Fix bug verifying certs on dual-tls.
[exim.git] / src / src / tls-openssl.c
CommitLineData
059ec3d9
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
c4ceed07 5/* Copyright (c) University of Cambridge 1995 - 2012 */
059ec3d9
PH
6/* See the file NOTICE for conditions of use and distribution. */
7
8/* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
9library. It is #included into the tls.c file when that library is used. The
10code herein is based on a patch that was originally contributed by Steve
11Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
12
13No cryptographic code is included in Exim. All this module does is to call
14functions from the OpenSSL library. */
15
16
17/* Heading stuff */
18
19#include <openssl/lhash.h>
20#include <openssl/ssl.h>
21#include <openssl/err.h>
22#include <openssl/rand.h>
3f7eeb86
PP
23#ifdef EXPERIMENTAL_OCSP
24#include <openssl/ocsp.h>
25#endif
26
27#ifdef EXPERIMENTAL_OCSP
28#define EXIM_OCSP_SKEW_SECONDS (300L)
29#define EXIM_OCSP_MAX_AGE (-1L)
30#endif
059ec3d9 31
3bcbbbe2
PP
32#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
33#define EXIM_HAVE_OPENSSL_TLSEXT
34#endif
35
059ec3d9
PH
36/* Structure for collecting random data for seeding. */
37
38typedef struct randstuff {
9e3331ea
TK
39 struct timeval tv;
40 pid_t p;
059ec3d9
PH
41} randstuff;
42
43/* Local static variables */
44
a2ff477a
JH
45static BOOL client_verify_callback_called = FALSE;
46static BOOL server_verify_callback_called = FALSE;
059ec3d9
PH
47static const uschar *sid_ctx = US"exim";
48
817d9f57
JH
49static SSL_CTX *client_ctx = NULL;
50static SSL_CTX *server_ctx = NULL;
51static SSL *client_ssl = NULL;
52static SSL *server_ssl = NULL;
35731706 53#ifdef EXIM_HAVE_OPENSSL_TLSEXT
817d9f57
JH
54static SSL_CTX *client_sni = NULL;
55static SSL_CTX *server_sni = NULL;
35731706 56#endif
059ec3d9
PH
57
58static char ssl_errstring[256];
59
60static int ssl_session_timeout = 200;
a2ff477a
JH
61static BOOL client_verify_optional = FALSE;
62static BOOL server_verify_optional = FALSE;
059ec3d9 63
7be682ca 64static BOOL reexpand_tls_files_for_sni = FALSE;
059ec3d9
PH
65
66
7be682ca
PP
67typedef struct tls_ext_ctx_cb {
68 uschar *certificate;
69 uschar *privatekey;
3f7eeb86
PP
70#ifdef EXPERIMENTAL_OCSP
71 uschar *ocsp_file;
72 uschar *ocsp_file_expanded;
73 OCSP_RESPONSE *ocsp_response;
74#endif
7be682ca
PP
75 uschar *dhparam;
76 /* these are cached from first expand */
77 uschar *server_cipher_list;
78 /* only passed down to tls_error: */
79 host_item *host;
80} tls_ext_ctx_cb;
81
82/* should figure out a cleanup of API to handle state preserved per
83implementation, for various reasons, which can be void * in the APIs.
84For now, we hack around it. */
817d9f57
JH
85tls_ext_ctx_cb *client_static_cbinfo = NULL;
86tls_ext_ctx_cb *server_static_cbinfo = NULL;
7be682ca
PP
87
88static int
a2ff477a 89setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional, BOOL client);
059ec3d9 90
3f7eeb86 91/* Callbacks */
3bcbbbe2 92#ifdef EXIM_HAVE_OPENSSL_TLSEXT
3f7eeb86 93static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
3bcbbbe2 94#endif
3f7eeb86
PP
95#ifdef EXPERIMENTAL_OCSP
96static int tls_stapling_cb(SSL *s, void *arg);
97#endif
98
059ec3d9
PH
99
100/*************************************************
101* Handle TLS error *
102*************************************************/
103
104/* Called from lots of places when errors occur before actually starting to do
105the TLS handshake, that is, while the session is still in clear. Always returns
106DEFER for a server and FAIL for a client so that most calls can use "return
107tls_error(...)" to do this processing and then give an appropriate return. A
108single function is used for both server and client, because it is called from
109some shared functions.
110
111Argument:
112 prefix text to include in the logged error
113 host NULL if setting up a server;
114 the connected host if setting up a client
7199e1ee 115 msg error message or NULL if we should ask OpenSSL
059ec3d9
PH
116
117Returns: OK/DEFER/FAIL
118*/
119
120static int
7199e1ee 121tls_error(uschar *prefix, host_item *host, uschar *msg)
059ec3d9 122{
7199e1ee
TF
123if (msg == NULL)
124 {
125 ERR_error_string(ERR_get_error(), ssl_errstring);
5ca6d115 126 msg = (uschar *)ssl_errstring;
7199e1ee
TF
127 }
128
059ec3d9
PH
129if (host == NULL)
130 {
7199e1ee 131 uschar *conn_info = smtp_get_connection_info();
5ca6d115 132 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0)
7199e1ee
TF
133 conn_info += 5;
134 log_write(0, LOG_MAIN, "TLS error on %s (%s): %s",
135 conn_info, prefix, msg);
059ec3d9
PH
136 return DEFER;
137 }
138else
139 {
140 log_write(0, LOG_MAIN, "TLS error on connection to %s [%s] (%s): %s",
7199e1ee 141 host->name, host->address, prefix, msg);
059ec3d9
PH
142 return FAIL;
143 }
144}
145
146
147
148/*************************************************
149* Callback to generate RSA key *
150*************************************************/
151
152/*
153Arguments:
154 s SSL connection
155 export not used
156 keylength keylength
157
158Returns: pointer to generated key
159*/
160
161static RSA *
162rsa_callback(SSL *s, int export, int keylength)
163{
164RSA *rsa_key;
165export = export; /* Shut picky compilers up */
166DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
167rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL);
168if (rsa_key == NULL)
169 {
170 ERR_error_string(ERR_get_error(), ssl_errstring);
171 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
172 ssl_errstring);
173 return NULL;
174 }
175return rsa_key;
176}
177
178
179
180
181/*************************************************
182* Callback for verification *
183*************************************************/
184
185/* The SSL library does certificate verification if set up to do so. This
186callback has the current yes/no state is in "state". If verification succeeded,
187we set up the tls_peerdn string. If verification failed, what happens depends
188on whether the client is required to present a verifiable certificate or not.
189
190If verification is optional, we change the state to yes, but still log the
191verification error. For some reason (it really would help to have proper
192documentation of OpenSSL), this callback function then gets called again, this
193time with state = 1. In fact, that's useful, because we can set up the peerdn
194value, but we must take care not to set the private verified flag on the second
195time through.
196
197Note: this function is not called if the client fails to present a certificate
198when asked. We get here only if a certificate has been received. Handling of
199optional verification for this case is done when requesting SSL to verify, by
200setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
201
202Arguments:
203 state current yes/no state as 1/0
204 x509ctx certificate information.
