tidying
[exim.git] / src / src / tls-openssl.c
CommitLineData
059ec3d9
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
b10c87b3 5/* Copyright (c) University of Cambridge 1995 - 2019 */
059ec3d9
PH
6/* See the file NOTICE for conditions of use and distribution. */
7
f5d78688
JH
8/* Portions Copyright (c) The OpenSSL Project 1999 */
9
059ec3d9
PH
10/* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11library. It is #included into the tls.c file when that library is used. The
12code herein is based on a patch that was originally contributed by Steve
13Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
14
15No cryptographic code is included in Exim. All this module does is to call
16functions from the OpenSSL library. */
17
18
19/* Heading stuff */
20
21#include <openssl/lhash.h>
22#include <openssl/ssl.h>
23#include <openssl/err.h>
24#include <openssl/rand.h>
10ca4f1c
JH
25#ifndef OPENSSL_NO_ECDH
26# include <openssl/ec.h>
27#endif
f2de3a33 28#ifndef DISABLE_OCSP
e51c7be2 29# include <openssl/ocsp.h>
3f7eeb86 30#endif
c0635b6d 31#ifdef SUPPORT_DANE
05e796ad 32# include "danessl.h"
85098ee7
JH
33#endif
34
3f7eeb86 35
f2de3a33
JH
36#ifndef DISABLE_OCSP
37# define EXIM_OCSP_SKEW_SECONDS (300L)
38# define EXIM_OCSP_MAX_AGE (-1L)
3f7eeb86 39#endif
059ec3d9 40
3bcbbbe2 41#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
e51c7be2 42# define EXIM_HAVE_OPENSSL_TLSEXT
3bcbbbe2 43#endif
c8dfb21d
JH
44#if OPENSSL_VERSION_NUMBER >= 0x00908000L
45# define EXIM_HAVE_RSA_GENKEY_EX
46#endif
47#if OPENSSL_VERSION_NUMBER >= 0x10100000L
48# define EXIM_HAVE_OCSP_RESP_COUNT
49#else
50# define EXIM_HAVE_EPHEM_RSA_KEX
51# define EXIM_HAVE_RAND_PSEUDO
52#endif
53#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
8442641e 54# define EXIM_HAVE_SHA256
c8dfb21d 55#endif
34e3241d 56
d7978c0f
JH
57/* X509_check_host provides sane certificate hostname checking, but was added
58to OpenSSL late, after other projects forked off the code-base. So in
59addition to guarding against the base version number, beware that LibreSSL
60does not (at this time) support this function.
61
62If LibreSSL gains a different API, perhaps via libtls, then we'll probably
63opt to disentangle and ask a LibreSSL user to provide glue for a third
64crypto provider for libtls instead of continuing to tie the OpenSSL glue
65into even twistier knots. If LibreSSL gains the same API, we can just
66change this guard and punt the issue for a while longer. */
67
34e3241d
PP
68#ifndef LIBRESSL_VERSION_NUMBER
69# if OPENSSL_VERSION_NUMBER >= 0x010100000L
70# define EXIM_HAVE_OPENSSL_CHECKHOST
8420742d 71# define EXIM_HAVE_OPENSSL_DH_BITS
7a8b9519 72# define EXIM_HAVE_OPENSSL_TLS_METHOD
f20cfa4a 73# define EXIM_HAVE_OPENSSL_KEYLOG
f1be21cf 74# define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
b10c87b3 75# define EXIM_HAVE_SESSION_TICKET
e570d136 76# define EXIM_HAVE_OPESSL_TRACE
012dd02e 77# define EXIM_HAVE_OPESSL_GET0_SERIAL
7434882d
JH
78# else
79# define EXIM_NEED_OPENSSL_INIT
34e3241d
PP
80# endif
81# if OPENSSL_VERSION_NUMBER >= 0x010000000L \
2dfb468b 82 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
34e3241d
PP
83# define EXIM_HAVE_OPENSSL_CHECKHOST
84# endif
11aa88b0 85#endif
10ca4f1c 86
11aa88b0
RA
87#if !defined(LIBRESSL_VERSION_NUMBER) \
88 || LIBRESSL_VERSION_NUMBER >= 0x20010000L
10ca4f1c
JH
89# if !defined(OPENSSL_NO_ECDH)
90# if OPENSSL_VERSION_NUMBER >= 0x0090800fL
8442641e 91# define EXIM_HAVE_ECDH
10ca4f1c
JH
92# endif
93# if OPENSSL_VERSION_NUMBER >= 0x10002000L
10ca4f1c
JH
94# define EXIM_HAVE_OPENSSL_EC_NIST2NID
95# endif
96# endif
2dfb468b 97#endif
3bcbbbe2 98
8a40db1c
JH
99#ifndef LIBRESSL_VERSION_NUMBER
100# if OPENSSL_VERSION_NUMBER >= 0x010101000L
101# define OPENSSL_HAVE_KEYLOG_CB
d7f31bb6 102# define OPENSSL_HAVE_NUM_TICKETS
f1be21cf 103# define EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
8a40db1c
JH
104# endif
105#endif
106
67791ce4
JH
107#if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
108# warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
109# define DISABLE_OCSP
110#endif
43e2db44
JH
111
112#ifdef EXPERIMENTAL_TLS_RESUME
113# if OPENSSL_VERSION_NUMBER < 0x0101010L
114# error OpenSSL version too old for session-resumption
115# endif
116#endif
67791ce4 117
a6510420
JH
118#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
119# include <openssl/x509v3.h>
120#endif
121
f1be21cf
JH
122#ifndef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
123# ifndef EXIM_HAVE_OPENSSL_CIPHER_GET_ID
124# define SSL_CIPHER_get_id(c) (c->id)
125# endif
dca6d121
JH
126# ifndef MACRO_PREDEF
127# include "tls-cipher-stdname.c"
128# endif
f1be21cf
JH
129#endif
130
8442641e
JH
131/*************************************************
132* OpenSSL option parse *
133*************************************************/
134
135typedef struct exim_openssl_option {
136 uschar *name;
137 long value;
138} exim_openssl_option;
139/* We could use a macro to expand, but we need the ifdef and not all the
140options document which version they were introduced in. Policylet: include
141all options unless explicitly for DTLS, let the administrator choose which
142to apply.
143
144This list is current as of:
145 ==> 1.0.1b <==
146Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
147Plus SSL_OP_NO_TLSv1_3 for 1.1.2-dev
148*/
149static exim_openssl_option exim_openssl_options[] = {
150/* KEEP SORTED ALPHABETICALLY! */
151#ifdef SSL_OP_ALL
6d95688d 152 { US"all", (long) SSL_OP_ALL },
8442641e
JH
153#endif
154#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
155 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
156#endif
157#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
158 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
159#endif
160#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
161 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
162#endif
163#ifdef SSL_OP_EPHEMERAL_RSA
164 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
165#endif
166#ifdef SSL_OP_LEGACY_SERVER_CONNECT
167 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
168#endif
169#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
170 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
171#endif
172#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
173 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
174#endif
175#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
176 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
177#endif
178#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
179 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
180#endif
181#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
182 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
183#endif
184#ifdef SSL_OP_NO_COMPRESSION
185 { US"no_compression", SSL_OP_NO_COMPRESSION },
186#endif
187#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
188 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
189#endif
190#ifdef SSL_OP_NO_SSLv2
191 { US"no_sslv2", SSL_OP_NO_SSLv2 },
192#endif
193#ifdef SSL_OP_NO_SSLv3
194 { US"no_sslv3", SSL_OP_NO_SSLv3 },
195#endif
196#ifdef SSL_OP_NO_TICKET
197 { US"no_ticket", SSL_OP_NO_TICKET },
198#endif
199#ifdef SSL_OP_NO_TLSv1
200 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
201#endif
202#ifdef SSL_OP_NO_TLSv1_1
203#if SSL_OP_NO_TLSv1_1 == 0x00000400L
204 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
205#warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
206#else
207 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
208#endif
209#endif
210#ifdef SSL_OP_NO_TLSv1_2
211 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
212#endif
213#ifdef SSL_OP_NO_TLSv1_3
214 { US"no_tlsv1_3", SSL_OP_NO_TLSv1_3 },
215#endif
216#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
217 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
218#endif
219#ifdef SSL_OP_SINGLE_DH_USE
220 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
221#endif
222#ifdef SSL_OP_SINGLE_ECDH_USE
223 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
224#endif
225#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
226 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
227#endif
228#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
229 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
230#endif
231#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
232 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
233#endif
234#ifdef SSL_OP_TLS_D5_BUG
235 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
236#endif
237#ifdef SSL_OP_TLS_ROLLBACK_BUG
238 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
239#endif
240};
241
242#ifndef MACRO_PREDEF
243static int exim_openssl_options_size = nelem(exim_openssl_options);
244#endif
245
246#ifdef MACRO_PREDEF
247void
248options_tls(void)
249{
8442641e
JH
250uschar buf[64];
251
d7978c0f 252for (struct exim_openssl_option * o = exim_openssl_options;
8442641e
JH
253 o < exim_openssl_options + nelem(exim_openssl_options); o++)
254 {
255 /* Trailing X is workaround for problem with _OPT_OPENSSL_NO_TLSV1
256 being a ".ifdef _OPT_OPENSSL_NO_TLSV1_3" match */
257
258 spf(buf, sizeof(buf), US"_OPT_OPENSSL_%T_X", o->name);
259 builtin_macro_create(buf);
260 }
b10c87b3
JH
261
262# ifdef EXPERIMENTAL_TLS_RESUME
263builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
264# endif
e326959e
JH
265# ifdef SSL_OP_NO_TLSv1_3
266builtin_macro_create(US"_HAVE_TLS1_3");
267# endif
8442641e
JH
268}
269#else
270
271/******************************************************************************/
272
059ec3d9
PH
273/* Structure for collecting random data for seeding. */
274
275typedef struct randstuff {
9e3331ea
TK
276 struct timeval tv;
277 pid_t p;
059ec3d9
PH
278} randstuff;
279
280/* Local static variables */
281
a2ff477a
JH
282static BOOL client_verify_callback_called = FALSE;
283static BOOL server_verify_callback_called = FALSE;
059ec3d9
PH
284static const uschar *sid_ctx = US"exim";
285
d4f09789
PP
286/* We have three different contexts to care about.
287
288Simple case: client, `client_ctx`
289 As a client, we can be doing a callout or cut-through delivery while receiving
290 a message. So we have a client context, which should have options initialised
74f1a423
JH
291 from the SMTP Transport. We may also concurrently want to make TLS connections
292 to utility daemons, so client-contexts are allocated and passed around in call
293 args rather than using a gobal.
d4f09789
PP
294
295Server:
296 There are two cases: with and without ServerNameIndication from the client.
297 Given TLS SNI, we can be using different keys, certs and various other
298 configuration settings, because they're re-expanded with $tls_sni set. This
299 allows vhosting with TLS. This SNI is sent in the handshake.
300 A client might not send SNI, so we need a fallback, and an initial setup too.
301 So as a server, we start out using `server_ctx`.
302 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
303 `server_sni` from `server_ctx` and then initialise settings by re-expanding
304 configuration.
305*/
306
74f1a423
JH
307typedef struct {
308 SSL_CTX * ctx;
309 SSL * ssl;
c09dbcfb 310 gstring * corked;
74f1a423
JH
311} exim_openssl_client_tls_ctx;
312
817d9f57 313static SSL_CTX *server_ctx = NULL;
817d9f57 314static SSL *server_ssl = NULL;
389ca47a 315
35731706 316#ifdef EXIM_HAVE_OPENSSL_TLSEXT
817d9f57 317static SSL_CTX *server_sni = NULL;
35731706 318#endif
059ec3d9
PH
319
320static char ssl_errstring[256];
321
dea4b568 322static int ssl_session_timeout = 7200; /* Two hours */
a2ff477a
JH
323static BOOL client_verify_optional = FALSE;
324static BOOL server_verify_optional = FALSE;
059ec3d9 325
f5d78688 326static BOOL reexpand_tls_files_for_sni = FALSE;
059ec3d9
PH
327
328
5b2fd993
JH
329typedef struct ocsp_resp {
330 struct ocsp_resp * next;
331 OCSP_RESPONSE * resp;
332} ocsp_resplist;
333
7be682ca 334typedef struct tls_ext_ctx_cb {
b10c87b3 335 tls_support * tlsp;
7be682ca
PP
336 uschar *certificate;
337 uschar *privatekey;
f5d78688 338 BOOL is_server;
a6510420 339#ifndef DISABLE_OCSP
c3033f13 340 STACK_OF(X509) *verify_stack; /* chain for verifying the proof */
f5d78688
JH
341 union {
342 struct {
343 uschar *file;
5b2fd993
JH
344 const uschar *file_expanded;
345 ocsp_resplist *olist;
f5d78688
JH
346 } server;
347 struct {
44662487
JH
348 X509_STORE *verify_store; /* non-null if status requested */
349 BOOL verify_required;
f5d78688
JH
350 } client;
351 } u_ocsp;
3f7eeb86 352#endif
7be682ca
PP
353 uschar *dhparam;
354 /* these are cached from first expand */
355 uschar *server_cipher_list;
356 /* only passed down to tls_error: */
357 host_item *host;
55414b25 358 const uschar * verify_cert_hostnames;
0cbf2b82 359#ifndef DISABLE_EVENT
a7538db1
JH
360 uschar * event_action;
361#endif
7be682ca
PP
362} tls_ext_ctx_cb;
363
364/* should figure out a cleanup of API to handle state preserved per
365implementation, for various reasons, which can be void * in the APIs.
366For now, we hack around it. */
b10c87b3 367tls_ext_ctx_cb *client_static_cbinfo = NULL; /*XXX should not use static; multiple concurrent clients! */
817d9f57 368tls_ext_ctx_cb *server_static_cbinfo = NULL;
7be682ca
PP
369
370static int
983207c1 371setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
cf0c6164 372 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr );
059ec3d9 373
3f7eeb86 374/* Callbacks */
3bcbbbe2 375#ifdef EXIM_HAVE_OPENSSL_TLSEXT
3f7eeb86 376static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
3bcbbbe2 377#endif
f2de3a33 378#ifndef DISABLE_OCSP
f5d78688 379static int tls_server_stapling_cb(SSL *s, void *arg);
3f7eeb86
PP
380#endif
381
059ec3d9 382
b10c87b3 383
4d93129f 384/* Daemon-called, before every connection, key create/rotate */
b10c87b3
JH
385#ifdef EXPERIMENTAL_TLS_RESUME
386static void tk_init(void);
387static int tls_exdata_idx = -1;
388#endif
389
390void
391tls_daemon_init(void)
392{
393#ifdef EXPERIMENTAL_TLS_RESUME
394tk_init();
395#endif
396return;
397}
398
399
059ec3d9
PH
400/*************************************************
401* Handle TLS error *
402*************************************************/
403
404/* Called from lots of places when errors occur before actually starting to do
405the TLS handshake, that is, while the session is still in clear. Always returns
406DEFER for a server and FAIL for a client so that most calls can use "return
407tls_error(...)" to do this processing and then give an appropriate return. A
408single function is used for both server and client, because it is called from
409some shared functions.
