Doh, fix the error message to say SSL_read not SSL_write.
[exim.git] / src / src / tls-openssl.c
CommitLineData
89dd51cd 1/* $Cambridge: exim/src/src/tls-openssl.c,v 1.25 2010/06/05 09:36:11 pdp Exp $ */
059ec3d9
PH
2
3/*************************************************
4* Exim - an Internet mail transport agent *
5*************************************************/
6
0a49a7a4 7/* Copyright (c) University of Cambridge 1995 - 2009 */
059ec3d9
PH
8/* See the file NOTICE for conditions of use and distribution. */
9
10/* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11library. It is #included into the tls.c file when that library is used. The
12code herein is based on a patch that was originally contributed by Steve
13Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
14
15No cryptographic code is included in Exim. All this module does is to call
16functions from the OpenSSL library. */
17
18
19/* Heading stuff */
20
21#include <openssl/lhash.h>
22#include <openssl/ssl.h>
23#include <openssl/err.h>
24#include <openssl/rand.h>
25
26/* Structure for collecting random data for seeding. */
27
28typedef struct randstuff {
9e3331ea
TK
29 struct timeval tv;
30 pid_t p;
059ec3d9
PH
31} randstuff;
32
33/* Local static variables */
34
35static BOOL verify_callback_called = FALSE;
36static const uschar *sid_ctx = US"exim";
37
38static SSL_CTX *ctx = NULL;
39static SSL *ssl = NULL;
40
41static char ssl_errstring[256];
42
43static int ssl_session_timeout = 200;
44static BOOL verify_optional = FALSE;
45
46
47
48
49
50/*************************************************
51* Handle TLS error *
52*************************************************/
53
54/* Called from lots of places when errors occur before actually starting to do
55the TLS handshake, that is, while the session is still in clear. Always returns
56DEFER for a server and FAIL for a client so that most calls can use "return
57tls_error(...)" to do this processing and then give an appropriate return. A
58single function is used for both server and client, because it is called from
59some shared functions.
60
61Argument:
62 prefix text to include in the logged error
63 host NULL if setting up a server;
64 the connected host if setting up a client
7199e1ee 65 msg error message or NULL if we should ask OpenSSL
059ec3d9
PH
66
67Returns: OK/DEFER/FAIL
68*/
69
70static int
7199e1ee 71tls_error(uschar *prefix, host_item *host, uschar *msg)
059ec3d9 72{
7199e1ee
TF
73if (msg == NULL)
74 {
75 ERR_error_string(ERR_get_error(), ssl_errstring);
5ca6d115 76 msg = (uschar *)ssl_errstring;
7199e1ee
TF
77 }
78
059ec3d9
PH
79if (host == NULL)
80 {
7199e1ee 81 uschar *conn_info = smtp_get_connection_info();
5ca6d115 82 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0)
7199e1ee
TF
83 conn_info += 5;
84 log_write(0, LOG_MAIN, "TLS error on %s (%s): %s",
85 conn_info, prefix, msg);
059ec3d9
PH
86 return DEFER;
87 }
88else
89 {
90 log_write(0, LOG_MAIN, "TLS error on connection to %s [%s] (%s): %s",
7199e1ee 91 host->name, host->address, prefix, msg);
059ec3d9
PH
92 return FAIL;
93 }
94}
95
96
97
98/*************************************************
99* Callback to generate RSA key *
100*************************************************/
101
102/*
103Arguments:
104 s SSL connection
105 export not used
106 keylength keylength
107
108Returns: pointer to generated key
109*/
110
111static RSA *
112rsa_callback(SSL *s, int export, int keylength)
113{
114RSA *rsa_key;
115export = export; /* Shut picky compilers up */
116DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
117rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL);
118if (rsa_key == NULL)
119 {
120 ERR_error_string(ERR_get_error(), ssl_errstring);
121 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
122 ssl_errstring);
123 return NULL;
124 }
125return rsa_key;
126}
127
128
129
130
131/*************************************************
132* Callback for verification *
133*************************************************/
134
135/* The SSL library does certificate verification if set up to do so. This
136callback has the current yes/no state is in "state". If verification succeeded,
137we set up the tls_peerdn string. If verification failed, what happens depends
138on whether the client is required to present a verifiable certificate or not.
139
140If verification is optional, we change the state to yes, but still log the
141verification error. For some reason (it really would help to have proper
142documentation of OpenSSL), this callback function then gets called again, this
143time with state = 1. In fact, that's useful, because we can set up the peerdn
144value, but we must take care not to set the private verified flag on the second
145time through.
146
147Note: this function is not called if the client fails to present a certificate
148when asked. We get here only if a certificate has been received. Handling of
149optional verification for this case is done when requesting SSL to verify, by
150setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
151
152Arguments:
153 state current yes/no state as 1/0
154 x509ctx certificate information.
