Testsuite: workaround older-perl bug
[exim.git] / src / src / tls-openssl.c
CommitLineData
059ec3d9
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
f9ba5e22 5/* Copyright (c) University of Cambridge 1995 - 2018 */
059ec3d9
PH
6/* See the file NOTICE for conditions of use and distribution. */
7
f5d78688
JH
8/* Portions Copyright (c) The OpenSSL Project 1999 */
9
059ec3d9
PH
10/* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11library. It is #included into the tls.c file when that library is used. The
12code herein is based on a patch that was originally contributed by Steve
13Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
14
15No cryptographic code is included in Exim. All this module does is to call
16functions from the OpenSSL library. */
17
18
19/* Heading stuff */
20
21#include <openssl/lhash.h>
22#include <openssl/ssl.h>
23#include <openssl/err.h>
24#include <openssl/rand.h>
10ca4f1c
JH
25#ifndef OPENSSL_NO_ECDH
26# include <openssl/ec.h>
27#endif
f2de3a33 28#ifndef DISABLE_OCSP
e51c7be2 29# include <openssl/ocsp.h>
3f7eeb86 30#endif
c0635b6d 31#ifdef SUPPORT_DANE
05e796ad 32# include "danessl.h"
85098ee7
JH
33#endif
34
3f7eeb86 35
f2de3a33
JH
36#ifndef DISABLE_OCSP
37# define EXIM_OCSP_SKEW_SECONDS (300L)
38# define EXIM_OCSP_MAX_AGE (-1L)
3f7eeb86 39#endif
059ec3d9 40
3bcbbbe2 41#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
e51c7be2 42# define EXIM_HAVE_OPENSSL_TLSEXT
3bcbbbe2 43#endif
c8dfb21d
JH
44#if OPENSSL_VERSION_NUMBER >= 0x00908000L
45# define EXIM_HAVE_RSA_GENKEY_EX
46#endif
47#if OPENSSL_VERSION_NUMBER >= 0x10100000L
48# define EXIM_HAVE_OCSP_RESP_COUNT
49#else
50# define EXIM_HAVE_EPHEM_RSA_KEX
51# define EXIM_HAVE_RAND_PSEUDO
52#endif
53#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
260958d6 54# define EXIM_HAVE_SHA256 /*MMMM*/
c8dfb21d 55#endif
34e3241d
PP
56
57/*
58 * X509_check_host provides sane certificate hostname checking, but was added
59 * to OpenSSL late, after other projects forked off the code-base. So in
60 * addition to guarding against the base version number, beware that LibreSSL
61 * does not (at this time) support this function.
62 *
63 * If LibreSSL gains a different API, perhaps via libtls, then we'll probably
64 * opt to disentangle and ask a LibreSSL user to provide glue for a third
65 * crypto provider for libtls instead of continuing to tie the OpenSSL glue
66 * into even twistier knots. If LibreSSL gains the same API, we can just
67 * change this guard and punt the issue for a while longer.
68 */
69#ifndef LIBRESSL_VERSION_NUMBER
70# if OPENSSL_VERSION_NUMBER >= 0x010100000L
71# define EXIM_HAVE_OPENSSL_CHECKHOST
8420742d 72# define EXIM_HAVE_OPENSSL_DH_BITS
7a8b9519 73# define EXIM_HAVE_OPENSSL_TLS_METHOD
34e3241d
PP
74# endif
75# if OPENSSL_VERSION_NUMBER >= 0x010000000L \
2dfb468b 76 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
34e3241d
PP
77# define EXIM_HAVE_OPENSSL_CHECKHOST
78# endif
11aa88b0 79#endif
10ca4f1c 80
11aa88b0
RA
81#if !defined(LIBRESSL_VERSION_NUMBER) \
82 || LIBRESSL_VERSION_NUMBER >= 0x20010000L
10ca4f1c
JH
83# if !defined(OPENSSL_NO_ECDH)
84# if OPENSSL_VERSION_NUMBER >= 0x0090800fL
260958d6 85# define EXIM_HAVE_ECDH /*MMMM*/
10ca4f1c
JH
86# endif
87# if OPENSSL_VERSION_NUMBER >= 0x10002000L
10ca4f1c
JH
88# define EXIM_HAVE_OPENSSL_EC_NIST2NID
89# endif
90# endif
2dfb468b 91#endif
3bcbbbe2 92
67791ce4
JH
93#if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
94# warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
95# define DISABLE_OCSP
96#endif
97
a6510420
JH
98#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
99# include <openssl/x509v3.h>
100#endif
101
059ec3d9
PH
102/* Structure for collecting random data for seeding. */
103
104typedef struct randstuff {
9e3331ea
TK
105 struct timeval tv;
106 pid_t p;
059ec3d9
PH
107} randstuff;
108
109/* Local static variables */
110
a2ff477a
JH
111static BOOL client_verify_callback_called = FALSE;
112static BOOL server_verify_callback_called = FALSE;
059ec3d9
PH
113static const uschar *sid_ctx = US"exim";
114
d4f09789
PP
115/* We have three different contexts to care about.
116
117Simple case: client, `client_ctx`
118 As a client, we can be doing a callout or cut-through delivery while receiving
119 a message. So we have a client context, which should have options initialised
120 from the SMTP Transport.
121
122Server:
123 There are two cases: with and without ServerNameIndication from the client.
124 Given TLS SNI, we can be using different keys, certs and various other
125 configuration settings, because they're re-expanded with $tls_sni set. This
126 allows vhosting with TLS. This SNI is sent in the handshake.
127 A client might not send SNI, so we need a fallback, and an initial setup too.
128 So as a server, we start out using `server_ctx`.
129 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
130 `server_sni` from `server_ctx` and then initialise settings by re-expanding
131 configuration.
132*/
133
817d9f57
JH
134static SSL_CTX *client_ctx = NULL;
135static SSL_CTX *server_ctx = NULL;
136static SSL *client_ssl = NULL;
137static SSL *server_ssl = NULL;
389ca47a 138
35731706 139#ifdef EXIM_HAVE_OPENSSL_TLSEXT
817d9f57 140static SSL_CTX *server_sni = NULL;
35731706 141#endif
059ec3d9
PH
142
143static char ssl_errstring[256];
144
145static int ssl_session_timeout = 200;
a2ff477a
JH
146static BOOL client_verify_optional = FALSE;
147static BOOL server_verify_optional = FALSE;
059ec3d9 148
f5d78688 149static BOOL reexpand_tls_files_for_sni = FALSE;
059ec3d9
PH
150
151
7be682ca
PP
152typedef struct tls_ext_ctx_cb {
153 uschar *certificate;
154 uschar *privatekey;
f5d78688 155 BOOL is_server;
a6510420 156#ifndef DISABLE_OCSP
c3033f13 157 STACK_OF(X509) *verify_stack; /* chain for verifying the proof */
f5d78688
JH
158 union {
159 struct {
160 uschar *file;
161 uschar *file_expanded;
162 OCSP_RESPONSE *response;
163 } server;
164 struct {
44662487
JH
165 X509_STORE *verify_store; /* non-null if status requested */
166 BOOL verify_required;
f5d78688
JH
167 } client;
168 } u_ocsp;
3f7eeb86 169#endif
7be682ca
PP
170 uschar *dhparam;
171 /* these are cached from first expand */
172 uschar *server_cipher_list;
173 /* only passed down to tls_error: */
174 host_item *host;
55414b25 175 const uschar * verify_cert_hostnames;
0cbf2b82 176#ifndef DISABLE_EVENT
a7538db1
JH
177 uschar * event_action;
178#endif
7be682ca
PP
179} tls_ext_ctx_cb;
180
181/* should figure out a cleanup of API to handle state preserved per
182implementation, for various reasons, which can be void * in the APIs.
183For now, we hack around it. */
817d9f57
JH
184tls_ext_ctx_cb *client_static_cbinfo = NULL;
185tls_ext_ctx_cb *server_static_cbinfo = NULL;
7be682ca
PP
186
187static int
983207c1 188setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
cf0c6164 189 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr );
059ec3d9 190
3f7eeb86 191/* Callbacks */
3bcbbbe2 192#ifdef EXIM_HAVE_OPENSSL_TLSEXT
3f7eeb86 193static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
3bcbbbe2 194#endif
f2de3a33 195#ifndef DISABLE_OCSP
f5d78688 196static int tls_server_stapling_cb(SSL *s, void *arg);
3f7eeb86
PP
197#endif
198
059ec3d9
PH
199
200/*************************************************
201* Handle TLS error *
202*************************************************/
203
204/* Called from lots of places when errors occur before actually starting to do
205the TLS handshake, that is, while the session is still in clear. Always returns
206DEFER for a server and FAIL for a client so that most calls can use "return
207tls_error(...)" to do this processing and then give an appropriate return. A
208single function is used for both server and client, because it is called from
209some shared functions.
210
211Argument:
212 prefix text to include in the logged error
213 host NULL if setting up a server;
214 the connected host if setting up a client
7199e1ee 215 msg error message or NULL if we should ask OpenSSL
cf0c6164 216 errstr pointer to output error message
059ec3d9
PH
217
218Returns: OK/DEFER/FAIL
219*/
220
221static int
cf0c6164 222tls_error(uschar * prefix, const host_item * host, uschar * msg, uschar ** errstr)
059ec3d9 223{
c562fd30 224if (!msg)
7199e1ee
TF
225 {
226 ERR_error_string(ERR_get_error(), ssl_errstring);
cf0c6164 227 msg = US ssl_errstring;
7199e1ee
TF
228 }
229
cf0c6164
JH
230if (errstr) *errstr = string_sprintf("(%s): %s", prefix, msg);
231return host ? FAIL : DEFER;
059ec3d9
PH
232}
233
234
235
236/*************************************************
237* Callback to generate RSA key *
238*************************************************/
239
240/*
241Arguments:
3ae79556 242 s SSL connection (not used)
059ec3d9
PH
243 export not used
244 keylength keylength
245
246Returns: pointer to generated key
247*/
248
249static RSA *
250rsa_callback(SSL *s, int export, int keylength)
251{
252RSA *rsa_key;
c8dfb21d
JH
253#ifdef EXIM_HAVE_RSA_GENKEY_EX
254BIGNUM *bn = BN_new();
255#endif
256
059ec3d9
PH
257export = export; /* Shut picky compilers up */
258DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
c8dfb21d
JH
259
260#ifdef EXIM_HAVE_RSA_GENKEY_EX
261if ( !BN_set_word(bn, (unsigned long)RSA_F4)
f2cb6292 262 || !(rsa_key = RSA_new())
c8dfb21d
JH
263 || !RSA_generate_key_ex(rsa_key, keylength, bn, NULL)
264 )
265#else
23bb6982 266if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL)))
c8dfb21d
JH
267#endif
268
059ec3d9
PH
269 {
270 ERR_error_string(ERR_get_error(), ssl_errstring);
271 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
272 ssl_errstring);
273 return NULL;
274 }
275return rsa_key;
276}
277
278
279
f5d78688 280/* Extreme debug
f2de3a33 281#ifndef DISABLE_OCSP
f5d78688
JH
282void
283x509_store_dump_cert_s_names(X509_STORE * store)
284{
285STACK_OF(X509_OBJECT) * roots= store->objs;
286int i;
287static uschar name[256];
288
289for(i= 0; i<sk_X509_OBJECT_num(roots); i++)
290 {
291 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
292 if(tmp_obj->type == X509_LU_X509)
293 {
294 X509 * current_cert= tmp_obj->data.x509;
295 X509_NAME_oneline(X509_get_subject_name(current_cert), CS name, sizeof(name));
f69979cf 296 name[sizeof(name)-1] = '\0';
f5d78688
JH
297 debug_printf(" %s\n", name);
298 }
299 }
300}
301#endif
302*/
303
059ec3d9 304
0cbf2b82 305#ifndef DISABLE_EVENT
f69979cf
JH
306static int
307verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
308 BOOL *calledp, const BOOL *optionalp, const uschar * what)
309{
310uschar * ev;
311uschar * yield;
312X509 * old_cert;
313
314ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
315if (ev)
316 {
aaba7d03 317 DEBUG(D_tls) debug_printf("verify_event: %s %d\n", what, depth);
f69979cf
JH
318 old_cert = tlsp->peercert;
319 tlsp->peercert = X509_dup(cert);
320 /* NB we do not bother setting peerdn */
321 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
322 {
323 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
324 "depth=%d cert=%s: %s",
325 tlsp == &tls_out ? deliver_host_address : sender_host_address,
326 what, depth, dn, yield);
327 *calledp = TRUE;
328 if (!*optionalp)
329 {
330 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
331 return 1; /* reject (leaving peercert set) */
332 }
333 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
334 "(host in tls_try_verify_hosts)\n");
335 }
336 X509_free(tlsp->peercert);
337 tlsp->peercert = old_cert;
338 }
339return 0;
340}
341#endif
342
059ec3d9
PH
343/*************************************************
344* Callback for verification *
345*************************************************/
346
347/* The SSL library does certificate verification if set up to do so. This
348callback has the current yes/no state is in "state". If verification succeeded,
f69979cf
JH
349we set the certificate-verified flag. If verification failed, what happens
350depends on whether the client is required to present a verifiable certificate
351or not.