410
411Argument:
412 prefix text to include in the logged error
413 host NULL if setting up a server;
414 the connected host if setting up a client
7199e1ee 415 msg error message or NULL if we should ask OpenSSL
cf0c6164 416 errstr pointer to output error message
059ec3d9
PH
417
418Returns: OK/DEFER/FAIL
419*/
420
421static int
cf0c6164 422tls_error(uschar * prefix, const host_item * host, uschar * msg, uschar ** errstr)
059ec3d9 423{
c562fd30 424if (!msg)
7199e1ee 425 {
0abc5a13 426 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
cf0c6164 427 msg = US ssl_errstring;
7199e1ee
TF
428 }
429
5a2a0989
JH
430msg = string_sprintf("(%s): %s", prefix, msg);
431DEBUG(D_tls) debug_printf("TLS error '%s'\n", msg);
432if (errstr) *errstr = msg;
cf0c6164 433return host ? FAIL : DEFER;
059ec3d9
PH
434}
435
436
437
438/*************************************************
439* Callback to generate RSA key *
440*************************************************/
441
442/*
443Arguments:
3ae79556 444 s SSL connection (not used)
059ec3d9
PH
445 export not used
446 keylength keylength
447
448Returns: pointer to generated key
449*/
450
451static RSA *
452rsa_callback(SSL *s, int export, int keylength)
453{
454RSA *rsa_key;
c8dfb21d
JH
455#ifdef EXIM_HAVE_RSA_GENKEY_EX
456BIGNUM *bn = BN_new();
457#endif
458
059ec3d9
PH
459export = export; /* Shut picky compilers up */
460DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
c8dfb21d
JH
461
462#ifdef EXIM_HAVE_RSA_GENKEY_EX
463if ( !BN_set_word(bn, (unsigned long)RSA_F4)
f2cb6292 464 || !(rsa_key = RSA_new())
c8dfb21d
JH
465 || !RSA_generate_key_ex(rsa_key, keylength, bn, NULL)
466 )
467#else
23bb6982 468if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL)))
c8dfb21d
JH
469#endif
470
059ec3d9 471 {
0abc5a13 472 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
059ec3d9
PH
473 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
474 ssl_errstring);
475 return NULL;
476 }
477return rsa_key;
478}
479
480
481
f5d78688 482/* Extreme debug
f2de3a33 483#ifndef DISABLE_OCSP
f5d78688
JH
484void
485x509_store_dump_cert_s_names(X509_STORE * store)
486{
487STACK_OF(X509_OBJECT) * roots= store->objs;
f5d78688
JH
488static uschar name[256];
489
d7978c0f 490for (int i= 0; i < sk_X509_OBJECT_num(roots); i++)
f5d78688
JH
491 {
492 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
493 if(tmp_obj->type == X509_LU_X509)
494 {
70e384dd
JH
495 X509_NAME * sn = X509_get_subject_name(tmp_obj->data.x509);
496 if (X509_NAME_oneline(sn, CS name, sizeof(name)))
497 {
498 name[sizeof(name)-1] = '\0';
499 debug_printf(" %s\n", name);
500 }
f5d78688
JH
501 }
502 }
503}
504#endif
505*/
506
059ec3d9 507
0cbf2b82 508#ifndef DISABLE_EVENT
f69979cf
JH
509static int
510verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
511 BOOL *calledp, const BOOL *optionalp, const uschar * what)
512{
513uschar * ev;
514uschar * yield;
515X509 * old_cert;
516
517ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
518if (ev)
519 {
aaba7d03 520 DEBUG(D_tls) debug_printf("verify_event: %s %d\n", what, depth);
f69979cf
JH
521 old_cert = tlsp->peercert;
522 tlsp->peercert = X509_dup(cert);
523 /* NB we do not bother setting peerdn */
524 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
525 {
526 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
527 "depth=%d cert=%s: %s",
528 tlsp == &tls_out ? deliver_host_address : sender_host_address,
529 what, depth, dn, yield);
530 *calledp = TRUE;
531 if (!*optionalp)
532 {
533 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
534 return 1; /* reject (leaving peercert set) */
535 }
536 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
537 "(host in tls_try_verify_hosts)\n");
4a1bd6b9 538 tlsp->verify_override = TRUE;
f69979cf
JH
539 }
540 X509_free(tlsp->peercert);
541 tlsp->peercert = old_cert;
542 }
543return 0;
544}
545#endif
546
059ec3d9
PH
547/*************************************************
548* Callback for verification *
549*************************************************/
550
551/* The SSL library does certificate verification if set up to do so. This
552callback has the current yes/no state is in "state". If verification succeeded,
f69979cf
JH
553we set the certificate-verified flag. If verification failed, what happens
554depends on whether the client is required to present a verifiable certificate
555or not.
059ec3d9
PH
556
557If verification is optional, we change the state to yes, but still log the
558verification error. For some reason (it really would help to have proper
559documentation of OpenSSL), this callback function then gets called again, this
f69979cf
JH
560time with state = 1. We must take care not to set the private verified flag on
561the second time through.
059ec3d9
PH
562
563Note: this function is not called if the client fails to present a certificate
564when asked. We get here only if a certificate has been received. Handling of
565optional verification for this case is done when requesting SSL to verify, by
566setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
567
a7538db1
JH
568May be called multiple times for different issues with a certificate, even
569for a given "depth" in the certificate chain.
570
059ec3d9 571Arguments:
f2f2c91b
JH
572 preverify_ok current yes/no state as 1/0
573 x509ctx certificate information.
574 tlsp per-direction (client vs. server) support data
575 calledp has-been-called flag
576 optionalp verification-is-optional flag
059ec3d9 577
f2f2c91b 578Returns: 0 if verification should fail, otherwise 1
059ec3d9
PH
579*/
580
581static int
70e384dd
JH
582verify_callback(int preverify_ok, X509_STORE_CTX * x509ctx,
583 tls_support * tlsp, BOOL * calledp, BOOL * optionalp)
059ec3d9 584{
421aff85 585X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
a7538db1 586int depth = X509_STORE_CTX_get_error_depth(x509ctx);
f69979cf 587uschar dn[256];
059ec3d9 588
70e384dd
JH
589if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
590 {
591 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
592 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
593 tlsp == &tls_out ? deliver_host_address : sender_host_address);
594 return 0;
595 }
f69979cf 596dn[sizeof(dn)-1] = '\0';
059ec3d9 597
f4e62a87 598tlsp->verify_override = FALSE;
f2f2c91b 599if (preverify_ok == 0)
059ec3d9 600 {
f77197ae
JH
601 uschar * extra = verify_mode ? string_sprintf(" (during %c-verify for [%s])",
602 *verify_mode, sender_host_address)
603 : US"";
604 log_write(0, LOG_MAIN, "[%s] SSL verify error%s: depth=%d error=%s cert=%s",
605 tlsp == &tls_out ? deliver_host_address : sender_host_address,
606 extra, depth,
607 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)), dn);
a2ff477a 608 *calledp = TRUE;
9d1c15ef
JH
609 if (!*optionalp)
610 {
f69979cf
JH
611 if (!tlsp->peercert)
612 tlsp->peercert = X509_dup(cert); /* record failing cert */
613 return 0; /* reject */
9d1c15ef 614 }
059ec3d9
PH
615 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
616 "tls_try_verify_hosts)\n");
4a1bd6b9 617 tlsp->verify_override = TRUE;
059ec3d9
PH
618 }
619
a7538db1 620else if (depth != 0)
059ec3d9 621 {
f69979cf 622 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
f2de3a33 623#ifndef DISABLE_OCSP
f5d78688
JH
624 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
625 { /* client, wanting stapling */
626 /* Add the server cert's signing chain as the one
627 for the verification of the OCSP stapled information. */
94431adb 628
f5d78688 629 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
421aff85 630 cert))
f5d78688 631 ERR_clear_error();
c3033f13 632 sk_X509_push(client_static_cbinfo->verify_stack, cert);
f5d78688
JH
633 }
634#endif
0cbf2b82 635#ifndef DISABLE_EVENT
f69979cf
JH
636 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
637 return 0; /* reject, with peercert set */
a7538db1 638#endif
059ec3d9
PH
639 }
640else
641 {
55414b25 642 const uschar * verify_cert_hostnames;
e51c7be2 643
e51c7be2
JH
644 if ( tlsp == &tls_out
645 && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
afdb5e9c 646 /* client, wanting hostname check */
e51c7be2 647 {
f69979cf 648
740f36d4 649#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
f69979cf
JH
650# ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
651# define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
652# endif
653# ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
654# define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
655# endif
e51c7be2 656 int sep = 0;
55414b25 657 const uschar * list = verify_cert_hostnames;
e51c7be2 658 uschar * name;
d8e7834a
JH
659 int rc;
660 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
f40d5be3 661 if ((rc = X509_check_host(cert, CCS name, 0,
8d692470 662 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
740f36d4
JH
663 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
664 NULL)))
d8e7834a
JH
665 {
666 if (rc < 0)
667 {
93a6fce2 668 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
f77197ae 669 tlsp == &tls_out ? deliver_host_address : sender_host_address);
d8e7834a
JH
670 name = NULL;
671 }
e51c7be2 672 break;
d8e7834a 673 }
e51c7be2 674 if (!name)
f69979cf 675#else
e51c7be2 676 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
f69979cf 677#endif
e51c7be2 678 {
f77197ae
JH
679 uschar * extra = verify_mode
680 ? string_sprintf(" (during %c-verify for [%s])",
681 *verify_mode, sender_host_address)
682 : US"";
e51c7be2 683 log_write(0, LOG_MAIN,
f77197ae
JH
684 "[%s] SSL verify error%s: certificate name mismatch: DN=\"%s\" H=\"%s\"",
685 tlsp == &tls_out ? deliver_host_address : sender_host_address,
686 extra, dn, verify_cert_hostnames);
a3ef7310
JH
687 *calledp = TRUE;
688 if (!*optionalp)
f69979cf
JH
689 {
690 if (!tlsp->peercert)
691 tlsp->peercert = X509_dup(cert); /* record failing cert */
692 return 0; /* reject */
693 }
4a1bd6b9 694 DEBUG(D_tls) debug_printf("SSL verify name failure overridden (host in "
a3ef7310 695 "tls_try_verify_hosts)\n");
4a1bd6b9 696 tlsp->verify_override = TRUE;
e51c7be2 697 }
f69979cf 698 }
e51c7be2 699
0cbf2b82 700#ifndef DISABLE_EVENT
f69979cf
JH
701 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
702 return 0; /* reject, with peercert set */
e51c7be2
JH
703#endif
704
93dcb1c2 705 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
f69979cf 706 *calledp ? "" : " authenticated", dn);
93dcb1c2 707 *calledp = TRUE;
059ec3d9
PH
708 }
709
a7538db1 710return 1; /* accept, at least for this level */
059ec3d9
PH
711}
712
a2ff477a 713static int
f2f2c91b 714verify_callback_client(int preverify_ok, X509_STORE_CTX *x509ctx)
a2ff477a 715{
f2f2c91b
JH
716return verify_callback(preverify_ok, x509ctx, &tls_out,
717 &client_verify_callback_called, &client_verify_optional);
a2ff477a
JH
718}
719
720static int
f2f2c91b 721verify_callback_server(int preverify_ok, X509_STORE_CTX *x509ctx)
a2ff477a 722{
f2f2c91b
JH
723return verify_callback(preverify_ok, x509ctx, &tls_in,
724 &server_verify_callback_called, &server_verify_optional);
a2ff477a
JH
725}
726
059ec3d9 727
c0635b6d 728#ifdef SUPPORT_DANE
53a7196b 729
e5cccda9
JH
730/* This gets called *by* the dane library verify callback, which interposes
731itself.
732*/
733static int
f2f2c91b 734verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
e5cccda9
JH
735{
736X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
f69979cf 737uschar dn[256];
83b27293 738int depth = X509_STORE_CTX_get_error_depth(x509ctx);
5c75db2e 739#ifndef DISABLE_EVENT
f69979cf 740BOOL dummy_called, optional = FALSE;
83b27293 741#endif
e5cccda9 742
70e384dd
JH
743if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
744 {
745 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
746 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
747 deliver_host_address);
748 return 0;
749 }
f69979cf 750dn[sizeof(dn)-1] = '\0';
e5cccda9 751
f2f2c91b
JH
752DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
753 preverify_ok ? "ok":"BAD", depth, dn);
e5cccda9 754
0cbf2b82 755#ifndef DISABLE_EVENT
f69979cf
JH
756 if (verify_event(&tls_out, cert, depth, dn,
757 &dummy_called, &optional, US"DANE"))
758 return 0; /* reject, with peercert set */
83b27293
JH
759#endif
760
f2f2c91b 761if (preverify_ok == 1)
6fbf3599 762 {
4a1bd6b9 763 tls_out.dane_verified = TRUE;
6fbf3599
JH
764#ifndef DISABLE_OCSP
765 if (client_static_cbinfo->u_ocsp.client.verify_store)
766 { /* client, wanting stapling */
767 /* Add the server cert's signing chain as the one
768 for the verification of the OCSP stapled information. */
769
770 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
771 cert))
772 ERR_clear_error();
773 sk_X509_push(client_static_cbinfo->verify_stack, cert);
774 }
775#endif
776 }
f2f2c91b
JH
777else
778 {
779 int err = X509_STORE_CTX_get_error(x509ctx);
780 DEBUG(D_tls)
781 debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
3c51463e 782 if (err == X509_V_ERR_APPLICATION_VERIFICATION)
f2f2c91b
JH
783 preverify_ok = 1;
784 }
785return preverify_ok;
e5cccda9 786}
53a7196b 787
c0635b6d 788#endif /*SUPPORT_DANE*/
e5cccda9 789
059ec3d9
PH
790
791/*************************************************
792* Information callback *
793*************************************************/
794
795/* The SSL library functions call this from time to time to indicate what they
7be682ca
PP
796are doing. We copy the string to the debugging output when TLS debugging has
797been requested.
059ec3d9
PH
798
799Arguments:
800 s the SSL connection
801 where
802 ret
803
804Returns: nothing
805*/
806
807static void
808info_callback(SSL *s, int where, int ret)
809{
0abc5a13
JH
810DEBUG(D_tls)
811 {
812 const uschar * str;
813
814 if (where & SSL_ST_CONNECT)
48224640 815 str = US"SSL_connect";
0abc5a13 816 else if (where & SSL_ST_ACCEPT)
48224640 817 str = US"SSL_accept";
0abc5a13 818 else
48224640 819 str = US"SSL info (undefined)";
0abc5a13
JH
820
821 if (where & SSL_CB_LOOP)
822 debug_printf("%s: %s\n", str, SSL_state_string_long(s));
823 else if (where & SSL_CB_ALERT)
824 debug_printf("SSL3 alert %s:%s:%s\n",
48224640 825 str = where & SSL_CB_READ ? US"read" : US"write",
0abc5a13
JH
826 SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
827 else if (where & SSL_CB_EXIT)
828 if (ret == 0)
829 debug_printf("%s: failed in %s\n", str, SSL_state_string_long(s));
830 else if (ret < 0)
831 debug_printf("%s: error in %s\n", str, SSL_state_string_long(s));
832 else if (where & SSL_CB_HANDSHAKE_START)
833 debug_printf("%s: hshake start: %s\n", str, SSL_state_string_long(s));
834 else if (where & SSL_CB_HANDSHAKE_DONE)
835 debug_printf("%s: hshake done: %s\n", str, SSL_state_string_long(s));
836 }
059ec3d9
PH
837}
838
8238bc7b 839#ifdef OPENSSL_HAVE_KEYLOG_CB
8a40db1c
JH
840static void
841keylog_callback(const SSL *ssl, const char *line)
842{
843DEBUG(D_tls) debug_printf("%.200s\n", line);
844}
8238bc7b 845#endif
8a40db1c 846
059ec3d9 847
b10c87b3
JH
848#ifdef EXPERIMENTAL_TLS_RESUME
849/* Manage the keysets used for encrypting the session tickets, on the server. */
850
851typedef struct { /* Session ticket encryption key */
852 uschar name[16];
853
854 const EVP_CIPHER * aes_cipher;
4d93129f 855 uschar aes_key[32]; /* size needed depends on cipher. aes_128 implies 128/8 = 16? */
b10c87b3
JH
856 const EVP_MD * hmac_hash;
857 uschar hmac_key[16];
858 time_t renew;
859 time_t expire;
860} exim_stek;
861
4d93129f
JH
862static exim_stek exim_tk; /* current key */
863static exim_stek exim_tk_old; /* previous key */
b10c87b3
JH
864
865static void
866tk_init(void)
867{
4d93129f
JH
868time_t t = time(NULL);
869
b10c87b3
JH
870if (exim_tk.name[0])
871 {
4d93129f 872 if (exim_tk.renew >= t) return;
b10c87b3
JH
873 exim_tk_old = exim_tk;
874 }
875
876if (f.running_in_test_harness) ssl_session_timeout = 6;
877
878DEBUG(D_tls) debug_printf("OpenSSL: %s STEK\n", exim_tk.name[0] ? "rotating" : "creating");
879if (RAND_bytes(exim_tk.aes_key, sizeof(exim_tk.aes_key)) <= 0) return;
880if (RAND_bytes(exim_tk.hmac_key, sizeof(exim_tk.hmac_key)) <= 0) return;
881if (RAND_bytes(exim_tk.name+1, sizeof(exim_tk.name)-1) <= 0) return;
882
883exim_tk.name[0] = 'E';
4d93129f 884exim_tk.aes_cipher = EVP_aes_256_cbc();
b10c87b3 885exim_tk.hmac_hash = EVP_sha256();
4d93129f
JH
886exim_tk.expire = t + ssl_session_timeout;
887exim_tk.renew = t + ssl_session_timeout/2;
b10c87b3
JH
888}
889
890static exim_stek *
891tk_current(void)
892{
893if (!exim_tk.name[0]) return NULL;
894return &exim_tk;
895}
896
897static exim_stek *
898tk_find(const uschar * name)
899{
900return memcmp(name, exim_tk.name, sizeof(exim_tk.name)) == 0 ? &exim_tk
901 : memcmp(name, exim_tk_old.name, sizeof(exim_tk_old.name)) == 0 ? &exim_tk_old
902 : NULL;
903}
904
905/* Callback for session tickets, on server */
906static int
907ticket_key_callback(SSL * ssl, uschar key_name[16],
908 uschar * iv, EVP_CIPHER_CTX * ctx, HMAC_CTX * hctx, int enc)
909{
910tls_support * tlsp = server_static_cbinfo->tlsp;
911exim_stek * key;
912
913if (enc)
914 {
915 DEBUG(D_tls) debug_printf("ticket_key_callback: create new session\n");
916 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
917
918 if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) <= 0)
919 return -1; /* insufficient random */
920
921 if (!(key = tk_current())) /* current key doesn't exist or isn't valid */
922 return 0; /* key couldn't be created */
923 memcpy(key_name, key->name, 16);
d70fc283 924 DEBUG(D_tls) debug_printf("STEK expire " TIME_T_FMT "\n", key->expire - time(NULL));
b10c87b3
JH
925
926 /*XXX will want these dependent on the ssl session strength */
927 HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
928 key->hmac_hash, NULL);
929 EVP_EncryptInit_ex(ctx, key->aes_cipher, NULL, key->aes_key, iv);
930
931 DEBUG(D_tls) debug_printf("ticket created\n");
932 return 1;
933 }
934else
935 {
936 time_t now = time(NULL);
937
938 DEBUG(D_tls) debug_printf("ticket_key_callback: retrieve session\n");
939 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
940
941 if (!(key = tk_find(key_name)) || key->expire < now)
942 {
943 DEBUG(D_tls)
944 {
945 debug_printf("ticket not usable (%s)\n", key ? "expired" : "not found");
d70fc283 946 if (key) debug_printf("STEK expire " TIME_T_FMT "\n", key->expire - now);
b10c87b3
JH
947 }
948 return 0;
949 }
950
951 HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
952 key->hmac_hash, NULL);
953 EVP_DecryptInit_ex(ctx, key->aes_cipher, NULL, key->aes_key, iv);
954
d70fc283 955 DEBUG(D_tls) debug_printf("ticket usable, STEK expire " TIME_T_FMT "\n", key->expire - now);
dea4b568
JH
956
957 /* The ticket lifetime and renewal are the same as the STEK lifetime and
958 renewal, which is overenthusiastic. A factor of, say, 3x longer STEK would
959 be better. To do that we'd have to encode ticket lifetime in the name as
960 we don't yet see the restored session. Could check posthandshake for TLS1.3
961 and trigger a new ticket then, but cannot do that for TLS1.2 */
b10c87b3
JH
962 return key->renew < now ? 2 : 1;
963 }
964}
965#endif
966
967
059ec3d9
PH
968
969/*************************************************
970* Initialize for DH *
971*************************************************/
972
973/* If dhparam is set, expand it, and load up the parameters for DH encryption.