155
156Returns: 1 if verified, 0 if not
157*/
158
159static int
160verify_callback(int state, X509_STORE_CTX *x509ctx)
161{
162static uschar txt[256];
163
164X509_NAME_oneline(X509_get_subject_name(x509ctx->current_cert),
165 CS txt, sizeof(txt));
166
167if (state == 0)
168 {
169 log_write(0, LOG_MAIN, "SSL verify error: depth=%d error=%s cert=%s",
170 x509ctx->error_depth,
171 X509_verify_cert_error_string(x509ctx->error),
172 txt);
173 tls_certificate_verified = FALSE;
174 verify_callback_called = TRUE;
175 if (!verify_optional) return 0; /* reject */
176 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
177 "tls_try_verify_hosts)\n");
178 return 1; /* accept */
179 }
180
181if (x509ctx->error_depth != 0)
182 {
183 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d cert=%s\n",
184 x509ctx->error_depth, txt);
185 }
186else
187 {
188 DEBUG(D_tls) debug_printf("SSL%s peer: %s\n",
189 verify_callback_called? "" : " authenticated", txt);
190 tls_peerdn = txt;
191 }
192
059ec3d9
PH
193if (!verify_callback_called) tls_certificate_verified = TRUE;
194verify_callback_called = TRUE;
195
196return 1; /* accept */
197}
198
199
200
201/*************************************************
202* Information callback *
203*************************************************/
204
205/* The SSL library functions call this from time to time to indicate what they
206are doing. We copy the string to the debugging output when the level is high
207enough.
208
209Arguments:
210 s the SSL connection
211 where
212 ret
213
214Returns: nothing
215*/
216
217static void
218info_callback(SSL *s, int where, int ret)
219{
220where = where;
221ret = ret;
222DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
223}
224
225
226
227/*************************************************
228* Initialize for DH *
229*************************************************/
230
231/* If dhparam is set, expand it, and load up the parameters for DH encryption.
232
233Arguments:
234 dhparam DH parameter file
7199e1ee 235 host connected host, if client; NULL if server
059ec3d9
PH
236
237Returns: TRUE if OK (nothing to set up, or setup worked)
238*/
239
240static BOOL
7199e1ee 241init_dh(uschar *dhparam, host_item *host)
059ec3d9
PH
242{
243BOOL yield = TRUE;
244BIO *bio;
245DH *dh;
246uschar *dhexpanded;
247
248if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded))
249 return FALSE;
250
251if (dhexpanded == NULL) return TRUE;
252
253if ((bio = BIO_new_file(CS dhexpanded, "r")) == NULL)
254 {
7199e1ee 255 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
5ca6d115 256 host, (uschar *)strerror(errno));
059ec3d9
PH
257 yield = FALSE;
258 }
259else
260 {
261 if ((dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)) == NULL)
262 {
7199e1ee
TF
263 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
264 host, NULL);
059ec3d9
PH
265 yield = FALSE;
266 }
267 else
268 {
269 SSL_CTX_set_tmp_dh(ctx, dh);
270 DEBUG(D_tls)
271 debug_printf("Diffie-Hellman initialized from %s with %d-bit key\n",
272 dhexpanded, 8*DH_size(dh));
273 DH_free(dh);
274 }
275 BIO_free(bio);
276 }
277
278return yield;
279}
280
281
282
283
284/*************************************************
285* Initialize for TLS *
286*************************************************/
287
288/* Called from both server and client code, to do preliminary initialization of
289the library.
290
291Arguments:
292 host connected host, if client; NULL if server
293 dhparam DH parameter file
294 certificate certificate file
295 privatekey private key
296 addr address if client; NULL if server (for some randomness)
297
298Returns: OK/DEFER/FAIL
299*/
300
301static int
c91535f3
PH
302tls_init(host_item *host, uschar *dhparam, uschar *certificate,
303 uschar *privatekey, address_item *addr)
059ec3d9 304{
77bb000f
PP
305long init_options;
306BOOL okay;
307
059ec3d9
PH
308SSL_load_error_strings(); /* basic set up */
309OpenSSL_add_ssl_algorithms();
310
388d6564 311#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
77bb000f 312/* SHA256 is becoming ever more popular. This makes sure it gets added to the
a0475b69
TK
313list of available digests. */
314EVP_add_digest(EVP_sha256());
cf1ef1a9 315#endif
a0475b69 316
059ec3d9
PH
317/* Create a context */
318
319ctx = SSL_CTX_new((host == NULL)?
320 SSLv23_server_method() : SSLv23_client_method());
321
7199e1ee 322if (ctx == NULL) return tls_error(US"SSL_CTX_new", host, NULL);
059ec3d9
PH
323
324/* It turns out that we need to seed the random number generator this early in
325order to get the full complement of ciphers to work. It took me roughly a day
326of work to discover this by experiment.