059ec3d9
PH
352
353If verification is optional, we change the state to yes, but still log the
354verification error. For some reason (it really would help to have proper
355documentation of OpenSSL), this callback function then gets called again, this
f69979cf
JH
356time with state = 1. We must take care not to set the private verified flag on
357the second time through.
059ec3d9
PH
358
359Note: this function is not called if the client fails to present a certificate
360when asked. We get here only if a certificate has been received. Handling of
361optional verification for this case is done when requesting SSL to verify, by
362setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
363
a7538db1
JH
364May be called multiple times for different issues with a certificate, even
365for a given "depth" in the certificate chain.
366
059ec3d9 367Arguments:
f2f2c91b
JH
368 preverify_ok current yes/no state as 1/0
369 x509ctx certificate information.
370 tlsp per-direction (client vs. server) support data
371 calledp has-been-called flag
372 optionalp verification-is-optional flag
059ec3d9 373
f2f2c91b 374Returns: 0 if verification should fail, otherwise 1
059ec3d9
PH
375*/
376
377static int
f2f2c91b 378verify_callback(int preverify_ok, X509_STORE_CTX *x509ctx,
421aff85 379 tls_support *tlsp, BOOL *calledp, BOOL *optionalp)
059ec3d9 380{
421aff85 381X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
a7538db1 382int depth = X509_STORE_CTX_get_error_depth(x509ctx);
f69979cf 383uschar dn[256];
059ec3d9 384
f69979cf
JH
385X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn));
386dn[sizeof(dn)-1] = '\0';
059ec3d9 387
f2f2c91b 388if (preverify_ok == 0)
059ec3d9 389 {
f77197ae
JH
390 uschar * extra = verify_mode ? string_sprintf(" (during %c-verify for [%s])",
391 *verify_mode, sender_host_address)
392 : US"";
393 log_write(0, LOG_MAIN, "[%s] SSL verify error%s: depth=%d error=%s cert=%s",
394 tlsp == &tls_out ? deliver_host_address : sender_host_address,
395 extra, depth,
396 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)), dn);
a2ff477a 397 *calledp = TRUE;
9d1c15ef
JH
398 if (!*optionalp)
399 {
f69979cf
JH
400 if (!tlsp->peercert)
401 tlsp->peercert = X509_dup(cert); /* record failing cert */
402 return 0; /* reject */
9d1c15ef 403 }
059ec3d9
PH
404 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
405 "tls_try_verify_hosts)\n");
059ec3d9
PH
406 }
407
a7538db1 408else if (depth != 0)
059ec3d9 409 {
f69979cf 410 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
f2de3a33 411#ifndef DISABLE_OCSP
f5d78688
JH
412 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
413 { /* client, wanting stapling */
414 /* Add the server cert's signing chain as the one
415 for the verification of the OCSP stapled information. */
94431adb 416
f5d78688 417 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
421aff85 418 cert))
f5d78688 419 ERR_clear_error();
c3033f13 420 sk_X509_push(client_static_cbinfo->verify_stack, cert);
f5d78688
JH
421 }
422#endif
0cbf2b82 423#ifndef DISABLE_EVENT
f69979cf
JH
424 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
425 return 0; /* reject, with peercert set */
a7538db1 426#endif
059ec3d9
PH
427 }
428else
429 {
55414b25 430 const uschar * verify_cert_hostnames;
e51c7be2 431
e51c7be2
JH
432 if ( tlsp == &tls_out
433 && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
434 /* client, wanting hostname check */
e51c7be2 435 {
f69979cf 436
740f36d4 437#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
f69979cf
JH
438# ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
439# define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
440# endif
441# ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
442# define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
443# endif
e51c7be2 444 int sep = 0;
55414b25 445 const uschar * list = verify_cert_hostnames;
e51c7be2 446 uschar * name;
d8e7834a
JH
447 int rc;
448 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
f40d5be3 449 if ((rc = X509_check_host(cert, CCS name, 0,
8d692470 450 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
740f36d4
JH
451 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
452 NULL)))
d8e7834a
JH
453 {
454 if (rc < 0)
455 {
93a6fce2 456 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
f77197ae 457 tlsp == &tls_out ? deliver_host_address : sender_host_address);
d8e7834a
JH
458 name = NULL;
459 }
e51c7be2 460 break;
d8e7834a 461 }
e51c7be2 462 if (!name)
f69979cf 463#else
e51c7be2 464 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
f69979cf 465#endif
e51c7be2 466 {
f77197ae
JH
467 uschar * extra = verify_mode
468 ? string_sprintf(" (during %c-verify for [%s])",
469 *verify_mode, sender_host_address)
470 : US"";
e51c7be2 471 log_write(0, LOG_MAIN,
f77197ae
JH
472 "[%s] SSL verify error%s: certificate name mismatch: DN=\"%s\" H=\"%s\"",
473 tlsp == &tls_out ? deliver_host_address : sender_host_address,
474 extra, dn, verify_cert_hostnames);
a3ef7310
JH
475 *calledp = TRUE;
476 if (!*optionalp)
f69979cf
JH
477 {
478 if (!tlsp->peercert)
479 tlsp->peercert = X509_dup(cert); /* record failing cert */
480 return 0; /* reject */
481 }
a3ef7310
JH
482 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
483 "tls_try_verify_hosts)\n");
e51c7be2 484 }
f69979cf 485 }
e51c7be2 486
0cbf2b82 487#ifndef DISABLE_EVENT
f69979cf
JH
488 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
489 return 0; /* reject, with peercert set */
e51c7be2
JH
490#endif
491
93dcb1c2 492 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
f69979cf 493 *calledp ? "" : " authenticated", dn);
93dcb1c2
JH
494 if (!*calledp) tlsp->certificate_verified = TRUE;
495 *calledp = TRUE;
059ec3d9
PH
496 }
497
a7538db1 498return 1; /* accept, at least for this level */
059ec3d9
PH
499}
500
a2ff477a 501static int
f2f2c91b 502verify_callback_client(int preverify_ok, X509_STORE_CTX *x509ctx)
a2ff477a 503{
f2f2c91b
JH
504return verify_callback(preverify_ok, x509ctx, &tls_out,
505 &client_verify_callback_called, &client_verify_optional);
a2ff477a
JH
506}
507
508static int
f2f2c91b 509verify_callback_server(int preverify_ok, X509_STORE_CTX *x509ctx)
a2ff477a 510{
f2f2c91b
JH
511return verify_callback(preverify_ok, x509ctx, &tls_in,
512 &server_verify_callback_called, &server_verify_optional);
a2ff477a
JH
513}
514
059ec3d9 515
c0635b6d 516#ifdef SUPPORT_DANE
53a7196b 517
e5cccda9
JH
518/* This gets called *by* the dane library verify callback, which interposes
519itself.
520*/
521static int
f2f2c91b 522verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
e5cccda9
JH
523{
524X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
f69979cf 525uschar dn[256];
83b27293 526int depth = X509_STORE_CTX_get_error_depth(x509ctx);
5c75db2e 527#ifndef DISABLE_EVENT
f69979cf 528BOOL dummy_called, optional = FALSE;
83b27293 529#endif
e5cccda9 530
f69979cf
JH
531X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn));
532dn[sizeof(dn)-1] = '\0';
e5cccda9 533
f2f2c91b
JH
534DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
535 preverify_ok ? "ok":"BAD", depth, dn);
e5cccda9 536
0cbf2b82 537#ifndef DISABLE_EVENT
f69979cf
JH
538 if (verify_event(&tls_out, cert, depth, dn,
539 &dummy_called, &optional, US"DANE"))
540 return 0; /* reject, with peercert set */
83b27293
JH
541#endif
542
f2f2c91b 543if (preverify_ok == 1)
6fbf3599
JH
544 {
545 tls_out.dane_verified = tls_out.certificate_verified = TRUE;
546#ifndef DISABLE_OCSP
547 if (client_static_cbinfo->u_ocsp.client.verify_store)
548 { /* client, wanting stapling */
549 /* Add the server cert's signing chain as the one
550 for the verification of the OCSP stapled information. */
551
552 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
553 cert))
554 ERR_clear_error();
555 sk_X509_push(client_static_cbinfo->verify_stack, cert);
556 }
557#endif
558 }
f2f2c91b
JH
559else
560 {
561 int err = X509_STORE_CTX_get_error(x509ctx);
562 DEBUG(D_tls)
563 debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
3c51463e 564 if (err == X509_V_ERR_APPLICATION_VERIFICATION)
f2f2c91b
JH
565 preverify_ok = 1;
566 }
567return preverify_ok;
e5cccda9 568}
53a7196b 569
c0635b6d 570#endif /*SUPPORT_DANE*/
e5cccda9 571
059ec3d9
PH
572
573/*************************************************
574* Information callback *
575*************************************************/
576
577/* The SSL library functions call this from time to time to indicate what they
7be682ca
PP
578are doing. We copy the string to the debugging output when TLS debugging has
579been requested.
059ec3d9
PH
580
581Arguments:
582 s the SSL connection
583 where
584 ret
585
586Returns: nothing
587*/
588
589static void
590info_callback(SSL *s, int where, int ret)
591{
592where = where;
593ret = ret;
594DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
595}
596
597
598
599/*************************************************
600* Initialize for DH *
601*************************************************/
602
603/* If dhparam is set, expand it, and load up the parameters for DH encryption.
604
605Arguments:
038597d2 606 sctx The current SSL CTX (inbound or outbound)
a799883d 607 dhparam DH parameter file or fixed parameter identity string
7199e1ee 608 host connected host, if client; NULL if server
cf0c6164 609 errstr error string pointer
059ec3d9
PH
610
611Returns: TRUE if OK (nothing to set up, or setup worked)
612*/
613
614static BOOL
cf0c6164 615init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host, uschar ** errstr)
059ec3d9 616{
059ec3d9
PH
617BIO *bio;
618DH *dh;
619uschar *dhexpanded;
a799883d 620const char *pem;
6600985a 621int dh_bitsize;
059ec3d9 622
cf0c6164 623if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded, errstr))
059ec3d9
PH
624 return FALSE;
625
0df4ab80 626if (!dhexpanded || !*dhexpanded)
a799883d 627 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
a799883d 628else if (dhexpanded[0] == '/')
059ec3d9 629 {
0df4ab80 630 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
059ec3d9 631 {
7199e1ee 632 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
cf0c6164 633 host, US strerror(errno), errstr);
a799883d 634 return FALSE;
059ec3d9 635 }
a799883d
PP
636 }
637else
638 {
639 if (Ustrcmp(dhexpanded, "none") == 0)
059ec3d9 640 {
a799883d
PP
641 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
642 return TRUE;
059ec3d9 643 }
a799883d 644
0df4ab80 645 if (!(pem = std_dh_prime_named(dhexpanded)))
a799883d
PP
646 {
647 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
cf0c6164 648 host, US strerror(errno), errstr);
a799883d
PP
649 return FALSE;
650 }
651 bio = BIO_new_mem_buf(CS pem, -1);
652 }
653
0df4ab80 654if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
a799883d 655 {
059ec3d9 656 BIO_free(bio);
a799883d 657 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
cf0c6164 658 host, NULL, errstr);
a799883d
PP
659 return FALSE;
660 }
661
6600985a
PP
662/* note: our default limit of 2236 is not a multiple of 8; the limit comes from
663 * an NSS limit, and the GnuTLS APIs handle bit-sizes fine, so we went with
664 * 2236. But older OpenSSL can only report in bytes (octets), not bits.
665 * If someone wants to dance at the edge, then they can raise the limit or use
666 * current libraries. */
667#ifdef EXIM_HAVE_OPENSSL_DH_BITS
668/* Added in commit 26c79d5641d; `git describe --contains` says OpenSSL_1_1_0-pre1~1022
669 * This predates OpenSSL_1_1_0 (before a, b, ...) so is in all 1.1.0 */
670dh_bitsize = DH_bits(dh);
671#else
672dh_bitsize = 8 * DH_size(dh);
673#endif
674
a799883d
PP
675/* Even if it is larger, we silently return success rather than cause things
676 * to fail out, so that a too-large DH will not knock out all TLS; it's a
677 * debatable choice. */
6600985a 678if (dh_bitsize > tls_dh_max_bits)
a799883d
PP
679 {
680 DEBUG(D_tls)
170f4904 681 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d\n",
6600985a 682 dh_bitsize, tls_dh_max_bits);
a799883d
PP
683 }
684else
685 {
686 SSL_CTX_set_tmp_dh(sctx, dh);
687 DEBUG(D_tls)
688 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
6600985a 689 dhexpanded ? dhexpanded : US"default", dh_bitsize);
059ec3d9
PH
690 }
691
a799883d
PP
692DH_free(dh);
693BIO_free(bio);
694
695return TRUE;
059ec3d9
PH
696}
697
698
699
700
038597d2
PP
701/*************************************************
702* Initialize for ECDH *
703*************************************************/
704
705/* Load parameters for ECDH encryption.
706
707For now, we stick to NIST P-256 because: it's simple and easy to configure;
708it avoids any patent issues that might bite redistributors; despite events in
709the news and concerns over curve choices, we're not cryptographers, we're not
710pretending to be, and this is "good enough" to be better than no support,
711protecting against most adversaries. Given another year or two, there might
712be sufficient clarity about a "right" way forward to let us make an informed
713decision, instead of a knee-jerk reaction.
