if (status != V_OCSP_CERTSTATUS_GOOD)
3f7eeb86 1364 {
f5d78688
JH
1365 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
1366 OCSP_cert_status_str(status), status,
1367 OCSP_crl_reason_str(reason), reason);
1368 goto bad;
3f7eeb86
PP
1369 }
1370
1371if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1372 {
1373 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
f5d78688 1374 goto bad;
3f7eeb86
PP
1375 }
1376
f5d78688 1377supply_response:
5b2fd993
JH
1378 /* Add the resp to the list used by tls_server_stapling_cb() */
1379 {
1380 ocsp_resplist ** op = &cbinfo->u_ocsp.server.olist, * oentry;
1381 while (oentry = *op)
1382 op = &oentry->next;
1383 *op = oentry = store_get(sizeof(ocsp_resplist), FALSE);
1384 oentry->next = NULL;
1385 oentry->resp = resp;
1386 }
f5d78688
JH
1387return;
1388
1389bad:
8768d548 1390 if (f.running_in_test_harness)
018058b2
JH
1391 {
1392 extern char ** environ;
d7978c0f 1393 if (environ) for (uschar ** p = USS environ; *p; p++)
018058b2
JH
1394 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
1395 {
1396 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
1397 goto supply_response;
1398 }
1399 }
f5d78688 1400return;
3f7eeb86 1401}
5b2fd993
JH
1402
1403
1404static void
1405ocsp_free_response_list(tls_ext_ctx_cb * cbinfo)
1406{
1407for (ocsp_resplist * olist = cbinfo->u_ocsp.server.olist; olist;
1408 olist = olist->next)
1409 OCSP_RESPONSE_free(olist->resp);
1410cbinfo->u_ocsp.server.olist = NULL;
1411}
f2de3a33 1412#endif /*!DISABLE_OCSP*/
3f7eeb86
PP
1413
1414
1415
1416
23bb6982
JH
1417/* Create and install a selfsigned certificate, for use in server mode */
1418
1419static int
cf0c6164 1420tls_install_selfsign(SSL_CTX * sctx, uschar ** errstr)
23bb6982
JH
1421{
1422X509 * x509 = NULL;
1423EVP_PKEY * pkey;
1424RSA * rsa;
1425X509_NAME * name;
1426uschar * where;
1427
1428where = US"allocating pkey";
1429if (!(pkey = EVP_PKEY_new()))
1430 goto err;
1431
1432where = US"allocating cert";
1433if (!(x509 = X509_new()))
1434 goto err;
1435
1436where = US"generating pkey";
6aac3239 1437if (!(rsa = rsa_callback(NULL, 0, 2048)))
23bb6982
JH
1438 goto err;
1439
4c04137d 1440where = US"assigning pkey";
23bb6982
JH
1441if (!EVP_PKEY_assign_RSA(pkey, rsa))
1442 goto err;
1443
1444X509_set_version(x509, 2); /* N+1 - version 3 */
1613fd68 1445ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
23bb6982
JH
1446X509_gmtime_adj(X509_get_notBefore(x509), 0);
1447X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60); /* 1 hour */
1448X509_set_pubkey(x509, pkey);
1449
1450name = X509_get_subject_name(x509);
1451X509_NAME_add_entry_by_txt(name, "C",
4dc2379a 1452 MBSTRING_ASC, CUS "UK", -1, -1, 0);
23bb6982 1453X509_NAME_add_entry_by_txt(name, "O",
4dc2379a 1454 MBSTRING_ASC, CUS "Exim Developers", -1, -1, 0);
23bb6982 1455X509_NAME_add_entry_by_txt(name, "CN",
4dc2379a 1456 MBSTRING_ASC, CUS smtp_active_hostname, -1, -1, 0);
23bb6982
JH
1457X509_set_issuer_name(x509, name);
1458
1459where = US"signing cert";
1460if (!X509_sign(x509, pkey, EVP_md5()))
1461 goto err;
1462
1463where = US"installing selfsign cert";
1464if (!SSL_CTX_use_certificate(sctx, x509))
1465 goto err;
1466
1467where = US"installing selfsign key";
1468if (!SSL_CTX_use_PrivateKey(sctx, pkey))
1469 goto err;
1470
1471return OK;
1472
1473err:
cf0c6164 1474 (void) tls_error(where, NULL, NULL, errstr);
23bb6982
JH
1475 if (x509) X509_free(x509);
1476 if (pkey) EVP_PKEY_free(pkey);
1477 return DEFER;
1478}
1479
1480
1481
1482
ba86e143
JH
1483static int
1484tls_add_certfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1485 uschar ** errstr)
1486{
5b2fd993 1487DEBUG(D_tls) debug_printf("tls_certificate file '%s'\n", file);
ba86e143
JH
1488if (!SSL_CTX_use_certificate_chain_file(sctx, CS file))
1489 return tls_error(string_sprintf(
1490 "SSL_CTX_use_certificate_chain_file file=%s", file),
1491 cbinfo->host, NULL, errstr);
1492return 0;
1493}
1494
1495static int
1496tls_add_pkeyfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1497 uschar ** errstr)
1498{
5b2fd993 1499DEBUG(D_tls) debug_printf("tls_privatekey file '%s'\n", file);
ba86e143
JH
1500if (!SSL_CTX_use_PrivateKey_file(sctx, CS file, SSL_FILETYPE_PEM))
1501 return tls_error(string_sprintf(
1502 "SSL_CTX_use_PrivateKey_file file=%s", file), cbinfo->host, NULL, errstr);
1503return 0;
1504}
1505
1506
059ec3d9 1507/*************************************************
7be682ca
PP
1508* Expand key and cert file specs *
1509*************************************************/
1510
f5d78688 1511/* Called once during tls_init and possibly again during TLS setup, for a
7be682ca
PP
1512new context, if Server Name Indication was used and tls_sni was seen in
1513the certificate string.
1514
1515Arguments:
1516 sctx the SSL_CTX* to update
1517 cbinfo various parts of session state
cf0c6164 1518 errstr error string pointer
7be682ca
PP
1519
1520Returns: OK/DEFER/FAIL
1521*/
1522
1523static int
5b2fd993 1524tls_expand_session_files(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo,
cf0c6164 1525 uschar ** errstr)
7be682ca 1526{
5b2fd993 1527uschar * expanded;
7be682ca 1528
23bb6982 1529if (!cbinfo->certificate)
7be682ca 1530 {
ba86e143 1531 if (!cbinfo->is_server) /* client */
23bb6982 1532 return OK;
afdb5e9c 1533 /* server */
cf0c6164 1534 if (tls_install_selfsign(sctx, errstr) != OK)
23bb6982 1535 return DEFER;
7be682ca 1536 }
23bb6982
JH
1537else
1538 {
ba86e143
JH
1539 int err;
1540
5b2fd993
JH
1541 if ( !reexpand_tls_files_for_sni
1542 && ( Ustrstr(cbinfo->certificate, US"tls_sni")
1543 || Ustrstr(cbinfo->certificate, US"tls_in_sni")
1544 || Ustrstr(cbinfo->certificate, US"tls_out_sni")
1545 ) )
23bb6982 1546 reexpand_tls_files_for_sni = TRUE;
7be682ca 1547
cf0c6164 1548 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded, errstr))
23bb6982
JH
1549 return DEFER;
1550
ba86e143
JH
1551 if (expanded)
1552 if (cbinfo->is_server)
1553 {
1554 const uschar * file_list = expanded;
1555 int sep = 0;
1556 uschar * file;
5b2fd993
JH
1557#ifndef DISABLE_OCSP
1558 const uschar * olist = cbinfo->u_ocsp.server.file;
1559 int osep = 0;
1560 uschar * ofile;
86ede124 1561 BOOL fmt_pem = FALSE;
5b2fd993
JH
1562
1563 if (olist)
1564 if (!expand_check(olist, US"tls_ocsp_file", USS &olist, errstr))
1565 return DEFER;
1566 if (olist && !*olist)
1567 olist = NULL;
1568
1569 if ( cbinfo->u_ocsp.server.file_expanded && olist
1570 && (Ustrcmp(olist, cbinfo->u_ocsp.server.file_expanded) == 0))
1571 {
1572 DEBUG(D_tls) debug_printf(" - value unchanged, using existing values\n");
1573 olist = NULL;
1574 }
1575 else
1576 {
1577 ocsp_free_response_list(cbinfo);
1578 cbinfo->u_ocsp.server.file_expanded = olist;
1579 }
1580#endif
ba86e143
JH
1581
1582 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
5b2fd993 1583 {
ba86e143
JH
1584 if ((err = tls_add_certfile(sctx, cbinfo, file, errstr)))
1585 return err;
5b2fd993
JH
1586
1587#ifndef DISABLE_OCSP
1588 if (olist)
1589 if ((ofile = string_nextinlist(&olist, &osep, NULL, 0)))
86ede124
JH
1590 {
1591 if (Ustrncmp(ofile, US"PEM ", 4) == 0)
1592 {
1593 fmt_pem = TRUE;
1594 ofile += 4;
1595 }
1596 else if (Ustrncmp(ofile, US"DER ", 4) == 0)
1597 {
1598 fmt_pem = FALSE;
1599 ofile += 4;
1600 }
1601 ocsp_load_response(sctx, cbinfo, ofile, fmt_pem);
1602 }
5b2fd993
JH
1603 else
1604 DEBUG(D_tls) debug_printf("ran out of ocsp file list\n");
1605#endif
1606 }
ba86e143
JH
1607 }
1608 else /* would there ever be a need for multiple client certs? */
1609 if ((err = tls_add_certfile(sctx, cbinfo, expanded, errstr)))
1610 return err;
7be682ca 1611
5a2a0989
JH
1612 if ( cbinfo->privatekey
1613 && !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded, errstr))
23bb6982 1614 return DEFER;
7be682ca 1615
23bb6982
JH
1616 /* If expansion was forced to fail, key_expanded will be NULL. If the result
1617 of the expansion is an empty string, ignore it also, and assume the private
1618 key is in the same file as the certificate. */
1619
1620 if (expanded && *expanded)
ba86e143
JH
1621 if (cbinfo->is_server)
1622 {
1623 const uschar * file_list = expanded;
1624 int sep = 0;
1625 uschar * file;
1626
1627 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1628 if ((err = tls_add_pkeyfile(sctx, cbinfo, file, errstr)))
1629 return err;
1630 }
1631 else /* would there ever be a need for multiple client certs? */
1632 if ((err = tls_add_pkeyfile(sctx, cbinfo, expanded, errstr)))
1633 return err;
7be682ca
PP
1634 }
1635
1636return OK;
1637}
1638
1639
1640
1641
1642/*************************************************
1643* Callback to handle SNI *
1644*************************************************/
1645
1646/* Called when acting as server during the TLS session setup if a Server Name
1647Indication extension was sent by the client.