327
328On systems that have /dev/urandom, SSL may automatically seed itself from
329there. Otherwise, we have to make something up as best we can. Double check
330afterwards. */
331
332if (!RAND_status())
333 {
334 randstuff r;
9e3331ea 335 gettimeofday(&r.tv, NULL);
059ec3d9
PH
336 r.p = getpid();
337
338 RAND_seed((uschar *)(&r), sizeof(r));
339 RAND_seed((uschar *)big_buffer, big_buffer_size);
340 if (addr != NULL) RAND_seed((uschar *)addr, sizeof(addr));
341
342 if (!RAND_status())
7199e1ee 343 return tls_error(US"RAND_status", host,
5ca6d115 344 US"unable to seed random number generator");
059ec3d9
PH
345 }
346
347/* Set up the information callback, which outputs if debugging is at a suitable
348level. */
349
58c01c94 350SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
059ec3d9 351
77bb000f
PP
352/* Apply administrator-supplied work-arounds.
353Historically we applied just one requested option,
354SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
355moved to an administrator-controlled list of options to specify and
356grandfathered in the first one as the default value for "openssl_options".
059ec3d9 357
77bb000f
PP
358No OpenSSL version number checks: the options we accept depend upon the
359availability of the option value macros from OpenSSL. */
059ec3d9 360
77bb000f
PP
361okay = tls_openssl_options_parse(openssl_options, &init_options);
362if (!okay)
363 return tls_error("openssl_options parsing failed", host, NULL);
364
365if (init_options)
366 {
367 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
368 if (!(SSL_CTX_set_options(ctx, init_options)))
369 return tls_error(string_sprintf(
370 "SSL_CTX_set_option(%#lx)", init_options), host, NULL);
371 }
372else
373 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
059ec3d9
PH
374
375/* Initialize with DH parameters if supplied */
376
7199e1ee 377if (!init_dh(dhparam, host)) return DEFER;
059ec3d9
PH
378
379/* Set up certificate and key */
380
381if (certificate != NULL)
382 {
383 uschar *expanded;
384 if (!expand_check(certificate, US"tls_certificate", &expanded))
385 return DEFER;
386
387 if (expanded != NULL)
388 {
389 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded);
390 if (!SSL_CTX_use_certificate_chain_file(ctx, CS expanded))
d6453af2 391 return tls_error(string_sprintf(
7199e1ee 392 "SSL_CTX_use_certificate_chain_file file=%s", expanded), host, NULL);
059ec3d9
PH
393 }
394
395 if (privatekey != NULL &&
396 !expand_check(privatekey, US"tls_privatekey", &expanded))
397 return DEFER;
398
c91535f3
PH
399 /* If expansion was forced to fail, key_expanded will be NULL. If the result
400 of the expansion is an empty string, ignore it also, and assume the private
401 key is in the same file as the certificate. */
402
403 if (expanded != NULL && *expanded != 0)
059ec3d9
PH
404 {
405 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
406 if (!SSL_CTX_use_PrivateKey_file(ctx, CS expanded, SSL_FILETYPE_PEM))
d6453af2 407 return tls_error(string_sprintf(
7199e1ee 408 "SSL_CTX_use_PrivateKey_file file=%s", expanded), host, NULL);
059ec3d9
PH
409 }
410 }
411
412/* Set up the RSA callback */
413
414SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
415
416/* Finally, set the timeout, and we are done */
417
418SSL_CTX_set_timeout(ctx, ssl_session_timeout);
419DEBUG(D_tls) debug_printf("Initialized TLS\n");
420return OK;
421}
422
423
424
425
426/*************************************************
427* Get name of cipher in use *
428*************************************************/
429
430/* The answer is left in a static buffer, and tls_cipher is set to point
431to it.