a2ff477a 205 client TRUE for client startup, FALSE for server startup
059ec3d9
PH
206
207Returns: 1 if verified, 0 if not
208*/
209
210static int
a2ff477a 211verify_callback(int state, X509_STORE_CTX *x509ctx, BOOL client)
059ec3d9
PH
212{
213static uschar txt[256];
a2ff477a
JH
214tls_support * tlsp;
215BOOL * calledp;
216BOOL * optionalp;
217
218if (client)
219 {
220 tlsp= &tls_out;
221 calledp= &client_verify_callback_called;
222 optionalp= &client_verify_optional;
223 }
224else
225 {
226 tlsp= &tls_in;
227 calledp= &server_verify_callback_called;
228 optionalp= &server_verify_optional;
229 }
059ec3d9
PH
230
231X509_NAME_oneline(X509_get_subject_name(x509ctx->current_cert),
232 CS txt, sizeof(txt));
233
234if (state == 0)
235 {
236 log_write(0, LOG_MAIN, "SSL verify error: depth=%d error=%s cert=%s",
237 x509ctx->error_depth,
238 X509_verify_cert_error_string(x509ctx->error),
239 txt);
a2ff477a
JH
240 tlsp->certificate_verified = FALSE;
241 *calledp = TRUE;
242 if (!*optionalp) return 0; /* reject */
059ec3d9
PH
243 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
244 "tls_try_verify_hosts)\n");
245 return 1; /* accept */
246 }
247
248if (x509ctx->error_depth != 0)
249 {
250 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d cert=%s\n",
251 x509ctx->error_depth, txt);
252 }
253else
254 {
255 DEBUG(D_tls) debug_printf("SSL%s peer: %s\n",
a2ff477a
JH
256 *calledp ? "" : " authenticated", txt);
257 tlsp->peerdn = txt;
059ec3d9
PH
258 }
259
a2ff477a
JH
260if (!*calledp) tlsp->certificate_verified = TRUE;
261*calledp = TRUE;
059ec3d9
PH
262
263return 1; /* accept */
264}
265
a2ff477a
JH
266static int
267verify_callback_client(int state, X509_STORE_CTX *x509ctx)
268{
269return verify_callback(state, x509ctx, TRUE);
270}
271
272static int
273verify_callback_server(int state, X509_STORE_CTX *x509ctx)
274{
275return verify_callback(state, x509ctx, FALSE);
276}
277
059ec3d9
PH
278
279
280/*************************************************
281* Information callback *
282*************************************************/
283
284/* The SSL library functions call this from time to time to indicate what they
7be682ca
PP
285are doing. We copy the string to the debugging output when TLS debugging has
286been requested.
059ec3d9
PH
287
288Arguments:
289 s the SSL connection
290 where
291 ret
292
293Returns: nothing
294*/
295
296static void
297info_callback(SSL *s, int where, int ret)
298{
299where = where;
300ret = ret;
301DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
302}
303
304
305
306/*************************************************
307* Initialize for DH *
308*************************************************/
309
310/* If dhparam is set, expand it, and load up the parameters for DH encryption.
311
312Arguments:
a799883d 313 dhparam DH parameter file or fixed parameter identity string
7199e1ee 314 host connected host, if client; NULL if server
059ec3d9
PH
315
316Returns: TRUE if OK (nothing to set up, or setup worked)
317*/
318
319static BOOL
817d9f57 320<<<<<<< HEAD
a799883d 321init_dh(SSL_CTX *sctx, uschar *dhparam, host_item *host)
817d9f57
JH
322=======
323init_dh(SSL_CTX *ctx, uschar *dhparam, host_item *host)
324>>>>>>> Dual-tls - split management of TLS into in- and out-bound connection-handling.
059ec3d9 325{
059ec3d9
PH
326BIO *bio;
327DH *dh;
328uschar *dhexpanded;
a799883d 329const char *pem;
059ec3d9
PH
330
331if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded))
332 return FALSE;
333
a799883d 334if (dhexpanded == NULL || *dhexpanded == '\0')
059ec3d9 335 {
a799883d 336 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
059ec3d9 337 }
a799883d 338else if (dhexpanded[0] == '/')
059ec3d9 339 {
a799883d
PP
340 bio = BIO_new_file(CS dhexpanded, "r");
341 if (bio == NULL)
059ec3d9 342 {
7199e1ee 343 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
a799883d
PP
344 host, US strerror(errno));
345 return FALSE;
059ec3d9 346 }
a799883d
PP
347 }
348else
349 {
350 if (Ustrcmp(dhexpanded, "none") == 0)
059ec3d9 351 {
a799883d
PP
352 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
353 return TRUE;
059ec3d9 354 }
a799883d
PP
355
356 pem = std_dh_prime_named(dhexpanded);
357 if (!pem)
358 {
359 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
360 host, US strerror(errno));
361 return FALSE;
362 }
363 bio = BIO_new_mem_buf(CS pem, -1);
364 }
365
366dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
367if (dh == NULL)
368 {
059ec3d9 369 BIO_free(bio);
a799883d
PP
370 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
371 host, NULL);
372 return FALSE;
373 }
374
375/* Even if it is larger, we silently return success rather than cause things
376 * to fail out, so that a too-large DH will not knock out all TLS; it's a
377 * debatable choice. */
378if ((8*DH_size(dh)) > tls_dh_max_bits)
379 {
380 DEBUG(D_tls)
381 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d",
382 8*DH_size(dh), tls_dh_max_bits);
383 }
384else
385 {
386 SSL_CTX_set_tmp_dh(sctx, dh);
387 DEBUG(D_tls)
388 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
389 dhexpanded ? dhexpanded : US"default", 8*DH_size(dh));
059ec3d9
PH
390 }
391
a799883d
PP
392DH_free(dh);
393BIO_free(bio);
394
395return TRUE;
059ec3d9
PH
396}
397
398
399
400
3f7eeb86
PP
401#ifdef EXPERIMENTAL_OCSP
402/*************************************************
403* Load OCSP information into state *
404*************************************************/
405
406/* Called to load the OCSP response from the given file into memory, once
407caller has determined this is needed. Checks validity. Debugs a message
408if invalid.
409
410ASSUMES: single response, for single cert.
411
412Arguments:
413 sctx the SSL_CTX* to update
414 cbinfo various parts of session state
415 expanded the filename putatively holding an OCSP response
416
417*/
418
419static void
420ocsp_load_response(SSL_CTX *sctx,
421 tls_ext_ctx_cb *cbinfo,
422 const uschar *expanded)
423{
424BIO *bio;
425OCSP_RESPONSE *resp;
426OCSP_BASICRESP *basic_response;
427OCSP_SINGLERESP *single_response;
428ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
429X509_STORE *store;
430unsigned long verify_flags;
431int status, reason, i;
432
433cbinfo->ocsp_file_expanded = string_copy(expanded);
434if (cbinfo->ocsp_response)
435 {
436 OCSP_RESPONSE_free(cbinfo->ocsp_response);
437 cbinfo->ocsp_response = NULL;
438 }
439
440bio = BIO_new_file(CS cbinfo->ocsp_file_expanded, "rb");
441if (!bio)
442 {
443 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
444 cbinfo->ocsp_file_expanded);
445 return;
446 }
447
448resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
449BIO_free(bio);
450if (!resp)
451 {
452 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
453 return;
454 }
455
456status = OCSP_response_status(resp);
457if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL)
458 {
459 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
460 OCSP_response_status_str(status), status);
461 return;
462 }
463
464basic_response = OCSP_response_get1_basic(resp);
465if (!basic_response)
466 {
467 DEBUG(D_tls)
468 debug_printf("OCSP response parse error: unable to extract basic response.\n");
469 return;
470 }
471
472store = SSL_CTX_get_cert_store(sctx);
473verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
474
475/* May need to expose ability to adjust those flags?
476OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
477OCSP_TRUSTOTHER OCSP_NOINTERN */
478
479i = OCSP_basic_verify(basic_response, NULL, store, verify_flags);
480if (i <= 0)
481 {
482 DEBUG(D_tls) {
483 ERR_error_string(ERR_get_error(), ssl_errstring);
484 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
485 }
486 return;
487 }
488
489/* Here's the simplifying assumption: there's only one response, for the
490one certificate we use, and nothing for anything else in a chain. If this
491proves false, we need to extract a cert id from our issued cert
492(tls_certificate) and use that for OCSP_resp_find_status() (which finds the
493right cert in the stack and then calls OCSP_single_get0_status()).
494
495I'm hoping to avoid reworking a bunch more of how we handle state here. */
496single_response = OCSP_resp_get0(basic_response, 0);
497if (!single_response)
498 {
499 DEBUG(D_tls)
500 debug_printf("Unable to get first response from OCSP basic response.\n");
501 return;
502 }
503
504status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
505/* how does this status differ from the one above? */
506if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL)
507 {
508 DEBUG(D_tls) debug_printf("OCSP response not valid (take 2): %s (%d)\n",
509 OCSP_response_status_str(status), status);
510 return;
511 }
512
513if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
514 {
515 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
516 return;
517 }
518
519cbinfo->ocsp_response = resp;
520}
521#endif
522
523
524
525
059ec3d9 526/*************************************************
7be682ca
PP
527* Expand key and cert file specs *
528*************************************************/
529
530/* Called once during tls_init and possibly againt during TLS setup, for a
531new context, if Server Name Indication was used and tls_sni was seen in
532the certificate string.