1648
1649API documentation is OpenSSL s_server.c implementation.
1650
1651Arguments:
1652 s SSL* of the current session
1653 ad unknown (part of OpenSSL API) (unused)
1654 arg Callback of "our" registered data
1655
1656Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
b10c87b3
JH
1657
1658XXX might need to change to using ClientHello callback,
1659per https://www.openssl.org/docs/manmaster/man3/SSL_client_hello_cb_fn.html
7be682ca
PP
1660*/
1661
3bcbbbe2 1662#ifdef EXIM_HAVE_OPENSSL_TLSEXT
7be682ca 1663static int
7be682ca
PP
1664tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
1665{
1666const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
3f7eeb86 1667tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
7be682ca 1668int rc;
3f0945ff 1669int old_pool = store_pool;
cf0c6164 1670uschar * dummy_errstr;
7be682ca
PP
1671
1672if (!servername)
1673 return SSL_TLSEXT_ERR_OK;
1674
3f0945ff 1675DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
7be682ca
PP
1676 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
1677
1678/* Make the extension value available for expansion */
3f0945ff 1679store_pool = POOL_PERM;
89a80675 1680tls_in.sni = string_copy_taint(US servername, TRUE);
3f0945ff 1681store_pool = old_pool;
7be682ca
PP
1682
1683if (!reexpand_tls_files_for_sni)
1684 return SSL_TLSEXT_ERR_OK;
1685
1686/* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
1687not confident that memcpy wouldn't break some internal reference counting.
1688Especially since there's a references struct member, which would be off. */
1689
7a8b9519
JH
1690#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1691if (!(server_sni = SSL_CTX_new(TLS_server_method())))
1692#else
0df4ab80 1693if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
7a8b9519 1694#endif
7be682ca 1695 {
0abc5a13 1696 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
7be682ca 1697 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
5a2a0989 1698 goto bad;
7be682ca
PP
1699 }
1700
1701/* Not sure how many of these are actually needed, since SSL object
1702already exists. Might even need this selfsame callback, for reneg? */
1703
817d9f57
JH
1704SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
1705SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
1706SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
1707SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
1708SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
1709SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
038597d2 1710
cf0c6164
JH
1711if ( !init_dh(server_sni, cbinfo->dhparam, NULL, &dummy_errstr)
1712 || !init_ecdh(server_sni, NULL, &dummy_errstr)
038597d2 1713 )
5a2a0989 1714 goto bad;
038597d2 1715
ca954d7f
JH
1716if ( cbinfo->server_cipher_list
1717 && !SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list))
5a2a0989 1718 goto bad;
ca954d7f 1719
f2de3a33 1720#ifndef DISABLE_OCSP
f5d78688 1721if (cbinfo->u_ocsp.server.file)
3f7eeb86 1722 {
f5d78688 1723 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
14c7b357 1724 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
3f7eeb86
PP
1725 }
1726#endif
7be682ca 1727
c3033f13 1728if ((rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE,
cf0c6164 1729 verify_callback_server, &dummy_errstr)) != OK)
5a2a0989 1730 goto bad;
7be682ca 1731
3f7eeb86
PP
1732/* do this after setup_certs, because this can require the certs for verifying
1733OCSP information. */
cf0c6164 1734if ((rc = tls_expand_session_files(server_sni, cbinfo, &dummy_errstr)) != OK)
5a2a0989 1735 goto bad;
a799883d 1736
7be682ca 1737DEBUG(D_tls) debug_printf("Switching SSL context.\n");
817d9f57 1738SSL_set_SSL_CTX(s, server_sni);
7be682ca 1739return SSL_TLSEXT_ERR_OK;
5a2a0989
JH
1740
1741bad: return SSL_TLSEXT_ERR_ALERT_FATAL;
7be682ca 1742}
3bcbbbe2 1743#endif /* EXIM_HAVE_OPENSSL_TLSEXT */
7be682ca
PP
1744
1745
1746
1747
f2de3a33 1748#ifndef DISABLE_OCSP
f5d78688 1749
3f7eeb86
PP
1750/*************************************************
1751* Callback to handle OCSP Stapling *
1752*************************************************/
1753
1754/* Called when acting as server during the TLS session setup if the client
1755requests OCSP information with a Certificate Status Request.
1756
1757Documentation via openssl s_server.c and the Apache patch from the OpenSSL
1758project.
1759
1760*/
1761
1762static int
f5d78688 1763tls_server_stapling_cb(SSL *s, void *arg)
3f7eeb86 1764{
5b2fd993
JH
1765const tls_ext_ctx_cb * cbinfo = (tls_ext_ctx_cb *) arg;
1766ocsp_resplist * olist = cbinfo->u_ocsp.server.olist;
1767uschar * response_der; /*XXX blob */
3f7eeb86
PP
1768int response_der_len;
1769
af4a1bca 1770DEBUG(D_tls)
5b2fd993
JH
1771 debug_printf("Received TLS status request (OCSP stapling); %s response list\n",
1772 olist ? "have" : "lack");
f5d78688 1773
44662487 1774tls_in.ocsp = OCSP_NOT_RESP;
5b2fd993 1775if (!olist)
3f7eeb86
PP
1776 return SSL_TLSEXT_ERR_NOACK;
1777
012dd02e 1778#ifdef EXIM_HAVE_OPESSL_GET0_SERIAL
5b2fd993
JH
1779 {
1780 const X509 * cert_sent = SSL_get_certificate(s);
1781 const ASN1_INTEGER * cert_serial = X509_get0_serialNumber(cert_sent);
1782 const BIGNUM * cert_bn = ASN1_INTEGER_to_BN(cert_serial, NULL);
1783 const X509_NAME * cert_issuer = X509_get_issuer_name(cert_sent);
1784 uschar * chash;
1785 uint chash_len;
1786
1787 for (; olist; olist = olist->next)
1788 {
1789 OCSP_BASICRESP * bs = OCSP_response_get1_basic(olist->resp);
1790 const OCSP_SINGLERESP * single = OCSP_resp_get0(bs, 0);
1791 const OCSP_CERTID * cid = OCSP_SINGLERESP_get0_id(single);
1792 ASN1_INTEGER * res_cert_serial;
1793 const BIGNUM * resp_bn;
1794 ASN1_OCTET_STRING * res_cert_iNameHash;
1795
1796
1797 (void) OCSP_id_get0_info(&res_cert_iNameHash, NULL, NULL, &res_cert_serial,
1798 (OCSP_CERTID *) cid);
1799 resp_bn = ASN1_INTEGER_to_BN(res_cert_serial, NULL);
1800
1801 DEBUG(D_tls)
1802 {
1803 debug_printf("cert serial: %s\n", BN_bn2hex(cert_bn));
1804 debug_printf("resp serial: %s\n", BN_bn2hex(resp_bn));
1805 }
1806
1807 if (BN_cmp(cert_bn, resp_bn) == 0)
1808 {
1809 DEBUG(D_tls) debug_printf("matched serial for ocsp\n");
1810
1811 /*XXX TODO: check the rest of the list for duplicate matches.