432
433Argument: pointer to an SSL structure for the connection
434Returns: nothing
435*/
436
437static void
438construct_cipher_name(SSL *ssl)
439{
440static uschar cipherbuf[256];
441SSL_CIPHER *c;
442uschar *ver;
443int bits;
444
445switch (ssl->session->ssl_version)
446 {
447 case SSL2_VERSION:
448 ver = US"SSLv2";
449 break;
450
451 case SSL3_VERSION:
452 ver = US"SSLv3";
453 break;
454
455 case TLS1_VERSION:
456 ver = US"TLSv1";
457 break;
458
459 default:
460 ver = US"UNKNOWN";
461 }
462
463c = SSL_get_current_cipher(ssl);
464SSL_CIPHER_get_bits(c, &bits);
465
466string_format(cipherbuf, sizeof(cipherbuf), "%s:%s:%u", ver,
467 SSL_CIPHER_get_name(c), bits);
468tls_cipher = cipherbuf;
469
470DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
471}
472
473
474
475
476
477/*************************************************
478* Set up for verifying certificates *
479*************************************************/
480
481/* Called by both client and server startup
482
483Arguments:
484 certs certs file or NULL
485 crl CRL file or NULL
486 host NULL in a server; the remote host in a client
487 optional TRUE if called from a server for a host in tls_try_verify_hosts;
488 otherwise passed as FALSE
489
490Returns: OK/DEFER/FAIL
491*/
492
493static int
494setup_certs(uschar *certs, uschar *crl, host_item *host, BOOL optional)
495{
496uschar *expcerts, *expcrl;
497
498if (!expand_check(certs, US"tls_verify_certificates", &expcerts))
499 return DEFER;
500
501if (expcerts != NULL)
502 {
503 struct stat statbuf;
504 if (!SSL_CTX_set_default_verify_paths(ctx))
7199e1ee 505 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
059ec3d9
PH
506
507 if (Ustat(expcerts, &statbuf) < 0)
508 {
509 log_write(0, LOG_MAIN|LOG_PANIC,
510 "failed to stat %s for certificates", expcerts);
511 return DEFER;
512 }
513 else
514 {
515 uschar *file, *dir;
516 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
517 { file = NULL; dir = expcerts; }
518 else
519 { file = expcerts; dir = NULL; }
520
521 /* If a certificate file is empty, the next function fails with an
522 unhelpful error message. If we skip it, we get the correct behaviour (no
523 certificates are recognized, but the error message is still misleading (it
524 says no certificate was supplied.) But this is better. */
525
526 if ((file == NULL || statbuf.st_size > 0) &&
527 !SSL_CTX_load_verify_locations(ctx, CS file, CS dir))
7199e1ee 528 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL);
059ec3d9
PH
529
530 if (file != NULL)
531 {
532 SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CS file));
533 }
534 }
535
536 /* Handle a certificate revocation list. */
537
538 #if OPENSSL_VERSION_NUMBER > 0x00907000L
539
8b417f2c
PH
540 /* This bit of code is now the version supplied by Lars Mainka. (I have
541 * merely reformatted it into the Exim code style.)
542
543 * "From here I changed the code to add support for multiple crl's
544 * in pem format in one file or to support hashed directory entries in
545 * pem format instead of a file. This method now uses the library function
546 * X509_STORE_load_locations to add the CRL location to the SSL context.
547 * OpenSSL will then handle the verify against CA certs and CRLs by
548 * itself in the verify callback." */
549
059ec3d9
PH
550 if (!expand_check(crl, US"tls_crl", &expcrl)) return DEFER;
551 if (expcrl != NULL && *expcrl != 0)
552 {
8b417f2c
PH
553 struct stat statbufcrl;
554 if (Ustat(expcrl, &statbufcrl) < 0)
555 {
556 log_write(0, LOG_MAIN|LOG_PANIC,
557 "failed to stat %s for certificates revocation lists", expcrl);
558 return DEFER;
559 }
560 else
059ec3d9 561 {
8b417f2c
PH
562 /* is it a file or directory? */
563 uschar *file, *dir;
564 X509_STORE *cvstore = SSL_CTX_get_cert_store(ctx);
565 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
059ec3d9 566 {
8b417f2c
PH
567 file = NULL;
568 dir = expcrl;
569 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
059ec3d9
PH
570 }
571 else
572 {
8b417f2c
PH
573 file = expcrl;
574 dir = NULL;
575 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
059ec3d9 576 }
8b417f2c 577 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
7199e1ee 578 return tls_error(US"X509_STORE_load_locations", host, NULL);
8b417f2c
PH
579
580 /* setting the flags to check against the complete crl chain */
581
582 X509_STORE_set_flags(cvstore,
583 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
059ec3d9 584 }
059ec3d9
PH
585 }
586
587 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
588
589 /* If verification is optional, don't fail if no certificate */
590
591 SSL_CTX_set_verify(ctx,
592 SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
593 verify_callback);
594 }
595
596return OK;
597}
598
599
600
601/*************************************************
602* Start a TLS session in a server *
603*************************************************/
604
605/* This is called when Exim is running as a server, after having received
606the STARTTLS command. It must respond to that command, and then negotiate
607a TLS session.
608
609Arguments:
610 require_ciphers allowed ciphers
83da1223
PH
611 ------------------------------------------------------
612 require_mac list of allowed MACs ) Not used
613 require_kx list of allowed key_exchange methods ) for
614 require_proto list of allowed protocols ) OpenSSL
615 ------------------------------------------------------
059ec3d9
PH
616
617Returns: OK on success
618 DEFER for errors before the start of the negotiation
619 FAIL for errors during the negotation; the server can't
620 continue running.