533
534Arguments:
535 sctx the SSL_CTX* to update
536 cbinfo various parts of session state
537
538Returns: OK/DEFER/FAIL
539*/
540
541static int
3f7eeb86 542tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo)
7be682ca
PP
543{
544uschar *expanded;
545
546if (cbinfo->certificate == NULL)
547 return OK;
548
549if (Ustrstr(cbinfo->certificate, US"tls_sni"))
550 reexpand_tls_files_for_sni = TRUE;
551
552if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded))
553 return DEFER;
554
555if (expanded != NULL)
556 {
557 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded);
558 if (!SSL_CTX_use_certificate_chain_file(sctx, CS expanded))
559 return tls_error(string_sprintf(
560 "SSL_CTX_use_certificate_chain_file file=%s", expanded),
561 cbinfo->host, NULL);
562 }
563
564if (cbinfo->privatekey != NULL &&
565 !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded))
566 return DEFER;
567
568/* If expansion was forced to fail, key_expanded will be NULL. If the result
569of the expansion is an empty string, ignore it also, and assume the private
570key is in the same file as the certificate. */
571
572if (expanded != NULL && *expanded != 0)
573 {
574 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
575 if (!SSL_CTX_use_PrivateKey_file(sctx, CS expanded, SSL_FILETYPE_PEM))
576 return tls_error(string_sprintf(
577 "SSL_CTX_use_PrivateKey_file file=%s", expanded), cbinfo->host, NULL);
578 }
579
3f7eeb86
PP
580#ifdef EXPERIMENTAL_OCSP
581if (cbinfo->ocsp_file != NULL)
582 {
583 if (!expand_check(cbinfo->ocsp_file, US"tls_ocsp_file", &expanded))
584 return DEFER;
585
586 if (expanded != NULL && *expanded != 0)
587 {
588 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
589 if (cbinfo->ocsp_file_expanded &&
590 (Ustrcmp(expanded, cbinfo->ocsp_file_expanded) == 0))
591 {
592 DEBUG(D_tls)
593 debug_printf("tls_ocsp_file value unchanged, using existing values.\n");
594 } else {
595 ocsp_load_response(sctx, cbinfo, expanded);
596 }
597 }
598 }
599#endif
600
7be682ca
PP
601return OK;
602}
603
604
605
606
607/*************************************************
608* Callback to handle SNI *
609*************************************************/
610
611/* Called when acting as server during the TLS session setup if a Server Name
612Indication extension was sent by the client.
613
614API documentation is OpenSSL s_server.c implementation.
615
616Arguments:
617 s SSL* of the current session
618 ad unknown (part of OpenSSL API) (unused)
619 arg Callback of "our" registered data
620
621Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
622*/
623
3bcbbbe2 624#ifdef EXIM_HAVE_OPENSSL_TLSEXT
7be682ca 625static int
7be682ca
PP
626tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
627{
628const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
3f7eeb86 629tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
7be682ca 630int rc;
3f0945ff 631int old_pool = store_pool;
7be682ca
PP
632
633if (!servername)
634 return SSL_TLSEXT_ERR_OK;
635
3f0945ff 636DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
7be682ca
PP
637 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
638
639/* Make the extension value available for expansion */
3f0945ff 640store_pool = POOL_PERM;
817d9f57 641tls_in.sni = string_copy(US servername);
3f0945ff 642store_pool = old_pool;
7be682ca
PP
643
644if (!reexpand_tls_files_for_sni)
645 return SSL_TLSEXT_ERR_OK;
646
647/* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
648not confident that memcpy wouldn't break some internal reference counting.
649Especially since there's a references struct member, which would be off. */
650
817d9f57
JH
651server_sni = SSL_CTX_new(SSLv23_server_method());
652if (!server_sni)
7be682ca
PP
653 {
654 ERR_error_string(ERR_get_error(), ssl_errstring);
655 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
656 return SSL_TLSEXT_ERR_NOACK;
657 }
658
659/* Not sure how many of these are actually needed, since SSL object
660already exists. Might even need this selfsame callback, for reneg? */
661
817d9f57
JH
662SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
663SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
664SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
665SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
666SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
667SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
7be682ca 668if (cbinfo->server_cipher_list)
817d9f57 669 SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list);
3f7eeb86
PP
670#ifdef EXPERIMENTAL_OCSP
671if (cbinfo->ocsp_file)
672 {
817d9f57 673 SSL_CTX_set_tlsext_status_cb(server_sni, tls_stapling_cb);
3f7eeb86
PP
674 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
675 }
676#endif
7be682ca 677
a2ff477a 678rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE, FALSE);
7be682ca
PP
679if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
680
3f7eeb86
PP
681/* do this after setup_certs, because this can require the certs for verifying
682OCSP information. */
817d9f57 683rc = tls_expand_session_files(server_sni, cbinfo);
7be682ca
PP
684if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
685
a799883d
PP
686rc = init_dh(ctx_sni, cbinfo->dhparam, NULL);
687if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
688
7be682ca 689DEBUG(D_tls) debug_printf("Switching SSL context.\n");
817d9f57 690SSL_set_SSL_CTX(s, server_sni);
7be682ca
PP
691
692return SSL_TLSEXT_ERR_OK;
693}
3bcbbbe2 694#endif /* EXIM_HAVE_OPENSSL_TLSEXT */
7be682ca
PP
695
696
697
698
3f7eeb86
PP
699#ifdef EXPERIMENTAL_OCSP
700/*************************************************
701* Callback to handle OCSP Stapling *
702*************************************************/
703
704/* Called when acting as server during the TLS session setup if the client
705requests OCSP information with a Certificate Status Request.
706
707Documentation via openssl s_server.c and the Apache patch from the OpenSSL
708project.
709
710*/
711
712static int
713tls_stapling_cb(SSL *s, void *arg)
714{
715const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
716uschar *response_der;
717int response_der_len;
718
719DEBUG(D_tls) debug_printf("Received TLS status request (OCSP stapling); %s response.\n",
720 cbinfo->ocsp_response ? "have" : "lack");
721if (!cbinfo->ocsp_response)
722 return SSL_TLSEXT_ERR_NOACK;
723
724response_der = NULL;
725response_der_len = i2d_OCSP_RESPONSE(cbinfo->ocsp_response, &response_der);
726if (response_der_len <= 0)
727 return SSL_TLSEXT_ERR_NOACK;
728
729SSL_set_tlsext_status_ocsp_resp(ssl, response_der, response_der_len);
730return SSL_TLSEXT_ERR_OK;
731}
732
733#endif /* EXPERIMENTAL_OCSP */
734
735
736
737
7be682ca 738/*************************************************
059ec3d9
PH
739* Initialize for TLS *
740*************************************************/
741
742/* Called from both server and client code, to do preliminary initialization of
743the library.
744
745Arguments:
746 host connected host, if client; NULL if server
747 dhparam DH parameter file
748 certificate certificate file
749 privatekey private key
750 addr address if client; NULL if server (for some randomness)
751
752Returns: OK/DEFER/FAIL
753*/
754
755static int
817d9f57 756tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
3f7eeb86
PP
757 uschar *privatekey,
758#ifdef EXPERIMENTAL_OCSP
759 uschar *ocsp_file,
760#endif
817d9f57 761 address_item *addr, tls_ext_ctx_cb ** cbp)
059ec3d9 762{
77bb000f 763long init_options;
7be682ca 764int rc;
77bb000f 765BOOL okay;
7be682ca
PP
766tls_ext_ctx_cb *cbinfo;
767
768cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
769cbinfo->certificate = certificate;
770cbinfo->privatekey = privatekey;
3f7eeb86
PP
771#ifdef EXPERIMENTAL_OCSP
772cbinfo->ocsp_file = ocsp_file;
773#endif
7be682ca
PP
774cbinfo->dhparam = dhparam;
775cbinfo->host = host;
77bb000f 776
059ec3d9
PH
777SSL_load_error_strings(); /* basic set up */
778OpenSSL_add_ssl_algorithms();
779
388d6564 780#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
77bb000f 781/* SHA256 is becoming ever more popular. This makes sure it gets added to the
a0475b69
TK
782list of available digests. */
783EVP_add_digest(EVP_sha256());
cf1ef1a9 784#endif
a0475b69 785
f0f5a555
PP
786/* Create a context.
787The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
788negotiation in the different methods; as far as I can tell, the only
789*_{server,client}_method which allows negotiation is SSLv23, which exists even
790when OpenSSL is built without SSLv2 support.