974
975Arguments:
038597d2 976 sctx The current SSL CTX (inbound or outbound)
a799883d 977 dhparam DH parameter file or fixed parameter identity string
7199e1ee 978 host connected host, if client; NULL if server
cf0c6164 979 errstr error string pointer
059ec3d9
PH
980
981Returns: TRUE if OK (nothing to set up, or setup worked)
982*/
983
984static BOOL
cf0c6164 985init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host, uschar ** errstr)
059ec3d9 986{
059ec3d9
PH
987BIO *bio;
988DH *dh;
989uschar *dhexpanded;
a799883d 990const char *pem;
6600985a 991int dh_bitsize;
059ec3d9 992
cf0c6164 993if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded, errstr))
059ec3d9
PH
994 return FALSE;
995
0df4ab80 996if (!dhexpanded || !*dhexpanded)
a799883d 997 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
a799883d 998else if (dhexpanded[0] == '/')
059ec3d9 999 {
0df4ab80 1000 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
059ec3d9 1001 {
7199e1ee 1002 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
cf0c6164 1003 host, US strerror(errno), errstr);
a799883d 1004 return FALSE;
059ec3d9 1005 }
a799883d
PP
1006 }
1007else
1008 {
1009 if (Ustrcmp(dhexpanded, "none") == 0)
059ec3d9 1010 {
a799883d
PP
1011 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
1012 return TRUE;
059ec3d9 1013 }
a799883d 1014
0df4ab80 1015 if (!(pem = std_dh_prime_named(dhexpanded)))
a799883d
PP
1016 {
1017 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
cf0c6164 1018 host, US strerror(errno), errstr);
a799883d
PP
1019 return FALSE;
1020 }
1021 bio = BIO_new_mem_buf(CS pem, -1);
1022 }
1023
0df4ab80 1024if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
a799883d 1025 {
059ec3d9 1026 BIO_free(bio);
a799883d 1027 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
cf0c6164 1028 host, NULL, errstr);
a799883d
PP
1029 return FALSE;
1030 }
1031
6600985a
PP
1032/* note: our default limit of 2236 is not a multiple of 8; the limit comes from
1033 * an NSS limit, and the GnuTLS APIs handle bit-sizes fine, so we went with
1034 * 2236. But older OpenSSL can only report in bytes (octets), not bits.
1035 * If someone wants to dance at the edge, then they can raise the limit or use
1036 * current libraries. */
1037#ifdef EXIM_HAVE_OPENSSL_DH_BITS
1038/* Added in commit 26c79d5641d; `git describe --contains` says OpenSSL_1_1_0-pre1~1022
1039 * This predates OpenSSL_1_1_0 (before a, b, ...) so is in all 1.1.0 */
1040dh_bitsize = DH_bits(dh);
1041#else
1042dh_bitsize = 8 * DH_size(dh);
1043#endif
1044
a799883d
PP
1045/* Even if it is larger, we silently return success rather than cause things
1046 * to fail out, so that a too-large DH will not knock out all TLS; it's a
1047 * debatable choice. */
6600985a 1048if (dh_bitsize > tls_dh_max_bits)
a799883d
PP
1049 {
1050 DEBUG(D_tls)
170f4904 1051 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d\n",
6600985a 1052 dh_bitsize, tls_dh_max_bits);
a799883d
PP
1053 }
1054else
1055 {
1056 SSL_CTX_set_tmp_dh(sctx, dh);
1057 DEBUG(D_tls)
1058 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
6600985a 1059 dhexpanded ? dhexpanded : US"default", dh_bitsize);
059ec3d9
PH
1060 }
1061
a799883d
PP
1062DH_free(dh);
1063BIO_free(bio);
1064
1065return TRUE;
059ec3d9
PH
1066}
1067
1068
1069
1070
038597d2
PP
1071/*************************************************
1072* Initialize for ECDH *
1073*************************************************/
1074
1075/* Load parameters for ECDH encryption.
1076
1077For now, we stick to NIST P-256 because: it's simple and easy to configure;
1078it avoids any patent issues that might bite redistributors; despite events in
1079the news and concerns over curve choices, we're not cryptographers, we're not
1080pretending to be, and this is "good enough" to be better than no support,
1081protecting against most adversaries. Given another year or two, there might
1082be sufficient clarity about a "right" way forward to let us make an informed
1083decision, instead of a knee-jerk reaction.
1084
1085Longer-term, we should look at supporting both various named curves and
1086external files generated with "openssl ecparam", much as we do for init_dh().
1087We should also support "none" as a value, to explicitly avoid initialisation.
1088
1089Patches welcome.
1090
1091Arguments:
1092 sctx The current SSL CTX (inbound or outbound)
1093 host connected host, if client; NULL if server
cf0c6164 1094 errstr error string pointer
038597d2
PP
1095
1096Returns: TRUE if OK (nothing to set up, or setup worked)
1097*/
1098
1099static BOOL
cf0c6164 1100init_ecdh(SSL_CTX * sctx, host_item * host, uschar ** errstr)
038597d2 1101{
63f0dbe0
JH
1102#ifdef OPENSSL_NO_ECDH
1103return TRUE;
1104#else
1105
10ca4f1c
JH
1106EC_KEY * ecdh;
1107uschar * exp_curve;
1108int nid;
1109BOOL rv;
1110
038597d2
PP
1111if (host) /* No ECDH setup for clients, only for servers */
1112 return TRUE;
1113
10ca4f1c 1114# ifndef EXIM_HAVE_ECDH
038597d2
PP
1115DEBUG(D_tls)
1116 debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
1117return TRUE;
038597d2 1118# else
10ca4f1c 1119
cf0c6164 1120if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr))
10ca4f1c
JH
1121 return FALSE;
1122if (!exp_curve || !*exp_curve)
1123 return TRUE;
1124
8e53a4fc 1125/* "auto" needs to be handled carefully.
4c04137d 1126 * OpenSSL < 1.0.2: we do not select anything, but fallback to prime256v1
8e53a4fc 1127 * OpenSSL < 1.1.0: we have to call SSL_CTX_set_ecdh_auto
4c04137d 1128 * (openssl/ssl.h defines SSL_CTRL_SET_ECDH_AUTO)
8e53a4fc
HSHR
1129 * OpenSSL >= 1.1.0: we do not set anything, the libray does autoselection
1130 * https://github.com/openssl/openssl/commit/fe6ef2472db933f01b59cad82aa925736935984b
1131 */
10ca4f1c 1132if (Ustrcmp(exp_curve, "auto") == 0)
038597d2 1133 {
8e53a4fc 1134#if OPENSSL_VERSION_NUMBER < 0x10002000L
10ca4f1c 1135 DEBUG(D_tls) debug_printf(
8e53a4fc 1136 "ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n");
78a3bbd5 1137 exp_curve = US"prime256v1";
8e53a4fc
HSHR
1138#else
1139# if defined SSL_CTRL_SET_ECDH_AUTO
1140 DEBUG(D_tls) debug_printf(
1141 "ECDH OpenSSL 1.0.2+ temp key parameter settings: autoselection\n");
10ca4f1c
JH
1142 SSL_CTX_set_ecdh_auto(sctx, 1);
1143 return TRUE;
8e53a4fc
HSHR
1144# else
1145 DEBUG(D_tls) debug_printf(
1146 "ECDH OpenSSL 1.1.0+ temp key parameter settings: default selection\n");
1147 return TRUE;
1148# endif
1149#endif
10ca4f1c 1150 }
038597d2 1151
10ca4f1c
JH
1152DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve);
1153if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef
1154# ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
1155 && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef
1156# endif
1157 )
1158 {
cf0c6164
JH
1159 tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve),
1160 host, NULL, errstr);
10ca4f1c
JH
1161 return FALSE;
1162 }
038597d2 1163
10ca4f1c
JH
1164if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
1165 {
cf0c6164 1166 tls_error(US"Unable to create ec curve", host, NULL, errstr);
10ca4f1c 1167 return FALSE;
038597d2 1168 }
10ca4f1c
JH
1169
1170/* The "tmp" in the name here refers to setting a temporary key
1171not to the stability of the interface. */
1172
1173if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
cf0c6164 1174 tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL, errstr);
10ca4f1c
JH
1175else
1176 DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
1177
1178EC_KEY_free(ecdh);
1179return !rv;
1180
1181# endif /*EXIM_HAVE_ECDH*/
1182#endif /*OPENSSL_NO_ECDH*/
038597d2
PP
1183}
1184
1185
1186
1187
f2de3a33 1188#ifndef DISABLE_OCSP
3f7eeb86
PP
1189/*************************************************
1190* Load OCSP information into state *
1191*************************************************/
f5d78688 1192/* Called to load the server OCSP response from the given file into memory, once
3f7eeb86
PP
1193caller has determined this is needed. Checks validity. Debugs a message
1194if invalid.
1195
1196ASSUMES: single response, for single cert.
1197
1198Arguments:
1199 sctx the SSL_CTX* to update
1200 cbinfo various parts of session state
5b2fd993 1201 filename the filename putatively holding an OCSP response
3f7eeb86
PP
1202
1203*/
1204
1205static void
5b2fd993
JH
1206ocsp_load_response(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo,
1207 const uschar * filename)
3f7eeb86 1208{
ee5b1e28
JH
1209BIO * bio;
1210OCSP_RESPONSE * resp;
1211OCSP_BASICRESP * basic_response;
1212OCSP_SINGLERESP * single_response;
1213ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
ee5b1e28 1214STACK_OF(X509) * sk;
3f7eeb86
PP
1215unsigned long verify_flags;
1216int status, reason, i;
1217
5b2fd993 1218DEBUG(D_tls) debug_printf("tls_ocsp_file '%s'\n", filename);
3f7eeb86 1219
5b2fd993 1220if (!(bio = BIO_new_file(CS filename, "rb")))
3f7eeb86
PP
1221 {
1222 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
5b2fd993 1223 filename);
3f7eeb86
PP
1224 return;
1225 }
1226
1227resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
1228BIO_free(bio);
1229if (!resp)
1230 {
1231 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
1232 return;
1233 }
1234
ee5b1e28 1235if ((status = OCSP_response_status(resp)) != OCSP_RESPONSE_STATUS_SUCCESSFUL)
3f7eeb86
PP
1236 {
1237 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
1238 OCSP_response_status_str(status), status);
f5d78688 1239 goto bad;
3f7eeb86
PP
1240 }
1241
5b2fd993
JH
1242#ifdef notdef
1243 {
1244 BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
1245 OCSP_RESPONSE_print(bp, resp, 0); /* extreme debug: stapling content */
1246 BIO_free(bp);
1247 }
1248#endif
1249
ee5b1e28 1250if (!(basic_response = OCSP_response_get1_basic(resp)))
3f7eeb86
PP
1251 {
1252 DEBUG(D_tls)
1253 debug_printf("OCSP response parse error: unable to extract basic response.\n");
f5d78688 1254 goto bad;
3f7eeb86
PP
1255 }
1256
c3033f13 1257sk = cbinfo->verify_stack;
3f7eeb86
PP
1258verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
1259
1260/* May need to expose ability to adjust those flags?
1261OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
1262OCSP_TRUSTOTHER OCSP_NOINTERN */
1263
4c04137d 1264/* This does a full verify on the OCSP proof before we load it for serving
ee5b1e28
JH
1265up; possibly overkill - just date-checks might be nice enough.
1266
1267OCSP_basic_verify takes a "store" arg, but does not
1268use it for the chain verification, which is all we do
1269when OCSP_NOVERIFY is set. The content from the wire
1270"basic_response" and a cert-stack "sk" are all that is used.
1271
c3033f13
JH
1272We have a stack, loaded in setup_certs() if tls_verify_certificates
1273was a file (not a directory, or "system"). It is unfortunate we
1274cannot used the connection context store, as that would neatly
1275handle the "system" case too, but there seems to be no library
1276function for getting a stack from a store.
e3555426 1277[ In OpenSSL 1.1 - ? X509_STORE_CTX_get0_chain(ctx) ? ]
c3033f13
JH
1278We do not free the stack since it could be needed a second time for
1279SNI handling.
1280
4c04137d 1281Separately we might try to replace using OCSP_basic_verify() - which seems to not
5ec37a55 1282be a public interface into the OpenSSL library (there's no manual entry) -
ee5b1e28 1283But what with? We also use OCSP_basic_verify in the client stapling callback.
4c04137d 1284And there we NEED it; we must verify that status... unless the
ee5b1e28
JH
1285library does it for us anyway? */
1286
1287if ((i = OCSP_basic_verify(basic_response, sk, NULL, verify_flags)) < 0)
3f7eeb86 1288 {
ee5b1e28
JH
1289 DEBUG(D_tls)
1290 {
0abc5a13 1291 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3f7eeb86 1292 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
f5d78688
JH
1293 }
1294 goto bad;
3f7eeb86
PP
1295 }
1296
1297/* Here's the simplifying assumption: there's only one response, for the
1298one certificate we use, and nothing for anything else in a chain. If this
1299proves false, we need to extract a cert id from our issued cert
1300(tls_certificate) and use that for OCSP_resp_find_status() (which finds the
1301right cert in the stack and then calls OCSP_single_get0_status()).
1302
5b2fd993
JH
1303I'm hoping to avoid reworking a bunch more of how we handle state here.
