projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Use separate routine for translating return-codes to printable strings
[exim.git] / src / src / tls-openssl.c
CommitLineData
059ec3d9
PH		 1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
f9ba5e22 5/* Copyright (c) University of Cambridge 1995 - 2018 */
059ec3d9
PH		 6/* See the file NOTICE for conditions of use and distribution. */
7
f5d78688
JH		 8/* Portions Copyright (c) The OpenSSL Project 1999 */
9
059ec3d9
PH		 10/* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11library. It is #included into the tls.c file when that library is used. The
12code herein is based on a patch that was originally contributed by Steve
13Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
14
15No cryptographic code is included in Exim. All this module does is to call
16functions from the OpenSSL library. */
17
18
19/* Heading stuff */
20
21#include <openssl/lhash.h>
22#include <openssl/ssl.h>
23#include <openssl/err.h>
24#include <openssl/rand.h>
10ca4f1c
JH		 25#ifndef OPENSSL_NO_ECDH
26# include <openssl/ec.h>
27#endif
f2de3a33 28#ifndef DISABLE_OCSP
e51c7be2 29# include <openssl/ocsp.h>
3f7eeb86 30#endif
c0635b6d 31#ifdef SUPPORT_DANE
05e796ad 32# include "danessl.h"
85098ee7
JH		 33#endif
34
3f7eeb86 35
f2de3a33
JH		 36#ifndef DISABLE_OCSP
37# define EXIM_OCSP_SKEW_SECONDS (300L)
38# define EXIM_OCSP_MAX_AGE (-1L)
3f7eeb86 39#endif
059ec3d9 40
3bcbbbe2 41#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
e51c7be2 42# define EXIM_HAVE_OPENSSL_TLSEXT
3bcbbbe2 43#endif
c8dfb21d
JH		 44#if OPENSSL_VERSION_NUMBER >= 0x00908000L
45# define EXIM_HAVE_RSA_GENKEY_EX
46#endif
47#if OPENSSL_VERSION_NUMBER >= 0x10100000L
48# define EXIM_HAVE_OCSP_RESP_COUNT
49#else
50# define EXIM_HAVE_EPHEM_RSA_KEX
51# define EXIM_HAVE_RAND_PSEUDO
52#endif
53#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
8442641e 54# define EXIM_HAVE_SHA256
c8dfb21d 55#endif
34e3241d 56
d7978c0f
JH		 57/* X509_check_host provides sane certificate hostname checking, but was added
58to OpenSSL late, after other projects forked off the code-base. So in
59addition to guarding against the base version number, beware that LibreSSL
60does not (at this time) support this function.
61
62If LibreSSL gains a different API, perhaps via libtls, then we'll probably
63opt to disentangle and ask a LibreSSL user to provide glue for a third
64crypto provider for libtls instead of continuing to tie the OpenSSL glue
65into even twistier knots. If LibreSSL gains the same API, we can just
66change this guard and punt the issue for a while longer. */
67
34e3241d
PP		 68#ifndef LIBRESSL_VERSION_NUMBER
69# if OPENSSL_VERSION_NUMBER >= 0x010100000L
70# define EXIM_HAVE_OPENSSL_CHECKHOST
8420742d 71# define EXIM_HAVE_OPENSSL_DH_BITS
7a8b9519 72# define EXIM_HAVE_OPENSSL_TLS_METHOD
f20cfa4a 73# define EXIM_HAVE_OPENSSL_KEYLOG
7434882d
JH		 74# else
75# define EXIM_NEED_OPENSSL_INIT
34e3241d
PP		 76# endif
77# if OPENSSL_VERSION_NUMBER >= 0x010000000L \
2dfb468b 78 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
34e3241d
PP		 79# define EXIM_HAVE_OPENSSL_CHECKHOST
80# endif
11aa88b0 81#endif
10ca4f1c 82
11aa88b0
RA		 83#if !defined(LIBRESSL_VERSION_NUMBER) \
84 || LIBRESSL_VERSION_NUMBER >= 0x20010000L
10ca4f1c
JH		 85# if !defined(OPENSSL_NO_ECDH)
86# if OPENSSL_VERSION_NUMBER >= 0x0090800fL
8442641e 87# define EXIM_HAVE_ECDH
10ca4f1c
JH		 88# endif
89# if OPENSSL_VERSION_NUMBER >= 0x10002000L
10ca4f1c
JH		 90# define EXIM_HAVE_OPENSSL_EC_NIST2NID
91# endif
92# endif
2dfb468b 93#endif
3bcbbbe2 94
8a40db1c
JH		 95#ifndef LIBRESSL_VERSION_NUMBER
96# if OPENSSL_VERSION_NUMBER >= 0x010101000L
97# define OPENSSL_HAVE_KEYLOG_CB
d7f31bb6 98# define OPENSSL_HAVE_NUM_TICKETS
8a40db1c
JH		 99# endif
100#endif
101
67791ce4
JH		 102#if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
103# warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
104# define DISABLE_OCSP
105#endif
106
a6510420
JH		 107#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
108# include <openssl/x509v3.h>
109#endif
110
8442641e
JH		 111/*************************************************
112* OpenSSL option parse *
113*************************************************/
114
115typedef struct exim_openssl_option {
116 uschar *name;
117 long value;
118} exim_openssl_option;
119/* We could use a macro to expand, but we need the ifdef and not all the
120options document which version they were introduced in. Policylet: include
121all options unless explicitly for DTLS, let the administrator choose which
122to apply.
123
124This list is current as of:
125 ==> 1.0.1b <==
126Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
127Plus SSL_OP_NO_TLSv1_3 for 1.1.2-dev
128*/
129static exim_openssl_option exim_openssl_options[] = {
130/* KEEP SORTED ALPHABETICALLY! */
131#ifdef SSL_OP_ALL
132 { US"all", SSL_OP_ALL },
133#endif
134#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
135 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
136#endif
137#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
138 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
139#endif
140#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
141 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
142#endif
143#ifdef SSL_OP_EPHEMERAL_RSA
144 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
145#endif
146#ifdef SSL_OP_LEGACY_SERVER_CONNECT
147 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
148#endif
149#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
150 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
151#endif
152#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
153 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
154#endif
155#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
156 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
157#endif
158#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
159 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
160#endif
161#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
162 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
163#endif
164#ifdef SSL_OP_NO_COMPRESSION
165 { US"no_compression", SSL_OP_NO_COMPRESSION },
166#endif
167#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
168 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
169#endif
170#ifdef SSL_OP_NO_SSLv2
171 { US"no_sslv2", SSL_OP_NO_SSLv2 },
172#endif
173#ifdef SSL_OP_NO_SSLv3
174 { US"no_sslv3", SSL_OP_NO_SSLv3 },
175#endif
176#ifdef SSL_OP_NO_TICKET
177 { US"no_ticket", SSL_OP_NO_TICKET },
178#endif
179#ifdef SSL_OP_NO_TLSv1
180 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
181#endif
182#ifdef SSL_OP_NO_TLSv1_1
183#if SSL_OP_NO_TLSv1_1 == 0x00000400L
184 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
185#warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
186#else
187 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
188#endif
189#endif
190#ifdef SSL_OP_NO_TLSv1_2
191 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
192#endif
193#ifdef SSL_OP_NO_TLSv1_3
194 { US"no_tlsv1_3", SSL_OP_NO_TLSv1_3 },
195#endif
196#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
197 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
198#endif
199#ifdef SSL_OP_SINGLE_DH_USE
200 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
201#endif
202#ifdef SSL_OP_SINGLE_ECDH_USE
203 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
204#endif
205#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
206 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
207#endif
208#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
209 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
210#endif
211#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
212 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
213#endif
214#ifdef SSL_OP_TLS_D5_BUG
215 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
216#endif
217#ifdef SSL_OP_TLS_ROLLBACK_BUG
218 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
219#endif
220};
221
222#ifndef MACRO_PREDEF
223static int exim_openssl_options_size = nelem(exim_openssl_options);
224#endif
225
226#ifdef MACRO_PREDEF
227void
228options_tls(void)
229{
8442641e
JH		 230uschar buf[64];
231
d7978c0f 232for (struct exim_openssl_option * o = exim_openssl_options;
8442641e
JH		 233 o < exim_openssl_options + nelem(exim_openssl_options); o++)
234 {
235 /* Trailing X is workaround for problem with _OPT_OPENSSL_NO_TLSV1
236 being a ".ifdef _OPT_OPENSSL_NO_TLSV1_3" match */
237
238 spf(buf, sizeof(buf), US"_OPT_OPENSSL_%T_X", o->name);
239 builtin_macro_create(buf);
240 }
241}
242#else
243
244/******************************************************************************/
245
059ec3d9
PH		 246/* Structure for collecting random data for seeding. */
247
248typedef struct randstuff {
9e3331ea
TK		 249 struct timeval tv;
250 pid_t p;
059ec3d9
PH		 251} randstuff;
252
253/* Local static variables */
254
a2ff477a
JH		 255static BOOL client_verify_callback_called = FALSE;
256static BOOL server_verify_callback_called = FALSE;
059ec3d9
PH		 257static const uschar *sid_ctx = US"exim";
258
d4f09789
PP		 259/* We have three different contexts to care about.
260
261Simple case: client, `client_ctx`
262 As a client, we can be doing a callout or cut-through delivery while receiving
263 a message. So we have a client context, which should have options initialised
74f1a423
JH		 264 from the SMTP Transport. We may also concurrently want to make TLS connections
265 to utility daemons, so client-contexts are allocated and passed around in call
266 args rather than using a gobal.
d4f09789
PP		 267
268Server:
269 There are two cases: with and without ServerNameIndication from the client.
270 Given TLS SNI, we can be using different keys, certs and various other
271 configuration settings, because they're re-expanded with $tls_sni set. This
272 allows vhosting with TLS. This SNI is sent in the handshake.
273 A client might not send SNI, so we need a fallback, and an initial setup too.
274 So as a server, we start out using `server_ctx`.
275 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
276 `server_sni` from `server_ctx` and then initialise settings by re-expanding
277 configuration.
278*/
279
74f1a423
JH		 280typedef struct {
281 SSL_CTX * ctx;
282 SSL * ssl;
283} exim_openssl_client_tls_ctx;
284
817d9f57 285static SSL_CTX *server_ctx = NULL;
817d9f57 286static SSL *server_ssl = NULL;
389ca47a 287
35731706 288#ifdef EXIM_HAVE_OPENSSL_TLSEXT
817d9f57 289static SSL_CTX *server_sni = NULL;
35731706 290#endif
059ec3d9
PH		 291
292static char ssl_errstring[256];
293
294static int ssl_session_timeout = 200;
a2ff477a
JH		 295static BOOL client_verify_optional = FALSE;
296static BOOL server_verify_optional = FALSE;
059ec3d9 297
f5d78688 298static BOOL reexpand_tls_files_for_sni = FALSE;
059ec3d9
PH		 299
300
7be682ca
PP		 301typedef struct tls_ext_ctx_cb {
302 uschar *certificate;
303 uschar *privatekey;
f5d78688 304 BOOL is_server;
a6510420 305#ifndef DISABLE_OCSP
c3033f13 306 STACK_OF(X509) *verify_stack; /* chain for verifying the proof */
f5d78688
JH		 307 union {
308 struct {
309 uschar *file;
310 uschar *file_expanded;
311 OCSP_RESPONSE *response;
312 } server;
313 struct {
44662487
JH		 314 X509_STORE *verify_store; /* non-null if status requested */
315 BOOL verify_required;
f5d78688
JH		 316 } client;
317 } u_ocsp;
3f7eeb86 318#endif
7be682ca
PP		 319 uschar *dhparam;
320 /* these are cached from first expand */
321 uschar *server_cipher_list;
322 /* only passed down to tls_error: */
323 host_item *host;
55414b25 324 const uschar * verify_cert_hostnames;
0cbf2b82 325#ifndef DISABLE_EVENT
a7538db1
JH		 326 uschar * event_action;
327#endif
7be682ca
PP		 328} tls_ext_ctx_cb;
329
330/* should figure out a cleanup of API to handle state preserved per
331implementation, for various reasons, which can be void * in the APIs.
332For now, we hack around it. */
817d9f57
JH		 333tls_ext_ctx_cb *client_static_cbinfo = NULL;
334tls_ext_ctx_cb *server_static_cbinfo = NULL;
7be682ca
PP		 335
336static int
983207c1 337setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
cf0c6164 338 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr );
059ec3d9 339
3f7eeb86 340/* Callbacks */
3bcbbbe2 341#ifdef EXIM_HAVE_OPENSSL_TLSEXT
3f7eeb86 342static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
3bcbbbe2 343#endif
f2de3a33 344#ifndef DISABLE_OCSP
f5d78688 345static int tls_server_stapling_cb(SSL *s, void *arg);
3f7eeb86
PP		 346#endif
347
059ec3d9
PH		 348
349/*************************************************
350* Handle TLS error *
351*************************************************/
352
353/* Called from lots of places when errors occur before actually starting to do
354the TLS handshake, that is, while the session is still in clear. Always returns
355DEFER for a server and FAIL for a client so that most calls can use "return
356tls_error(...)" to do this processing and then give an appropriate return. A
357single function is used for both server and client, because it is called from
358some shared functions.
359
360Argument:
361 prefix text to include in the logged error
362 host NULL if setting up a server;
363 the connected host if setting up a client
7199e1ee 364 msg error message or NULL if we should ask OpenSSL
cf0c6164 365 errstr pointer to output error message
059ec3d9
PH		 366
367Returns: OK/DEFER/FAIL
368*/
369
370static int
cf0c6164 371tls_error(uschar * prefix, const host_item * host, uschar * msg, uschar ** errstr)
059ec3d9 372{
c562fd30 373if (!msg)
7199e1ee 374 {
0abc5a13 375 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
cf0c6164 376 msg = US ssl_errstring;
7199e1ee
TF		 377 }
378
5a2a0989
JH		 379msg = string_sprintf("(%s): %s", prefix, msg);
380DEBUG(D_tls) debug_printf("TLS error '%s'\n", msg);
381if (errstr) *errstr = msg;
cf0c6164 382return host ? FAIL : DEFER;
059ec3d9
PH		 383}
384
385
386
387/*************************************************
388* Callback to generate RSA key *
389*************************************************/
390
391/*
392Arguments:
3ae79556 393 s SSL connection (not used)
059ec3d9
PH		 394 export not used
395 keylength keylength
396
397Returns: pointer to generated key
398*/
399
400static RSA *
401rsa_callback(SSL *s, int export, int keylength)
402{
403RSA *rsa_key;
c8dfb21d
JH		 404#ifdef EXIM_HAVE_RSA_GENKEY_EX
405BIGNUM *bn = BN_new();
406#endif
407
059ec3d9
PH		 408export = export; /* Shut picky compilers up */
409DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
c8dfb21d
JH		 410
411#ifdef EXIM_HAVE_RSA_GENKEY_EX
412if ( !BN_set_word(bn, (unsigned long)RSA_F4)
f2cb6292 413 || !(rsa_key = RSA_new())
c8dfb21d
JH		 414 || !RSA_generate_key_ex(rsa_key, keylength, bn, NULL)
415 )
416#else
23bb6982 417if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL)))
c8dfb21d
JH		 418#endif
419
059ec3d9 420 {
0abc5a13 421 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
059ec3d9
PH		 422 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
423 ssl_errstring);
424 return NULL;
425 }
426return rsa_key;
427}
428
429
430
f5d78688 431/* Extreme debug
f2de3a33 432#ifndef DISABLE_OCSP
f5d78688
JH		 433void
434x509_store_dump_cert_s_names(X509_STORE * store)
435{
436STACK_OF(X509_OBJECT) * roots= store->objs;
f5d78688
JH		 437static uschar name[256];
438
d7978c0f 439for (int i= 0; i < sk_X509_OBJECT_num(roots); i++)
f5d78688
JH		 440 {
441 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
442 if(tmp_obj->type == X509_LU_X509)
443 {
70e384dd
JH		 444 X509_NAME * sn = X509_get_subject_name(tmp_obj->data.x509);
445 if (X509_NAME_oneline(sn, CS name, sizeof(name)))
446 {
447 name[sizeof(name)-1] = '\0';
448 debug_printf(" %s\n", name);
449 }
f5d78688
JH		 450 }
451 }
452}
453#endif
454*/
455
059ec3d9 456
0cbf2b82 457#ifndef DISABLE_EVENT
f69979cf
JH		 458static int
459verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
460 BOOL *calledp, const BOOL *optionalp, const uschar * what)
461{
462uschar * ev;
463uschar * yield;
464X509 * old_cert;
465
466ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
467if (ev)
468 {
aaba7d03 469 DEBUG(D_tls) debug_printf("verify_event: %s %d\n", what, depth);
f69979cf
JH		 470 old_cert = tlsp->peercert;
471 tlsp->peercert = X509_dup(cert);
472 /* NB we do not bother setting peerdn */
473 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
474 {
475 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
476 "depth=%d cert=%s: %s",
477 tlsp == &tls_out ? deliver_host_address : sender_host_address,
478 what, depth, dn, yield);
479 *calledp = TRUE;
480 if (!*optionalp)
481 {
482 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
483 return 1; /* reject (leaving peercert set) */
484 }
485 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
486 "(host in tls_try_verify_hosts)\n");
487 }
488 X509_free(tlsp->peercert);
489 tlsp->peercert = old_cert;
490 }
491return 0;
492}
493#endif
494
059ec3d9
PH		 495/*************************************************
496* Callback for verification *
497*************************************************/
498
499/* The SSL library does certificate verification if set up to do so. This
500callback has the current yes/no state is in "state". If verification succeeded,
f69979cf
JH		 501we set the certificate-verified flag. If verification failed, what happens
502depends on whether the client is required to present a verifiable certificate
503or not.