791By disabling with openssl_options, we can let admins re-enable with the
792existing knob. */
059ec3d9 793
817d9f57 794*ctxp = SSL_CTX_new((host == NULL)?
059ec3d9
PH
795 SSLv23_server_method() : SSLv23_client_method());
796
817d9f57 797if (*ctxp == NULL) return tls_error(US"SSL_CTX_new", host, NULL);
059ec3d9
PH
798
799/* It turns out that we need to seed the random number generator this early in
800order to get the full complement of ciphers to work. It took me roughly a day
801of work to discover this by experiment.
802
803On systems that have /dev/urandom, SSL may automatically seed itself from
804there. Otherwise, we have to make something up as best we can. Double check
805afterwards. */
806
807if (!RAND_status())
808 {
809 randstuff r;
9e3331ea 810 gettimeofday(&r.tv, NULL);
059ec3d9
PH
811 r.p = getpid();
812
813 RAND_seed((uschar *)(&r), sizeof(r));
814 RAND_seed((uschar *)big_buffer, big_buffer_size);
815 if (addr != NULL) RAND_seed((uschar *)addr, sizeof(addr));
816
817 if (!RAND_status())
7199e1ee 818 return tls_error(US"RAND_status", host,
5ca6d115 819 US"unable to seed random number generator");
059ec3d9
PH
820 }
821
822/* Set up the information callback, which outputs if debugging is at a suitable
823level. */
824
817d9f57 825SSL_CTX_set_info_callback(*ctxp, (void (*)())info_callback);
059ec3d9 826
c80c5570 827/* Automatically re-try reads/writes after renegotiation. */
817d9f57 828(void) SSL_CTX_set_mode(*ctxp, SSL_MODE_AUTO_RETRY);
c80c5570 829
77bb000f
PP
830/* Apply administrator-supplied work-arounds.
831Historically we applied just one requested option,
832SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
833moved to an administrator-controlled list of options to specify and
834grandfathered in the first one as the default value for "openssl_options".
059ec3d9 835
77bb000f
PP
836No OpenSSL version number checks: the options we accept depend upon the
837availability of the option value macros from OpenSSL. */
059ec3d9 838
77bb000f
PP
839okay = tls_openssl_options_parse(openssl_options, &init_options);
840if (!okay)
73a46702 841 return tls_error(US"openssl_options parsing failed", host, NULL);
77bb000f
PP
842
843if (init_options)
844 {
845 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
817d9f57 846 if (!(SSL_CTX_set_options(*ctxp, init_options)))
77bb000f
PP
847 return tls_error(string_sprintf(
848 "SSL_CTX_set_option(%#lx)", init_options), host, NULL);
849 }
850else
851 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
059ec3d9
PH
852
853/* Initialize with DH parameters if supplied */
854
817d9f57 855<<<<<<< HEAD
a799883d 856if (!init_dh(ctx, dhparam, host)) return DEFER;
817d9f57
JH
857=======
858if (!init_dh(*ctxp, dhparam, host)) return DEFER;
859>>>>>>> Dual-tls - split management of TLS into in- and out-bound connection-handling.
059ec3d9 860
3f7eeb86 861/* Set up certificate and key (and perhaps OCSP info) */
059ec3d9 862
817d9f57 863rc = tls_expand_session_files(*ctxp, cbinfo);
7be682ca 864if (rc != OK) return rc;
c91535f3 865
7be682ca 866/* If we need to handle SNI, do so */
3bcbbbe2 867#ifdef EXIM_HAVE_OPENSSL_TLSEXT
3f0945ff
PP
868if (host == NULL)
869 {
3f7eeb86
PP
870#ifdef EXPERIMENTAL_OCSP
871 /* We check ocsp_file, not ocsp_response, because we care about if
872 the option exists, not what the current expansion might be, as SNI might
873 change the certificate and OCSP file in use between now and the time the
874 callback is invoked. */
875 if (cbinfo->ocsp_file)
876 {
877 SSL_CTX_set_tlsext_status_cb(ctx, tls_stapling_cb);
878 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
879 }
880#endif
3f0945ff
PP
881 /* We always do this, so that $tls_sni is available even if not used in
882 tls_certificate */
817d9f57
JH
883 SSL_CTX_set_tlsext_servername_callback(*ctxp, tls_servername_cb);
884 SSL_CTX_set_tlsext_servername_arg(*ctxp, cbinfo);
3f0945ff 885 }
7be682ca 886#endif
059ec3d9
PH
887
888/* Set up the RSA callback */
889
817d9f57 890SSL_CTX_set_tmp_rsa_callback(*ctxp, rsa_callback);
059ec3d9
PH
891
892/* Finally, set the timeout, and we are done */
893
817d9f57 894SSL_CTX_set_timeout(*ctxp, ssl_session_timeout);
059ec3d9 895DEBUG(D_tls) debug_printf("Initialized TLS\n");
7be682ca 896
817d9f57 897*cbp = cbinfo;
7be682ca 898
059ec3d9
PH
899return OK;
900}
901
902
903
904
905/*************************************************
906* Get name of cipher in use *
907*************************************************/
908
817d9f57 909/*
059ec3d9 910Argument: pointer to an SSL structure for the connection
817d9f57
JH
911 buffer to use for answer
912 size of buffer
913 pointer to number of bits for cipher
059ec3d9
PH
914Returns: nothing
915*/
916
917static void
817d9f57 918construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits)
059ec3d9 919{
57b3a7f5
PP
920/* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't
921yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
922the accessor functions use const in the prototype. */
923const SSL_CIPHER *c;
059ec3d9 924uschar *ver;
059ec3d9
PH
925
926switch (ssl->session->ssl_version)
927 {
928 case SSL2_VERSION:
929 ver = US"SSLv2";
930 break;
931
932 case SSL3_VERSION:
933 ver = US"SSLv3";
934 break;
935
936 case TLS1_VERSION:
937 ver = US"TLSv1";
938 break;
939
c80c5570
PP
940#ifdef TLS1_1_VERSION
941 case TLS1_1_VERSION:
942 ver = US"TLSv1.1";
943 break;
944#endif
945
946#ifdef TLS1_2_VERSION
947 case TLS1_2_VERSION:
948 ver = US"TLSv1.2";
949 break;
950#endif
951
059ec3d9
PH
952 default:
953 ver = US"UNKNOWN";
954 }
955
57b3a7f5 956c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
817d9f57 957SSL_CIPHER_get_bits(c, bits);
059ec3d9 958
817d9f57
JH
959string_format(cipherbuf, bsize, "%s:%s:%u", ver,
960 SSL_CIPHER_get_name(c), *bits);
059ec3d9
PH
961
962DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
963}
964
965
966
967
968
969/*************************************************
970* Set up for verifying certificates *
971*************************************************/
972
973/* Called by both client and server startup
974
975Arguments:
7be682ca 976 sctx SSL_CTX* to initialise
059ec3d9
PH
977 certs certs file or NULL
978 crl CRL file or NULL
979 host NULL in a server; the remote host in a client
980 optional TRUE if called from a server for a host in tls_try_verify_hosts;
981 otherwise passed as FALSE
a2ff477a 982 client TRUE if called for client startup, FALSE for server startup
059ec3d9
PH
983
984Returns: OK/DEFER/FAIL
985*/
986
987static int
a2ff477a 988setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional, BOOL client)
059ec3d9
PH
989{
990uschar *expcerts, *expcrl;
991
992if (!expand_check(certs, US"tls_verify_certificates", &expcerts))
993 return DEFER;
994
995if (expcerts != NULL)
996 {
997 struct stat statbuf;
7be682ca 998 if (!SSL_CTX_set_default_verify_paths(sctx))
7199e1ee 999 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
059ec3d9
PH
1000
1001 if (Ustat(expcerts, &statbuf) < 0)
1002 {
1003 log_write(0, LOG_MAIN|LOG_PANIC,
1004 "failed to stat %s for certificates", expcerts);
1005 return DEFER;
1006 }
1007 else
1008 {
1009 uschar *file, *dir;
1010 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
1011 { file = NULL; dir = expcerts; }
1012 else
1013 { file = expcerts; dir = NULL; }
1014
1015 /* If a certificate file is empty, the next function fails with an
1016 unhelpful error message. If we skip it, we get the correct behaviour (no
1017 certificates are recognized, but the error message is still misleading (it
1018 says no certificate was supplied.) But this is better. */
1019
1020 if ((file == NULL || statbuf.st_size > 0) &&
7be682ca 1021 !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
7199e1ee 1022 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL);
059ec3d9
PH
1023
1024 if (file != NULL)
1025 {
7be682ca 1026 SSL_CTX_set_client_CA_list(sctx, SSL_load_client_CA_file(CS file));
059ec3d9
PH
1027 }
1028 }
1029
1030 /* Handle a certificate revocation list. */
1031
1032 #if OPENSSL_VERSION_NUMBER > 0x00907000L
1033
8b417f2c
PH
1034 /* This bit of code is now the version supplied by Lars Mainka. (I have
1035 * merely reformatted it into the Exim code style.)