1304
1305XXX that will change when we add support for (TLS1.3) whole-chain stapling
1306*/
ee5b1e28
JH
1307
1308if (!(single_response = OCSP_resp_get0(basic_response, 0)))
3f7eeb86
PP
1309 {
1310 DEBUG(D_tls)
1311 debug_printf("Unable to get first response from OCSP basic response.\n");
f5d78688 1312 goto bad;
3f7eeb86
PP
1313 }
1314
1315status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
f5d78688 1316if (status != V_OCSP_CERTSTATUS_GOOD)
3f7eeb86 1317 {
f5d78688
JH
1318 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
1319 OCSP_cert_status_str(status), status,
1320 OCSP_crl_reason_str(reason), reason);
1321 goto bad;
3f7eeb86
PP
1322 }
1323
1324if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1325 {
1326 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
f5d78688 1327 goto bad;
3f7eeb86
PP
1328 }
1329
f5d78688 1330supply_response:
5b2fd993
JH
1331 /* Add the resp to the list used by tls_server_stapling_cb() */
1332 {
1333 ocsp_resplist ** op = &cbinfo->u_ocsp.server.olist, * oentry;
1334 while (oentry = *op)
1335 op = &oentry->next;
1336 *op = oentry = store_get(sizeof(ocsp_resplist), FALSE);
1337 oentry->next = NULL;
1338 oentry->resp = resp;
1339 }
f5d78688
JH
1340return;
1341
1342bad:
8768d548 1343 if (f.running_in_test_harness)
018058b2
JH
1344 {
1345 extern char ** environ;
d7978c0f 1346 if (environ) for (uschar ** p = USS environ; *p; p++)
018058b2
JH
1347 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
1348 {
1349 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
1350 goto supply_response;
1351 }
1352 }
f5d78688 1353return;
3f7eeb86 1354}
5b2fd993
JH
1355
1356
1357static void
1358ocsp_free_response_list(tls_ext_ctx_cb * cbinfo)
1359{
1360for (ocsp_resplist * olist = cbinfo->u_ocsp.server.olist; olist;
1361 olist = olist->next)
1362 OCSP_RESPONSE_free(olist->resp);
1363cbinfo->u_ocsp.server.olist = NULL;
1364}
f2de3a33 1365#endif /*!DISABLE_OCSP*/
3f7eeb86
PP
1366
1367
1368
1369
23bb6982
JH
1370/* Create and install a selfsigned certificate, for use in server mode */
1371
1372static int
cf0c6164 1373tls_install_selfsign(SSL_CTX * sctx, uschar ** errstr)
23bb6982
JH
1374{
1375X509 * x509 = NULL;
1376EVP_PKEY * pkey;
1377RSA * rsa;
1378X509_NAME * name;
1379uschar * where;
1380
1381where = US"allocating pkey";
1382if (!(pkey = EVP_PKEY_new()))
1383 goto err;
1384
1385where = US"allocating cert";
1386if (!(x509 = X509_new()))
1387 goto err;
1388
1389where = US"generating pkey";
6aac3239 1390if (!(rsa = rsa_callback(NULL, 0, 2048)))
23bb6982
JH
1391 goto err;
1392
4c04137d 1393where = US"assigning pkey";
23bb6982
JH
1394if (!EVP_PKEY_assign_RSA(pkey, rsa))
1395 goto err;
1396
1397X509_set_version(x509, 2); /* N+1 - version 3 */
1613fd68 1398ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
23bb6982
JH
1399X509_gmtime_adj(X509_get_notBefore(x509), 0);
1400X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60); /* 1 hour */
1401X509_set_pubkey(x509, pkey);
1402
1403name = X509_get_subject_name(x509);
1404X509_NAME_add_entry_by_txt(name, "C",
4dc2379a 1405 MBSTRING_ASC, CUS "UK", -1, -1, 0);
23bb6982 1406X509_NAME_add_entry_by_txt(name, "O",
4dc2379a 1407 MBSTRING_ASC, CUS "Exim Developers", -1, -1, 0);
23bb6982 1408X509_NAME_add_entry_by_txt(name, "CN",
4dc2379a 1409 MBSTRING_ASC, CUS smtp_active_hostname, -1, -1, 0);
23bb6982
JH
1410X509_set_issuer_name(x509, name);
1411
1412where = US"signing cert";
1413if (!X509_sign(x509, pkey, EVP_md5()))
1414 goto err;
1415
1416where = US"installing selfsign cert";
1417if (!SSL_CTX_use_certificate(sctx, x509))
1418 goto err;
1419
1420where = US"installing selfsign key";
1421if (!SSL_CTX_use_PrivateKey(sctx, pkey))
1422 goto err;
1423
1424return OK;
1425
1426err:
cf0c6164 1427 (void) tls_error(where, NULL, NULL, errstr);
23bb6982
JH
1428 if (x509) X509_free(x509);
1429 if (pkey) EVP_PKEY_free(pkey);
1430 return DEFER;
1431}
1432
1433
1434
1435
ba86e143
JH
1436static int
1437tls_add_certfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1438 uschar ** errstr)
1439{
5b2fd993 1440DEBUG(D_tls) debug_printf("tls_certificate file '%s'\n", file);
ba86e143
JH
1441if (!SSL_CTX_use_certificate_chain_file(sctx, CS file))
1442 return tls_error(string_sprintf(
1443 "SSL_CTX_use_certificate_chain_file file=%s", file),
1444 cbinfo->host, NULL, errstr);
1445return 0;
1446}
1447
1448static int
1449tls_add_pkeyfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1450 uschar ** errstr)
1451{
5b2fd993 1452DEBUG(D_tls) debug_printf("tls_privatekey file '%s'\n", file);
ba86e143
JH
1453if (!SSL_CTX_use_PrivateKey_file(sctx, CS file, SSL_FILETYPE_PEM))
1454 return tls_error(string_sprintf(
1455 "SSL_CTX_use_PrivateKey_file file=%s", file), cbinfo->host, NULL, errstr);
1456return 0;
1457}
1458
1459
059ec3d9 1460/*************************************************
7be682ca
PP
1461* Expand key and cert file specs *
1462*************************************************/
1463
f5d78688 1464/* Called once during tls_init and possibly again during TLS setup, for a
7be682ca
PP
1465new context, if Server Name Indication was used and tls_sni was seen in
1466the certificate string.
1467
1468Arguments:
1469 sctx the SSL_CTX* to update
1470 cbinfo various parts of session state
cf0c6164 1471 errstr error string pointer
7be682ca
PP
1472
1473Returns: OK/DEFER/FAIL
1474*/
1475
1476static int
5b2fd993 1477tls_expand_session_files(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo,
cf0c6164 1478 uschar ** errstr)
7be682ca 1479{
5b2fd993 1480uschar * expanded;
7be682ca 1481
23bb6982 1482if (!cbinfo->certificate)
7be682ca 1483 {
ba86e143 1484 if (!cbinfo->is_server) /* client */
23bb6982 1485 return OK;
afdb5e9c 1486 /* server */
cf0c6164 1487 if (tls_install_selfsign(sctx, errstr) != OK)
23bb6982 1488 return DEFER;
7be682ca 1489 }
23bb6982
JH
1490else
1491 {
ba86e143
JH
1492 int err;
1493
5b2fd993
JH
1494 if ( !reexpand_tls_files_for_sni
1495 && ( Ustrstr(cbinfo->certificate, US"tls_sni")
1496 || Ustrstr(cbinfo->certificate, US"tls_in_sni")
1497 || Ustrstr(cbinfo->certificate, US"tls_out_sni")
1498 ) )
23bb6982 1499 reexpand_tls_files_for_sni = TRUE;
7be682ca 1500
cf0c6164 1501 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded, errstr))
23bb6982
JH
1502 return DEFER;
1503
ba86e143
JH
1504 if (expanded)
1505 if (cbinfo->is_server)
1506 {
1507 const uschar * file_list = expanded;
1508 int sep = 0;
1509 uschar * file;
5b2fd993
JH
1510#ifndef DISABLE_OCSP
1511 const uschar * olist = cbinfo->u_ocsp.server.file;
1512 int osep = 0;
1513 uschar * ofile;
1514
1515 if (olist)
1516 if (!expand_check(olist, US"tls_ocsp_file", USS &olist, errstr))
1517 return DEFER;
1518 if (olist && !*olist)
1519 olist = NULL;
1520
1521 if ( cbinfo->u_ocsp.server.file_expanded && olist
1522 && (Ustrcmp(olist, cbinfo->u_ocsp.server.file_expanded) == 0))
1523 {
1524 DEBUG(D_tls) debug_printf(" - value unchanged, using existing values\n");
1525 olist = NULL;
1526 }
1527 else
1528 {
1529 ocsp_free_response_list(cbinfo);
1530 cbinfo->u_ocsp.server.file_expanded = olist;
1531 }
1532#endif
ba86e143
JH
1533
1534 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
5b2fd993 1535 {
ba86e143
JH
1536 if ((err = tls_add_certfile(sctx, cbinfo, file, errstr)))
1537 return err;
5b2fd993
JH
1538
1539#ifndef DISABLE_OCSP
1540 if (olist)
1541 if ((ofile = string_nextinlist(&olist, &osep, NULL, 0)))
1542 ocsp_load_response(sctx, cbinfo, ofile);
1543 else
1544 DEBUG(D_tls) debug_printf("ran out of ocsp file list\n");
1545#endif
1546 }
ba86e143
JH
1547 }
1548 else /* would there ever be a need for multiple client certs? */
1549 if ((err = tls_add_certfile(sctx, cbinfo, expanded, errstr)))
1550 return err;
7be682ca 1551
5a2a0989
JH
1552 if ( cbinfo->privatekey
1553 && !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded, errstr))
23bb6982 1554 return DEFER;
7be682ca 1555
23bb6982
JH
1556 /* If expansion was forced to fail, key_expanded will be NULL. If the result
1557 of the expansion is an empty string, ignore it also, and assume the private
1558 key is in the same file as the certificate. */
1559
1560 if (expanded && *expanded)
ba86e143
JH
1561 if (cbinfo->is_server)
1562 {
1563 const uschar * file_list = expanded;
1564 int sep = 0;
1565 uschar * file;
1566
1567 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1568 if ((err = tls_add_pkeyfile(sctx, cbinfo, file, errstr)))
1569 return err;
1570 }
1571 else /* would there ever be a need for multiple client certs? */
1572 if ((err = tls_add_pkeyfile(sctx, cbinfo, expanded, errstr)))
1573 return err;
7be682ca
PP
1574 }
1575
1576return OK;
1577}
1578
1579
1580
1581
1582/*************************************************
1583* Callback to handle SNI *
1584*************************************************/
1585
1586/* Called when acting as server during the TLS session setup if a Server Name
1587Indication extension was sent by the client.
1588
1589API documentation is OpenSSL s_server.c implementation.
1590
1591Arguments:
1592 s SSL* of the current session
1593 ad unknown (part of OpenSSL API) (unused)
1594 arg Callback of "our" registered data
1595
1596Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
b10c87b3
JH
1597
1598XXX might need to change to using ClientHello callback,
1599per https://www.openssl.org/docs/manmaster/man3/SSL_client_hello_cb_fn.html
7be682ca
PP
1600*/
1601
3bcbbbe2 1602#ifdef EXIM_HAVE_OPENSSL_TLSEXT
7be682ca 1603static int
7be682ca
PP
1604tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
1605{
1606const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
3f7eeb86 1607tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
7be682ca 1608int rc;
3f0945ff 1609int old_pool = store_pool;
cf0c6164 1610uschar * dummy_errstr;
7be682ca
PP
1611
1612if (!servername)
1613 return SSL_TLSEXT_ERR_OK;
1614
3f0945ff 1615DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
7be682ca
PP
1616 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
1617
1618/* Make the extension value available for expansion */
3f0945ff 1619store_pool = POOL_PERM;
89a80675 1620tls_in.sni = string_copy_taint(US servername, TRUE);
3f0945ff 1621store_pool = old_pool;
7be682ca
PP
1622
1623if (!reexpand_tls_files_for_sni)
1624 return SSL_TLSEXT_ERR_OK;
1625
1626/* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
1627not confident that memcpy wouldn't break some internal reference counting.
1628Especially since there's a references struct member, which would be off. */
1629
7a8b9519
JH
1630#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1631if (!(server_sni = SSL_CTX_new(TLS_server_method())))
1632#else
0df4ab80 1633if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
7a8b9519 1634#endif
7be682ca 1635 {
0abc5a13 1636 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
7be682ca 1637 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
5a2a0989 1638 goto bad;
7be682ca
PP
1639 }
1640
1641/* Not sure how many of these are actually needed, since SSL object
1642already exists. Might even need this selfsame callback, for reneg? */
1643
817d9f57
JH
1644SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
1645SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
1646SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
1647SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
1648SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
1649SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
038597d2 1650
cf0c6164
JH
1651if ( !init_dh(server_sni, cbinfo->dhparam, NULL, &dummy_errstr)
1652 || !init_ecdh(server_sni, NULL, &dummy_errstr)
038597d2 1653 )
5a2a0989 1654 goto bad;
038597d2 1655
ca954d7f
JH
1656if ( cbinfo->server_cipher_list
1657 && !SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list))
5a2a0989 1658 goto bad;
ca954d7f 1659
f2de3a33 1660#ifndef DISABLE_OCSP
f5d78688 1661if (cbinfo->u_ocsp.server.file)
3f7eeb86 1662 {
f5d78688 1663 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
14c7b357 1664 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
3f7eeb86
PP
1665 }
1666#endif
7be682ca 1667
c3033f13 1668if ((rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE,
cf0c6164 1669 verify_callback_server, &dummy_errstr)) != OK)
5a2a0989 1670 goto bad;
7be682ca 1671
3f7eeb86
PP
1672/* do this after setup_certs, because this can require the certs for verifying
1673OCSP information. */
cf0c6164 1674if ((rc = tls_expand_session_files(server_sni, cbinfo, &dummy_errstr)) != OK)
5a2a0989 1675 goto bad;
a799883d 1676
7be682ca 1677DEBUG(D_tls) debug_printf("Switching SSL context.\n");
817d9f57 1678SSL_set_SSL_CTX(s, server_sni);
7be682ca 1679return SSL_TLSEXT_ERR_OK;
5a2a0989
JH
1680
1681bad: return SSL_TLSEXT_ERR_ALERT_FATAL;
7be682ca 1682}
3bcbbbe2 1683#endif /* EXIM_HAVE_OPENSSL_TLSEXT */
7be682ca
PP
1684
1685
1686
1687
f2de3a33 1688#ifndef DISABLE_OCSP
f5d78688 1689
3f7eeb86
PP
1690/*************************************************
1691* Callback to handle OCSP Stapling *
1692*************************************************/
1693
1694/* Called when acting as server during the TLS session setup if the client
1695requests OCSP information with a Certificate Status Request.
1696
1697Documentation via openssl s_server.c and the Apache patch from the OpenSSL
1698project.
1699
1700*/
1701
1702static int
f5d78688 1703tls_server_stapling_cb(SSL *s, void *arg)
3f7eeb86 1704{
5b2fd993
JH
1705const tls_ext_ctx_cb * cbinfo = (tls_ext_ctx_cb *) arg;
1706ocsp_resplist * olist = cbinfo->u_ocsp.server.olist;
1707uschar * response_der; /*XXX blob */
3f7eeb86
PP
1708int response_der_len;
1709
af4a1bca 1710DEBUG(D_tls)
5b2fd993
JH
1711 debug_printf("Received TLS status request (OCSP stapling); %s response list\n",
1712 olist ? "have" : "lack");
f5d78688 1713
44662487 1714tls_in.ocsp = OCSP_NOT_RESP;
5b2fd993 1715if (!olist)
3f7eeb86
PP
1716 return SSL_TLSEXT_ERR_NOACK;
1717
012dd02e 1718#ifdef EXIM_HAVE_OPESSL_GET0_SERIAL
5b2fd993
JH
1719 {
1720 const X509 * cert_sent = SSL_get_certificate(s);
1721 const ASN1_INTEGER * cert_serial = X509_get0_serialNumber(cert_sent);
1722 const BIGNUM * cert_bn = ASN1_INTEGER_to_BN(cert_serial, NULL);
1723 const X509_NAME * cert_issuer = X509_get_issuer_name(cert_sent);
1724 uschar * chash;
1725 uint chash_len;
1726
1727 for (; olist; olist = olist->next)
1728 {
1729 OCSP_BASICRESP * bs = OCSP_response_get1_basic(olist->resp);
1730 const OCSP_SINGLERESP * single = OCSP_resp_get0(bs, 0);
1731 const OCSP_CERTID * cid = OCSP_SINGLERESP_get0_id(single);
1732 ASN1_INTEGER * res_cert_serial;
1733 const BIGNUM * resp_bn;
1734 ASN1_OCTET_STRING * res_cert_iNameHash;
1735
1736
1737 (void) OCSP_id_get0_info(&res_cert_iNameHash, NULL, NULL, &res_cert_serial,
1738 (OCSP_CERTID *) cid);
1739 resp_bn = ASN1_INTEGER_to_BN(res_cert_serial, NULL);
1740
1741 DEBUG(D_tls)
1742 {
1743 debug_printf("cert serial: %s\n", BN_bn2hex(cert_bn));
1744 debug_printf("resp serial: %s\n", BN_bn2hex(resp_bn));
1745 }
1746
1747 if (BN_cmp(cert_bn, resp_bn) == 0)
1748 {
1749 DEBUG(D_tls) debug_printf("matched serial for ocsp\n");
1750
1751 /*XXX TODO: check the rest of the list for duplicate matches.
