General tidying
[exim.git] / src / src / tls-openssl.c
CommitLineData
059ec3d9
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
5a66c31b 5/* Copyright (c) University of Cambridge 1995 - 2014 */
059ec3d9
PH
6/* See the file NOTICE for conditions of use and distribution. */
7
f5d78688
JH
8/* Portions Copyright (c) The OpenSSL Project 1999 */
9
059ec3d9
PH
10/* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11library. It is #included into the tls.c file when that library is used. The
12code herein is based on a patch that was originally contributed by Steve
13Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
14
15No cryptographic code is included in Exim. All this module does is to call
16functions from the OpenSSL library. */
17
18
19/* Heading stuff */
20
21#include <openssl/lhash.h>
22#include <openssl/ssl.h>
23#include <openssl/err.h>
24#include <openssl/rand.h>
3f7eeb86
PP
25#ifdef EXPERIMENTAL_OCSP
26#include <openssl/ocsp.h>
27#endif
28
29#ifdef EXPERIMENTAL_OCSP
30#define EXIM_OCSP_SKEW_SECONDS (300L)
31#define EXIM_OCSP_MAX_AGE (-1L)
32#endif
059ec3d9 33
3bcbbbe2
PP
34#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
35#define EXIM_HAVE_OPENSSL_TLSEXT
36#endif
37
059ec3d9
PH
38/* Structure for collecting random data for seeding. */
39
40typedef struct randstuff {
9e3331ea
TK
41 struct timeval tv;
42 pid_t p;
059ec3d9
PH
43} randstuff;
44
45/* Local static variables */
46
a2ff477a
JH
47static BOOL client_verify_callback_called = FALSE;
48static BOOL server_verify_callback_called = FALSE;
059ec3d9
PH
49static const uschar *sid_ctx = US"exim";
50
d4f09789
PP
51/* We have three different contexts to care about.
52
53Simple case: client, `client_ctx`
54 As a client, we can be doing a callout or cut-through delivery while receiving
55 a message. So we have a client context, which should have options initialised
56 from the SMTP Transport.
57
58Server:
59 There are two cases: with and without ServerNameIndication from the client.
60 Given TLS SNI, we can be using different keys, certs and various other
61 configuration settings, because they're re-expanded with $tls_sni set. This
62 allows vhosting with TLS. This SNI is sent in the handshake.
63 A client might not send SNI, so we need a fallback, and an initial setup too.
64 So as a server, we start out using `server_ctx`.
65 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
66 `server_sni` from `server_ctx` and then initialise settings by re-expanding
67 configuration.
68*/
69
817d9f57
JH
70static SSL_CTX *client_ctx = NULL;
71static SSL_CTX *server_ctx = NULL;
72static SSL *client_ssl = NULL;
73static SSL *server_ssl = NULL;
389ca47a 74
35731706 75#ifdef EXIM_HAVE_OPENSSL_TLSEXT
817d9f57 76static SSL_CTX *server_sni = NULL;
35731706 77#endif
059ec3d9
PH
78
79static char ssl_errstring[256];
80
81static int ssl_session_timeout = 200;
a2ff477a
JH
82static BOOL client_verify_optional = FALSE;
83static BOOL server_verify_optional = FALSE;
059ec3d9 84
f5d78688 85static BOOL reexpand_tls_files_for_sni = FALSE;
059ec3d9
PH
86
87
7be682ca
PP
88typedef struct tls_ext_ctx_cb {
89 uschar *certificate;
90 uschar *privatekey;
3f7eeb86 91#ifdef EXPERIMENTAL_OCSP
f5d78688
JH
92 BOOL is_server;
93 union {
94 struct {
95 uschar *file;
96 uschar *file_expanded;
97 OCSP_RESPONSE *response;
98 } server;
99 struct {
44662487
JH
100 X509_STORE *verify_store; /* non-null if status requested */
101 BOOL verify_required;
f5d78688
JH
102 } client;
103 } u_ocsp;
3f7eeb86 104#endif
7be682ca
PP
105 uschar *dhparam;
106 /* these are cached from first expand */
107 uschar *server_cipher_list;
108 /* only passed down to tls_error: */
109 host_item *host;
110} tls_ext_ctx_cb;
111
112/* should figure out a cleanup of API to handle state preserved per
113implementation, for various reasons, which can be void * in the APIs.
114For now, we hack around it. */
817d9f57
JH
115tls_ext_ctx_cb *client_static_cbinfo = NULL;
116tls_ext_ctx_cb *server_static_cbinfo = NULL;
7be682ca
PP
117
118static int
983207c1
JH
119setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
120 int (*cert_vfy_cb)(int, X509_STORE_CTX *) );
059ec3d9 121
3f7eeb86 122/* Callbacks */
3bcbbbe2 123#ifdef EXIM_HAVE_OPENSSL_TLSEXT
3f7eeb86 124static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
3bcbbbe2 125#endif
3f7eeb86 126#ifdef EXPERIMENTAL_OCSP
f5d78688 127static int tls_server_stapling_cb(SSL *s, void *arg);
3f7eeb86
PP
128#endif
129
059ec3d9
PH
130
131/*************************************************
132* Handle TLS error *
133*************************************************/
134
135/* Called from lots of places when errors occur before actually starting to do
136the TLS handshake, that is, while the session is still in clear. Always returns
137DEFER for a server and FAIL for a client so that most calls can use "return
138tls_error(...)" to do this processing and then give an appropriate return. A
139single function is used for both server and client, because it is called from
140some shared functions.
141
142Argument:
143 prefix text to include in the logged error
144 host NULL if setting up a server;
145 the connected host if setting up a client
7199e1ee 146 msg error message or NULL if we should ask OpenSSL
059ec3d9
PH
147
148Returns: OK/DEFER/FAIL
149*/
150
151static int
7199e1ee 152tls_error(uschar *prefix, host_item *host, uschar *msg)
059ec3d9 153{
7199e1ee
TF
154if (msg == NULL)
155 {
156 ERR_error_string(ERR_get_error(), ssl_errstring);
5ca6d115 157 msg = (uschar *)ssl_errstring;
7199e1ee
TF
158 }
159
059ec3d9
PH
160if (host == NULL)
161 {
7199e1ee 162 uschar *conn_info = smtp_get_connection_info();
5ca6d115 163 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0)
7199e1ee
TF
164 conn_info += 5;
165 log_write(0, LOG_MAIN, "TLS error on %s (%s): %s",
166 conn_info, prefix, msg);
059ec3d9
PH
167 return DEFER;
168 }
169else
170 {
171 log_write(0, LOG_MAIN, "TLS error on connection to %s [%s] (%s): %s",
7199e1ee 172 host->name, host->address, prefix, msg);
059ec3d9
PH
173 return FAIL;
174 }
175}
176
177
178
179/*************************************************
180* Callback to generate RSA key *
181*************************************************/
182
183/*
184Arguments:
185 s SSL connection
186 export not used
187 keylength keylength
188
189Returns: pointer to generated key
190*/
191
192static RSA *
193rsa_callback(SSL *s, int export, int keylength)
194{
195RSA *rsa_key;
196export = export; /* Shut picky compilers up */
197DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
198rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL);
199if (rsa_key == NULL)
200 {
201 ERR_error_string(ERR_get_error(), ssl_errstring);
202 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
203 ssl_errstring);
204 return NULL;
205 }
206return rsa_key;
207}
208
209
210
f5d78688
JH
211/* Extreme debug
212#if defined(EXPERIMENTAL_OCSP)
213void
214x509_store_dump_cert_s_names(X509_STORE * store)
215{
216STACK_OF(X509_OBJECT) * roots= store->objs;
217int i;
218static uschar name[256];
219
220for(i= 0; i<sk_X509_OBJECT_num(roots); i++)
221 {
222 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
223 if(tmp_obj->type == X509_LU_X509)
224 {
225 X509 * current_cert= tmp_obj->data.x509;
226 X509_NAME_oneline(X509_get_subject_name(current_cert), CS name, sizeof(name));
227 debug_printf(" %s\n", name);
228 }
229 }
230}
231#endif
232*/
233
059ec3d9
PH
234
235/*************************************************
236* Callback for verification *
237*************************************************/
238
239/* The SSL library does certificate verification if set up to do so. This
240callback has the current yes/no state is in "state". If verification succeeded,
241we set up the tls_peerdn string. If verification failed, what happens depends
242on whether the client is required to present a verifiable certificate or not.
243
244If verification is optional, we change the state to yes, but still log the
245verification error. For some reason (it really would help to have proper
246documentation of OpenSSL), this callback function then gets called again, this
247time with state = 1. In fact, that's useful, because we can set up the peerdn
248value, but we must take care not to set the private verified flag on the second
249time through.