621*/
622
623int
83da1223
PH
624tls_server_start(uschar *require_ciphers, uschar *require_mac,
625 uschar *require_kx, uschar *require_proto)
059ec3d9
PH
626{
627int rc;
628uschar *expciphers;
629
630/* Check for previous activation */
631
632if (tls_active >= 0)
633 {
5ca6d115 634 tls_error(US"STARTTLS received after TLS started", NULL, US"");
059ec3d9
PH
635 smtp_printf("554 Already in TLS\r\n");
636 return FAIL;
637 }
638
639/* Initialize the SSL library. If it fails, it will already have logged
640the error. */
641
642rc = tls_init(NULL, tls_dhparam, tls_certificate, tls_privatekey, NULL);
643if (rc != OK) return rc;
644
645if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
646 return FAIL;
647
648/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
649are separated by underscores. So that I can use either form in my tests, and
650also for general convenience, we turn underscores into hyphens here. */
651
652if (expciphers != NULL)
653 {
654 uschar *s = expciphers;
655 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
656 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
657 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
7199e1ee 658 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL);
059ec3d9
PH
659 }
660
661/* If this is a host for which certificate verification is mandatory or
662optional, set up appropriately. */
663
664tls_certificate_verified = FALSE;
665verify_callback_called = FALSE;
666
667if (verify_check_host(&tls_verify_hosts) == OK)
668 {
669 rc = setup_certs(tls_verify_certificates, tls_crl, NULL, FALSE);
670 if (rc != OK) return rc;
671 verify_optional = FALSE;
672 }
673else if (verify_check_host(&tls_try_verify_hosts) == OK)
674 {
675 rc = setup_certs(tls_verify_certificates, tls_crl, NULL, TRUE);
676 if (rc != OK) return rc;
677 verify_optional = TRUE;
678 }
679
680/* Prepare for new connection */
681
7199e1ee 682if ((ssl = SSL_new(ctx)) == NULL) return tls_error(US"SSL_new", NULL, NULL);
059ec3d9
PH
683SSL_clear(ssl);
684
685/* Set context and tell client to go ahead, except in the case of TLS startup
686on connection, where outputting anything now upsets the clients and tends to
687make them disconnect. We need to have an explicit fflush() here, to force out
688the response. Other smtp_printf() calls do not need it, because in non-TLS
689mode, the fflush() happens when smtp_getc() is called. */
690
691SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
692if (!tls_on_connect)
693 {
694 smtp_printf("220 TLS go ahead\r\n");
695 fflush(smtp_out);
696 }
697
698/* Now negotiate the TLS session. We put our own timer on it, since it seems
699that the OpenSSL library doesn't. */
700
56f5d9bd
PH
701SSL_set_wfd(ssl, fileno(smtp_out));
702SSL_set_rfd(ssl, fileno(smtp_in));
059ec3d9
PH
703SSL_set_accept_state(ssl);
704
705DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
706
707sigalrm_seen = FALSE;
708if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
709rc = SSL_accept(ssl);
710alarm(0);
711
712if (rc <= 0)
713 {
7199e1ee 714 tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL);
77bb000f
PP
715 if (ERR_get_error() == 0)
716 log_write(0, LOG_MAIN,
717 " => client disconnected cleanly (rejected our certificate?)\n");
059ec3d9
PH
718 return FAIL;
719 }
720
721DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
722
723/* TLS has been set up. Adjust the input functions to read via TLS,
724and initialize things. */
725
726construct_cipher_name(ssl);
727
728DEBUG(D_tls)
729 {
730 uschar buf[2048];
731 if (SSL_get_shared_ciphers(ssl, CS buf, sizeof(buf)) != NULL)
732 debug_printf("Shared ciphers: %s\n", buf);
733 }
734
735
736ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
737ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
738ssl_xfer_eof = ssl_xfer_error = 0;
739
740receive_getc = tls_getc;
741receive_ungetc = tls_ungetc;
742receive_feof = tls_feof;
743receive_ferror = tls_ferror;
58eb016e 744receive_smtp_buffered = tls_smtp_buffered;
059ec3d9
PH
745
746tls_active = fileno(smtp_out);
747return OK;
748}
749
750
751
752
753
754/*************************************************
755* Start a TLS session in a client *
756*************************************************/
757
758/* Called from the smtp transport after STARTTLS has been accepted.