059ec3d9
PH		 504
505If verification is optional, we change the state to yes, but still log the
506verification error. For some reason (it really would help to have proper
507documentation of OpenSSL), this callback function then gets called again, this
f69979cf
JH		 508time with state = 1. We must take care not to set the private verified flag on
509the second time through.
059ec3d9
PH		 510
511Note: this function is not called if the client fails to present a certificate
512when asked. We get here only if a certificate has been received. Handling of
513optional verification for this case is done when requesting SSL to verify, by
514setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
515
a7538db1
JH		 516May be called multiple times for different issues with a certificate, even
517for a given "depth" in the certificate chain.
518
059ec3d9 519Arguments:
f2f2c91b
JH		 520 preverify_ok current yes/no state as 1/0
521 x509ctx certificate information.
522 tlsp per-direction (client vs. server) support data
523 calledp has-been-called flag
524 optionalp verification-is-optional flag
059ec3d9 525
f2f2c91b 526Returns: 0 if verification should fail, otherwise 1
059ec3d9
PH		 527*/
528
529static int
70e384dd
JH		 530verify_callback(int preverify_ok, X509_STORE_CTX * x509ctx,
531 tls_support * tlsp, BOOL * calledp, BOOL * optionalp)
059ec3d9 532{
421aff85 533X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
a7538db1 534int depth = X509_STORE_CTX_get_error_depth(x509ctx);
f69979cf 535uschar dn[256];
059ec3d9 536
70e384dd
JH		 537if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
538 {
539 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
540 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
541 tlsp == &tls_out ? deliver_host_address : sender_host_address);
542 return 0;
543 }
f69979cf 544dn[sizeof(dn)-1] = '\0';
059ec3d9 545
f2f2c91b 546if (preverify_ok == 0)
059ec3d9 547 {
f77197ae
JH		 548 uschar * extra = verify_mode ? string_sprintf(" (during %c-verify for [%s])",
549 *verify_mode, sender_host_address)
550 : US"";
551 log_write(0, LOG_MAIN, "[%s] SSL verify error%s: depth=%d error=%s cert=%s",
552 tlsp == &tls_out ? deliver_host_address : sender_host_address,
553 extra, depth,
554 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)), dn);
a2ff477a 555 *calledp = TRUE;
9d1c15ef
JH		 556 if (!*optionalp)
557 {
f69979cf
JH		 558 if (!tlsp->peercert)
559 tlsp->peercert = X509_dup(cert); /* record failing cert */
560 return 0; /* reject */
9d1c15ef 561 }
059ec3d9
PH		 562 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
563 "tls_try_verify_hosts)\n");
059ec3d9
PH		 564 }
565
a7538db1 566else if (depth != 0)
059ec3d9 567 {
f69979cf 568 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
f2de3a33 569#ifndef DISABLE_OCSP
f5d78688
JH		 570 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
571 { /* client, wanting stapling */
572 /* Add the server cert's signing chain as the one
573 for the verification of the OCSP stapled information. */
94431adb 574
f5d78688 575 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
421aff85 576 cert))
f5d78688 577 ERR_clear_error();
c3033f13 578 sk_X509_push(client_static_cbinfo->verify_stack, cert);
f5d78688 579 }
a7538db1 580#endif
0cbf2b82 581#ifndef DISABLE_EVENT
f69979cf
JH		 582 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
583 return 0; /* reject, with peercert set */
f5d78688 584#endif
059ec3d9
PH		 585 }
586else
587 {
55414b25 588 const uschar * verify_cert_hostnames;
e51c7be2 589
e51c7be2
JH		 590 if ( tlsp == &tls_out
591 && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
afdb5e9c 592 /* client, wanting hostname check */
e51c7be2 593 {
f69979cf 594
740f36d4 595#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
f69979cf
JH		 596# ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
597# define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
598# endif
599# ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
600# define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
601# endif
e51c7be2 602 int sep = 0;
55414b25 603 const uschar * list = verify_cert_hostnames;
e51c7be2 604 uschar * name;
d8e7834a
JH		 605 int rc;
606 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
f40d5be3 607 if ((rc = X509_check_host(cert, CCS name, 0,
8d692470 608 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
740f36d4
JH		 609 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
610 NULL)))
d8e7834a
JH		 611 {
612 if (rc < 0)
613 {
93a6fce2 614 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
f77197ae 615 tlsp == &tls_out ? deliver_host_address : sender_host_address);
d8e7834a
JH		 616 name = NULL;
617 }
e51c7be2 618 break;
d8e7834a 619 }
e51c7be2 620 if (!name)
f69979cf 621#else
e51c7be2 622 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
f69979cf 623#endif
e51c7be2 624 {
f77197ae
JH		 625 uschar * extra = verify_mode
626 ? string_sprintf(" (during %c-verify for [%s])",
627 *verify_mode, sender_host_address)
628 : US"";
e51c7be2 629 log_write(0, LOG_MAIN,
f77197ae
JH		 630 "[%s] SSL verify error%s: certificate name mismatch: DN=\"%s\" H=\"%s\"",
631 tlsp == &tls_out ? deliver_host_address : sender_host_address,
632 extra, dn, verify_cert_hostnames);
a3ef7310
JH		 633 *calledp = TRUE;
634 if (!*optionalp)
f69979cf
JH		 635 {
636 if (!tlsp->peercert)
637 tlsp->peercert = X509_dup(cert); /* record failing cert */
638 return 0; /* reject */
639 }
a3ef7310
JH		 640 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
641 "tls_try_verify_hosts)\n");
e51c7be2 642 }
f69979cf 643 }
e51c7be2 644
0cbf2b82 645#ifndef DISABLE_EVENT
f69979cf
JH		 646 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
647 return 0; /* reject, with peercert set */
e51c7be2
JH		 648#endif
649
93dcb1c2 650 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
f69979cf 651 *calledp ? "" : " authenticated", dn);
93dcb1c2
JH		 652 if (!*calledp) tlsp->certificate_verified = TRUE;
653 *calledp = TRUE;
059ec3d9
PH		 654 }
655
a7538db1 656return 1; /* accept, at least for this level */
059ec3d9
PH		 657}
658
a2ff477a 659static int
f2f2c91b 660verify_callback_client(int preverify_ok, X509_STORE_CTX *x509ctx)
a2ff477a 661{
f2f2c91b
JH		 662return verify_callback(preverify_ok, x509ctx, &tls_out,
663 &client_verify_callback_called, &client_verify_optional);
a2ff477a
JH		 664}
665
666static int
f2f2c91b 667verify_callback_server(int preverify_ok, X509_STORE_CTX *x509ctx)
a2ff477a 668{
f2f2c91b
JH		 669return verify_callback(preverify_ok, x509ctx, &tls_in,
670 &server_verify_callback_called, &server_verify_optional);
a2ff477a
JH		 671}
672
059ec3d9 673
c0635b6d 674#ifdef SUPPORT_DANE
53a7196b 675
e5cccda9
JH		 676/* This gets called *by* the dane library verify callback, which interposes
677itself.
678*/
679static int
f2f2c91b 680verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
e5cccda9
JH		 681{
682X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
f69979cf 683uschar dn[256];
83b27293 684int depth = X509_STORE_CTX_get_error_depth(x509ctx);
5c75db2e 685#ifndef DISABLE_EVENT
f69979cf 686BOOL dummy_called, optional = FALSE;
83b27293 687#endif
e5cccda9 688
70e384dd
JH		 689if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
690 {
691 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
692 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
693 deliver_host_address);
694 return 0;
695 }
f69979cf 696dn[sizeof(dn)-1] = '\0';
e5cccda9 697
f2f2c91b
JH		 698DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
699 preverify_ok ? "ok":"BAD", depth, dn);
e5cccda9 700
0cbf2b82 701#ifndef DISABLE_EVENT
f69979cf
JH		 702 if (verify_event(&tls_out, cert, depth, dn,
703 &dummy_called, &optional, US"DANE"))
704 return 0; /* reject, with peercert set */
83b27293
JH		 705#endif
706
f2f2c91b 707if (preverify_ok == 1)
6fbf3599
JH		 708 {
709 tls_out.dane_verified = tls_out.certificate_verified = TRUE;
710#ifndef DISABLE_OCSP
711 if (client_static_cbinfo->u_ocsp.client.verify_store)
712 { /* client, wanting stapling */
713 /* Add the server cert's signing chain as the one
714 for the verification of the OCSP stapled information. */
715
716 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
717 cert))
718 ERR_clear_error();
719 sk_X509_push(client_static_cbinfo->verify_stack, cert);
720 }
721#endif
722 }
f2f2c91b
JH		 723else
724 {
725 int err = X509_STORE_CTX_get_error(x509ctx);
726 DEBUG(D_tls)
727 debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
3c51463e 728 if (err == X509_V_ERR_APPLICATION_VERIFICATION)
f2f2c91b
JH		 729 preverify_ok = 1;
730 }
731return preverify_ok;
e5cccda9 732}
53a7196b 733
c0635b6d 734#endif /*SUPPORT_DANE*/
e5cccda9 735
059ec3d9
PH		 736
737/*************************************************
738* Information callback *
739*************************************************/
740
741/* The SSL library functions call this from time to time to indicate what they
7be682ca
PP		 742are doing. We copy the string to the debugging output when TLS debugging has
743been requested.
059ec3d9
PH		 744
745Arguments:
746 s the SSL connection
747 where
748 ret
749
750Returns: nothing
751*/
752
753static void
754info_callback(SSL *s, int where, int ret)
755{
0abc5a13
JH		 756DEBUG(D_tls)
757 {
758 const uschar * str;
759
760 if (where & SSL_ST_CONNECT)
48224640 761 str = US"SSL_connect";
0abc5a13 762 else if (where & SSL_ST_ACCEPT)
48224640 763 str = US"SSL_accept";
0abc5a13 764 else
48224640 765 str = US"SSL info (undefined)";
0abc5a13
JH		 766
767 if (where & SSL_CB_LOOP)
768 debug_printf("%s: %s\n", str, SSL_state_string_long(s));
769 else if (where & SSL_CB_ALERT)
770 debug_printf("SSL3 alert %s:%s:%s\n",
48224640 771 str = where & SSL_CB_READ ? US"read" : US"write",
0abc5a13
JH		 772 SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
773 else if (where & SSL_CB_EXIT)
774 if (ret == 0)
775 debug_printf("%s: failed in %s\n", str, SSL_state_string_long(s));
776 else if (ret < 0)
777 debug_printf("%s: error in %s\n", str, SSL_state_string_long(s));
778 else if (where & SSL_CB_HANDSHAKE_START)
779 debug_printf("%s: hshake start: %s\n", str, SSL_state_string_long(s));
780 else if (where & SSL_CB_HANDSHAKE_DONE)
781 debug_printf("%s: hshake done: %s\n", str, SSL_state_string_long(s));
782 }
059ec3d9
PH		 783}
784
8a40db1c
JH		 785static void
786keylog_callback(const SSL *ssl, const char *line)
787{
788DEBUG(D_tls) debug_printf("%.200s\n", line);
789}
790
059ec3d9
PH		 791
792
793/*************************************************
794* Initialize for DH *
795*************************************************/
796
797/* If dhparam is set, expand it, and load up the parameters for DH encryption.
798
799Arguments:
038597d2 800 sctx The current SSL CTX (inbound or outbound)
a799883d 801 dhparam DH parameter file or fixed parameter identity string
7199e1ee 802 host connected host, if client; NULL if server
cf0c6164 803 errstr error string pointer
059ec3d9
PH		 804
805Returns: TRUE if OK (nothing to set up, or setup worked)
806*/
807
808static BOOL
cf0c6164 809init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host, uschar ** errstr)
059ec3d9 810{
059ec3d9
PH		 811BIO *bio;
812DH *dh;
813uschar *dhexpanded;
a799883d 814const char *pem;
6600985a 815int dh_bitsize;
059ec3d9 816
cf0c6164 817if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded, errstr))
059ec3d9
PH		 818 return FALSE;
819
0df4ab80 820if (!dhexpanded || !*dhexpanded)
a799883d 821 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
a799883d 822else if (dhexpanded[0] == '/')
059ec3d9 823 {
0df4ab80 824 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
059ec3d9 825 {
7199e1ee 826 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
cf0c6164 827 host, US strerror(errno), errstr);
a799883d 828 return FALSE;
059ec3d9 829 }
a799883d
PP		 830 }
831else
832 {
833 if (Ustrcmp(dhexpanded, "none") == 0)
059ec3d9 834 {
a799883d
PP		 835 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
836 return TRUE;
059ec3d9 837 }
a799883d 838
0df4ab80 839 if (!(pem = std_dh_prime_named(dhexpanded)))
a799883d
PP		 840 {
841 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
cf0c6164 842 host, US strerror(errno), errstr);
a799883d
PP		 843 return FALSE;
844 }
845 bio = BIO_new_mem_buf(CS pem, -1);
846 }
847
0df4ab80 848if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
a799883d 849 {
059ec3d9 850 BIO_free(bio);
a799883d 851 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
cf0c6164 852 host, NULL, errstr);
a799883d
PP		 853 return FALSE;
854 }
855
6600985a
PP		 856/* note: our default limit of 2236 is not a multiple of 8; the limit comes from
857 * an NSS limit, and the GnuTLS APIs handle bit-sizes fine, so we went with
858 * 2236. But older OpenSSL can only report in bytes (octets), not bits.
859 * If someone wants to dance at the edge, then they can raise the limit or use
860 * current libraries. */
861#ifdef EXIM_HAVE_OPENSSL_DH_BITS
862/* Added in commit 26c79d5641d; `git describe --contains` says OpenSSL_1_1_0-pre1~1022
863 * This predates OpenSSL_1_1_0 (before a, b, ...) so is in all 1.1.0 */
864dh_bitsize = DH_bits(dh);
865#else
866dh_bitsize = 8 * DH_size(dh);
867#endif
868
a799883d
PP		 869/* Even if it is larger, we silently return success rather than cause things
870 * to fail out, so that a too-large DH will not knock out all TLS; it's a
871 * debatable choice. */
6600985a 872if (dh_bitsize > tls_dh_max_bits)
a799883d
PP		 873 {
874 DEBUG(D_tls)
170f4904 875 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d\n",
6600985a 876 dh_bitsize, tls_dh_max_bits);
a799883d
PP		 877 }
878else
879 {
880 SSL_CTX_set_tmp_dh(sctx, dh);
881 DEBUG(D_tls)
882 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
6600985a 883 dhexpanded ? dhexpanded : US"default", dh_bitsize);
059ec3d9
PH		 884 }
885
a799883d
PP		 886DH_free(dh);
887BIO_free(bio);
888
889return TRUE;
059ec3d9
PH		 890}
891
892
893
894
038597d2
PP		 895/*************************************************
896* Initialize for ECDH *
897*************************************************/
898
899/* Load parameters for ECDH encryption.
900
901For now, we stick to NIST P-256 because: it's simple and easy to configure;
902it avoids any patent issues that might bite redistributors; despite events in
903the news and concerns over curve choices, we're not cryptographers, we're not
904pretending to be, and this is "good enough" to be better than no support,
905protecting against most adversaries. Given another year or two, there might
906be sufficient clarity about a "right" way forward to let us make an informed
907decision, instead of a knee-jerk reaction.
