Merge remote-tracking branch 'exim_github/pr/16'
[exim.git] / src / src / tls-openssl.c
CommitLineData
059ec3d9
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
5a66c31b 5/* Copyright (c) University of Cambridge 1995 - 2014 */
059ec3d9
PH
6/* See the file NOTICE for conditions of use and distribution. */
7
f5d78688
JH
8/* Portions Copyright (c) The OpenSSL Project 1999 */
9
059ec3d9
PH
10/* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11library. It is #included into the tls.c file when that library is used. The
12code herein is based on a patch that was originally contributed by Steve
13Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
14
15No cryptographic code is included in Exim. All this module does is to call
16functions from the OpenSSL library. */
17
18
19/* Heading stuff */
20
21#include <openssl/lhash.h>
22#include <openssl/ssl.h>
23#include <openssl/err.h>
24#include <openssl/rand.h>
f2de3a33 25#ifndef DISABLE_OCSP
e51c7be2 26# include <openssl/ocsp.h>
3f7eeb86
PP
27#endif
28
f2de3a33
JH
29#ifndef DISABLE_OCSP
30# define EXIM_OCSP_SKEW_SECONDS (300L)
31# define EXIM_OCSP_MAX_AGE (-1L)
3f7eeb86 32#endif
059ec3d9 33
3bcbbbe2 34#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
e51c7be2 35# define EXIM_HAVE_OPENSSL_TLSEXT
3bcbbbe2
PP
36#endif
37
67791ce4
JH
38#if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
39# warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
40# define DISABLE_OCSP
41#endif
42
059ec3d9
PH
43/* Structure for collecting random data for seeding. */
44
45typedef struct randstuff {
9e3331ea
TK
46 struct timeval tv;
47 pid_t p;
059ec3d9
PH
48} randstuff;
49
50/* Local static variables */
51
a2ff477a
JH
52static BOOL client_verify_callback_called = FALSE;
53static BOOL server_verify_callback_called = FALSE;
059ec3d9
PH
54static const uschar *sid_ctx = US"exim";
55
d4f09789
PP
56/* We have three different contexts to care about.
57
58Simple case: client, `client_ctx`
59 As a client, we can be doing a callout or cut-through delivery while receiving
60 a message. So we have a client context, which should have options initialised
61 from the SMTP Transport.
62
63Server:
64 There are two cases: with and without ServerNameIndication from the client.
65 Given TLS SNI, we can be using different keys, certs and various other
66 configuration settings, because they're re-expanded with $tls_sni set. This
67 allows vhosting with TLS. This SNI is sent in the handshake.
68 A client might not send SNI, so we need a fallback, and an initial setup too.
69 So as a server, we start out using `server_ctx`.
70 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
71 `server_sni` from `server_ctx` and then initialise settings by re-expanding
72 configuration.
73*/
74
817d9f57
JH
75static SSL_CTX *client_ctx = NULL;
76static SSL_CTX *server_ctx = NULL;
77static SSL *client_ssl = NULL;
78static SSL *server_ssl = NULL;
389ca47a 79
35731706 80#ifdef EXIM_HAVE_OPENSSL_TLSEXT
817d9f57 81static SSL_CTX *server_sni = NULL;
35731706 82#endif
059ec3d9
PH
83
84static char ssl_errstring[256];
85
86static int ssl_session_timeout = 200;
a2ff477a
JH
87static BOOL client_verify_optional = FALSE;
88static BOOL server_verify_optional = FALSE;
059ec3d9 89
f5d78688 90static BOOL reexpand_tls_files_for_sni = FALSE;
059ec3d9
PH
91
92
7be682ca
PP
93typedef struct tls_ext_ctx_cb {
94 uschar *certificate;
95 uschar *privatekey;
f2de3a33 96#ifndef DISABLE_OCSP
f5d78688
JH
97 BOOL is_server;
98 union {
99 struct {
100 uschar *file;
101 uschar *file_expanded;
102 OCSP_RESPONSE *response;
103 } server;
104 struct {
44662487
JH
105 X509_STORE *verify_store; /* non-null if status requested */
106 BOOL verify_required;
f5d78688
JH
107 } client;
108 } u_ocsp;
3f7eeb86 109#endif
7be682ca
PP
110 uschar *dhparam;
111 /* these are cached from first expand */
112 uschar *server_cipher_list;
113 /* only passed down to tls_error: */
114 host_item *host;
e51c7be2
JH
115
116#ifdef EXPERIMENTAL_CERTNAMES
117 uschar * verify_cert_hostnames;
118#endif
7be682ca
PP
119} tls_ext_ctx_cb;
120
121/* should figure out a cleanup of API to handle state preserved per
122implementation, for various reasons, which can be void * in the APIs.
123For now, we hack around it. */
817d9f57
JH
124tls_ext_ctx_cb *client_static_cbinfo = NULL;
125tls_ext_ctx_cb *server_static_cbinfo = NULL;
7be682ca
PP
126
127static int
983207c1
JH
128setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
129 int (*cert_vfy_cb)(int, X509_STORE_CTX *) );
059ec3d9 130
3f7eeb86 131/* Callbacks */
3bcbbbe2 132#ifdef EXIM_HAVE_OPENSSL_TLSEXT
3f7eeb86 133static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
3bcbbbe2 134#endif
f2de3a33 135#ifndef DISABLE_OCSP
f5d78688 136static int tls_server_stapling_cb(SSL *s, void *arg);
3f7eeb86
PP
137#endif
138
059ec3d9
PH
139
140/*************************************************
141* Handle TLS error *
142*************************************************/
143
144/* Called from lots of places when errors occur before actually starting to do
145the TLS handshake, that is, while the session is still in clear. Always returns
146DEFER for a server and FAIL for a client so that most calls can use "return
147tls_error(...)" to do this processing and then give an appropriate return. A
148single function is used for both server and client, because it is called from
149some shared functions.
150
151Argument:
152 prefix text to include in the logged error
153 host NULL if setting up a server;
154 the connected host if setting up a client
7199e1ee 155 msg error message or NULL if we should ask OpenSSL
059ec3d9
PH
156
157Returns: OK/DEFER/FAIL
158*/
159
160static int
7199e1ee 161tls_error(uschar *prefix, host_item *host, uschar *msg)
059ec3d9 162{
7199e1ee
TF
163if (msg == NULL)
164 {
165 ERR_error_string(ERR_get_error(), ssl_errstring);
5ca6d115 166 msg = (uschar *)ssl_errstring;
7199e1ee
TF
167 }
168
059ec3d9
PH
169if (host == NULL)
170 {
7199e1ee 171 uschar *conn_info = smtp_get_connection_info();
5ca6d115 172 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0)
7199e1ee
TF
173 conn_info += 5;
174 log_write(0, LOG_MAIN, "TLS error on %s (%s): %s",
175 conn_info, prefix, msg);
059ec3d9
PH
176 return DEFER;
177 }
178else
179 {
180 log_write(0, LOG_MAIN, "TLS error on connection to %s [%s] (%s): %s",
7199e1ee 181 host->name, host->address, prefix, msg);
059ec3d9
PH
182 return FAIL;
183 }
184}
185
186
187
188/*************************************************
189* Callback to generate RSA key *
190*************************************************/
191
192/*
193Arguments:
194 s SSL connection
195 export not used
196 keylength keylength
197
198Returns: pointer to generated key
199*/
200
201static RSA *
202rsa_callback(SSL *s, int export, int keylength)
203{
204RSA *rsa_key;
205export = export; /* Shut picky compilers up */
206DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
207rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL);
208if (rsa_key == NULL)
209 {
210 ERR_error_string(ERR_get_error(), ssl_errstring);
211 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
212 ssl_errstring);
213 return NULL;
214 }
215return rsa_key;
216}
217
218
219
f5d78688 220/* Extreme debug
f2de3a33 221#ifndef DISABLE_OCSP
f5d78688
JH
222void
223x509_store_dump_cert_s_names(X509_STORE * store)
224{
225STACK_OF(X509_OBJECT) * roots= store->objs;
226int i;
227static uschar name[256];
228
229for(i= 0; i<sk_X509_OBJECT_num(roots); i++)
230 {
231 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
232 if(tmp_obj->type == X509_LU_X509)
233 {
234 X509 * current_cert= tmp_obj->data.x509;
235 X509_NAME_oneline(X509_get_subject_name(current_cert), CS name, sizeof(name));
236 debug_printf(" %s\n", name);
237 }
238 }
239}
240#endif
241*/
242
059ec3d9
PH
243
244/*************************************************
245* Callback for verification *
246*************************************************/
247
248/* The SSL library does certificate verification if set up to do so. This
249callback has the current yes/no state is in "state". If verification succeeded,
250we set up the tls_peerdn string. If verification failed, what happens depends
251on whether the client is required to present a verifiable certificate or not.
252
253If verification is optional, we change the state to yes, but still log the
254verification error. For some reason (it really would help to have proper
255documentation of OpenSSL), this callback function then gets called again, this
256time with state = 1. In fact, that's useful, because we can set up the peerdn
257value, but we must take care not to set the private verified flag on the second
258time through.