1036
1037 * "From here I changed the code to add support for multiple crl's
1038 * in pem format in one file or to support hashed directory entries in
1039 * pem format instead of a file. This method now uses the library function
1040 * X509_STORE_load_locations to add the CRL location to the SSL context.
1041 * OpenSSL will then handle the verify against CA certs and CRLs by
1042 * itself in the verify callback." */
1043
059ec3d9
PH
1044 if (!expand_check(crl, US"tls_crl", &expcrl)) return DEFER;
1045 if (expcrl != NULL && *expcrl != 0)
1046 {
8b417f2c
PH
1047 struct stat statbufcrl;
1048 if (Ustat(expcrl, &statbufcrl) < 0)
1049 {
1050 log_write(0, LOG_MAIN|LOG_PANIC,
1051 "failed to stat %s for certificates revocation lists", expcrl);
1052 return DEFER;
1053 }
1054 else
059ec3d9 1055 {
8b417f2c
PH
1056 /* is it a file or directory? */
1057 uschar *file, *dir;
7be682ca 1058 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
8b417f2c 1059 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
059ec3d9 1060 {
8b417f2c
PH
1061 file = NULL;
1062 dir = expcrl;
1063 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
059ec3d9
PH
1064 }
1065 else
1066 {
8b417f2c
PH
1067 file = expcrl;
1068 dir = NULL;
1069 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
059ec3d9 1070 }
8b417f2c 1071 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
7199e1ee 1072 return tls_error(US"X509_STORE_load_locations", host, NULL);
8b417f2c
PH
1073
1074 /* setting the flags to check against the complete crl chain */
1075
1076 X509_STORE_set_flags(cvstore,
1077 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
059ec3d9 1078 }
059ec3d9
PH
1079 }
1080
1081 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
1082
1083 /* If verification is optional, don't fail if no certificate */
1084
7be682ca 1085 SSL_CTX_set_verify(sctx,
059ec3d9 1086 SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
a2ff477a 1087 client ? verify_callback_client : verify_callback_server);
059ec3d9
PH
1088 }
1089
1090return OK;
1091}
1092
1093
1094
1095/*************************************************
1096* Start a TLS session in a server *
1097*************************************************/
1098
1099/* This is called when Exim is running as a server, after having received
1100the STARTTLS command. It must respond to that command, and then negotiate
1101a TLS session.
1102
1103Arguments:
1104 require_ciphers allowed ciphers
1105
1106Returns: OK on success
1107 DEFER for errors before the start of the negotiation
1108 FAIL for errors during the negotation; the server can't
1109 continue running.
1110*/
1111
1112int
17c76198 1113tls_server_start(const uschar *require_ciphers)
059ec3d9
PH
1114{
1115int rc;
1116uschar *expciphers;
7be682ca 1117tls_ext_ctx_cb *cbinfo;
817d9f57 1118static uschar cipherbuf[256];
059ec3d9
PH
1119
1120/* Check for previous activation */
1121
817d9f57 1122if (tls_in.active >= 0)
059ec3d9 1123 {
5ca6d115 1124 tls_error(US"STARTTLS received after TLS started", NULL, US"");
059ec3d9
PH
1125 smtp_printf("554 Already in TLS\r\n");
1126 return FAIL;
1127 }
1128
1129/* Initialize the SSL library. If it fails, it will already have logged
1130the error. */
1131
817d9f57 1132rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
3f7eeb86
PP
1133#ifdef EXPERIMENTAL_OCSP
1134 tls_ocsp_file,
1135#endif
817d9f57 1136 NULL, &server_static_cbinfo);
059ec3d9 1137if (rc != OK) return rc;
817d9f57 1138cbinfo = server_static_cbinfo;
059ec3d9
PH
1139
1140if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
1141 return FAIL;
1142
1143/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
17c76198
PP
1144were historically separated by underscores. So that I can use either form in my
1145tests, and also for general convenience, we turn underscores into hyphens here.
1146*/
059ec3d9
PH
1147
1148if (expciphers != NULL)
1149 {
1150 uschar *s = expciphers;
1151 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1152 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
817d9f57 1153 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
7199e1ee 1154 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL);
7be682ca 1155 cbinfo->server_cipher_list = expciphers;
059ec3d9
PH
1156 }
1157
1158/* If this is a host for which certificate verification is mandatory or
1159optional, set up appropriately. */
1160
817d9f57 1161tls_in.certificate_verified = FALSE;
a2ff477a 1162server_verify_callback_called = FALSE;
059ec3d9
PH
1163
1164if (verify_check_host(&tls_verify_hosts) == OK)
1165 {
a2ff477a 1166 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL, FALSE, FALSE);
059ec3d9 1167 if (rc != OK) return rc;
a2ff477a 1168 server_verify_optional = FALSE;
059ec3d9
PH
1169 }
1170else if (verify_check_host(&tls_try_verify_hosts) == OK)
1171 {
a2ff477a 1172 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL, TRUE, FALSE);
059ec3d9 1173 if (rc != OK) return rc;
a2ff477a 1174 server_verify_optional = TRUE;
059ec3d9
PH
1175 }
1176
1177/* Prepare for new connection */
1178
817d9f57 1179if ((server_ssl = SSL_new(server_ctx)) == NULL) return tls_error(US"SSL_new", NULL, NULL);
da3ad30d
PP
1180
1181/* Warning: we used to SSL_clear(ssl) here, it was removed.
1182 *
1183 * With the SSL_clear(), we get strange interoperability bugs with
1184 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
1185 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
1186 *
1187 * The SSL_clear() call is to let an existing SSL* be reused, typically after
1188 * session shutdown. In this case, we have a brand new object and there's no
1189 * obvious reason to immediately clear it. I'm guessing that this was
1190 * originally added because of incomplete initialisation which the clear fixed,
1191 * in some historic release.
1192 */
059ec3d9
PH
1193
1194/* Set context and tell client to go ahead, except in the case of TLS startup
1195on connection, where outputting anything now upsets the clients and tends to
1196make them disconnect. We need to have an explicit fflush() here, to force out
1197the response. Other smtp_printf() calls do not need it, because in non-TLS
1198mode, the fflush() happens when smtp_getc() is called. */
1199
817d9f57
JH
1200SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
1201if (!tls_in.on_connect)
059ec3d9
PH
1202 {
1203 smtp_printf("220 TLS go ahead\r\n");
1204 fflush(smtp_out);
1205 }
1206
1207/* Now negotiate the TLS session. We put our own timer on it, since it seems
1208that the OpenSSL library doesn't. */
1209
817d9f57
JH
1210SSL_set_wfd(server_ssl, fileno(smtp_out));
1211SSL_set_rfd(server_ssl, fileno(smtp_in));
1212SSL_set_accept_state(server_ssl);
059ec3d9
PH
1213
1214DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
1215
1216sigalrm_seen = FALSE;
1217if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
817d9f57 1218rc = SSL_accept(server_ssl);
059ec3d9
PH
1219alarm(0);
1220
1221if (rc <= 0)
1222 {
7199e1ee 1223 tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL);
77bb000f
PP
1224 if (ERR_get_error() == 0)
1225 log_write(0, LOG_MAIN,
a053d125 1226 "TLS client disconnected cleanly (rejected our certificate?)");
059ec3d9
PH
1227 return FAIL;
1228 }
1229
1230DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
1231
1232/* TLS has been set up. Adjust the input functions to read via TLS,
1233and initialize things. */
1234
817d9f57
JH
1235construct_cipher_name(server_ssl, cipherbuf, sizeof(cipherbuf), &tls_in.bits);
1236tls_in.cipher = cipherbuf;
059ec3d9
PH
1237
1238DEBUG(D_tls)
1239 {
1240 uschar buf[2048];
817d9f57 1241 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)) != NULL)
059ec3d9
PH
1242 debug_printf("Shared ciphers: %s\n", buf);
1243 }
1244
1245
817d9f57
JH
1246/* Only used by the server-side tls (tls_in), including tls_getc.