1752 If any, need to also check the Issuer Name hash.
1753 Without this, we will provide the wrong status in the case of
1754 duplicate id. */
1755
1756 break;
1757 }
1758 DEBUG(D_tls) debug_printf("not match serial for ocsp\n");
1759 }
1760 if (!olist)
1761 {
1762 DEBUG(D_tls) debug_printf("failed to find match for ocsp\n");
1763 return SSL_TLSEXT_ERR_NOACK;
1764 }
1765 }
012dd02e
JH
1766#else
1767if (olist->next)
1768 {
1769 DEBUG(D_tls) debug_printf("OpenSSL version too early to support multi-leaf OCSP\n");
1770 return SSL_TLSEXT_ERR_NOACK;
1771 }
1772#endif
5b2fd993
JH
1773
1774/*XXX could we do the i2d earlier, rather than during the callback? */
3f7eeb86 1775response_der = NULL;
5b2fd993 1776response_der_len = i2d_OCSP_RESPONSE(olist->resp, &response_der);
3f7eeb86
PP
1777if (response_der_len <= 0)
1778 return SSL_TLSEXT_ERR_NOACK;
1779
5e55c7a9 1780SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
44662487 1781tls_in.ocsp = OCSP_VFIED;
3f7eeb86
PP
1782return SSL_TLSEXT_ERR_OK;
1783}
1784
3f7eeb86 1785
f5d78688
JH
1786static void
1787time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
1788{
1789BIO_printf(bp, "\t%s: ", str);
1790ASN1_GENERALIZEDTIME_print(bp, time);
1791BIO_puts(bp, "\n");
1792}
1793
1794static int
1795tls_client_stapling_cb(SSL *s, void *arg)
1796{
1797tls_ext_ctx_cb * cbinfo = arg;
1798const unsigned char * p;
1799int len;
1800OCSP_RESPONSE * rsp;
1801OCSP_BASICRESP * bs;
1802int i;
1803
1804DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
1805len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1806if(!p)
1807 {
44662487 1808 /* Expect this when we requested ocsp but got none */
6c6d6e48 1809 if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
44662487 1810 log_write(0, LOG_MAIN, "Received TLS status callback, null content");
f5d78688
JH
1811 else
1812 DEBUG(D_tls) debug_printf(" null\n");
44662487 1813 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
f5d78688 1814 }
018058b2 1815
c82de233
JH
1816if (!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
1817 {
1818 tls_out.ocsp = OCSP_FAILED; /*XXX should use tlsp-> to permit concurrent outbound */
6c6d6e48 1819 if (LOGGING(tls_cipher))
1eca31ca 1820 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
f5d78688
JH
1821 else
1822 DEBUG(D_tls) debug_printf(" parse error\n");
1823 return 0;
c82de233 1824 }
f5d78688 1825
c82de233 1826if (!(bs = OCSP_response_get1_basic(rsp)))
f5d78688 1827 {
018058b2 1828 tls_out.ocsp = OCSP_FAILED;
6c6d6e48 1829 if (LOGGING(tls_cipher))
1eca31ca 1830 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
f5d78688
JH
1831 else
1832 DEBUG(D_tls) debug_printf(" error parsing response\n");
1833 OCSP_RESPONSE_free(rsp);
1834 return 0;
1835 }
1836
1837/* We'd check the nonce here if we'd put one in the request. */
1838/* However that would defeat cacheability on the server so we don't. */
1839
f5d78688
JH
1840/* This section of code reworked from OpenSSL apps source;
1841 The OpenSSL Project retains copyright:
1842 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
1843*/
1844 {
1845 BIO * bp = NULL;
f5d78688
JH
1846 int status, reason;
1847 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1848
57887ecc 1849 DEBUG(D_tls) bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
f5d78688
JH
1850
1851 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
1852
1853 /* Use the chain that verified the server cert to verify the stapled info */
1854 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
1855
c3033f13 1856 if ((i = OCSP_basic_verify(bs, cbinfo->verify_stack,
44662487 1857 cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
f5d78688 1858 {
018058b2 1859 tls_out.ocsp = OCSP_FAILED;
57887ecc
JH
1860 if (LOGGING(tls_cipher)) log_write(0, LOG_MAIN,
1861 "Received TLS cert status response, itself unverifiable: %s",
1862 ERR_reason_error_string(ERR_peek_error()));
f5d78688
JH
1863 BIO_printf(bp, "OCSP response verify failure\n");
1864 ERR_print_errors(bp);
57887ecc 1865 OCSP_RESPONSE_print(bp, rsp, 0);
c8dfb21d 1866 goto failed;
f5d78688
JH
1867 }
1868
1869 BIO_printf(bp, "OCSP response well-formed and signed OK\n");
1870
c8dfb21d
JH
1871 /*XXX So we have a good stapled OCSP status. How do we know
1872 it is for the cert of interest? OpenSSL 1.1.0 has a routine
1873 OCSP_resp_find_status() which matches on a cert id, which presumably
1874 we should use. Making an id needs OCSP_cert_id_new(), which takes
1875 issuerName, issuerKey, serialNumber. Are they all in the cert?
1876
1877 For now, carry on blindly accepting the resp. */
1878
f5d78688 1879 {
f5d78688
JH
1880 OCSP_SINGLERESP * single;
1881
c8dfb21d
JH
1882#ifdef EXIM_HAVE_OCSP_RESP_COUNT
1883 if (OCSP_resp_count(bs) != 1)
1884#else
1885 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
f5d78688 1886 if (sk_OCSP_SINGLERESP_num(sresp) != 1)
c8dfb21d 1887#endif
f5d78688 1888 {
018058b2 1889 tls_out.ocsp = OCSP_FAILED;
44662487
JH
1890 log_write(0, LOG_MAIN, "OCSP stapling "
1891 "with multiple responses not handled");
c8dfb21d 1892 goto failed;
f5d78688
JH
1893 }
1894 single = OCSP_resp_get0(bs, 0);
44662487
JH
1895 status = OCSP_single_get0_status(single, &reason, &rev,
1896 &thisupd, &nextupd);
f5d78688
JH
1897 }
1898
f5d78688
JH
1899 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
1900 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
44662487
JH
1901 if (!OCSP_check_validity(thisupd, nextupd,
1902 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
f5d78688 1903 {
018058b2 1904 tls_out.ocsp = OCSP_FAILED;
f5d78688
JH
1905 DEBUG(D_tls) ERR_print_errors(bp);
1906 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
f5d78688 1907 }
44662487 1908 else
f5d78688 1909 {
44662487
JH
1910 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
1911 OCSP_cert_status_str(status));
1912 switch(status)
1913 {
1914 case V_OCSP_CERTSTATUS_GOOD:
44662487 1915 tls_out.ocsp = OCSP_VFIED;
018058b2 1916 i = 1;
c8dfb21d 1917 goto good;
44662487 1918 case V_OCSP_CERTSTATUS_REVOKED:
018058b2 1919 tls_out.ocsp = OCSP_FAILED;
44662487
JH
1920 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
1921 reason != -1 ? "; reason: " : "",
1922 reason != -1 ? OCSP_crl_reason_str(reason) : "");
1923 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
44662487
JH
1924 break;
1925 default:
018058b2 1926 tls_out.ocsp = OCSP_FAILED;
44662487
JH
1927 log_write(0, LOG_MAIN,
1928 "Server certificate status unknown, in OCSP stapling");
44662487
JH
1929 break;
1930 }
f5d78688 1931 }
c8dfb21d
JH
1932 failed:
1933 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1934 good:
f5d78688
JH
1935 BIO_free(bp);
1936 }
1937
1938OCSP_RESPONSE_free(rsp);
1939return i;
1940}
f2de3a33 1941#endif /*!DISABLE_OCSP*/
3f7eeb86
PP
1942
1943
7be682ca 1944/*************************************************
059ec3d9
PH
1945* Initialize for TLS *
1946*************************************************/
1947
e51c7be2
JH
1948/* Called from both server and client code, to do preliminary initialization
1949of the library. We allocate and return a context structure.
059ec3d9
PH
1950
1951Arguments:
946ecbe0 1952 ctxp returned SSL context
059ec3d9
PH
1953 host connected host, if client; NULL if server
1954 dhparam DH parameter file
1955 certificate certificate file
1956 privatekey private key
f5d78688 1957 ocsp_file file of stapling info (server); flag for require ocsp (client)
059ec3d9 1958 addr address if client; NULL if server (for some randomness)
946ecbe0 1959 cbp place to put allocated callback context
cf0c6164 1960 errstr error string pointer
059ec3d9
PH
1961
1962Returns: OK/DEFER/FAIL
1963*/
1964
1965static int
817d9f57 1966tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
3f7eeb86 1967 uschar *privatekey,
f2de3a33 1968#ifndef DISABLE_OCSP
5b2fd993 1969 uschar *ocsp_file,
3f7eeb86 1970#endif
b10c87b3
JH
1971 address_item *addr, tls_ext_ctx_cb ** cbp,
1972 tls_support * tlsp,
1973 uschar ** errstr)
059ec3d9 1974{
7006ee24 1975SSL_CTX * ctx;
77bb000f 1976long init_options;
7be682ca 1977int rc;
a7538db1 1978tls_ext_ctx_cb * cbinfo;
7be682ca
PP
1979
1980cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
b10c87b3 1981cbinfo->tlsp = tlsp;
7be682ca
PP
1982cbinfo->certificate = certificate;
1983cbinfo->privatekey = privatekey;
a6510420 1984cbinfo->is_server = host==NULL;
f2de3a33 1985#ifndef DISABLE_OCSP
c3033f13 1986cbinfo->verify_stack = NULL;
a6510420 1987if (!host)
f5d78688
JH
1988 {
1989 cbinfo->u_ocsp.server.file = ocsp_file;
1990 cbinfo->u_ocsp.server.file_expanded = NULL;
5b2fd993 1991 cbinfo->u_ocsp.server.olist = NULL;
f5d78688
JH
1992 }
1993else
1994 cbinfo->u_ocsp.client.verify_store = NULL;
3f7eeb86 1995#endif
7be682ca 1996cbinfo->dhparam = dhparam;
0df4ab80 1997cbinfo->server_cipher_list = NULL;
7be682ca 1998cbinfo->host = host;
0cbf2b82 1999#ifndef DISABLE_EVENT
a7538db1
JH
2000cbinfo->event_action = NULL;
2001#endif
77bb000f 2002
7434882d 2003#ifdef EXIM_NEED_OPENSSL_INIT
059ec3d9
PH
2004SSL_load_error_strings(); /* basic set up */
2005OpenSSL_add_ssl_algorithms();
7434882d 2006#endif
059ec3d9 2007
c8dfb21d 2008#ifdef EXIM_HAVE_SHA256
77bb000f 2009/* SHA256 is becoming ever more popular. This makes sure it gets added to the
a0475b69
TK
2010list of available digests. */
2011EVP_add_digest(EVP_sha256());
cf1ef1a9 2012#endif
a0475b69 2013
f0f5a555
PP
2014/* Create a context.
2015The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
2016negotiation in the different methods; as far as I can tell, the only
2017*_{server,client}_method which allows negotiation is SSLv23, which exists even
2018when OpenSSL is built without SSLv2 support.
2019By disabling with openssl_options, we can let admins re-enable with the
2020existing knob. */
059ec3d9 2021
7a8b9519
JH
2022#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
2023if (!(ctx = SSL_CTX_new(host ? TLS_client_method() : TLS_server_method())))
2024#else
7006ee24 2025if (!(ctx = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method())))
7a8b9519 2026#endif
7006ee24 2027 return tls_error(US"SSL_CTX_new", host, NULL, errstr);
059ec3d9
PH
2028
2029/* It turns out that we need to seed the random number generator this early in
2030order to get the full complement of ciphers to work. It took me roughly a day
2031of work to discover this by experiment.
2032
2033On systems that have /dev/urandom, SSL may automatically seed itself from
2034there. Otherwise, we have to make something up as best we can. Double check
2035afterwards. */
2036
2037if (!RAND_status())
2038 {
2039 randstuff r;
9e3331ea 2040 gettimeofday(&r.tv, NULL);
059ec3d9
PH
2041 r.p = getpid();
2042
5903c6ff
JH
2043 RAND_seed(US (&r), sizeof(r));
2044 RAND_seed(US big_buffer, big_buffer_size);
2045 if (addr != NULL) RAND_seed(US addr, sizeof(addr));
059ec3d9
PH
2046
2047 if (!RAND_status())
7199e1ee 2048 return tls_error(US"RAND_status", host,
cf0c6164 2049 US"unable to seed random number generator", errstr);
059ec3d9
PH
2050 }
2051
2052/* Set up the information callback, which outputs if debugging is at a suitable
2053level. */
2054
b10c87b3
JH
2055DEBUG(D_tls)
2056 {
2057 SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
e570d136
JH
2058#if defined(EXIM_HAVE_OPESSL_TRACE) && !defined(OPENSSL_NO_SSL_TRACE)
2059 /* this needs a debug build of OpenSSL */
b10c87b3
JH
2060 SSL_CTX_set_msg_callback(ctx, (void (*)())SSL_trace);
2061#endif
8a40db1c 2062#ifdef OPENSSL_HAVE_KEYLOG_CB
b10c87b3 2063 SSL_CTX_set_keylog_callback(ctx, (void (*)())keylog_callback);
8a40db1c 2064#endif
b10c87b3 2065 }
059ec3d9 2066
c80c5570 2067/* Automatically re-try reads/writes after renegotiation. */
7006ee24 2068(void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
c80c5570 2069
77bb000f
PP
2070/* Apply administrator-supplied work-arounds.
2071Historically we applied just one requested option,
2072SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
2073moved to an administrator-controlled list of options to specify and
2074grandfathered in the first one as the default value for "openssl_options".
059ec3d9 2075
77bb000f
PP
2076No OpenSSL version number checks: the options we accept depend upon the
2077availability of the option value macros from OpenSSL. */
059ec3d9 2078
7006ee24 2079if (!tls_openssl_options_parse(openssl_options, &init_options))
cf0c6164 2080 return tls_error(US"openssl_options parsing failed", host, NULL, errstr);
77bb000f 2081
b10c87b3
JH
2082#ifdef EXPERIMENTAL_TLS_RESUME
2083tlsp->resumption = RESUME_SUPPORTED;
2084#endif
77bb000f
PP
2085if (init_options)
2086 {
b10c87b3
JH
2087#ifdef EXPERIMENTAL_TLS_RESUME
2088 /* Should the server offer session resumption? */
2089 if (!host && verify_check_host(&tls_resumption_hosts) == OK)
2090 {
2091 DEBUG(D_tls) debug_printf("tls_resumption_hosts overrides openssl_options\n");
2092 init_options &= ~SSL_OP_NO_TICKET;
2093 tlsp->resumption |= RESUME_SERVER_TICKET; /* server will give ticket on request */
2094 tlsp->host_resumable = TRUE;
2095 }
2096#endif
2097
77bb000f 2098 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
7006ee24 2099 if (!(SSL_CTX_set_options(ctx, init_options)))
77bb000f 2100 return tls_error(string_sprintf(
cf0c6164 2101 "SSL_CTX_set_option(%#lx)", init_options), host, NULL, errstr);
77bb000f
PP
2102 }
2103else
2104 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
059ec3d9 2105
a28050f8
JH
2106/* We'd like to disable session cache unconditionally, but foolish Outlook
2107Express clients then give up the first TLS connection and make a second one
2108(which works). Only when there is an IMAP service on the same machine.