250
251Note: this function is not called if the client fails to present a certificate
252when asked. We get here only if a certificate has been received. Handling of
253optional verification for this case is done when requesting SSL to verify, by
254setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
255
256Arguments:
257 state current yes/no state as 1/0
258 x509ctx certificate information.
a2ff477a 259 client TRUE for client startup, FALSE for server startup
059ec3d9
PH
260
261Returns: 1 if verified, 0 if not
262*/
263
264static int
f5d78688 265verify_callback(int state, X509_STORE_CTX *x509ctx, tls_support *tlsp, BOOL *calledp, BOOL *optionalp)
059ec3d9
PH
266{
267static uschar txt[256];
268
269X509_NAME_oneline(X509_get_subject_name(x509ctx->current_cert),
270 CS txt, sizeof(txt));
271
272if (state == 0)
273 {
274 log_write(0, LOG_MAIN, "SSL verify error: depth=%d error=%s cert=%s",
275 x509ctx->error_depth,
276 X509_verify_cert_error_string(x509ctx->error),
277 txt);
a2ff477a
JH
278 tlsp->certificate_verified = FALSE;
279 *calledp = TRUE;
9d1c15ef
JH
280 if (!*optionalp)
281 {
282 tlsp->peercert = X509_dup(x509ctx->current_cert);
283 return 0; /* reject */
284 }
059ec3d9
PH
285 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
286 "tls_try_verify_hosts)\n");
059ec3d9
PH
287 }
288
93dcb1c2 289else if (x509ctx->error_depth != 0)
059ec3d9 290 {
93dcb1c2 291 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n",
059ec3d9 292 x509ctx->error_depth, txt);
f5d78688
JH
293#ifdef EXPERIMENTAL_OCSP
294 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
295 { /* client, wanting stapling */
296 /* Add the server cert's signing chain as the one
297 for the verification of the OCSP stapled information. */
298
299 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
300 x509ctx->current_cert))
301 ERR_clear_error();
302 }
303#endif
059ec3d9
PH
304 }
305else
306 {
a2ff477a 307 tlsp->peerdn = txt;
9d1c15ef 308 tlsp->peercert = X509_dup(x509ctx->current_cert);
93dcb1c2
JH
309 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
310 *calledp ? "" : " authenticated", txt);
311 if (!*calledp) tlsp->certificate_verified = TRUE;
312 *calledp = TRUE;
059ec3d9
PH
313 }
314
059ec3d9
PH
315return 1; /* accept */
316}
317
a2ff477a
JH
318static int
319verify_callback_client(int state, X509_STORE_CTX *x509ctx)
320{
f5d78688 321return verify_callback(state, x509ctx, &tls_out, &client_verify_callback_called, &client_verify_optional);
a2ff477a
JH
322}
323
324static int
325verify_callback_server(int state, X509_STORE_CTX *x509ctx)
326{
f5d78688 327return verify_callback(state, x509ctx, &tls_in, &server_verify_callback_called, &server_verify_optional);
a2ff477a
JH
328}
329
059ec3d9
PH
330
331
332/*************************************************
333* Information callback *
334*************************************************/
335
336/* The SSL library functions call this from time to time to indicate what they
7be682ca
PP
337are doing. We copy the string to the debugging output when TLS debugging has
338been requested.
059ec3d9
PH
339
340Arguments:
341 s the SSL connection
342 where
343 ret
344
345Returns: nothing
346*/
347
348static void
349info_callback(SSL *s, int where, int ret)
350{
351where = where;
352ret = ret;
353DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
354}
355
356
357
358/*************************************************
359* Initialize for DH *
360*************************************************/
361
362/* If dhparam is set, expand it, and load up the parameters for DH encryption.
363
364Arguments:
a799883d 365 dhparam DH parameter file or fixed parameter identity string
7199e1ee 366 host connected host, if client; NULL if server
059ec3d9
PH
367
368Returns: TRUE if OK (nothing to set up, or setup worked)
369*/
370
371static BOOL
a799883d 372init_dh(SSL_CTX *sctx, uschar *dhparam, host_item *host)
059ec3d9 373{
059ec3d9
PH
374BIO *bio;
375DH *dh;
376uschar *dhexpanded;
a799883d 377const char *pem;
059ec3d9
PH
378
379if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded))
380 return FALSE;
381
a799883d 382if (dhexpanded == NULL || *dhexpanded == '\0')
059ec3d9 383 {
a799883d 384 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
059ec3d9 385 }
a799883d 386else if (dhexpanded[0] == '/')
059ec3d9 387 {
a799883d
PP
388 bio = BIO_new_file(CS dhexpanded, "r");
389 if (bio == NULL)
059ec3d9 390 {
7199e1ee 391 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
a799883d
PP
392 host, US strerror(errno));
393 return FALSE;
059ec3d9 394 }
a799883d
PP
395 }
396else
397 {
398 if (Ustrcmp(dhexpanded, "none") == 0)
059ec3d9 399 {
a799883d
PP
400 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
401 return TRUE;
059ec3d9 402 }
a799883d
PP
403
404 pem = std_dh_prime_named(dhexpanded);
405 if (!pem)
406 {
407 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
408 host, US strerror(errno));
409 return FALSE;
410 }
411 bio = BIO_new_mem_buf(CS pem, -1);
412 }
413
414dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
415if (dh == NULL)
416 {
059ec3d9 417 BIO_free(bio);
a799883d
PP
418 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
419 host, NULL);
420 return FALSE;
421 }
422
423/* Even if it is larger, we silently return success rather than cause things
424 * to fail out, so that a too-large DH will not knock out all TLS; it's a
425 * debatable choice. */
426if ((8*DH_size(dh)) > tls_dh_max_bits)
427 {
428 DEBUG(D_tls)
429 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d",
430 8*DH_size(dh), tls_dh_max_bits);
431 }
432else
433 {
434 SSL_CTX_set_tmp_dh(sctx, dh);
435 DEBUG(D_tls)
436 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
437 dhexpanded ? dhexpanded : US"default", 8*DH_size(dh));
059ec3d9
PH
438 }
439
a799883d
PP
440DH_free(dh);
441BIO_free(bio);
442
443return TRUE;
059ec3d9
PH
444}
445
446
447
448
3f7eeb86
PP
449#ifdef EXPERIMENTAL_OCSP
450/*************************************************
451* Load OCSP information into state *
452*************************************************/
453
f5d78688 454/* Called to load the server OCSP response from the given file into memory, once
3f7eeb86
PP
455caller has determined this is needed. Checks validity. Debugs a message
456if invalid.
457
458ASSUMES: single response, for single cert.
459
460Arguments:
461 sctx the SSL_CTX* to update
462 cbinfo various parts of session state
463 expanded the filename putatively holding an OCSP response
464
465*/
466
467static void
f5d78688 468ocsp_load_response(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo, const uschar *expanded)
3f7eeb86
PP
469{
470BIO *bio;
471OCSP_RESPONSE *resp;
472OCSP_BASICRESP *basic_response;
473OCSP_SINGLERESP *single_response;
474ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
475X509_STORE *store;
476unsigned long verify_flags;
477int status, reason, i;
478
f5d78688
JH
479cbinfo->u_ocsp.server.file_expanded = string_copy(expanded);
480if (cbinfo->u_ocsp.server.response)
3f7eeb86 481 {
f5d78688
JH
482 OCSP_RESPONSE_free(cbinfo->u_ocsp.server.response);
483 cbinfo->u_ocsp.server.response = NULL;
3f7eeb86
PP
484 }
485
f5d78688 486bio = BIO_new_file(CS cbinfo->u_ocsp.server.file_expanded, "rb");
3f7eeb86
PP
487if (!bio)
488 {
489 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
f5d78688 490 cbinfo->u_ocsp.server.file_expanded);
3f7eeb86
PP
491 return;
492 }
493
494resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
495BIO_free(bio);
496if (!resp)
497 {
498 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
499 return;
500 }
501
502status = OCSP_response_status(resp);
503if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL)
504 {
505 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
506 OCSP_response_status_str(status), status);
f5d78688 507 goto bad;
3f7eeb86
PP
508 }
509
510basic_response = OCSP_response_get1_basic(resp);
511if (!basic_response)
512 {
513 DEBUG(D_tls)
514 debug_printf("OCSP response parse error: unable to extract basic response.\n");
f5d78688 515 goto bad;
3f7eeb86
PP
516 }
517
518store = SSL_CTX_get_cert_store(sctx);
519verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
520
521/* May need to expose ability to adjust those flags?
522OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
523OCSP_TRUSTOTHER OCSP_NOINTERN */
524
525i = OCSP_basic_verify(basic_response, NULL, store, verify_flags);
526if (i <= 0)
527 {
528 DEBUG(D_tls) {
529 ERR_error_string(ERR_get_error(), ssl_errstring);
530 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
f5d78688
JH
531 }
532 goto bad;
3f7eeb86
PP
533 }
534
535/* Here's the simplifying assumption: there's only one response, for the
536one certificate we use, and nothing for anything else in a chain. If this
537proves false, we need to extract a cert id from our issued cert
538(tls_certificate) and use that for OCSP_resp_find_status() (which finds the
539right cert in the stack and then calls OCSP_single_get0_status()).
540
541I'm hoping to avoid reworking a bunch more of how we handle state here. */
542single_response = OCSP_resp_get0(basic_response, 0);
543if (!single_response)
544 {
545 DEBUG(D_tls)
546 debug_printf("Unable to get first response from OCSP basic response.\n");
f5d78688 547 goto bad;
3f7eeb86
PP
548 }
549
550status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
f5d78688 551if (status != V_OCSP_CERTSTATUS_GOOD)
3f7eeb86 552 {
f5d78688
JH
553 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
554 OCSP_cert_status_str(status), status,
555 OCSP_crl_reason_str(reason), reason);
556 goto bad;
3f7eeb86
PP
557 }
558
559if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
560 {
561 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
f5d78688 562 goto bad;
3f7eeb86
PP
563 }
564
f5d78688 565supply_response:
018058b2 566 cbinfo->u_ocsp.server.response = resp;
f5d78688
JH
567return;
568
569bad:
018058b2
JH
570 if (running_in_test_harness)
571 {
572 extern char ** environ;
573 uschar ** p;
574 for (p = USS environ; *p != NULL; p++)
575 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
576 {
577 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
578 goto supply_response;
579 }
580 }
f5d78688 581return;
3f7eeb86 582}
f5d78688 583#endif /*EXPERIMENTAL_OCSP*/
3f7eeb86
PP
584
585
586
587
059ec3d9 588/*************************************************
7be682ca
PP
589* Expand key and cert file specs *
590*************************************************/
591
f5d78688 592/* Called once during tls_init and possibly again during TLS setup, for a
7be682ca
PP
593new context, if Server Name Indication was used and tls_sni was seen in
594the certificate string.