1247 Client-side (tls_out) reads (seem to?) go via
1248 smtp_read_response()/ip_recv().
1249 Hence no need to duplicate for _in and _out.
1250 */
059ec3d9
PH
1251ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
1252ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
1253ssl_xfer_eof = ssl_xfer_error = 0;
1254
1255receive_getc = tls_getc;
1256receive_ungetc = tls_ungetc;
1257receive_feof = tls_feof;
1258receive_ferror = tls_ferror;
58eb016e 1259receive_smtp_buffered = tls_smtp_buffered;
059ec3d9 1260
817d9f57 1261tls_in.active = fileno(smtp_out);
059ec3d9
PH
1262return OK;
1263}
1264
1265
1266
1267
1268
1269/*************************************************
1270* Start a TLS session in a client *
1271*************************************************/
1272
1273/* Called from the smtp transport after STARTTLS has been accepted.
1274
1275Argument:
1276 fd the fd of the connection
1277 host connected host (for messages)
83da1223 1278 addr the first address
059ec3d9
PH
1279 dhparam DH parameter file
1280 certificate certificate file
1281 privatekey private key file
3f0945ff 1282 sni TLS SNI to send to remote host
059ec3d9
PH
1283 verify_certs file for certificate verify
1284 crl file containing CRL
1285 require_ciphers list of allowed ciphers
54c90be1
PP
1286 dh_min_bits minimum number of bits acceptable in server's DH prime
1287 (unused in OpenSSL)
83da1223 1288 timeout startup timeout
059ec3d9
PH
1289
1290Returns: OK on success
1291 FAIL otherwise - note that tls_error() will not give DEFER
1292 because this is not a server
1293*/
1294
1295int
1296tls_client_start(int fd, host_item *host, address_item *addr, uschar *dhparam,
3f0945ff
PP
1297 uschar *certificate, uschar *privatekey, uschar *sni,
1298 uschar *verify_certs, uschar *crl,
54c90be1 1299 uschar *require_ciphers, int dh_min_bits ARG_UNUSED, int timeout)
059ec3d9
PH
1300{
1301static uschar txt[256];
1302uschar *expciphers;
1303X509* server_cert;
1304int rc;
817d9f57 1305static uschar cipherbuf[256];
059ec3d9 1306
817d9f57 1307rc = tls_init(&client_ctx, host, dhparam, certificate, privatekey,
3f7eeb86
PP
1308#ifdef EXPERIMENTAL_OCSP
1309 NULL,
1310#endif
817d9f57 1311 addr, &client_static_cbinfo);
059ec3d9
PH
1312if (rc != OK) return rc;
1313
817d9f57 1314tls_out.certificate_verified = FALSE;
a2ff477a 1315client_verify_callback_called = FALSE;
059ec3d9
PH
1316
1317if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
1318 return FAIL;
1319
1320/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
1321are separated by underscores. So that I can use either form in my tests, and
1322also for general convenience, we turn underscores into hyphens here. */
1323
1324if (expciphers != NULL)
1325 {
1326 uschar *s = expciphers;
1327 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1328 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
817d9f57 1329 if (!SSL_CTX_set_cipher_list(client_ctx, CS expciphers))
7199e1ee 1330 return tls_error(US"SSL_CTX_set_cipher_list", host, NULL);
059ec3d9
PH
1331 }
1332
a2ff477a 1333rc = setup_certs(client_ctx, verify_certs, crl, host, FALSE, TRUE);
059ec3d9
PH
1334if (rc != OK) return rc;
1335
817d9f57
JH
1336if ((client_ssl = SSL_new(client_ctx)) == NULL) return tls_error(US"SSL_new", host, NULL);
1337SSL_set_session_id_context(client_ssl, sid_ctx, Ustrlen(sid_ctx));
1338SSL_set_fd(client_ssl, fd);
1339SSL_set_connect_state(client_ssl);
059ec3d9 1340
3f0945ff
PP
1341if (sni)
1342 {
817d9f57 1343 if (!expand_check(sni, US"tls_sni", &tls_out.sni))
3f0945ff 1344 return FAIL;
817d9f57
JH
1345 if (!Ustrlen(tls_out.sni))
1346 tls_out.sni = NULL;
3f0945ff
PP
1347 else
1348 {
35731706 1349#ifdef EXIM_HAVE_OPENSSL_TLSEXT
817d9f57
JH
1350 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tls_out.sni);
1351 SSL_set_tlsext_host_name(client_ssl, tls_out.sni);
35731706
PP
1352#else
1353 DEBUG(D_tls)
1354 debug_printf("OpenSSL at build-time lacked SNI support, ignoring \"%s\"\n",
1355 tls_sni);
1356#endif
3f0945ff
PP
1357 }
1358 }
1359
059ec3d9
PH
1360/* There doesn't seem to be a built-in timeout on connection. */
1361
1362DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
1363sigalrm_seen = FALSE;
1364alarm(timeout);
817d9f57 1365rc = SSL_connect(client_ssl);
059ec3d9
PH
1366alarm(0);
1367
1368if (rc <= 0)
7199e1ee 1369 return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL);
059ec3d9
PH
1370
1371DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
1372
453a6645 1373/* Beware anonymous ciphers which lead to server_cert being NULL */
817d9f57 1374server_cert = SSL_get_peer_certificate (client_ssl);
453a6645
PP
1375if (server_cert)
1376 {
817d9f57 1377 tls_out.peerdn = US X509_NAME_oneline(X509_get_subject_name(server_cert),
453a6645 1378 CS txt, sizeof(txt));
817d9f57 1379 tls_out.peerdn = txt;
453a6645
PP
1380 }
1381else
817d9f57 1382 tls_out.peerdn = NULL;
059ec3d9 1383
817d9f57
JH
1384construct_cipher_name(client_ssl, cipherbuf, sizeof(cipherbuf), &tls_out.bits);
1385tls_out.cipher = cipherbuf;
059ec3d9 1386
817d9f57 1387tls_out.active = fd;
059ec3d9
PH
1388return OK;
1389}
1390
1391
1392
1393
1394
1395/*************************************************
1396* TLS version of getc *
1397*************************************************/
1398
1399/* This gets the next byte from the TLS input buffer. If the buffer is empty,
1400it refills the buffer via the SSL reading function.
1401
1402Arguments: none
1403Returns: the next character or EOF
817d9f57
JH
1404
1405Only used by the server-side TLS.
059ec3d9
PH
1406*/
1407
1408int
1409tls_getc(void)
1410{
1411if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
1412 {
1413 int error;
1414 int inbytes;
1415
817d9f57 1416 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
c80c5570 1417 ssl_xfer_buffer, ssl_xfer_buffer_size);
059ec3d9
PH
1418
1419 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
817d9f57
JH
1420 inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer, ssl_xfer_buffer_size);
1421 error = SSL_get_error(server_ssl, inbytes);
059ec3d9
PH
1422 alarm(0);
1423
1424 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
1425 closed down, not that the socket itself has been closed down. Revert to
1426 non-SSL handling. */
1427
1428 if (error == SSL_ERROR_ZERO_RETURN)
1429 {
1430 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
1431
1432 receive_getc = smtp_getc;
1433 receive_ungetc = smtp_ungetc;
1434 receive_feof = smtp_feof;
1435 receive_ferror = smtp_ferror;
58eb016e 1436 receive_smtp_buffered = smtp_buffered;
059ec3d9 1437
817d9f57
JH
1438 SSL_free(server_ssl);
1439 server_ssl = NULL;
1440 tls_in.active = -1;
1441 tls_in.bits = 0;
1442 tls_in.cipher = NULL;
1443 tls_in.peerdn = NULL;
1444 tls_in.sni = NULL;
059ec3d9
PH
1445
1446 return smtp_getc();
1447 }
1448
1449 /* Handle genuine errors */
1450
ba084640
PP
1451 else if (error == SSL_ERROR_SSL)
1452 {
1453 ERR_error_string(ERR_get_error(), ssl_errstring);
89dd51cd 1454 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
ba084640
PP
1455 ssl_xfer_error = 1;
1456 return EOF;
1457 }
1458
059ec3d9
PH
1459 else if (error != SSL_ERROR_NONE)
1460 {
1461 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
1462 ssl_xfer_error = 1;
1463 return EOF;
1464 }
c80c5570 1465
80a47a2c
TK
1466#ifndef DISABLE_DKIM
1467 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
1468#endif
059ec3d9
PH
1469 ssl_xfer_buffer_hwm = inbytes;
1470 ssl_xfer_buffer_lwm = 0;
1471 }
1472
1473/* Something in the buffer; return next uschar */
1474
1475return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
1476}
1477
1478
1479
1480/*************************************************
1481* Read bytes from TLS channel *
1482*************************************************/
1483
1484/*
1485Arguments:
1486 buff buffer of data
1487 len size of buffer
1488
1489Returns: the number of bytes read
1490 -1 after a failed read
817d9f57
JH
1491
1492Only used by the client-side TLS.