714
715Longer-term, we should look at supporting both various named curves and
716external files generated with "openssl ecparam", much as we do for init_dh().
717We should also support "none" as a value, to explicitly avoid initialisation.
718
719Patches welcome.
720
721Arguments:
722 sctx The current SSL CTX (inbound or outbound)
723 host connected host, if client; NULL if server
cf0c6164 724 errstr error string pointer
038597d2
PP
725
726Returns: TRUE if OK (nothing to set up, or setup worked)
727*/
728
729static BOOL
cf0c6164 730init_ecdh(SSL_CTX * sctx, host_item * host, uschar ** errstr)
038597d2 731{
63f0dbe0
JH
732#ifdef OPENSSL_NO_ECDH
733return TRUE;
734#else
735
10ca4f1c
JH
736EC_KEY * ecdh;
737uschar * exp_curve;
738int nid;
739BOOL rv;
740
038597d2
PP
741if (host) /* No ECDH setup for clients, only for servers */
742 return TRUE;
743
10ca4f1c 744# ifndef EXIM_HAVE_ECDH
038597d2
PP
745DEBUG(D_tls)
746 debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
747return TRUE;
038597d2 748# else
10ca4f1c 749
cf0c6164 750if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr))
10ca4f1c
JH
751 return FALSE;
752if (!exp_curve || !*exp_curve)
753 return TRUE;
754
8e53a4fc 755/* "auto" needs to be handled carefully.
4c04137d 756 * OpenSSL < 1.0.2: we do not select anything, but fallback to prime256v1
8e53a4fc 757 * OpenSSL < 1.1.0: we have to call SSL_CTX_set_ecdh_auto
4c04137d 758 * (openssl/ssl.h defines SSL_CTRL_SET_ECDH_AUTO)
8e53a4fc
HSHR
759 * OpenSSL >= 1.1.0: we do not set anything, the libray does autoselection
760 * https://github.com/openssl/openssl/commit/fe6ef2472db933f01b59cad82aa925736935984b
761 */
10ca4f1c 762if (Ustrcmp(exp_curve, "auto") == 0)
038597d2 763 {
8e53a4fc 764#if OPENSSL_VERSION_NUMBER < 0x10002000L
10ca4f1c 765 DEBUG(D_tls) debug_printf(
8e53a4fc 766 "ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n");
78a3bbd5 767 exp_curve = US"prime256v1";
8e53a4fc
HSHR
768#else
769# if defined SSL_CTRL_SET_ECDH_AUTO
770 DEBUG(D_tls) debug_printf(
771 "ECDH OpenSSL 1.0.2+ temp key parameter settings: autoselection\n");
10ca4f1c
JH
772 SSL_CTX_set_ecdh_auto(sctx, 1);
773 return TRUE;
8e53a4fc
HSHR
774# else
775 DEBUG(D_tls) debug_printf(
776 "ECDH OpenSSL 1.1.0+ temp key parameter settings: default selection\n");
777 return TRUE;
778# endif
779#endif
10ca4f1c 780 }
038597d2 781
10ca4f1c
JH
782DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve);
783if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef
784# ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
785 && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef
786# endif
787 )
788 {
cf0c6164
JH
789 tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve),
790 host, NULL, errstr);
10ca4f1c
JH
791 return FALSE;
792 }
038597d2 793
10ca4f1c
JH
794if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
795 {
cf0c6164 796 tls_error(US"Unable to create ec curve", host, NULL, errstr);
10ca4f1c 797 return FALSE;
038597d2 798 }
10ca4f1c
JH
799
800/* The "tmp" in the name here refers to setting a temporary key
801not to the stability of the interface. */
802
803if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
cf0c6164 804 tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL, errstr);
10ca4f1c
JH
805else
806 DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
807
808EC_KEY_free(ecdh);
809return !rv;
810
811# endif /*EXIM_HAVE_ECDH*/
812#endif /*OPENSSL_NO_ECDH*/
038597d2
PP
813}
814
815
816
817
f2de3a33 818#ifndef DISABLE_OCSP
3f7eeb86
PP
819/*************************************************
820* Load OCSP information into state *
821*************************************************/
f5d78688 822/* Called to load the server OCSP response from the given file into memory, once
3f7eeb86
PP
823caller has determined this is needed. Checks validity. Debugs a message
824if invalid.
825
826ASSUMES: single response, for single cert.
827
828Arguments:
829 sctx the SSL_CTX* to update
830 cbinfo various parts of session state
831 expanded the filename putatively holding an OCSP response
832
833*/
834
835static void
f5d78688 836ocsp_load_response(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo, const uschar *expanded)
3f7eeb86 837{
ee5b1e28
JH
838BIO * bio;
839OCSP_RESPONSE * resp;
840OCSP_BASICRESP * basic_response;
841OCSP_SINGLERESP * single_response;
842ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
ee5b1e28 843STACK_OF(X509) * sk;
3f7eeb86
PP
844unsigned long verify_flags;
845int status, reason, i;
846
f5d78688
JH
847cbinfo->u_ocsp.server.file_expanded = string_copy(expanded);
848if (cbinfo->u_ocsp.server.response)
3f7eeb86 849 {
f5d78688
JH
850 OCSP_RESPONSE_free(cbinfo->u_ocsp.server.response);
851 cbinfo->u_ocsp.server.response = NULL;
3f7eeb86
PP
852 }
853
ee5b1e28 854if (!(bio = BIO_new_file(CS cbinfo->u_ocsp.server.file_expanded, "rb")))
3f7eeb86
PP
855 {
856 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
f5d78688 857 cbinfo->u_ocsp.server.file_expanded);
3f7eeb86
PP
858 return;
859 }
860
861resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
862BIO_free(bio);
863if (!resp)
864 {
865 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
866 return;
867 }
868
ee5b1e28 869if ((status = OCSP_response_status(resp)) != OCSP_RESPONSE_STATUS_SUCCESSFUL)
3f7eeb86
PP
870 {
871 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
872 OCSP_response_status_str(status), status);
f5d78688 873 goto bad;
3f7eeb86
PP
874 }
875
ee5b1e28 876if (!(basic_response = OCSP_response_get1_basic(resp)))
3f7eeb86
PP
877 {
878 DEBUG(D_tls)
879 debug_printf("OCSP response parse error: unable to extract basic response.\n");
f5d78688 880 goto bad;
3f7eeb86
PP
881 }
882
c3033f13 883sk = cbinfo->verify_stack;
3f7eeb86
PP
884verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
885
886/* May need to expose ability to adjust those flags?
887OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
888OCSP_TRUSTOTHER OCSP_NOINTERN */
889
4c04137d 890/* This does a full verify on the OCSP proof before we load it for serving
ee5b1e28
JH
891up; possibly overkill - just date-checks might be nice enough.
892
893OCSP_basic_verify takes a "store" arg, but does not
894use it for the chain verification, which is all we do
895when OCSP_NOVERIFY is set. The content from the wire
896"basic_response" and a cert-stack "sk" are all that is used.
897
c3033f13
JH
898We have a stack, loaded in setup_certs() if tls_verify_certificates
899was a file (not a directory, or "system"). It is unfortunate we
900cannot used the connection context store, as that would neatly
901handle the "system" case too, but there seems to be no library
902function for getting a stack from a store.
e3555426 903[ In OpenSSL 1.1 - ? X509_STORE_CTX_get0_chain(ctx) ? ]
c3033f13
JH
904We do not free the stack since it could be needed a second time for
905SNI handling.
906
4c04137d 907Separately we might try to replace using OCSP_basic_verify() - which seems to not
5ec37a55 908be a public interface into the OpenSSL library (there's no manual entry) -
ee5b1e28 909But what with? We also use OCSP_basic_verify in the client stapling callback.
4c04137d 910And there we NEED it; we must verify that status... unless the
ee5b1e28
JH
911library does it for us anyway? */
912
913if ((i = OCSP_basic_verify(basic_response, sk, NULL, verify_flags)) < 0)
3f7eeb86 914 {
ee5b1e28
JH
915 DEBUG(D_tls)
916 {
3f7eeb86
PP
917 ERR_error_string(ERR_get_error(), ssl_errstring);
918 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
f5d78688
JH
919 }
920 goto bad;
3f7eeb86
PP
921 }
922
923/* Here's the simplifying assumption: there's only one response, for the
924one certificate we use, and nothing for anything else in a chain. If this
925proves false, we need to extract a cert id from our issued cert
926(tls_certificate) and use that for OCSP_resp_find_status() (which finds the
927right cert in the stack and then calls OCSP_single_get0_status()).
928
929I'm hoping to avoid reworking a bunch more of how we handle state here. */
ee5b1e28
JH
930
931if (!(single_response = OCSP_resp_get0(basic_response, 0)))
3f7eeb86
PP
932 {
933 DEBUG(D_tls)
934 debug_printf("Unable to get first response from OCSP basic response.\n");
f5d78688 935 goto bad;
3f7eeb86
PP
936 }
937
938status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
f5d78688 939if (status != V_OCSP_CERTSTATUS_GOOD)
3f7eeb86 940 {
f5d78688
JH
941 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
942 OCSP_cert_status_str(status), status,
943 OCSP_crl_reason_str(reason), reason);
944 goto bad;
3f7eeb86
PP
945 }
946
947if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
948 {
949 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
f5d78688 950 goto bad;
3f7eeb86
PP
951 }
952
f5d78688 953supply_response:
47195144 954 cbinfo->u_ocsp.server.response = resp; /*XXX stack?*/
f5d78688
JH
955return;
956
957bad:
018058b2
JH
958 if (running_in_test_harness)
959 {
960 extern char ** environ;
961 uschar ** p;
47195144 962 if (environ) for (p = USS environ; *p; p++)
018058b2
JH
963 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
964 {
965 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
966 goto supply_response;
967 }
968 }
f5d78688 969return;
3f7eeb86 970}
f2de3a33 971#endif /*!DISABLE_OCSP*/
3f7eeb86
PP
972
973
974
975
23bb6982
JH
976/* Create and install a selfsigned certificate, for use in server mode */
977
978static int
cf0c6164 979tls_install_selfsign(SSL_CTX * sctx, uschar ** errstr)
23bb6982
JH
980{
981X509 * x509 = NULL;
982EVP_PKEY * pkey;
983RSA * rsa;
984X509_NAME * name;
985uschar * where;
986
987where = US"allocating pkey";
988if (!(pkey = EVP_PKEY_new()))
989 goto err;
990
991where = US"allocating cert";
992if (!(x509 = X509_new()))
993 goto err;
994
995where = US"generating pkey";
3ae79556 996if (!(rsa = rsa_callback(NULL, 0, 1024)))
23bb6982
JH
997 goto err;
998
4c04137d 999where = US"assigning pkey";
23bb6982
JH
1000if (!EVP_PKEY_assign_RSA(pkey, rsa))
1001 goto err;
1002
1003X509_set_version(x509, 2); /* N+1 - version 3 */
1613fd68 1004ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
23bb6982
JH
1005X509_gmtime_adj(X509_get_notBefore(x509), 0);
1006X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60); /* 1 hour */
1007X509_set_pubkey(x509, pkey);
1008
1009name = X509_get_subject_name(x509);
1010X509_NAME_add_entry_by_txt(name, "C",
4dc2379a 1011 MBSTRING_ASC, CUS "UK", -1, -1, 0);
23bb6982 1012X509_NAME_add_entry_by_txt(name, "O",
4dc2379a 1013 MBSTRING_ASC, CUS "Exim Developers", -1, -1, 0);
23bb6982 1014X509_NAME_add_entry_by_txt(name, "CN",
4dc2379a 1015 MBSTRING_ASC, CUS smtp_active_hostname, -1, -1, 0);
23bb6982
JH
1016X509_set_issuer_name(x509, name);
1017
1018where = US"signing cert";
1019if (!X509_sign(x509, pkey, EVP_md5()))
1020 goto err;
1021
1022where = US"installing selfsign cert";
1023if (!SSL_CTX_use_certificate(sctx, x509))
1024 goto err;
1025
1026where = US"installing selfsign key";
1027if (!SSL_CTX_use_PrivateKey(sctx, pkey))
1028 goto err;
1029
1030return OK;
1031
1032err:
cf0c6164 1033 (void) tls_error(where, NULL, NULL, errstr);
23bb6982
JH
1034 if (x509) X509_free(x509);
1035 if (pkey) EVP_PKEY_free(pkey);
1036 return DEFER;
1037}
1038
1039
1040
1041
ba86e143
JH
1042static int
1043tls_add_certfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1044 uschar ** errstr)
1045{
1046DEBUG(D_tls) debug_printf("tls_certificate file %s\n", file);
1047if (!SSL_CTX_use_certificate_chain_file(sctx, CS file))
1048 return tls_error(string_sprintf(
1049 "SSL_CTX_use_certificate_chain_file file=%s", file),
1050 cbinfo->host, NULL, errstr);
1051return 0;
1052}
1053
1054static int
1055tls_add_pkeyfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1056 uschar ** errstr)
1057{
1058DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", file);
1059if (!SSL_CTX_use_PrivateKey_file(sctx, CS file, SSL_FILETYPE_PEM))
1060 return tls_error(string_sprintf(
1061 "SSL_CTX_use_PrivateKey_file file=%s", file), cbinfo->host, NULL, errstr);
1062return 0;
1063}
1064
1065
059ec3d9 1066/*************************************************
7be682ca
PP
1067* Expand key and cert file specs *
1068*************************************************/
1069
f5d78688 1070/* Called once during tls_init and possibly again during TLS setup, for a
7be682ca
PP
1071new context, if Server Name Indication was used and tls_sni was seen in
1072the certificate string.