595
596Arguments:
597 sctx the SSL_CTX* to update
598 cbinfo various parts of session state
599
600Returns: OK/DEFER/FAIL
601*/
602
603static int
3f7eeb86 604tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo)
7be682ca
PP
605{
606uschar *expanded;
607
608if (cbinfo->certificate == NULL)
609 return OK;
610
d9b2312b
JH
611if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
612 Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
613 Ustrstr(cbinfo->certificate, US"tls_out_sni")
614 )
7be682ca
PP
615 reexpand_tls_files_for_sni = TRUE;
616
617if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded))
618 return DEFER;
619
620if (expanded != NULL)
621 {
622 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded);
623 if (!SSL_CTX_use_certificate_chain_file(sctx, CS expanded))
624 return tls_error(string_sprintf(
625 "SSL_CTX_use_certificate_chain_file file=%s", expanded),
626 cbinfo->host, NULL);
627 }
628
629if (cbinfo->privatekey != NULL &&
630 !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded))
631 return DEFER;
632
633/* If expansion was forced to fail, key_expanded will be NULL. If the result
634of the expansion is an empty string, ignore it also, and assume the private
635key is in the same file as the certificate. */
636
637if (expanded != NULL && *expanded != 0)
638 {
639 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
640 if (!SSL_CTX_use_PrivateKey_file(sctx, CS expanded, SSL_FILETYPE_PEM))
641 return tls_error(string_sprintf(
642 "SSL_CTX_use_PrivateKey_file file=%s", expanded), cbinfo->host, NULL);
643 }
644
3f7eeb86 645#ifdef EXPERIMENTAL_OCSP
f5d78688 646if (cbinfo->is_server && cbinfo->u_ocsp.server.file != NULL)
3f7eeb86 647 {
f5d78688 648 if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded))
3f7eeb86
PP
649 return DEFER;
650
651 if (expanded != NULL && *expanded != 0)
652 {
653 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
f5d78688
JH
654 if (cbinfo->u_ocsp.server.file_expanded &&
655 (Ustrcmp(expanded, cbinfo->u_ocsp.server.file_expanded) == 0))
3f7eeb86
PP
656 {
657 DEBUG(D_tls)
658 debug_printf("tls_ocsp_file value unchanged, using existing values.\n");
659 } else {
660 ocsp_load_response(sctx, cbinfo, expanded);
661 }
662 }
663 }
664#endif
665
7be682ca
PP
666return OK;
667}
668
669
670
671
672/*************************************************
673* Callback to handle SNI *
674*************************************************/
675
676/* Called when acting as server during the TLS session setup if a Server Name
677Indication extension was sent by the client.
678
679API documentation is OpenSSL s_server.c implementation.
680
681Arguments:
682 s SSL* of the current session
683 ad unknown (part of OpenSSL API) (unused)
684 arg Callback of "our" registered data
685
686Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
687*/
688
3bcbbbe2 689#ifdef EXIM_HAVE_OPENSSL_TLSEXT
7be682ca 690static int
7be682ca
PP
691tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
692{
693const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
3f7eeb86 694tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
7be682ca 695int rc;
3f0945ff 696int old_pool = store_pool;
7be682ca
PP
697
698if (!servername)
699 return SSL_TLSEXT_ERR_OK;
700
3f0945ff 701DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
7be682ca
PP
702 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
703
704/* Make the extension value available for expansion */
3f0945ff 705store_pool = POOL_PERM;
817d9f57 706tls_in.sni = string_copy(US servername);
3f0945ff 707store_pool = old_pool;
7be682ca
PP
708
709if (!reexpand_tls_files_for_sni)
710 return SSL_TLSEXT_ERR_OK;
711
712/* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
713not confident that memcpy wouldn't break some internal reference counting.
714Especially since there's a references struct member, which would be off. */
715
817d9f57
JH
716server_sni = SSL_CTX_new(SSLv23_server_method());
717if (!server_sni)
7be682ca
PP
718 {
719 ERR_error_string(ERR_get_error(), ssl_errstring);
720 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
721 return SSL_TLSEXT_ERR_NOACK;
722 }
723
724/* Not sure how many of these are actually needed, since SSL object
725already exists. Might even need this selfsame callback, for reneg? */
726
817d9f57
JH
727SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
728SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
729SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
730SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
731SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
732SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
7be682ca 733if (cbinfo->server_cipher_list)
817d9f57 734 SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list);
3f7eeb86 735#ifdef EXPERIMENTAL_OCSP
f5d78688 736if (cbinfo->u_ocsp.server.file)
3f7eeb86 737 {
f5d78688 738 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
14c7b357 739 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
3f7eeb86
PP
740 }
741#endif
7be682ca 742
983207c1 743rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE, verify_callback_server);
7be682ca
PP
744if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
745
3f7eeb86
PP
746/* do this after setup_certs, because this can require the certs for verifying
747OCSP information. */
817d9f57 748rc = tls_expand_session_files(server_sni, cbinfo);
7be682ca
PP
749if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
750
389ca47a 751rc = init_dh(server_sni, cbinfo->dhparam, NULL);
a799883d
PP
752if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
753
7be682ca 754DEBUG(D_tls) debug_printf("Switching SSL context.\n");
817d9f57 755SSL_set_SSL_CTX(s, server_sni);
7be682ca
PP
756
757return SSL_TLSEXT_ERR_OK;
758}
3bcbbbe2 759#endif /* EXIM_HAVE_OPENSSL_TLSEXT */
7be682ca
PP
760
761
762
763
3f7eeb86 764#ifdef EXPERIMENTAL_OCSP
f5d78688 765
3f7eeb86
PP
766/*************************************************
767* Callback to handle OCSP Stapling *
768*************************************************/
769
770/* Called when acting as server during the TLS session setup if the client
771requests OCSP information with a Certificate Status Request.
772
773Documentation via openssl s_server.c and the Apache patch from the OpenSSL
774project.
775
776*/
777
778static int
f5d78688 779tls_server_stapling_cb(SSL *s, void *arg)
3f7eeb86
PP
780{
781const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
782uschar *response_der;
783int response_der_len;
784
af4a1bca
JH
785DEBUG(D_tls)
786 debug_printf("Received TLS status request (OCSP stapling); %s response.",
f5d78688
JH
787 cbinfo->u_ocsp.server.response ? "have" : "lack");
788
44662487 789tls_in.ocsp = OCSP_NOT_RESP;
f5d78688 790if (!cbinfo->u_ocsp.server.response)
3f7eeb86
PP
791 return SSL_TLSEXT_ERR_NOACK;
792
793response_der = NULL;
44662487
JH
794response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response,
795 &response_der);
3f7eeb86
PP
796if (response_der_len <= 0)
797 return SSL_TLSEXT_ERR_NOACK;
798
5e55c7a9 799SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
44662487 800tls_in.ocsp = OCSP_VFIED;
3f7eeb86
PP
801return SSL_TLSEXT_ERR_OK;
802}
803
3f7eeb86 804
f5d78688
JH
805static void
806time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
807{
808BIO_printf(bp, "\t%s: ", str);
809ASN1_GENERALIZEDTIME_print(bp, time);
810BIO_puts(bp, "\n");
811}
812
813static int
814tls_client_stapling_cb(SSL *s, void *arg)
815{
816tls_ext_ctx_cb * cbinfo = arg;
817const unsigned char * p;
818int len;
819OCSP_RESPONSE * rsp;
820OCSP_BASICRESP * bs;
821int i;
822
823DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
824len = SSL_get_tlsext_status_ocsp_resp(s, &p);
825if(!p)
826 {
44662487
JH
827 /* Expect this when we requested ocsp but got none */
828 if ( cbinfo->u_ocsp.client.verify_required
829 && log_extra_selector & LX_tls_cipher)
830 log_write(0, LOG_MAIN, "Received TLS status callback, null content");
f5d78688
JH
831 else
832 DEBUG(D_tls) debug_printf(" null\n");
44662487 833 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
f5d78688 834 }
018058b2 835
f5d78688
JH
836if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
837 {
018058b2 838 tls_out.ocsp = OCSP_FAILED;
f5d78688
JH
839 if (log_extra_selector & LX_tls_cipher)
840 log_write(0, LOG_MAIN, "Received TLS status response, parse error");
841 else
842 DEBUG(D_tls) debug_printf(" parse error\n");
843 return 0;
844 }
845
846if(!(bs = OCSP_response_get1_basic(rsp)))
847 {
018058b2 848 tls_out.ocsp = OCSP_FAILED;
f5d78688
JH
849 if (log_extra_selector & LX_tls_cipher)
850 log_write(0, LOG_MAIN, "Received TLS status response, error parsing response");
851 else
852 DEBUG(D_tls) debug_printf(" error parsing response\n");
853 OCSP_RESPONSE_free(rsp);
854 return 0;
855 }
856
857/* We'd check the nonce here if we'd put one in the request. */
858/* However that would defeat cacheability on the server so we don't. */
859
f5d78688
JH
860/* This section of code reworked from OpenSSL apps source;
861 The OpenSSL Project retains copyright:
862 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
863*/
864 {
865 BIO * bp = NULL;
f5d78688
JH
866 int status, reason;
867 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
868
869 DEBUG(D_tls) bp = BIO_new_fp(stderr, BIO_NOCLOSE);
870
871 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
872
873 /* Use the chain that verified the server cert to verify the stapled info */
874 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
875
44662487
JH
876 if ((i = OCSP_basic_verify(bs, NULL,
877 cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
f5d78688 878 {
018058b2 879 tls_out.ocsp = OCSP_FAILED;
f5d78688
JH
880 BIO_printf(bp, "OCSP response verify failure\n");
881 ERR_print_errors(bp);
44662487 882 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
f5d78688
JH
883 goto out;
884 }
885
886 BIO_printf(bp, "OCSP response well-formed and signed OK\n");
887
888 {
889 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
890 OCSP_SINGLERESP * single;
891
892 if (sk_OCSP_SINGLERESP_num(sresp) != 1)
893 {
018058b2 894 tls_out.ocsp = OCSP_FAILED;
44662487
JH
895 log_write(0, LOG_MAIN, "OCSP stapling "
896 "with multiple responses not handled");
897 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
f5d78688
JH
898 goto out;
899 }
900 single = OCSP_resp_get0(bs, 0);
44662487
JH
901 status = OCSP_single_get0_status(single, &reason, &rev,
902 &thisupd, &nextupd);
f5d78688
JH
903 }
904
f5d78688
JH
905 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
906 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
44662487
JH
907 if (!OCSP_check_validity(thisupd, nextupd,
908 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
f5d78688 909 {
018058b2 910 tls_out.ocsp = OCSP_FAILED;
f5d78688
JH
911 DEBUG(D_tls) ERR_print_errors(bp);
912 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
44662487 913 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
f5d78688 914 }
44662487 915 else
f5d78688 916 {
44662487
JH
917 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
918 OCSP_cert_status_str(status));
919 switch(status)
920 {
921 case V_OCSP_CERTSTATUS_GOOD:
44662487 922 tls_out.ocsp = OCSP_VFIED;
018058b2 923 i = 1;
44662487
JH
924 break;
925 case V_OCSP_CERTSTATUS_REVOKED:
018058b2 926 tls_out.ocsp = OCSP_FAILED;
44662487
JH
927 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
928 reason != -1 ? "; reason: " : "",
929 reason != -1 ? OCSP_crl_reason_str(reason) : "");
930 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
931 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
932 break;
933 default:
018058b2 934 tls_out.ocsp = OCSP_FAILED;
44662487
JH
935 log_write(0, LOG_MAIN,
936 "Server certificate status unknown, in OCSP stapling");
937 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
938 break;
939 }
f5d78688
JH
940 }
941 out:
942 BIO_free(bp);
943 }
944
945OCSP_RESPONSE_free(rsp);
946return i;
947}
948#endif /*EXPERIMENTAL_OCSP*/
3f7eeb86
PP
949
950
951
7be682ca 952/*************************************************
059ec3d9
PH
953* Initialize for TLS *
954*************************************************/
955
956/* Called from both server and client code, to do preliminary initialization of
957the library.