059ec3d9
PH
1493*/
1494
1495int
1496tls_read(uschar *buff, size_t len)
1497{
1498int inbytes;
1499int error;
1500
817d9f57 1501DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", client_ssl,
c80c5570 1502 buff, (unsigned int)len);
059ec3d9 1503
817d9f57
JH
1504inbytes = SSL_read(client_ssl, CS buff, len);
1505error = SSL_get_error(client_ssl, inbytes);
059ec3d9
PH
1506
1507if (error == SSL_ERROR_ZERO_RETURN)
1508 {
1509 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
1510 return -1;
1511 }
1512else if (error != SSL_ERROR_NONE)
1513 {
1514 return -1;
1515 }
1516
1517return inbytes;
1518}
1519
1520
1521
1522
1523
1524/*************************************************
1525* Write bytes down TLS channel *
1526*************************************************/
1527
1528/*
1529Arguments:
817d9f57 1530 is_server channel specifier
059ec3d9
PH
1531 buff buffer of data
1532 len number of bytes
1533
1534Returns: the number of bytes after a successful write,
1535 -1 after a failed write
817d9f57
JH
1536
1537Used by both server-side and client-side TLS.
059ec3d9
PH
1538*/
1539
1540int
817d9f57 1541tls_write(BOOL is_server, const uschar *buff, size_t len)
059ec3d9
PH
1542{
1543int outbytes;
1544int error;
1545int left = len;
817d9f57 1546SSL *ssl = is_server ? server_ssl : client_ssl;
059ec3d9 1547
c80c5570 1548DEBUG(D_tls) debug_printf("tls_do_write(%p, %d)\n", buff, left);
059ec3d9
PH
1549while (left > 0)
1550 {
c80c5570 1551 DEBUG(D_tls) debug_printf("SSL_write(SSL, %p, %d)\n", buff, left);
059ec3d9
PH
1552 outbytes = SSL_write(ssl, CS buff, left);
1553 error = SSL_get_error(ssl, outbytes);
1554 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
1555 switch (error)
1556 {
1557 case SSL_ERROR_SSL:
1558 ERR_error_string(ERR_get_error(), ssl_errstring);
1559 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
1560 return -1;
1561
1562 case SSL_ERROR_NONE:
1563 left -= outbytes;
1564 buff += outbytes;
1565 break;
1566
1567 case SSL_ERROR_ZERO_RETURN:
1568 log_write(0, LOG_MAIN, "SSL channel closed on write");
1569 return -1;
1570
817d9f57
JH
1571 case SSL_ERROR_SYSCALL:
1572 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
1573 sender_fullhost ? sender_fullhost : US"<unknown>",
1574 strerror(errno));
1575
059ec3d9
PH
1576 default:
1577 log_write(0, LOG_MAIN, "SSL_write error %d", error);
1578 return -1;
1579 }
1580 }
1581return len;
1582}
1583
1584
1585
1586/*************************************************
1587* Close down a TLS session *
1588*************************************************/
1589
1590/* This is also called from within a delivery subprocess forked from the
1591daemon, to shut down the TLS library, without actually doing a shutdown (which
1592would tamper with the SSL session in the parent process).
1593
1594Arguments: TRUE if SSL_shutdown is to be called
1595Returns: nothing
817d9f57
JH
1596
1597Used by both server-side and client-side TLS.
059ec3d9
PH
1598*/
1599
1600void
817d9f57 1601tls_close(BOOL is_server, BOOL shutdown)
059ec3d9 1602{
817d9f57
JH
1603SSL **sslp = is_server ? &server_ssl : &client_ssl;
1604
1605if (*fdp < 0) return; /* TLS was not active */
059ec3d9
PH
1606
1607if (shutdown)
1608 {
1609 DEBUG(D_tls) debug_printf("tls_close(): shutting down SSL\n");
817d9f57 1610 SSL_shutdown(*sslp);
059ec3d9
PH
1611 }
1612
817d9f57
JH
1613SSL_free(*sslp);
1614*sslp = NULL;
059ec3d9 1615
817d9f57 1616*fdp = -1;
059ec3d9
PH
1617}
1618
36f12725
NM
1619
1620
1621
1622/*************************************************
3375e053
PP
1623* Let tls_require_ciphers be checked at startup *
1624*************************************************/
1625
1626/* The tls_require_ciphers option, if set, must be something which the
1627library can parse.
1628
1629Returns: NULL on success, or error message
1630*/
1631
1632uschar *
1633tls_validate_require_cipher(void)
1634{
1635SSL_CTX *ctx;
1636uschar *s, *expciphers, *err;
1637
1638/* this duplicates from tls_init(), we need a better "init just global
1639state, for no specific purpose" singleton function of our own */
1640
1641SSL_load_error_strings();
1642OpenSSL_add_ssl_algorithms();
1643#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
1644/* SHA256 is becoming ever more popular. This makes sure it gets added to the
1645list of available digests. */
1646EVP_add_digest(EVP_sha256());
1647#endif
1648
1649if (!(tls_require_ciphers && *tls_require_ciphers))
1650 return NULL;
1651
1652if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers))
1653 return US"failed to expand tls_require_ciphers";
1654
1655if (!(expciphers && *expciphers))
1656 return NULL;
1657
1658/* normalisation ripped from above */
1659s = expciphers;
1660while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1661
1662err = NULL;
1663
1664ctx = SSL_CTX_new(SSLv23_server_method());
1665if (!ctx)
1666 {
1667 ERR_error_string(ERR_get_error(), ssl_errstring);
1668 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
1669 }
1670
1671DEBUG(D_tls)
1672 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
1673
1674if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
1675 {
1676 ERR_error_string(ERR_get_error(), ssl_errstring);
1677 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed", expciphers);
1678 }
1679
1680SSL_CTX_free(ctx);
1681
1682return err;
1683}
1684
1685
1686
1687
1688/*************************************************
36f12725
NM
1689* Report the library versions. *
1690*************************************************/
1691
1692/* There have historically been some issues with binary compatibility in
1693OpenSSL libraries; if Exim (like many other applications) is built against
1694one version of OpenSSL but the run-time linker picks up another version,
1695it can result in serious failures, including crashing with a SIGSEGV. So
1696report the version found by the compiler and the run-time version.
1697
1698Arguments: a FILE* to print the results to
1699Returns: nothing
1700*/
1701
1702void
1703tls_version_report(FILE *f)
1704{
754a0503
PP
1705fprintf(f, "Library version: OpenSSL: Compile: %s\n"
1706 " Runtime: %s\n",
1707 OPENSSL_VERSION_TEXT,
1708 SSLeay_version(SSLEAY_VERSION));
36f12725
NM
1709}
1710
9e3331ea
TK
1711
1712
1713
1714/*************************************************
17c76198 1715* Random number generation *
9e3331ea
TK
1716*************************************************/
1717
1718/* Pseudo-random number generation. The result is not expected to be
1719cryptographically strong but not so weak that someone will shoot themselves
1720in the foot using it as a nonce in input in some email header scheme or
1721whatever weirdness they'll twist this into. The result should handle fork()
1722and avoid repeating sequences. OpenSSL handles that for us.