759
760Argument:
761 fd the fd of the connection
762 host connected host (for messages)
83da1223 763 addr the first address
059ec3d9
PH
764 dhparam DH parameter file
765 certificate certificate file
766 privatekey private key file
767 verify_certs file for certificate verify
768 crl file containing CRL
769 require_ciphers list of allowed ciphers
83da1223
PH
770 ------------------------------------------------------
771 require_mac list of allowed MACs ) Not used
772 require_kx list of allowed key_exchange methods ) for
773 require_proto list of allowed protocols ) OpenSSL
774 ------------------------------------------------------
775 timeout startup timeout
059ec3d9
PH
776
777Returns: OK on success
778 FAIL otherwise - note that tls_error() will not give DEFER
779 because this is not a server
780*/
781
782int
783tls_client_start(int fd, host_item *host, address_item *addr, uschar *dhparam,
784 uschar *certificate, uschar *privatekey, uschar *verify_certs, uschar *crl,
83da1223
PH
785 uschar *require_ciphers, uschar *require_mac, uschar *require_kx,
786 uschar *require_proto, int timeout)
059ec3d9
PH
787{
788static uschar txt[256];
789uschar *expciphers;
790X509* server_cert;
791int rc;
792
793rc = tls_init(host, dhparam, certificate, privatekey, addr);
794if (rc != OK) return rc;
795
796tls_certificate_verified = FALSE;
797verify_callback_called = FALSE;
798
799if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
800 return FAIL;
801
802/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
803are separated by underscores. So that I can use either form in my tests, and
804also for general convenience, we turn underscores into hyphens here. */
805
806if (expciphers != NULL)
807 {
808 uschar *s = expciphers;
809 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
810 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
811 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
7199e1ee 812 return tls_error(US"SSL_CTX_set_cipher_list", host, NULL);
059ec3d9
PH
813 }
814
815rc = setup_certs(verify_certs, crl, host, FALSE);
816if (rc != OK) return rc;
817
7199e1ee 818if ((ssl = SSL_new(ctx)) == NULL) return tls_error(US"SSL_new", host, NULL);
059ec3d9
PH
819SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
820SSL_set_fd(ssl, fd);
821SSL_set_connect_state(ssl);
822
823/* There doesn't seem to be a built-in timeout on connection. */
824
825DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
826sigalrm_seen = FALSE;
827alarm(timeout);
828rc = SSL_connect(ssl);
829alarm(0);
830
831if (rc <= 0)
7199e1ee 832 return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL);
059ec3d9
PH
833
834DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
835
836server_cert = SSL_get_peer_certificate (ssl);
837tls_peerdn = US X509_NAME_oneline(X509_get_subject_name(server_cert),
838 CS txt, sizeof(txt));
839tls_peerdn = txt;
840
841construct_cipher_name(ssl); /* Sets tls_cipher */
842
843tls_active = fd;
844return OK;
845}
846
847
848
849
850
851/*************************************************
852* TLS version of getc *
853*************************************************/
854
855/* This gets the next byte from the TLS input buffer. If the buffer is empty,
856it refills the buffer via the SSL reading function.
857
858Arguments: none
859Returns: the next character or EOF
860*/
861
862int
863tls_getc(void)
864{
865if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
866 {
867 int error;
868 int inbytes;
869
870 DEBUG(D_tls) debug_printf("Calling SSL_read(%lx, %lx, %u)\n", (long)ssl,
871 (long)ssl_xfer_buffer, ssl_xfer_buffer_size);
872
873 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
874 inbytes = SSL_read(ssl, CS ssl_xfer_buffer, ssl_xfer_buffer_size);
875 error = SSL_get_error(ssl, inbytes);
876 alarm(0);
877
878 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
879 closed down, not that the socket itself has been closed down. Revert to
880 non-SSL handling. */
881
882 if (error == SSL_ERROR_ZERO_RETURN)
883 {
884 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
885
886 receive_getc = smtp_getc;
887 receive_ungetc = smtp_ungetc;
888 receive_feof = smtp_feof;
889 receive_ferror = smtp_ferror;
58eb016e 890 receive_smtp_buffered = smtp_buffered;
059ec3d9
PH
891
892 SSL_free(ssl);
893 ssl = NULL;
894 tls_active = -1;
895 tls_cipher = NULL;
896 tls_peerdn = NULL;
897
898 return smtp_getc();
899 }
900
901 /* Handle genuine errors */
902
ba084640
PP
903 else if (error == SSL_ERROR_SSL)
904 {
905 ERR_error_string(ERR_get_error(), ssl_errstring);
89dd51cd 906 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
ba084640
PP
907 ssl_xfer_error = 1;
908 return EOF;
909 }
910
059ec3d9
PH
911 else if (error != SSL_ERROR_NONE)
912 {
913 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
914 ssl_xfer_error = 1;
915 return EOF;
916 }
80a47a2c
TK
917#ifndef DISABLE_DKIM
918 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
919#endif
059ec3d9
PH
920 ssl_xfer_buffer_hwm = inbytes;
921 ssl_xfer_buffer_lwm = 0;
922 }
923
924/* Something in the buffer; return next uschar */
925
926return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
927}
928
929
930
931/*************************************************
932* Read bytes from TLS channel *
933*************************************************/
934
935/*
936Arguments:
937 buff buffer of data
938 len size of buffer
939
940Returns: the number of bytes read
941 -1 after a failed read
942*/
943
944int
945tls_read(uschar *buff, size_t len)
946{
947int inbytes;
948int error;
949
950DEBUG(D_tls) debug_printf("Calling SSL_read(%lx, %lx, %u)\n", (long)ssl,
951 (long)buff, (unsigned int)len);
952
953inbytes = SSL_read(ssl, CS buff, len);
954error = SSL_get_error(ssl, inbytes);
955
956if (error == SSL_ERROR_ZERO_RETURN)
957 {
958 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
959 return -1;
960 }
961else if (error != SSL_ERROR_NONE)
962 {
963 return -1;
964 }
965
966return inbytes;
967}
968
969
970
971
972
973/*************************************************
974* Write bytes down TLS channel *
975*************************************************/
976
977/*
978Arguments:
979 buff buffer of data
980 len number of bytes
981
982Returns: the number of bytes after a successful write,
983 -1 after a failed write
984*/
985
986int
987tls_write(const uschar *buff, size_t len)
988{
989int outbytes;
990int error;
991int left = len;
992
993DEBUG(D_tls) debug_printf("tls_do_write(%lx, %d)\n", (long)buff, left);
994while (left > 0)
995 {
996 DEBUG(D_tls) debug_printf("SSL_write(SSL, %lx, %d)\n", (long)buff, left);
997 outbytes = SSL_write(ssl, CS buff, left);
998 error = SSL_get_error(ssl, outbytes);
999 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
1000 switch (error)
1001 {
1002 case SSL_ERROR_SSL:
1003 ERR_error_string(ERR_get_error(), ssl_errstring);
1004 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
1005 return -1;
1006
1007 case SSL_ERROR_NONE:
1008 left -= outbytes;
1009 buff += outbytes;
1010 break;
1011
1012 case SSL_ERROR_ZERO_RETURN:
1013 log_write(0, LOG_MAIN, "SSL channel closed on write");
1014 return -1;
1015
1016 default:
1017 log_write(0, LOG_MAIN, "SSL_write error %d", error);
1018 return -1;
1019 }
1020 }
1021return len;
1022}
1023
1024
1025
1026/*************************************************
1027* Close down a TLS session *
1028*************************************************/
1029
1030/* This is also called from within a delivery subprocess forked from the
1031daemon, to shut down the TLS library, without actually doing a shutdown (which
1032would tamper with the SSL session in the parent process).