958
959Arguments:
960 host connected host, if client; NULL if server
961 dhparam DH parameter file
962 certificate certificate file
963 privatekey private key
f5d78688 964 ocsp_file file of stapling info (server); flag for require ocsp (client)
059ec3d9
PH
965 addr address if client; NULL if server (for some randomness)
966
967Returns: OK/DEFER/FAIL
968*/
969
970static int
817d9f57 971tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
3f7eeb86
PP
972 uschar *privatekey,
973#ifdef EXPERIMENTAL_OCSP
974 uschar *ocsp_file,
975#endif
817d9f57 976 address_item *addr, tls_ext_ctx_cb ** cbp)
059ec3d9 977{
77bb000f 978long init_options;
7be682ca 979int rc;
77bb000f 980BOOL okay;
7be682ca
PP
981tls_ext_ctx_cb *cbinfo;
982
983cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
984cbinfo->certificate = certificate;
985cbinfo->privatekey = privatekey;
3f7eeb86 986#ifdef EXPERIMENTAL_OCSP
f5d78688
JH
987if ((cbinfo->is_server = host==NULL))
988 {
989 cbinfo->u_ocsp.server.file = ocsp_file;
990 cbinfo->u_ocsp.server.file_expanded = NULL;
991 cbinfo->u_ocsp.server.response = NULL;
992 }
993else
994 cbinfo->u_ocsp.client.verify_store = NULL;
3f7eeb86 995#endif
7be682ca
PP
996cbinfo->dhparam = dhparam;
997cbinfo->host = host;
77bb000f 998
059ec3d9
PH
999SSL_load_error_strings(); /* basic set up */
1000OpenSSL_add_ssl_algorithms();
1001
388d6564 1002#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
77bb000f 1003/* SHA256 is becoming ever more popular. This makes sure it gets added to the
a0475b69
TK
1004list of available digests. */
1005EVP_add_digest(EVP_sha256());
cf1ef1a9 1006#endif
a0475b69 1007
f0f5a555
PP
1008/* Create a context.
1009The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
1010negotiation in the different methods; as far as I can tell, the only
1011*_{server,client}_method which allows negotiation is SSLv23, which exists even
1012when OpenSSL is built without SSLv2 support.
1013By disabling with openssl_options, we can let admins re-enable with the
1014existing knob. */
059ec3d9 1015
817d9f57 1016*ctxp = SSL_CTX_new((host == NULL)?
059ec3d9
PH
1017 SSLv23_server_method() : SSLv23_client_method());
1018
817d9f57 1019if (*ctxp == NULL) return tls_error(US"SSL_CTX_new", host, NULL);
059ec3d9
PH
1020
1021/* It turns out that we need to seed the random number generator this early in
1022order to get the full complement of ciphers to work. It took me roughly a day
1023of work to discover this by experiment.
1024
1025On systems that have /dev/urandom, SSL may automatically seed itself from
1026there. Otherwise, we have to make something up as best we can. Double check
1027afterwards. */
1028
1029if (!RAND_status())
1030 {
1031 randstuff r;
9e3331ea 1032 gettimeofday(&r.tv, NULL);
059ec3d9
PH
1033 r.p = getpid();
1034
1035 RAND_seed((uschar *)(&r), sizeof(r));
1036 RAND_seed((uschar *)big_buffer, big_buffer_size);
1037 if (addr != NULL) RAND_seed((uschar *)addr, sizeof(addr));
1038
1039 if (!RAND_status())
7199e1ee 1040 return tls_error(US"RAND_status", host,
5ca6d115 1041 US"unable to seed random number generator");
059ec3d9
PH
1042 }
1043
1044/* Set up the information callback, which outputs if debugging is at a suitable
1045level. */
1046
817d9f57 1047SSL_CTX_set_info_callback(*ctxp, (void (*)())info_callback);
059ec3d9 1048
c80c5570 1049/* Automatically re-try reads/writes after renegotiation. */
817d9f57 1050(void) SSL_CTX_set_mode(*ctxp, SSL_MODE_AUTO_RETRY);
c80c5570 1051
77bb000f
PP
1052/* Apply administrator-supplied work-arounds.
1053Historically we applied just one requested option,
1054SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
1055moved to an administrator-controlled list of options to specify and
1056grandfathered in the first one as the default value for "openssl_options".
059ec3d9 1057
77bb000f
PP
1058No OpenSSL version number checks: the options we accept depend upon the
1059availability of the option value macros from OpenSSL. */
059ec3d9 1060
77bb000f
PP
1061okay = tls_openssl_options_parse(openssl_options, &init_options);
1062if (!okay)
73a46702 1063 return tls_error(US"openssl_options parsing failed", host, NULL);
77bb000f
PP
1064
1065if (init_options)
1066 {
1067 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
817d9f57 1068 if (!(SSL_CTX_set_options(*ctxp, init_options)))
77bb000f
PP
1069 return tls_error(string_sprintf(
1070 "SSL_CTX_set_option(%#lx)", init_options), host, NULL);
1071 }
1072else
1073 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
059ec3d9
PH
1074
1075/* Initialize with DH parameters if supplied */
1076
817d9f57 1077if (!init_dh(*ctxp, dhparam, host)) return DEFER;
059ec3d9 1078
3f7eeb86 1079/* Set up certificate and key (and perhaps OCSP info) */
059ec3d9 1080
817d9f57 1081rc = tls_expand_session_files(*ctxp, cbinfo);
7be682ca 1082if (rc != OK) return rc;
c91535f3 1083
7be682ca 1084/* If we need to handle SNI, do so */
3bcbbbe2 1085#ifdef EXIM_HAVE_OPENSSL_TLSEXT
f5d78688 1086if (host == NULL) /* server */
3f0945ff 1087 {
f5d78688
JH
1088# ifdef EXPERIMENTAL_OCSP
1089 /* We check u_ocsp.server.file, not server.response, because we care about if
3f7eeb86
PP
1090 the option exists, not what the current expansion might be, as SNI might
1091 change the certificate and OCSP file in use between now and the time the
1092 callback is invoked. */
f5d78688 1093 if (cbinfo->u_ocsp.server.file)
3f7eeb86 1094 {
f5d78688 1095 SSL_CTX_set_tlsext_status_cb(server_ctx, tls_server_stapling_cb);
5e55c7a9 1096 SSL_CTX_set_tlsext_status_arg(server_ctx, cbinfo);
3f7eeb86 1097 }
f5d78688 1098# endif
3f0945ff
PP
1099 /* We always do this, so that $tls_sni is available even if not used in
1100 tls_certificate */
817d9f57
JH
1101 SSL_CTX_set_tlsext_servername_callback(*ctxp, tls_servername_cb);
1102 SSL_CTX_set_tlsext_servername_arg(*ctxp, cbinfo);
3f0945ff 1103 }
f5d78688
JH
1104# ifdef EXPERIMENTAL_OCSP
1105else /* client */
1106 if(ocsp_file) /* wanting stapling */
1107 {
1108 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
1109 {
1110 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
1111 return FAIL;
1112 }
1113 SSL_CTX_set_tlsext_status_cb(*ctxp, tls_client_stapling_cb);
1114 SSL_CTX_set_tlsext_status_arg(*ctxp, cbinfo);
1115 }
1116# endif
7be682ca 1117#endif
059ec3d9
PH
1118
1119/* Set up the RSA callback */
1120
817d9f57 1121SSL_CTX_set_tmp_rsa_callback(*ctxp, rsa_callback);
059ec3d9
PH
1122
1123/* Finally, set the timeout, and we are done */
1124
817d9f57 1125SSL_CTX_set_timeout(*ctxp, ssl_session_timeout);
059ec3d9 1126DEBUG(D_tls) debug_printf("Initialized TLS\n");
7be682ca 1127
817d9f57 1128*cbp = cbinfo;
7be682ca 1129
059ec3d9
PH
1130return OK;
1131}
1132
1133
1134
1135
1136/*************************************************
1137* Get name of cipher in use *
1138*************************************************/
1139
817d9f57 1140/*
059ec3d9 1141Argument: pointer to an SSL structure for the connection
817d9f57
JH
1142 buffer to use for answer
1143 size of buffer
1144 pointer to number of bits for cipher
059ec3d9
PH
1145Returns: nothing
1146*/
1147
1148static void
817d9f57 1149construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits)
059ec3d9 1150{
57b3a7f5
PP
1151/* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't
1152yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
1153the accessor functions use const in the prototype. */
1154const SSL_CIPHER *c;
d9784128 1155const uschar *ver;
059ec3d9 1156
d9784128 1157ver = (const uschar *)SSL_get_version(ssl);
059ec3d9 1158
57b3a7f5 1159c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
817d9f57 1160SSL_CIPHER_get_bits(c, bits);
059ec3d9 1161
817d9f57
JH
1162string_format(cipherbuf, bsize, "%s:%s:%u", ver,
1163 SSL_CIPHER_get_name(c), *bits);
059ec3d9
PH
1164
1165DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
1166}
1167
1168
1169
1170
1171
1172/*************************************************
1173* Set up for verifying certificates *
1174*************************************************/
1175