908
909Longer-term, we should look at supporting both various named curves and
910external files generated with "openssl ecparam", much as we do for init_dh().
911We should also support "none" as a value, to explicitly avoid initialisation.
912
913Patches welcome.
914
915Arguments:
916 sctx The current SSL CTX (inbound or outbound)
917 host connected host, if client; NULL if server
cf0c6164 918 errstr error string pointer
038597d2
PP		 919
920Returns: TRUE if OK (nothing to set up, or setup worked)
921*/
922
923static BOOL
cf0c6164 924init_ecdh(SSL_CTX * sctx, host_item * host, uschar ** errstr)
038597d2 925{
63f0dbe0
JH		 926#ifdef OPENSSL_NO_ECDH
927return TRUE;
928#else
929
10ca4f1c
JH		 930EC_KEY * ecdh;
931uschar * exp_curve;
932int nid;
933BOOL rv;
934
038597d2
PP		 935if (host) /* No ECDH setup for clients, only for servers */
936 return TRUE;
937
10ca4f1c 938# ifndef EXIM_HAVE_ECDH
038597d2
PP		 939DEBUG(D_tls)
940 debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
941return TRUE;
038597d2 942# else
10ca4f1c 943
cf0c6164 944if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr))
10ca4f1c
JH		 945 return FALSE;
946if (!exp_curve || !*exp_curve)
947 return TRUE;
948
8e53a4fc 949/* "auto" needs to be handled carefully.
4c04137d 950 * OpenSSL < 1.0.2: we do not select anything, but fallback to prime256v1
8e53a4fc 951 * OpenSSL < 1.1.0: we have to call SSL_CTX_set_ecdh_auto
4c04137d 952 * (openssl/ssl.h defines SSL_CTRL_SET_ECDH_AUTO)
8e53a4fc
HSHR		 953 * OpenSSL >= 1.1.0: we do not set anything, the libray does autoselection
954 * https://github.com/openssl/openssl/commit/fe6ef2472db933f01b59cad82aa925736935984b
955 */
10ca4f1c 956if (Ustrcmp(exp_curve, "auto") == 0)
038597d2 957 {
8e53a4fc 958#if OPENSSL_VERSION_NUMBER < 0x10002000L
10ca4f1c 959 DEBUG(D_tls) debug_printf(
8e53a4fc 960 "ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n");
78a3bbd5 961 exp_curve = US"prime256v1";
8e53a4fc
HSHR		 962#else
963# if defined SSL_CTRL_SET_ECDH_AUTO
964 DEBUG(D_tls) debug_printf(
965 "ECDH OpenSSL 1.0.2+ temp key parameter settings: autoselection\n");
10ca4f1c
JH		 966 SSL_CTX_set_ecdh_auto(sctx, 1);
967 return TRUE;
8e53a4fc
HSHR		 968# else
969 DEBUG(D_tls) debug_printf(
970 "ECDH OpenSSL 1.1.0+ temp key parameter settings: default selection\n");
971 return TRUE;
972# endif
973#endif
10ca4f1c 974 }
038597d2 975
10ca4f1c
JH		 976DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve);
977if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef
978# ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
979 && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef
980# endif
981 )
982 {
cf0c6164
JH		 983 tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve),
984 host, NULL, errstr);
10ca4f1c
JH		 985 return FALSE;
986 }
038597d2 987
10ca4f1c
JH		 988if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
989 {
cf0c6164 990 tls_error(US"Unable to create ec curve", host, NULL, errstr);
10ca4f1c 991 return FALSE;
038597d2 992 }
10ca4f1c
JH		 993
994/* The "tmp" in the name here refers to setting a temporary key
995not to the stability of the interface. */
996
997if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
cf0c6164 998 tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL, errstr);
10ca4f1c
JH		 999else
1000 DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
1001
1002EC_KEY_free(ecdh);
1003return !rv;
1004
1005# endif /*EXIM_HAVE_ECDH*/
1006#endif /*OPENSSL_NO_ECDH*/
038597d2
PP		 1007}
1008
1009
1010
1011
f2de3a33 1012#ifndef DISABLE_OCSP
3f7eeb86
PP		 1013/*************************************************
1014* Load OCSP information into state *
1015*************************************************/
f5d78688 1016/* Called to load the server OCSP response from the given file into memory, once
3f7eeb86
PP		 1017caller has determined this is needed. Checks validity. Debugs a message
1018if invalid.
1019
1020ASSUMES: single response, for single cert.
1021
1022Arguments:
1023 sctx the SSL_CTX* to update
1024 cbinfo various parts of session state
1025 expanded the filename putatively holding an OCSP response
1026
1027*/
1028
1029static void
f5d78688 1030ocsp_load_response(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo, const uschar *expanded)
3f7eeb86 1031{
ee5b1e28
JH		 1032BIO * bio;
1033OCSP_RESPONSE * resp;
1034OCSP_BASICRESP * basic_response;
1035OCSP_SINGLERESP * single_response;
1036ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
ee5b1e28 1037STACK_OF(X509) * sk;
3f7eeb86
PP		 1038unsigned long verify_flags;
1039int status, reason, i;
1040
f5d78688
JH		 1041cbinfo->u_ocsp.server.file_expanded = string_copy(expanded);
1042if (cbinfo->u_ocsp.server.response)
3f7eeb86 1043 {
f5d78688
JH		 1044 OCSP_RESPONSE_free(cbinfo->u_ocsp.server.response);
1045 cbinfo->u_ocsp.server.response = NULL;
3f7eeb86
PP		 1046 }
1047
ee5b1e28 1048if (!(bio = BIO_new_file(CS cbinfo->u_ocsp.server.file_expanded, "rb")))
3f7eeb86
PP		 1049 {
1050 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
f5d78688 1051 cbinfo->u_ocsp.server.file_expanded);
3f7eeb86
PP		 1052 return;
1053 }
1054
1055resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
1056BIO_free(bio);
1057if (!resp)
1058 {
1059 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
1060 return;
1061 }
1062
ee5b1e28 1063if ((status = OCSP_response_status(resp)) != OCSP_RESPONSE_STATUS_SUCCESSFUL)
3f7eeb86
PP		 1064 {
1065 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
1066 OCSP_response_status_str(status), status);
f5d78688 1067 goto bad;
3f7eeb86
PP		 1068 }
1069
ee5b1e28 1070if (!(basic_response = OCSP_response_get1_basic(resp)))
3f7eeb86
PP		 1071 {
1072 DEBUG(D_tls)
1073 debug_printf("OCSP response parse error: unable to extract basic response.\n");
f5d78688 1074 goto bad;
3f7eeb86
PP		 1075 }
1076
c3033f13 1077sk = cbinfo->verify_stack;
3f7eeb86
PP		 1078verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
1079
1080/* May need to expose ability to adjust those flags?
1081OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
1082OCSP_TRUSTOTHER OCSP_NOINTERN */
1083
4c04137d 1084/* This does a full verify on the OCSP proof before we load it for serving
ee5b1e28
JH		 1085up; possibly overkill - just date-checks might be nice enough.
1086
1087OCSP_basic_verify takes a "store" arg, but does not
1088use it for the chain verification, which is all we do
1089when OCSP_NOVERIFY is set. The content from the wire
1090"basic_response" and a cert-stack "sk" are all that is used.
1091
c3033f13
JH		 1092We have a stack, loaded in setup_certs() if tls_verify_certificates
1093was a file (not a directory, or "system"). It is unfortunate we
1094cannot used the connection context store, as that would neatly
1095handle the "system" case too, but there seems to be no library
1096function for getting a stack from a store.
e3555426 1097[ In OpenSSL 1.1 - ? X509_STORE_CTX_get0_chain(ctx) ? ]
c3033f13
JH		 1098We do not free the stack since it could be needed a second time for
1099SNI handling.
1100
4c04137d 1101Separately we might try to replace using OCSP_basic_verify() - which seems to not
5ec37a55 1102be a public interface into the OpenSSL library (there's no manual entry) -
ee5b1e28 1103But what with? We also use OCSP_basic_verify in the client stapling callback.
4c04137d 1104And there we NEED it; we must verify that status... unless the
ee5b1e28
JH		 1105library does it for us anyway? */
1106
1107if ((i = OCSP_basic_verify(basic_response, sk, NULL, verify_flags)) < 0)
3f7eeb86 1108 {
ee5b1e28
JH		 1109 DEBUG(D_tls)
1110 {
0abc5a13 1111 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3f7eeb86 1112 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
f5d78688
JH		 1113 }
1114 goto bad;
3f7eeb86
PP		 1115 }
1116
1117/* Here's the simplifying assumption: there's only one response, for the
1118one certificate we use, and nothing for anything else in a chain. If this
1119proves false, we need to extract a cert id from our issued cert
1120(tls_certificate) and use that for OCSP_resp_find_status() (which finds the
1121right cert in the stack and then calls OCSP_single_get0_status()).
1122
1123I'm hoping to avoid reworking a bunch more of how we handle state here. */
ee5b1e28
JH		 1124
1125if (!(single_response = OCSP_resp_get0(basic_response, 0)))
3f7eeb86
PP		 1126 {
1127 DEBUG(D_tls)
1128 debug_printf("Unable to get first response from OCSP basic response.\n");
f5d78688 1129 goto bad;
3f7eeb86
PP		 1130 }
1131
1132status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
f5d78688 1133if (status != V_OCSP_CERTSTATUS_GOOD)
3f7eeb86 1134 {
f5d78688
JH		 1135 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
1136 OCSP_cert_status_str(status), status,
1137 OCSP_crl_reason_str(reason), reason);
1138 goto bad;
3f7eeb86
PP		 1139 }
1140
1141if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1142 {
1143 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
f5d78688 1144 goto bad;
3f7eeb86
PP		 1145 }
1146
f5d78688 1147supply_response:
47195144 1148 cbinfo->u_ocsp.server.response = resp; /*XXX stack?*/
f5d78688
JH		 1149return;
1150
1151bad:
8768d548 1152 if (f.running_in_test_harness)
018058b2
JH		 1153 {
1154 extern char ** environ;
d7978c0f 1155 if (environ) for (uschar ** p = USS environ; *p; p++)
018058b2
JH		 1156 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
1157 {
1158 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
1159 goto supply_response;
1160 }
1161 }
f5d78688 1162return;
3f7eeb86 1163}
f2de3a33 1164#endif /*!DISABLE_OCSP*/
3f7eeb86
PP		 1165
1166
1167
1168
23bb6982
JH		 1169/* Create and install a selfsigned certificate, for use in server mode */
1170
1171static int
cf0c6164 1172tls_install_selfsign(SSL_CTX * sctx, uschar ** errstr)
23bb6982
JH		 1173{
1174X509 * x509 = NULL;
1175EVP_PKEY * pkey;
1176RSA * rsa;
1177X509_NAME * name;
1178uschar * where;
1179
1180where = US"allocating pkey";
1181if (!(pkey = EVP_PKEY_new()))
1182 goto err;
1183
1184where = US"allocating cert";
1185if (!(x509 = X509_new()))
1186 goto err;
1187
1188where = US"generating pkey";
6aac3239 1189if (!(rsa = rsa_callback(NULL, 0, 2048)))
23bb6982
JH		 1190 goto err;
1191
4c04137d 1192where = US"assigning pkey";
23bb6982
JH		 1193if (!EVP_PKEY_assign_RSA(pkey, rsa))
1194 goto err;
1195
1196X509_set_version(x509, 2); /* N+1 - version 3 */
1613fd68 1197ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
23bb6982
JH		 1198X509_gmtime_adj(X509_get_notBefore(x509), 0);
1199X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60); /* 1 hour */
1200X509_set_pubkey(x509, pkey);
1201
1202name = X509_get_subject_name(x509);
1203X509_NAME_add_entry_by_txt(name, "C",
4dc2379a 1204 MBSTRING_ASC, CUS "UK", -1, -1, 0);
23bb6982 1205X509_NAME_add_entry_by_txt(name, "O",
4dc2379a 1206 MBSTRING_ASC, CUS "Exim Developers", -1, -1, 0);
23bb6982 1207X509_NAME_add_entry_by_txt(name, "CN",
4dc2379a 1208 MBSTRING_ASC, CUS smtp_active_hostname, -1, -1, 0);
23bb6982
JH		 1209X509_set_issuer_name(x509, name);
1210
1211where = US"signing cert";
1212if (!X509_sign(x509, pkey, EVP_md5()))
1213 goto err;
1214
1215where = US"installing selfsign cert";
1216if (!SSL_CTX_use_certificate(sctx, x509))
1217 goto err;
1218
1219where = US"installing selfsign key";
1220if (!SSL_CTX_use_PrivateKey(sctx, pkey))
1221 goto err;
1222
1223return OK;
1224
1225err:
cf0c6164 1226 (void) tls_error(where, NULL, NULL, errstr);
23bb6982
JH		 1227 if (x509) X509_free(x509);
1228 if (pkey) EVP_PKEY_free(pkey);
1229 return DEFER;
1230}
1231
1232
1233
1234
ba86e143
JH		 1235static int
1236tls_add_certfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1237 uschar ** errstr)
1238{
1239DEBUG(D_tls) debug_printf("tls_certificate file %s\n", file);
1240if (!SSL_CTX_use_certificate_chain_file(sctx, CS file))
1241 return tls_error(string_sprintf(
1242 "SSL_CTX_use_certificate_chain_file file=%s", file),
1243 cbinfo->host, NULL, errstr);
1244return 0;
1245}
1246
1247static int
1248tls_add_pkeyfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1249 uschar ** errstr)
1250{
1251DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", file);
1252if (!SSL_CTX_use_PrivateKey_file(sctx, CS file, SSL_FILETYPE_PEM))
1253 return tls_error(string_sprintf(
1254 "SSL_CTX_use_PrivateKey_file file=%s", file), cbinfo->host, NULL, errstr);
1255return 0;
1256}
1257
1258
7be682ca
PP		 1259/*************************************************
1260* Expand key and cert file specs *
1261*************************************************/
1262
f5d78688 1263/* Called once during tls_init and possibly again during TLS setup, for a
7be682ca
PP		 1264new context, if Server Name Indication was used and tls_sni was seen in
1265the certificate string.
1266
1267Arguments:
1268 sctx the SSL_CTX* to update
1269 cbinfo various parts of session state
cf0c6164 1270 errstr error string pointer
7be682ca
PP		 1271
1272Returns: OK/DEFER/FAIL
1273*/
1274
1275static int
cf0c6164
JH		 1276tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo,
1277 uschar ** errstr)
7be682ca
PP		 1278{
1279uschar *expanded;
1280
23bb6982 1281if (!cbinfo->certificate)
7be682ca 1282 {
ba86e143 1283 if (!cbinfo->is_server) /* client */
23bb6982 1284 return OK;
afdb5e9c 1285 /* server */
cf0c6164 1286 if (tls_install_selfsign(sctx, errstr) != OK)
23bb6982 1287 return DEFER;
7be682ca 1288 }
23bb6982
JH		 1289else
1290 {
ba86e143
JH		 1291 int err;
1292
23bb6982
JH		 1293 if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
1294 Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
1295 Ustrstr(cbinfo->certificate, US"tls_out_sni")
1296 )
1297 reexpand_tls_files_for_sni = TRUE;
7be682ca 1298
cf0c6164 1299 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded, errstr))
23bb6982
JH		 1300 return DEFER;
1301
ba86e143
JH		 1302 if (expanded)
1303 if (cbinfo->is_server)
1304 {
1305 const uschar * file_list = expanded;
1306 int sep = 0;
1307 uschar * file;
1308
1309 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1310 if ((err = tls_add_certfile(sctx, cbinfo, file, errstr)))
1311 return err;
1312 }
1313 else /* would there ever be a need for multiple client certs? */
1314 if ((err = tls_add_certfile(sctx, cbinfo, expanded, errstr)))
1315 return err;
7be682ca 1316
5a2a0989
JH		 1317 if ( cbinfo->privatekey
1318 && !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded, errstr))
23bb6982 1319 return DEFER;
7be682ca 1320
23bb6982
JH		 1321 /* If expansion was forced to fail, key_expanded will be NULL. If the result
1322 of the expansion is an empty string, ignore it also, and assume the private
1323 key is in the same file as the certificate. */
1324
1325 if (expanded && *expanded)
ba86e143
JH		 1326 if (cbinfo->is_server)
1327 {
1328 const uschar * file_list = expanded;
1329 int sep = 0;
1330 uschar * file;
1331
1332 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1333 if ((err = tls_add_pkeyfile(sctx, cbinfo, file, errstr)))
1334 return err;
1335 }
1336 else /* would there ever be a need for multiple client certs? */
1337 if ((err = tls_add_pkeyfile(sctx, cbinfo, expanded, errstr)))
1338 return err;
7be682ca
PP		 1339 }
1340
f2de3a33 1341#ifndef DISABLE_OCSP
f40d5be3 1342if (cbinfo->is_server && cbinfo->u_ocsp.server.file)
3f7eeb86 1343 {
47195144 1344 /*XXX stack*/
cf0c6164 1345 if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded, errstr))
3f7eeb86
PP		 1346 return DEFER;
1347
f40d5be3 1348 if (expanded && *expanded)
3f7eeb86
PP		 1349 {
1350 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
f40d5be3
JH		 1351 if ( cbinfo->u_ocsp.server.file_expanded
1352 && (Ustrcmp(expanded, cbinfo->u_ocsp.server.file_expanded) == 0))
3f7eeb86 1353 {
f40d5be3
JH		 1354 DEBUG(D_tls) debug_printf(" - value unchanged, using existing values\n");
1355 }
1356 else
f40d5be3 1357 ocsp_load_response(sctx, cbinfo, expanded);
3f7eeb86
PP		 1358 }
1359 }
1360#endif
1361
7be682ca
PP		 1362return OK;
1363}
1364
1365
1366
1367
1368/*************************************************
1369* Callback to handle SNI *
1370*************************************************/
1371
1372/* Called when acting as server during the TLS session setup if a Server Name
1373Indication extension was sent by the client.