259
260Note: this function is not called if the client fails to present a certificate
261when asked. We get here only if a certificate has been received. Handling of
262optional verification for this case is done when requesting SSL to verify, by
263setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
264
265Arguments:
266 state current yes/no state as 1/0
267 x509ctx certificate information.
a2ff477a 268 client TRUE for client startup, FALSE for server startup
059ec3d9
PH
269
270Returns: 1 if verified, 0 if not
271*/
272
273static int
421aff85
JH
274verify_callback(int state, X509_STORE_CTX *x509ctx,
275 tls_support *tlsp, BOOL *calledp, BOOL *optionalp)
059ec3d9 276{
421aff85 277X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
059ec3d9
PH
278static uschar txt[256];
279
e51c7be2 280X509_NAME_oneline(X509_get_subject_name(cert), CS txt, sizeof(txt));
059ec3d9
PH
281
282if (state == 0)
283 {
284 log_write(0, LOG_MAIN, "SSL verify error: depth=%d error=%s cert=%s",
421aff85
JH
285 X509_STORE_CTX_get_error_depth(x509ctx),
286 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)),
059ec3d9 287 txt);
a2ff477a
JH
288 tlsp->certificate_verified = FALSE;
289 *calledp = TRUE;
9d1c15ef
JH
290 if (!*optionalp)
291 {
421aff85 292 tlsp->peercert = X509_dup(cert);
9d1c15ef
JH
293 return 0; /* reject */
294 }
059ec3d9
PH
295 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
296 "tls_try_verify_hosts)\n");
059ec3d9
PH
297 }
298
421aff85 299else if (X509_STORE_CTX_get_error_depth(x509ctx) != 0)
059ec3d9 300 {
93dcb1c2 301 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n",
421aff85 302 X509_STORE_CTX_get_error_depth(x509ctx), txt);
f2de3a33 303#ifndef DISABLE_OCSP
f5d78688
JH
304 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
305 { /* client, wanting stapling */
306 /* Add the server cert's signing chain as the one
307 for the verification of the OCSP stapled information. */
308
309 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
421aff85 310 cert))
f5d78688
JH
311 ERR_clear_error();
312 }
313#endif
059ec3d9
PH
314 }
315else
316 {
e51c7be2
JH
317#ifdef EXPERIMENTAL_CERTNAMES
318 uschar * verify_cert_hostnames;
319#endif
320
a2ff477a 321 tlsp->peerdn = txt;
421aff85 322 tlsp->peercert = X509_dup(cert);
e51c7be2
JH
323
324#ifdef EXPERIMENTAL_CERTNAMES
325 if ( tlsp == &tls_out
326 && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
327 /* client, wanting hostname check */
328
329# if OPENSSL_VERSION_NUMBER >= 0x010100000L || OPENSSL_VERSION_NUMBER >= 0x010002000L
d8e7834a
JH
330# ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
331# define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
332# endif
e51c7be2
JH
333 {
334 int sep = 0;
335 uschar * list = verify_cert_hostnames;
336 uschar * name;
d8e7834a
JH
337 int rc;
338 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
339 if ((rc = X509_check_host(cert, name, 0,
340 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS)))
341 {
342 if (rc < 0)
343 {
344 log_write(0, LOG_MAIN, "SSL verify error: internal error\n");
345 name = NULL;
346 }
e51c7be2 347 break;
d8e7834a 348 }
e51c7be2
JH
349 if (!name)
350 {
351 log_write(0, LOG_MAIN,
352 "SSL verify error: certificate name mismatch: \"%s\"\n", txt);
353 return 0; /* reject */
354 }
355 }
356# else
357 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
358 {
359 log_write(0, LOG_MAIN,
360 "SSL verify error: certificate name mismatch: \"%s\"\n", txt);
361 return 0; /* reject */
362 }
363# endif
364#endif
365
93dcb1c2
JH
366 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
367 *calledp ? "" : " authenticated", txt);
368 if (!*calledp) tlsp->certificate_verified = TRUE;
369 *calledp = TRUE;
059ec3d9
PH
370 }
371
059ec3d9
PH
372return 1; /* accept */
373}
374
a2ff477a
JH
375static int
376verify_callback_client(int state, X509_STORE_CTX *x509ctx)
377{
f5d78688 378return verify_callback(state, x509ctx, &tls_out, &client_verify_callback_called, &client_verify_optional);
a2ff477a
JH
379}
380
381static int
382verify_callback_server(int state, X509_STORE_CTX *x509ctx)
383{
f5d78688 384return verify_callback(state, x509ctx, &tls_in, &server_verify_callback_called, &server_verify_optional);
a2ff477a
JH
385}
386
059ec3d9
PH
387
388
389/*************************************************
390* Information callback *
391*************************************************/
392
393/* The SSL library functions call this from time to time to indicate what they
7be682ca
PP
394are doing. We copy the string to the debugging output when TLS debugging has
395been requested.
059ec3d9
PH
396
397Arguments:
398 s the SSL connection
399 where
400 ret
401
402Returns: nothing
403*/
404
405static void
406info_callback(SSL *s, int where, int ret)
407{
408where = where;
409ret = ret;
410DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
411}
412
413
414
415/*************************************************
416* Initialize for DH *
417*************************************************/
418
419/* If dhparam is set, expand it, and load up the parameters for DH encryption.
420
421Arguments:
a799883d 422 dhparam DH parameter file or fixed parameter identity string
7199e1ee 423 host connected host, if client; NULL if server
059ec3d9
PH
424
425Returns: TRUE if OK (nothing to set up, or setup worked)
426*/
427
428static BOOL
a799883d 429init_dh(SSL_CTX *sctx, uschar *dhparam, host_item *host)
059ec3d9 430{
059ec3d9
PH
431BIO *bio;
432DH *dh;
433uschar *dhexpanded;
a799883d 434const char *pem;
059ec3d9
PH
435
436if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded))
437 return FALSE;
438
0df4ab80 439if (!dhexpanded || !*dhexpanded)
a799883d 440 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
a799883d 441else if (dhexpanded[0] == '/')
059ec3d9 442 {
0df4ab80 443 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
059ec3d9 444 {
7199e1ee 445 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
a799883d
PP
446 host, US strerror(errno));
447 return FALSE;
059ec3d9 448 }
a799883d
PP
449 }
450else
451 {
452 if (Ustrcmp(dhexpanded, "none") == 0)
059ec3d9 453 {
a799883d
PP
454 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
455 return TRUE;
059ec3d9 456 }
a799883d 457
0df4ab80 458 if (!(pem = std_dh_prime_named(dhexpanded)))
a799883d
PP
459 {
460 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
461 host, US strerror(errno));
462 return FALSE;
463 }
464 bio = BIO_new_mem_buf(CS pem, -1);
465 }
466
0df4ab80 467if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
a799883d 468 {
059ec3d9 469 BIO_free(bio);
a799883d
PP
470 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
471 host, NULL);
472 return FALSE;
473 }
474
475/* Even if it is larger, we silently return success rather than cause things
476 * to fail out, so that a too-large DH will not knock out all TLS; it's a
477 * debatable choice. */
478if ((8*DH_size(dh)) > tls_dh_max_bits)
479 {
480 DEBUG(D_tls)
481 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d",
482 8*DH_size(dh), tls_dh_max_bits);
483 }
484else
485 {
486 SSL_CTX_set_tmp_dh(sctx, dh);
487 DEBUG(D_tls)
488 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
489 dhexpanded ? dhexpanded : US"default", 8*DH_size(dh));
059ec3d9
PH
490 }
491
a799883d
PP
492DH_free(dh);
493BIO_free(bio);
494
495return TRUE;
059ec3d9
PH
496}
497
498
499
500
f2de3a33 501#ifndef DISABLE_OCSP
3f7eeb86
PP
502/*************************************************
503* Load OCSP information into state *
504*************************************************/
505
f5d78688 506/* Called to load the server OCSP response from the given file into memory, once
3f7eeb86
PP
507caller has determined this is needed. Checks validity. Debugs a message
508if invalid.
509
510ASSUMES: single response, for single cert.
511
512Arguments:
513 sctx the SSL_CTX* to update
514 cbinfo various parts of session state
515 expanded the filename putatively holding an OCSP response
516
517*/
518
519static void
f5d78688 520ocsp_load_response(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo, const uschar *expanded)
3f7eeb86
PP
521{
522BIO *bio;
523OCSP_RESPONSE *resp;
524OCSP_BASICRESP *basic_response;
525OCSP_SINGLERESP *single_response;
526ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
527X509_STORE *store;
528unsigned long verify_flags;
529int status, reason, i;
530
f5d78688
JH
531cbinfo->u_ocsp.server.file_expanded = string_copy(expanded);
532if (cbinfo->u_ocsp.server.response)
3f7eeb86 533 {
f5d78688
JH
534 OCSP_RESPONSE_free(cbinfo->u_ocsp.server.response);
535 cbinfo->u_ocsp.server.response = NULL;
3f7eeb86
PP
536 }
537
f5d78688 538bio = BIO_new_file(CS cbinfo->u_ocsp.server.file_expanded, "rb");
3f7eeb86
PP
539if (!bio)
540 {
541 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
f5d78688 542 cbinfo->u_ocsp.server.file_expanded);
3f7eeb86
PP
543 return;
544 }
545
546resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
547BIO_free(bio);
548if (!resp)
549 {
550 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
551 return;
552 }
553
554status = OCSP_response_status(resp);
555if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL)
556 {
557 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
558 OCSP_response_status_str(status), status);
f5d78688 559 goto bad;
3f7eeb86
PP
560 }
561
562basic_response = OCSP_response_get1_basic(resp);
563if (!basic_response)
564 {
565 DEBUG(D_tls)
566 debug_printf("OCSP response parse error: unable to extract basic response.\n");
f5d78688 567 goto bad;
3f7eeb86
PP
568 }
569
570store = SSL_CTX_get_cert_store(sctx);
571verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
572
573/* May need to expose ability to adjust those flags?
574OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
575OCSP_TRUSTOTHER OCSP_NOINTERN */
576
577i = OCSP_basic_verify(basic_response, NULL, store, verify_flags);
578if (i <= 0)
579 {
580 DEBUG(D_tls) {
581 ERR_error_string(ERR_get_error(), ssl_errstring);
582 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
f5d78688
JH
583 }
584 goto bad;
3f7eeb86
PP
585 }
586
587/* Here's the simplifying assumption: there's only one response, for the
588one certificate we use, and nothing for anything else in a chain. If this
589proves false, we need to extract a cert id from our issued cert
590(tls_certificate) and use that for OCSP_resp_find_status() (which finds the
591right cert in the stack and then calls OCSP_single_get0_status()).
592
593I'm hoping to avoid reworking a bunch more of how we handle state here. */
594single_response = OCSP_resp_get0(basic_response, 0);
595if (!single_response)
596 {
597 DEBUG(D_tls)
598 debug_printf("Unable to get first response from OCSP basic response.\n");
f5d78688 599 goto bad;
3f7eeb86
PP
600 }
601
602status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
f5d78688 603if (status != V_OCSP_CERTSTATUS_GOOD)
3f7eeb86 604 {
f5d78688
JH
605 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
606 OCSP_cert_status_str(status), status,
607 OCSP_crl_reason_str(reason), reason);
608 goto bad;
3f7eeb86
PP
609 }
610
611if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
612 {
613 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
f5d78688 614 goto bad;
3f7eeb86
PP
615 }
616
f5d78688 617supply_response:
018058b2 618 cbinfo->u_ocsp.server.response = resp;
f5d78688
JH
619return;
620
621bad:
018058b2
JH
622 if (running_in_test_harness)
623 {
624 extern char ** environ;
625 uschar ** p;
626 for (p = USS environ; *p != NULL; p++)
627 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
628 {
629 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
630 goto supply_response;
631 }
632 }
f5d78688 633return;
3f7eeb86 634}
f2de3a33 635#endif /*!DISABLE_OCSP*/
3f7eeb86
PP
636
637
638
639
059ec3d9 640/*************************************************
7be682ca
PP
641* Expand key and cert file specs *
642*************************************************/
643
f5d78688 644/* Called once during tls_init and possibly again during TLS setup, for a
7be682ca
PP
645new context, if Server Name Indication was used and tls_sni was seen in
646the certificate string.