1176/* Called by both client and server startup
1177
1178Arguments:
7be682ca 1179 sctx SSL_CTX* to initialise
059ec3d9
PH
1180 certs certs file or NULL
1181 crl CRL file or NULL
1182 host NULL in a server; the remote host in a client
1183 optional TRUE if called from a server for a host in tls_try_verify_hosts;
1184 otherwise passed as FALSE
983207c1 1185 cert_vfy_cb Callback function for certificate verification
059ec3d9
PH
1186
1187Returns: OK/DEFER/FAIL
1188*/
1189
1190static int
983207c1
JH
1191setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
1192 int (*cert_vfy_cb)(int, X509_STORE_CTX *) )
059ec3d9
PH
1193{
1194uschar *expcerts, *expcrl;
1195
1196if (!expand_check(certs, US"tls_verify_certificates", &expcerts))
1197 return DEFER;
1198
26e72755 1199if (expcerts != NULL && *expcerts != '\0')
059ec3d9
PH
1200 {
1201 struct stat statbuf;
7be682ca 1202 if (!SSL_CTX_set_default_verify_paths(sctx))
7199e1ee 1203 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
059ec3d9
PH
1204
1205 if (Ustat(expcerts, &statbuf) < 0)
1206 {
1207 log_write(0, LOG_MAIN|LOG_PANIC,
1208 "failed to stat %s for certificates", expcerts);
1209 return DEFER;
1210 }
1211 else
1212 {
1213 uschar *file, *dir;
1214 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
1215 { file = NULL; dir = expcerts; }
1216 else
1217 { file = expcerts; dir = NULL; }
1218
1219 /* If a certificate file is empty, the next function fails with an
1220 unhelpful error message. If we skip it, we get the correct behaviour (no
1221 certificates are recognized, but the error message is still misleading (it
1222 says no certificate was supplied.) But this is better. */
1223
1224 if ((file == NULL || statbuf.st_size > 0) &&
7be682ca 1225 !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
7199e1ee 1226 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL);
059ec3d9
PH
1227
1228 if (file != NULL)
1229 {
7be682ca 1230 SSL_CTX_set_client_CA_list(sctx, SSL_load_client_CA_file(CS file));
059ec3d9
PH
1231 }
1232 }
1233
1234 /* Handle a certificate revocation list. */
1235
1236 #if OPENSSL_VERSION_NUMBER > 0x00907000L
1237
8b417f2c
PH
1238 /* This bit of code is now the version supplied by Lars Mainka. (I have
1239 * merely reformatted it into the Exim code style.)
1240
1241 * "From here I changed the code to add support for multiple crl's
1242 * in pem format in one file or to support hashed directory entries in
1243 * pem format instead of a file. This method now uses the library function
1244 * X509_STORE_load_locations to add the CRL location to the SSL context.
1245 * OpenSSL will then handle the verify against CA certs and CRLs by
1246 * itself in the verify callback." */
1247
059ec3d9
PH
1248 if (!expand_check(crl, US"tls_crl", &expcrl)) return DEFER;
1249 if (expcrl != NULL && *expcrl != 0)
1250 {
8b417f2c
PH
1251 struct stat statbufcrl;
1252 if (Ustat(expcrl, &statbufcrl) < 0)
1253 {
1254 log_write(0, LOG_MAIN|LOG_PANIC,
1255 "failed to stat %s for certificates revocation lists", expcrl);
1256 return DEFER;
1257 }
1258 else
059ec3d9 1259 {
8b417f2c
PH
1260 /* is it a file or directory? */
1261 uschar *file, *dir;
7be682ca 1262 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
8b417f2c 1263 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
059ec3d9 1264 {
8b417f2c
PH
1265 file = NULL;
1266 dir = expcrl;
1267 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
059ec3d9
PH
1268 }
1269 else
1270 {
8b417f2c
PH
1271 file = expcrl;
1272 dir = NULL;
1273 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
059ec3d9 1274 }
8b417f2c 1275 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
7199e1ee 1276 return tls_error(US"X509_STORE_load_locations", host, NULL);
8b417f2c
PH
1277
1278 /* setting the flags to check against the complete crl chain */
1279
1280 X509_STORE_set_flags(cvstore,
1281 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
059ec3d9 1282 }
059ec3d9
PH
1283 }
1284
1285 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
1286
1287 /* If verification is optional, don't fail if no certificate */
1288
7be682ca 1289 SSL_CTX_set_verify(sctx,
059ec3d9 1290 SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
983207c1 1291 cert_vfy_cb);
059ec3d9
PH
1292 }
1293
1294return OK;
1295}
1296
1297
1298
1299/*************************************************
1300* Start a TLS session in a server *
1301*************************************************/
1302
1303/* This is called when Exim is running as a server, after having received
1304the STARTTLS command. It must respond to that command, and then negotiate
1305a TLS session.
1306
1307Arguments:
1308 require_ciphers allowed ciphers
1309
1310Returns: OK on success
1311 DEFER for errors before the start of the negotiation
1312 FAIL for errors during the negotation; the server can't
1313 continue running.
1314*/
1315
1316int
17c76198 1317tls_server_start(const uschar *require_ciphers)
059ec3d9
PH
1318{
1319int rc;
1320uschar *expciphers;
7be682ca 1321tls_ext_ctx_cb *cbinfo;
817d9f57 1322static uschar cipherbuf[256];
059ec3d9
PH
1323
1324/* Check for previous activation */
1325
817d9f57 1326if (tls_in.active >= 0)
059ec3d9 1327 {
5ca6d115 1328 tls_error(US"STARTTLS received after TLS started", NULL, US"");
059ec3d9
PH
1329 smtp_printf("554 Already in TLS\r\n");
1330 return FAIL;
1331 }
1332
1333/* Initialize the SSL library. If it fails, it will already have logged
1334the error. */
1335
817d9f57 1336rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
3f7eeb86
PP
1337#ifdef EXPERIMENTAL_OCSP
1338 tls_ocsp_file,
1339#endif
817d9f57 1340 NULL, &server_static_cbinfo);
059ec3d9 1341if (rc != OK) return rc;
817d9f57 1342cbinfo = server_static_cbinfo;
059ec3d9
PH
1343
1344if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
1345 return FAIL;
1346
1347/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
17c76198
PP
1348were historically separated by underscores. So that I can use either form in my
1349tests, and also for general convenience, we turn underscores into hyphens here.
1350*/
059ec3d9
PH
1351
1352if (expciphers != NULL)
1353 {
1354 uschar *s = expciphers;
1355 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1356 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
817d9f57 1357 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
7199e1ee 1358 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL);
7be682ca 1359 cbinfo->server_cipher_list = expciphers;
059ec3d9
PH
1360 }
1361
1362/* If this is a host for which certificate verification is mandatory or
1363optional, set up appropriately. */
1364
817d9f57 1365tls_in.certificate_verified = FALSE;
a2ff477a 1366server_verify_callback_called = FALSE;
059ec3d9
PH
1367
1368if (verify_check_host(&tls_verify_hosts) == OK)
1369 {
983207c1
JH
1370 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
1371 FALSE, verify_callback_server);
059ec3d9 1372 if (rc != OK) return rc;
a2ff477a 1373 server_verify_optional = FALSE;
059ec3d9
PH
1374 }
1375else if (verify_check_host(&tls_try_verify_hosts) == OK)
1376 {
983207c1
JH
1377 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
1378 TRUE, verify_callback_server);
059ec3d9 1379 if (rc != OK) return rc;
a2ff477a 1380 server_verify_optional = TRUE;
059ec3d9
PH
1381 }
1382
1383/* Prepare for new connection */
1384
817d9f57 1385if ((server_ssl = SSL_new(server_ctx)) == NULL) return tls_error(US"SSL_new", NULL, NULL);
da3ad30d
PP
1386
1387/* Warning: we used to SSL_clear(ssl) here, it was removed.
1388 *
1389 * With the SSL_clear(), we get strange interoperability bugs with
1390 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
1391 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
1392 *
1393 * The SSL_clear() call is to let an existing SSL* be reused, typically after
1394 * session shutdown. In this case, we have a brand new object and there's no
1395 * obvious reason to immediately clear it. I'm guessing that this was
1396 * originally added because of incomplete initialisation which the clear fixed,
1397 * in some historic release.