1374
1375API documentation is OpenSSL s_server.c implementation.
1376
1377Arguments:
1378 s SSL* of the current session
1379 ad unknown (part of OpenSSL API) (unused)
1380 arg Callback of "our" registered data
1381
1382Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
1383*/
1384
3bcbbbe2 1385#ifdef EXIM_HAVE_OPENSSL_TLSEXT
7be682ca
PP		 1386static int
1387tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
1388{
1389const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
3f7eeb86 1390tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
7be682ca 1391int rc;
3f0945ff 1392int old_pool = store_pool;
cf0c6164 1393uschar * dummy_errstr;
7be682ca
PP		 1394
1395if (!servername)
1396 return SSL_TLSEXT_ERR_OK;
1397
3f0945ff 1398DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
7be682ca
PP		 1399 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
1400
1401/* Make the extension value available for expansion */
3f0945ff 1402store_pool = POOL_PERM;
817d9f57 1403tls_in.sni = string_copy(US servername);
3f0945ff 1404store_pool = old_pool;
7be682ca
PP		 1405
1406if (!reexpand_tls_files_for_sni)
1407 return SSL_TLSEXT_ERR_OK;
1408
1409/* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
1410not confident that memcpy wouldn't break some internal reference counting.
1411Especially since there's a references struct member, which would be off. */
1412
7a8b9519
JH		 1413#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1414if (!(server_sni = SSL_CTX_new(TLS_server_method())))
1415#else
0df4ab80 1416if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
7a8b9519 1417#endif
7be682ca 1418 {
0abc5a13 1419 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
7be682ca 1420 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
5a2a0989 1421 goto bad;
7be682ca
PP		 1422 }
1423
1424/* Not sure how many of these are actually needed, since SSL object
1425already exists. Might even need this selfsame callback, for reneg? */
1426
817d9f57
JH		 1427SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
1428SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
1429SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
1430SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
1431SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
1432SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
038597d2 1433
cf0c6164
JH		 1434if ( !init_dh(server_sni, cbinfo->dhparam, NULL, &dummy_errstr)
1435 || !init_ecdh(server_sni, NULL, &dummy_errstr)
038597d2 1436 )
5a2a0989 1437 goto bad;
038597d2 1438
ca954d7f
JH		 1439if ( cbinfo->server_cipher_list
1440 && !SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list))
5a2a0989 1441 goto bad;
ca954d7f 1442
f2de3a33 1443#ifndef DISABLE_OCSP
f5d78688 1444if (cbinfo->u_ocsp.server.file)
3f7eeb86 1445 {
f5d78688 1446 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
14c7b357 1447 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
3f7eeb86
PP		 1448 }
1449#endif
7be682ca 1450
c3033f13 1451if ((rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE,
cf0c6164 1452 verify_callback_server, &dummy_errstr)) != OK)
5a2a0989 1453 goto bad;
7be682ca 1454
3f7eeb86
PP		 1455/* do this after setup_certs, because this can require the certs for verifying
1456OCSP information. */
cf0c6164 1457if ((rc = tls_expand_session_files(server_sni, cbinfo, &dummy_errstr)) != OK)
5a2a0989 1458 goto bad;
a799883d 1459
7be682ca 1460DEBUG(D_tls) debug_printf("Switching SSL context.\n");
817d9f57 1461SSL_set_SSL_CTX(s, server_sni);
7be682ca 1462return SSL_TLSEXT_ERR_OK;
5a2a0989
JH		 1463
1464bad: return SSL_TLSEXT_ERR_ALERT_FATAL;
7be682ca 1465}
3bcbbbe2 1466#endif /* EXIM_HAVE_OPENSSL_TLSEXT */
7be682ca
PP		 1467
1468
1469
1470
f2de3a33 1471#ifndef DISABLE_OCSP
f5d78688 1472
3f7eeb86
PP		 1473/*************************************************
1474* Callback to handle OCSP Stapling *
1475*************************************************/
1476
1477/* Called when acting as server during the TLS session setup if the client
1478requests OCSP information with a Certificate Status Request.
1479
1480Documentation via openssl s_server.c and the Apache patch from the OpenSSL
1481project.
1482
1483*/
1484
1485static int
f5d78688 1486tls_server_stapling_cb(SSL *s, void *arg)
3f7eeb86
PP		 1487{
1488const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
47195144 1489uschar *response_der; /*XXX blob */
3f7eeb86
PP		 1490int response_der_len;
1491
47195144
JH		 1492/*XXX stack: use SSL_get_certificate() to see which cert; from that work
1493out which ocsp blob to send. Unfortunately, SSL_get_certificate is known
1494buggy in current OpenSSL; it returns the last cert loaded always rather than
1495the one actually presented. So we can't support a stack of OCSP proofs at
1496this time. */
1497
af4a1bca 1498DEBUG(D_tls)
b3ef41c9 1499 debug_printf("Received TLS status request (OCSP stapling); %s response\n",
f5d78688
JH		 1500 cbinfo->u_ocsp.server.response ? "have" : "lack");
1501
44662487 1502tls_in.ocsp = OCSP_NOT_RESP;
f5d78688 1503if (!cbinfo->u_ocsp.server.response)
3f7eeb86
PP		 1504 return SSL_TLSEXT_ERR_NOACK;
1505
1506response_der = NULL;
47195144 1507response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response, /*XXX stack*/
44662487 1508 &response_der);
3f7eeb86
PP		 1509if (response_der_len <= 0)
1510 return SSL_TLSEXT_ERR_NOACK;
1511
5e55c7a9 1512SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
44662487 1513tls_in.ocsp = OCSP_VFIED;
3f7eeb86
PP		 1514return SSL_TLSEXT_ERR_OK;
1515}
1516
3f7eeb86 1517
f5d78688
JH		 1518static void
1519time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
1520{
1521BIO_printf(bp, "\t%s: ", str);
1522ASN1_GENERALIZEDTIME_print(bp, time);
1523BIO_puts(bp, "\n");
1524}
1525
1526static int
1527tls_client_stapling_cb(SSL *s, void *arg)
1528{
1529tls_ext_ctx_cb * cbinfo = arg;
1530const unsigned char * p;
1531int len;
1532OCSP_RESPONSE * rsp;
1533OCSP_BASICRESP * bs;
1534int i;
1535
1536DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
1537len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1538if(!p)
1539 {
44662487 1540 /* Expect this when we requested ocsp but got none */
6c6d6e48 1541 if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
44662487 1542 log_write(0, LOG_MAIN, "Received TLS status callback, null content");
f5d78688
JH		 1543 else
1544 DEBUG(D_tls) debug_printf(" null\n");
44662487 1545 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
f5d78688 1546 }
018058b2 1547
f5d78688
JH		 1548if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
1549 {
018058b2 1550 tls_out.ocsp = OCSP_FAILED;
6c6d6e48 1551 if (LOGGING(tls_cipher))
1eca31ca 1552 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
f5d78688
JH		 1553 else
1554 DEBUG(D_tls) debug_printf(" parse error\n");
1555 return 0;
1556 }
1557
1558if(!(bs = OCSP_response_get1_basic(rsp)))
1559 {
018058b2 1560 tls_out.ocsp = OCSP_FAILED;
6c6d6e48 1561 if (LOGGING(tls_cipher))
1eca31ca 1562 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
f5d78688
JH		 1563 else
1564 DEBUG(D_tls) debug_printf(" error parsing response\n");
1565 OCSP_RESPONSE_free(rsp);
1566 return 0;
1567 }
1568
1569/* We'd check the nonce here if we'd put one in the request. */
1570/* However that would defeat cacheability on the server so we don't. */
1571
f5d78688
JH		 1572/* This section of code reworked from OpenSSL apps source;
1573 The OpenSSL Project retains copyright:
1574 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
1575*/
1576 {
1577 BIO * bp = NULL;
f5d78688
JH		 1578 int status, reason;
1579 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1580
57887ecc 1581 DEBUG(D_tls) bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
f5d78688
JH		 1582
1583 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
1584
1585 /* Use the chain that verified the server cert to verify the stapled info */
1586 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
1587
c3033f13 1588 if ((i = OCSP_basic_verify(bs, cbinfo->verify_stack,
44662487 1589 cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
f5d78688 1590 {
018058b2 1591 tls_out.ocsp = OCSP_FAILED;
57887ecc
JH		 1592 if (LOGGING(tls_cipher)) log_write(0, LOG_MAIN,
1593 "Received TLS cert status response, itself unverifiable: %s",
1594 ERR_reason_error_string(ERR_peek_error()));
f5d78688
JH		 1595 BIO_printf(bp, "OCSP response verify failure\n");
1596 ERR_print_errors(bp);
57887ecc 1597 OCSP_RESPONSE_print(bp, rsp, 0);
c8dfb21d 1598 goto failed;
f5d78688
JH		 1599 }
1600
1601 BIO_printf(bp, "OCSP response well-formed and signed OK\n");
1602
c8dfb21d
JH		 1603 /*XXX So we have a good stapled OCSP status. How do we know
1604 it is for the cert of interest? OpenSSL 1.1.0 has a routine
1605 OCSP_resp_find_status() which matches on a cert id, which presumably
1606 we should use. Making an id needs OCSP_cert_id_new(), which takes
1607 issuerName, issuerKey, serialNumber. Are they all in the cert?
1608
1609 For now, carry on blindly accepting the resp. */
1610
f5d78688 1611 {
f5d78688
JH		 1612 OCSP_SINGLERESP * single;
1613
c8dfb21d
JH		 1614#ifdef EXIM_HAVE_OCSP_RESP_COUNT
1615 if (OCSP_resp_count(bs) != 1)
1616#else
1617 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
f5d78688 1618 if (sk_OCSP_SINGLERESP_num(sresp) != 1)
c8dfb21d 1619#endif
f5d78688 1620 {
018058b2 1621 tls_out.ocsp = OCSP_FAILED;
44662487
JH		 1622 log_write(0, LOG_MAIN, "OCSP stapling "
1623 "with multiple responses not handled");
c8dfb21d 1624 goto failed;
f5d78688
JH		 1625 }
1626 single = OCSP_resp_get0(bs, 0);
44662487
JH		 1627 status = OCSP_single_get0_status(single, &reason, &rev,
1628 &thisupd, &nextupd);
f5d78688
JH		 1629 }
1630
f5d78688
JH		 1631 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
1632 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
44662487
JH		 1633 if (!OCSP_check_validity(thisupd, nextupd,
1634 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
f5d78688 1635 {
018058b2 1636 tls_out.ocsp = OCSP_FAILED;
f5d78688
JH		 1637 DEBUG(D_tls) ERR_print_errors(bp);
1638 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
f5d78688 1639 }
44662487 1640 else
f5d78688 1641 {
44662487
JH		 1642 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
1643 OCSP_cert_status_str(status));
1644 switch(status)
1645 {
1646 case V_OCSP_CERTSTATUS_GOOD:
44662487 1647 tls_out.ocsp = OCSP_VFIED;
018058b2 1648 i = 1;
c8dfb21d 1649 goto good;
44662487 1650 case V_OCSP_CERTSTATUS_REVOKED:
018058b2 1651 tls_out.ocsp = OCSP_FAILED;
44662487
JH		 1652 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
1653 reason != -1 ? "; reason: " : "",
1654 reason != -1 ? OCSP_crl_reason_str(reason) : "");
1655 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
44662487
JH		 1656 break;
1657 default:
018058b2 1658 tls_out.ocsp = OCSP_FAILED;
44662487
JH		 1659 log_write(0, LOG_MAIN,
1660 "Server certificate status unknown, in OCSP stapling");
44662487
JH		 1661 break;
1662 }
f5d78688 1663 }
c8dfb21d
JH		 1664 failed:
1665 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1666 good:
f5d78688
JH		 1667 BIO_free(bp);
1668 }
1669
1670OCSP_RESPONSE_free(rsp);
1671return i;
1672}
f2de3a33 1673#endif /*!DISABLE_OCSP*/
3f7eeb86
PP		 1674
1675
059ec3d9
PH		 1676/*************************************************
1677* Initialize for TLS *
1678*************************************************/
1679
e51c7be2
JH		 1680/* Called from both server and client code, to do preliminary initialization
1681of the library. We allocate and return a context structure.
059ec3d9
PH		 1682
1683Arguments:
946ecbe0 1684 ctxp returned SSL context
059ec3d9
PH		 1685 host connected host, if client; NULL if server
1686 dhparam DH parameter file
1687 certificate certificate file
1688 privatekey private key
f5d78688 1689 ocsp_file file of stapling info (server); flag for require ocsp (client)
059ec3d9 1690 addr address if client; NULL if server (for some randomness)
946ecbe0 1691 cbp place to put allocated callback context
cf0c6164 1692 errstr error string pointer
059ec3d9
PH		 1693
1694Returns: OK/DEFER/FAIL
1695*/
1696
1697static int
817d9f57 1698tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
3f7eeb86 1699 uschar *privatekey,
f2de3a33 1700#ifndef DISABLE_OCSP
47195144 1701 uschar *ocsp_file, /*XXX stack, in server*/
3f7eeb86 1702#endif
cf0c6164 1703 address_item *addr, tls_ext_ctx_cb ** cbp, uschar ** errstr)
059ec3d9 1704{
7006ee24 1705SSL_CTX * ctx;
77bb000f 1706long init_options;
7be682ca 1707int rc;
a7538db1 1708tls_ext_ctx_cb * cbinfo;
7be682ca
PP		 1709
1710cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
1711cbinfo->certificate = certificate;
1712cbinfo->privatekey = privatekey;
a6510420 1713cbinfo->is_server = host==NULL;
f2de3a33 1714#ifndef DISABLE_OCSP
c3033f13 1715cbinfo->verify_stack = NULL;
a6510420 1716if (!host)
f5d78688
JH		 1717 {
1718 cbinfo->u_ocsp.server.file = ocsp_file;
1719 cbinfo->u_ocsp.server.file_expanded = NULL;
1720 cbinfo->u_ocsp.server.response = NULL;
1721 }
1722else
1723 cbinfo->u_ocsp.client.verify_store = NULL;
3f7eeb86 1724#endif
7be682ca 1725cbinfo->dhparam = dhparam;
0df4ab80 1726cbinfo->server_cipher_list = NULL;
7be682ca 1727cbinfo->host = host;
0cbf2b82 1728#ifndef DISABLE_EVENT
a7538db1
JH		 1729cbinfo->event_action = NULL;
1730#endif
77bb000f 1731
7434882d 1732#ifdef EXIM_NEED_OPENSSL_INIT
059ec3d9
PH		 1733SSL_load_error_strings(); /* basic set up */
1734OpenSSL_add_ssl_algorithms();
7434882d 1735#endif
059ec3d9 1736
c8dfb21d 1737#ifdef EXIM_HAVE_SHA256
77bb000f 1738/* SHA256 is becoming ever more popular. This makes sure it gets added to the
a0475b69
TK		 1739list of available digests. */
1740EVP_add_digest(EVP_sha256());
cf1ef1a9 1741#endif
a0475b69 1742
f0f5a555
PP		 1743/* Create a context.