647
648Arguments:
649 sctx the SSL_CTX* to update
650 cbinfo various parts of session state
651
652Returns: OK/DEFER/FAIL
653*/
654
655static int
3f7eeb86 656tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo)
7be682ca
PP
657{
658uschar *expanded;
659
660if (cbinfo->certificate == NULL)
661 return OK;
662
d9b2312b
JH
663if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
664 Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
665 Ustrstr(cbinfo->certificate, US"tls_out_sni")
666 )
7be682ca
PP
667 reexpand_tls_files_for_sni = TRUE;
668
669if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded))
670 return DEFER;
671
672if (expanded != NULL)
673 {
674 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded);
675 if (!SSL_CTX_use_certificate_chain_file(sctx, CS expanded))
676 return tls_error(string_sprintf(
677 "SSL_CTX_use_certificate_chain_file file=%s", expanded),
678 cbinfo->host, NULL);
679 }
680
681if (cbinfo->privatekey != NULL &&
682 !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded))
683 return DEFER;
684
685/* If expansion was forced to fail, key_expanded will be NULL. If the result
686of the expansion is an empty string, ignore it also, and assume the private
687key is in the same file as the certificate. */
688
689if (expanded != NULL && *expanded != 0)
690 {
691 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
692 if (!SSL_CTX_use_PrivateKey_file(sctx, CS expanded, SSL_FILETYPE_PEM))
693 return tls_error(string_sprintf(
694 "SSL_CTX_use_PrivateKey_file file=%s", expanded), cbinfo->host, NULL);
695 }
696
f2de3a33 697#ifndef DISABLE_OCSP
f5d78688 698if (cbinfo->is_server && cbinfo->u_ocsp.server.file != NULL)
3f7eeb86 699 {
f5d78688 700 if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded))
3f7eeb86
PP
701 return DEFER;
702
703 if (expanded != NULL && *expanded != 0)
704 {
705 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
f5d78688
JH
706 if (cbinfo->u_ocsp.server.file_expanded &&
707 (Ustrcmp(expanded, cbinfo->u_ocsp.server.file_expanded) == 0))
3f7eeb86
PP
708 {
709 DEBUG(D_tls)
710 debug_printf("tls_ocsp_file value unchanged, using existing values.\n");
711 } else {
712 ocsp_load_response(sctx, cbinfo, expanded);
713 }
714 }
715 }
716#endif
717
7be682ca
PP
718return OK;
719}
720
721
722
723
724/*************************************************
725* Callback to handle SNI *
726*************************************************/
727
728/* Called when acting as server during the TLS session setup if a Server Name
729Indication extension was sent by the client.
730
731API documentation is OpenSSL s_server.c implementation.
732
733Arguments:
734 s SSL* of the current session
735 ad unknown (part of OpenSSL API) (unused)
736 arg Callback of "our" registered data
737
738Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
739*/
740
3bcbbbe2 741#ifdef EXIM_HAVE_OPENSSL_TLSEXT
7be682ca 742static int
7be682ca
PP
743tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
744{
745const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
3f7eeb86 746tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
7be682ca 747int rc;
3f0945ff 748int old_pool = store_pool;
7be682ca
PP
749
750if (!servername)
751 return SSL_TLSEXT_ERR_OK;
752
3f0945ff 753DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
7be682ca
PP
754 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
755
756/* Make the extension value available for expansion */
3f0945ff 757store_pool = POOL_PERM;
817d9f57 758tls_in.sni = string_copy(US servername);
3f0945ff 759store_pool = old_pool;
7be682ca
PP
760
761if (!reexpand_tls_files_for_sni)
762 return SSL_TLSEXT_ERR_OK;
763
764/* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
765not confident that memcpy wouldn't break some internal reference counting.
766Especially since there's a references struct member, which would be off. */
767
0df4ab80 768if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
7be682ca
PP
769 {
770 ERR_error_string(ERR_get_error(), ssl_errstring);
771 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
772 return SSL_TLSEXT_ERR_NOACK;
773 }
774
775/* Not sure how many of these are actually needed, since SSL object
776already exists. Might even need this selfsame callback, for reneg? */
777
817d9f57
JH
778SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
779SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
780SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
781SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
782SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
783SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
7be682ca 784if (cbinfo->server_cipher_list)
817d9f57 785 SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list);
f2de3a33 786#ifndef DISABLE_OCSP
f5d78688 787if (cbinfo->u_ocsp.server.file)
3f7eeb86 788 {
f5d78688 789 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
14c7b357 790 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
3f7eeb86
PP
791 }
792#endif
7be682ca 793
983207c1 794rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE, verify_callback_server);
7be682ca
PP
795if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
796
3f7eeb86
PP
797/* do this after setup_certs, because this can require the certs for verifying
798OCSP information. */
817d9f57 799rc = tls_expand_session_files(server_sni, cbinfo);
7be682ca
PP
800if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
801
0df4ab80
JH
802if (!init_dh(server_sni, cbinfo->dhparam, NULL))
803 return SSL_TLSEXT_ERR_NOACK;
a799883d 804
7be682ca 805DEBUG(D_tls) debug_printf("Switching SSL context.\n");
817d9f57 806SSL_set_SSL_CTX(s, server_sni);
7be682ca
PP
807
808return SSL_TLSEXT_ERR_OK;
809}
3bcbbbe2 810#endif /* EXIM_HAVE_OPENSSL_TLSEXT */
7be682ca
PP
811
812
813
814
f2de3a33 815#ifndef DISABLE_OCSP
f5d78688 816
3f7eeb86
PP
817/*************************************************
818* Callback to handle OCSP Stapling *
819*************************************************/
820
821/* Called when acting as server during the TLS session setup if the client
822requests OCSP information with a Certificate Status Request.
823
824Documentation via openssl s_server.c and the Apache patch from the OpenSSL
825project.
826
827*/
828
829static int
f5d78688 830tls_server_stapling_cb(SSL *s, void *arg)
3f7eeb86
PP
831{
832const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
833uschar *response_der;
834int response_der_len;
835
af4a1bca
JH
836DEBUG(D_tls)
837 debug_printf("Received TLS status request (OCSP stapling); %s response.",
f5d78688
JH
838 cbinfo->u_ocsp.server.response ? "have" : "lack");
839
44662487 840tls_in.ocsp = OCSP_NOT_RESP;
f5d78688 841if (!cbinfo->u_ocsp.server.response)
3f7eeb86
PP
842 return SSL_TLSEXT_ERR_NOACK;
843
844response_der = NULL;
44662487
JH
845response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response,
846 &response_der);
3f7eeb86
PP
847if (response_der_len <= 0)
848 return SSL_TLSEXT_ERR_NOACK;
849
5e55c7a9 850SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
44662487 851tls_in.ocsp = OCSP_VFIED;
3f7eeb86
PP
852return SSL_TLSEXT_ERR_OK;
853}
854
3f7eeb86 855
f5d78688
JH
856static void
857time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
858{
859BIO_printf(bp, "\t%s: ", str);
860ASN1_GENERALIZEDTIME_print(bp, time);
861BIO_puts(bp, "\n");
862}
863
864static int
865tls_client_stapling_cb(SSL *s, void *arg)
866{
867tls_ext_ctx_cb * cbinfo = arg;
868const unsigned char * p;
869int len;
870OCSP_RESPONSE * rsp;
871OCSP_BASICRESP * bs;
872int i;
873
874DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
875len = SSL_get_tlsext_status_ocsp_resp(s, &p);
876if(!p)
877 {
44662487
JH
878 /* Expect this when we requested ocsp but got none */
879 if ( cbinfo->u_ocsp.client.verify_required
880 && log_extra_selector & LX_tls_cipher)
881 log_write(0, LOG_MAIN, "Received TLS status callback, null content");
f5d78688
JH
882 else
883 DEBUG(D_tls) debug_printf(" null\n");
44662487 884 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
f5d78688 885 }
018058b2 886
f5d78688
JH
887if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
888 {
018058b2 889 tls_out.ocsp = OCSP_FAILED;
f5d78688 890 if (log_extra_selector & LX_tls_cipher)
1eca31ca 891 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
f5d78688
JH
892 else
893 DEBUG(D_tls) debug_printf(" parse error\n");
894 return 0;
895 }
896
897if(!(bs = OCSP_response_get1_basic(rsp)))
898 {
018058b2 899 tls_out.ocsp = OCSP_FAILED;
f5d78688 900 if (log_extra_selector & LX_tls_cipher)
1eca31ca 901 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
f5d78688
JH
902 else
903 DEBUG(D_tls) debug_printf(" error parsing response\n");
904 OCSP_RESPONSE_free(rsp);
905 return 0;
906 }
907
908/* We'd check the nonce here if we'd put one in the request. */
909/* However that would defeat cacheability on the server so we don't. */
910
f5d78688
JH
911/* This section of code reworked from OpenSSL apps source;
912 The OpenSSL Project retains copyright:
913 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
914*/
915 {
916 BIO * bp = NULL;
f5d78688
JH
917 int status, reason;
918 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
919
920 DEBUG(D_tls) bp = BIO_new_fp(stderr, BIO_NOCLOSE);
921
922 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
923
924 /* Use the chain that verified the server cert to verify the stapled info */
925 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
926
44662487
JH
927 if ((i = OCSP_basic_verify(bs, NULL,
928 cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
f5d78688 929 {
018058b2 930 tls_out.ocsp = OCSP_FAILED;
1eca31ca
JH
931 if (log_extra_selector & LX_tls_cipher)
932 log_write(0, LOG_MAIN, "Received TLS cert status response, itself unverifiable");
f5d78688
JH
933 BIO_printf(bp, "OCSP response verify failure\n");
934 ERR_print_errors(bp);
44662487 935 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
f5d78688
JH
936 goto out;
937 }
938
939 BIO_printf(bp, "OCSP response well-formed and signed OK\n");
940
941 {
942 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
943 OCSP_SINGLERESP * single;
944
945 if (sk_OCSP_SINGLERESP_num(sresp) != 1)
946 {
018058b2 947 tls_out.ocsp = OCSP_FAILED;
44662487
JH
948 log_write(0, LOG_MAIN, "OCSP stapling "
949 "with multiple responses not handled");
950 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
f5d78688
JH
951 goto out;
952 }
953 single = OCSP_resp_get0(bs, 0);
44662487
JH
954 status = OCSP_single_get0_status(single, &reason, &rev,
955 &thisupd, &nextupd);
f5d78688
JH
956 }
957
f5d78688
JH
958 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
959 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
44662487
JH
960 if (!OCSP_check_validity(thisupd, nextupd,
961 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
f5d78688 962 {
018058b2 963 tls_out.ocsp = OCSP_FAILED;
f5d78688
JH
964 DEBUG(D_tls) ERR_print_errors(bp);
965 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
44662487 966 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
f5d78688 967 }
44662487 968 else
f5d78688 969 {
44662487
JH
970 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
971 OCSP_cert_status_str(status));
972 switch(status)
973 {
974 case V_OCSP_CERTSTATUS_GOOD:
44662487 975 tls_out.ocsp = OCSP_VFIED;
018058b2 976 i = 1;
44662487
JH
977 break;
978 case V_OCSP_CERTSTATUS_REVOKED:
018058b2 979 tls_out.ocsp = OCSP_FAILED;
44662487
JH
980 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
981 reason != -1 ? "; reason: " : "",
982 reason != -1 ? OCSP_crl_reason_str(reason) : "");
983 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
984 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
985 break;
986 default:
018058b2 987 tls_out.ocsp = OCSP_FAILED;
44662487
JH
988 log_write(0, LOG_MAIN,
989 "Server certificate status unknown, in OCSP stapling");
990 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
991 break;
992 }
f5d78688
JH
993 }
994 out:
995 BIO_free(bp);
996 }
997
998OCSP_RESPONSE_free(rsp);
999return i;
1000}
f2de3a33 1001#endif /*!DISABLE_OCSP*/
3f7eeb86
PP
1002
1003
1004
7be682ca 1005/*************************************************
059ec3d9
PH
1006* Initialize for TLS *
1007*************************************************/
1008
e51c7be2
JH
1009/* Called from both server and client code, to do preliminary initialization
1010of the library. We allocate and return a context structure.