1073
1074Arguments:
1075 sctx the SSL_CTX* to update
1076 cbinfo various parts of session state
cf0c6164 1077 errstr error string pointer
7be682ca
PP
1078
1079Returns: OK/DEFER/FAIL
1080*/
1081
1082static int
cf0c6164
JH
1083tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo,
1084 uschar ** errstr)
7be682ca
PP
1085{
1086uschar *expanded;
1087
23bb6982 1088if (!cbinfo->certificate)
7be682ca 1089 {
ba86e143 1090 if (!cbinfo->is_server) /* client */
23bb6982
JH
1091 return OK;
1092 /* server */
cf0c6164 1093 if (tls_install_selfsign(sctx, errstr) != OK)
23bb6982 1094 return DEFER;
7be682ca 1095 }
23bb6982
JH
1096else
1097 {
ba86e143
JH
1098 int err;
1099
23bb6982
JH
1100 if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
1101 Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
1102 Ustrstr(cbinfo->certificate, US"tls_out_sni")
1103 )
1104 reexpand_tls_files_for_sni = TRUE;
7be682ca 1105
cf0c6164 1106 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded, errstr))
23bb6982
JH
1107 return DEFER;
1108
ba86e143
JH
1109 if (expanded)
1110 if (cbinfo->is_server)
1111 {
1112 const uschar * file_list = expanded;
1113 int sep = 0;
1114 uschar * file;
1115
1116 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1117 if ((err = tls_add_certfile(sctx, cbinfo, file, errstr)))
1118 return err;
1119 }
1120 else /* would there ever be a need for multiple client certs? */
1121 if ((err = tls_add_certfile(sctx, cbinfo, expanded, errstr)))
1122 return err;
7be682ca 1123
23bb6982 1124 if (cbinfo->privatekey != NULL &&
cf0c6164 1125 !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded, errstr))
23bb6982 1126 return DEFER;
7be682ca 1127
23bb6982
JH
1128 /* If expansion was forced to fail, key_expanded will be NULL. If the result
1129 of the expansion is an empty string, ignore it also, and assume the private
1130 key is in the same file as the certificate. */
1131
1132 if (expanded && *expanded)
ba86e143
JH
1133 if (cbinfo->is_server)
1134 {
1135 const uschar * file_list = expanded;
1136 int sep = 0;
1137 uschar * file;
1138
1139 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1140 if ((err = tls_add_pkeyfile(sctx, cbinfo, file, errstr)))
1141 return err;
1142 }
1143 else /* would there ever be a need for multiple client certs? */
1144 if ((err = tls_add_pkeyfile(sctx, cbinfo, expanded, errstr)))
1145 return err;
7be682ca
PP
1146 }
1147
f2de3a33 1148#ifndef DISABLE_OCSP
f40d5be3 1149if (cbinfo->is_server && cbinfo->u_ocsp.server.file)
3f7eeb86 1150 {
47195144 1151 /*XXX stack*/
cf0c6164 1152 if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded, errstr))
3f7eeb86
PP
1153 return DEFER;
1154
f40d5be3 1155 if (expanded && *expanded)
3f7eeb86
PP
1156 {
1157 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
f40d5be3
JH
1158 if ( cbinfo->u_ocsp.server.file_expanded
1159 && (Ustrcmp(expanded, cbinfo->u_ocsp.server.file_expanded) == 0))
3f7eeb86 1160 {
f40d5be3
JH
1161 DEBUG(D_tls) debug_printf(" - value unchanged, using existing values\n");
1162 }
1163 else
f40d5be3 1164 ocsp_load_response(sctx, cbinfo, expanded);
3f7eeb86
PP
1165 }
1166 }
1167#endif
1168
7be682ca
PP
1169return OK;
1170}
1171
1172
1173
1174
1175/*************************************************
1176* Callback to handle SNI *
1177*************************************************/
1178
1179/* Called when acting as server during the TLS session setup if a Server Name
1180Indication extension was sent by the client.
1181
1182API documentation is OpenSSL s_server.c implementation.
1183
1184Arguments:
1185 s SSL* of the current session
1186 ad unknown (part of OpenSSL API) (unused)
1187 arg Callback of "our" registered data
1188
1189Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
1190*/
1191
3bcbbbe2 1192#ifdef EXIM_HAVE_OPENSSL_TLSEXT
7be682ca 1193static int
7be682ca
PP
1194tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
1195{
1196const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
3f7eeb86 1197tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
7be682ca 1198int rc;
3f0945ff 1199int old_pool = store_pool;
cf0c6164 1200uschar * dummy_errstr;
7be682ca
PP
1201
1202if (!servername)
1203 return SSL_TLSEXT_ERR_OK;
1204
3f0945ff 1205DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
7be682ca
PP
1206 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
1207
1208/* Make the extension value available for expansion */
3f0945ff 1209store_pool = POOL_PERM;
817d9f57 1210tls_in.sni = string_copy(US servername);
3f0945ff 1211store_pool = old_pool;
7be682ca
PP
1212
1213if (!reexpand_tls_files_for_sni)
1214 return SSL_TLSEXT_ERR_OK;
1215
1216/* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
1217not confident that memcpy wouldn't break some internal reference counting.
1218Especially since there's a references struct member, which would be off. */
1219
7a8b9519
JH
1220#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1221if (!(server_sni = SSL_CTX_new(TLS_server_method())))
1222#else
0df4ab80 1223if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
7a8b9519 1224#endif
7be682ca
PP
1225 {
1226 ERR_error_string(ERR_get_error(), ssl_errstring);
1227 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
1228 return SSL_TLSEXT_ERR_NOACK;
1229 }
1230
1231/* Not sure how many of these are actually needed, since SSL object
1232already exists. Might even need this selfsame callback, for reneg? */
1233
817d9f57
JH
1234SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
1235SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
1236SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
1237SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
1238SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
1239SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
038597d2 1240
cf0c6164
JH
1241if ( !init_dh(server_sni, cbinfo->dhparam, NULL, &dummy_errstr)
1242 || !init_ecdh(server_sni, NULL, &dummy_errstr)
038597d2
PP
1243 )
1244 return SSL_TLSEXT_ERR_NOACK;
1245
7be682ca 1246if (cbinfo->server_cipher_list)
817d9f57 1247 SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list);
f2de3a33 1248#ifndef DISABLE_OCSP
f5d78688 1249if (cbinfo->u_ocsp.server.file)
3f7eeb86 1250 {
f5d78688 1251 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
14c7b357 1252 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
3f7eeb86
PP
1253 }
1254#endif
7be682ca 1255
c3033f13 1256if ((rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE,
cf0c6164 1257 verify_callback_server, &dummy_errstr)) != OK)
c3033f13 1258 return SSL_TLSEXT_ERR_NOACK;
7be682ca 1259
3f7eeb86
PP
1260/* do this after setup_certs, because this can require the certs for verifying
1261OCSP information. */
cf0c6164 1262if ((rc = tls_expand_session_files(server_sni, cbinfo, &dummy_errstr)) != OK)
0df4ab80 1263 return SSL_TLSEXT_ERR_NOACK;
a799883d 1264
7be682ca 1265DEBUG(D_tls) debug_printf("Switching SSL context.\n");
817d9f57 1266SSL_set_SSL_CTX(s, server_sni);
7be682ca
PP
1267
1268return SSL_TLSEXT_ERR_OK;
1269}
3bcbbbe2 1270#endif /* EXIM_HAVE_OPENSSL_TLSEXT */
7be682ca
PP
1271
1272
1273
1274
f2de3a33 1275#ifndef DISABLE_OCSP
f5d78688 1276
3f7eeb86
PP
1277/*************************************************
1278* Callback to handle OCSP Stapling *
1279*************************************************/
1280
1281/* Called when acting as server during the TLS session setup if the client
1282requests OCSP information with a Certificate Status Request.
1283
1284Documentation via openssl s_server.c and the Apache patch from the OpenSSL
1285project.
1286
1287*/
1288
1289static int
f5d78688 1290tls_server_stapling_cb(SSL *s, void *arg)
3f7eeb86
PP
1291{
1292const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
47195144 1293uschar *response_der; /*XXX blob */
3f7eeb86
PP
1294int response_der_len;
1295
47195144
JH
1296/*XXX stack: use SSL_get_certificate() to see which cert; from that work
1297out which ocsp blob to send. Unfortunately, SSL_get_certificate is known
1298buggy in current OpenSSL; it returns the last cert loaded always rather than
1299the one actually presented. So we can't support a stack of OCSP proofs at
1300this time. */
1301
af4a1bca 1302DEBUG(D_tls)
b3ef41c9 1303 debug_printf("Received TLS status request (OCSP stapling); %s response\n",
f5d78688
JH
1304 cbinfo->u_ocsp.server.response ? "have" : "lack");
1305
44662487 1306tls_in.ocsp = OCSP_NOT_RESP;
f5d78688 1307if (!cbinfo->u_ocsp.server.response)
3f7eeb86
PP
1308 return SSL_TLSEXT_ERR_NOACK;
1309
1310response_der = NULL;
47195144 1311response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response, /*XXX stack*/
44662487 1312 &response_der);
3f7eeb86
PP
1313if (response_der_len <= 0)
1314 return SSL_TLSEXT_ERR_NOACK;
1315
5e55c7a9 1316SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
44662487 1317tls_in.ocsp = OCSP_VFIED;
3f7eeb86
PP
1318return SSL_TLSEXT_ERR_OK;
1319}
1320
3f7eeb86 1321
f5d78688
JH
1322static void
1323time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
1324{
1325BIO_printf(bp, "\t%s: ", str);
1326ASN1_GENERALIZEDTIME_print(bp, time);
1327BIO_puts(bp, "\n");
1328}
1329
1330static int
1331tls_client_stapling_cb(SSL *s, void *arg)
1332{
1333tls_ext_ctx_cb * cbinfo = arg;
1334const unsigned char * p;
1335int len;
1336OCSP_RESPONSE * rsp;
1337OCSP_BASICRESP * bs;
1338int i;
1339
1340DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
1341len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1342if(!p)
1343 {
44662487 1344 /* Expect this when we requested ocsp but got none */
6c6d6e48 1345 if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
44662487 1346 log_write(0, LOG_MAIN, "Received TLS status callback, null content");
f5d78688
JH
1347 else
1348 DEBUG(D_tls) debug_printf(" null\n");
44662487 1349 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
f5d78688 1350 }
018058b2 1351
f5d78688
JH
1352if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
1353 {
018058b2 1354 tls_out.ocsp = OCSP_FAILED;
6c6d6e48 1355 if (LOGGING(tls_cipher))
1eca31ca 1356 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
f5d78688
JH
1357 else
1358 DEBUG(D_tls) debug_printf(" parse error\n");
1359 return 0;
1360 }
1361
1362if(!(bs = OCSP_response_get1_basic(rsp)))
1363 {
018058b2 1364 tls_out.ocsp = OCSP_FAILED;
6c6d6e48 1365 if (LOGGING(tls_cipher))
1eca31ca 1366 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
f5d78688
JH
1367 else
1368 DEBUG(D_tls) debug_printf(" error parsing response\n");
1369 OCSP_RESPONSE_free(rsp);
1370 return 0;
1371 }
1372
1373/* We'd check the nonce here if we'd put one in the request. */
1374/* However that would defeat cacheability on the server so we don't. */
1375
f5d78688
JH
1376/* This section of code reworked from OpenSSL apps source;
1377 The OpenSSL Project retains copyright:
1378 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
1379*/
1380 {
1381 BIO * bp = NULL;
f5d78688
JH
1382 int status, reason;
1383 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1384
57887ecc 1385 DEBUG(D_tls) bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
f5d78688
JH
1386
1387 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
1388
1389 /* Use the chain that verified the server cert to verify the stapled info */
1390 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
1391
c3033f13 1392 if ((i = OCSP_basic_verify(bs, cbinfo->verify_stack,
44662487 1393 cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
f5d78688 1394 {
018058b2 1395 tls_out.ocsp = OCSP_FAILED;
57887ecc
JH
1396 if (LOGGING(tls_cipher)) log_write(0, LOG_MAIN,
1397 "Received TLS cert status response, itself unverifiable: %s",
1398 ERR_reason_error_string(ERR_peek_error()));
f5d78688
JH
1399 BIO_printf(bp, "OCSP response verify failure\n");
1400 ERR_print_errors(bp);
57887ecc 1401 OCSP_RESPONSE_print(bp, rsp, 0);
c8dfb21d 1402 goto failed;
f5d78688
JH
1403 }
1404
1405 BIO_printf(bp, "OCSP response well-formed and signed OK\n");
1406
c8dfb21d
JH
1407 /*XXX So we have a good stapled OCSP status. How do we know
1408 it is for the cert of interest? OpenSSL 1.1.0 has a routine
1409 OCSP_resp_find_status() which matches on a cert id, which presumably
1410 we should use. Making an id needs OCSP_cert_id_new(), which takes
1411 issuerName, issuerKey, serialNumber. Are they all in the cert?