1744The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
1745negotiation in the different methods; as far as I can tell, the only
1746*_{server,client}_method which allows negotiation is SSLv23, which exists even
1747when OpenSSL is built without SSLv2 support.
1748By disabling with openssl_options, we can let admins re-enable with the
1749existing knob. */
059ec3d9 1750
7a8b9519
JH		 1751#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1752if (!(ctx = SSL_CTX_new(host ? TLS_client_method() : TLS_server_method())))
1753#else
7006ee24 1754if (!(ctx = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method())))
7a8b9519 1755#endif
7006ee24 1756 return tls_error(US"SSL_CTX_new", host, NULL, errstr);
059ec3d9
PH		 1757
1758/* It turns out that we need to seed the random number generator this early in
1759order to get the full complement of ciphers to work. It took me roughly a day
1760of work to discover this by experiment.
1761
1762On systems that have /dev/urandom, SSL may automatically seed itself from
1763there. Otherwise, we have to make something up as best we can. Double check
1764afterwards. */
1765
1766if (!RAND_status())
1767 {
1768 randstuff r;
9e3331ea 1769 gettimeofday(&r.tv, NULL);
059ec3d9
PH		 1770 r.p = getpid();
1771
5903c6ff
JH		 1772 RAND_seed(US (&r), sizeof(r));
1773 RAND_seed(US big_buffer, big_buffer_size);
1774 if (addr != NULL) RAND_seed(US addr, sizeof(addr));
059ec3d9
PH		 1775
1776 if (!RAND_status())
7199e1ee 1777 return tls_error(US"RAND_status", host,
cf0c6164 1778 US"unable to seed random number generator", errstr);
059ec3d9
PH		 1779 }
1780
1781/* Set up the information callback, which outputs if debugging is at a suitable
1782level. */
1783
7006ee24 1784DEBUG(D_tls) SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
8a40db1c
JH		 1785#ifdef OPENSSL_HAVE_KEYLOG_CB
1786DEBUG(D_tls) SSL_CTX_set_keylog_callback(ctx, (void (*)())keylog_callback);
1787#endif
059ec3d9 1788
c80c5570 1789/* Automatically re-try reads/writes after renegotiation. */
7006ee24 1790(void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
c80c5570 1791
77bb000f
PP		 1792/* Apply administrator-supplied work-arounds.
1793Historically we applied just one requested option,
1794SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
1795moved to an administrator-controlled list of options to specify and
1796grandfathered in the first one as the default value for "openssl_options".
059ec3d9 1797
77bb000f
PP		 1798No OpenSSL version number checks: the options we accept depend upon the
1799availability of the option value macros from OpenSSL. */
059ec3d9 1800
7006ee24 1801if (!tls_openssl_options_parse(openssl_options, &init_options))
cf0c6164 1802 return tls_error(US"openssl_options parsing failed", host, NULL, errstr);
77bb000f
PP		 1803
1804if (init_options)
1805 {
1806 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
7006ee24 1807 if (!(SSL_CTX_set_options(ctx, init_options)))
77bb000f 1808 return tls_error(string_sprintf(
cf0c6164 1809 "SSL_CTX_set_option(%#lx)", init_options), host, NULL, errstr);
77bb000f
PP		 1810 }
1811else
1812 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
059ec3d9 1813
d7f31bb6
JH		 1814#ifdef OPENSSL_HAVE_NUM_TICKETS
1815SSL_CTX_set_num_tickets(ctx, 0); /* send no TLS1.3 stateful-tickets */
1816#endif
1817
a28050f8
JH		 1818/* We'd like to disable session cache unconditionally, but foolish Outlook
1819Express clients then give up the first TLS connection and make a second one
1820(which works). Only when there is an IMAP service on the same machine.
1821Presumably OE is trying to use the cache for A on B. Leave it enabled for
1822now, until we work out a decent way of presenting control to the config. It
1823will never be used because we use a new context every time. */
1824#ifdef notdef
7006ee24 1825(void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
a28050f8 1826#endif
7006ee24 1827
059ec3d9 1828/* Initialize with DH parameters if supplied */
10ca4f1c 1829/* Initialize ECDH temp key parameter selection */
059ec3d9 1830
7006ee24
JH		 1831if ( !init_dh(ctx, dhparam, host, errstr)
1832 || !init_ecdh(ctx, host, errstr)
038597d2
PP		 1833 )
1834 return DEFER;
059ec3d9 1835
3f7eeb86 1836/* Set up certificate and key (and perhaps OCSP info) */
059ec3d9 1837
7006ee24 1838if ((rc = tls_expand_session_files(ctx, cbinfo, errstr)) != OK)
23bb6982 1839 return rc;
c91535f3 1840
c3033f13
JH		 1841/* If we need to handle SNI or OCSP, do so */
1842
3bcbbbe2 1843#ifdef EXIM_HAVE_OPENSSL_TLSEXT
c3033f13
JH		 1844# ifndef DISABLE_OCSP
1845 if (!(cbinfo->verify_stack = sk_X509_new_null()))
1846 {
1847 DEBUG(D_tls) debug_printf("failed to create stack for stapling verify\n");
1848 return FAIL;
1849 }
1850# endif
1851
7a8b9519 1852if (!host) /* server */
3f0945ff 1853 {
f2de3a33 1854# ifndef DISABLE_OCSP
f5d78688 1855 /* We check u_ocsp.server.file, not server.response, because we care about if
3f7eeb86
PP		 1856 the option exists, not what the current expansion might be, as SNI might
1857 change the certificate and OCSP file in use between now and the time the
1858 callback is invoked. */
f5d78688 1859 if (cbinfo->u_ocsp.server.file)
3f7eeb86 1860 {
7006ee24
JH		 1861 SSL_CTX_set_tlsext_status_cb(ctx, tls_server_stapling_cb);
1862 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
3f7eeb86 1863 }
f5d78688 1864# endif
3f0945ff
PP		 1865 /* We always do this, so that $tls_sni is available even if not used in
1866 tls_certificate */
7006ee24
JH		 1867 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
1868 SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
3f0945ff 1869 }
f2de3a33 1870# ifndef DISABLE_OCSP
f5d78688
JH		 1871else /* client */
1872 if(ocsp_file) /* wanting stapling */
1873 {
1874 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
1875 {
1876 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
1877 return FAIL;
1878 }
7006ee24
JH		 1879 SSL_CTX_set_tlsext_status_cb(ctx, tls_client_stapling_cb);
1880 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
f5d78688
JH		 1881 }
1882# endif
7be682ca 1883#endif
059ec3d9 1884
e51c7be2 1885cbinfo->verify_cert_hostnames = NULL;
e51c7be2 1886
c8dfb21d 1887#ifdef EXIM_HAVE_EPHEM_RSA_KEX
059ec3d9 1888/* Set up the RSA callback */
7006ee24 1889SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
c8dfb21d 1890#endif
059ec3d9
PH		 1891
1892/* Finally, set the timeout, and we are done */
1893
7006ee24 1894SSL_CTX_set_timeout(ctx, ssl_session_timeout);
059ec3d9 1895DEBUG(D_tls) debug_printf("Initialized TLS\n");
7be682ca 1896
817d9f57 1897*cbp = cbinfo;
7006ee24 1898*ctxp = ctx;
7be682ca 1899
059ec3d9
PH		 1900return OK;
1901}
1902
1903
1904
1905
1906/*************************************************
1907* Get name of cipher in use *
1908*************************************************/
1909
817d9f57 1910/*
059ec3d9 1911Argument: pointer to an SSL structure for the connection
817d9f57
JH		 1912 buffer to use for answer
1913 size of buffer
1914 pointer to number of bits for cipher
059ec3d9
PH		 1915Returns: nothing
1916*/
1917
1918static void
817d9f57 1919construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits)
059ec3d9 1920{
7a8b9519 1921/* With OpenSSL 1.0.0a, 'c' needs to be const but the documentation doesn't
57b3a7f5
PP		 1922yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
1923the accessor functions use const in the prototype. */
059ec3d9 1924
7a8b9519
JH		 1925const uschar * ver = CUS SSL_get_version(ssl);
1926const SSL_CIPHER * c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
059ec3d9 1927
817d9f57 1928SSL_CIPHER_get_bits(c, bits);
059ec3d9 1929
817d9f57
JH		 1930string_format(cipherbuf, bsize, "%s:%s:%u", ver,
1931 SSL_CIPHER_get_name(c), *bits);
059ec3d9
PH		 1932
1933DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
1934}
1935
1936
f69979cf 1937static void
70e384dd 1938peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned siz)
f69979cf
JH		 1939{
1940/*XXX we might consider a list-of-certs variable for the cert chain.
1941SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
1942in list-handling functions, also consider the difference between the entire
1943chain and the elements sent by the peer. */
1944
70e384dd
JH		 1945tlsp->peerdn = NULL;
1946
f69979cf
JH		 1947/* Will have already noted peercert on a verify fail; possibly not the leaf */
1948if (!tlsp->peercert)
1949 tlsp->peercert = SSL_get_peer_certificate(ssl);
1950/* Beware anonymous ciphers which lead to server_cert being NULL */
1951if (tlsp->peercert)
70e384dd
JH		 1952 if (!X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, siz))
1953 { DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n"); }
1954 else
1955 {
1956 peerdn[siz-1] = '\0';
1957 tlsp->peerdn = peerdn; /*XXX a static buffer... */
1958 }
f69979cf
JH		 1959}
1960
1961
059ec3d9
PH		 1962
1963
1964
1965/*************************************************
1966* Set up for verifying certificates *
1967*************************************************/
1968
0e8aed8a 1969#ifndef DISABLE_OCSP
c3033f13
JH		 1970/* Load certs from file, return TRUE on success */
1971
1972static BOOL
1973chain_from_pem_file(const uschar * file, STACK_OF(X509) * verify_stack)
1974{
1975BIO * bp;
1976X509 * x;
1977
dec766a1
WB		 1978while (sk_X509_num(verify_stack) > 0)
1979 X509_free(sk_X509_pop(verify_stack));
1980
c3033f13
JH		 1981if (!(bp = BIO_new_file(CS file, "r"))) return FALSE;
1982while ((x = PEM_read_bio_X509(bp, NULL, 0, NULL)))
1983 sk_X509_push(verify_stack, x);
1984BIO_free(bp);
1985return TRUE;
1986}
0e8aed8a 1987#endif
c3033f13
JH		 1988
1989
1990
dec766a1
WB		 1991/* Called by both client and server startup; on the server possibly
1992repeated after a Server Name Indication.
059ec3d9
PH		 1993
1994Arguments:
7be682ca 1995 sctx SSL_CTX* to initialise
059ec3d9
PH		 1996 certs certs file or NULL
1997 crl CRL file or NULL
1998 host NULL in a server; the remote host in a client
1999 optional TRUE if called from a server for a host in tls_try_verify_hosts;
2000 otherwise passed as FALSE
983207c1 2001 cert_vfy_cb Callback function for certificate verification
cf0c6164 2002 errstr error string pointer
059ec3d9
PH		 2003
2004Returns: OK/DEFER/FAIL
2005*/
2006
2007static int
983207c1 2008setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
cf0c6164 2009 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr)
059ec3d9
PH		 2010{
2011uschar *expcerts, *expcrl;
2012
cf0c6164 2013if (!expand_check(certs, US"tls_verify_certificates", &expcerts, errstr))
059ec3d9 2014 return DEFER;
57cc2785 2015DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
059ec3d9 2016
10a831a3 2017if (expcerts && *expcerts)
059ec3d9 2018 {
10a831a3
JH		 2019 /* Tell the library to use its compiled-in location for the system default
2020 CA bundle. Then add the ones specified in the config, if any. */
cb1d7830 2021
10a831a3 2022 if (!SSL_CTX_set_default_verify_paths(sctx))
cf0c6164 2023 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL, errstr);
10a831a3
JH		 2024
2025 if (Ustrcmp(expcerts, "system") != 0)
059ec3d9 2026 {
cb1d7830
JH		 2027 struct stat statbuf;
2028
cb1d7830
JH		 2029 if (Ustat(expcerts, &statbuf) < 0)
2030 {
2031 log_write(0, LOG_MAIN|LOG_PANIC,
2032 "failed to stat %s for certificates", expcerts);
2033 return DEFER;
2034 }
059ec3d9 2035 else
059ec3d9 2036 {
cb1d7830
JH		 2037 uschar *file, *dir;
2038 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
2039 { file = NULL; dir = expcerts; }
2040 else
c3033f13
JH		 2041 {
2042 file = expcerts; dir = NULL;
2043#ifndef DISABLE_OCSP
2044 /* In the server if we will be offering an OCSP proof, load chain from
2045 file for verifying the OCSP proof at load time. */
2046
2047 if ( !host
2048 && statbuf.st_size > 0
2049 && server_static_cbinfo->u_ocsp.server.file
2050 && !chain_from_pem_file(file, server_static_cbinfo->verify_stack)
2051 )
2052 {
2053 log_write(0, LOG_MAIN|LOG_PANIC,
57887ecc 2054 "failed to load cert chain from %s", file);
c3033f13
JH		 2055 return DEFER;
2056 }
2057#endif
2058 }
cb1d7830
JH		 2059
2060 /* If a certificate file is empty, the next function fails with an
2061 unhelpful error message. If we skip it, we get the correct behaviour (no
2062 certificates are recognized, but the error message is still misleading (it
c3033f13 2063 says no certificate was supplied). But this is better. */
cb1d7830 2064
f2f2c91b
JH		 2065 if ( (!file || statbuf.st_size > 0)
2066 && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
cf0c6164 2067 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL, errstr);
cb1d7830
JH		 2068
2069 /* Load the list of CAs for which we will accept certs, for sending
2070 to the client. This is only for the one-file tls_verify_certificates
2071 variant.
d7978c0f
JH		 2072 If a list isn't loaded into the server, but some verify locations are set,
2073 the server end appears to make a wildcard request for client certs.
10a831a3 2074 Meanwhile, the client library as default behaviour *ignores* the list
cb1d7830
JH		 2075 we send over the wire - see man SSL_CTX_set_client_cert_cb.
2076 Because of this, and that the dir variant is likely only used for
d7978c0f
JH		 2077 the public-CA bundle (not for a private CA), not worth fixing. */
2078
f2f2c91b 2079 if (file)
cb1d7830 2080 {
2009ecca 2081 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
dec766a1
WB		 2082
2083 SSL_CTX_set_client_CA_list(sctx, names);
f2f2c91b 2084 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
cb1d7830 2085 sk_X509_NAME_num(names));
cb1d7830 2086 }
059ec3d9
PH		 2087 }
2088 }
2089
2090 /* Handle a certificate revocation list. */
2091
10a831a3 2092#if OPENSSL_VERSION_NUMBER > 0x00907000L
059ec3d9 2093
8b417f2c 2094 /* This bit of code is now the version supplied by Lars Mainka. (I have
10a831a3 2095 merely reformatted it into the Exim code style.)