059ec3d9
PH
1011
1012Arguments:
1013 host connected host, if client; NULL if server
1014 dhparam DH parameter file
1015 certificate certificate file
1016 privatekey private key
f5d78688 1017 ocsp_file file of stapling info (server); flag for require ocsp (client)
059ec3d9 1018 addr address if client; NULL if server (for some randomness)
e51c7be2 1019 cbp place to put allocated context
059ec3d9
PH
1020
1021Returns: OK/DEFER/FAIL
1022*/
1023
1024static int
817d9f57 1025tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
3f7eeb86 1026 uschar *privatekey,
f2de3a33 1027#ifndef DISABLE_OCSP
3f7eeb86
PP
1028 uschar *ocsp_file,
1029#endif
817d9f57 1030 address_item *addr, tls_ext_ctx_cb ** cbp)
059ec3d9 1031{
77bb000f 1032long init_options;
7be682ca 1033int rc;
77bb000f 1034BOOL okay;
7be682ca
PP
1035tls_ext_ctx_cb *cbinfo;
1036
1037cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
1038cbinfo->certificate = certificate;
1039cbinfo->privatekey = privatekey;
f2de3a33 1040#ifndef DISABLE_OCSP
f5d78688
JH
1041if ((cbinfo->is_server = host==NULL))
1042 {
1043 cbinfo->u_ocsp.server.file = ocsp_file;
1044 cbinfo->u_ocsp.server.file_expanded = NULL;
1045 cbinfo->u_ocsp.server.response = NULL;
1046 }
1047else
1048 cbinfo->u_ocsp.client.verify_store = NULL;
3f7eeb86 1049#endif
7be682ca 1050cbinfo->dhparam = dhparam;
0df4ab80 1051cbinfo->server_cipher_list = NULL;
7be682ca 1052cbinfo->host = host;
77bb000f 1053
059ec3d9
PH
1054SSL_load_error_strings(); /* basic set up */
1055OpenSSL_add_ssl_algorithms();
1056
388d6564 1057#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
77bb000f 1058/* SHA256 is becoming ever more popular. This makes sure it gets added to the
a0475b69
TK
1059list of available digests. */
1060EVP_add_digest(EVP_sha256());
cf1ef1a9 1061#endif
a0475b69 1062
f0f5a555
PP
1063/* Create a context.
1064The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
1065negotiation in the different methods; as far as I can tell, the only
1066*_{server,client}_method which allows negotiation is SSLv23, which exists even
1067when OpenSSL is built without SSLv2 support.
1068By disabling with openssl_options, we can let admins re-enable with the
1069existing knob. */
059ec3d9 1070
817d9f57 1071*ctxp = SSL_CTX_new((host == NULL)?
059ec3d9
PH
1072 SSLv23_server_method() : SSLv23_client_method());
1073
817d9f57 1074if (*ctxp == NULL) return tls_error(US"SSL_CTX_new", host, NULL);
059ec3d9
PH
1075
1076/* It turns out that we need to seed the random number generator this early in
1077order to get the full complement of ciphers to work. It took me roughly a day
1078of work to discover this by experiment.
1079
1080On systems that have /dev/urandom, SSL may automatically seed itself from
1081there. Otherwise, we have to make something up as best we can. Double check
1082afterwards. */
1083
1084if (!RAND_status())
1085 {
1086 randstuff r;
9e3331ea 1087 gettimeofday(&r.tv, NULL);
059ec3d9
PH
1088 r.p = getpid();
1089
1090 RAND_seed((uschar *)(&r), sizeof(r));
1091 RAND_seed((uschar *)big_buffer, big_buffer_size);
1092 if (addr != NULL) RAND_seed((uschar *)addr, sizeof(addr));
1093
1094 if (!RAND_status())
7199e1ee 1095 return tls_error(US"RAND_status", host,
5ca6d115 1096 US"unable to seed random number generator");
059ec3d9
PH
1097 }
1098
1099/* Set up the information callback, which outputs if debugging is at a suitable
1100level. */
1101
817d9f57 1102SSL_CTX_set_info_callback(*ctxp, (void (*)())info_callback);
059ec3d9 1103
c80c5570 1104/* Automatically re-try reads/writes after renegotiation. */
817d9f57 1105(void) SSL_CTX_set_mode(*ctxp, SSL_MODE_AUTO_RETRY);
c80c5570 1106
77bb000f
PP
1107/* Apply administrator-supplied work-arounds.
1108Historically we applied just one requested option,
1109SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
1110moved to an administrator-controlled list of options to specify and
1111grandfathered in the first one as the default value for "openssl_options".