1412
1413 For now, carry on blindly accepting the resp. */
1414
f5d78688 1415 {
f5d78688
JH
1416 OCSP_SINGLERESP * single;
1417
c8dfb21d
JH
1418#ifdef EXIM_HAVE_OCSP_RESP_COUNT
1419 if (OCSP_resp_count(bs) != 1)
1420#else
1421 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
f5d78688 1422 if (sk_OCSP_SINGLERESP_num(sresp) != 1)
c8dfb21d 1423#endif
f5d78688 1424 {
018058b2 1425 tls_out.ocsp = OCSP_FAILED;
44662487
JH
1426 log_write(0, LOG_MAIN, "OCSP stapling "
1427 "with multiple responses not handled");
c8dfb21d 1428 goto failed;
f5d78688
JH
1429 }
1430 single = OCSP_resp_get0(bs, 0);
44662487
JH
1431 status = OCSP_single_get0_status(single, &reason, &rev,
1432 &thisupd, &nextupd);
f5d78688
JH
1433 }
1434
f5d78688
JH
1435 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
1436 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
44662487
JH
1437 if (!OCSP_check_validity(thisupd, nextupd,
1438 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
f5d78688 1439 {
018058b2 1440 tls_out.ocsp = OCSP_FAILED;
f5d78688
JH
1441 DEBUG(D_tls) ERR_print_errors(bp);
1442 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
f5d78688 1443 }
44662487 1444 else
f5d78688 1445 {
44662487
JH
1446 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
1447 OCSP_cert_status_str(status));
1448 switch(status)
1449 {
1450 case V_OCSP_CERTSTATUS_GOOD:
44662487 1451 tls_out.ocsp = OCSP_VFIED;
018058b2 1452 i = 1;
c8dfb21d 1453 goto good;
44662487 1454 case V_OCSP_CERTSTATUS_REVOKED:
018058b2 1455 tls_out.ocsp = OCSP_FAILED;
44662487
JH
1456 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
1457 reason != -1 ? "; reason: " : "",
1458 reason != -1 ? OCSP_crl_reason_str(reason) : "");
1459 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
44662487
JH
1460 break;
1461 default:
018058b2 1462 tls_out.ocsp = OCSP_FAILED;
44662487
JH
1463 log_write(0, LOG_MAIN,
1464 "Server certificate status unknown, in OCSP stapling");
44662487
JH
1465 break;
1466 }
f5d78688 1467 }
c8dfb21d
JH
1468 failed:
1469 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1470 good:
f5d78688
JH
1471 BIO_free(bp);
1472 }
1473
1474OCSP_RESPONSE_free(rsp);
1475return i;
1476}
f2de3a33 1477#endif /*!DISABLE_OCSP*/
3f7eeb86
PP
1478
1479
7be682ca 1480/*************************************************
059ec3d9
PH
1481* Initialize for TLS *
1482*************************************************/
1483
e51c7be2
JH
1484/* Called from both server and client code, to do preliminary initialization
1485of the library. We allocate and return a context structure.
059ec3d9
PH
1486
1487Arguments:
946ecbe0 1488 ctxp returned SSL context
059ec3d9
PH
1489 host connected host, if client; NULL if server
1490 dhparam DH parameter file
1491 certificate certificate file
1492 privatekey private key
f5d78688 1493 ocsp_file file of stapling info (server); flag for require ocsp (client)
059ec3d9 1494 addr address if client; NULL if server (for some randomness)
946ecbe0 1495 cbp place to put allocated callback context
cf0c6164 1496 errstr error string pointer
059ec3d9
PH
1497
1498Returns: OK/DEFER/FAIL
1499*/
1500
1501static int
817d9f57 1502tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
3f7eeb86 1503 uschar *privatekey,
f2de3a33 1504#ifndef DISABLE_OCSP
47195144 1505 uschar *ocsp_file, /*XXX stack, in server*/
3f7eeb86 1506#endif
cf0c6164 1507 address_item *addr, tls_ext_ctx_cb ** cbp, uschar ** errstr)
059ec3d9 1508{
7006ee24 1509SSL_CTX * ctx;
77bb000f 1510long init_options;
7be682ca 1511int rc;
a7538db1 1512tls_ext_ctx_cb * cbinfo;
7be682ca
PP
1513
1514cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
1515cbinfo->certificate = certificate;
1516cbinfo->privatekey = privatekey;
a6510420 1517cbinfo->is_server = host==NULL;
f2de3a33 1518#ifndef DISABLE_OCSP
c3033f13 1519cbinfo->verify_stack = NULL;
a6510420 1520if (!host)
f5d78688
JH
1521 {
1522 cbinfo->u_ocsp.server.file = ocsp_file;
1523 cbinfo->u_ocsp.server.file_expanded = NULL;
1524 cbinfo->u_ocsp.server.response = NULL;
1525 }
1526else
1527 cbinfo->u_ocsp.client.verify_store = NULL;
3f7eeb86 1528#endif
7be682ca 1529cbinfo->dhparam = dhparam;
0df4ab80 1530cbinfo->server_cipher_list = NULL;
7be682ca 1531cbinfo->host = host;
0cbf2b82 1532#ifndef DISABLE_EVENT
a7538db1
JH
1533cbinfo->event_action = NULL;
1534#endif
77bb000f 1535
059ec3d9
PH
1536SSL_load_error_strings(); /* basic set up */
1537OpenSSL_add_ssl_algorithms();
1538
c8dfb21d 1539#ifdef EXIM_HAVE_SHA256
77bb000f 1540/* SHA256 is becoming ever more popular. This makes sure it gets added to the
a0475b69
TK
1541list of available digests. */
1542EVP_add_digest(EVP_sha256());
cf1ef1a9 1543#endif
a0475b69 1544
f0f5a555
PP
1545/* Create a context.
1546The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
1547negotiation in the different methods; as far as I can tell, the only
1548*_{server,client}_method which allows negotiation is SSLv23, which exists even
1549when OpenSSL is built without SSLv2 support.
1550By disabling with openssl_options, we can let admins re-enable with the
1551existing knob. */
059ec3d9 1552
7a8b9519
JH
1553#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1554if (!(ctx = SSL_CTX_new(host ? TLS_client_method() : TLS_server_method())))
1555#else
7006ee24 1556if (!(ctx = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method())))
7a8b9519 1557#endif
7006ee24 1558 return tls_error(US"SSL_CTX_new", host, NULL, errstr);
059ec3d9
PH
1559
1560/* It turns out that we need to seed the random number generator this early in
1561order to get the full complement of ciphers to work. It took me roughly a day
1562of work to discover this by experiment.
1563
1564On systems that have /dev/urandom, SSL may automatically seed itself from
1565there. Otherwise, we have to make something up as best we can. Double check
1566afterwards. */
1567
1568if (!RAND_status())
1569 {
1570 randstuff r;
9e3331ea 1571 gettimeofday(&r.tv, NULL);
059ec3d9
PH
1572 r.p = getpid();
1573
5903c6ff
JH
1574 RAND_seed(US (&r), sizeof(r));
1575 RAND_seed(US big_buffer, big_buffer_size);
1576 if (addr != NULL) RAND_seed(US addr, sizeof(addr));
059ec3d9
PH
1577
1578 if (!RAND_status())
7199e1ee 1579 return tls_error(US"RAND_status", host,
cf0c6164 1580 US"unable to seed random number generator", errstr);
059ec3d9
PH
1581 }
1582
1583/* Set up the information callback, which outputs if debugging is at a suitable
1584level. */
1585
7006ee24 1586DEBUG(D_tls) SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
059ec3d9 1587
c80c5570 1588/* Automatically re-try reads/writes after renegotiation. */
7006ee24 1589(void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
c80c5570 1590
77bb000f
PP
1591/* Apply administrator-supplied work-arounds.
1592Historically we applied just one requested option,
1593SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
1594moved to an administrator-controlled list of options to specify and
1595grandfathered in the first one as the default value for "openssl_options".
059ec3d9 1596
77bb000f
PP
1597No OpenSSL version number checks: the options we accept depend upon the
1598availability of the option value macros from OpenSSL. */
059ec3d9 1599
7006ee24 1600if (!tls_openssl_options_parse(openssl_options, &init_options))
cf0c6164 1601 return tls_error(US"openssl_options parsing failed", host, NULL, errstr);
77bb000f
PP
1602
1603if (init_options)
1604 {
1605 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
7006ee24 1606 if (!(SSL_CTX_set_options(ctx, init_options)))
77bb000f 1607 return tls_error(string_sprintf(
cf0c6164 1608 "SSL_CTX_set_option(%#lx)", init_options), host, NULL, errstr);
77bb000f
PP
1609 }
1610else
1611 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
059ec3d9 1612
a28050f8
JH
1613/* We'd like to disable session cache unconditionally, but foolish Outlook
1614Express clients then give up the first TLS connection and make a second one
1615(which works). Only when there is an IMAP service on the same machine.
1616Presumably OE is trying to use the cache for A on B. Leave it enabled for
1617now, until we work out a decent way of presenting control to the config. It
1618will never be used because we use a new context every time. */
1619#ifdef notdef
7006ee24 1620(void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
a28050f8 1621#endif
7006ee24 1622
059ec3d9 1623/* Initialize with DH parameters if supplied */
10ca4f1c 1624/* Initialize ECDH temp key parameter selection */
059ec3d9 1625
7006ee24
JH
1626if ( !init_dh(ctx, dhparam, host, errstr)
1627 || !init_ecdh(ctx, host, errstr)
038597d2
PP
1628 )
1629 return DEFER;
059ec3d9 1630
3f7eeb86 1631/* Set up certificate and key (and perhaps OCSP info) */
059ec3d9 1632
7006ee24 1633if ((rc = tls_expand_session_files(ctx, cbinfo, errstr)) != OK)
23bb6982 1634 return rc;
c91535f3 1635
c3033f13
JH
1636/* If we need to handle SNI or OCSP, do so */
1637
3bcbbbe2 1638#ifdef EXIM_HAVE_OPENSSL_TLSEXT
c3033f13
JH
1639# ifndef DISABLE_OCSP
1640 if (!(cbinfo->verify_stack = sk_X509_new_null()))
1641 {
1642 DEBUG(D_tls) debug_printf("failed to create stack for stapling verify\n");
1643 return FAIL;
1644 }
1645# endif
1646
7a8b9519 1647if (!host) /* server */
3f0945ff 1648 {
f2de3a33 1649# ifndef DISABLE_OCSP
f5d78688 1650 /* We check u_ocsp.server.file, not server.response, because we care about if
3f7eeb86
PP
1651 the option exists, not what the current expansion might be, as SNI might
1652 change the certificate and OCSP file in use between now and the time the
1653 callback is invoked. */
f5d78688 1654 if (cbinfo->u_ocsp.server.file)
3f7eeb86 1655 {
7006ee24
JH
1656 SSL_CTX_set_tlsext_status_cb(ctx, tls_server_stapling_cb);
1657 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
3f7eeb86 1658 }
f5d78688 1659# endif
3f0945ff
PP
1660 /* We always do this, so that $tls_sni is available even if not used in
1661 tls_certificate */
7006ee24
JH
1662 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
1663 SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
3f0945ff 1664 }
f2de3a33 1665# ifndef DISABLE_OCSP
f5d78688
JH
1666else /* client */
1667 if(ocsp_file) /* wanting stapling */
1668 {
1669 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
1670 {
1671 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
1672 return FAIL;
1673 }
7006ee24
JH
1674 SSL_CTX_set_tlsext_status_cb(ctx, tls_client_stapling_cb);
1675 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
f5d78688
JH
1676 }
1677# endif
7be682ca 1678#endif
059ec3d9 1679
e51c7be2 1680cbinfo->verify_cert_hostnames = NULL;
e51c7be2 1681
c8dfb21d 1682#ifdef EXIM_HAVE_EPHEM_RSA_KEX
059ec3d9 1683/* Set up the RSA callback */
7006ee24 1684SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
c8dfb21d 1685#endif
059ec3d9
PH
1686
1687/* Finally, set the timeout, and we are done */
1688
7006ee24 1689SSL_CTX_set_timeout(ctx, ssl_session_timeout);
059ec3d9 1690DEBUG(D_tls) debug_printf("Initialized TLS\n");
7be682ca 1691
817d9f57 1692*cbp = cbinfo;
7006ee24 1693*ctxp = ctx;
7be682ca 1694
059ec3d9
PH
1695return OK;
1696}
1697
1698
1699
1700
1701/*************************************************
1702* Get name of cipher in use *
1703*************************************************/
1704
817d9f57 1705/*
059ec3d9 1706Argument: pointer to an SSL structure for the connection
817d9f57
JH
1707 buffer to use for answer
1708 size of buffer
1709 pointer to number of bits for cipher
059ec3d9
PH
1710Returns: nothing
1711*/
1712
1713static void
817d9f57 1714construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits)
059ec3d9 1715{
7a8b9519 1716/* With OpenSSL 1.0.0a, 'c' needs to be const but the documentation doesn't
57b3a7f5
PP
1717yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
1718the accessor functions use const in the prototype. */
059ec3d9 1719
7a8b9519
JH
1720const uschar * ver = CUS SSL_get_version(ssl);
1721const SSL_CIPHER * c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
059ec3d9 1722
817d9f57 1723SSL_CIPHER_get_bits(c, bits);
059ec3d9 1724
817d9f57
JH
1725string_format(cipherbuf, bsize, "%s:%s:%u", ver,
1726 SSL_CIPHER_get_name(c), *bits);
059ec3d9
PH
1727
1728DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
1729}
1730
1731
f69979cf
JH
1732static void
1733peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned bsize)
1734{
1735/*XXX we might consider a list-of-certs variable for the cert chain.