1812 If any, need to also check the Issuer Name hash.
1813 Without this, we will provide the wrong status in the case of
1814 duplicate id. */
1815
1816 break;
1817 }
1818 DEBUG(D_tls) debug_printf("not match serial for ocsp\n");
1819 }
1820 if (!olist)
1821 {
1822 DEBUG(D_tls) debug_printf("failed to find match for ocsp\n");
1823 return SSL_TLSEXT_ERR_NOACK;
1824 }
1825 }
012dd02e
JH
1826#else
1827if (olist->next)
1828 {
1829 DEBUG(D_tls) debug_printf("OpenSSL version too early to support multi-leaf OCSP\n");
1830 return SSL_TLSEXT_ERR_NOACK;
1831 }
1832#endif
5b2fd993
JH
1833
1834/*XXX could we do the i2d earlier, rather than during the callback? */
3f7eeb86 1835response_der = NULL;
5b2fd993 1836response_der_len = i2d_OCSP_RESPONSE(olist->resp, &response_der);
3f7eeb86
PP
1837if (response_der_len <= 0)
1838 return SSL_TLSEXT_ERR_NOACK;
1839
5e55c7a9 1840SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
44662487 1841tls_in.ocsp = OCSP_VFIED;
3f7eeb86
PP
1842return SSL_TLSEXT_ERR_OK;
1843}
1844
3f7eeb86 1845
f5d78688
JH
1846static void
1847time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
1848{
1849BIO_printf(bp, "\t%s: ", str);
1850ASN1_GENERALIZEDTIME_print(bp, time);
1851BIO_puts(bp, "\n");
1852}
1853
1854static int
1855tls_client_stapling_cb(SSL *s, void *arg)
1856{
1857tls_ext_ctx_cb * cbinfo = arg;
1858const unsigned char * p;
1859int len;
1860OCSP_RESPONSE * rsp;
1861OCSP_BASICRESP * bs;
1862int i;
1863
14003634 1864DEBUG(D_tls) debug_printf("Received TLS status callback (OCSP stapling):\n");
f5d78688
JH
1865len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1866if(!p)
1867 {
44662487 1868 /* Expect this when we requested ocsp but got none */
6c6d6e48 1869 if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
14003634 1870 log_write(0, LOG_MAIN, "Required TLS certificate status not received");
f5d78688
JH
1871 else
1872 DEBUG(D_tls) debug_printf(" null\n");
44662487 1873 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
f5d78688 1874 }
018058b2 1875
c82de233
JH
1876if (!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
1877 {
1878 tls_out.ocsp = OCSP_FAILED; /*XXX should use tlsp-> to permit concurrent outbound */
6c6d6e48 1879 if (LOGGING(tls_cipher))
1eca31ca 1880 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
f5d78688
JH
1881 else
1882 DEBUG(D_tls) debug_printf(" parse error\n");
1883 return 0;
c82de233 1884 }
f5d78688 1885
c82de233 1886if (!(bs = OCSP_response_get1_basic(rsp)))
f5d78688 1887 {
018058b2 1888 tls_out.ocsp = OCSP_FAILED;
6c6d6e48 1889 if (LOGGING(tls_cipher))
1eca31ca 1890 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
f5d78688
JH
1891 else
1892 DEBUG(D_tls) debug_printf(" error parsing response\n");
1893 OCSP_RESPONSE_free(rsp);
1894 return 0;
1895 }
1896
1897/* We'd check the nonce here if we'd put one in the request. */
1898/* However that would defeat cacheability on the server so we don't. */
1899
f5d78688
JH
1900/* This section of code reworked from OpenSSL apps source;
1901 The OpenSSL Project retains copyright:
1902 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
1903*/
1904 {
1905 BIO * bp = NULL;
86ede124
JH
1906#ifndef EXIM_HAVE_OCSP_RESP_COUNT
1907 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
1908#endif
f5d78688 1909
57887ecc 1910 DEBUG(D_tls) bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
f5d78688
JH
1911
1912 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
1913
1914 /* Use the chain that verified the server cert to verify the stapled info */
1915 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
1916
c3033f13 1917 if ((i = OCSP_basic_verify(bs, cbinfo->verify_stack,
86ede124
JH
1918 cbinfo->u_ocsp.client.verify_store, OCSP_NOEXPLICIT)) <= 0)
1919 if (ERR_peek_error())
1920 {
1921 tls_out.ocsp = OCSP_FAILED;
1922 if (LOGGING(tls_cipher)) log_write(0, LOG_MAIN,
1923 "Received TLS cert status response, itself unverifiable: %s",
1924 ERR_reason_error_string(ERR_peek_error()));
1925 BIO_printf(bp, "OCSP response verify failure\n");
1926 ERR_print_errors(bp);
1927 OCSP_RESPONSE_print(bp, rsp, 0);
1928 goto failed;
1929 }
1930 else
1931 DEBUG(D_tls) debug_printf("no explicit trust for OCSP signing"
1932 " in the root CA certificate; ignoring\n");
f5d78688 1933
86ede124 1934 DEBUG(D_tls) debug_printf("OCSP response well-formed and signed OK\n");
f5d78688 1935
c8dfb21d
JH
1936 /*XXX So we have a good stapled OCSP status. How do we know
1937 it is for the cert of interest? OpenSSL 1.1.0 has a routine
1938 OCSP_resp_find_status() which matches on a cert id, which presumably
1939 we should use. Making an id needs OCSP_cert_id_new(), which takes
1940 issuerName, issuerKey, serialNumber. Are they all in the cert?
1941
1942 For now, carry on blindly accepting the resp. */
1943
86ede124 1944 for (int idx =
c8dfb21d 1945#ifdef EXIM_HAVE_OCSP_RESP_COUNT
86ede124 1946 OCSP_resp_count(bs) - 1;
c8dfb21d 1947#else
86ede124 1948 sk_OCSP_SINGLERESP_num(sresp) - 1;
c8dfb21d 1949#endif
86ede124
JH
1950 idx >= 0; idx--)
1951 {
1952 OCSP_SINGLERESP * single = OCSP_resp_get0(bs, idx);
1953 int status, reason;
1954 ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
1955
1956 /*XXX so I can see putting a loop in here to handle a rsp with >1 singleresp
1957 - but what happens with a GnuTLS-style input?
1958
1959 we could do with a debug label for each singleresp
1960 - it has a certID with a serialNumber, but I see no API to get that
1961 */
44662487
JH
1962 status = OCSP_single_get0_status(single, &reason, &rev,
1963 &thisupd, &nextupd);
f5d78688 1964
86ede124
JH
1965 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
1966 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
1967 if (!OCSP_check_validity(thisupd, nextupd,
1968 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1969 {
1970 tls_out.ocsp = OCSP_FAILED;
1971 DEBUG(D_tls) ERR_print_errors(bp);
1972 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
1973 goto failed;
1974 }
1975
44662487
JH
1976 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
1977 OCSP_cert_status_str(status));
1978 switch(status)
1979 {
1980 case V_OCSP_CERTSTATUS_GOOD:
86ede124 1981 continue; /* the idx loop */
44662487
JH
1982 case V_OCSP_CERTSTATUS_REVOKED:
1983 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
1984 reason != -1 ? "; reason: " : "",
1985 reason != -1 ? OCSP_crl_reason_str(reason) : "");
1986 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
44662487
JH
1987 break;
1988 default:
1989 log_write(0, LOG_MAIN,
1990 "Server certificate status unknown, in OCSP stapling");
44662487
JH
1991 break;
1992 }
86ede124
JH
1993
1994 goto failed;
f5d78688 1995 }
86ede124
JH
1996
1997 i = 1;
1998 tls_out.ocsp = OCSP_VFIED;
1999 goto good;
2000
c8dfb21d 2001 failed:
86ede124 2002 tls_out.ocsp = OCSP_FAILED;
c8dfb21d
JH
2003 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
2004 good:
f5d78688
JH
2005 BIO_free(bp);
2006 }
2007
2008OCSP_RESPONSE_free(rsp);
2009return i;
2010}
f2de3a33 2011#endif /*!DISABLE_OCSP*/
3f7eeb86
PP
2012
2013
7be682ca 2014/*************************************************
059ec3d9
PH
2015* Initialize for TLS *
2016*************************************************/
2017
b038d456
JH
2018static void
2019tls_openssl_init(void)
2020{
2021#ifdef EXIM_NEED_OPENSSL_INIT
2022SSL_load_error_strings(); /* basic set up */
2023OpenSSL_add_ssl_algorithms();
2024#endif
2025
2026#if defined(EXIM_HAVE_SHA256) && !defined(OPENSSL_AUTO_SHA256)
2027/* SHA256 is becoming ever more popular. This makes sure it gets added to the
2028list of available digests. */
2029EVP_add_digest(EVP_sha256());
2030#endif
2031}
2032
2033
2034
e51c7be2
JH
2035/* Called from both server and client code, to do preliminary initialization
2036of the library. We allocate and return a context structure.
059ec3d9
PH
2037
2038Arguments:
946ecbe0 2039 ctxp returned SSL context
059ec3d9
PH
2040 host connected host, if client; NULL if server
2041 dhparam DH parameter file
2042 certificate certificate file
2043 privatekey private key
f5d78688 2044 ocsp_file file of stapling info (server); flag for require ocsp (client)
059ec3d9 2045 addr address if client; NULL if server (for some randomness)
946ecbe0 2046 cbp place to put allocated callback context
cf0c6164 2047 errstr error string pointer
059ec3d9
PH
2048
2049Returns: OK/DEFER/FAIL
2050*/
2051
2052static int
817d9f57 2053tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
3f7eeb86 2054 uschar *privatekey,
f2de3a33 2055#ifndef DISABLE_OCSP
5b2fd993 2056 uschar *ocsp_file,
3f7eeb86 2057#endif
b10c87b3
JH
2058 address_item *addr, tls_ext_ctx_cb ** cbp,
2059 tls_support * tlsp,
2060 uschar ** errstr)
059ec3d9 2061{
7006ee24 2062SSL_CTX * ctx;
77bb000f 2063long init_options;
7be682ca 2064int rc;
a7538db1 2065tls_ext_ctx_cb * cbinfo;
7be682ca
PP
2066
2067cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
b10c87b3 2068cbinfo->tlsp = tlsp;
7be682ca
PP
2069cbinfo->certificate = certificate;
2070cbinfo->privatekey = privatekey;
a6510420 2071cbinfo->is_server = host==NULL;
f2de3a33 2072#ifndef DISABLE_OCSP
c3033f13 2073cbinfo->verify_stack = NULL;
a6510420 2074if (!host)
f5d78688
JH
2075 {
2076 cbinfo->u_ocsp.server.file = ocsp_file;
2077 cbinfo->u_ocsp.server.file_expanded = NULL;
5b2fd993 2078 cbinfo->u_ocsp.server.olist = NULL;
f5d78688
JH
2079 }
2080else
2081 cbinfo->u_ocsp.client.verify_store = NULL;
3f7eeb86 2082#endif
7be682ca 2083cbinfo->dhparam = dhparam;
0df4ab80 2084cbinfo->server_cipher_list = NULL;
7be682ca 2085cbinfo->host = host;
0cbf2b82 2086#ifndef DISABLE_EVENT
a7538db1
JH
2087cbinfo->event_action = NULL;
2088#endif
77bb000f 2089
b038d456 2090tls_openssl_init();
a0475b69 2091
f0f5a555
PP
2092/* Create a context.
2093The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
2094negotiation in the different methods; as far as I can tell, the only
2095*_{server,client}_method which allows negotiation is SSLv23, which exists even
2096when OpenSSL is built without SSLv2 support.
2097By disabling with openssl_options, we can let admins re-enable with the
2098existing knob. */
059ec3d9 2099
7a8b9519
JH
2100#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
2101if (!(ctx = SSL_CTX_new(host ? TLS_client_method() : TLS_server_method())))
2102#else
7006ee24 2103if (!(ctx = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method())))
7a8b9519 2104#endif
7006ee24 2105 return tls_error(US"SSL_CTX_new", host, NULL, errstr);
059ec3d9
PH
2106
2107/* It turns out that we need to seed the random number generator this early in
2108order to get the full complement of ciphers to work. It took me roughly a day
2109of work to discover this by experiment.