1033
1034Arguments: TRUE if SSL_shutdown is to be called
1035Returns: nothing
1036*/
1037
1038void
1039tls_close(BOOL shutdown)
1040{
1041if (tls_active < 0) return; /* TLS was not active */
1042
1043if (shutdown)
1044 {
1045 DEBUG(D_tls) debug_printf("tls_close(): shutting down SSL\n");
1046 SSL_shutdown(ssl);
1047 }
1048
1049SSL_free(ssl);
1050ssl = NULL;
1051
1052tls_active = -1;
1053}
1054
36f12725
NM
1055
1056
1057
1058/*************************************************
1059* Report the library versions. *
1060*************************************************/
1061
1062/* There have historically been some issues with binary compatibility in
1063OpenSSL libraries; if Exim (like many other applications) is built against
1064one version of OpenSSL but the run-time linker picks up another version,
1065it can result in serious failures, including crashing with a SIGSEGV. So
1066report the version found by the compiler and the run-time version.
1067
1068Arguments: a FILE* to print the results to
1069Returns: nothing
1070*/
1071
1072void
1073tls_version_report(FILE *f)
1074{
1075fprintf(f, "OpenSSL compile-time version: %s\n", OPENSSL_VERSION_TEXT);
1076fprintf(f, "OpenSSL runtime version: %s\n", SSLeay_version(SSLEAY_VERSION));
1077}
1078
9e3331ea
TK
1079
1080
1081
1082/*************************************************
1083* Pseudo-random number generation *
1084*************************************************/
1085
1086/* Pseudo-random number generation. The result is not expected to be
1087cryptographically strong but not so weak that someone will shoot themselves
1088in the foot using it as a nonce in input in some email header scheme or
1089whatever weirdness they'll twist this into. The result should handle fork()
1090and avoid repeating sequences. OpenSSL handles that for us.
1091
1092Arguments:
1093 max range maximum
1094Returns a random number in range [0, max-1]
1095*/
1096
1097int
1098pseudo_random_number(int max)
1099{
1100unsigned int r;
1101int i, needed_len;
1102uschar *p;
1103uschar smallbuf[sizeof(r)];
1104
1105if (max <= 1)
1106 return 0;
1107
1108/* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
1109if (!RAND_status())
1110 {
1111 randstuff r;
1112 gettimeofday(&r.tv, NULL);
1113 r.p = getpid();
1114
1115 RAND_seed((uschar *)(&r), sizeof(r));
1116 }
1117/* We're after pseudo-random, not random; if we still don't have enough data
1118in the internal PRNG then our options are limited. We could sleep and hope
1119for entropy to come along (prayer technique) but if the system is so depleted
1120in the first place then something is likely to just keep taking it. Instead,
1121we'll just take whatever little bit of pseudo-random we can still manage to
1122get. */
1123
1124needed_len = sizeof(r);
1125/* Don't take 8 times more entropy than needed if int is 8 octets and we were
1126asked for a number less than 10. */
1127for (r = max, i = 0; r; ++i)
1128 r >>= 1;
1129i = (i + 7) / 8;
1130if (i < needed_len)
1131 needed_len = i;
1132
1133/* We do not care if crypto-strong */
1134(void) RAND_pseudo_bytes(smallbuf, needed_len);
1135r = 0;
1136for (p = smallbuf; needed_len; --needed_len, ++p)
1137 {
1138 r *= 256;
1139 r += *p;
1140 }
1141
1142/* We don't particularly care about weighted results; if someone wants
1143smooth distribution and cares enough then they should submit a patch then. */
1144return r % max;
1145}
1146
77bb000f
PP
1147
1148
1149
1150/*************************************************
1151* OpenSSL option parse *
1152*************************************************/
1153
1154/* Parse one option for tls_openssl_options_parse below
1155
1156Arguments:
1157 name one option name
1158 value place to store a value for it
1159Returns success or failure in parsing
1160*/
1161
1162struct exim_openssl_option {
1163 uschar *name;
1164 long value;
1165};
1166/* We could use a macro to expand, but we need the ifdef and not all the
1167options document which version they were introduced in. Policylet: include
1168all options unless explicitly for DTLS, let the administrator choose which
1169to apply.