1736SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
1737in list-handling functions, also consider the difference between the entire
1738chain and the elements sent by the peer. */
1739
1740/* Will have already noted peercert on a verify fail; possibly not the leaf */
1741if (!tlsp->peercert)
1742 tlsp->peercert = SSL_get_peer_certificate(ssl);
1743/* Beware anonymous ciphers which lead to server_cert being NULL */
1744if (tlsp->peercert)
1745 {
1746 X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, bsize);
1747 peerdn[bsize-1] = '\0';
1748 tlsp->peerdn = peerdn; /*XXX a static buffer... */
1749 }
1750else
1751 tlsp->peerdn = NULL;
1752}
1753
1754
059ec3d9
PH
1755
1756
1757
1758/*************************************************
1759* Set up for verifying certificates *
1760*************************************************/
1761
0e8aed8a 1762#ifndef DISABLE_OCSP
c3033f13
JH
1763/* Load certs from file, return TRUE on success */
1764
1765static BOOL
1766chain_from_pem_file(const uschar * file, STACK_OF(X509) * verify_stack)
1767{
1768BIO * bp;
1769X509 * x;
1770
dec766a1
WB
1771while (sk_X509_num(verify_stack) > 0)
1772 X509_free(sk_X509_pop(verify_stack));
1773
c3033f13
JH
1774if (!(bp = BIO_new_file(CS file, "r"))) return FALSE;
1775while ((x = PEM_read_bio_X509(bp, NULL, 0, NULL)))
1776 sk_X509_push(verify_stack, x);
1777BIO_free(bp);
1778return TRUE;
1779}
0e8aed8a 1780#endif
c3033f13
JH
1781
1782
1783
dec766a1
WB
1784/* Called by both client and server startup; on the server possibly
1785repeated after a Server Name Indication.
059ec3d9
PH
1786
1787Arguments:
7be682ca 1788 sctx SSL_CTX* to initialise
059ec3d9
PH
1789 certs certs file or NULL
1790 crl CRL file or NULL
1791 host NULL in a server; the remote host in a client
1792 optional TRUE if called from a server for a host in tls_try_verify_hosts;
1793 otherwise passed as FALSE
983207c1 1794 cert_vfy_cb Callback function for certificate verification
cf0c6164 1795 errstr error string pointer
059ec3d9
PH
1796
1797Returns: OK/DEFER/FAIL
1798*/
1799
1800static int
983207c1 1801setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
cf0c6164 1802 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr)
059ec3d9
PH
1803{
1804uschar *expcerts, *expcrl;
1805
cf0c6164 1806if (!expand_check(certs, US"tls_verify_certificates", &expcerts, errstr))
059ec3d9 1807 return DEFER;
57cc2785 1808DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
059ec3d9 1809
10a831a3 1810if (expcerts && *expcerts)
059ec3d9 1811 {
10a831a3
JH
1812 /* Tell the library to use its compiled-in location for the system default
1813 CA bundle. Then add the ones specified in the config, if any. */
cb1d7830 1814
10a831a3 1815 if (!SSL_CTX_set_default_verify_paths(sctx))
cf0c6164 1816 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL, errstr);
10a831a3
JH
1817
1818 if (Ustrcmp(expcerts, "system") != 0)
059ec3d9 1819 {
cb1d7830
JH
1820 struct stat statbuf;
1821
cb1d7830
JH
1822 if (Ustat(expcerts, &statbuf) < 0)
1823 {
1824 log_write(0, LOG_MAIN|LOG_PANIC,
1825 "failed to stat %s for certificates", expcerts);
1826 return DEFER;
1827 }
059ec3d9 1828 else
059ec3d9 1829 {
cb1d7830
JH
1830 uschar *file, *dir;
1831 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
1832 { file = NULL; dir = expcerts; }
1833 else
c3033f13
JH
1834 {
1835 file = expcerts; dir = NULL;
1836#ifndef DISABLE_OCSP
1837 /* In the server if we will be offering an OCSP proof, load chain from
1838 file for verifying the OCSP proof at load time. */
1839
1840 if ( !host
1841 && statbuf.st_size > 0
1842 && server_static_cbinfo->u_ocsp.server.file
1843 && !chain_from_pem_file(file, server_static_cbinfo->verify_stack)
1844 )
1845 {
1846 log_write(0, LOG_MAIN|LOG_PANIC,
57887ecc 1847 "failed to load cert chain from %s", file);
c3033f13
JH
1848 return DEFER;
1849 }
1850#endif
1851 }
cb1d7830
JH
1852
1853 /* If a certificate file is empty, the next function fails with an
1854 unhelpful error message. If we skip it, we get the correct behaviour (no
1855 certificates are recognized, but the error message is still misleading (it
c3033f13 1856 says no certificate was supplied). But this is better. */
cb1d7830 1857
f2f2c91b
JH
1858 if ( (!file || statbuf.st_size > 0)
1859 && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
cf0c6164 1860 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL, errstr);
cb1d7830
JH
1861
1862 /* Load the list of CAs for which we will accept certs, for sending
1863 to the client. This is only for the one-file tls_verify_certificates
1864 variant.
1865 If a list isn't loaded into the server, but
1866 some verify locations are set, the server end appears to make
4c04137d 1867 a wildcard request for client certs.
10a831a3 1868 Meanwhile, the client library as default behaviour *ignores* the list
cb1d7830
JH
1869 we send over the wire - see man SSL_CTX_set_client_cert_cb.
1870 Because of this, and that the dir variant is likely only used for
1871 the public-CA bundle (not for a private CA), not worth fixing.
1872 */
f2f2c91b 1873 if (file)
cb1d7830 1874 {
2009ecca 1875 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
dec766a1
WB
1876
1877 SSL_CTX_set_client_CA_list(sctx, names);
f2f2c91b 1878 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
cb1d7830 1879 sk_X509_NAME_num(names));
cb1d7830 1880 }
059ec3d9
PH
1881 }
1882 }
1883
1884 /* Handle a certificate revocation list. */
1885
10a831a3 1886#if OPENSSL_VERSION_NUMBER > 0x00907000L
059ec3d9 1887
8b417f2c 1888 /* This bit of code is now the version supplied by Lars Mainka. (I have
10a831a3 1889 merely reformatted it into the Exim code style.)
8b417f2c 1890
10a831a3
JH
1891 "From here I changed the code to add support for multiple crl's
1892 in pem format in one file or to support hashed directory entries in
1893 pem format instead of a file. This method now uses the library function
1894 X509_STORE_load_locations to add the CRL location to the SSL context.
1895 OpenSSL will then handle the verify against CA certs and CRLs by
1896 itself in the verify callback." */
8b417f2c 1897
cf0c6164 1898 if (!expand_check(crl, US"tls_crl", &expcrl, errstr)) return DEFER;
10a831a3 1899 if (expcrl && *expcrl)
059ec3d9 1900 {
8b417f2c
PH
1901 struct stat statbufcrl;
1902 if (Ustat(expcrl, &statbufcrl) < 0)
1903 {
1904 log_write(0, LOG_MAIN|LOG_PANIC,
1905 "failed to stat %s for certificates revocation lists", expcrl);
1906 return DEFER;
1907 }
1908 else
059ec3d9 1909 {
8b417f2c
PH
1910 /* is it a file or directory? */
1911 uschar *file, *dir;
7be682ca 1912 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
8b417f2c 1913 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
059ec3d9 1914 {
8b417f2c
PH
1915 file = NULL;
1916 dir = expcrl;
1917 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
059ec3d9
PH
1918 }
1919 else
1920 {
8b417f2c
PH
1921 file = expcrl;
1922 dir = NULL;
1923 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
059ec3d9 1924 }
8b417f2c 1925 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
cf0c6164 1926 return tls_error(US"X509_STORE_load_locations", host, NULL, errstr);
8b417f2c
PH
1927
1928 /* setting the flags to check against the complete crl chain */
1929
1930 X509_STORE_set_flags(cvstore,
1931 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
059ec3d9 1932 }
059ec3d9
PH
1933 }
1934
10a831a3 1935#endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
059ec3d9
PH
1936
1937 /* If verification is optional, don't fail if no certificate */
1938
7be682ca 1939 SSL_CTX_set_verify(sctx,
059ec3d9 1940 SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
983207c1 1941 cert_vfy_cb);
059ec3d9
PH
1942 }
1943
1944return OK;
1945}
1946
1947
1948
1949/*************************************************
1950* Start a TLS session in a server *
1951*************************************************/
1952
1953/* This is called when Exim is running as a server, after having received
1954the STARTTLS command. It must respond to that command, and then negotiate
1955a TLS session.
1956
1957Arguments:
1958 require_ciphers allowed ciphers
cf0c6164 1959 errstr pointer to error message
059ec3d9
PH
1960
1961Returns: OK on success
1962 DEFER for errors before the start of the negotiation
4c04137d 1963 FAIL for errors during the negotiation; the server can't
059ec3d9
PH
1964 continue running.
1965*/
1966
1967int
cf0c6164 1968tls_server_start(const uschar * require_ciphers, uschar ** errstr)
059ec3d9
PH
1969{
1970int rc;
cf0c6164
JH
1971uschar * expciphers;
1972tls_ext_ctx_cb * cbinfo;
f69979cf 1973static uschar peerdn[256];
817d9f57 1974static uschar cipherbuf[256];
059ec3d9
PH
1975
1976/* Check for previous activation */
1977
817d9f57 1978if (tls_in.active >= 0)
059ec3d9 1979 {
cf0c6164 1980 tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
925ac8e4 1981 smtp_printf("554 Already in TLS\r\n", FALSE);
059ec3d9
PH
1982 return FAIL;
1983 }
1984
1985/* Initialize the SSL library. If it fails, it will already have logged
1986the error. */
1987
817d9f57 1988rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
f2de3a33 1989#ifndef DISABLE_OCSP
47195144 1990 tls_ocsp_file, /*XXX stack*/
3f7eeb86 1991#endif
cf0c6164 1992 NULL, &server_static_cbinfo, errstr);
059ec3d9 1993if (rc != OK) return rc;
817d9f57 1994cbinfo = server_static_cbinfo;
059ec3d9 1995
cf0c6164 1996if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers, errstr))
059ec3d9
PH
1997 return FAIL;
1998
1999/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
17c76198
PP
2000were historically separated by underscores. So that I can use either form in my
2001tests, and also for general convenience, we turn underscores into hyphens here.
0c3807a8
JH
2002
2003XXX SSL_CTX_set_cipher_list() is replaced by SSL_CTX_set_ciphersuites()
2004for TLS 1.3 . Since we do not call it at present we get the default list:
2005TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
17c76198 2006*/
059ec3d9 2007
c3033f13 2008if (expciphers)
059ec3d9 2009 {
c3033f13 2010 uschar * s = expciphers;
059ec3d9
PH
2011 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
2012 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
817d9f57 2013 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
cf0c6164 2014 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL, errstr);
7be682ca 2015 cbinfo->server_cipher_list = expciphers;
059ec3d9
PH
2016 }
2017
2018/* If this is a host for which certificate verification is mandatory or
2019optional, set up appropriately. */
2020
817d9f57 2021tls_in.certificate_verified = FALSE;
c0635b6d 2022#ifdef SUPPORT_DANE
53a7196b
JH
2023tls_in.dane_verified = FALSE;
2024#endif
a2ff477a 2025server_verify_callback_called = FALSE;
059ec3d9
PH
2026
2027if (verify_check_host(&tls_verify_hosts) == OK)
2028 {
983207c1 2029 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
cf0c6164 2030 FALSE, verify_callback_server, errstr);
059ec3d9 2031 if (rc != OK) return rc;
a2ff477a 2032 server_verify_optional = FALSE;
059ec3d9
PH
2033 }
2034else if (verify_check_host(&tls_try_verify_hosts) == OK)
2035 {
983207c1 2036 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
cf0c6164 2037 TRUE, verify_callback_server, errstr);
059ec3d9 2038 if (rc != OK) return rc;
a2ff477a 2039 server_verify_optional = TRUE;
059ec3d9
PH
2040 }
2041
2042/* Prepare for new connection */
2043
cf0c6164
JH
2044if (!(server_ssl = SSL_new(server_ctx)))
2045 return tls_error(US"SSL_new", NULL, NULL, errstr);
da3ad30d
PP
2046
2047/* Warning: we used to SSL_clear(ssl) here, it was removed.