2110
2111On systems that have /dev/urandom, SSL may automatically seed itself from
2112there. Otherwise, we have to make something up as best we can. Double check
2113afterwards. */
2114
2115if (!RAND_status())
2116 {
2117 randstuff r;
9e3331ea 2118 gettimeofday(&r.tv, NULL);
059ec3d9
PH
2119 r.p = getpid();
2120
5903c6ff
JH
2121 RAND_seed(US (&r), sizeof(r));
2122 RAND_seed(US big_buffer, big_buffer_size);
2123 if (addr != NULL) RAND_seed(US addr, sizeof(addr));
059ec3d9
PH
2124
2125 if (!RAND_status())
7199e1ee 2126 return tls_error(US"RAND_status", host,
cf0c6164 2127 US"unable to seed random number generator", errstr);
059ec3d9
PH
2128 }
2129
2130/* Set up the information callback, which outputs if debugging is at a suitable
2131level. */
2132
b10c87b3
JH
2133DEBUG(D_tls)
2134 {
2135 SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
e570d136
JH
2136#if defined(EXIM_HAVE_OPESSL_TRACE) && !defined(OPENSSL_NO_SSL_TRACE)
2137 /* this needs a debug build of OpenSSL */
b10c87b3
JH
2138 SSL_CTX_set_msg_callback(ctx, (void (*)())SSL_trace);
2139#endif
8a40db1c 2140#ifdef OPENSSL_HAVE_KEYLOG_CB
b10c87b3 2141 SSL_CTX_set_keylog_callback(ctx, (void (*)())keylog_callback);
8a40db1c 2142#endif
b10c87b3 2143 }
059ec3d9 2144
c80c5570 2145/* Automatically re-try reads/writes after renegotiation. */
7006ee24 2146(void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
c80c5570 2147
77bb000f
PP
2148/* Apply administrator-supplied work-arounds.
2149Historically we applied just one requested option,
2150SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
2151moved to an administrator-controlled list of options to specify and
2152grandfathered in the first one as the default value for "openssl_options".
059ec3d9 2153
77bb000f
PP
2154No OpenSSL version number checks: the options we accept depend upon the
2155availability of the option value macros from OpenSSL. */
059ec3d9 2156
7006ee24 2157if (!tls_openssl_options_parse(openssl_options, &init_options))
cf0c6164 2158 return tls_error(US"openssl_options parsing failed", host, NULL, errstr);
77bb000f 2159
b10c87b3
JH
2160#ifdef EXPERIMENTAL_TLS_RESUME
2161tlsp->resumption = RESUME_SUPPORTED;
2162#endif
77bb000f
PP
2163if (init_options)
2164 {
b10c87b3
JH
2165#ifdef EXPERIMENTAL_TLS_RESUME
2166 /* Should the server offer session resumption? */
2167 if (!host && verify_check_host(&tls_resumption_hosts) == OK)
2168 {
2169 DEBUG(D_tls) debug_printf("tls_resumption_hosts overrides openssl_options\n");
2170 init_options &= ~SSL_OP_NO_TICKET;
2171 tlsp->resumption |= RESUME_SERVER_TICKET; /* server will give ticket on request */
2172 tlsp->host_resumable = TRUE;
2173 }
2174#endif
2175
77bb000f 2176 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
7006ee24 2177 if (!(SSL_CTX_set_options(ctx, init_options)))
77bb000f 2178 return tls_error(string_sprintf(
cf0c6164 2179 "SSL_CTX_set_option(%#lx)", init_options), host, NULL, errstr);
77bb000f
PP
2180 }
2181else
2182 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
059ec3d9 2183
a28050f8
JH
2184/* We'd like to disable session cache unconditionally, but foolish Outlook
2185Express clients then give up the first TLS connection and make a second one
2186(which works). Only when there is an IMAP service on the same machine.
2187Presumably OE is trying to use the cache for A on B. Leave it enabled for
2188now, until we work out a decent way of presenting control to the config. It
2189will never be used because we use a new context every time. */
2190#ifdef notdef
7006ee24 2191(void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
a28050f8 2192#endif
7006ee24 2193
059ec3d9 2194/* Initialize with DH parameters if supplied */
10ca4f1c 2195/* Initialize ECDH temp key parameter selection */
059ec3d9 2196
7006ee24
JH
2197if ( !init_dh(ctx, dhparam, host, errstr)
2198 || !init_ecdh(ctx, host, errstr)
038597d2
PP
2199 )
2200 return DEFER;
059ec3d9 2201
3f7eeb86 2202/* Set up certificate and key (and perhaps OCSP info) */
059ec3d9 2203
7006ee24 2204if ((rc = tls_expand_session_files(ctx, cbinfo, errstr)) != OK)
23bb6982 2205 return rc;
c91535f3 2206
c3033f13
JH
2207/* If we need to handle SNI or OCSP, do so */
2208
3bcbbbe2 2209#ifdef EXIM_HAVE_OPENSSL_TLSEXT
c3033f13
JH
2210# ifndef DISABLE_OCSP
2211 if (!(cbinfo->verify_stack = sk_X509_new_null()))
2212 {
2213 DEBUG(D_tls) debug_printf("failed to create stack for stapling verify\n");
2214 return FAIL;
2215 }
2216# endif
2217
7a8b9519 2218if (!host) /* server */
3f0945ff 2219 {
f2de3a33 2220# ifndef DISABLE_OCSP
5b2fd993 2221 /* We check u_ocsp.server.file, not server.olist, because we care about if
3f7eeb86
PP
2222 the option exists, not what the current expansion might be, as SNI might
2223 change the certificate and OCSP file in use between now and the time the
2224 callback is invoked. */
f5d78688 2225 if (cbinfo->u_ocsp.server.file)
3f7eeb86 2226 {
7006ee24
JH
2227 SSL_CTX_set_tlsext_status_cb(ctx, tls_server_stapling_cb);
2228 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
3f7eeb86 2229 }
f5d78688 2230# endif
3f0945ff
PP
2231 /* We always do this, so that $tls_sni is available even if not used in
2232 tls_certificate */
7006ee24
JH
2233 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
2234 SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
3f0945ff 2235 }
f2de3a33 2236# ifndef DISABLE_OCSP
f5d78688
JH
2237else /* client */
2238 if(ocsp_file) /* wanting stapling */
2239 {
2240 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
2241 {
2242 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
2243 return FAIL;
2244 }
7006ee24
JH
2245 SSL_CTX_set_tlsext_status_cb(ctx, tls_client_stapling_cb);
2246 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
f5d78688
JH
2247 }
2248# endif
7be682ca 2249#endif
059ec3d9 2250
e51c7be2 2251cbinfo->verify_cert_hostnames = NULL;
e51c7be2 2252
c8dfb21d 2253#ifdef EXIM_HAVE_EPHEM_RSA_KEX
059ec3d9 2254/* Set up the RSA callback */
7006ee24 2255SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
c8dfb21d 2256#endif
059ec3d9 2257
b10c87b3
JH
2258/* Finally, set the session cache timeout, and we are done.
2259The period appears to be also used for (server-generated) session tickets */
059ec3d9 2260
7006ee24 2261SSL_CTX_set_timeout(ctx, ssl_session_timeout);
059ec3d9 2262DEBUG(D_tls) debug_printf("Initialized TLS\n");
7be682ca 2263
817d9f57 2264*cbp = cbinfo;
7006ee24 2265*ctxp = ctx;
7be682ca 2266
059ec3d9
PH
2267return OK;
2268}
2269
2270
2271
2272
2273/*************************************************
2274* Get name of cipher in use *
2275*************************************************/
2276
817d9f57 2277/*
059ec3d9 2278Argument: pointer to an SSL structure for the connection
817d9f57 2279 pointer to number of bits for cipher
f1be21cf 2280Returns: pointer to allocated string in perm-pool
059ec3d9
PH
2281*/
2282
f1be21cf
JH
2283static uschar *
2284construct_cipher_name(SSL * ssl, int * bits)
059ec3d9 2285{
f1be21cf 2286int pool = store_pool;
7a8b9519 2287/* With OpenSSL 1.0.0a, 'c' needs to be const but the documentation doesn't
57b3a7f5
PP
2288yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
2289the accessor functions use const in the prototype. */
059ec3d9 2290
7a8b9519
JH
2291const uschar * ver = CUS SSL_get_version(ssl);
2292const SSL_CIPHER * c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
f1be21cf 2293uschar * s;
059ec3d9 2294
817d9f57 2295SSL_CIPHER_get_bits(c, bits);
059ec3d9 2296
f1be21cf
JH
2297store_pool = POOL_PERM;
2298s = string_sprintf("%s:%s:%u", ver, SSL_CIPHER_get_name(c), *bits);
2299store_pool = pool;
2300DEBUG(D_tls) debug_printf("Cipher: %s\n", s);
2301return s;
2302}
2303
059ec3d9 2304
f1be21cf
JH
2305/* Get IETF-standard name for ciphersuite.
2306Argument: pointer to an SSL structure for the connection
2307Returns: pointer to string
2308*/
2309
2310static const uschar *
2311cipher_stdname_ssl(SSL * ssl)
2312{
2313#ifdef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
2314return CUS SSL_CIPHER_standard_name(SSL_get_current_cipher(ssl));
2315#else
2316ushort id = 0xffff & SSL_CIPHER_get_id(SSL_get_current_cipher(ssl));
2317return cipher_stdname(id >> 8, id & 0xff);
2318#endif
059ec3d9
PH
2319}
2320
2321
f69979cf 2322static void
70e384dd 2323peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned siz)
f69979cf
JH
2324{
2325/*XXX we might consider a list-of-certs variable for the cert chain.