1398 */
059ec3d9
PH
1399
1400/* Set context and tell client to go ahead, except in the case of TLS startup
1401on connection, where outputting anything now upsets the clients and tends to
1402make them disconnect. We need to have an explicit fflush() here, to force out
1403the response. Other smtp_printf() calls do not need it, because in non-TLS
1404mode, the fflush() happens when smtp_getc() is called. */
1405
817d9f57
JH
1406SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
1407if (!tls_in.on_connect)
059ec3d9
PH
1408 {
1409 smtp_printf("220 TLS go ahead\r\n");
1410 fflush(smtp_out);
1411 }
1412
1413/* Now negotiate the TLS session. We put our own timer on it, since it seems
1414that the OpenSSL library doesn't. */
1415
817d9f57
JH
1416SSL_set_wfd(server_ssl, fileno(smtp_out));
1417SSL_set_rfd(server_ssl, fileno(smtp_in));
1418SSL_set_accept_state(server_ssl);
059ec3d9
PH
1419
1420DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
1421
1422sigalrm_seen = FALSE;
1423if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
817d9f57 1424rc = SSL_accept(server_ssl);
059ec3d9
PH
1425alarm(0);
1426
1427if (rc <= 0)
1428 {
7199e1ee 1429 tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL);
77bb000f
PP
1430 if (ERR_get_error() == 0)
1431 log_write(0, LOG_MAIN,
a053d125 1432 "TLS client disconnected cleanly (rejected our certificate?)");
059ec3d9
PH
1433 return FAIL;
1434 }
1435
1436DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
1437
1438/* TLS has been set up. Adjust the input functions to read via TLS,
1439and initialize things. */
1440
817d9f57
JH
1441construct_cipher_name(server_ssl, cipherbuf, sizeof(cipherbuf), &tls_in.bits);
1442tls_in.cipher = cipherbuf;
059ec3d9
PH
1443
1444DEBUG(D_tls)
1445 {
1446 uschar buf[2048];
817d9f57 1447 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)) != NULL)
059ec3d9
PH
1448 debug_printf("Shared ciphers: %s\n", buf);
1449 }
1450
9d1c15ef
JH
1451/* Record the certificate we presented */
1452 {
1453 X509 * crt = SSL_get_certificate(server_ssl);
1454 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
1455 }
059ec3d9 1456
817d9f57
JH
1457/* Only used by the server-side tls (tls_in), including tls_getc.
1458 Client-side (tls_out) reads (seem to?) go via
1459 smtp_read_response()/ip_recv().
1460 Hence no need to duplicate for _in and _out.
1461 */
059ec3d9
PH
1462ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
1463ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
1464ssl_xfer_eof = ssl_xfer_error = 0;
1465
1466receive_getc = tls_getc;
1467receive_ungetc = tls_ungetc;
1468receive_feof = tls_feof;
1469receive_ferror = tls_ferror;
58eb016e 1470receive_smtp_buffered = tls_smtp_buffered;
059ec3d9 1471
817d9f57 1472tls_in.active = fileno(smtp_out);
059ec3d9
PH
1473return OK;
1474}
1475
1476
1477
1478
1479
1480/*************************************************
1481* Start a TLS session in a client *
1482*************************************************/
1483
1484/* Called from the smtp transport after STARTTLS has been accepted.
1485
1486Argument:
1487 fd the fd of the connection
1488 host connected host (for messages)
83da1223 1489 addr the first address
65867078 1490 ob smtp transport options
059ec3d9
PH
1491
1492Returns: OK on success
1493 FAIL otherwise - note that tls_error() will not give DEFER
1494 because this is not a server
1495*/
1496
1497int
f5d78688 1498tls_client_start(int fd, host_item *host, address_item *addr,
65867078 1499 void *v_ob)
059ec3d9 1500{
65867078 1501smtp_transport_options_block * ob = v_ob;
059ec3d9
PH
1502static uschar txt[256];
1503uschar *expciphers;
1504X509* server_cert;
1505int rc;
817d9f57 1506static uschar cipherbuf[256];
f5d78688 1507#ifdef EXPERIMENTAL_OCSP
65867078 1508BOOL require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp,
f5d78688 1509 NULL, host->name, host->address, NULL) == OK;
44662487
JH
1510BOOL request_ocsp = require_ocsp ? TRUE
1511 : verify_check_this_host(&ob->hosts_request_ocsp,
1512 NULL, host->name, host->address, NULL) == OK;
f5d78688 1513#endif
059ec3d9 1514
65867078
JH
1515rc = tls_init(&client_ctx, host, NULL,
1516 ob->tls_certificate, ob->tls_privatekey,
3f7eeb86 1517#ifdef EXPERIMENTAL_OCSP
44662487 1518 (void *)(long)request_ocsp,
3f7eeb86 1519#endif
817d9f57 1520 addr, &client_static_cbinfo);
059ec3d9
PH
1521if (rc != OK) return rc;
1522
817d9f57 1523tls_out.certificate_verified = FALSE;
a2ff477a 1524client_verify_callback_called = FALSE;
059ec3d9 1525
65867078
JH
1526if (!expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
1527 &expciphers))
059ec3d9
PH
1528 return FAIL;
1529
1530/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
1531are separated by underscores. So that I can use either form in my tests, and
1532also for general convenience, we turn underscores into hyphens here. */
1533
1534if (expciphers != NULL)
1535 {
1536 uschar *s = expciphers;
1537 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1538 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
817d9f57 1539 if (!SSL_CTX_set_cipher_list(client_ctx, CS expciphers))
7199e1ee 1540 return tls_error(US"SSL_CTX_set_cipher_list", host, NULL);
059ec3d9
PH
1541 }
1542
a63be306 1543/* stick to the old behaviour for compatibility if tls_verify_certificates is
65867078 1544 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
a63be306 1545 the specified host patterns if one of them is defined */
65867078
JH
1546if ((!ob->tls_verify_hosts && !ob->tls_try_verify_hosts) ||
1547 (verify_check_host(&ob->tls_verify_hosts) == OK))
a63be306 1548 {
65867078
JH
1549 if ((rc = setup_certs(client_ctx, ob->tls_verify_certificates,
1550 ob->tls_crl, host, FALSE, verify_callback_client)) != OK)
1551 return rc;
a63be306
WB
1552 client_verify_optional = FALSE;
1553 }
65867078 1554else if (verify_check_host(&ob->tls_try_verify_hosts) == OK)
a63be306 1555 {
65867078
JH
1556 if ((rc = setup_certs(client_ctx, ob->tls_verify_certificates,
1557 ob->tls_crl, host, TRUE, verify_callback_client)) != OK)
1558 return rc;
a63be306
WB
1559 client_verify_optional = TRUE;
1560 }
059ec3d9 1561
65867078
JH
1562if ((client_ssl = SSL_new(client_ctx)) == NULL)
1563 return tls_error(US"SSL_new", host, NULL);
817d9f57
JH
1564SSL_set_session_id_context(client_ssl, sid_ctx, Ustrlen(sid_ctx));
1565SSL_set_fd(client_ssl, fd);
1566SSL_set_connect_state(client_ssl);
059ec3d9 1567
65867078 1568if (ob->tls_sni)
3f0945ff 1569 {
65867078 1570 if (!expand_check(ob->tls_sni, US"tls_sni", &tls_out.sni))
3f0945ff 1571 return FAIL;
ec4b68e5 1572 if (tls_out.sni == NULL)
2c9a0e86
PP
1573 {
1574 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
1575 }
ec4b68e5 1576 else if (!Ustrlen(tls_out.sni))
817d9f57 1577 tls_out.sni = NULL;
3f0945ff
PP
1578 else
1579 {
35731706 1580#ifdef EXIM_HAVE_OPENSSL_TLSEXT
817d9f57
JH
1581 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tls_out.sni);
1582 SSL_set_tlsext_host_name(client_ssl, tls_out.sni);
35731706
PP
1583#else
1584 DEBUG(D_tls)
1585 debug_printf("OpenSSL at build-time lacked SNI support, ignoring \"%s\"\n",
02d9264f 1586 tls_out.sni);
35731706 1587#endif
3f0945ff
PP
1588 }
1589 }
1590
f5d78688
JH
1591#ifdef EXPERIMENTAL_OCSP
1592/* Request certificate status at connection-time. If the server
1593does OCSP stapling we will get the callback (set in tls_init()) */
44662487
JH
1594if (request_ocsp)
1595 {
f5d78688 1596 SSL_set_tlsext_status_type(client_ssl, TLSEXT_STATUSTYPE_ocsp);
44662487
JH
1597 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
1598 tls_out.ocsp = OCSP_NOT_RESP;
1599 }
f5d78688
JH
1600#endif
1601
059ec3d9
PH
1602/* There doesn't seem to be a built-in timeout on connection. */
1603
1604DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
1605sigalrm_seen = FALSE;
65867078 1606alarm(ob->command_timeout);
817d9f57 1607rc = SSL_connect(client_ssl);
059ec3d9
PH
1608alarm(0);
1609
1610if (rc <= 0)
7199e1ee 1611 return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL);
059ec3d9
PH
1612
1613DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
1614
453a6645 1615/* Beware anonymous ciphers which lead to server_cert being NULL */
9d1c15ef 1616/*XXX server_cert is never freed... use X509_free() */
817d9f57 1617server_cert = SSL_get_peer_certificate (client_ssl);
453a6645
PP
1618if (server_cert)
1619 {
817d9f57 1620 tls_out.peerdn = US X509_NAME_oneline(X509_get_subject_name(server_cert),
453a6645 1621 CS txt, sizeof(txt));
9d1c15ef 1622 tls_out.peerdn = txt; /*XXX a static buffer... */
453a6645
PP
1623 }
1624else
817d9f57 1625 tls_out.peerdn = NULL;
059ec3d9 1626
817d9f57
JH
1627construct_cipher_name(client_ssl, cipherbuf, sizeof(cipherbuf), &tls_out.bits);
1628tls_out.cipher = cipherbuf;
059ec3d9 1629
9d1c15ef
JH
1630/* Record the certificate we presented */
1631 {
1632 X509 * crt = SSL_get_certificate(client_ssl);
1633 tls_out.ourcert = crt ? X509_dup(crt) : NULL;
1634 }
1635
817d9f57 1636tls_out.active = fd;
059ec3d9
PH
1637return OK;
1638}
1639
1640
1641
1642
1643
1644/*************************************************
1645* TLS version of getc *
1646*************************************************/
1647
1648/* This gets the next byte from the TLS input buffer. If the buffer is empty,
1649it refills the buffer via the SSL reading function.