2048 *
2049 * With the SSL_clear(), we get strange interoperability bugs with
2050 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
2051 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
2052 *
2053 * The SSL_clear() call is to let an existing SSL* be reused, typically after
2054 * session shutdown. In this case, we have a brand new object and there's no
2055 * obvious reason to immediately clear it. I'm guessing that this was
2056 * originally added because of incomplete initialisation which the clear fixed,
2057 * in some historic release.
2058 */
059ec3d9
PH
2059
2060/* Set context and tell client to go ahead, except in the case of TLS startup
2061on connection, where outputting anything now upsets the clients and tends to
2062make them disconnect. We need to have an explicit fflush() here, to force out
2063the response. Other smtp_printf() calls do not need it, because in non-TLS
2064mode, the fflush() happens when smtp_getc() is called. */
2065
817d9f57
JH
2066SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
2067if (!tls_in.on_connect)
059ec3d9 2068 {
925ac8e4 2069 smtp_printf("220 TLS go ahead\r\n", FALSE);
059ec3d9
PH
2070 fflush(smtp_out);
2071 }
2072
2073/* Now negotiate the TLS session. We put our own timer on it, since it seems
2074that the OpenSSL library doesn't. */
2075
817d9f57
JH
2076SSL_set_wfd(server_ssl, fileno(smtp_out));
2077SSL_set_rfd(server_ssl, fileno(smtp_in));
2078SSL_set_accept_state(server_ssl);
059ec3d9
PH
2079
2080DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
2081
2082sigalrm_seen = FALSE;
2083if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
817d9f57 2084rc = SSL_accept(server_ssl);
059ec3d9
PH
2085alarm(0);
2086
2087if (rc <= 0)
2088 {
cf0c6164 2089 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
059ec3d9
PH
2090 return FAIL;
2091 }
2092
2093DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
2094
2095/* TLS has been set up. Adjust the input functions to read via TLS,
2096and initialize things. */
2097
f69979cf
JH
2098peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
2099
817d9f57
JH
2100construct_cipher_name(server_ssl, cipherbuf, sizeof(cipherbuf), &tls_in.bits);
2101tls_in.cipher = cipherbuf;
059ec3d9
PH
2102
2103DEBUG(D_tls)
2104 {
2105 uschar buf[2048];
817d9f57 2106 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)) != NULL)
059ec3d9
PH
2107 debug_printf("Shared ciphers: %s\n", buf);
2108 }
2109
9d1c15ef
JH
2110/* Record the certificate we presented */
2111 {
2112 X509 * crt = SSL_get_certificate(server_ssl);
2113 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
2114 }
059ec3d9 2115
817d9f57
JH
2116/* Only used by the server-side tls (tls_in), including tls_getc.
2117 Client-side (tls_out) reads (seem to?) go via
2118 smtp_read_response()/ip_recv().
2119 Hence no need to duplicate for _in and _out.
2120 */
b808677c 2121if (!ssl_xfer_buffer) ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
059ec3d9 2122ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
8b77d27a 2123ssl_xfer_eof = ssl_xfer_error = FALSE;
059ec3d9
PH
2124
2125receive_getc = tls_getc;
0d81dabc 2126receive_getbuf = tls_getbuf;
584e96c6 2127receive_get_cache = tls_get_cache;
059ec3d9
PH
2128receive_ungetc = tls_ungetc;
2129receive_feof = tls_feof;
2130receive_ferror = tls_ferror;
58eb016e 2131receive_smtp_buffered = tls_smtp_buffered;
059ec3d9 2132
817d9f57 2133tls_in.active = fileno(smtp_out);
059ec3d9
PH
2134return OK;
2135}
2136
2137
2138
2139
043b1248
JH
2140static int
2141tls_client_basic_ctx_init(SSL_CTX * ctx,
cf0c6164
JH
2142 host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo,
2143 uschar ** errstr)
043b1248
JH
2144{
2145int rc;
94431adb 2146/* stick to the old behaviour for compatibility if tls_verify_certificates is
043b1248
JH
2147 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
2148 the specified host patterns if one of them is defined */
2149
610ff438
JH
2150if ( ( !ob->tls_verify_hosts
2151 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2152 )
5130845b 2153 || (verify_check_given_host(&ob->tls_verify_hosts, host) == OK)
aa2a70ba 2154 )
043b1248 2155 client_verify_optional = FALSE;
5130845b 2156else if (verify_check_given_host(&ob->tls_try_verify_hosts, host) == OK)
aa2a70ba
JH
2157 client_verify_optional = TRUE;
2158else
2159 return OK;
2160
2161if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
cf0c6164
JH
2162 ob->tls_crl, host, client_verify_optional, verify_callback_client,
2163 errstr)) != OK)
aa2a70ba 2164 return rc;
043b1248 2165
5130845b 2166if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK)
043b1248 2167 {
4af0d74a 2168 cbinfo->verify_cert_hostnames =
8c5d388a 2169#ifdef SUPPORT_I18N
4af0d74a
JH
2170 string_domain_utf8_to_alabel(host->name, NULL);
2171#else
2172 host->name;
2173#endif
aa2a70ba
JH
2174 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
2175 cbinfo->verify_cert_hostnames);
043b1248 2176 }
043b1248
JH
2177return OK;
2178}
059ec3d9 2179
fde080a4 2180
c0635b6d 2181#ifdef SUPPORT_DANE
fde080a4 2182static int
cf0c6164 2183dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa, uschar ** errstr)
fde080a4
JH
2184{
2185dns_record * rr;
2186dns_scan dnss;
2187const char * hostnames[2] = { CS host->name, NULL };
2188int found = 0;
2189
2190if (DANESSL_init(ssl, NULL, hostnames) != 1)
cf0c6164 2191 return tls_error(US"hostnames load", host, NULL, errstr);
fde080a4
JH
2192
2193for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
2194 rr;
2195 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
2196 ) if (rr->type == T_TLSA)
2197 {
c3033f13 2198 const uschar * p = rr->data;
fde080a4
JH
2199 uint8_t usage, selector, mtype;
2200 const char * mdname;
2201
fde080a4 2202 usage = *p++;
133d2546
JH
2203
2204 /* Only DANE-TA(2) and DANE-EE(3) are supported */
2205 if (usage != 2 && usage != 3) continue;
2206
fde080a4
JH
2207 selector = *p++;
2208 mtype = *p++;
2209
2210 switch (mtype)
2211 {
133d2546
JH
2212 default: continue; /* Only match-types 0, 1, 2 are supported */
2213 case 0: mdname = NULL; break;
2214 case 1: mdname = "sha256"; break;
2215 case 2: mdname = "sha512"; break;
fde080a4
JH
2216 }
2217
133d2546 2218 found++;
fde080a4
JH
2219 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
2220 {
2221 default:
cf0c6164 2222 return tls_error(US"tlsa load", host, NULL, errstr);
c035b645 2223 case 0: /* action not taken */
fde080a4
JH
2224 case 1: break;
2225 }
594706ea
JH
2226
2227 tls_out.tlsa_usage |= 1<<usage;
fde080a4
JH
2228 }
2229
2230if (found)
2231 return OK;
2232
133d2546 2233log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
6ebd79ec 2234return DEFER;
fde080a4 2235}
c0635b6d 2236#endif /*SUPPORT_DANE*/
fde080a4
JH
2237
2238
2239
059ec3d9
PH
2240/*************************************************
2241* Start a TLS session in a client *
2242*************************************************/
2243
2244/* Called from the smtp transport after STARTTLS has been accepted.
2245
2246Argument:
2247 fd the fd of the connection
2248 host connected host (for messages)
83da1223 2249 addr the first address
a7538db1 2250 tb transport (always smtp)
0e66b3b6 2251 tlsa_dnsa tlsa lookup, if DANE, else null
cf0c6164 2252 errstr error string pointer
059ec3d9
PH
2253
2254Returns: OK on success
2255 FAIL otherwise - note that tls_error() will not give DEFER
2256 because this is not a server
2257*/
2258
2259int
f5d78688 2260tls_client_start(int fd, host_item *host, address_item *addr,
cf0c6164 2261 transport_instance * tb,
c0635b6d 2262#ifdef SUPPORT_DANE
cf0c6164 2263 dns_answer * tlsa_dnsa,
0e66b3b6 2264#endif
cf0c6164 2265 uschar ** errstr)
059ec3d9 2266{
a7538db1
JH
2267smtp_transport_options_block * ob =
2268 (smtp_transport_options_block *)tb->options_block;
f69979cf 2269static uschar peerdn[256];
868f5672 2270uschar * expciphers;
059ec3d9 2271int rc;
817d9f57 2272static uschar cipherbuf[256];
043b1248
JH
2273
2274#ifndef DISABLE_OCSP
043b1248 2275BOOL request_ocsp = FALSE;
6634ac8d 2276BOOL require_ocsp = FALSE;
043b1248 2277#endif
043b1248 2278
c0635b6d 2279#ifdef SUPPORT_DANE
594706ea 2280tls_out.tlsa_usage = 0;
043b1248
JH
2281#endif
2282
f2de3a33 2283#ifndef DISABLE_OCSP
043b1248 2284 {
c0635b6d 2285# ifdef SUPPORT_DANE
4f59c424
JH
2286 if ( tlsa_dnsa
2287 && ob->hosts_request_ocsp[0] == '*'
2288 && ob->hosts_request_ocsp[1] == '\0'
2289 )
2290 {
2291 /* Unchanged from default. Use a safer one under DANE */
2292 request_ocsp = TRUE;
2293 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
2294 " {= {4}{$tls_out_tlsa_usage}} } "
2295 " {*}{}}";
2296 }
2297# endif
2298
5130845b
JH
2299 if ((require_ocsp =
2300 verify_check_given_host(&ob->hosts_require_ocsp, host) == OK))
fca41d5a
JH
2301 request_ocsp = TRUE;
2302 else
c0635b6d 2303# ifdef SUPPORT_DANE
4f59c424 2304 if (!request_ocsp)
fca41d5a 2305# endif
5130845b
JH
2306 request_ocsp =
2307 verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
043b1248 2308 }
f5d78688 2309#endif
059ec3d9 2310
65867078
JH
2311rc = tls_init(&client_ctx, host, NULL,
2312 ob->tls_certificate, ob->tls_privatekey,
f2de3a33 2313#ifndef DISABLE_OCSP
44662487 2314 (void *)(long)request_ocsp,
3f7eeb86 2315#endif
cf0c6164 2316 addr, &client_static_cbinfo, errstr);
059ec3d9
PH
2317if (rc != OK) return rc;
2318
817d9f57 2319tls_out.certificate_verified = FALSE;
a2ff477a 2320client_verify_callback_called = FALSE;
059ec3d9 2321
5ec37a55
PP
2322expciphers = NULL;
2323#ifdef SUPPORT_DANE
2324if (tlsa_dnsa)
2325 {
2326 /* We fall back to tls_require_ciphers if unset, empty or forced failure, but
2327 other failures should be treated as problems. */
2328 if (ob->dane_require_tls_ciphers &&
2329 !expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
2330 &expciphers, errstr))
2331 return FAIL;
2332 if (expciphers && *expciphers == '\0')
2333 expciphers = NULL;
2334 }
2335#endif
2336if (!expciphers &&
2337 !expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
2338 &expciphers, errstr))
059ec3d9
PH
2339 return FAIL;
2340
2341/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
2342are separated by underscores. So that I can use either form in my tests, and
2343also for general convenience, we turn underscores into hyphens here. */
2344
cf0c6164 2345if (expciphers)
059ec3d9
PH
2346 {
2347 uschar *s = expciphers;
cf0c6164 2348 while (*s) { if (*s == '_') *s = '-'; s++; }
059ec3d9 2349 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
817d9f57 2350 if (!SSL_CTX_set_cipher_list(client_ctx, CS expciphers))
cf0c6164 2351 return tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr);
059ec3d9
PH
2352 }
2353
c0635b6d 2354#ifdef SUPPORT_DANE
0e66b3b6 2355if (tlsa_dnsa)
a63be306 2356 {
02af313d
JH
2357 SSL_CTX_set_verify(client_ctx,
2358 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2359 verify_callback_client_dane);
e5cccda9 2360
043b1248 2361 if (!DANESSL_library_init())
cf0c6164 2362 return tls_error(US"library init", host, NULL, errstr);
043b1248 2363 if (DANESSL_CTX_init(client_ctx) <= 0)
cf0c6164 2364 return tls_error(US"context init", host, NULL, errstr);
043b1248
JH
2365 }
2366else
e51c7be2 2367
043b1248
JH
2368#endif
2369
cf0c6164
JH
2370 if ((rc = tls_client_basic_ctx_init(client_ctx, host, ob,
2371 client_static_cbinfo, errstr)) != OK)
65867078 2372 return rc;
059ec3d9 2373
7a8b9519 2374if (!(client_ssl = SSL_new(client_ctx)))