8b417f2c 2096
10a831a3
JH		 2097 "From here I changed the code to add support for multiple crl's
2098 in pem format in one file or to support hashed directory entries in
2099 pem format instead of a file. This method now uses the library function
2100 X509_STORE_load_locations to add the CRL location to the SSL context.
2101 OpenSSL will then handle the verify against CA certs and CRLs by
2102 itself in the verify callback." */
8b417f2c 2103
cf0c6164 2104 if (!expand_check(crl, US"tls_crl", &expcrl, errstr)) return DEFER;
10a831a3 2105 if (expcrl && *expcrl)
059ec3d9 2106 {
8b417f2c
PH		 2107 struct stat statbufcrl;
2108 if (Ustat(expcrl, &statbufcrl) < 0)
2109 {
2110 log_write(0, LOG_MAIN|LOG_PANIC,
2111 "failed to stat %s for certificates revocation lists", expcrl);
2112 return DEFER;
2113 }
2114 else
059ec3d9 2115 {
8b417f2c
PH		 2116 /* is it a file or directory? */
2117 uschar *file, *dir;
7be682ca 2118 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
8b417f2c 2119 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
059ec3d9 2120 {
8b417f2c
PH		 2121 file = NULL;
2122 dir = expcrl;
2123 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
059ec3d9
PH		 2124 }
2125 else
2126 {
8b417f2c
PH		 2127 file = expcrl;
2128 dir = NULL;
2129 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
059ec3d9 2130 }
8b417f2c 2131 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
cf0c6164 2132 return tls_error(US"X509_STORE_load_locations", host, NULL, errstr);
8b417f2c
PH		 2133
2134 /* setting the flags to check against the complete crl chain */
2135
2136 X509_STORE_set_flags(cvstore,
2137 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
059ec3d9 2138 }
059ec3d9
PH		 2139 }
2140
10a831a3 2141#endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
059ec3d9
PH		 2142
2143 /* If verification is optional, don't fail if no certificate */
2144
7be682ca 2145 SSL_CTX_set_verify(sctx,
5a2a0989 2146 SSL_VERIFY_PEER | (optional ? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
983207c1 2147 cert_vfy_cb);
059ec3d9
PH		 2148 }
2149
2150return OK;
2151}
2152
2153
2154
2155/*************************************************
2156* Start a TLS session in a server *
2157*************************************************/
2158
2159/* This is called when Exim is running as a server, after having received
2160the STARTTLS command. It must respond to that command, and then negotiate
2161a TLS session.
2162
2163Arguments:
2164 require_ciphers allowed ciphers
cf0c6164 2165 errstr pointer to error message
059ec3d9
PH		 2166
2167Returns: OK on success
2168 DEFER for errors before the start of the negotiation
4c04137d 2169 FAIL for errors during the negotiation; the server can't
059ec3d9
PH		 2170 continue running.
2171*/
2172
2173int
cf0c6164 2174tls_server_start(const uschar * require_ciphers, uschar ** errstr)
059ec3d9
PH		 2175{
2176int rc;
cf0c6164
JH		 2177uschar * expciphers;
2178tls_ext_ctx_cb * cbinfo;
f69979cf 2179static uschar peerdn[256];
817d9f57 2180static uschar cipherbuf[256];
059ec3d9
PH		 2181
2182/* Check for previous activation */
2183
74f1a423 2184if (tls_in.active.sock >= 0)
059ec3d9 2185 {
cf0c6164 2186 tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
925ac8e4 2187 smtp_printf("554 Already in TLS\r\n", FALSE);
059ec3d9
PH		 2188 return FAIL;
2189 }
2190
2191/* Initialize the SSL library. If it fails, it will already have logged
2192the error. */
2193
817d9f57 2194rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
f2de3a33 2195#ifndef DISABLE_OCSP
47195144 2196 tls_ocsp_file, /*XXX stack*/
3f7eeb86 2197#endif
cf0c6164 2198 NULL, &server_static_cbinfo, errstr);
059ec3d9 2199if (rc != OK) return rc;
817d9f57 2200cbinfo = server_static_cbinfo;
059ec3d9 2201
cf0c6164 2202if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers, errstr))
059ec3d9
PH		 2203 return FAIL;
2204
2205/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
17c76198
PP		 2206were historically separated by underscores. So that I can use either form in my
2207tests, and also for general convenience, we turn underscores into hyphens here.
0c3807a8
JH		 2208
2209XXX SSL_CTX_set_cipher_list() is replaced by SSL_CTX_set_ciphersuites()
2210for TLS 1.3 . Since we do not call it at present we get the default list:
2211TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
17c76198 2212*/
059ec3d9 2213
c3033f13 2214if (expciphers)
059ec3d9 2215 {
c3033f13 2216 uschar * s = expciphers;
059ec3d9
PH		 2217 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
2218 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
817d9f57 2219 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
cf0c6164 2220 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL, errstr);
7be682ca 2221 cbinfo->server_cipher_list = expciphers;
059ec3d9
PH		 2222 }
2223
2224/* If this is a host for which certificate verification is mandatory or
2225optional, set up appropriately. */
2226
817d9f57 2227tls_in.certificate_verified = FALSE;
c0635b6d 2228#ifdef SUPPORT_DANE
53a7196b
JH		 2229tls_in.dane_verified = FALSE;
2230#endif
a2ff477a 2231server_verify_callback_called = FALSE;
059ec3d9
PH		 2232
2233if (verify_check_host(&tls_verify_hosts) == OK)
2234 {
983207c1 2235 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
afdb5e9c 2236 FALSE, verify_callback_server, errstr);
059ec3d9 2237 if (rc != OK) return rc;
a2ff477a 2238 server_verify_optional = FALSE;
059ec3d9
PH		 2239 }
2240else if (verify_check_host(&tls_try_verify_hosts) == OK)
2241 {
983207c1 2242 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
afdb5e9c 2243 TRUE, verify_callback_server, errstr);
059ec3d9 2244 if (rc != OK) return rc;
a2ff477a 2245 server_verify_optional = TRUE;
059ec3d9
PH		 2246 }
2247
2248/* Prepare for new connection */
2249
cf0c6164
JH		 2250if (!(server_ssl = SSL_new(server_ctx)))
2251 return tls_error(US"SSL_new", NULL, NULL, errstr);
da3ad30d
PP		 2252
2253/* Warning: we used to SSL_clear(ssl) here, it was removed.
2254 *
2255 * With the SSL_clear(), we get strange interoperability bugs with
2256 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
2257 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
2258 *
2259 * The SSL_clear() call is to let an existing SSL* be reused, typically after
2260 * session shutdown. In this case, we have a brand new object and there's no
2261 * obvious reason to immediately clear it. I'm guessing that this was
2262 * originally added because of incomplete initialisation which the clear fixed,
2263 * in some historic release.
2264 */
059ec3d9
PH		 2265
2266/* Set context and tell client to go ahead, except in the case of TLS startup
2267on connection, where outputting anything now upsets the clients and tends to
2268make them disconnect. We need to have an explicit fflush() here, to force out
2269the response. Other smtp_printf() calls do not need it, because in non-TLS
2270mode, the fflush() happens when smtp_getc() is called. */
2271
817d9f57
JH		 2272SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
2273if (!tls_in.on_connect)
059ec3d9 2274 {
925ac8e4 2275 smtp_printf("220 TLS go ahead\r\n", FALSE);
059ec3d9
PH		 2276 fflush(smtp_out);
2277 }
2278
2279/* Now negotiate the TLS session. We put our own timer on it, since it seems
2280that the OpenSSL library doesn't. */
2281
817d9f57
JH		 2282SSL_set_wfd(server_ssl, fileno(smtp_out));
2283SSL_set_rfd(server_ssl, fileno(smtp_in));
2284SSL_set_accept_state(server_ssl);
059ec3d9
PH		 2285
2286DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
2287
2288sigalrm_seen = FALSE;
c2a1bba0 2289if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
817d9f57 2290rc = SSL_accept(server_ssl);
c2a1bba0 2291ALARM_CLR(0);
059ec3d9
PH		 2292
2293if (rc <= 0)
2294 {
cf0c6164 2295 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
059ec3d9
PH		 2296 return FAIL;
2297 }
2298
2299DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
25fa0868
JH		 2300ERR_clear_error(); /* Even success can leave errors in the stack. Seen with
2301 anon-authentication ciphersuite negociated. */
059ec3d9
PH		 2302
2303/* TLS has been set up. Adjust the input functions to read via TLS,
2304and initialize things. */
2305
f69979cf
JH		 2306peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
2307
059ec3d9
PH		 2308DEBUG(D_tls)
2309 {
2310 uschar buf[2048];
817d9f57 2311 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)) != NULL)
059ec3d9 2312 debug_printf("Shared ciphers: %s\n", buf);
f20cfa4a
JH		 2313
2314#ifdef EXIM_HAVE_OPENSSL_KEYLOG
2315 {
2316 BIO * bp = BIO_new(BIO_s_mem());
2317 uschar * s;
2318 int len;
2319 SSL_SESSION_print_keylog(bp, SSL_get_session(server_ssl));
2320 len = (int) BIO_get_mem_data(bp, CSS &s);
2321 debug_printf("%.*s", len, s);
2322 BIO_free(bp);
2323 }
2324#endif
059ec3d9
PH		 2325 }
2326
f20cfa4a
JH		 2327construct_cipher_name(server_ssl, cipherbuf, sizeof(cipherbuf), &tls_in.bits);
2328tls_in.cipher = cipherbuf;
2329
9d1c15ef
JH		 2330/* Record the certificate we presented */
2331 {
2332 X509 * crt = SSL_get_certificate(server_ssl);
2333 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
2334 }
059ec3d9 2335
817d9f57
JH		 2336/* Only used by the server-side tls (tls_in), including tls_getc.
2337 Client-side (tls_out) reads (seem to?) go via
2338 smtp_read_response()/ip_recv().
2339 Hence no need to duplicate for _in and _out.
2340 */
b808677c 2341if (!ssl_xfer_buffer) ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
059ec3d9 2342ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
8b77d27a 2343ssl_xfer_eof = ssl_xfer_error = FALSE;
059ec3d9
PH		 2344
2345receive_getc = tls_getc;
0d81dabc 2346receive_getbuf = tls_getbuf;
584e96c6 2347receive_get_cache = tls_get_cache;
059ec3d9
PH		 2348receive_ungetc = tls_ungetc;
2349receive_feof = tls_feof;
2350receive_ferror = tls_ferror;
58eb016e 2351receive_smtp_buffered = tls_smtp_buffered;
059ec3d9 2352
74f1a423
JH		 2353tls_in.active.sock = fileno(smtp_out);
2354tls_in.active.tls_ctx = NULL; /* not using explicit ctx for server-side */
059ec3d9
PH		 2355return OK;
2356}
2357
2358
2359
2360
043b1248
JH		 2361static int
2362tls_client_basic_ctx_init(SSL_CTX * ctx,
cf0c6164
JH		 2363 host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo,
2364 uschar ** errstr)
043b1248
JH		 2365{
2366int rc;
94431adb 2367/* stick to the old behaviour for compatibility if tls_verify_certificates is
043b1248
JH		 2368 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
2369 the specified host patterns if one of them is defined */
2370
610ff438
JH		 2371if ( ( !ob->tls_verify_hosts
2372 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2373 )
3c07dd2d 2374 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
aa2a70ba 2375 )
043b1248 2376 client_verify_optional = FALSE;
3c07dd2d 2377else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
aa2a70ba
JH		 2378 client_verify_optional = TRUE;
2379else
2380 return OK;
2381
2382if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
cf0c6164
JH		 2383 ob->tls_crl, host, client_verify_optional, verify_callback_client,
2384 errstr)) != OK)
aa2a70ba 2385 return rc;
043b1248 2386
3c07dd2d 2387if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
043b1248 2388 {
4af0d74a 2389 cbinfo->verify_cert_hostnames =
8c5d388a 2390#ifdef SUPPORT_I18N
4af0d74a
JH		 2391 string_domain_utf8_to_alabel(host->name, NULL);
2392#else
2393 host->name;
2394#endif
aa2a70ba
JH		 2395 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
2396 cbinfo->verify_cert_hostnames);
043b1248 2397 }
043b1248
JH		 2398return OK;
2399}
059ec3d9 2400
fde080a4 2401
c0635b6d 2402#ifdef SUPPORT_DANE
fde080a4 2403static int
cf0c6164 2404dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa, uschar ** errstr)
fde080a4 2405{
fde080a4
JH		 2406dns_scan dnss;
2407const char * hostnames[2] = { CS host->name, NULL };
2408int found = 0;
2409
2410if (DANESSL_init(ssl, NULL, hostnames) != 1)
cf0c6164 2411 return tls_error(US"hostnames load", host, NULL, errstr);
fde080a4 2412
d7978c0f 2413for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
fde080a4 2414 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
1b76ad22 2415 ) if (rr->type == T_TLSA && rr->size > 3)
fde080a4 2416 {
c3033f13 2417 const uschar * p = rr->data;
fde080a4
JH		 2418 uint8_t usage, selector, mtype;
2419 const char * mdname;
2420
fde080a4 2421 usage = *p++;
133d2546
JH		 2422
2423 /* Only DANE-TA(2) and DANE-EE(3) are supported */
2424 if (usage != 2 && usage != 3) continue;
2425
fde080a4
JH		 2426 selector = *p++;
2427 mtype = *p++;
2428
2429 switch (mtype)
2430 {
133d2546
JH		 2431 default: continue; /* Only match-types 0, 1, 2 are supported */
2432 case 0: mdname = NULL; break;
2433 case 1: mdname = "sha256"; break;
2434 case 2: mdname = "sha512"; break;
fde080a4
JH		 2435 }
2436
133d2546 2437 found++;
fde080a4
JH		 2438 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
2439 {
2440 default:
cf0c6164 2441 return tls_error(US"tlsa load", host, NULL, errstr);
c035b645 2442 case 0: /* action not taken */
fde080a4
JH		 2443 case 1: break;
2444 }
594706ea
JH		 2445
2446 tls_out.tlsa_usage |= 1<<usage;
fde080a4
JH		 2447 }
2448
2449if (found)
2450 return OK;
2451
133d2546 2452log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
6ebd79ec 2453return DEFER;
fde080a4 2454}
c0635b6d 2455#endif /*SUPPORT_DANE*/
fde080a4
JH		 2456
2457
2458
059ec3d9
PH		 2459/*************************************************
2460* Start a TLS session in a client *
2461*************************************************/
2462
2463/* Called from the smtp transport after STARTTLS has been accepted.