1723
1724Arguments:
1725 max range maximum
1726Returns a random number in range [0, max-1]
1727*/
1728
1729int
17c76198 1730vaguely_random_number(int max)
9e3331ea
TK
1731{
1732unsigned int r;
1733int i, needed_len;
1734uschar *p;
1735uschar smallbuf[sizeof(r)];
1736
1737if (max <= 1)
1738 return 0;
1739
1740/* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
1741if (!RAND_status())
1742 {
1743 randstuff r;
1744 gettimeofday(&r.tv, NULL);
1745 r.p = getpid();
1746
1747 RAND_seed((uschar *)(&r), sizeof(r));
1748 }
1749/* We're after pseudo-random, not random; if we still don't have enough data
1750in the internal PRNG then our options are limited. We could sleep and hope
1751for entropy to come along (prayer technique) but if the system is so depleted
1752in the first place then something is likely to just keep taking it. Instead,
1753we'll just take whatever little bit of pseudo-random we can still manage to
1754get. */
1755
1756needed_len = sizeof(r);
1757/* Don't take 8 times more entropy than needed if int is 8 octets and we were
1758asked for a number less than 10. */
1759for (r = max, i = 0; r; ++i)
1760 r >>= 1;
1761i = (i + 7) / 8;
1762if (i < needed_len)
1763 needed_len = i;
1764
1765/* We do not care if crypto-strong */
17c76198
PP
1766i = RAND_pseudo_bytes(smallbuf, needed_len);
1767if (i < 0)
1768 {
1769 DEBUG(D_all)
1770 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
1771 return vaguely_random_number_fallback(max);
1772 }
1773
9e3331ea
TK
1774r = 0;
1775for (p = smallbuf; needed_len; --needed_len, ++p)
1776 {
1777 r *= 256;
1778 r += *p;
1779 }
1780
1781/* We don't particularly care about weighted results; if someone wants
1782smooth distribution and cares enough then they should submit a patch then. */
1783return r % max;
1784}
1785
77bb000f
PP
1786
1787
1788
1789/*************************************************
1790* OpenSSL option parse *
1791*************************************************/
1792
1793/* Parse one option for tls_openssl_options_parse below
1794
1795Arguments:
1796 name one option name
1797 value place to store a value for it
1798Returns success or failure in parsing
1799*/
1800
1801struct exim_openssl_option {
1802 uschar *name;
1803 long value;
1804};
1805/* We could use a macro to expand, but we need the ifdef and not all the
1806options document which version they were introduced in. Policylet: include
1807all options unless explicitly for DTLS, let the administrator choose which
1808to apply.
1809
1810This list is current as of:
c80c5570 1811 ==> 1.0.1b <== */
77bb000f
PP
1812static struct exim_openssl_option exim_openssl_options[] = {
1813/* KEEP SORTED ALPHABETICALLY! */
1814#ifdef SSL_OP_ALL
73a46702 1815 { US"all", SSL_OP_ALL },
77bb000f
PP
1816#endif
1817#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
73a46702 1818 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
77bb000f
PP
1819#endif
1820#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
73a46702 1821 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
77bb000f
PP
1822#endif
1823#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
73a46702 1824 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
77bb000f
PP
1825#endif
1826#ifdef SSL_OP_EPHEMERAL_RSA
73a46702 1827 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
77bb000f
PP
1828#endif
1829#ifdef SSL_OP_LEGACY_SERVER_CONNECT
73a46702 1830 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
77bb000f
PP
1831#endif
1832#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
73a46702 1833 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
77bb000f
PP
1834#endif
1835#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
73a46702 1836 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
77bb000f
PP
1837#endif
1838#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
73a46702 1839 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
77bb000f
PP
1840#endif
1841#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
73a46702 1842 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
77bb000f
PP
1843#endif
1844#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
73a46702 1845 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
77bb000f 1846#endif
c80c5570
PP
1847#ifdef SSL_OP_NO_COMPRESSION
1848 { US"no_compression", SSL_OP_NO_COMPRESSION },
1849#endif
77bb000f 1850#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
73a46702 1851 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
77bb000f 1852#endif
c0c7b2da
PP
1853#ifdef SSL_OP_NO_SSLv2
1854 { US"no_sslv2", SSL_OP_NO_SSLv2 },
1855#endif
1856#ifdef SSL_OP_NO_SSLv3
1857 { US"no_sslv3", SSL_OP_NO_SSLv3 },
1858#endif
1859#ifdef SSL_OP_NO_TICKET
1860 { US"no_ticket", SSL_OP_NO_TICKET },
1861#endif
1862#ifdef SSL_OP_NO_TLSv1
1863 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
1864#endif
c80c5570
PP
1865#ifdef SSL_OP_NO_TLSv1_1
1866#if SSL_OP_NO_TLSv1_1 == 0x00000400L
1867 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
1868#warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
1869#else
1870 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
1871#endif
1872#endif
1873#ifdef SSL_OP_NO_TLSv1_2
1874 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
1875#endif
77bb000f 1876#ifdef SSL_OP_SINGLE_DH_USE
73a46702 1877 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
77bb000f
PP
1878#endif
1879#ifdef SSL_OP_SINGLE_ECDH_USE
73a46702 1880 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
77bb000f
PP
1881#endif
1882#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
73a46702 1883 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
77bb000f
PP
1884#endif
1885#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
73a46702 1886 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
77bb000f
PP
1887#endif
1888#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
73a46702 1889 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
77bb000f
PP
1890#endif
1891#ifdef SSL_OP_TLS_D5_BUG
73a46702 1892 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
77bb000f
PP
1893#endif
1894#ifdef SSL_OP_TLS_ROLLBACK_BUG
73a46702 1895 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
77bb000f
PP
1896#endif
1897};
1898static int exim_openssl_options_size =
1899 sizeof(exim_openssl_options)/sizeof(struct exim_openssl_option);
1900
c80c5570 1901
77bb000f
PP
1902static BOOL
1903tls_openssl_one_option_parse(uschar *name, long *value)
1904{
1905int first = 0;
1906int last = exim_openssl_options_size;
1907while (last > first)
1908 {
1909 int middle = (first + last)/2;
1910 int c = Ustrcmp(name, exim_openssl_options[middle].name);
1911 if (c == 0)
1912 {
1913 *value = exim_openssl_options[middle].value;
1914 return TRUE;
1915 }
1916 else if (c > 0)
1917 first = middle + 1;
1918 else
1919 last = middle;
1920 }
1921return FALSE;
1922}
1923
1924
1925
1926
1927/*************************************************
1928* OpenSSL option parsing logic *
1929*************************************************/
1930
1931/* OpenSSL has a number of compatibility options which an administrator might
1932reasonably wish to set. Interpret a list similarly to decode_bits(), so that
1933we look like log_selector.
1934
1935Arguments:
1936 option_spec the administrator-supplied string of options
1937 results ptr to long storage for the options bitmap
1938Returns success or failure
1939*/
1940
1941BOOL
1942tls_openssl_options_parse(uschar *option_spec, long *results)
1943{
1944long result, item;
1945uschar *s, *end;
1946uschar keep_c;
1947BOOL adding, item_parsed;
1948
0e944a0d 1949result = 0L;
b1770b6e 1950/* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
da3ad30d 1951 * from default because it increases BEAST susceptibility. */
f0f5a555
PP
1952#ifdef SSL_OP_NO_SSLv2
1953result |= SSL_OP_NO_SSLv2;
1954#endif
77bb000f
PP
1955
1956if (option_spec == NULL)
1957 {
1958 *results = result;
1959 return TRUE;
1960 }
1961
1962for (s=option_spec; *s != '\0'; /**/)
1963 {
1964 while (isspace(*s)) ++s;
1965 if (*s == '\0')
1966 break;
1967 if (*s != '+' && *s != '-')
1968 {
1969 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
0e944a0d 1970 "+ or - expected but found \"%s\"\n", s);
77bb000f
PP
1971 return FALSE;
1972 }
1973 adding = *s++ == '+';
1974 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
1975 keep_c = *end;
1976 *end = '\0';
1977 item_parsed = tls_openssl_one_option_parse(s, &item);
1978 if (!item_parsed)
1979 {
0e944a0d 1980 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
77bb000f
PP
1981 return FALSE;
1982 }
1983 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
1984 adding ? "adding" : "removing", result, item, s);
1985 if (adding)
1986 result |= item;
1987 else
1988 result &= ~item;
1989 *end = keep_c;
1990 s = end;
1991 }
1992
1993*results = result;
1994return TRUE;
1995}
1996
059ec3d9 1997/* End of tls-openssl.c */