1650
1651Arguments: none
1652Returns: the next character or EOF
817d9f57
JH
1653
1654Only used by the server-side TLS.
059ec3d9
PH
1655*/
1656
1657int
1658tls_getc(void)
1659{
1660if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
1661 {
1662 int error;
1663 int inbytes;
1664
817d9f57 1665 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
c80c5570 1666 ssl_xfer_buffer, ssl_xfer_buffer_size);
059ec3d9
PH
1667
1668 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
817d9f57
JH
1669 inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer, ssl_xfer_buffer_size);
1670 error = SSL_get_error(server_ssl, inbytes);
059ec3d9
PH
1671 alarm(0);
1672
1673 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
1674 closed down, not that the socket itself has been closed down. Revert to
1675 non-SSL handling. */
1676
1677 if (error == SSL_ERROR_ZERO_RETURN)
1678 {
1679 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
1680
1681 receive_getc = smtp_getc;
1682 receive_ungetc = smtp_ungetc;
1683 receive_feof = smtp_feof;
1684 receive_ferror = smtp_ferror;
58eb016e 1685 receive_smtp_buffered = smtp_buffered;
059ec3d9 1686
817d9f57
JH
1687 SSL_free(server_ssl);
1688 server_ssl = NULL;
1689 tls_in.active = -1;
1690 tls_in.bits = 0;
1691 tls_in.cipher = NULL;
1692 tls_in.peerdn = NULL;
1693 tls_in.sni = NULL;
059ec3d9
PH
1694
1695 return smtp_getc();
1696 }
1697
1698 /* Handle genuine errors */
1699
ba084640
PP
1700 else if (error == SSL_ERROR_SSL)
1701 {
1702 ERR_error_string(ERR_get_error(), ssl_errstring);
89dd51cd 1703 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
ba084640
PP
1704 ssl_xfer_error = 1;
1705 return EOF;
1706 }
1707
059ec3d9
PH
1708 else if (error != SSL_ERROR_NONE)
1709 {
1710 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
1711 ssl_xfer_error = 1;
1712 return EOF;
1713 }
c80c5570 1714
80a47a2c
TK
1715#ifndef DISABLE_DKIM
1716 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
1717#endif
059ec3d9
PH
1718 ssl_xfer_buffer_hwm = inbytes;
1719 ssl_xfer_buffer_lwm = 0;
1720 }
1721
1722/* Something in the buffer; return next uschar */
1723
1724return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
1725}
1726
1727
1728
1729/*************************************************
1730* Read bytes from TLS channel *
1731*************************************************/
1732
1733/*
1734Arguments:
1735 buff buffer of data
1736 len size of buffer
1737
1738Returns: the number of bytes read
1739 -1 after a failed read
817d9f57
JH
1740
1741Only used by the client-side TLS.
059ec3d9
PH
1742*/
1743
1744int
389ca47a 1745tls_read(BOOL is_server, uschar *buff, size_t len)
059ec3d9 1746{
389ca47a 1747SSL *ssl = is_server ? server_ssl : client_ssl;
059ec3d9
PH
1748int inbytes;
1749int error;
1750
389ca47a 1751DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
c80c5570 1752 buff, (unsigned int)len);
059ec3d9 1753
389ca47a
JH
1754inbytes = SSL_read(ssl, CS buff, len);
1755error = SSL_get_error(ssl, inbytes);
059ec3d9
PH
1756
1757if (error == SSL_ERROR_ZERO_RETURN)
1758 {
1759 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
1760 return -1;
1761 }
1762else if (error != SSL_ERROR_NONE)
1763 {
1764 return -1;
1765 }
1766
1767return inbytes;
1768}
1769
1770
1771
1772
1773
1774/*************************************************
1775* Write bytes down TLS channel *
1776*************************************************/
1777
1778/*
1779Arguments:
817d9f57 1780 is_server channel specifier
059ec3d9
PH
1781 buff buffer of data
1782 len number of bytes
1783
1784Returns: the number of bytes after a successful write,
1785 -1 after a failed write
817d9f57
JH
1786
1787Used by both server-side and client-side TLS.
059ec3d9
PH
1788*/
1789
1790int
817d9f57 1791tls_write(BOOL is_server, const uschar *buff, size_t len)
059ec3d9
PH
1792{
1793int outbytes;
1794int error;
1795int left = len;
817d9f57 1796SSL *ssl = is_server ? server_ssl : client_ssl;
059ec3d9 1797
c80c5570 1798DEBUG(D_tls) debug_printf("tls_do_write(%p, %d)\n", buff, left);
059ec3d9
PH
1799while (left > 0)
1800 {
c80c5570 1801 DEBUG(D_tls) debug_printf("SSL_write(SSL, %p, %d)\n", buff, left);
059ec3d9
PH
1802 outbytes = SSL_write(ssl, CS buff, left);
1803 error = SSL_get_error(ssl, outbytes);
1804 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
1805 switch (error)
1806 {
1807 case SSL_ERROR_SSL:
1808 ERR_error_string(ERR_get_error(), ssl_errstring);
1809 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
1810 return -1;
1811
1812 case SSL_ERROR_NONE:
1813 left -= outbytes;
1814 buff += outbytes;
1815 break;
1816
1817 case SSL_ERROR_ZERO_RETURN:
1818 log_write(0, LOG_MAIN, "SSL channel closed on write");
1819 return -1;
1820
817d9f57
JH
1821 case SSL_ERROR_SYSCALL:
1822 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
1823 sender_fullhost ? sender_fullhost : US"<unknown>",
1824 strerror(errno));
1825
059ec3d9
PH
1826 default:
1827 log_write(0, LOG_MAIN, "SSL_write error %d", error);
1828 return -1;
1829 }
1830 }
1831return len;
1832}
1833
1834
1835
1836/*************************************************
1837* Close down a TLS session *
1838*************************************************/
1839
1840/* This is also called from within a delivery subprocess forked from the
1841daemon, to shut down the TLS library, without actually doing a shutdown (which
1842would tamper with the SSL session in the parent process).
1843
1844Arguments: TRUE if SSL_shutdown is to be called
1845Returns: nothing
817d9f57
JH
1846
1847Used by both server-side and client-side TLS.
059ec3d9
PH
1848*/
1849
1850void
817d9f57 1851tls_close(BOOL is_server, BOOL shutdown)
059ec3d9 1852{
817d9f57 1853SSL **sslp = is_server ? &server_ssl : &client_ssl;
389ca47a 1854int *fdp = is_server ? &tls_in.active : &tls_out.active;
817d9f57
JH
1855
1856if (*fdp < 0) return; /* TLS was not active */
059ec3d9
PH
1857
1858if (shutdown)
1859 {
1860 DEBUG(D_tls) debug_printf("tls_close(): shutting down SSL\n");
817d9f57 1861 SSL_shutdown(*sslp);
059ec3d9
PH
1862 }
1863
817d9f57
JH
1864SSL_free(*sslp);
1865*sslp = NULL;
059ec3d9 1866
817d9f57 1867*fdp = -1;
059ec3d9
PH
1868}
1869
36f12725
NM
1870
1871
1872
1873/*************************************************
3375e053
PP
1874* Let tls_require_ciphers be checked at startup *
1875*************************************************/
1876
1877/* The tls_require_ciphers option, if set, must be something which the
1878library can parse.
1879
1880Returns: NULL on success, or error message
1881*/
1882
1883uschar *
1884tls_validate_require_cipher(void)
1885{
1886SSL_CTX *ctx;
1887uschar *s, *expciphers, *err;
1888
1889/* this duplicates from tls_init(), we need a better "init just global
1890state, for no specific purpose" singleton function of our own */
1891
1892SSL_load_error_strings();
1893OpenSSL_add_ssl_algorithms();
1894#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
1895/* SHA256 is becoming ever more popular. This makes sure it gets added to the
1896list of available digests. */
1897EVP_add_digest(EVP_sha256());
1898#endif
1899
1900if (!(tls_require_ciphers && *tls_require_ciphers))
1901 return NULL;
1902
1903if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers))
1904 return US"failed to expand tls_require_ciphers";
1905
1906if (!(expciphers && *expciphers))
1907 return NULL;
1908
1909/* normalisation ripped from above */
1910s = expciphers;
1911while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1912
1913err = NULL;
1914
1915ctx = SSL_CTX_new(SSLv23_server_method());
1916if (!ctx)
1917 {
1918 ERR_error_string(ERR_get_error(), ssl_errstring);
1919 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
1920 }
1921
1922DEBUG(D_tls)
1923 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
1924
1925if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
1926 {
1927 ERR_error_string(ERR_get_error(), ssl_errstring);
1928 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed", expciphers);
1929 }
1930
1931SSL_CTX_free(ctx);
1932
1933return err;
1934}
1935
1936
1937
1938
1939/*************************************************
36f12725
NM
1940* Report the library versions. *
1941*************************************************/
1942
1943/* There have historically been some issues with binary compatibility in
1944OpenSSL libraries; if Exim (like many other applications) is built against
1945one version of OpenSSL but the run-time linker picks up another version,
1946it can result in serious failures, including crashing with a SIGSEGV. So
1947report the version found by the compiler and the run-time version.
1948
f64a1e23
PP
1949Note: some OS vendors backport security fixes without changing the version
1950number/string, and the version date remains unchanged. The _build_ date
1951will change, so we can more usefully assist with version diagnosis by also
1952reporting the build date.