059ec3d9 1112
77bb000f
PP
1113No OpenSSL version number checks: the options we accept depend upon the
1114availability of the option value macros from OpenSSL. */
059ec3d9 1115
77bb000f
PP
1116okay = tls_openssl_options_parse(openssl_options, &init_options);
1117if (!okay)
73a46702 1118 return tls_error(US"openssl_options parsing failed", host, NULL);
77bb000f
PP
1119
1120if (init_options)
1121 {
1122 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
817d9f57 1123 if (!(SSL_CTX_set_options(*ctxp, init_options)))
77bb000f
PP
1124 return tls_error(string_sprintf(
1125 "SSL_CTX_set_option(%#lx)", init_options), host, NULL);
1126 }
1127else
1128 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
059ec3d9
PH
1129
1130/* Initialize with DH parameters if supplied */
1131
817d9f57 1132if (!init_dh(*ctxp, dhparam, host)) return DEFER;
059ec3d9 1133
3f7eeb86 1134/* Set up certificate and key (and perhaps OCSP info) */
059ec3d9 1135
817d9f57 1136rc = tls_expand_session_files(*ctxp, cbinfo);
7be682ca 1137if (rc != OK) return rc;
c91535f3 1138
7be682ca 1139/* If we need to handle SNI, do so */
3bcbbbe2 1140#ifdef EXIM_HAVE_OPENSSL_TLSEXT
f5d78688 1141if (host == NULL) /* server */
3f0945ff 1142 {
f2de3a33 1143# ifndef DISABLE_OCSP
f5d78688 1144 /* We check u_ocsp.server.file, not server.response, because we care about if
3f7eeb86
PP
1145 the option exists, not what the current expansion might be, as SNI might
1146 change the certificate and OCSP file in use between now and the time the
1147 callback is invoked. */
f5d78688 1148 if (cbinfo->u_ocsp.server.file)
3f7eeb86 1149 {
f5d78688 1150 SSL_CTX_set_tlsext_status_cb(server_ctx, tls_server_stapling_cb);
5e55c7a9 1151 SSL_CTX_set_tlsext_status_arg(server_ctx, cbinfo);
3f7eeb86 1152 }
f5d78688 1153# endif
3f0945ff
PP
1154 /* We always do this, so that $tls_sni is available even if not used in
1155 tls_certificate */
817d9f57
JH
1156 SSL_CTX_set_tlsext_servername_callback(*ctxp, tls_servername_cb);
1157 SSL_CTX_set_tlsext_servername_arg(*ctxp, cbinfo);
3f0945ff 1158 }
f2de3a33 1159# ifndef DISABLE_OCSP
f5d78688
JH
1160else /* client */
1161 if(ocsp_file) /* wanting stapling */
1162 {
1163 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
1164 {
1165 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
1166 return FAIL;
1167 }
1168 SSL_CTX_set_tlsext_status_cb(*ctxp, tls_client_stapling_cb);
1169 SSL_CTX_set_tlsext_status_arg(*ctxp, cbinfo);
1170 }
1171# endif
7be682ca 1172#endif
059ec3d9 1173
e51c7be2
JH
1174#ifdef EXPERIMENTAL_CERTNAMES
1175cbinfo->verify_cert_hostnames = NULL;
1176#endif
1177
059ec3d9
PH
1178/* Set up the RSA callback */
1179
817d9f57 1180SSL_CTX_set_tmp_rsa_callback(*ctxp, rsa_callback);
059ec3d9
PH
1181
1182/* Finally, set the timeout, and we are done */
1183
817d9f57 1184SSL_CTX_set_timeout(*ctxp, ssl_session_timeout);
059ec3d9 1185DEBUG(D_tls) debug_printf("Initialized TLS\n");
7be682ca 1186
817d9f57 1187*cbp = cbinfo;
7be682ca 1188
059ec3d9
PH
1189return OK;
1190}
1191
1192
1193
1194
1195/*************************************************
1196* Get name of cipher in use *
1197*************************************************/
1198
817d9f57 1199/*
059ec3d9 1200Argument: pointer to an SSL structure for the connection
817d9f57
JH
1201 buffer to use for answer
1202 size of buffer
1203 pointer to number of bits for cipher
059ec3d9
PH
1204Returns: nothing
1205*/
1206
1207static void
817d9f57 1208construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits)
059ec3d9 1209{
57b3a7f5
PP
1210/* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't
1211yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
1212the accessor functions use const in the prototype. */
1213const SSL_CIPHER *c;
d9784128 1214const uschar *ver;
059ec3d9 1215
d9784128 1216ver = (const uschar *)SSL_get_version(ssl);
059ec3d9 1217
57b3a7f5 1218c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
817d9f57 1219SSL_CIPHER_get_bits(c, bits);
059ec3d9 1220
817d9f57
JH
1221string_format(cipherbuf, bsize, "%s:%s:%u", ver,
1222 SSL_CIPHER_get_name(c), *bits);
059ec3d9
PH
1223
1224DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
1225}
1226
1227
1228
1229
1230
1231/*************************************************
1232* Set up for verifying certificates *
1233*************************************************/
1234
1235/* Called by both client and server startup
1236
1237Arguments:
7be682ca 1238 sctx SSL_CTX* to initialise
059ec3d9
PH
1239 certs certs file or NULL
1240 crl CRL file or NULL
1241 host NULL in a server; the remote host in a client
1242 optional TRUE if called from a server for a host in tls_try_verify_hosts;
1243 otherwise passed as FALSE
983207c1 1244 cert_vfy_cb Callback function for certificate verification
059ec3d9
PH
1245
1246Returns: OK/DEFER/FAIL
1247*/
1248
1249static int
983207c1
JH
1250setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
1251 int (*cert_vfy_cb)(int, X509_STORE_CTX *) )
059ec3d9
PH
1252{
1253uschar *expcerts, *expcrl;
1254
1255if (!expand_check(certs, US"tls_verify_certificates", &expcerts))
1256 return DEFER;
1257
26e72755 1258if (expcerts != NULL && *expcerts != '\0')
059ec3d9
PH
1259 {
1260 struct stat statbuf;
7be682ca 1261 if (!SSL_CTX_set_default_verify_paths(sctx))
7199e1ee 1262 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
059ec3d9
PH
1263
1264 if (Ustat(expcerts, &statbuf) < 0)
1265 {
1266 log_write(0, LOG_MAIN|LOG_PANIC,
1267 "failed to stat %s for certificates", expcerts);
1268 return DEFER;
1269 }
1270 else
1271 {
1272 uschar *file, *dir;
1273 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
1274 { file = NULL; dir = expcerts; }
1275 else
1276 { file = expcerts; dir = NULL; }
1277
1278 /* If a certificate file is empty, the next function fails with an
1279 unhelpful error message. If we skip it, we get the correct behaviour (no
1280 certificates are recognized, but the error message is still misleading (it
1281 says no certificate was supplied.) But this is better. */
1282
1283 if ((file == NULL || statbuf.st_size > 0) &&
7be682ca 1284 !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
7199e1ee 1285 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL);
059ec3d9
PH
1286
1287 if (file != NULL)
1288 {
7be682ca 1289 SSL_CTX_set_client_CA_list(sctx, SSL_load_client_CA_file(CS file));
059ec3d9
PH
1290 }
1291 }
1292
1293 /* Handle a certificate revocation list. */
1294
1295 #if OPENSSL_VERSION_NUMBER > 0x00907000L
1296
8b417f2c
PH
1297 /* This bit of code is now the version supplied by Lars Mainka. (I have
1298 * merely reformatted it into the Exim code style.)
1299
1300 * "From here I changed the code to add support for multiple crl's
1301 * in pem format in one file or to support hashed directory entries in
1302 * pem format instead of a file. This method now uses the library function
1303 * X509_STORE_load_locations to add the CRL location to the SSL context.
1304 * OpenSSL will then handle the verify against CA certs and CRLs by
1305 * itself in the verify callback." */
1306
059ec3d9
PH
1307 if (!expand_check(crl, US"tls_crl", &expcrl)) return DEFER;
1308 if (expcrl != NULL && *expcrl != 0)
1309 {
8b417f2c
PH
1310 struct stat statbufcrl;
1311 if (Ustat(expcrl, &statbufcrl) < 0)
1312 {
1313 log_write(0, LOG_MAIN|LOG_PANIC,
1314 "failed to stat %s for certificates revocation lists", expcrl);
1315 return DEFER;
1316 }
1317 else
059ec3d9 1318 {
8b417f2c
PH
1319 /* is it a file or directory? */
1320 uschar *file, *dir;
7be682ca 1321 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
8b417f2c 1322 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
059ec3d9 1323 {
8b417f2c
PH
1324 file = NULL;
1325 dir = expcrl;
1326 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
059ec3d9
PH
1327 }
1328 else
1329 {
8b417f2c
PH
1330 file = expcrl;
1331 dir = NULL;
1332 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
059ec3d9 1333 }
8b417f2c 1334 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
7199e1ee 1335 return tls_error(US"X509_STORE_load_locations", host, NULL);
8b417f2c
PH
1336
1337 /* setting the flags to check against the complete crl chain */
1338
1339 X509_STORE_set_flags(cvstore,
1340 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
059ec3d9 1341 }
059ec3d9
PH
1342 }
1343
1344 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
1345
1346 /* If verification is optional, don't fail if no certificate */
1347
7be682ca 1348 SSL_CTX_set_verify(sctx,
059ec3d9 1349 SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
983207c1 1350 cert_vfy_cb);
059ec3d9
PH
1351 }
1352
1353return OK;
1354}
1355
1356
1357
1358/*************************************************
1359* Start a TLS session in a server *
1360*************************************************/
1361
1362/* This is called when Exim is running as a server, after having received
1363the STARTTLS command. It must respond to that command, and then negotiate
1364a TLS session.
1365
1366Arguments:
1367 require_ciphers allowed ciphers
1368
1369Returns: OK on success
1370 DEFER for errors before the start of the negotiation
1371 FAIL for errors during the negotation; the server can't
1372 continue running.
1373*/
1374
1375int
17c76198 1376tls_server_start(const uschar *require_ciphers)
059ec3d9
PH
1377{
1378int rc;
1379uschar *expciphers;
7be682ca 1380tls_ext_ctx_cb *cbinfo;
817d9f57 1381static uschar cipherbuf[256];
059ec3d9
PH
1382
1383/* Check for previous activation */
1384
817d9f57 1385if (tls_in.active >= 0)
059ec3d9 1386 {
5ca6d115 1387 tls_error(US"STARTTLS received after TLS started", NULL, US"");
059ec3d9
PH
1388 smtp_printf("554 Already in TLS\r\n");
1389 return FAIL;
1390 }
1391
1392/* Initialize the SSL library. If it fails, it will already have logged
1393the error. */
1394
817d9f57 1395rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
f2de3a33 1396#ifndef DISABLE_OCSP
3f7eeb86
PP
1397 tls_ocsp_file,
1398#endif
817d9f57 1399 NULL, &server_static_cbinfo);
059ec3d9 1400if (rc != OK) return rc;
817d9f57 1401cbinfo = server_static_cbinfo;
059ec3d9
PH
1402
1403if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
1404 return FAIL;
1405
1406/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
17c76198
PP
1407were historically separated by underscores. So that I can use either form in my
1408tests, and also for general convenience, we turn underscores into hyphens here.
1409*/
059ec3d9
PH
1410
1411if (expciphers != NULL)
1412 {
1413 uschar *s = expciphers;
1414 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1415 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
817d9f57 1416 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
7199e1ee 1417 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL);
7be682ca 1418 cbinfo->server_cipher_list = expciphers;
059ec3d9
PH
1419 }
1420
1421/* If this is a host for which certificate verification is mandatory or
1422optional, set up appropriately. */
1423
817d9f57 1424tls_in.certificate_verified = FALSE;
a2ff477a 1425server_verify_callback_called = FALSE;
059ec3d9
PH
1426
1427if (verify_check_host(&tls_verify_hosts) == OK)
1428 {
983207c1
JH
1429 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
1430 FALSE, verify_callback_server);
059ec3d9 1431 if (rc != OK) return rc;
a2ff477a 1432 server_verify_optional = FALSE;
059ec3d9
PH
1433 }
1434else if (verify_check_host(&tls_try_verify_hosts) == OK)
1435 {
983207c1
JH
1436 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
1437 TRUE, verify_callback_server);
059ec3d9 1438 if (rc != OK) return rc;
a2ff477a 1439 server_verify_optional = TRUE;
059ec3d9
PH
1440 }
1441
1442/* Prepare for new connection */
1443
817d9f57 1444if ((server_ssl = SSL_new(server_ctx)) == NULL) return tls_error(US"SSL_new", NULL, NULL);
da3ad30d
PP
1445
1446/* Warning: we used to SSL_clear(ssl) here, it was removed.
1447 *
1448 * With the SSL_clear(), we get strange interoperability bugs with
1449 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
1450 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
1451 *
1452 * The SSL_clear() call is to let an existing SSL* be reused, typically after
1453 * session shutdown. In this case, we have a brand new object and there's no
1454 * obvious reason to immediately clear it. I'm guessing that this was
1455 * originally added because of incomplete initialisation which the clear fixed,
1456 * in some historic release.