2109Presumably OE is trying to use the cache for A on B. Leave it enabled for
2110now, until we work out a decent way of presenting control to the config. It
2111will never be used because we use a new context every time. */
2112#ifdef notdef
7006ee24 2113(void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
a28050f8 2114#endif
7006ee24 2115
059ec3d9 2116/* Initialize with DH parameters if supplied */
10ca4f1c 2117/* Initialize ECDH temp key parameter selection */
059ec3d9 2118
7006ee24
JH
2119if ( !init_dh(ctx, dhparam, host, errstr)
2120 || !init_ecdh(ctx, host, errstr)
038597d2
PP
2121 )
2122 return DEFER;
059ec3d9 2123
3f7eeb86 2124/* Set up certificate and key (and perhaps OCSP info) */
059ec3d9 2125
7006ee24 2126if ((rc = tls_expand_session_files(ctx, cbinfo, errstr)) != OK)
23bb6982 2127 return rc;
c91535f3 2128
c3033f13
JH
2129/* If we need to handle SNI or OCSP, do so */
2130
3bcbbbe2 2131#ifdef EXIM_HAVE_OPENSSL_TLSEXT
c3033f13
JH
2132# ifndef DISABLE_OCSP
2133 if (!(cbinfo->verify_stack = sk_X509_new_null()))
2134 {
2135 DEBUG(D_tls) debug_printf("failed to create stack for stapling verify\n");
2136 return FAIL;
2137 }
2138# endif
2139
7a8b9519 2140if (!host) /* server */
3f0945ff 2141 {
f2de3a33 2142# ifndef DISABLE_OCSP
5b2fd993 2143 /* We check u_ocsp.server.file, not server.olist, because we care about if
3f7eeb86
PP
2144 the option exists, not what the current expansion might be, as SNI might
2145 change the certificate and OCSP file in use between now and the time the
2146 callback is invoked. */
f5d78688 2147 if (cbinfo->u_ocsp.server.file)
3f7eeb86 2148 {
7006ee24
JH
2149 SSL_CTX_set_tlsext_status_cb(ctx, tls_server_stapling_cb);
2150 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
3f7eeb86 2151 }
f5d78688 2152# endif
3f0945ff
PP
2153 /* We always do this, so that $tls_sni is available even if not used in
2154 tls_certificate */
7006ee24
JH
2155 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
2156 SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
3f0945ff 2157 }
f2de3a33 2158# ifndef DISABLE_OCSP
f5d78688
JH
2159else /* client */
2160 if(ocsp_file) /* wanting stapling */
2161 {
2162 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
2163 {
2164 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
2165 return FAIL;
2166 }
7006ee24
JH
2167 SSL_CTX_set_tlsext_status_cb(ctx, tls_client_stapling_cb);
2168 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
f5d78688
JH
2169 }
2170# endif
7be682ca 2171#endif
059ec3d9 2172
e51c7be2 2173cbinfo->verify_cert_hostnames = NULL;
e51c7be2 2174
c8dfb21d 2175#ifdef EXIM_HAVE_EPHEM_RSA_KEX
059ec3d9 2176/* Set up the RSA callback */
7006ee24 2177SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
c8dfb21d 2178#endif
059ec3d9 2179
b10c87b3
JH
2180/* Finally, set the session cache timeout, and we are done.
2181The period appears to be also used for (server-generated) session tickets */
059ec3d9 2182
7006ee24 2183SSL_CTX_set_timeout(ctx, ssl_session_timeout);
059ec3d9 2184DEBUG(D_tls) debug_printf("Initialized TLS\n");
7be682ca 2185
817d9f57 2186*cbp = cbinfo;
7006ee24 2187*ctxp = ctx;
7be682ca 2188
059ec3d9
PH
2189return OK;
2190}
2191
2192
2193
2194
2195/*************************************************
2196* Get name of cipher in use *
2197*************************************************/
2198
817d9f57 2199/*
059ec3d9 2200Argument: pointer to an SSL structure for the connection
817d9f57 2201 pointer to number of bits for cipher
f1be21cf 2202Returns: pointer to allocated string in perm-pool
059ec3d9
PH
2203*/
2204
f1be21cf
JH
2205static uschar *
2206construct_cipher_name(SSL * ssl, int * bits)
059ec3d9 2207{
f1be21cf 2208int pool = store_pool;
7a8b9519 2209/* With OpenSSL 1.0.0a, 'c' needs to be const but the documentation doesn't
57b3a7f5
PP
2210yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
2211the accessor functions use const in the prototype. */
059ec3d9 2212
7a8b9519
JH
2213const uschar * ver = CUS SSL_get_version(ssl);
2214const SSL_CIPHER * c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
f1be21cf 2215uschar * s;
059ec3d9 2216
817d9f57 2217SSL_CIPHER_get_bits(c, bits);
059ec3d9 2218
f1be21cf
JH
2219store_pool = POOL_PERM;
2220s = string_sprintf("%s:%s:%u", ver, SSL_CIPHER_get_name(c), *bits);
2221store_pool = pool;
2222DEBUG(D_tls) debug_printf("Cipher: %s\n", s);
2223return s;
2224}
2225
059ec3d9 2226
f1be21cf
JH
2227/* Get IETF-standard name for ciphersuite.
2228Argument: pointer to an SSL structure for the connection
2229Returns: pointer to string
2230*/
2231
2232static const uschar *
2233cipher_stdname_ssl(SSL * ssl)
2234{
2235#ifdef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
2236return CUS SSL_CIPHER_standard_name(SSL_get_current_cipher(ssl));
2237#else
2238ushort id = 0xffff & SSL_CIPHER_get_id(SSL_get_current_cipher(ssl));
2239return cipher_stdname(id >> 8, id & 0xff);
2240#endif
059ec3d9
PH
2241}
2242
2243
f69979cf 2244static void
70e384dd 2245peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned siz)
f69979cf
JH
2246{
2247/*XXX we might consider a list-of-certs variable for the cert chain.
2248SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
2249in list-handling functions, also consider the difference between the entire
2250chain and the elements sent by the peer. */
2251
70e384dd
JH
2252tlsp->peerdn = NULL;
2253
f69979cf
JH
2254/* Will have already noted peercert on a verify fail; possibly not the leaf */
2255if (!tlsp->peercert)
2256 tlsp->peercert = SSL_get_peer_certificate(ssl);
2257/* Beware anonymous ciphers which lead to server_cert being NULL */
2258if (tlsp->peercert)
70e384dd
JH
2259 if (!X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, siz))
2260 { DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n"); }
2261 else
2262 {
4a1bd6b9
JH
2263 int oldpool = store_pool;
2264
2265 peerdn[siz-1] = '\0'; /* paranoia */
2266 store_pool = POOL_PERM;
2267 tlsp->peerdn = string_copy(peerdn);
2268 store_pool = oldpool;
2269
2270 /* We used to set CV in the cert-verify callbacks (either plain or dane)
2271 but they don't get called on session-resumption. So use the official
2272 interface, which uses the resumed value. Unfortunately this claims verified
2273 when it actually failed but we're in try-verify mode, due to us wanting the
2274 knowlege that it failed so needing to have the callback and forcing a
2275 permissive return. If we don't force it, the TLS startup is failed.
f4e62a87
JH
2276 The extra bit of information is set in verify_override in the cb, stashed
2277 for resumption next to the TLS session, and used here. */
4a1bd6b9
JH
2278
2279 if (!tlsp->verify_override)
2280 tlsp->certificate_verified = SSL_get_verify_result(ssl) == X509_V_OK;
70e384dd 2281 }
f69979cf
JH
2282}
2283
2284
059ec3d9
PH
2285
2286
2287
2288/*************************************************
2289* Set up for verifying certificates *
2290*************************************************/
2291
0e8aed8a 2292#ifndef DISABLE_OCSP
c3033f13
JH
2293/* Load certs from file, return TRUE on success */
2294
2295static BOOL
2296chain_from_pem_file(const uschar * file, STACK_OF(X509) * verify_stack)
2297{
2298BIO * bp;
2299X509 * x;
2300
dec766a1
WB
2301while (sk_X509_num(verify_stack) > 0)
2302 X509_free(sk_X509_pop(verify_stack));
2303
c3033f13
JH
2304if (!(bp = BIO_new_file(CS file, "r"))) return FALSE;
2305while ((x = PEM_read_bio_X509(bp, NULL, 0, NULL)))
2306 sk_X509_push(verify_stack, x);
2307BIO_free(bp);
2308return TRUE;
2309}
0e8aed8a 2310#endif
c3033f13
JH
2311
2312
2313
dec766a1
WB
2314/* Called by both client and server startup; on the server possibly
2315repeated after a Server Name Indication.
059ec3d9
PH
2316
2317Arguments:
7be682ca 2318 sctx SSL_CTX* to initialise
059ec3d9
PH
2319 certs certs file or NULL
2320 crl CRL file or NULL
2321 host NULL in a server; the remote host in a client
2322 optional TRUE if called from a server for a host in tls_try_verify_hosts;
2323 otherwise passed as FALSE
983207c1 2324 cert_vfy_cb Callback function for certificate verification
cf0c6164 2325 errstr error string pointer
059ec3d9
PH
2326
2327Returns: OK/DEFER/FAIL
2328*/
2329
2330static int
983207c1 2331setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
cf0c6164 2332 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr)
059ec3d9
PH
2333{
2334uschar *expcerts, *expcrl;
2335
cf0c6164 2336if (!expand_check(certs, US"tls_verify_certificates", &expcerts, errstr))
059ec3d9 2337 return DEFER;
57cc2785 2338DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
059ec3d9 2339
10a831a3 2340if (expcerts && *expcerts)
059ec3d9 2341 {
10a831a3
JH
2342 /* Tell the library to use its compiled-in location for the system default
2343 CA bundle. Then add the ones specified in the config, if any. */
cb1d7830 2344
10a831a3 2345 if (!SSL_CTX_set_default_verify_paths(sctx))
cf0c6164 2346 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL, errstr);
10a831a3
JH
2347
2348 if (Ustrcmp(expcerts, "system") != 0)
059ec3d9 2349 {
cb1d7830
JH
2350 struct stat statbuf;
2351
cb1d7830
JH
2352 if (Ustat(expcerts, &statbuf) < 0)
2353 {
2354 log_write(0, LOG_MAIN|LOG_PANIC,
2355 "failed to stat %s for certificates", expcerts);
2356 return DEFER;
2357 }
059ec3d9 2358 else
059ec3d9 2359 {
cb1d7830
JH
2360 uschar *file, *dir;
2361 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
2362 { file = NULL; dir = expcerts; }
2363 else
c3033f13
JH
2364 {
2365 file = expcerts; dir = NULL;
2366#ifndef DISABLE_OCSP
2367 /* In the server if we will be offering an OCSP proof, load chain from
2368 file for verifying the OCSP proof at load time. */
2369
5b2fd993
JH
2370/*XXX Glitch! The file here is tls_verify_certs: the chain for verifying the client cert.
2371This is inconsistent with the need to verify the OCSP proof of the server cert.
2372*/
2373
c3033f13
JH
2374 if ( !host
2375 && statbuf.st_size > 0
2376 && server_static_cbinfo->u_ocsp.server.file
2377 && !chain_from_pem_file(file, server_static_cbinfo->verify_stack)
2378 )
2379 {
2380 log_write(0, LOG_MAIN|LOG_PANIC,
57887ecc 2381 "failed to load cert chain from %s", file);
c3033f13
JH
2382 return DEFER;
2383 }
2384#endif
2385 }
cb1d7830
JH
2386
2387 /* If a certificate file is empty, the next function fails with an
2388 unhelpful error message. If we skip it, we get the correct behaviour (no
2389 certificates are recognized, but the error message is still misleading (it
c3033f13 2390 says no certificate was supplied). But this is better. */
cb1d7830 2391
f2f2c91b
JH
2392 if ( (!file || statbuf.st_size > 0)
2393 && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
cf0c6164 2394 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL, errstr);
cb1d7830
JH
2395
2396 /* Load the list of CAs for which we will accept certs, for sending
2397 to the client. This is only for the one-file tls_verify_certificates
2398 variant.
d7978c0f
JH
2399 If a list isn't loaded into the server, but some verify locations are set,
2400 the server end appears to make a wildcard request for client certs.
10a831a3 2401 Meanwhile, the client library as default behaviour *ignores* the list
cb1d7830
JH
2402 we send over the wire - see man SSL_CTX_set_client_cert_cb.
2403 Because of this, and that the dir variant is likely only used for
d7978c0f
JH
2404 the public-CA bundle (not for a private CA), not worth fixing. */
2405
f2f2c91b 2406 if (file)
cb1d7830 2407 {
2009ecca 2408 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
dec766a1
WB
2409
2410 SSL_CTX_set_client_CA_list(sctx, names);
f2f2c91b 2411 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
cb1d7830 2412 sk_X509_NAME_num(names));
cb1d7830 2413 }
059ec3d9
PH
2414 }
2415 }
2416
2417 /* Handle a certificate revocation list. */
2418
10a831a3 2419#if OPENSSL_VERSION_NUMBER > 0x00907000L
059ec3d9 2420
8b417f2c 2421 /* This bit of code is now the version supplied by Lars Mainka. (I have
10a831a3 2422 merely reformatted it into the Exim code style.)
8b417f2c 2423
10a831a3
JH
2424 "From here I changed the code to add support for multiple crl's
2425 in pem format in one file or to support hashed directory entries in
2426 pem format instead of a file. This method now uses the library function
2427 X509_STORE_load_locations to add the CRL location to the SSL context.
2428 OpenSSL will then handle the verify against CA certs and CRLs by
2429 itself in the verify callback." */
8b417f2c 2430
cf0c6164 2431 if (!expand_check(crl, US"tls_crl", &expcrl, errstr)) return DEFER;
10a831a3 2432 if (expcrl && *expcrl)
059ec3d9 2433 {
8b417f2c
PH
2434 struct stat statbufcrl;
2435 if (Ustat(expcrl, &statbufcrl) < 0)
2436 {
2437 log_write(0, LOG_MAIN|LOG_PANIC,
2438 "failed to stat %s for certificates revocation lists", expcrl);
2439 return DEFER;
2440 }
2441 else
059ec3d9 2442 {
8b417f2c
PH
2443 /* is it a file or directory? */
2444 uschar *file, *dir;
7be682ca 2445 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
8b417f2c 2446 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
059ec3d9 2447 {
8b417f2c
PH
2448 file = NULL;
2449 dir = expcrl;
2450 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
059ec3d9
PH
2451 }
2452 else
2453 {
8b417f2c
PH
2454 file = expcrl;
2455 dir = NULL;
2456 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
059ec3d9 2457 }
8b417f2c 2458 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
cf0c6164 2459 return tls_error(US"X509_STORE_load_locations", host, NULL, errstr);
8b417f2c
PH
2460
2461 /* setting the flags to check against the complete crl chain */
2462
2463 X509_STORE_set_flags(cvstore,
2464 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
059ec3d9 2465 }
059ec3d9
PH
2466 }
2467
10a831a3 2468#endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
059ec3d9
PH
2469
2470 /* If verification is optional, don't fail if no certificate */
2471
7be682ca 2472 SSL_CTX_set_verify(sctx,
5a2a0989 2473 SSL_VERIFY_PEER | (optional ? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
983207c1 2474 cert_vfy_cb);
059ec3d9
PH
2475 }
2476
2477return OK;
2478}
2479
2480
2481
2482/*************************************************
2483* Start a TLS session in a server *
2484*************************************************/
2485
2486/* This is called when Exim is running as a server, after having received
2487the STARTTLS command. It must respond to that command, and then negotiate
2488a TLS session.
2489
2490Arguments:
2491 require_ciphers allowed ciphers
cf0c6164 2492 errstr pointer to error message
059ec3d9
PH
2493
2494Returns: OK on success
2495 DEFER for errors before the start of the negotiation
4c04137d 2496 FAIL for errors during the negotiation; the server can't
059ec3d9
PH
2497 continue running.
2498*/
2499
2500int
cf0c6164 2501tls_server_start(const uschar * require_ciphers, uschar ** errstr)
059ec3d9
PH
2502{
2503int rc;
cf0c6164
JH
2504uschar * expciphers;
2505tls_ext_ctx_cb * cbinfo;
f69979cf 2506static uschar peerdn[256];
059ec3d9
PH
2507
2508/* Check for previous activation */
2509
74f1a423 2510if (tls_in.active.sock >= 0)
059ec3d9 2511 {
cf0c6164 2512 tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
925ac8e4 2513 smtp_printf("554 Already in TLS\r\n", FALSE);
059ec3d9
PH
2514 return FAIL;
2515 }
2516
2517/* Initialize the SSL library. If it fails, it will already have logged
2518the error. */
2519
817d9f57 2520rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
f2de3a33 2521#ifndef DISABLE_OCSP
5b2fd993 2522 tls_ocsp_file,
3f7eeb86 2523#endif
b10c87b3 2524 NULL, &server_static_cbinfo, &tls_in, errstr);
059ec3d9 2525if (rc != OK) return rc;
817d9f57 2526cbinfo = server_static_cbinfo;
059ec3d9 2527
cf0c6164 2528if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers, errstr))
059ec3d9
PH
2529 return FAIL;
2530
2531/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
17c76198
PP
2532were historically separated by underscores. So that I can use either form in my
2533tests, and also for general convenience, we turn underscores into hyphens here.