1953
36f12725
NM
1954Arguments: a FILE* to print the results to
1955Returns: nothing
1956*/
1957
1958void
1959tls_version_report(FILE *f)
1960{
754a0503 1961fprintf(f, "Library version: OpenSSL: Compile: %s\n"
f64a1e23
PP
1962 " Runtime: %s\n"
1963 " : %s\n",
754a0503 1964 OPENSSL_VERSION_TEXT,
f64a1e23
PP
1965 SSLeay_version(SSLEAY_VERSION),
1966 SSLeay_version(SSLEAY_BUILT_ON));
1967/* third line is 38 characters for the %s and the line is 73 chars long;
1968the OpenSSL output includes a "built on: " prefix already. */
36f12725
NM
1969}
1970
9e3331ea
TK
1971
1972
1973
1974/*************************************************
17c76198 1975* Random number generation *
9e3331ea
TK
1976*************************************************/
1977
1978/* Pseudo-random number generation. The result is not expected to be
1979cryptographically strong but not so weak that someone will shoot themselves
1980in the foot using it as a nonce in input in some email header scheme or
1981whatever weirdness they'll twist this into. The result should handle fork()
1982and avoid repeating sequences. OpenSSL handles that for us.
1983
1984Arguments:
1985 max range maximum
1986Returns a random number in range [0, max-1]
1987*/
1988
1989int
17c76198 1990vaguely_random_number(int max)
9e3331ea
TK
1991{
1992unsigned int r;
1993int i, needed_len;
de6135a0
PP
1994static pid_t pidlast = 0;
1995pid_t pidnow;
9e3331ea
TK
1996uschar *p;
1997uschar smallbuf[sizeof(r)];
1998
1999if (max <= 1)
2000 return 0;
2001
de6135a0
PP
2002pidnow = getpid();
2003if (pidnow != pidlast)
2004 {
2005 /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
2006 is unique for each thread", this doesn't apparently apply across processes,
2007 so our own warning from vaguely_random_number_fallback() applies here too.
2008 Fix per PostgreSQL. */
2009 if (pidlast != 0)
2010 RAND_cleanup();
2011 pidlast = pidnow;
2012 }
2013
9e3331ea
TK
2014/* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
2015if (!RAND_status())
2016 {
2017 randstuff r;
2018 gettimeofday(&r.tv, NULL);
2019 r.p = getpid();
2020
2021 RAND_seed((uschar *)(&r), sizeof(r));
2022 }
2023/* We're after pseudo-random, not random; if we still don't have enough data
2024in the internal PRNG then our options are limited. We could sleep and hope
2025for entropy to come along (prayer technique) but if the system is so depleted
2026in the first place then something is likely to just keep taking it. Instead,
2027we'll just take whatever little bit of pseudo-random we can still manage to
2028get. */
2029
2030needed_len = sizeof(r);
2031/* Don't take 8 times more entropy than needed if int is 8 octets and we were
2032asked for a number less than 10. */
2033for (r = max, i = 0; r; ++i)
2034 r >>= 1;
2035i = (i + 7) / 8;
2036if (i < needed_len)
2037 needed_len = i;
2038
2039/* We do not care if crypto-strong */
17c76198
PP
2040i = RAND_pseudo_bytes(smallbuf, needed_len);
2041if (i < 0)
2042 {
2043 DEBUG(D_all)
2044 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
2045 return vaguely_random_number_fallback(max);
2046 }
2047
9e3331ea
TK
2048r = 0;
2049for (p = smallbuf; needed_len; --needed_len, ++p)
2050 {
2051 r *= 256;
2052 r += *p;
2053 }
2054
2055/* We don't particularly care about weighted results; if someone wants
2056smooth distribution and cares enough then they should submit a patch then. */
2057return r % max;
2058}
2059
77bb000f
PP
2060
2061
2062
2063/*************************************************
2064* OpenSSL option parse *
2065*************************************************/
2066
2067/* Parse one option for tls_openssl_options_parse below
2068
2069Arguments:
2070 name one option name
2071 value place to store a value for it
2072Returns success or failure in parsing
2073*/
2074
2075struct exim_openssl_option {
2076 uschar *name;
2077 long value;
2078};
2079/* We could use a macro to expand, but we need the ifdef and not all the
2080options document which version they were introduced in. Policylet: include
2081all options unless explicitly for DTLS, let the administrator choose which
2082to apply.
2083
2084This list is current as of:
e2fbf4a2
PP
2085 ==> 1.0.1b <==
2086Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
2087*/
77bb000f
PP
2088static struct exim_openssl_option exim_openssl_options[] = {
2089/* KEEP SORTED ALPHABETICALLY! */
2090#ifdef SSL_OP_ALL
73a46702 2091 { US"all", SSL_OP_ALL },
77bb000f
PP
2092#endif
2093#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
73a46702 2094 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
77bb000f
PP
2095#endif
2096#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
73a46702 2097 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
77bb000f
PP
2098#endif
2099#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
73a46702 2100 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
77bb000f
PP
2101#endif
2102#ifdef SSL_OP_EPHEMERAL_RSA
73a46702 2103 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
77bb000f
PP
2104#endif
2105#ifdef SSL_OP_LEGACY_SERVER_CONNECT
73a46702 2106 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
77bb000f
PP
2107#endif
2108#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
73a46702 2109 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
77bb000f
PP
2110#endif
2111#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
73a46702 2112 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
77bb000f
PP
2113#endif
2114#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
73a46702 2115 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
77bb000f
PP
2116#endif
2117#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
73a46702 2118 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
77bb000f
PP
2119#endif
2120#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
73a46702 2121 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
77bb000f 2122#endif
c80c5570
PP
2123#ifdef SSL_OP_NO_COMPRESSION
2124 { US"no_compression", SSL_OP_NO_COMPRESSION },
2125#endif
77bb000f 2126#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
73a46702 2127 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
77bb000f 2128#endif
c0c7b2da
PP
2129#ifdef SSL_OP_NO_SSLv2
2130 { US"no_sslv2", SSL_OP_NO_SSLv2 },
2131#endif
2132#ifdef SSL_OP_NO_SSLv3
2133 { US"no_sslv3", SSL_OP_NO_SSLv3 },
2134#endif
2135#ifdef SSL_OP_NO_TICKET
2136 { US"no_ticket", SSL_OP_NO_TICKET },
2137#endif
2138#ifdef SSL_OP_NO_TLSv1
2139 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
2140#endif
c80c5570
PP
2141#ifdef SSL_OP_NO_TLSv1_1
2142#if SSL_OP_NO_TLSv1_1 == 0x00000400L
2143 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
2144#warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
2145#else
2146 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
2147#endif
2148#endif
2149#ifdef SSL_OP_NO_TLSv1_2
2150 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
2151#endif
e2fbf4a2
PP
2152#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
2153 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
2154#endif
77bb000f 2155#ifdef SSL_OP_SINGLE_DH_USE
73a46702 2156 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
77bb000f
PP
2157#endif
2158#ifdef SSL_OP_SINGLE_ECDH_USE
73a46702 2159 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
77bb000f
PP
2160#endif
2161#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
73a46702 2162 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
77bb000f
PP
2163#endif
2164#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
73a46702 2165 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
77bb000f
PP
2166#endif
2167#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
73a46702 2168 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
77bb000f
PP
2169#endif
2170#ifdef SSL_OP_TLS_D5_BUG
73a46702 2171 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
77bb000f
PP
2172#endif
2173#ifdef SSL_OP_TLS_ROLLBACK_BUG
73a46702 2174 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
77bb000f
PP
2175#endif
2176};
2177static int exim_openssl_options_size =
2178 sizeof(exim_openssl_options)/sizeof(struct exim_openssl_option);
2179
c80c5570 2180
77bb000f
PP
2181static BOOL
2182tls_openssl_one_option_parse(uschar *name, long *value)
2183{
2184int first = 0;
2185int last = exim_openssl_options_size;
2186while (last > first)
2187 {
2188 int middle = (first + last)/2;
2189 int c = Ustrcmp(name, exim_openssl_options[middle].name);
2190 if (c == 0)
2191 {
2192 *value = exim_openssl_options[middle].value;
2193 return TRUE;
2194 }
2195 else if (c > 0)
2196 first = middle + 1;
2197 else
2198 last = middle;
2199 }
2200return FALSE;
2201}
2202
2203
2204
2205
2206/*************************************************
2207* OpenSSL option parsing logic *
2208*************************************************/
2209
2210/* OpenSSL has a number of compatibility options which an administrator might
2211reasonably wish to set. Interpret a list similarly to decode_bits(), so that
2212we look like log_selector.
2213
2214Arguments:
2215 option_spec the administrator-supplied string of options
2216 results ptr to long storage for the options bitmap
2217Returns success or failure
2218*/
2219
2220BOOL
2221tls_openssl_options_parse(uschar *option_spec, long *results)
2222{
2223long result, item;
2224uschar *s, *end;
2225uschar keep_c;
2226BOOL adding, item_parsed;
2227
0e944a0d 2228result = 0L;
b1770b6e 2229/* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
da3ad30d 2230 * from default because it increases BEAST susceptibility. */
f0f5a555
PP
2231#ifdef SSL_OP_NO_SSLv2
2232result |= SSL_OP_NO_SSLv2;
2233#endif
77bb000f
PP
2234
2235if (option_spec == NULL)
2236 {
2237 *results = result;
2238 return TRUE;
2239 }
2240
2241for (s=option_spec; *s != '\0'; /**/)
2242 {
2243 while (isspace(*s)) ++s;
2244 if (*s == '\0')
2245 break;
2246 if (*s != '+' && *s != '-')
2247 {
2248 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
0e944a0d 2249 "+ or - expected but found \"%s\"\n", s);
77bb000f
PP
2250 return FALSE;
2251 }
2252 adding = *s++ == '+';
2253 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
2254 keep_c = *end;
2255 *end = '\0';
2256 item_parsed = tls_openssl_one_option_parse(s, &item);
2257 if (!item_parsed)
2258 {
0e944a0d 2259 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
77bb000f
PP
2260 return FALSE;
2261 }
2262 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
2263 adding ? "adding" : "removing", result, item, s);
2264 if (adding)
2265 result |= item;
2266 else
2267 result &= ~item;
2268 *end = keep_c;
2269 s = end;
2270 }
2271
2272*results = result;
2273return TRUE;
2274}
2275
9d1c15ef
JH
2276/* vi: aw ai sw=2
2277*/
059ec3d9 2278/* End of tls-openssl.c */