2326SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
2327in list-handling functions, also consider the difference between the entire
2328chain and the elements sent by the peer. */
2329
70e384dd
JH
2330tlsp->peerdn = NULL;
2331
f69979cf
JH
2332/* Will have already noted peercert on a verify fail; possibly not the leaf */
2333if (!tlsp->peercert)
2334 tlsp->peercert = SSL_get_peer_certificate(ssl);
2335/* Beware anonymous ciphers which lead to server_cert being NULL */
2336if (tlsp->peercert)
70e384dd
JH
2337 if (!X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, siz))
2338 { DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n"); }
2339 else
2340 {
4a1bd6b9
JH
2341 int oldpool = store_pool;
2342
2343 peerdn[siz-1] = '\0'; /* paranoia */
2344 store_pool = POOL_PERM;
2345 tlsp->peerdn = string_copy(peerdn);
2346 store_pool = oldpool;
2347
2348 /* We used to set CV in the cert-verify callbacks (either plain or dane)
2349 but they don't get called on session-resumption. So use the official
2350 interface, which uses the resumed value. Unfortunately this claims verified
2351 when it actually failed but we're in try-verify mode, due to us wanting the
2352 knowlege that it failed so needing to have the callback and forcing a
2353 permissive return. If we don't force it, the TLS startup is failed.
f4e62a87
JH
2354 The extra bit of information is set in verify_override in the cb, stashed
2355 for resumption next to the TLS session, and used here. */
4a1bd6b9
JH
2356
2357 if (!tlsp->verify_override)
4ed67f68
JH
2358 tlsp->certificate_verified =
2359#ifdef SUPPORT_DANE
2360 tlsp->dane_verified ||
2361#endif
2362 SSL_get_verify_result(ssl) == X509_V_OK;
70e384dd 2363 }
f69979cf
JH
2364}
2365
2366
059ec3d9
PH
2367
2368
2369
2370/*************************************************
2371* Set up for verifying certificates *
2372*************************************************/
2373
0e8aed8a 2374#ifndef DISABLE_OCSP
c3033f13
JH
2375/* Load certs from file, return TRUE on success */
2376
2377static BOOL
2378chain_from_pem_file(const uschar * file, STACK_OF(X509) * verify_stack)
2379{
2380BIO * bp;
2381X509 * x;
2382
dec766a1
WB
2383while (sk_X509_num(verify_stack) > 0)
2384 X509_free(sk_X509_pop(verify_stack));
2385
c3033f13
JH
2386if (!(bp = BIO_new_file(CS file, "r"))) return FALSE;
2387while ((x = PEM_read_bio_X509(bp, NULL, 0, NULL)))
2388 sk_X509_push(verify_stack, x);
2389BIO_free(bp);
2390return TRUE;
2391}
0e8aed8a 2392#endif
c3033f13
JH
2393
2394
2395
dec766a1
WB
2396/* Called by both client and server startup; on the server possibly
2397repeated after a Server Name Indication.
059ec3d9
PH
2398
2399Arguments:
7be682ca 2400 sctx SSL_CTX* to initialise
059ec3d9
PH
2401 certs certs file or NULL
2402 crl CRL file or NULL
2403 host NULL in a server; the remote host in a client
2404 optional TRUE if called from a server for a host in tls_try_verify_hosts;
2405 otherwise passed as FALSE
983207c1 2406 cert_vfy_cb Callback function for certificate verification
cf0c6164 2407 errstr error string pointer
059ec3d9
PH
2408
2409Returns: OK/DEFER/FAIL
2410*/
2411
2412static int
983207c1 2413setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
cf0c6164 2414 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr)
059ec3d9
PH
2415{
2416uschar *expcerts, *expcrl;
2417
cf0c6164 2418if (!expand_check(certs, US"tls_verify_certificates", &expcerts, errstr))
059ec3d9 2419 return DEFER;
57cc2785 2420DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
059ec3d9 2421
10a831a3 2422if (expcerts && *expcerts)
059ec3d9 2423 {
10a831a3
JH
2424 /* Tell the library to use its compiled-in location for the system default
2425 CA bundle. Then add the ones specified in the config, if any. */
cb1d7830 2426
10a831a3 2427 if (!SSL_CTX_set_default_verify_paths(sctx))
cf0c6164 2428 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL, errstr);
10a831a3
JH
2429
2430 if (Ustrcmp(expcerts, "system") != 0)
059ec3d9 2431 {
cb1d7830
JH
2432 struct stat statbuf;
2433
cb1d7830
JH
2434 if (Ustat(expcerts, &statbuf) < 0)
2435 {
2436 log_write(0, LOG_MAIN|LOG_PANIC,
2437 "failed to stat %s for certificates", expcerts);
2438 return DEFER;
2439 }
059ec3d9 2440 else
059ec3d9 2441 {
cb1d7830
JH
2442 uschar *file, *dir;
2443 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
2444 { file = NULL; dir = expcerts; }
2445 else
c3033f13
JH
2446 {
2447 file = expcerts; dir = NULL;
2448#ifndef DISABLE_OCSP
2449 /* In the server if we will be offering an OCSP proof, load chain from
2450 file for verifying the OCSP proof at load time. */
2451
5b2fd993
JH
2452/*XXX Glitch! The file here is tls_verify_certs: the chain for verifying the client cert.
2453This is inconsistent with the need to verify the OCSP proof of the server cert.
2454*/
2455
c3033f13
JH
2456 if ( !host
2457 && statbuf.st_size > 0
2458 && server_static_cbinfo->u_ocsp.server.file
2459 && !chain_from_pem_file(file, server_static_cbinfo->verify_stack)
2460 )
2461 {
2462 log_write(0, LOG_MAIN|LOG_PANIC,
57887ecc 2463 "failed to load cert chain from %s", file);
c3033f13
JH
2464 return DEFER;
2465 }
2466#endif
2467 }
cb1d7830
JH
2468
2469 /* If a certificate file is empty, the next function fails with an
2470 unhelpful error message. If we skip it, we get the correct behaviour (no
2471 certificates are recognized, but the error message is still misleading (it
c3033f13 2472 says no certificate was supplied). But this is better. */
cb1d7830 2473
f2f2c91b
JH
2474 if ( (!file || statbuf.st_size > 0)
2475 && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
cf0c6164 2476 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL, errstr);
cb1d7830
JH
2477
2478 /* Load the list of CAs for which we will accept certs, for sending
2479 to the client. This is only for the one-file tls_verify_certificates
2480 variant.
d7978c0f
JH
2481 If a list isn't loaded into the server, but some verify locations are set,
2482 the server end appears to make a wildcard request for client certs.
10a831a3 2483 Meanwhile, the client library as default behaviour *ignores* the list
cb1d7830
JH
2484 we send over the wire - see man SSL_CTX_set_client_cert_cb.
2485 Because of this, and that the dir variant is likely only used for
d7978c0f
JH
2486 the public-CA bundle (not for a private CA), not worth fixing. */
2487
f2f2c91b 2488 if (file)
cb1d7830 2489 {
2009ecca 2490 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
dec766a1
WB
2491
2492 SSL_CTX_set_client_CA_list(sctx, names);
f2f2c91b 2493 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
cb1d7830 2494 sk_X509_NAME_num(names));
cb1d7830 2495 }
059ec3d9
PH
2496 }
2497 }
2498
2499 /* Handle a certificate revocation list. */
2500
10a831a3 2501#if OPENSSL_VERSION_NUMBER > 0x00907000L
059ec3d9 2502
8b417f2c 2503 /* This bit of code is now the version supplied by Lars Mainka. (I have
10a831a3 2504 merely reformatted it into the Exim code style.)
8b417f2c 2505
10a831a3
JH
2506 "From here I changed the code to add support for multiple crl's
2507 in pem format in one file or to support hashed directory entries in
2508 pem format instead of a file. This method now uses the library function
2509 X509_STORE_load_locations to add the CRL location to the SSL context.
2510 OpenSSL will then handle the verify against CA certs and CRLs by
2511 itself in the verify callback." */
8b417f2c 2512
cf0c6164 2513 if (!expand_check(crl, US"tls_crl", &expcrl, errstr)) return DEFER;
10a831a3 2514 if (expcrl && *expcrl)
059ec3d9 2515 {
8b417f2c
PH
2516 struct stat statbufcrl;
2517 if (Ustat(expcrl, &statbufcrl) < 0)
2518 {
2519 log_write(0, LOG_MAIN|LOG_PANIC,
2520 "failed to stat %s for certificates revocation lists", expcrl);
2521 return DEFER;
2522 }
2523 else
059ec3d9 2524 {
8b417f2c
PH
2525 /* is it a file or directory? */
2526 uschar *file, *dir;
7be682ca 2527 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
8b417f2c 2528 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
059ec3d9 2529 {
8b417f2c
PH
2530 file = NULL;
2531 dir = expcrl;
2532 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
059ec3d9
PH
2533 }
2534 else
2535 {
8b417f2c
PH
2536 file = expcrl;
2537 dir = NULL;
2538 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
059ec3d9 2539 }
8b417f2c 2540 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
cf0c6164 2541 return tls_error(US"X509_STORE_load_locations", host, NULL, errstr);
8b417f2c
PH
2542
2543 /* setting the flags to check against the complete crl chain */
2544
2545 X509_STORE_set_flags(cvstore,
2546 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
059ec3d9 2547 }
059ec3d9
PH
2548 }
2549
10a831a3 2550#endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
059ec3d9
PH
2551
2552 /* If verification is optional, don't fail if no certificate */
2553
7be682ca 2554 SSL_CTX_set_verify(sctx,
5a2a0989 2555 SSL_VERIFY_PEER | (optional ? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
983207c1 2556 cert_vfy_cb);
059ec3d9
PH
2557 }
2558
2559return OK;
2560}
2561
2562
2563
2564/*************************************************
2565* Start a TLS session in a server *
2566*************************************************/
2567
2568/* This is called when Exim is running as a server, after having received
2569the STARTTLS command. It must respond to that command, and then negotiate
2570a TLS session.
2571
2572Arguments:
2573 require_ciphers allowed ciphers
cf0c6164 2574 errstr pointer to error message
059ec3d9
PH
2575
2576Returns: OK on success
2577 DEFER for errors before the start of the negotiation
4c04137d 2578 FAIL for errors during the negotiation; the server can't
059ec3d9
PH
2579 continue running.
2580*/
2581
2582int
cf0c6164 2583tls_server_start(const uschar * require_ciphers, uschar ** errstr)
059ec3d9
PH
2584{
2585int rc;
cf0c6164
JH
2586uschar * expciphers;
2587tls_ext_ctx_cb * cbinfo;
f69979cf 2588static uschar peerdn[256];
059ec3d9
PH
2589
2590/* Check for previous activation */
2591
74f1a423 2592if (tls_in.active.sock >= 0)
059ec3d9 2593 {
cf0c6164 2594 tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
925ac8e4 2595 smtp_printf("554 Already in TLS\r\n", FALSE);
059ec3d9
PH
2596 return FAIL;
2597 }
2598
2599/* Initialize the SSL library. If it fails, it will already have logged
2600the error. */
2601
817d9f57 2602rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
f2de3a33 2603#ifndef DISABLE_OCSP
5b2fd993 2604 tls_ocsp_file,
3f7eeb86 2605#endif
b10c87b3 2606 NULL, &server_static_cbinfo, &tls_in, errstr);
059ec3d9 2607if (rc != OK) return rc;
817d9f57 2608cbinfo = server_static_cbinfo;
059ec3d9 2609
cf0c6164 2610if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers, errstr))
059ec3d9
PH
2611 return FAIL;
2612
2613/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
17c76198
PP
2614were historically separated by underscores. So that I can use either form in my
2615tests, and also for general convenience, we turn underscores into hyphens here.