1457 */
059ec3d9
PH
1458
1459/* Set context and tell client to go ahead, except in the case of TLS startup
1460on connection, where outputting anything now upsets the clients and tends to
1461make them disconnect. We need to have an explicit fflush() here, to force out
1462the response. Other smtp_printf() calls do not need it, because in non-TLS
1463mode, the fflush() happens when smtp_getc() is called. */
1464
817d9f57
JH
1465SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
1466if (!tls_in.on_connect)
059ec3d9
PH
1467 {
1468 smtp_printf("220 TLS go ahead\r\n");
1469 fflush(smtp_out);
1470 }
1471
1472/* Now negotiate the TLS session. We put our own timer on it, since it seems
1473that the OpenSSL library doesn't. */
1474
817d9f57
JH
1475SSL_set_wfd(server_ssl, fileno(smtp_out));
1476SSL_set_rfd(server_ssl, fileno(smtp_in));
1477SSL_set_accept_state(server_ssl);
059ec3d9
PH
1478
1479DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
1480
1481sigalrm_seen = FALSE;
1482if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
817d9f57 1483rc = SSL_accept(server_ssl);
059ec3d9
PH
1484alarm(0);
1485
1486if (rc <= 0)
1487 {
7199e1ee 1488 tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL);
77bb000f
PP
1489 if (ERR_get_error() == 0)
1490 log_write(0, LOG_MAIN,
a053d125 1491 "TLS client disconnected cleanly (rejected our certificate?)");
059ec3d9
PH
1492 return FAIL;
1493 }
1494
1495DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
1496
1497/* TLS has been set up. Adjust the input functions to read via TLS,
1498and initialize things. */
1499
817d9f57
JH
1500construct_cipher_name(server_ssl, cipherbuf, sizeof(cipherbuf), &tls_in.bits);
1501tls_in.cipher = cipherbuf;
059ec3d9
PH
1502
1503DEBUG(D_tls)
1504 {
1505 uschar buf[2048];
817d9f57 1506 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)) != NULL)
059ec3d9
PH
1507 debug_printf("Shared ciphers: %s\n", buf);
1508 }
1509
9d1c15ef
JH
1510/* Record the certificate we presented */
1511 {
1512 X509 * crt = SSL_get_certificate(server_ssl);
1513 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
1514 }
059ec3d9 1515
817d9f57
JH
1516/* Only used by the server-side tls (tls_in), including tls_getc.
1517 Client-side (tls_out) reads (seem to?) go via
1518 smtp_read_response()/ip_recv().
1519 Hence no need to duplicate for _in and _out.
1520 */
059ec3d9
PH
1521ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
1522ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
1523ssl_xfer_eof = ssl_xfer_error = 0;
1524
1525receive_getc = tls_getc;
1526receive_ungetc = tls_ungetc;
1527receive_feof = tls_feof;
1528receive_ferror = tls_ferror;
58eb016e 1529receive_smtp_buffered = tls_smtp_buffered;
059ec3d9 1530
817d9f57 1531tls_in.active = fileno(smtp_out);
059ec3d9
PH
1532return OK;
1533}
1534
1535
1536
1537
1538
1539/*************************************************
1540* Start a TLS session in a client *
1541*************************************************/
1542
1543/* Called from the smtp transport after STARTTLS has been accepted.
1544
1545Argument:
1546 fd the fd of the connection
1547 host connected host (for messages)
83da1223 1548 addr the first address
65867078 1549 ob smtp transport options
059ec3d9
PH
1550
1551Returns: OK on success
1552 FAIL otherwise - note that tls_error() will not give DEFER
1553 because this is not a server
1554*/
1555
1556int
f5d78688 1557tls_client_start(int fd, host_item *host, address_item *addr,
65867078 1558 void *v_ob)
059ec3d9 1559{
65867078 1560smtp_transport_options_block * ob = v_ob;
059ec3d9
PH
1561static uschar txt[256];
1562uschar *expciphers;
1563X509* server_cert;
1564int rc;
817d9f57 1565static uschar cipherbuf[256];
f2de3a33 1566#ifndef DISABLE_OCSP
65867078 1567BOOL require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp,
f5d78688 1568 NULL, host->name, host->address, NULL) == OK;
44662487
JH
1569BOOL request_ocsp = require_ocsp ? TRUE
1570 : verify_check_this_host(&ob->hosts_request_ocsp,
1571 NULL, host->name, host->address, NULL) == OK;
f5d78688 1572#endif
059ec3d9 1573
65867078
JH
1574rc = tls_init(&client_ctx, host, NULL,
1575 ob->tls_certificate, ob->tls_privatekey,
f2de3a33 1576#ifndef DISABLE_OCSP
44662487 1577 (void *)(long)request_ocsp,
3f7eeb86 1578#endif
817d9f57 1579 addr, &client_static_cbinfo);
059ec3d9
PH
1580if (rc != OK) return rc;
1581
817d9f57 1582tls_out.certificate_verified = FALSE;
a2ff477a 1583client_verify_callback_called = FALSE;
059ec3d9 1584
65867078
JH
1585if (!expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
1586 &expciphers))
059ec3d9
PH
1587 return FAIL;
1588
1589/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
1590are separated by underscores. So that I can use either form in my tests, and
1591also for general convenience, we turn underscores into hyphens here. */
1592
1593if (expciphers != NULL)
1594 {
1595 uschar *s = expciphers;
1596 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1597 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
817d9f57 1598 if (!SSL_CTX_set_cipher_list(client_ctx, CS expciphers))
7199e1ee 1599 return tls_error(US"SSL_CTX_set_cipher_list", host, NULL);
059ec3d9
PH
1600 }
1601
a63be306 1602/* stick to the old behaviour for compatibility if tls_verify_certificates is
65867078 1603 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
a63be306 1604 the specified host patterns if one of them is defined */
e51c7be2 1605
65867078
JH
1606if ((!ob->tls_verify_hosts && !ob->tls_try_verify_hosts) ||
1607 (verify_check_host(&ob->tls_verify_hosts) == OK))
a63be306 1608 {
65867078
JH
1609 if ((rc = setup_certs(client_ctx, ob->tls_verify_certificates,
1610 ob->tls_crl, host, FALSE, verify_callback_client)) != OK)
1611 return rc;
a63be306 1612 client_verify_optional = FALSE;
e51c7be2
JH
1613
1614#ifdef EXPERIMENTAL_CERTNAMES
1615 if (ob->tls_verify_cert_hostnames)
1616 {
1617 if (!expand_check(ob->tls_verify_cert_hostnames,
1618 US"tls_verify_cert_hostnames",
1619 &client_static_cbinfo->verify_cert_hostnames))
1620 return FAIL;
1621 if (client_static_cbinfo->verify_cert_hostnames)
1622 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
1623 client_static_cbinfo->verify_cert_hostnames);
1624 }
1625#endif
a63be306 1626 }
65867078 1627else if (verify_check_host(&ob->tls_try_verify_hosts) == OK)
a63be306 1628 {
65867078
JH
1629 if ((rc = setup_certs(client_ctx, ob->tls_verify_certificates,
1630 ob->tls_crl, host, TRUE, verify_callback_client)) != OK)
1631 return rc;
a63be306
WB
1632 client_verify_optional = TRUE;
1633 }
059ec3d9 1634
65867078
JH
1635if ((client_ssl = SSL_new(client_ctx)) == NULL)
1636 return tls_error(US"SSL_new", host, NULL);
817d9f57
JH
1637SSL_set_session_id_context(client_ssl, sid_ctx, Ustrlen(sid_ctx));
1638SSL_set_fd(client_ssl, fd);
1639SSL_set_connect_state(client_ssl);
059ec3d9 1640
65867078 1641if (ob->tls_sni)
3f0945ff 1642 {
65867078 1643 if (!expand_check(ob->tls_sni, US"tls_sni", &tls_out.sni))
3f0945ff 1644 return FAIL;
ec4b68e5 1645 if (tls_out.sni == NULL)
2c9a0e86
PP
1646 {
1647 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
1648 }
ec4b68e5 1649 else if (!Ustrlen(tls_out.sni))
817d9f57 1650 tls_out.sni = NULL;
3f0945ff
PP
1651 else
1652 {
35731706 1653#ifdef EXIM_HAVE_OPENSSL_TLSEXT
817d9f57
JH
1654 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tls_out.sni);
1655 SSL_set_tlsext_host_name(client_ssl, tls_out.sni);
35731706
PP
1656#else
1657 DEBUG(D_tls)
1658 debug_printf("OpenSSL at build-time lacked SNI support, ignoring \"%s\"\n",
02d9264f 1659 tls_out.sni);
35731706 1660#endif
3f0945ff
PP
1661 }
1662 }
1663
f2de3a33 1664#ifndef DISABLE_OCSP
f5d78688
JH
1665/* Request certificate status at connection-time. If the server
1666does OCSP stapling we will get the callback (set in tls_init()) */
44662487
JH
1667if (request_ocsp)
1668 {
f5d78688 1669 SSL_set_tlsext_status_type(client_ssl, TLSEXT_STATUSTYPE_ocsp);
44662487
JH
1670 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
1671 tls_out.ocsp = OCSP_NOT_RESP;
1672 }
f5d78688
JH
1673#endif
1674
059ec3d9
PH
1675/* There doesn't seem to be a built-in timeout on connection. */
1676
1677DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
1678sigalrm_seen = FALSE;
65867078 1679alarm(ob->command_timeout);
817d9f57 1680rc = SSL_connect(client_ssl);
059ec3d9
PH
1681alarm(0);
1682
1683if (rc <= 0)
7199e1ee 1684 return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL);
059ec3d9
PH
1685
1686DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
1687
453a6645 1688/* Beware anonymous ciphers which lead to server_cert being NULL */
9d1c15ef 1689/*XXX server_cert is never freed... use X509_free() */
817d9f57 1690server_cert = SSL_get_peer_certificate (client_ssl);
453a6645
PP
1691if (server_cert)
1692 {
817d9f57 1693 tls_out.peerdn = US X509_NAME_oneline(X509_get_subject_name(server_cert),
453a6645 1694 CS txt, sizeof(txt));
9d1c15ef 1695 tls_out.peerdn = txt; /*XXX a static buffer... */
453a6645
PP
1696 }
1697else
817d9f57 1698 tls_out.peerdn = NULL;
059ec3d9 1699
817d9f57
JH
1700construct_cipher_name(client_ssl, cipherbuf, sizeof(cipherbuf), &tls_out.bits);
1701tls_out.cipher = cipherbuf;
059ec3d9 1702
9d1c15ef
JH
1703/* Record the certificate we presented */
1704 {
1705 X509 * crt = SSL_get_certificate(client_ssl);
1706 tls_out.ourcert = crt ? X509_dup(crt) : NULL;
1707 }
1708
817d9f57 1709tls_out.active = fd;
059ec3d9
PH
1710return OK;
1711}
1712
1713
1714
1715
1716
1717/*************************************************
1718* TLS version of getc *
1719*************************************************/
1720
1721/* This gets the next byte from the TLS input buffer. If the buffer is empty,
1722it refills the buffer via the SSL reading function.