0c3807a8
JH
2534
2535XXX SSL_CTX_set_cipher_list() is replaced by SSL_CTX_set_ciphersuites()
2536for TLS 1.3 . Since we do not call it at present we get the default list:
2537TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
17c76198 2538*/
059ec3d9 2539
c3033f13 2540if (expciphers)
059ec3d9 2541 {
b10c87b3 2542 for (uschar * s = expciphers; *s; s++ ) if (*s == '_') *s = '-';
059ec3d9 2543 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
817d9f57 2544 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
cf0c6164 2545 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL, errstr);
7be682ca 2546 cbinfo->server_cipher_list = expciphers;
059ec3d9
PH
2547 }
2548
2549/* If this is a host for which certificate verification is mandatory or
2550optional, set up appropriately. */
2551
817d9f57 2552tls_in.certificate_verified = FALSE;
c0635b6d 2553#ifdef SUPPORT_DANE
53a7196b
JH
2554tls_in.dane_verified = FALSE;
2555#endif
a2ff477a 2556server_verify_callback_called = FALSE;
059ec3d9
PH
2557
2558if (verify_check_host(&tls_verify_hosts) == OK)
2559 {
983207c1 2560 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
afdb5e9c 2561 FALSE, verify_callback_server, errstr);
059ec3d9 2562 if (rc != OK) return rc;
a2ff477a 2563 server_verify_optional = FALSE;
059ec3d9
PH
2564 }
2565else if (verify_check_host(&tls_try_verify_hosts) == OK)
2566 {
983207c1 2567 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
afdb5e9c 2568 TRUE, verify_callback_server, errstr);
059ec3d9 2569 if (rc != OK) return rc;
a2ff477a 2570 server_verify_optional = TRUE;
059ec3d9
PH
2571 }
2572
b10c87b3
JH
2573#ifdef EXPERIMENTAL_TLS_RESUME
2574SSL_CTX_set_tlsext_ticket_key_cb(server_ctx, ticket_key_callback);
2575/* despite working, appears to always return failure, so ignoring */
2576#endif
2577#ifdef OPENSSL_HAVE_NUM_TICKETS
2578# ifdef EXPERIMENTAL_TLS_RESUME
2579SSL_CTX_set_num_tickets(server_ctx, tls_in.host_resumable ? 1 : 0);
2580# else
2581SSL_CTX_set_num_tickets(server_ctx, 0); /* send no TLS1.3 stateful-tickets */
2582# endif
2583#endif
2584
2585
059ec3d9
PH
2586/* Prepare for new connection */
2587
cf0c6164
JH
2588if (!(server_ssl = SSL_new(server_ctx)))
2589 return tls_error(US"SSL_new", NULL, NULL, errstr);
da3ad30d
PP
2590
2591/* Warning: we used to SSL_clear(ssl) here, it was removed.
2592 *
2593 * With the SSL_clear(), we get strange interoperability bugs with
2594 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
2595 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
2596 *
2597 * The SSL_clear() call is to let an existing SSL* be reused, typically after
2598 * session shutdown. In this case, we have a brand new object and there's no
2599 * obvious reason to immediately clear it. I'm guessing that this was
2600 * originally added because of incomplete initialisation which the clear fixed,
2601 * in some historic release.
2602 */
059ec3d9
PH
2603
2604/* Set context and tell client to go ahead, except in the case of TLS startup
2605on connection, where outputting anything now upsets the clients and tends to
2606make them disconnect. We need to have an explicit fflush() here, to force out
2607the response. Other smtp_printf() calls do not need it, because in non-TLS
2608mode, the fflush() happens when smtp_getc() is called. */
2609
817d9f57
JH
2610SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
2611if (!tls_in.on_connect)
059ec3d9 2612 {
925ac8e4 2613 smtp_printf("220 TLS go ahead\r\n", FALSE);
059ec3d9
PH
2614 fflush(smtp_out);
2615 }
2616
2617/* Now negotiate the TLS session. We put our own timer on it, since it seems
2618that the OpenSSL library doesn't. */
2619
817d9f57
JH
2620SSL_set_wfd(server_ssl, fileno(smtp_out));
2621SSL_set_rfd(server_ssl, fileno(smtp_in));
2622SSL_set_accept_state(server_ssl);
059ec3d9
PH
2623
2624DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
2625
2626sigalrm_seen = FALSE;
c2a1bba0 2627if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
817d9f57 2628rc = SSL_accept(server_ssl);
c2a1bba0 2629ALARM_CLR(0);
059ec3d9
PH
2630
2631if (rc <= 0)
2632 {
cf0c6164 2633 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
059ec3d9
PH
2634 return FAIL;
2635 }
2636
2637DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
25fa0868 2638ERR_clear_error(); /* Even success can leave errors in the stack. Seen with
b10c87b3
JH
2639 anon-authentication ciphersuite negotiated. */
2640
2641#ifdef EXPERIMENTAL_TLS_RESUME
2642if (SSL_session_reused(server_ssl))
2643 {
2644 tls_in.resumption |= RESUME_USED;
2645 DEBUG(D_tls) debug_printf("Session reused\n");
2646 }
2647#endif
059ec3d9
PH
2648
2649/* TLS has been set up. Adjust the input functions to read via TLS,
2650and initialize things. */
2651
f69979cf
JH
2652peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
2653
f1be21cf
JH
2654tls_in.cipher = construct_cipher_name(server_ssl, &tls_in.bits);
2655tls_in.cipher_stdname = cipher_stdname_ssl(server_ssl);
2656
059ec3d9
PH
2657DEBUG(D_tls)
2658 {
2659 uschar buf[2048];
f1be21cf 2660 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)))
059ec3d9 2661 debug_printf("Shared ciphers: %s\n", buf);
f20cfa4a
JH
2662
2663#ifdef EXIM_HAVE_OPENSSL_KEYLOG
2664 {
10ed27e0 2665 BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
f20cfa4a 2666 SSL_SESSION_print_keylog(bp, SSL_get_session(server_ssl));
f20cfa4a
JH
2667 BIO_free(bp);
2668 }
2669#endif
b10c87b3
JH
2670
2671#ifdef EXIM_HAVE_SESSION_TICKET
2672 {
2673 SSL_SESSION * ss = SSL_get_session(server_ssl);
40618fb6 2674 if (SSL_SESSION_has_ticket(ss)) /* 1.1.0 */
b10c87b3
JH
2675 debug_printf("The session has a ticket, life %lu seconds\n",
2676 SSL_SESSION_get_ticket_lifetime_hint(ss));
2677 }
2678#endif
059ec3d9
PH
2679 }
2680
9d1c15ef
JH
2681/* Record the certificate we presented */
2682 {
2683 X509 * crt = SSL_get_certificate(server_ssl);
2684 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
2685 }
059ec3d9 2686
817d9f57
JH
2687/* Only used by the server-side tls (tls_in), including tls_getc.
2688 Client-side (tls_out) reads (seem to?) go via
2689 smtp_read_response()/ip_recv().
2690 Hence no need to duplicate for _in and _out.
2691 */
b808677c 2692if (!ssl_xfer_buffer) ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
059ec3d9 2693ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
8b77d27a 2694ssl_xfer_eof = ssl_xfer_error = FALSE;
059ec3d9
PH
2695
2696receive_getc = tls_getc;
0d81dabc 2697receive_getbuf = tls_getbuf;
584e96c6 2698receive_get_cache = tls_get_cache;
059ec3d9
PH
2699receive_ungetc = tls_ungetc;
2700receive_feof = tls_feof;
2701receive_ferror = tls_ferror;
58eb016e 2702receive_smtp_buffered = tls_smtp_buffered;
059ec3d9 2703
74f1a423
JH
2704tls_in.active.sock = fileno(smtp_out);
2705tls_in.active.tls_ctx = NULL; /* not using explicit ctx for server-side */
059ec3d9
PH
2706return OK;
2707}
2708
2709
2710
2711
043b1248
JH
2712static int
2713tls_client_basic_ctx_init(SSL_CTX * ctx,
cf0c6164
JH
2714 host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo,
2715 uschar ** errstr)
043b1248
JH
2716{
2717int rc;
94431adb 2718/* stick to the old behaviour for compatibility if tls_verify_certificates is
043b1248
JH
2719 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
2720 the specified host patterns if one of them is defined */
2721
610ff438
JH
2722if ( ( !ob->tls_verify_hosts
2723 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2724 )
3c07dd2d 2725 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
aa2a70ba 2726 )
043b1248 2727 client_verify_optional = FALSE;
3c07dd2d 2728else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
aa2a70ba
JH
2729 client_verify_optional = TRUE;
2730else
2731 return OK;
2732
2733if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
cf0c6164
JH
2734 ob->tls_crl, host, client_verify_optional, verify_callback_client,
2735 errstr)) != OK)
aa2a70ba 2736 return rc;
043b1248 2737
3c07dd2d 2738if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
043b1248 2739 {
4af0d74a 2740 cbinfo->verify_cert_hostnames =
8c5d388a 2741#ifdef SUPPORT_I18N
4af0d74a
JH
2742 string_domain_utf8_to_alabel(host->name, NULL);
2743#else
2744 host->name;
2745#endif
aa2a70ba
JH
2746 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
2747 cbinfo->verify_cert_hostnames);
043b1248 2748 }
043b1248
JH
2749return OK;
2750}
059ec3d9 2751
fde080a4 2752
c0635b6d 2753#ifdef SUPPORT_DANE
fde080a4 2754static int
cf0c6164 2755dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa, uschar ** errstr)
fde080a4 2756{
fde080a4
JH
2757dns_scan dnss;
2758const char * hostnames[2] = { CS host->name, NULL };
2759int found = 0;
2760
2761if (DANESSL_init(ssl, NULL, hostnames) != 1)
cf0c6164 2762 return tls_error(US"hostnames load", host, NULL, errstr);
fde080a4 2763
d7978c0f 2764for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
fde080a4 2765 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
1b76ad22 2766 ) if (rr->type == T_TLSA && rr->size > 3)
fde080a4 2767 {
c3033f13 2768 const uschar * p = rr->data;
fde080a4
JH
2769 uint8_t usage, selector, mtype;
2770 const char * mdname;
2771
fde080a4 2772 usage = *p++;
133d2546
JH
2773
2774 /* Only DANE-TA(2) and DANE-EE(3) are supported */
2775 if (usage != 2 && usage != 3) continue;
2776
fde080a4
JH
2777 selector = *p++;
2778 mtype = *p++;
2779
2780 switch (mtype)
2781 {
133d2546
JH
2782 default: continue; /* Only match-types 0, 1, 2 are supported */
2783 case 0: mdname = NULL; break;
2784 case 1: mdname = "sha256"; break;
2785 case 2: mdname = "sha512"; break;
fde080a4
JH
2786 }
2787
133d2546 2788 found++;
fde080a4
JH
2789 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
2790 {
2791 default:
cf0c6164 2792 return tls_error(US"tlsa load", host, NULL, errstr);
c035b645 2793 case 0: /* action not taken */
fde080a4
JH
2794 case 1: break;
2795 }
594706ea
JH
2796
2797 tls_out.tlsa_usage |= 1<<usage;
fde080a4
JH
2798 }
2799
2800if (found)
2801 return OK;
2802
133d2546 2803log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
6ebd79ec 2804return DEFER;
fde080a4 2805}
c0635b6d 2806#endif /*SUPPORT_DANE*/
fde080a4
JH
2807
2808
2809
b10c87b3
JH
2810#ifdef EXPERIMENTAL_TLS_RESUME
2811/* On the client, get any stashed session for the given IP from hints db
2812and apply it to the ssl-connection for attempted resumption. */
2813
2814static void
2815tls_retrieve_session(tls_support * tlsp, SSL * ssl, const uschar * key)
2816{
2817tlsp->resumption |= RESUME_SUPPORTED;
2818if (tlsp->host_resumable)
2819 {
2820 dbdata_tls_session * dt;
2821 int len;
2822 open_db dbblock, * dbm_file;
2823
2824 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
2825 DEBUG(D_tls) debug_printf("checking for resumable session for %s\n", key);
2826 if ((dbm_file = dbfn_open(US"tls", O_RDONLY, &dbblock, FALSE, FALSE)))
2827 {
2828 /* key for the db is the IP */
2829 if ((dt = dbfn_read_with_length(dbm_file, key, &len)))
2830 {
2831 SSL_SESSION * ss = NULL;
2832 const uschar * sess_asn1 = dt->session;
2833
2834 len -= sizeof(dbdata_tls_session);
2835 if (!(d2i_SSL_SESSION(&ss, &sess_asn1, (long)len)))
2836 {
2837 DEBUG(D_tls)
2838 {
2839 ERR_error_string_n(ERR_get_error(),
2840 ssl_errstring, sizeof(ssl_errstring));
2841 debug_printf("decoding session: %s\n", ssl_errstring);
2842 }
2843 }
a775dd1d 2844#ifdef EXIM_HAVE_SESSION_TICKET
4f1d23a1
JH
2845 else if ( SSL_SESSION_get_ticket_lifetime_hint(ss) + dt->time_stamp
2846 < time(NULL))
2847 {
2848 DEBUG(D_tls) debug_printf("session expired\n");
2849 dbfn_delete(dbm_file, key);
2850 }
a775dd1d 2851#endif
b10c87b3
JH
2852 else if (!SSL_set_session(ssl, ss))
2853 {
2854 DEBUG(D_tls)
2855 {
2856 ERR_error_string_n(ERR_get_error(),
2857 ssl_errstring, sizeof(ssl_errstring));
2858 debug_printf("applying session to ssl: %s\n", ssl_errstring);
2859 }
2860 }
2861 else
2862 {
2863 DEBUG(D_tls) debug_printf("good session\n");
2864 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
f4e62a87 2865 tlsp->verify_override = dt->verify_override;
c82de233 2866 tlsp->ocsp = dt->ocsp;
b10c87b3
JH
2867 }
2868 }
2869 else
2870 DEBUG(D_tls) debug_printf("no session record\n");
2871 dbfn_close(dbm_file);
2872 }
2873 }
2874}
2875
2876
2877/* On the client, save the session for later resumption */
2878
2879static int
2880tls_save_session_cb(SSL * ssl, SSL_SESSION * ss)
2881{
2882tls_ext_ctx_cb * cbinfo = SSL_get_ex_data(ssl, tls_exdata_idx);
2883tls_support * tlsp;
2884
2885DEBUG(D_tls) debug_printf("tls_save_session_cb\n");
2886
2887if (!cbinfo || !(tlsp = cbinfo->tlsp)->host_resumable) return 0;
2888
40618fb6
JH
2889# ifdef OPENSSL_HAVE_NUM_TICKETS
2890if (SSL_SESSION_is_resumable(ss)) /* 1.1.1 */
2891# endif
b10c87b3
JH
2892 {
2893 int len = i2d_SSL_SESSION(ss, NULL);
2894 int dlen = sizeof(dbdata_tls_session) + len;
f3ebb786 2895 dbdata_tls_session * dt = store_get(dlen, TRUE);
b10c87b3
JH
2896 uschar * s = dt->session;
2897 open_db dbblock, * dbm_file;
2898
2899 DEBUG(D_tls) debug_printf("session is resumable\n");
2900 tlsp->resumption |= RESUME_SERVER_TICKET; /* server gave us a ticket */
2901
f4e62a87 2902 dt->verify_override = tlsp->verify_override;
c82de233 2903 dt->ocsp = tlsp->ocsp;
f4e62a87 2904 (void) i2d_SSL_SESSION(ss, &s); /* s gets bumped to end */
b10c87b3
JH
2905
2906 if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
2907 {
2908 const uschar * key = cbinfo->host->address;
2909 dbfn_delete(dbm_file, key);
2910 dbfn_write(dbm_file, key, dt, dlen);
2911 dbfn_close(dbm_file);
2912 DEBUG(D_tls) debug_printf("wrote session (len %u) to db\n",
2913 (unsigned)dlen);
2914 }
2915 }
b10c87b3
JH
2916return 1;
2917}
2918
2919
2920static void
2921tls_client_ctx_resume_prehandshake(
2922 exim_openssl_client_tls_ctx * exim_client_ctx, tls_support * tlsp,
2923 smtp_transport_options_block * ob, host_item * host)
2924{
2925/* Should the client request a session resumption ticket? */
2926if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, host) == OK)
2927 {
2928 tlsp->host_resumable = TRUE;
2929
2930 SSL_CTX_set_session_cache_mode(exim_client_ctx->ctx,
2931 SSL_SESS_CACHE_CLIENT
2932 | SSL_SESS_CACHE_NO_INTERNAL | SSL_SESS_CACHE_NO_AUTO_CLEAR);
2933 SSL_CTX_sess_set_new_cb(exim_client_ctx->ctx, tls_save_session_cb);
2934 }
2935}
2936
2937static BOOL
2938tls_client_ssl_resume_prehandshake(SSL * ssl, tls_support * tlsp,
2939 host_item * host, uschar ** errstr)
2940{
2941if (tlsp->host_resumable)
2942 {
2943 DEBUG(D_tls)
2944 debug_printf("tls_resumption_hosts overrides openssl_options, enabling tickets\n");
2945 SSL_clear_options(ssl, SSL_OP_NO_TICKET);
2946
2947 tls_exdata_idx = SSL_get_ex_new_index(0, 0, 0, 0, 0);
2948 if (!SSL_set_ex_data(ssl, tls_exdata_idx, client_static_cbinfo))
2949 {
2950 tls_error(US"set ex_data", host, NULL, errstr);
2951 return FALSE;
2952 }
2953 debug_printf("tls_exdata_idx %d cbinfo %p\n", tls_exdata_idx, client_static_cbinfo);
2954 }
2955
2956tlsp->resumption = RESUME_SUPPORTED;
2957/* Pick up a previous session, saved on an old ticket */
2958tls_retrieve_session(tlsp, ssl, host->address);
2959return TRUE;
2960}
2961
2962static void
2963tls_client_resume_posthandshake(exim_openssl_client_tls_ctx * exim_client_ctx,
2964 tls_support * tlsp)
2965{
2966if (SSL_session_reused(exim_client_ctx->ssl))
2967 {
2968 DEBUG(D_tls) debug_printf("The session was reused\n");
2969 tlsp->resumption |= RESUME_USED;
2970 }
2971}
2972#endif /* EXPERIMENTAL_TLS_RESUME */
2973
2974
059ec3d9
PH
2975/*************************************************
2976* Start a TLS session in a client *
2977*************************************************/
2978
2979/* Called from the smtp transport after STARTTLS has been accepted.