0c3807a8
JH
2616
2617XXX SSL_CTX_set_cipher_list() is replaced by SSL_CTX_set_ciphersuites()
2618for TLS 1.3 . Since we do not call it at present we get the default list:
2619TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
17c76198 2620*/
059ec3d9 2621
c3033f13 2622if (expciphers)
059ec3d9 2623 {
b10c87b3 2624 for (uschar * s = expciphers; *s; s++ ) if (*s == '_') *s = '-';
059ec3d9 2625 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
817d9f57 2626 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
cf0c6164 2627 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL, errstr);
7be682ca 2628 cbinfo->server_cipher_list = expciphers;
059ec3d9
PH
2629 }
2630
2631/* If this is a host for which certificate verification is mandatory or
2632optional, set up appropriately. */
2633
817d9f57 2634tls_in.certificate_verified = FALSE;
c0635b6d 2635#ifdef SUPPORT_DANE
53a7196b
JH
2636tls_in.dane_verified = FALSE;
2637#endif
a2ff477a 2638server_verify_callback_called = FALSE;
059ec3d9
PH
2639
2640if (verify_check_host(&tls_verify_hosts) == OK)
2641 {
983207c1 2642 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
afdb5e9c 2643 FALSE, verify_callback_server, errstr);
059ec3d9 2644 if (rc != OK) return rc;
a2ff477a 2645 server_verify_optional = FALSE;
059ec3d9
PH
2646 }
2647else if (verify_check_host(&tls_try_verify_hosts) == OK)
2648 {
983207c1 2649 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
afdb5e9c 2650 TRUE, verify_callback_server, errstr);
059ec3d9 2651 if (rc != OK) return rc;
a2ff477a 2652 server_verify_optional = TRUE;
059ec3d9
PH
2653 }
2654
b10c87b3
JH
2655#ifdef EXPERIMENTAL_TLS_RESUME
2656SSL_CTX_set_tlsext_ticket_key_cb(server_ctx, ticket_key_callback);
2657/* despite working, appears to always return failure, so ignoring */
2658#endif
2659#ifdef OPENSSL_HAVE_NUM_TICKETS
2660# ifdef EXPERIMENTAL_TLS_RESUME
2661SSL_CTX_set_num_tickets(server_ctx, tls_in.host_resumable ? 1 : 0);
2662# else
2663SSL_CTX_set_num_tickets(server_ctx, 0); /* send no TLS1.3 stateful-tickets */
2664# endif
2665#endif
2666
2667
059ec3d9
PH
2668/* Prepare for new connection */
2669
cf0c6164
JH
2670if (!(server_ssl = SSL_new(server_ctx)))
2671 return tls_error(US"SSL_new", NULL, NULL, errstr);
da3ad30d
PP
2672
2673/* Warning: we used to SSL_clear(ssl) here, it was removed.
2674 *
2675 * With the SSL_clear(), we get strange interoperability bugs with
2676 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
2677 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
2678 *
2679 * The SSL_clear() call is to let an existing SSL* be reused, typically after
2680 * session shutdown. In this case, we have a brand new object and there's no
2681 * obvious reason to immediately clear it. I'm guessing that this was
2682 * originally added because of incomplete initialisation which the clear fixed,
2683 * in some historic release.
2684 */
059ec3d9
PH
2685
2686/* Set context and tell client to go ahead, except in the case of TLS startup
2687on connection, where outputting anything now upsets the clients and tends to
2688make them disconnect. We need to have an explicit fflush() here, to force out
2689the response. Other smtp_printf() calls do not need it, because in non-TLS
2690mode, the fflush() happens when smtp_getc() is called. */
2691
817d9f57
JH
2692SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
2693if (!tls_in.on_connect)
059ec3d9 2694 {
925ac8e4 2695 smtp_printf("220 TLS go ahead\r\n", FALSE);
059ec3d9
PH
2696 fflush(smtp_out);
2697 }
2698
2699/* Now negotiate the TLS session. We put our own timer on it, since it seems
2700that the OpenSSL library doesn't. */
2701
817d9f57
JH
2702SSL_set_wfd(server_ssl, fileno(smtp_out));
2703SSL_set_rfd(server_ssl, fileno(smtp_in));
2704SSL_set_accept_state(server_ssl);
059ec3d9
PH
2705
2706DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
2707
2708sigalrm_seen = FALSE;
c2a1bba0 2709if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
817d9f57 2710rc = SSL_accept(server_ssl);
c2a1bba0 2711ALARM_CLR(0);
059ec3d9
PH
2712
2713if (rc <= 0)
2714 {
c31e16a5
JH
2715 int error = SSL_get_error(server_ssl, rc);
2716 switch(error)
2717 {
2718 case SSL_ERROR_NONE:
2719 break;
2720
2721 case SSL_ERROR_ZERO_RETURN:
2722 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2723 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
2724
2725 if (SSL_get_shutdown(server_ssl) == SSL_RECEIVED_SHUTDOWN)
2726 SSL_shutdown(server_ssl);
2727
2728 tls_close(NULL, TLS_NO_SHUTDOWN);
2729 return FAIL;
2730
2731 /* Handle genuine errors */
2732 case SSL_ERROR_SSL:
fa9e4a1d
JH
2733 {
2734 uschar * s = US"SSL_accept";
4ed67f68 2735 unsigned long e = ERR_peek_error();
fa9e4a1d
JH
2736 if (ERR_GET_REASON(e) == SSL_R_WRONG_VERSION_NUMBER)
2737 s = string_sprintf("%s (%s)", s, SSL_get_version(server_ssl));
2738 (void) tls_error(s, NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
c31e16a5 2739 return FAIL;
fa9e4a1d 2740 }
c31e16a5
JH
2741
2742 default:
2743 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
2744 if (error == SSL_ERROR_SYSCALL)
2745 {
2746 if (!errno)
2747 {
2748 *errstr = US"SSL_accept: TCP connection closed by peer";
2749 return FAIL;
2750 }
2751 DEBUG(D_tls) debug_printf(" - syscall %s\n", strerror(errno));
2752 }
2753 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
2754 return FAIL;
2755 }
059ec3d9
PH
2756 }
2757
2758DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
25fa0868 2759ERR_clear_error(); /* Even success can leave errors in the stack. Seen with
b10c87b3
JH
2760 anon-authentication ciphersuite negotiated. */
2761
2762#ifdef EXPERIMENTAL_TLS_RESUME
2763if (SSL_session_reused(server_ssl))
2764 {
2765 tls_in.resumption |= RESUME_USED;
2766 DEBUG(D_tls) debug_printf("Session reused\n");
2767 }
2768#endif
059ec3d9
PH
2769
2770/* TLS has been set up. Adjust the input functions to read via TLS,
2771and initialize things. */
2772
f69979cf
JH
2773peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
2774
f1be21cf
JH
2775tls_in.cipher = construct_cipher_name(server_ssl, &tls_in.bits);
2776tls_in.cipher_stdname = cipher_stdname_ssl(server_ssl);
2777
059ec3d9
PH
2778DEBUG(D_tls)
2779 {
2780 uschar buf[2048];
f1be21cf 2781 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)))
059ec3d9 2782 debug_printf("Shared ciphers: %s\n", buf);
f20cfa4a
JH
2783
2784#ifdef EXIM_HAVE_OPENSSL_KEYLOG
2785 {
10ed27e0 2786 BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
f20cfa4a 2787 SSL_SESSION_print_keylog(bp, SSL_get_session(server_ssl));
f20cfa4a
JH
2788 BIO_free(bp);
2789 }
2790#endif
b10c87b3
JH
2791
2792#ifdef EXIM_HAVE_SESSION_TICKET
2793 {
2794 SSL_SESSION * ss = SSL_get_session(server_ssl);
40618fb6 2795 if (SSL_SESSION_has_ticket(ss)) /* 1.1.0 */
b10c87b3
JH
2796 debug_printf("The session has a ticket, life %lu seconds\n",
2797 SSL_SESSION_get_ticket_lifetime_hint(ss));
2798 }
2799#endif
059ec3d9
PH
2800 }
2801
9d1c15ef
JH
2802/* Record the certificate we presented */
2803 {
2804 X509 * crt = SSL_get_certificate(server_ssl);
2805 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
2806 }
059ec3d9 2807
817d9f57
JH
2808/* Only used by the server-side tls (tls_in), including tls_getc.
2809 Client-side (tls_out) reads (seem to?) go via
2810 smtp_read_response()/ip_recv().