1723
1724Arguments: none
1725Returns: the next character or EOF
817d9f57
JH
1726
1727Only used by the server-side TLS.
059ec3d9
PH
1728*/
1729
1730int
1731tls_getc(void)
1732{
1733if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
1734 {
1735 int error;
1736 int inbytes;
1737
817d9f57 1738 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
c80c5570 1739 ssl_xfer_buffer, ssl_xfer_buffer_size);
059ec3d9
PH
1740
1741 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
817d9f57
JH
1742 inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer, ssl_xfer_buffer_size);
1743 error = SSL_get_error(server_ssl, inbytes);
059ec3d9
PH
1744 alarm(0);
1745
1746 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
1747 closed down, not that the socket itself has been closed down. Revert to
1748 non-SSL handling. */
1749
1750 if (error == SSL_ERROR_ZERO_RETURN)
1751 {
1752 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
1753
1754 receive_getc = smtp_getc;
1755 receive_ungetc = smtp_ungetc;
1756 receive_feof = smtp_feof;
1757 receive_ferror = smtp_ferror;
58eb016e 1758 receive_smtp_buffered = smtp_buffered;
059ec3d9 1759
817d9f57
JH
1760 SSL_free(server_ssl);
1761 server_ssl = NULL;
1762 tls_in.active = -1;
1763 tls_in.bits = 0;
1764 tls_in.cipher = NULL;
1765 tls_in.peerdn = NULL;
1766 tls_in.sni = NULL;
059ec3d9
PH
1767
1768 return smtp_getc();
1769 }
1770
1771 /* Handle genuine errors */
1772
ba084640
PP
1773 else if (error == SSL_ERROR_SSL)
1774 {
1775 ERR_error_string(ERR_get_error(), ssl_errstring);
89dd51cd 1776 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
ba084640
PP
1777 ssl_xfer_error = 1;
1778 return EOF;
1779 }
1780
059ec3d9
PH
1781 else if (error != SSL_ERROR_NONE)
1782 {
1783 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
1784 ssl_xfer_error = 1;
1785 return EOF;
1786 }
c80c5570 1787
80a47a2c
TK
1788#ifndef DISABLE_DKIM
1789 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
1790#endif
059ec3d9
PH
1791 ssl_xfer_buffer_hwm = inbytes;
1792 ssl_xfer_buffer_lwm = 0;
1793 }
1794
1795/* Something in the buffer; return next uschar */
1796
1797return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
1798}
1799
1800
1801
1802/*************************************************
1803* Read bytes from TLS channel *
1804*************************************************/
1805
1806/*
1807Arguments:
1808 buff buffer of data
1809 len size of buffer
1810
1811Returns: the number of bytes read
1812 -1 after a failed read
817d9f57
JH
1813
1814Only used by the client-side TLS.
059ec3d9
PH
1815*/
1816
1817int
389ca47a 1818tls_read(BOOL is_server, uschar *buff, size_t len)
059ec3d9 1819{
389ca47a 1820SSL *ssl = is_server ? server_ssl : client_ssl;
059ec3d9
PH
1821int inbytes;
1822int error;
1823
389ca47a 1824DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
c80c5570 1825 buff, (unsigned int)len);
059ec3d9 1826
389ca47a
JH
1827inbytes = SSL_read(ssl, CS buff, len);
1828error = SSL_get_error(ssl, inbytes);
059ec3d9
PH
1829
1830if (error == SSL_ERROR_ZERO_RETURN)
1831 {
1832 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
1833 return -1;
1834 }
1835else if (error != SSL_ERROR_NONE)
1836 {
1837 return -1;
1838 }
1839
1840return inbytes;
1841}
1842
1843
1844
1845
1846
1847/*************************************************
1848* Write bytes down TLS channel *
1849*************************************************/
1850
1851/*
1852Arguments:
817d9f57 1853 is_server channel specifier
059ec3d9
PH
1854 buff buffer of data
1855 len number of bytes
1856
1857Returns: the number of bytes after a successful write,
1858 -1 after a failed write
817d9f57
JH
1859
1860Used by both server-side and client-side TLS.
059ec3d9
PH
1861*/
1862
1863int
817d9f57 1864tls_write(BOOL is_server, const uschar *buff, size_t len)
059ec3d9
PH
1865{
1866int outbytes;
1867int error;
1868int left = len;
817d9f57 1869SSL *ssl = is_server ? server_ssl : client_ssl;
059ec3d9 1870
c80c5570 1871DEBUG(D_tls) debug_printf("tls_do_write(%p, %d)\n", buff, left);
059ec3d9
PH
1872while (left > 0)
1873 {
c80c5570 1874 DEBUG(D_tls) debug_printf("SSL_write(SSL, %p, %d)\n", buff, left);
059ec3d9
PH
1875 outbytes = SSL_write(ssl, CS buff, left);
1876 error = SSL_get_error(ssl, outbytes);
1877 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
1878 switch (error)
1879 {
1880 case SSL_ERROR_SSL:
1881 ERR_error_string(ERR_get_error(), ssl_errstring);
1882 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
1883 return -1;
1884
1885 case SSL_ERROR_NONE:
1886 left -= outbytes;
1887 buff += outbytes;
1888 break;
1889
1890 case SSL_ERROR_ZERO_RETURN:
1891 log_write(0, LOG_MAIN, "SSL channel closed on write");
1892 return -1;
1893
817d9f57
JH
1894 case SSL_ERROR_SYSCALL:
1895 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
1896 sender_fullhost ? sender_fullhost : US"<unknown>",
1897 strerror(errno));
1898
059ec3d9
PH
1899 default:
1900 log_write(0, LOG_MAIN, "SSL_write error %d", error);
1901 return -1;
1902 }
1903 }
1904return len;
1905}
1906
1907
1908
1909/*************************************************
1910* Close down a TLS session *
1911*************************************************/
1912
1913/* This is also called from within a delivery subprocess forked from the
1914daemon, to shut down the TLS library, without actually doing a shutdown (which
1915would tamper with the SSL session in the parent process).
1916
1917Arguments: TRUE if SSL_shutdown is to be called
1918Returns: nothing
817d9f57
JH
1919
1920Used by both server-side and client-side TLS.
059ec3d9
PH
1921*/
1922
1923void
817d9f57 1924tls_close(BOOL is_server, BOOL shutdown)
059ec3d9 1925{
817d9f57 1926SSL **sslp = is_server ? &server_ssl : &client_ssl;
389ca47a 1927int *fdp = is_server ? &tls_in.active : &tls_out.active;
817d9f57
JH
1928
1929if (*fdp < 0) return; /* TLS was not active */
059ec3d9
PH
1930
1931if (shutdown)
1932 {
1933 DEBUG(D_tls) debug_printf("tls_close(): shutting down SSL\n");
817d9f57 1934 SSL_shutdown(*sslp);
059ec3d9
PH
1935 }
1936
817d9f57
JH
1937SSL_free(*sslp);
1938*sslp = NULL;
059ec3d9 1939
817d9f57 1940*fdp = -1;
059ec3d9
PH
1941}
1942
36f12725
NM
1943
1944
1945
1946/*************************************************
3375e053
PP
1947* Let tls_require_ciphers be checked at startup *
1948*************************************************/
1949
1950/* The tls_require_ciphers option, if set, must be something which the
1951library can parse.
1952
1953Returns: NULL on success, or error message
1954*/
1955
1956uschar *
1957tls_validate_require_cipher(void)
1958{
1959SSL_CTX *ctx;
1960uschar *s, *expciphers, *err;
1961
1962/* this duplicates from tls_init(), we need a better "init just global
1963state, for no specific purpose" singleton function of our own */
1964
1965SSL_load_error_strings();
1966OpenSSL_add_ssl_algorithms();
1967#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
1968/* SHA256 is becoming ever more popular. This makes sure it gets added to the
1969list of available digests. */
1970EVP_add_digest(EVP_sha256());
1971#endif
1972
1973if (!(tls_require_ciphers && *tls_require_ciphers))
1974 return NULL;
1975
1976if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers))
1977 return US"failed to expand tls_require_ciphers";
1978
1979if (!(expciphers && *expciphers))
1980 return NULL;
1981
1982/* normalisation ripped from above */
1983s = expciphers;
1984while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1985
1986err = NULL;
1987
1988ctx = SSL_CTX_new(SSLv23_server_method());
1989if (!ctx)
1990 {
1991 ERR_error_string(ERR_get_error(), ssl_errstring);
1992 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
1993 }
1994
1995DEBUG(D_tls)
1996 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
1997
1998if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
1999 {
2000 ERR_error_string(ERR_get_error(), ssl_errstring);
2001 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed", expciphers);
2002 }
2003
2004SSL_CTX_free(ctx);
2005
2006return err;
2007}
2008
2009
2010
2011
2012/*************************************************
36f12725
NM
2013* Report the library versions. *
2014*************************************************/
2015
2016/* There have historically been some issues with binary compatibility in
2017OpenSSL libraries; if Exim (like many other applications) is built against
2018one version of OpenSSL but the run-time linker picks up another version,
2019it can result in serious failures, including crashing with a SIGSEGV. So
2020report the version found by the compiler and the run-time version.
2021
f64a1e23
PP
2022Note: some OS vendors backport security fixes without changing the version
2023number/string, and the version date remains unchanged. The _build_ date
2024will change, so we can more usefully assist with version diagnosis by also
2025reporting the build date.