2464
2465Argument:
2466 fd the fd of the connection
afdb5e9c
JH		 2467 host connected host (for messages and option-tests)
2468 addr the first address (for some randomness; can be NULL)
a7538db1 2469 tb transport (always smtp)
0e66b3b6 2470 tlsa_dnsa tlsa lookup, if DANE, else null
afdb5e9c 2471 tlsp record details of channel configuration here; must be non-NULL
cf0c6164 2472 errstr error string pointer
059ec3d9 2473
74f1a423 2474Returns: Pointer to TLS session context, or NULL on error
059ec3d9
PH		 2475*/
2476
74f1a423 2477void *
f5d78688 2478tls_client_start(int fd, host_item *host, address_item *addr,
cf0c6164 2479 transport_instance * tb,
c0635b6d 2480#ifdef SUPPORT_DANE
cf0c6164 2481 dns_answer * tlsa_dnsa,
0e66b3b6 2482#endif
74f1a423 2483 tls_support * tlsp, uschar ** errstr)
059ec3d9 2484{
afdb5e9c
JH		 2485smtp_transport_options_block * ob = tb
2486 ? (smtp_transport_options_block *)tb->options_block
2487 : &smtp_transport_option_defaults;
74f1a423 2488exim_openssl_client_tls_ctx * exim_client_ctx;
f69979cf 2489static uschar peerdn[256];
868f5672 2490uschar * expciphers;
059ec3d9 2491int rc;
817d9f57 2492static uschar cipherbuf[256];
043b1248
JH		 2493
2494#ifndef DISABLE_OCSP
043b1248 2495BOOL request_ocsp = FALSE;
6634ac8d 2496BOOL require_ocsp = FALSE;
043b1248 2497#endif
043b1248 2498
74f1a423
JH		 2499rc = store_pool;
2500store_pool = POOL_PERM;
2501exim_client_ctx = store_get(sizeof(exim_openssl_client_tls_ctx));
2502store_pool = rc;
2503
c0635b6d 2504#ifdef SUPPORT_DANE
74f1a423 2505tlsp->tlsa_usage = 0;
043b1248
JH		 2506#endif
2507
f2de3a33 2508#ifndef DISABLE_OCSP
043b1248 2509 {
c0635b6d 2510# ifdef SUPPORT_DANE
4f59c424
JH		 2511 if ( tlsa_dnsa
2512 && ob->hosts_request_ocsp[0] == '*'
2513 && ob->hosts_request_ocsp[1] == '\0'
2514 )
2515 {
2516 /* Unchanged from default. Use a safer one under DANE */
2517 request_ocsp = TRUE;
2518 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
2519 " {= {4}{$tls_out_tlsa_usage}} } "
2520 " {*}{}}";
2521 }
2522# endif
2523
5130845b 2524 if ((require_ocsp =
3c07dd2d 2525 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK))
fca41d5a
JH		 2526 request_ocsp = TRUE;
2527 else
c0635b6d 2528# ifdef SUPPORT_DANE
4f59c424 2529 if (!request_ocsp)
fca41d5a 2530# endif
5130845b 2531 request_ocsp =
3c07dd2d 2532 verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
043b1248 2533 }
f5d78688 2534#endif
059ec3d9 2535
74f1a423 2536rc = tls_init(&exim_client_ctx->ctx, host, NULL,
65867078 2537 ob->tls_certificate, ob->tls_privatekey,
f2de3a33 2538#ifndef DISABLE_OCSP
44662487 2539 (void *)(long)request_ocsp,
3f7eeb86 2540#endif
cf0c6164 2541 addr, &client_static_cbinfo, errstr);
74f1a423 2542if (rc != OK) return NULL;
059ec3d9 2543
74f1a423 2544tlsp->certificate_verified = FALSE;
a2ff477a 2545client_verify_callback_called = FALSE;
059ec3d9 2546
5ec37a55
PP		 2547expciphers = NULL;
2548#ifdef SUPPORT_DANE
2549if (tlsa_dnsa)
2550 {
2551 /* We fall back to tls_require_ciphers if unset, empty or forced failure, but
2552 other failures should be treated as problems. */
2553 if (ob->dane_require_tls_ciphers &&
2554 !expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
2555 &expciphers, errstr))
74f1a423 2556 return NULL;
5ec37a55
PP		 2557 if (expciphers && *expciphers == '\0')
2558 expciphers = NULL;
2559 }
2560#endif
2561if (!expciphers &&
2562 !expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
2563 &expciphers, errstr))
74f1a423 2564 return NULL;
059ec3d9
PH		 2565
2566/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
2567are separated by underscores. So that I can use either form in my tests, and
2568also for general convenience, we turn underscores into hyphens here. */
2569
cf0c6164 2570if (expciphers)
059ec3d9
PH		 2571 {
2572 uschar *s = expciphers;
cf0c6164 2573 while (*s) { if (*s == '_') *s = '-'; s++; }
059ec3d9 2574 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
74f1a423
JH		 2575 if (!SSL_CTX_set_cipher_list(exim_client_ctx->ctx, CS expciphers))
2576 {
2577 tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr);
2578 return NULL;
2579 }
059ec3d9
PH		 2580 }
2581
c0635b6d 2582#ifdef SUPPORT_DANE
0e66b3b6 2583if (tlsa_dnsa)
a63be306 2584 {
74f1a423 2585 SSL_CTX_set_verify(exim_client_ctx->ctx,
02af313d
JH		 2586 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2587 verify_callback_client_dane);
e5cccda9 2588
043b1248 2589 if (!DANESSL_library_init())
74f1a423
JH		 2590 {
2591 tls_error(US"library init", host, NULL, errstr);
2592 return NULL;
2593 }
2594 if (DANESSL_CTX_init(exim_client_ctx->ctx) <= 0)
2595 {
2596 tls_error(US"context init", host, NULL, errstr);
2597 return NULL;
2598 }
043b1248
JH		 2599 }
2600else
e51c7be2 2601
043b1248
JH		 2602#endif
2603
74f1a423
JH		 2604 if (tls_client_basic_ctx_init(exim_client_ctx->ctx, host, ob,
2605 client_static_cbinfo, errstr) != OK)
2606 return NULL;
059ec3d9 2607
74f1a423
JH		 2608if (!(exim_client_ctx->ssl = SSL_new(exim_client_ctx->ctx)))
2609 {
2610 tls_error(US"SSL_new", host, NULL, errstr);
2611 return NULL;
2612 }
2613SSL_set_session_id_context(exim_client_ctx->ssl, sid_ctx, Ustrlen(sid_ctx));
2614SSL_set_fd(exim_client_ctx->ssl, fd);
2615SSL_set_connect_state(exim_client_ctx->ssl);
059ec3d9 2616
65867078 2617if (ob->tls_sni)
3f0945ff 2618 {
74f1a423
JH		 2619 if (!expand_check(ob->tls_sni, US"tls_sni", &tlsp->sni, errstr))
2620 return NULL;
2621 if (!tlsp->sni)
2c9a0e86
PP		 2622 {
2623 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
2624 }
74f1a423
JH		 2625 else if (!Ustrlen(tlsp->sni))
2626 tlsp->sni = NULL;
3f0945ff
PP		 2627 else
2628 {
35731706 2629#ifdef EXIM_HAVE_OPENSSL_TLSEXT
74f1a423
JH		 2630 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tlsp->sni);
2631 SSL_set_tlsext_host_name(exim_client_ctx->ssl, tlsp->sni);
35731706 2632#else
66802652 2633 log_write(0, LOG_MAIN, "SNI unusable with this OpenSSL library version; ignoring \"%s\"\n",
74f1a423 2634 tlsp->sni);
35731706 2635#endif
3f0945ff
PP		 2636 }
2637 }
2638
c0635b6d 2639#ifdef SUPPORT_DANE
0e66b3b6 2640if (tlsa_dnsa)
74f1a423
JH		 2641 if (dane_tlsa_load(exim_client_ctx->ssl, host, tlsa_dnsa, errstr) != OK)
2642 return NULL;
594706ea
JH		 2643#endif
2644
f2de3a33 2645#ifndef DISABLE_OCSP
f5d78688
JH		 2646/* Request certificate status at connection-time. If the server
2647does OCSP stapling we will get the callback (set in tls_init()) */
c0635b6d 2648# ifdef SUPPORT_DANE
594706ea
JH		 2649if (request_ocsp)
2650 {
2651 const uschar * s;
41afb5cb
JH		 2652 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
2653 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
594706ea
JH		 2654 )
2655 { /* Re-eval now $tls_out_tlsa_usage is populated. If
2656 this means we avoid the OCSP request, we wasted the setup
2657 cost in tls_init(). */
3c07dd2d 2658 require_ocsp = verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
5130845b 2659 request_ocsp = require_ocsp
3c07dd2d 2660 || verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
594706ea
JH		 2661 }
2662 }
b50c8b84
JH		 2663# endif
2664
44662487
JH		 2665if (request_ocsp)
2666 {
74f1a423 2667 SSL_set_tlsext_status_type(exim_client_ctx->ssl, TLSEXT_STATUSTYPE_ocsp);
44662487 2668 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
74f1a423 2669 tlsp->ocsp = OCSP_NOT_RESP;
44662487 2670 }
f5d78688
JH		 2671#endif
2672
0cbf2b82 2673#ifndef DISABLE_EVENT
afdb5e9c 2674client_static_cbinfo->event_action = tb ? tb->event_action : NULL;
a7538db1 2675#endif
043b1248 2676
059ec3d9
PH		 2677/* There doesn't seem to be a built-in timeout on connection. */
2678
2679DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
2680sigalrm_seen = FALSE;
c2a1bba0 2681ALARM(ob->command_timeout);
74f1a423 2682rc = SSL_connect(exim_client_ctx->ssl);
c2a1bba0 2683ALARM_CLR(0);
059ec3d9 2684
c0635b6d 2685#ifdef SUPPORT_DANE
0e66b3b6 2686if (tlsa_dnsa)
74f1a423 2687 DANESSL_cleanup(exim_client_ctx->ssl);
043b1248
JH		 2688#endif
2689
059ec3d9 2690if (rc <= 0)
74f1a423
JH		 2691 {
2692 tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL, errstr);
2693 return NULL;
2694 }
059ec3d9 2695
f20cfa4a
JH		 2696DEBUG(D_tls)
2697 {
2698 debug_printf("SSL_connect succeeded\n");
2699#ifdef EXIM_HAVE_OPENSSL_KEYLOG
2700 {
2701 BIO * bp = BIO_new(BIO_s_mem());
2702 uschar * s;
2703 int len;
2704 SSL_SESSION_print_keylog(bp, SSL_get_session(server_ssl));
2705 len = (int) BIO_get_mem_data(bp, CSS &s);
2706 debug_printf("%.*s", len, s);
2707 BIO_free(bp);
2708 }
2709#endif
2710 }
059ec3d9 2711
74f1a423 2712peer_cert(exim_client_ctx->ssl, tlsp, peerdn, sizeof(peerdn));
059ec3d9 2713
74f1a423
JH		 2714construct_cipher_name(exim_client_ctx->ssl, cipherbuf, sizeof(cipherbuf), &tlsp->bits);
2715tlsp->cipher = cipherbuf;
059ec3d9 2716
9d1c15ef
JH		 2717/* Record the certificate we presented */
2718 {
74f1a423
JH		 2719 X509 * crt = SSL_get_certificate(exim_client_ctx->ssl);
2720 tlsp->ourcert = crt ? X509_dup(crt) : NULL;
9d1c15ef
JH		 2721 }
2722
74f1a423
JH		 2723tlsp->active.sock = fd;
2724tlsp->active.tls_ctx = exim_client_ctx;
2725return exim_client_ctx;
059ec3d9
PH		 2726}
2727
2728
2729
2730
2731
0d81dabc
JH		 2732static BOOL
2733tls_refill(unsigned lim)
2734{
2735int error;
2736int inbytes;
2737
2738DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
2739 ssl_xfer_buffer, ssl_xfer_buffer_size);
2740
c2a1bba0 2741if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
0d81dabc
JH		 2742inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer,
2743 MIN(ssl_xfer_buffer_size, lim));
2744error = SSL_get_error(server_ssl, inbytes);
c2a1bba0 2745if (smtp_receive_timeout > 0) ALARM_CLR(0);
9723f966
JH		 2746
2747if (had_command_timeout) /* set by signal handler */
2748 smtp_command_timeout_exit(); /* does not return */
2749if (had_command_sigterm)
2750 smtp_command_sigterm_exit();
2751if (had_data_timeout)
2752 smtp_data_timeout_exit();
2753if (had_data_sigint)
2754 smtp_data_sigint_exit();
0d81dabc
JH		 2755
2756/* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
2757closed down, not that the socket itself has been closed down. Revert to
2758non-SSL handling. */
2759
74f1a423 2760switch(error)
0d81dabc 2761 {
74f1a423
JH		 2762 case SSL_ERROR_NONE:
2763 break;
2764
2765 case SSL_ERROR_ZERO_RETURN:
2766 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
0d81dabc 2767
74f1a423
JH		 2768 receive_getc = smtp_getc;
2769 receive_getbuf = smtp_getbuf;
2770 receive_get_cache = smtp_get_cache;
2771 receive_ungetc = smtp_ungetc;
2772 receive_feof = smtp_feof;
2773 receive_ferror = smtp_ferror;
2774 receive_smtp_buffered = smtp_buffered;
0d81dabc 2775
74f1a423
JH		 2776 if (SSL_get_shutdown(server_ssl) == SSL_RECEIVED_SHUTDOWN)
2777 SSL_shutdown(server_ssl);
dec766a1 2778
37f0ce65 2779#ifndef DISABLE_OCSP
74f1a423
JH		 2780 sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
2781 server_static_cbinfo->verify_stack = NULL;
37f0ce65 2782#endif
74f1a423
JH		 2783 SSL_free(server_ssl);
2784 SSL_CTX_free(server_ctx);
2785 server_ctx = NULL;
2786 server_ssl = NULL;
2787 tls_in.active.sock = -1;
2788 tls_in.active.tls_ctx = NULL;
2789 tls_in.bits = 0;
2790 tls_in.cipher = NULL;
2791 tls_in.peerdn = NULL;
2792 tls_in.sni = NULL;
0d81dabc 2793
74f1a423 2794 return FALSE;
0d81dabc 2795
74f1a423
JH		 2796 /* Handle genuine errors */
2797 case SSL_ERROR_SSL:
0abc5a13 2798 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
74f1a423
JH		 2799 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
2800 ssl_xfer_error = TRUE;
2801 return FALSE;
0d81dabc 2802
74f1a423
JH		 2803 default:
2804 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
2805 DEBUG(D_tls) if (error == SSL_ERROR_SYSCALL)
2806 debug_printf(" - syscall %s\n", strerror(errno));
2807 ssl_xfer_error = TRUE;
2808 return FALSE;
0d81dabc
JH		 2809 }
2810
2811#ifndef DISABLE_DKIM
2812dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
2813#endif
2814ssl_xfer_buffer_hwm = inbytes;
2815ssl_xfer_buffer_lwm = 0;
2816return TRUE;
2817}
2818
2819
059ec3d9
PH		 2820/*************************************************
2821* TLS version of getc *
2822*************************************************/
2823
2824/* This gets the next byte from the TLS input buffer. If the buffer is empty,
2825it refills the buffer via the SSL reading function.
2826
bd8fbe36 2827Arguments: lim Maximum amount to read/buffer
059ec3d9 2828Returns: the next character or EOF
817d9f57
JH		 2829
2830Only used by the server-side TLS.
059ec3d9
PH		 2831*/
2832
2833int
bd8fbe36 2834tls_getc(unsigned lim)
059ec3d9
PH		 2835{
2836if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
0d81dabc
JH		 2837 if (!tls_refill(lim))
2838 return ssl_xfer_error ? EOF : smtp_getc(lim);
059ec3d9 2839
0d81dabc 2840/* Something in the buffer; return next uschar */
059ec3d9 2841
0d81dabc
JH		 2842return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
2843}
059ec3d9 2844
0d81dabc
JH		 2845uschar *
2846tls_getbuf(unsigned * len)
2847{
2848unsigned size;
2849uschar * buf;
ba084640 2850
0d81dabc
JH		 2851if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
2852 if (!tls_refill(*len))
059ec3d9 2853 {
0d81dabc
JH		 2854 if (!ssl_xfer_error) return smtp_getbuf(len);
2855 *len = 0;
2856 return NULL;
059ec3d9 2857 }
c80c5570 2858
0d81dabc
JH		 2859if ((size = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm) > *len)
2860 size = *len;
2861buf = &ssl_xfer_buffer[ssl_xfer_buffer_lwm];
2862ssl_xfer_buffer_lwm += size;
2863*len = size;
2864return buf;
059ec3d9
PH		 2865}
2866
0d81dabc 2867
584e96c6
JH		 2868void
2869tls_get_cache()
2870{
9960d1e5 2871#ifndef DISABLE_DKIM
584e96c6
JH		 2872int n = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm;
2873if (n > 0)
2874 dkim_exim_verify_feed(ssl_xfer_buffer+ssl_xfer_buffer_lwm, n);
584e96c6 2875#endif
9960d1e5 2876}
584e96c6 2877
059ec3d9 2878
925ac8e4
JH		 2879BOOL
2880tls_could_read(void)
2881{
a5ffa9b4 2882return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm || SSL_pending(server_ssl) > 0;
925ac8e4
JH		 2883}
2884
059ec3d9
PH		 2885
2886/*************************************************
2887* Read bytes from TLS channel *
2888*************************************************/
2889
2890/*
2891Arguments:
74f1a423 2892 ct_ctx client context pointer, or NULL for the one global server context
059ec3d9
PH		 2893 buff buffer of data
2894 len size of buffer
2895
2896Returns: the number of bytes read
afdb5e9c 2897 -1 after a failed read, including EOF
817d9f57
JH		 2898
2899Only used by the client-side TLS.
059ec3d9
PH		 2900*/
2901
2902int
74f1a423 2903tls_read(void * ct_ctx, uschar *buff, size_t len)
059ec3d9 2904{
74f1a423 2905SSL * ssl = ct_ctx ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
059ec3d9
PH		 2906int inbytes;
2907int error;
2908
389ca47a 2909DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
c80c5570 2910 buff, (unsigned int)len);
059ec3d9 2911
389ca47a
JH		 2912inbytes = SSL_read(ssl, CS buff, len);
2913error = SSL_get_error(ssl, inbytes);
059ec3d9
PH		 2914
2915if (error == SSL_ERROR_ZERO_RETURN)
2916 {
2917 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2918 return -1;
2919 }
2920else if (error != SSL_ERROR_NONE)
059ec3d9 2921 return -1;
059ec3d9
PH		 2922
2923return inbytes;
2924}
2925
2926
2927
2928
2929
2930/*************************************************
2931* Write bytes down TLS channel *
2932*************************************************/
2933
2934/*
2935Arguments:
74f1a423 2936 ct_ctx client context pointer, or NULL for the one global server context
059ec3d9
PH		 2937 buff buffer of data
2938 len number of bytes
925ac8e4 2939 more further data expected soon
059ec3d9
PH		 2940
2941Returns: the number of bytes after a successful write,
2942 -1 after a failed write
817d9f57
JH		 2943
2944Used by both server-side and client-side TLS.