2811 Hence no need to duplicate for _in and _out.
2812 */
b808677c 2813if (!ssl_xfer_buffer) ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
059ec3d9 2814ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
8b77d27a 2815ssl_xfer_eof = ssl_xfer_error = FALSE;
059ec3d9
PH
2816
2817receive_getc = tls_getc;
0d81dabc 2818receive_getbuf = tls_getbuf;
584e96c6 2819receive_get_cache = tls_get_cache;
059ec3d9
PH
2820receive_ungetc = tls_ungetc;
2821receive_feof = tls_feof;
2822receive_ferror = tls_ferror;
58eb016e 2823receive_smtp_buffered = tls_smtp_buffered;
059ec3d9 2824
74f1a423
JH
2825tls_in.active.sock = fileno(smtp_out);
2826tls_in.active.tls_ctx = NULL; /* not using explicit ctx for server-side */
059ec3d9
PH
2827return OK;
2828}
2829
2830
2831
2832
043b1248
JH
2833static int
2834tls_client_basic_ctx_init(SSL_CTX * ctx,
cf0c6164
JH
2835 host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo,
2836 uschar ** errstr)
043b1248
JH
2837{
2838int rc;
94431adb 2839/* stick to the old behaviour for compatibility if tls_verify_certificates is
043b1248
JH
2840 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
2841 the specified host patterns if one of them is defined */
2842
610ff438
JH
2843if ( ( !ob->tls_verify_hosts
2844 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2845 )
3c07dd2d 2846 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
aa2a70ba 2847 )
043b1248 2848 client_verify_optional = FALSE;
3c07dd2d 2849else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
aa2a70ba
JH
2850 client_verify_optional = TRUE;
2851else
2852 return OK;
2853
2854if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
cf0c6164
JH
2855 ob->tls_crl, host, client_verify_optional, verify_callback_client,
2856 errstr)) != OK)
aa2a70ba 2857 return rc;
043b1248 2858
3c07dd2d 2859if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
043b1248 2860 {
4af0d74a 2861 cbinfo->verify_cert_hostnames =
8c5d388a 2862#ifdef SUPPORT_I18N
4af0d74a
JH
2863 string_domain_utf8_to_alabel(host->name, NULL);
2864#else
2865 host->name;
2866#endif
aa2a70ba
JH
2867 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
2868 cbinfo->verify_cert_hostnames);
043b1248 2869 }
043b1248
JH
2870return OK;
2871}
059ec3d9 2872
fde080a4 2873
c0635b6d 2874#ifdef SUPPORT_DANE
fde080a4 2875static int
cf0c6164 2876dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa, uschar ** errstr)
fde080a4 2877{
fde080a4
JH
2878dns_scan dnss;
2879const char * hostnames[2] = { CS host->name, NULL };
2880int found = 0;
2881
2882if (DANESSL_init(ssl, NULL, hostnames) != 1)
cf0c6164 2883 return tls_error(US"hostnames load", host, NULL, errstr);
fde080a4 2884
d7978c0f 2885for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
fde080a4 2886 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
1b76ad22 2887 ) if (rr->type == T_TLSA && rr->size > 3)
fde080a4 2888 {
c3033f13 2889 const uschar * p = rr->data;
fde080a4
JH
2890 uint8_t usage, selector, mtype;
2891 const char * mdname;
2892
fde080a4 2893 usage = *p++;
133d2546
JH
2894
2895 /* Only DANE-TA(2) and DANE-EE(3) are supported */
2896 if (usage != 2 && usage != 3) continue;
2897
fde080a4
JH
2898 selector = *p++;
2899 mtype = *p++;
2900
2901 switch (mtype)
2902 {
133d2546
JH
2903 default: continue; /* Only match-types 0, 1, 2 are supported */
2904 case 0: mdname = NULL; break;
2905 case 1: mdname = "sha256"; break;
2906 case 2: mdname = "sha512"; break;
fde080a4
JH
2907 }
2908
133d2546 2909 found++;
fde080a4
JH
2910 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
2911 {
2912 default:
cf0c6164 2913 return tls_error(US"tlsa load", host, NULL, errstr);
c035b645 2914 case 0: /* action not taken */
fde080a4
JH
2915 case 1: break;
2916 }
594706ea
JH
2917
2918 tls_out.tlsa_usage |= 1<<usage;
fde080a4
JH
2919 }
2920
2921if (found)
2922 return OK;
2923
133d2546 2924log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
6ebd79ec 2925return DEFER;
fde080a4 2926}
c0635b6d 2927#endif /*SUPPORT_DANE*/
fde080a4
JH
2928
2929
2930
b10c87b3
JH
2931#ifdef EXPERIMENTAL_TLS_RESUME
2932/* On the client, get any stashed session for the given IP from hints db
2933and apply it to the ssl-connection for attempted resumption. */
2934
2935static void
2936tls_retrieve_session(tls_support * tlsp, SSL * ssl, const uschar * key)
2937{
2938tlsp->resumption |= RESUME_SUPPORTED;
2939if (tlsp->host_resumable)
2940 {
2941 dbdata_tls_session * dt;
2942 int len;
2943 open_db dbblock, * dbm_file;
2944
2945 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
2946 DEBUG(D_tls) debug_printf("checking for resumable session for %s\n", key);
2947 if ((dbm_file = dbfn_open(US"tls", O_RDONLY, &dbblock, FALSE, FALSE)))
2948 {
2949 /* key for the db is the IP */
2950 if ((dt = dbfn_read_with_length(dbm_file, key, &len)))
2951 {
2952 SSL_SESSION * ss = NULL;
2953 const uschar * sess_asn1 = dt->session;
2954
2955 len -= sizeof(dbdata_tls_session);
2956 if (!(d2i_SSL_SESSION(&ss, &sess_asn1, (long)len)))
2957 {
2958 DEBUG(D_tls)
2959 {
2960 ERR_error_string_n(ERR_get_error(),
2961 ssl_errstring, sizeof(ssl_errstring));
2962 debug_printf("decoding session: %s\n", ssl_errstring);
2963 }
2964 }
a775dd1d 2965#ifdef EXIM_HAVE_SESSION_TICKET
4f1d23a1
JH
2966 else if ( SSL_SESSION_get_ticket_lifetime_hint(ss) + dt->time_stamp
2967 < time(NULL))
2968 {
2969 DEBUG(D_tls) debug_printf("session expired\n");
2970 dbfn_delete(dbm_file, key);
2971 }
a775dd1d 2972#endif
b10c87b3
JH
2973 else if (!SSL_set_session(ssl, ss))
2974 {
2975 DEBUG(D_tls)
2976 {
2977 ERR_error_string_n(ERR_get_error(),
2978 ssl_errstring, sizeof(ssl_errstring));
2979 debug_printf("applying session to ssl: %s\n", ssl_errstring);
2980 }
2981 }
2982 else
2983 {
2984 DEBUG(D_tls) debug_printf("good session\n");
2985 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
f4e62a87 2986 tlsp->verify_override = dt->verify_override;
c82de233 2987 tlsp->ocsp = dt->ocsp;
b10c87b3
JH
2988 }
2989 }
2990 else
2991 DEBUG(D_tls) debug_printf("no session record\n");
2992 dbfn_close(dbm_file);
2993 }
2994 }
2995}
2996
2997
2998/* On the client, save the session for later resumption */
2999
3000static int
3001tls_save_session_cb(SSL * ssl, SSL_SESSION * ss)
3002{
3003tls_ext_ctx_cb * cbinfo = SSL_get_ex_data(ssl, tls_exdata_idx);
3004tls_support * tlsp;
3005
3006DEBUG(D_tls) debug_printf("tls_save_session_cb\n");
3007
3008if (!cbinfo || !(tlsp = cbinfo->tlsp)->host_resumable) return 0;
3009
40618fb6
JH
3010# ifdef OPENSSL_HAVE_NUM_TICKETS
3011if (SSL_SESSION_is_resumable(ss)) /* 1.1.1 */
3012# endif
b10c87b3
JH
3013 {
3014 int len = i2d_SSL_SESSION(ss, NULL);
3015 int dlen = sizeof(dbdata_tls_session) + len;
f3ebb786 3016 dbdata_tls_session * dt = store_get(dlen, TRUE);
b10c87b3
JH
3017 uschar * s = dt->session;
3018 open_db dbblock, * dbm_file;
3019
3020 DEBUG(D_tls) debug_printf("session is resumable\n");
3021 tlsp->resumption |= RESUME_SERVER_TICKET; /* server gave us a ticket */
3022
f4e62a87 3023 dt->verify_override = tlsp->verify_override;
c82de233 3024 dt->ocsp = tlsp->ocsp;
f4e62a87 3025 (void) i2d_SSL_SESSION(ss, &s); /* s gets bumped to end */
b10c87b3
JH
3026
3027 if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
3028 {
3029 const uschar * key = cbinfo->host->address;
3030 dbfn_delete(dbm_file, key);
3031 dbfn_write(dbm_file, key, dt, dlen);
3032 dbfn_close(dbm_file);
3033 DEBUG(D_tls) debug_printf("wrote session (len %u) to db\n",
3034 (unsigned)dlen);
3035 }
3036 }
b10c87b3
JH
3037return 1;
3038}
3039
3040
3041static void
3042tls_client_ctx_resume_prehandshake(
3043 exim_openssl_client_tls_ctx * exim_client_ctx, tls_support * tlsp,
3044 smtp_transport_options_block * ob, host_item * host)
3045{
3046/* Should the client request a session resumption ticket? */
3047if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, host) == OK)
3048 {
3049 tlsp->host_resumable = TRUE;
3050
3051 SSL_CTX_set_session_cache_mode(exim_client_ctx->ctx,
3052 SSL_SESS_CACHE_CLIENT
3053 | SSL_SESS_CACHE_NO_INTERNAL | SSL_SESS_CACHE_NO_AUTO_CLEAR);
3054 SSL_CTX_sess_set_new_cb(exim_client_ctx->ctx, tls_save_session_cb);
3055 }
3056}
3057
3058static BOOL
3059tls_client_ssl_resume_prehandshake(SSL * ssl, tls_support * tlsp,
3060 host_item * host, uschar ** errstr)
3061{
3062if (tlsp->host_resumable)
3063 {
3064 DEBUG(D_tls)
3065 debug_printf("tls_resumption_hosts overrides openssl_options, enabling tickets\n");
3066 SSL_clear_options(ssl, SSL_OP_NO_TICKET);
3067
3068 tls_exdata_idx = SSL_get_ex_new_index(0, 0, 0, 0, 0);
3069 if (!SSL_set_ex_data(ssl, tls_exdata_idx, client_static_cbinfo))
3070 {
3071 tls_error(US"set ex_data", host, NULL, errstr);
3072 return FALSE;
3073 }
3074 debug_printf("tls_exdata_idx %d cbinfo %p\n", tls_exdata_idx, client_static_cbinfo);
3075 }
3076
3077tlsp->resumption = RESUME_SUPPORTED;
3078/* Pick up a previous session, saved on an old ticket */
3079tls_retrieve_session(tlsp, ssl, host->address);
3080return TRUE;
3081}
3082
3083static void
3084tls_client_resume_posthandshake(exim_openssl_client_tls_ctx * exim_client_ctx,
3085 tls_support * tlsp)
3086{
3087if (SSL_session_reused(exim_client_ctx->ssl))
3088 {
3089 DEBUG(D_tls) debug_printf("The session was reused\n");
3090 tlsp->resumption |= RESUME_USED;
3091 }
3092}
3093#endif /* EXPERIMENTAL_TLS_RESUME */
3094
3095
059ec3d9
PH
3096/*************************************************
3097* Start a TLS session in a client *
3098*************************************************/
3099
3100/* Called from the smtp transport after STARTTLS has been accepted.