2026
36f12725
NM
2027Arguments: a FILE* to print the results to
2028Returns: nothing
2029*/
2030
2031void
2032tls_version_report(FILE *f)
2033{
754a0503 2034fprintf(f, "Library version: OpenSSL: Compile: %s\n"
f64a1e23
PP
2035 " Runtime: %s\n"
2036 " : %s\n",
754a0503 2037 OPENSSL_VERSION_TEXT,
f64a1e23
PP
2038 SSLeay_version(SSLEAY_VERSION),
2039 SSLeay_version(SSLEAY_BUILT_ON));
2040/* third line is 38 characters for the %s and the line is 73 chars long;
2041the OpenSSL output includes a "built on: " prefix already. */
36f12725
NM
2042}
2043
9e3331ea
TK
2044
2045
2046
2047/*************************************************
17c76198 2048* Random number generation *
9e3331ea
TK
2049*************************************************/
2050
2051/* Pseudo-random number generation. The result is not expected to be
2052cryptographically strong but not so weak that someone will shoot themselves
2053in the foot using it as a nonce in input in some email header scheme or
2054whatever weirdness they'll twist this into. The result should handle fork()
2055and avoid repeating sequences. OpenSSL handles that for us.
2056
2057Arguments:
2058 max range maximum
2059Returns a random number in range [0, max-1]
2060*/
2061
2062int
17c76198 2063vaguely_random_number(int max)
9e3331ea
TK
2064{
2065unsigned int r;
2066int i, needed_len;
de6135a0
PP
2067static pid_t pidlast = 0;
2068pid_t pidnow;
9e3331ea
TK
2069uschar *p;
2070uschar smallbuf[sizeof(r)];
2071
2072if (max <= 1)
2073 return 0;
2074
de6135a0
PP
2075pidnow = getpid();
2076if (pidnow != pidlast)
2077 {
2078 /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
2079 is unique for each thread", this doesn't apparently apply across processes,
2080 so our own warning from vaguely_random_number_fallback() applies here too.
2081 Fix per PostgreSQL. */
2082 if (pidlast != 0)
2083 RAND_cleanup();
2084 pidlast = pidnow;
2085 }
2086
9e3331ea
TK
2087/* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
2088if (!RAND_status())
2089 {
2090 randstuff r;
2091 gettimeofday(&r.tv, NULL);
2092 r.p = getpid();
2093
2094 RAND_seed((uschar *)(&r), sizeof(r));
2095 }
2096/* We're after pseudo-random, not random; if we still don't have enough data
2097in the internal PRNG then our options are limited. We could sleep and hope
2098for entropy to come along (prayer technique) but if the system is so depleted
2099in the first place then something is likely to just keep taking it. Instead,
2100we'll just take whatever little bit of pseudo-random we can still manage to
2101get. */
2102
2103needed_len = sizeof(r);
2104/* Don't take 8 times more entropy than needed if int is 8 octets and we were
2105asked for a number less than 10. */
2106for (r = max, i = 0; r; ++i)
2107 r >>= 1;
2108i = (i + 7) / 8;
2109if (i < needed_len)
2110 needed_len = i;
2111
2112/* We do not care if crypto-strong */
17c76198
PP
2113i = RAND_pseudo_bytes(smallbuf, needed_len);
2114if (i < 0)
2115 {
2116 DEBUG(D_all)
2117 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
2118 return vaguely_random_number_fallback(max);
2119 }
2120
9e3331ea
TK
2121r = 0;
2122for (p = smallbuf; needed_len; --needed_len, ++p)
2123 {
2124 r *= 256;
2125 r += *p;
2126 }
2127
2128/* We don't particularly care about weighted results; if someone wants
2129smooth distribution and cares enough then they should submit a patch then. */
2130return r % max;
2131}
2132
77bb000f
PP
2133
2134
2135
2136/*************************************************
2137* OpenSSL option parse *
2138*************************************************/
2139
2140/* Parse one option for tls_openssl_options_parse below
2141
2142Arguments:
2143 name one option name
2144 value place to store a value for it
2145Returns success or failure in parsing
2146*/
2147
2148struct exim_openssl_option {
2149 uschar *name;
2150 long value;
2151};
2152/* We could use a macro to expand, but we need the ifdef and not all the
2153options document which version they were introduced in. Policylet: include
2154all options unless explicitly for DTLS, let the administrator choose which
2155to apply.
2156
2157This list is current as of:
e2fbf4a2
PP
2158 ==> 1.0.1b <==
2159Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
2160*/
77bb000f
PP
2161static struct exim_openssl_option exim_openssl_options[] = {
2162/* KEEP SORTED ALPHABETICALLY! */
2163#ifdef SSL_OP_ALL
73a46702 2164 { US"all", SSL_OP_ALL },
77bb000f
PP
2165#endif
2166#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
73a46702 2167 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
77bb000f
PP
2168#endif
2169#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
73a46702 2170 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
77bb000f
PP
2171#endif
2172#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
73a46702 2173 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
77bb000f
PP
2174#endif
2175#ifdef SSL_OP_EPHEMERAL_RSA
73a46702 2176 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
77bb000f
PP
2177#endif
2178#ifdef SSL_OP_LEGACY_SERVER_CONNECT
73a46702 2179 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
77bb000f
PP
2180#endif
2181#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
73a46702 2182 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
77bb000f
PP
2183#endif
2184#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
73a46702 2185 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
77bb000f
PP
2186#endif
2187#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
73a46702 2188 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
77bb000f
PP
2189#endif
2190#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
73a46702 2191 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
77bb000f
PP
2192#endif
2193#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
73a46702 2194 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
77bb000f 2195#endif
c80c5570
PP
2196#ifdef SSL_OP_NO_COMPRESSION
2197 { US"no_compression", SSL_OP_NO_COMPRESSION },
2198#endif
77bb000f 2199#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
73a46702 2200 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
77bb000f 2201#endif
c0c7b2da
PP
2202#ifdef SSL_OP_NO_SSLv2
2203 { US"no_sslv2", SSL_OP_NO_SSLv2 },
2204#endif
2205#ifdef SSL_OP_NO_SSLv3
2206 { US"no_sslv3", SSL_OP_NO_SSLv3 },
2207#endif
2208#ifdef SSL_OP_NO_TICKET
2209 { US"no_ticket", SSL_OP_NO_TICKET },
2210#endif
2211#ifdef SSL_OP_NO_TLSv1
2212 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
2213#endif
c80c5570
PP
2214#ifdef SSL_OP_NO_TLSv1_1
2215#if SSL_OP_NO_TLSv1_1 == 0x00000400L
2216 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
2217#warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
2218#else
2219 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
2220#endif
2221#endif
2222#ifdef SSL_OP_NO_TLSv1_2
2223 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
2224#endif
e2fbf4a2
PP
2225#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
2226 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
2227#endif
77bb000f 2228#ifdef SSL_OP_SINGLE_DH_USE
73a46702 2229 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
77bb000f
PP
2230#endif
2231#ifdef SSL_OP_SINGLE_ECDH_USE
73a46702 2232 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
77bb000f
PP
2233#endif
2234#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
73a46702 2235 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
77bb000f
PP
2236#endif
2237#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
73a46702 2238 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
77bb000f
PP
2239#endif
2240#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
73a46702 2241 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
77bb000f
PP
2242#endif
2243#ifdef SSL_OP_TLS_D5_BUG
73a46702 2244 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
77bb000f
PP
2245#endif
2246#ifdef SSL_OP_TLS_ROLLBACK_BUG
73a46702 2247 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
77bb000f
PP
2248#endif
2249};
2250static int exim_openssl_options_size =
2251 sizeof(exim_openssl_options)/sizeof(struct exim_openssl_option);
2252
c80c5570 2253
77bb000f
PP
2254static BOOL
2255tls_openssl_one_option_parse(uschar *name, long *value)
2256{
2257int first = 0;
2258int last = exim_openssl_options_size;
2259while (last > first)
2260 {
2261 int middle = (first + last)/2;
2262 int c = Ustrcmp(name, exim_openssl_options[middle].name);
2263 if (c == 0)
2264 {
2265 *value = exim_openssl_options[middle].value;
2266 return TRUE;
2267 }
2268 else if (c > 0)
2269 first = middle + 1;
2270 else
2271 last = middle;
2272 }
2273return FALSE;
2274}
2275
2276
2277
2278
2279/*************************************************
2280* OpenSSL option parsing logic *
2281*************************************************/
2282
2283/* OpenSSL has a number of compatibility options which an administrator might
2284reasonably wish to set. Interpret a list similarly to decode_bits(), so that
2285we look like log_selector.
2286
2287Arguments:
2288 option_spec the administrator-supplied string of options
2289 results ptr to long storage for the options bitmap
2290Returns success or failure
2291*/
2292
2293BOOL
2294tls_openssl_options_parse(uschar *option_spec, long *results)
2295{
2296long result, item;
2297uschar *s, *end;
2298uschar keep_c;
2299BOOL adding, item_parsed;
2300
0e944a0d 2301result = 0L;
b1770b6e 2302/* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
da3ad30d 2303 * from default because it increases BEAST susceptibility. */
f0f5a555
PP
2304#ifdef SSL_OP_NO_SSLv2
2305result |= SSL_OP_NO_SSLv2;
2306#endif
77bb000f
PP
2307
2308if (option_spec == NULL)
2309 {
2310 *results = result;
2311 return TRUE;
2312 }
2313
2314for (s=option_spec; *s != '\0'; /**/)
2315 {
2316 while (isspace(*s)) ++s;
2317 if (*s == '\0')
2318 break;
2319 if (*s != '+' && *s != '-')
2320 {
2321 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
0e944a0d 2322 "+ or - expected but found \"%s\"\n", s);
77bb000f
PP
2323 return FALSE;
2324 }
2325 adding = *s++ == '+';
2326 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
2327 keep_c = *end;
2328 *end = '\0';
2329 item_parsed = tls_openssl_one_option_parse(s, &item);
2330 if (!item_parsed)
2331 {
0e944a0d 2332 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
77bb000f
PP
2333 return FALSE;
2334 }
2335 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
2336 adding ? "adding" : "removing", result, item, s);
2337 if (adding)
2338 result |= item;
2339 else
2340 result &= ~item;
2341 *end = keep_c;
2342 s = end;
2343 }
2344
2345*results = result;
2346return TRUE;
2347}
2348
9d1c15ef
JH
2349/* vi: aw ai sw=2
2350*/
059ec3d9 2351/* End of tls-openssl.c */