059ec3d9
PH		 2945*/
2946
2947int
74f1a423 2948tls_write(void * ct_ctx, const uschar *buff, size_t len, BOOL more)
059ec3d9 2949{
ac35befe 2950size_t olen = len;
d7978c0f 2951int outbytes, error;
74f1a423 2952SSL * ssl = ct_ctx ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
acec9514 2953static gstring * corked = NULL;
a5ffa9b4 2954
ef698bf6 2955DEBUG(D_tls) debug_printf("%s(%p, %lu%s)\n", __FUNCTION__,
b93be52e 2956 buff, (unsigned long)len, more ? ", more" : "");
a5ffa9b4
JH		 2957
2958/* Lacking a CORK or MSG_MORE facility (such as GnuTLS has) we copy data when
2959"more" is notified. This hack is only ok if small amounts are involved AND only
2960one stream does it, in one context (i.e. no store reset). Currently it is used
2961for the responses to the received SMTP MAIL , RCPT, DATA sequence, only. */
ac35befe
JH		 2962/* + if PIPE_COMMAND, banner & ehlo-resp for smmtp-on-connect. Suspect there's
2963a store reset there, so use POOL_PERM. */
2964/* + if CHUNKING, cmds EHLO,MAIL,RCPT(s),BDAT */
a5ffa9b4 2965
ac35befe 2966if ((more || corked))
a5ffa9b4 2967 {
ee8b8090
JH		 2968#ifdef EXPERIMENTAL_PIPE_CONNECT
2969 int save_pool = store_pool;
2970 store_pool = POOL_PERM;
2971#endif
2972
acec9514 2973 corked = string_catn(corked, buff, len);
ee8b8090
JH		 2974
2975#ifdef EXPERIMENTAL_PIPE_CONNECT
2976 store_pool = save_pool;
2977#endif
2978
a5ffa9b4
JH		 2979 if (more)
2980 return len;
acec9514
JH		 2981 buff = CUS corked->s;
2982 len = corked->ptr;
2983 corked = NULL;
a5ffa9b4 2984 }
059ec3d9 2985
d7978c0f 2986for (int left = len; left > 0;)
059ec3d9 2987 {
74f1a423 2988 DEBUG(D_tls) debug_printf("SSL_write(%p, %p, %d)\n", ssl, buff, left);
059ec3d9
PH		 2989 outbytes = SSL_write(ssl, CS buff, left);
2990 error = SSL_get_error(ssl, outbytes);
2991 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
2992 switch (error)
2993 {
2994 case SSL_ERROR_SSL:
0abc5a13 2995 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
96f5fe4c
JH		 2996 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
2997 return -1;
059ec3d9
PH		 2998
2999 case SSL_ERROR_NONE:
96f5fe4c
JH		 3000 left -= outbytes;
3001 buff += outbytes;
3002 break;
059ec3d9
PH		 3003
3004 case SSL_ERROR_ZERO_RETURN:
96f5fe4c
JH		 3005 log_write(0, LOG_MAIN, "SSL channel closed on write");
3006 return -1;
059ec3d9 3007
817d9f57 3008 case SSL_ERROR_SYSCALL:
96f5fe4c
JH		 3009 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
3010 sender_fullhost ? sender_fullhost : US"<unknown>",
3011 strerror(errno));
3012 return -1;
817d9f57 3013
059ec3d9 3014 default:
96f5fe4c
JH		 3015 log_write(0, LOG_MAIN, "SSL_write error %d", error);
3016 return -1;
059ec3d9
PH		 3017 }
3018 }
ac35befe 3019return olen;
059ec3d9
PH		 3020}
3021
3022
3023
3024/*************************************************
3025* Close down a TLS session *
3026*************************************************/
3027
3028/* This is also called from within a delivery subprocess forked from the
3029daemon, to shut down the TLS library, without actually doing a shutdown (which
3030would tamper with the SSL session in the parent process).
3031
dec766a1 3032Arguments:
74f1a423 3033 ct_ctx client TLS context pointer, or NULL for the one global server context
dec766a1
WB		 3034 shutdown 1 if TLS close-alert is to be sent,
3035 2 if also response to be waited for
3036
059ec3d9 3037Returns: nothing
817d9f57
JH		 3038
3039Used by both server-side and client-side TLS.
059ec3d9
PH		 3040*/
3041
3042void
74f1a423 3043tls_close(void * ct_ctx, int shutdown)
059ec3d9 3044{
74f1a423
JH		 3045exim_openssl_client_tls_ctx * o_ctx = ct_ctx;
3046SSL_CTX **ctxp = o_ctx ? &o_ctx->ctx : &server_ctx;
3047SSL **sslp = o_ctx ? &o_ctx->ssl : &server_ssl;
3048int *fdp = o_ctx ? &tls_out.active.sock : &tls_in.active.sock;
817d9f57
JH		 3049
3050if (*fdp < 0) return; /* TLS was not active */
059ec3d9
PH		 3051
3052if (shutdown)
3053 {
dec766a1
WB		 3054 int rc;
3055 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
3056 shutdown > 1 ? " (with response-wait)" : "");
3057
3058 if ( (rc = SSL_shutdown(*sslp)) == 0 /* send "close notify" alert */
3059 && shutdown > 1)
3060 {
c2a1bba0 3061 ALARM(2);
dec766a1 3062 rc = SSL_shutdown(*sslp); /* wait for response */
c2a1bba0 3063 ALARM_CLR(0);
dec766a1
WB		 3064 }
3065
3066 if (rc < 0) DEBUG(D_tls)
3067 {
0abc5a13 3068 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
dec766a1
WB		 3069 debug_printf("SSL_shutdown: %s\n", ssl_errstring);
3070 }
3071 }
3072
37f0ce65 3073#ifndef DISABLE_OCSP
74f1a423 3074if (!o_ctx) /* server side */
dec766a1
WB		 3075 {
3076 sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
dec766a1 3077 server_static_cbinfo->verify_stack = NULL;
059ec3d9 3078 }
37f0ce65 3079#endif
059ec3d9 3080
dec766a1 3081SSL_CTX_free(*ctxp);
817d9f57 3082SSL_free(*sslp);
dec766a1 3083*ctxp = NULL;
817d9f57 3084*sslp = NULL;
817d9f57 3085*fdp = -1;
059ec3d9
PH		 3086}
3087
36f12725
NM		 3088
3089
3090
3375e053
PP		 3091/*************************************************
3092* Let tls_require_ciphers be checked at startup *
3093*************************************************/
3094
3095/* The tls_require_ciphers option, if set, must be something which the
3096library can parse.
3097
3098Returns: NULL on success, or error message
3099*/
3100
3101uschar *
3102tls_validate_require_cipher(void)
3103{
3104SSL_CTX *ctx;
3105uschar *s, *expciphers, *err;
3106
3107/* this duplicates from tls_init(), we need a better "init just global
3108state, for no specific purpose" singleton function of our own */
3109
7434882d 3110#ifdef EXIM_NEED_OPENSSL_INIT
3375e053
PP		 3111SSL_load_error_strings();
3112OpenSSL_add_ssl_algorithms();
7434882d 3113#endif
3375e053
PP		 3114#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
3115/* SHA256 is becoming ever more popular. This makes sure it gets added to the
3116list of available digests. */
3117EVP_add_digest(EVP_sha256());
3118#endif
3119
3120if (!(tls_require_ciphers && *tls_require_ciphers))
3121 return NULL;
3122
cf0c6164
JH		 3123if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
3124 &err))
3375e053
PP		 3125 return US"failed to expand tls_require_ciphers";
3126
3127if (!(expciphers && *expciphers))
3128 return NULL;
3129
3130/* normalisation ripped from above */
3131s = expciphers;
3132while (*s != 0) { if (*s == '_') *s = '-'; s++; }
3133
3134err = NULL;
3135
7a8b9519
JH		 3136#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
3137if (!(ctx = SSL_CTX_new(TLS_server_method())))
3138#else
3139if (!(ctx = SSL_CTX_new(SSLv23_server_method())))
3140#endif
3375e053 3141 {
0abc5a13 3142 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3375e053
PP		 3143 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
3144 }
3145
3146DEBUG(D_tls)
3147 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
3148
3149if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
3150 {
0abc5a13 3151 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
cf0c6164
JH		 3152 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed: %s",
3153 expciphers, ssl_errstring);
3375e053
PP		 3154 }
3155
3156SSL_CTX_free(ctx);
3157
3158return err;
3159}
3160
3161
3162
3163
36f12725
NM		 3164/*************************************************
3165* Report the library versions. *
3166*************************************************/
3167
3168/* There have historically been some issues with binary compatibility in
3169OpenSSL libraries; if Exim (like many other applications) is built against
3170one version of OpenSSL but the run-time linker picks up another version,
3171it can result in serious failures, including crashing with a SIGSEGV. So
3172report the version found by the compiler and the run-time version.
3173
f64a1e23
PP		 3174Note: some OS vendors backport security fixes without changing the version
3175number/string, and the version date remains unchanged. The _build_ date
3176will change, so we can more usefully assist with version diagnosis by also
3177reporting the build date.
3178
36f12725
NM		 3179Arguments: a FILE* to print the results to
3180Returns: nothing
3181*/
3182
3183void
3184tls_version_report(FILE *f)
3185{
754a0503 3186fprintf(f, "Library version: OpenSSL: Compile: %s\n"
f64a1e23
PP		 3187 " Runtime: %s\n"
3188 " : %s\n",
754a0503 3189 OPENSSL_VERSION_TEXT,
f64a1e23
PP		 3190 SSLeay_version(SSLEAY_VERSION),
3191 SSLeay_version(SSLEAY_BUILT_ON));
3192/* third line is 38 characters for the %s and the line is 73 chars long;
3193the OpenSSL output includes a "built on: " prefix already. */
36f12725
NM		 3194}
3195
9e3331ea
TK		 3196
3197
3198
3199/*************************************************
17c76198 3200* Random number generation *
9e3331ea
TK		 3201*************************************************/
3202
3203/* Pseudo-random number generation. The result is not expected to be
3204cryptographically strong but not so weak that someone will shoot themselves
3205in the foot using it as a nonce in input in some email header scheme or
3206whatever weirdness they'll twist this into. The result should handle fork()
3207and avoid repeating sequences. OpenSSL handles that for us.
3208
3209Arguments:
3210 max range maximum
3211Returns a random number in range [0, max-1]
3212*/
3213
3214int
17c76198 3215vaguely_random_number(int max)
9e3331ea
TK		 3216{
3217unsigned int r;
3218int i, needed_len;
de6135a0
PP		 3219static pid_t pidlast = 0;
3220pid_t pidnow;
9e3331ea
TK		 3221uschar smallbuf[sizeof(r)];
3222
3223if (max <= 1)
3224 return 0;
3225
de6135a0
PP		 3226pidnow = getpid();
3227if (pidnow != pidlast)
3228 {
3229 /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
3230 is unique for each thread", this doesn't apparently apply across processes,
3231 so our own warning from vaguely_random_number_fallback() applies here too.
3232 Fix per PostgreSQL. */
3233 if (pidlast != 0)
3234 RAND_cleanup();
3235 pidlast = pidnow;
3236 }
3237
9e3331ea
TK		 3238/* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
3239if (!RAND_status())
3240 {
3241 randstuff r;
3242 gettimeofday(&r.tv, NULL);
3243 r.p = getpid();
3244
5903c6ff 3245 RAND_seed(US (&r), sizeof(r));
9e3331ea
TK		 3246 }
3247/* We're after pseudo-random, not random; if we still don't have enough data
3248in the internal PRNG then our options are limited. We could sleep and hope
3249for entropy to come along (prayer technique) but if the system is so depleted
3250in the first place then something is likely to just keep taking it. Instead,
3251we'll just take whatever little bit of pseudo-random we can still manage to
3252get. */
3253
3254needed_len = sizeof(r);
3255/* Don't take 8 times more entropy than needed if int is 8 octets and we were
3256asked for a number less than 10. */
3257for (r = max, i = 0; r; ++i)
3258 r >>= 1;
3259i = (i + 7) / 8;
3260if (i < needed_len)
3261 needed_len = i;
3262
c8dfb21d 3263#ifdef EXIM_HAVE_RAND_PSEUDO
9e3331ea 3264/* We do not care if crypto-strong */
17c76198 3265i = RAND_pseudo_bytes(smallbuf, needed_len);
c8dfb21d
JH		 3266#else
3267i = RAND_bytes(smallbuf, needed_len);
3268#endif
3269
17c76198
PP		 3270if (i < 0)
3271 {
3272 DEBUG(D_all)
3273 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
3274 return vaguely_random_number_fallback(max);
3275 }
3276
9e3331ea 3277r = 0;
d7978c0f
JH		 3278for (uschar * p = smallbuf; needed_len; --needed_len, ++p)
3279 r = 256 * r + *p;
9e3331ea
TK		 3280
3281/* We don't particularly care about weighted results; if someone wants
3282smooth distribution and cares enough then they should submit a patch then. */
3283return r % max;
3284}
3285
77bb000f
PP		 3286
3287
3288
3289/*************************************************
3290* OpenSSL option parse *
3291*************************************************/
3292
3293/* Parse one option for tls_openssl_options_parse below
3294
3295Arguments:
3296 name one option name
3297 value place to store a value for it
3298Returns success or failure in parsing
3299*/
3300
77bb000f 3301
c80c5570 3302
77bb000f
PP		 3303static BOOL
3304tls_openssl_one_option_parse(uschar *name, long *value)
3305{
3306int first = 0;
3307int last = exim_openssl_options_size;
3308while (last > first)
3309 {
3310 int middle = (first + last)/2;
3311 int c = Ustrcmp(name, exim_openssl_options[middle].name);
3312 if (c == 0)
3313 {
3314 *value = exim_openssl_options[middle].value;
3315 return TRUE;
3316 }
3317 else if (c > 0)
3318 first = middle + 1;
3319 else
3320 last = middle;
3321 }
3322return FALSE;
3323}
3324
3325
3326
3327
3328/*************************************************
3329* OpenSSL option parsing logic *
3330*************************************************/
3331
3332/* OpenSSL has a number of compatibility options which an administrator might
3333reasonably wish to set. Interpret a list similarly to decode_bits(), so that
3334we look like log_selector.
3335
3336Arguments:
3337 option_spec the administrator-supplied string of options
3338 results ptr to long storage for the options bitmap
3339Returns success or failure
3340*/
3341
3342BOOL
3343tls_openssl_options_parse(uschar *option_spec, long *results)
3344{
3345long result, item;
d7978c0f 3346uschar *end;
77bb000f
PP		 3347uschar keep_c;
3348BOOL adding, item_parsed;
3349
7006ee24 3350result = SSL_OP_NO_TICKET;
b1770b6e 3351/* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
da3ad30d 3352 * from default because it increases BEAST susceptibility. */
f0f5a555
PP		 3353#ifdef SSL_OP_NO_SSLv2
3354result |= SSL_OP_NO_SSLv2;
3355#endif
a57b6200
JH		 3356#ifdef SSL_OP_SINGLE_DH_USE
3357result |= SSL_OP_SINGLE_DH_USE;
3358#endif
77bb000f 3359
7006ee24 3360if (!option_spec)
77bb000f
PP		 3361 {
3362 *results = result;
3363 return TRUE;
3364 }
3365
d7978c0f 3366for (uschar * s = option_spec; *s != '\0'; /**/)
77bb000f
PP		 3367 {
3368 while (isspace(*s)) ++s;
3369 if (*s == '\0')
3370 break;
3371 if (*s != '+' && *s != '-')
3372 {
3373 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
0e944a0d 3374 "+ or - expected but found \"%s\"\n", s);
77bb000f
PP		 3375 return FALSE;
3376 }
3377 adding = *s++ == '+';
3378 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
3379 keep_c = *end;
3380 *end = '\0';
3381 item_parsed = tls_openssl_one_option_parse(s, &item);
96f5fe4c 3382 *end = keep_c;
77bb000f
PP		 3383 if (!item_parsed)
3384 {
0e944a0d 3385 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
77bb000f
PP		 3386 return FALSE;
3387 }
3388 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
3389 adding ? "adding" : "removing", result, item, s);
3390 if (adding)
3391 result |= item;
3392 else
3393 result &= ~item;
77bb000f
PP		 3394 s = end;
3395 }
3396
3397*results = result;
3398return TRUE;
3399}
3400
8442641e 3401#endif /*!MACRO_PREDEF*/
9d1c15ef
JH		 3402/* vi: aw ai sw=2
3403*/
059ec3d9 3404/* End of tls-openssl.c */
Unnamed repository; edit this file 'description' to name the repository.