2980
c05bdbd6
JH
2981Arguments:
2982 cctx connection context
2983 conn_args connection details
2984 cookie datum for randomness; can be NULL
2985 tlsp record details of TLS channel configuration here; must be non-NULL
2986 errstr error string pointer
2987
2988Returns: TRUE for success with TLS session context set in connection context,
2989 FALSE on error
059ec3d9
PH
2990*/
2991
c05bdbd6
JH
2992BOOL
2993tls_client_start(client_conn_ctx * cctx, smtp_connect_args * conn_args,
2994 void * cookie, tls_support * tlsp, uschar ** errstr)
059ec3d9 2995{
c05bdbd6
JH
2996host_item * host = conn_args->host; /* for msgs and option-tests */
2997transport_instance * tb = conn_args->tblock; /* always smtp or NULL */
afdb5e9c
JH
2998smtp_transport_options_block * ob = tb
2999 ? (smtp_transport_options_block *)tb->options_block
3000 : &smtp_transport_option_defaults;
74f1a423 3001exim_openssl_client_tls_ctx * exim_client_ctx;
868f5672 3002uschar * expciphers;
059ec3d9 3003int rc;
c05bdbd6 3004static uschar peerdn[256];
043b1248
JH
3005
3006#ifndef DISABLE_OCSP
043b1248 3007BOOL request_ocsp = FALSE;
6634ac8d 3008BOOL require_ocsp = FALSE;
043b1248 3009#endif
043b1248 3010
74f1a423
JH
3011rc = store_pool;
3012store_pool = POOL_PERM;
f3ebb786 3013exim_client_ctx = store_get(sizeof(exim_openssl_client_tls_ctx), FALSE);
c09dbcfb 3014exim_client_ctx->corked = NULL;
74f1a423
JH
3015store_pool = rc;
3016
c0635b6d 3017#ifdef SUPPORT_DANE
74f1a423 3018tlsp->tlsa_usage = 0;
043b1248
JH
3019#endif
3020
f2de3a33 3021#ifndef DISABLE_OCSP
043b1248 3022 {
c0635b6d 3023# ifdef SUPPORT_DANE
c05bdbd6 3024 if ( conn_args->dane
4f59c424
JH
3025 && ob->hosts_request_ocsp[0] == '*'
3026 && ob->hosts_request_ocsp[1] == '\0'
3027 )
3028 {
3029 /* Unchanged from default. Use a safer one under DANE */
3030 request_ocsp = TRUE;
3031 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
3032 " {= {4}{$tls_out_tlsa_usage}} } "
3033 " {*}{}}";
3034 }
3035# endif
3036
5130845b 3037 if ((require_ocsp =
3c07dd2d 3038 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK))
fca41d5a
JH
3039 request_ocsp = TRUE;
3040 else
c0635b6d 3041# ifdef SUPPORT_DANE
4f59c424 3042 if (!request_ocsp)
fca41d5a 3043# endif
5130845b 3044 request_ocsp =
3c07dd2d 3045 verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
043b1248 3046 }
f5d78688 3047#endif
059ec3d9 3048
74f1a423 3049rc = tls_init(&exim_client_ctx->ctx, host, NULL,
65867078 3050 ob->tls_certificate, ob->tls_privatekey,
f2de3a33 3051#ifndef DISABLE_OCSP
44662487 3052 (void *)(long)request_ocsp,
3f7eeb86 3053#endif
b10c87b3 3054 cookie, &client_static_cbinfo, tlsp, errstr);
c05bdbd6 3055if (rc != OK) return FALSE;
059ec3d9 3056
74f1a423 3057tlsp->certificate_verified = FALSE;
a2ff477a 3058client_verify_callback_called = FALSE;
059ec3d9 3059
5ec37a55
PP
3060expciphers = NULL;
3061#ifdef SUPPORT_DANE
c05bdbd6 3062if (conn_args->dane)
5ec37a55
PP
3063 {
3064 /* We fall back to tls_require_ciphers if unset, empty or forced failure, but
3065 other failures should be treated as problems. */
3066 if (ob->dane_require_tls_ciphers &&
3067 !expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
3068 &expciphers, errstr))
c05bdbd6 3069 return FALSE;
5ec37a55
PP
3070 if (expciphers && *expciphers == '\0')
3071 expciphers = NULL;
3072 }
3073#endif
3074if (!expciphers &&
3075 !expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
3076 &expciphers, errstr))
c05bdbd6 3077 return FALSE;
059ec3d9
PH
3078
3079/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
3080are separated by underscores. So that I can use either form in my tests, and
3081also for general convenience, we turn underscores into hyphens here. */
3082
cf0c6164 3083if (expciphers)
059ec3d9
PH
3084 {
3085 uschar *s = expciphers;
cf0c6164 3086 while (*s) { if (*s == '_') *s = '-'; s++; }
059ec3d9 3087 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
74f1a423
JH
3088 if (!SSL_CTX_set_cipher_list(exim_client_ctx->ctx, CS expciphers))
3089 {
3090 tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr);
c05bdbd6 3091 return FALSE;
74f1a423 3092 }
059ec3d9
PH
3093 }
3094
c0635b6d 3095#ifdef SUPPORT_DANE
c05bdbd6 3096if (conn_args->dane)
a63be306 3097 {
74f1a423 3098 SSL_CTX_set_verify(exim_client_ctx->ctx,
02af313d
JH
3099 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
3100 verify_callback_client_dane);
e5cccda9 3101
043b1248 3102 if (!DANESSL_library_init())
74f1a423
JH
3103 {
3104 tls_error(US"library init", host, NULL, errstr);
c05bdbd6 3105 return FALSE;
74f1a423
JH
3106 }
3107 if (DANESSL_CTX_init(exim_client_ctx->ctx) <= 0)
3108 {
3109 tls_error(US"context init", host, NULL, errstr);
c05bdbd6 3110 return FALSE;
74f1a423 3111 }
043b1248
JH
3112 }
3113else
e51c7be2 3114
043b1248
JH
3115#endif
3116
74f1a423
JH
3117 if (tls_client_basic_ctx_init(exim_client_ctx->ctx, host, ob,
3118 client_static_cbinfo, errstr) != OK)
c05bdbd6 3119 return FALSE;
059ec3d9 3120
b10c87b3
JH
3121#ifdef EXPERIMENTAL_TLS_RESUME
3122tls_client_ctx_resume_prehandshake(exim_client_ctx, tlsp, ob, host);
3123#endif
3124
3125
74f1a423
JH
3126if (!(exim_client_ctx->ssl = SSL_new(exim_client_ctx->ctx)))
3127 {
3128 tls_error(US"SSL_new", host, NULL, errstr);
c05bdbd6 3129 return FALSE;
74f1a423
JH
3130 }
3131SSL_set_session_id_context(exim_client_ctx->ssl, sid_ctx, Ustrlen(sid_ctx));
b10c87b3 3132
c05bdbd6 3133SSL_set_fd(exim_client_ctx->ssl, cctx->sock);
74f1a423 3134SSL_set_connect_state(exim_client_ctx->ssl);
059ec3d9 3135
65867078 3136if (ob->tls_sni)
3f0945ff 3137 {
74f1a423 3138 if (!expand_check(ob->tls_sni, US"tls_sni", &tlsp->sni, errstr))
c05bdbd6 3139 return FALSE;
74f1a423 3140 if (!tlsp->sni)
2c9a0e86
PP
3141 {
3142 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
3143 }
74f1a423
JH
3144 else if (!Ustrlen(tlsp->sni))
3145 tlsp->sni = NULL;
3f0945ff
PP
3146 else
3147 {
35731706 3148#ifdef EXIM_HAVE_OPENSSL_TLSEXT
74f1a423
JH
3149 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tlsp->sni);
3150 SSL_set_tlsext_host_name(exim_client_ctx->ssl, tlsp->sni);
35731706 3151#else
66802652 3152 log_write(0, LOG_MAIN, "SNI unusable with this OpenSSL library version; ignoring \"%s\"\n",
74f1a423 3153 tlsp->sni);
35731706 3154#endif
3f0945ff
PP
3155 }
3156 }
3157
c0635b6d 3158#ifdef SUPPORT_DANE
c05bdbd6
JH
3159if (conn_args->dane)
3160 if (dane_tlsa_load(exim_client_ctx->ssl, host, &conn_args->tlsa_dnsa, errstr) != OK)
3161 return FALSE;
594706ea
JH
3162#endif
3163
f2de3a33 3164#ifndef DISABLE_OCSP
f5d78688
JH
3165/* Request certificate status at connection-time. If the server
3166does OCSP stapling we will get the callback (set in tls_init()) */
c0635b6d 3167# ifdef SUPPORT_DANE
44662487
JH
3168if (request_ocsp)
3169 {
594706ea 3170 const uschar * s;
41afb5cb
JH
3171 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
3172 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
594706ea
JH
3173 )
3174 { /* Re-eval now $tls_out_tlsa_usage is populated. If
3175 this means we avoid the OCSP request, we wasted the setup
3176 cost in tls_init(). */
3c07dd2d 3177 require_ocsp = verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
5130845b 3178 request_ocsp = require_ocsp
3c07dd2d 3179 || verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
594706ea
JH
3180 }
3181 }
b50c8b84
JH
3182# endif
3183
594706ea
JH
3184if (request_ocsp)
3185 {
74f1a423 3186 SSL_set_tlsext_status_type(exim_client_ctx->ssl, TLSEXT_STATUSTYPE_ocsp);
44662487 3187 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
74f1a423 3188 tlsp->ocsp = OCSP_NOT_RESP;
44662487 3189 }
f5d78688
JH
3190#endif
3191
c82de233
JH
3192#ifdef EXPERIMENTAL_TLS_RESUME
3193if (!tls_client_ssl_resume_prehandshake(exim_client_ctx->ssl, tlsp, host,
3194 errstr))
3195 return FALSE;
3196#endif
3197
0cbf2b82 3198#ifndef DISABLE_EVENT
afdb5e9c 3199client_static_cbinfo->event_action = tb ? tb->event_action : NULL;
a7538db1 3200#endif
043b1248 3201
059ec3d9
PH
3202/* There doesn't seem to be a built-in timeout on connection. */
3203
3204DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
3205sigalrm_seen = FALSE;
c2a1bba0 3206ALARM(ob->command_timeout);
74f1a423 3207rc = SSL_connect(exim_client_ctx->ssl);
c2a1bba0 3208ALARM_CLR(0);
059ec3d9 3209
c0635b6d 3210#ifdef SUPPORT_DANE
c05bdbd6 3211if (conn_args->dane)
74f1a423 3212 DANESSL_cleanup(exim_client_ctx->ssl);
043b1248
JH
3213#endif
3214
059ec3d9 3215if (rc <= 0)
74f1a423
JH
3216 {
3217 tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL, errstr);
c05bdbd6 3218 return FALSE;
74f1a423 3219 }
059ec3d9 3220
f20cfa4a
JH
3221DEBUG(D_tls)
3222 {
3223 debug_printf("SSL_connect succeeded\n");
3224#ifdef EXIM_HAVE_OPENSSL_KEYLOG
3225 {
10ed27e0
JH
3226 BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
3227 SSL_SESSION_print_keylog(bp, SSL_get_session(exim_client_ctx->ssl));
3228 BIO_free(bp);
f20cfa4a
JH
3229 }
3230#endif
3231 }
059ec3d9 3232
b10c87b3
JH
3233#ifdef EXPERIMENTAL_TLS_RESUME
3234tls_client_resume_posthandshake(exim_client_ctx, tlsp);
3235#endif
3236
74f1a423 3237peer_cert(exim_client_ctx->ssl, tlsp, peerdn, sizeof(peerdn));
059ec3d9 3238
f1be21cf
JH
3239tlsp->cipher = construct_cipher_name(exim_client_ctx->ssl, &tlsp->bits);
3240tlsp->cipher_stdname = cipher_stdname_ssl(exim_client_ctx->ssl);
059ec3d9 3241
9d1c15ef
JH
3242/* Record the certificate we presented */
3243 {
74f1a423
JH
3244 X509 * crt = SSL_get_certificate(exim_client_ctx->ssl);
3245 tlsp->ourcert = crt ? X509_dup(crt) : NULL;
9d1c15ef
JH
3246 }
3247
c05bdbd6 3248tlsp->active.sock = cctx->sock;
74f1a423 3249tlsp->active.tls_ctx = exim_client_ctx;
c05bdbd6
JH
3250cctx->tls_ctx = exim_client_ctx;
3251return TRUE;
059ec3d9
PH
3252}
3253
3254
3255
3256
3257
0d81dabc
JH
3258static BOOL
3259tls_refill(unsigned lim)
3260{
3261int error;
3262int inbytes;
3263
3264DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
3265 ssl_xfer_buffer, ssl_xfer_buffer_size);
3266
c2a1bba0 3267if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
0d81dabc
JH
3268inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer,
3269 MIN(ssl_xfer_buffer_size, lim));
3270error = SSL_get_error(server_ssl, inbytes);
c2a1bba0 3271if (smtp_receive_timeout > 0) ALARM_CLR(0);
9723f966
JH
3272
3273if (had_command_timeout) /* set by signal handler */
3274 smtp_command_timeout_exit(); /* does not return */
3275if (had_command_sigterm)
3276 smtp_command_sigterm_exit();
3277if (had_data_timeout)
3278 smtp_data_timeout_exit();
3279if (had_data_sigint)
3280 smtp_data_sigint_exit();
0d81dabc
JH
3281
3282/* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
3283closed down, not that the socket itself has been closed down. Revert to
3284non-SSL handling. */
3285
74f1a423 3286switch(error)
0d81dabc 3287 {
74f1a423
JH
3288 case SSL_ERROR_NONE:
3289 break;
3290
3291 case SSL_ERROR_ZERO_RETURN:
3292 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
0d81dabc 3293
74f1a423
JH
3294 if (SSL_get_shutdown(server_ssl) == SSL_RECEIVED_SHUTDOWN)
3295 SSL_shutdown(server_ssl);
dec766a1 3296
bd231acd 3297 tls_close(NULL, TLS_NO_SHUTDOWN);
74f1a423 3298 return FALSE;
0d81dabc 3299
74f1a423
JH
3300 /* Handle genuine errors */
3301 case SSL_ERROR_SSL:
0abc5a13 3302 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
74f1a423
JH
3303 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
3304 ssl_xfer_error = TRUE;
3305 return FALSE;
0d81dabc 3306
74f1a423
JH
3307 default:
3308