1170
1171This list is current as of:
1172 ==> 0.9.8n <== */
1173static struct exim_openssl_option exim_openssl_options[] = {
1174/* KEEP SORTED ALPHABETICALLY! */
1175#ifdef SSL_OP_ALL
1176 { "all", SSL_OP_ALL },
1177#endif
1178#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
1179 { "allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
1180#endif
1181#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
1182 { "cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
1183#endif
1184#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
1185 { "dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
1186#endif
1187#ifdef SSL_OP_EPHEMERAL_RSA
1188 { "ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
1189#endif
1190#ifdef SSL_OP_LEGACY_SERVER_CONNECT
1191 { "legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
1192#endif
1193#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
1194 { "microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
1195#endif
1196#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
1197 { "microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
1198#endif
1199#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
1200 { "msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
1201#endif
1202#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
1203 { "netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
1204#endif
1205#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
1206 { "netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
1207#endif
1208#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1209 { "no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
1210#endif
1211#ifdef SSL_OP_SINGLE_DH_USE
1212 { "single_dh_use", SSL_OP_SINGLE_DH_USE },
1213#endif
1214#ifdef SSL_OP_SINGLE_ECDH_USE
1215 { "single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
1216#endif
1217#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
1218 { "ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
1219#endif
1220#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
1221 { "sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
1222#endif
1223#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
1224 { "tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
1225#endif
1226#ifdef SSL_OP_TLS_D5_BUG
1227 { "tls_d5_bug", SSL_OP_TLS_D5_BUG },
1228#endif
1229#ifdef SSL_OP_TLS_ROLLBACK_BUG
1230 { "tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
1231#endif
1232};
1233static int exim_openssl_options_size =
1234 sizeof(exim_openssl_options)/sizeof(struct exim_openssl_option);
1235
1236static BOOL
1237tls_openssl_one_option_parse(uschar *name, long *value)
1238{
1239int first = 0;
1240int last = exim_openssl_options_size;
1241while (last > first)
1242 {
1243 int middle = (first + last)/2;
1244 int c = Ustrcmp(name, exim_openssl_options[middle].name);
1245 if (c == 0)
1246 {
1247 *value = exim_openssl_options[middle].value;
1248 return TRUE;
1249 }
1250 else if (c > 0)
1251 first = middle + 1;
1252 else
1253 last = middle;
1254 }
1255return FALSE;
1256}
1257
1258
1259
1260
1261/*************************************************
1262* OpenSSL option parsing logic *
1263*************************************************/
1264
1265/* OpenSSL has a number of compatibility options which an administrator might
1266reasonably wish to set. Interpret a list similarly to decode_bits(), so that
1267we look like log_selector.
1268
1269Arguments:
1270 option_spec the administrator-supplied string of options
1271 results ptr to long storage for the options bitmap
1272Returns success or failure
1273*/
1274
1275BOOL
1276tls_openssl_options_parse(uschar *option_spec, long *results)
1277{
1278long result, item;
1279uschar *s, *end;
1280uschar keep_c;
1281BOOL adding, item_parsed;
1282
1283/* We grandfather in as default the one option which we used to set always. */
1284#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
1285result = SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
1286#else
1287result = 0L;
1288#endif
1289
1290if (option_spec == NULL)
1291 {
1292 *results = result;
1293 return TRUE;
1294 }
1295
1296for (s=option_spec; *s != '\0'; /**/)
1297 {
1298 while (isspace(*s)) ++s;
1299 if (*s == '\0')
1300 break;
1301 if (*s != '+' && *s != '-')
1302 {
1303 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
1304 "+ or - expected but found \"%s\"", s);
1305 return FALSE;
1306 }
1307 adding = *s++ == '+';
1308 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
1309 keep_c = *end;
1310 *end = '\0';
1311 item_parsed = tls_openssl_one_option_parse(s, &item);
1312 if (!item_parsed)
1313 {
1314 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"", s);
1315 return FALSE;
1316 }
1317 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
1318 adding ? "adding" : "removing", result, item, s);
1319 if (adding)
1320 result |= item;
1321 else
1322 result &= ~item;
1323 *end = keep_c;
1324 s = end;
1325 }
1326
1327*results = result;
1328return TRUE;
1329}
1330
059ec3d9 1331/* End of tls-openssl.c */