3101
c05bdbd6
JH
3102Arguments:
3103 cctx connection context
3104 conn_args connection details
3105 cookie datum for randomness; can be NULL
3106 tlsp record details of TLS channel configuration here; must be non-NULL
3107 errstr error string pointer
3108
3109Returns: TRUE for success with TLS session context set in connection context,
3110 FALSE on error
059ec3d9
PH
3111*/
3112
c05bdbd6
JH
3113BOOL
3114tls_client_start(client_conn_ctx * cctx, smtp_connect_args * conn_args,
3115 void * cookie, tls_support * tlsp, uschar ** errstr)
059ec3d9 3116{
c05bdbd6
JH
3117host_item * host = conn_args->host; /* for msgs and option-tests */
3118transport_instance * tb = conn_args->tblock; /* always smtp or NULL */
afdb5e9c
JH
3119smtp_transport_options_block * ob = tb
3120 ? (smtp_transport_options_block *)tb->options_block
3121 : &smtp_transport_option_defaults;
74f1a423 3122exim_openssl_client_tls_ctx * exim_client_ctx;
868f5672 3123uschar * expciphers;
059ec3d9 3124int rc;
c05bdbd6 3125static uschar peerdn[256];
043b1248
JH
3126
3127#ifndef DISABLE_OCSP
043b1248 3128BOOL request_ocsp = FALSE;
6634ac8d 3129BOOL require_ocsp = FALSE;
043b1248 3130#endif
043b1248 3131
74f1a423
JH
3132rc = store_pool;
3133store_pool = POOL_PERM;
f3ebb786 3134exim_client_ctx = store_get(sizeof(exim_openssl_client_tls_ctx), FALSE);
c09dbcfb 3135exim_client_ctx->corked = NULL;
74f1a423
JH
3136store_pool = rc;
3137
c0635b6d 3138#ifdef SUPPORT_DANE
74f1a423 3139tlsp->tlsa_usage = 0;
043b1248
JH
3140#endif
3141
f2de3a33 3142#ifndef DISABLE_OCSP
043b1248 3143 {
c0635b6d 3144# ifdef SUPPORT_DANE
c05bdbd6 3145 if ( conn_args->dane
4f59c424
JH
3146 && ob->hosts_request_ocsp[0] == '*'
3147 && ob->hosts_request_ocsp[1] == '\0'
3148 )
3149 {
3150 /* Unchanged from default. Use a safer one under DANE */
3151 request_ocsp = TRUE;
3152 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
3153 " {= {4}{$tls_out_tlsa_usage}} } "
3154 " {*}{}}";
3155 }
3156# endif
3157
5130845b 3158 if ((require_ocsp =
3c07dd2d 3159 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK))
fca41d5a
JH
3160 request_ocsp = TRUE;
3161 else
c0635b6d 3162# ifdef SUPPORT_DANE
4f59c424 3163 if (!request_ocsp)
fca41d5a 3164# endif
5130845b 3165 request_ocsp =
3c07dd2d 3166 verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
043b1248 3167 }
f5d78688 3168#endif
059ec3d9 3169
74f1a423 3170rc = tls_init(&exim_client_ctx->ctx, host, NULL,
65867078 3171 ob->tls_certificate, ob->tls_privatekey,
f2de3a33 3172#ifndef DISABLE_OCSP
44662487 3173 (void *)(long)request_ocsp,
3f7eeb86 3174#endif
b10c87b3 3175 cookie, &client_static_cbinfo, tlsp, errstr);
c05bdbd6 3176if (rc != OK) return FALSE;
059ec3d9 3177
74f1a423 3178tlsp->certificate_verified = FALSE;
a2ff477a 3179client_verify_callback_called = FALSE;
059ec3d9 3180
5ec37a55
PP
3181expciphers = NULL;
3182#ifdef SUPPORT_DANE
c05bdbd6 3183if (conn_args->dane)
5ec37a55
PP
3184 {
3185 /* We fall back to tls_require_ciphers if unset, empty or forced failure, but
3186 other failures should be treated as problems. */
3187 if (ob->dane_require_tls_ciphers &&
3188 !expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
3189 &expciphers, errstr))
c05bdbd6 3190 return FALSE;
5ec37a55
PP
3191 if (expciphers && *expciphers == '\0')
3192 expciphers = NULL;
3193 }
3194#endif
3195if (!expciphers &&
3196 !expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
3197 &expciphers, errstr))
c05bdbd6 3198 return FALSE;
059ec3d9
PH
3199
3200/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
3201are separated by underscores. So that I can use either form in my tests, and
3202also for general convenience, we turn underscores into hyphens here. */
3203
cf0c6164 3204if (expciphers)
059ec3d9
PH
3205 {
3206 uschar *s = expciphers;
cf0c6164 3207 while (*s) { if (*s == '_') *s = '-'; s++; }
059ec3d9 3208 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
74f1a423
JH
3209 if (!SSL_CTX_set_cipher_list(exim_client_ctx->ctx, CS expciphers))
3210 {
3211 tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr);
c05bdbd6 3212 return FALSE;
74f1a423 3213 }
059ec3d9
PH
3214 }
3215
c0635b6d 3216#ifdef SUPPORT_DANE
c05bdbd6 3217if (conn_args->dane)
a63be306 3218 {
74f1a423 3219 SSL_CTX_set_verify(exim_client_ctx->ctx,
02af313d
JH
3220 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
3221 verify_callback_client_dane);
e5cccda9 3222
043b1248 3223 if (!DANESSL_library_init())
74f1a423
JH
3224 {
3225 tls_error(US"library init", host, NULL, errstr);
c05bdbd6 3226 return FALSE;
74f1a423
JH
3227 }
3228 if (DANESSL_CTX_init(exim_client_ctx->ctx) <= 0)
3229 {
3230 tls_error(US"context init", host, NULL, errstr);
c05bdbd6 3231 return FALSE;
74f1a423 3232 }
043b1248
JH
3233 }
3234else
e51c7be2 3235
043b1248
JH
3236#endif
3237
74f1a423
JH
3238 if (tls_client_basic_ctx_init(exim_client_ctx->ctx, host, ob,
3239 client_static_cbinfo, errstr) != OK)
c05bdbd6 3240 return FALSE;
059ec3d9 3241
b10c87b3
JH
3242#ifdef EXPERIMENTAL_TLS_RESUME
3243tls_client_ctx_resume_prehandshake(exim_client_ctx, tlsp, ob, host);
3244#endif
3245
3246
74f1a423
JH
3247if (!(exim_client_ctx->ssl = SSL_new(exim_client_ctx->ctx)))
3248 {
3249 tls_error(US"SSL_new", host, NULL, errstr);
c05bdbd6 3250 return FALSE;
74f1a423
JH
3251 }
3252SSL_set_session_id_context(exim_client_ctx->ssl, sid_ctx, Ustrlen(sid_ctx));
b10c87b3 3253
c05bdbd6 3254SSL_set_fd(exim_client_ctx->ssl, cctx->sock);
74f1a423 3255SSL_set_connect_state(exim_client_ctx->ssl);
059ec3d9 3256
65867078 3257if (ob->tls_sni)
3f0945ff 3258 {
74f1a423 3259 if (!expand_check(ob->tls_sni, US"tls_sni", &tlsp->sni, errstr))
c05bdbd6 3260 return FALSE;
74f1a423 3261 if (!tlsp->sni)
2c9a0e86
PP
3262 {
3263 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
3264 }
74f1a423
JH
3265 else if (!Ustrlen(tlsp->sni))
3266 tlsp->sni = NULL;
3f0945ff
PP
3267 else
3268 {
35731706 3269#ifdef EXIM_HAVE_OPENSSL_TLSEXT
74f1a423
JH
3270 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tlsp->sni);
3271 SSL_set_tlsext_host_name(exim_client_ctx->ssl, tlsp->sni);
35731706 3272#else
66802652 3273 log_write(0, LOG_MAIN, "SNI unusable with this OpenSSL library version; ignoring \"%s\"\n",
74f1a423 3274 tlsp->sni);
35731706 3275#endif
3f0945ff
PP
3276 }
3277 }
3278
c0635b6d 3279#ifdef SUPPORT_DANE
c05bdbd6
JH
3280if (conn_args->dane)
3281 if (dane_tlsa_load(exim_client_ctx->ssl, host, &conn_args->tlsa_dnsa, errstr) != OK)
3282 return FALSE;
594706ea
JH
3283#endif
3284
f2de3a33 3285#ifndef DISABLE_OCSP
f5d78688
JH
3286/* Request certificate status at connection-time. If the server
3287does OCSP stapling we will get the callback (set in tls_init()) */
c0635b6d 3288# ifdef SUPPORT_DANE
44662487
JH
3289if (request_ocsp)
3290 {
594706ea 3291 const uschar * s;
41afb5cb
JH
3292 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
3293 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
594706ea
JH
3294 )
3295 { /* Re-eval now $tls_out_tlsa_usage is populated. If
3296 this means we avoid the OCSP request, we wasted the setup
3297 cost in tls_init(). */
3c07dd2d 3298 require_ocsp = verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
5130845b 3299 request_ocsp = require_ocsp
3c07dd2d 3300 || verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
594706ea
JH
3301 }
3302 }
b50c8b84
JH
3303# endif
3304
594706ea
JH
3305if (request_ocsp)
3306 {
74f1a423 3307 SSL_set_tlsext_status_type(exim_client_ctx->ssl, TLSEXT_STATUSTYPE_ocsp);
44662487 3308 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
74f1a423 3309 tlsp->ocsp = OCSP_NOT_RESP;
44662487 3310 }
f5d78688
JH
3311#endif
3312
c82de233
JH
3313#ifdef EXPERIMENTAL_TLS_RESUME
3314if (!tls_client_ssl_resume_prehandshake(exim_client_ctx->ssl, tlsp, host,
3315 errstr))
3316 return FALSE;
3317#endif
3318
0cbf2b82 3319#ifndef DISABLE_EVENT
afdb5e9c 3320client_static_cbinfo->event_action = tb ? tb->event_action : NULL;
a7538db1 3321#endif
043b1248 3322
059ec3d9
PH
3323/* There doesn't seem to be a built-in timeout on connection. */
3324
3325DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
3326sigalrm_seen = FALSE;
c2a1bba0 3327ALARM(ob->command_timeout);
74f1a423 3328rc = SSL_connect(exim_client_ctx->ssl);
c2a1bba0 3329ALARM_CLR(0);
059ec3d9 3330
c0635b6d 3331#ifdef SUPPORT_DANE
c05bdbd6 3332if (conn_args->dane)