cf0c6164 2375 return tls_error(US"SSL_new", host, NULL, errstr);
817d9f57
JH
2376SSL_set_session_id_context(client_ssl, sid_ctx, Ustrlen(sid_ctx));
2377SSL_set_fd(client_ssl, fd);
2378SSL_set_connect_state(client_ssl);
059ec3d9 2379
65867078 2380if (ob->tls_sni)
3f0945ff 2381 {
cf0c6164 2382 if (!expand_check(ob->tls_sni, US"tls_sni", &tls_out.sni, errstr))
3f0945ff 2383 return FAIL;
cf0c6164 2384 if (!tls_out.sni)
2c9a0e86
PP
2385 {
2386 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
2387 }
ec4b68e5 2388 else if (!Ustrlen(tls_out.sni))
817d9f57 2389 tls_out.sni = NULL;
3f0945ff
PP
2390 else
2391 {
35731706 2392#ifdef EXIM_HAVE_OPENSSL_TLSEXT
817d9f57
JH
2393 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tls_out.sni);
2394 SSL_set_tlsext_host_name(client_ssl, tls_out.sni);
35731706 2395#else
66802652 2396 log_write(0, LOG_MAIN, "SNI unusable with this OpenSSL library version; ignoring \"%s\"\n",
02d9264f 2397 tls_out.sni);
35731706 2398#endif
3f0945ff
PP
2399 }
2400 }
2401
c0635b6d 2402#ifdef SUPPORT_DANE
0e66b3b6 2403if (tlsa_dnsa)
cf0c6164 2404 if ((rc = dane_tlsa_load(client_ssl, host, tlsa_dnsa, errstr)) != OK)
594706ea
JH
2405 return rc;
2406#endif
2407
f2de3a33 2408#ifndef DISABLE_OCSP
f5d78688
JH
2409/* Request certificate status at connection-time. If the server
2410does OCSP stapling we will get the callback (set in tls_init()) */
c0635b6d 2411# ifdef SUPPORT_DANE
44662487
JH
2412if (request_ocsp)
2413 {
594706ea 2414 const uschar * s;
41afb5cb
JH
2415 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
2416 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
594706ea
JH
2417 )
2418 { /* Re-eval now $tls_out_tlsa_usage is populated. If
2419 this means we avoid the OCSP request, we wasted the setup
2420 cost in tls_init(). */
5130845b
JH
2421 require_ocsp = verify_check_given_host(&ob->hosts_require_ocsp, host) == OK;
2422 request_ocsp = require_ocsp
2423 || verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
594706ea
JH
2424 }
2425 }
b50c8b84
JH
2426# endif
2427
594706ea
JH
2428if (request_ocsp)
2429 {
f5d78688 2430 SSL_set_tlsext_status_type(client_ssl, TLSEXT_STATUSTYPE_ocsp);
44662487
JH
2431 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
2432 tls_out.ocsp = OCSP_NOT_RESP;
2433 }
f5d78688
JH
2434#endif
2435
0cbf2b82 2436#ifndef DISABLE_EVENT
774ef2d7 2437client_static_cbinfo->event_action = tb->event_action;
a7538db1 2438#endif
043b1248 2439
059ec3d9
PH
2440/* There doesn't seem to be a built-in timeout on connection. */
2441
2442DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
2443sigalrm_seen = FALSE;
65867078 2444alarm(ob->command_timeout);
817d9f57 2445rc = SSL_connect(client_ssl);
059ec3d9
PH
2446alarm(0);
2447
c0635b6d 2448#ifdef SUPPORT_DANE
0e66b3b6 2449if (tlsa_dnsa)
fde080a4 2450 DANESSL_cleanup(client_ssl);
043b1248
JH
2451#endif
2452
059ec3d9 2453if (rc <= 0)
cf0c6164
JH
2454 return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL,
2455 errstr);
059ec3d9
PH
2456
2457DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
2458
f69979cf 2459peer_cert(client_ssl, &tls_out, peerdn, sizeof(peerdn));
059ec3d9 2460
817d9f57
JH
2461construct_cipher_name(client_ssl, cipherbuf, sizeof(cipherbuf), &tls_out.bits);
2462tls_out.cipher = cipherbuf;
059ec3d9 2463
9d1c15ef
JH
2464/* Record the certificate we presented */
2465 {
2466 X509 * crt = SSL_get_certificate(client_ssl);
2467 tls_out.ourcert = crt ? X509_dup(crt) : NULL;
2468 }
2469
817d9f57 2470tls_out.active = fd;
059ec3d9
PH
2471return OK;
2472}
2473
2474
2475
2476
2477
0d81dabc
JH
2478static BOOL
2479tls_refill(unsigned lim)
2480{
2481int error;
2482int inbytes;
2483
2484DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
2485 ssl_xfer_buffer, ssl_xfer_buffer_size);
2486
2487if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
2488inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer,
2489 MIN(ssl_xfer_buffer_size, lim));
2490error = SSL_get_error(server_ssl, inbytes);
9723f966
JH
2491if (smtp_receive_timeout > 0) alarm(0);
2492
2493if (had_command_timeout) /* set by signal handler */
2494 smtp_command_timeout_exit(); /* does not return */
2495if (had_command_sigterm)
2496 smtp_command_sigterm_exit();
2497if (had_data_timeout)
2498 smtp_data_timeout_exit();
2499if (had_data_sigint)
2500 smtp_data_sigint_exit();
0d81dabc
JH
2501
2502/* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
2503closed down, not that the socket itself has been closed down. Revert to
2504non-SSL handling. */
2505
2506if (error == SSL_ERROR_ZERO_RETURN)
2507 {
2508 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2509
2510 receive_getc = smtp_getc;
2511 receive_getbuf = smtp_getbuf;
2512 receive_get_cache = smtp_get_cache;
2513 receive_ungetc = smtp_ungetc;
2514 receive_feof = smtp_feof;
2515 receive_ferror = smtp_ferror;
2516 receive_smtp_buffered = smtp_buffered;
2517
dec766a1
WB
2518 if (SSL_get_shutdown(server_ssl) == SSL_RECEIVED_SHUTDOWN)
2519 SSL_shutdown(server_ssl);
2520
37f0ce65 2521#ifndef DISABLE_OCSP
dec766a1 2522 sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
37f0ce65
JH
2523 server_static_cbinfo->verify_stack = NULL;
2524#endif
0d81dabc 2525 SSL_free(server_ssl);
dec766a1 2526 SSL_CTX_free(server_ctx);
dec766a1 2527 server_ctx = NULL;
0d81dabc
JH
2528 server_ssl = NULL;
2529 tls_in.active = -1;
2530 tls_in.bits = 0;
2531 tls_in.cipher = NULL;
2532 tls_in.peerdn = NULL;
2533 tls_in.sni = NULL;
2534
2535 return FALSE;
2536 }
2537
2538/* Handle genuine errors */
2539
2540else if (error == SSL_ERROR_SSL)
2541 {
2542 ERR_error_string(ERR_get_error(), ssl_errstring);
2543 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
8b77d27a 2544 ssl_xfer_error = TRUE;
0d81dabc
JH
2545 return FALSE;
2546 }
2547
2548else if (error != SSL_ERROR_NONE)
2549 {
2550 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
8b77d27a 2551 ssl_xfer_error = TRUE;
0d81dabc
JH
2552 return FALSE;
2553 }
2554
2555#ifndef DISABLE_DKIM
2556dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
2557#endif
2558ssl_xfer_buffer_hwm = inbytes;
2559ssl_xfer_buffer_lwm = 0;
2560return TRUE;
2561}
2562
2563
059ec3d9
PH
2564/*************************************************
2565* TLS version of getc *
2566*************************************************/
2567
2568/* This gets the next byte from the TLS input buffer. If the buffer is empty,
2569it refills the buffer via the SSL reading function.
2570
bd8fbe36 2571Arguments: lim Maximum amount to read/buffer
059ec3d9 2572Returns: the next character or EOF
817d9f57
JH
2573
2574Only used by the server-side TLS.
059ec3d9
PH
2575*/
2576
2577int
bd8fbe36 2578tls_getc(unsigned lim)
059ec3d9
PH
2579{
2580if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
0d81dabc
JH
2581 if (!tls_refill(lim))
2582 return ssl_xfer_error ? EOF : smtp_getc(lim);
059ec3d9 2583
0d81dabc 2584/* Something in the buffer; return next uschar */
059ec3d9 2585
0d81dabc
JH
2586return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
2587}
059ec3d9 2588
0d81dabc
JH
2589uschar *
2590tls_getbuf(unsigned * len)
2591{
2592unsigned size;
2593uschar * buf;
ba084640 2594
0d81dabc
JH
2595if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
2596 if (!tls_refill(*len))
059ec3d9 2597 {
0d81dabc
JH
2598 if (!ssl_xfer_error) return smtp_getbuf(len);
2599 *len = 0;
2600 return NULL;
059ec3d9 2601 }
c80c5570 2602
0d81dabc
JH
2603if ((size = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm) > *len)
2604 size = *len;
2605buf = &ssl_xfer_buffer[ssl_xfer_buffer_lwm];
2606ssl_xfer_buffer_lwm += size;
2607*len = size;
2608return buf;
059ec3d9
PH
2609}
2610
0d81dabc 2611
584e96c6
JH
2612void
2613tls_get_cache()
2614{
9960d1e5 2615#ifndef DISABLE_DKIM
584e96c6
JH
2616int n = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm;
2617if (n > 0)
2618 dkim_exim_verify_feed(ssl_xfer_buffer+ssl_xfer_buffer_lwm, n);
584e96c6 2619#endif
9960d1e5 2620}
584e96c6 2621
059ec3d9 2622
925ac8e4
JH
2623BOOL
2624tls_could_read(void)
2625{
a5ffa9b4 2626return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm || SSL_pending(server_ssl) > 0;
925ac8e4
JH
2627}
2628
059ec3d9
PH
2629
2630/*************************************************
2631* Read bytes from TLS channel *
2632*************************************************/
2633
2634/*
2635Arguments:
2636 buff buffer of data
2637 len size of buffer
2638
2639Returns: the number of bytes read
2640 -1 after a failed read
817d9f57
JH
2641
2642Only used by the client-side TLS.
059ec3d9
PH
2643*/
2644
2645int
389ca47a 2646tls_read(BOOL is_server, uschar *buff, size_t len)
059ec3d9 2647{
389ca47a 2648SSL *ssl = is_server ? server_ssl : client_ssl;
059ec3d9
PH
2649int inbytes;
2650int error;
2651
389ca47a 2652DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
c80c5570 2653 buff, (unsigned int)len);
059ec3d9 2654
389ca47a
JH
2655inbytes = SSL_read(ssl, CS buff, len);
2656error = SSL_get_error(ssl, inbytes);
059ec3d9
PH
2657
2658if (error == SSL_ERROR_ZERO_RETURN)
2659 {
2660 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2661 return -1;
2662 }
2663else if (error != SSL_ERROR_NONE)
059ec3d9 2664 return -1;
059ec3d9
PH
2665
2666return inbytes;
2667}
2668
2669
2670
2671
2672
2673/*************************************************
2674* Write bytes down TLS channel *
2675*************************************************/
2676
2677/*
2678Arguments:
817d9f57 2679 is_server channel specifier
059ec3d9
PH
2680 buff buffer of data
2681 len number of bytes
925ac8e4 2682 more further data expected soon
059ec3d9
PH
2683
2684Returns: the number of bytes after a successful write,
2685 -1 after a failed write
817d9f57
JH
2686
2687Used by both server-side and client-side TLS.
059ec3d9
PH
2688*/
2689
2690int
925ac8e4 2691tls_write(BOOL is_server, const uschar *buff, size_t len, BOOL more)
059ec3d9 2692{
a5ffa9b4 2693int outbytes, error, left;
817d9f57 2694SSL *ssl = is_server ? server_ssl : client_ssl;
acec9514 2695static gstring * corked = NULL;
a5ffa9b4 2696
ef698bf6 2697DEBUG(D_tls) debug_printf("%s(%p, %lu%s)\n", __FUNCTION__,
b93be52e 2698 buff, (unsigned long)len, more ? ", more" : "");
a5ffa9b4
JH
2699
2700/* Lacking a CORK or MSG_MORE facility (such as GnuTLS has) we copy data when
2701"more" is notified. This hack is only ok if small amounts are involved AND only
2702one stream does it, in one context (i.e. no store reset). Currently it is used
2703for the responses to the received SMTP MAIL , RCPT, DATA sequence, only. */
2704
2705if (is_server && (more || corked))
2706 {
acec9514 2707 corked = string_catn(corked, buff, len);
a5ffa9b4
JH
2708 if (more)
2709 return len;
acec9514
JH
2710 buff = CUS corked->s;
2711 len = corked->ptr;
2712 corked = NULL;
a5ffa9b4 2713 }
059ec3d9 2714
a5ffa9b4 2715for (left = len; left > 0;)
059ec3d9 2716 {
c80c5570 2717 DEBUG(D_tls) debug_printf("SSL_write(SSL, %p, %d)\n", buff, left);
059ec3d9
PH
2718 outbytes = SSL_write(ssl, CS buff, left);
2719 error = SSL_get_error(ssl, outbytes);
2720 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
2721 switch (error)
2722 {
2723 case SSL_ERROR_SSL:
96f5fe4c
JH
2724 ERR_error_string(ERR_get_error(), ssl_errstring);
2725 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
2726 return -1;
059ec3d9
PH
2727
2728 case SSL_ERROR_NONE:
96f5fe4c
JH
2729 left -= outbytes;
2730 buff += outbytes;
2731 break;
059ec3d9
PH
2732
2733 case SSL_ERROR_ZERO_RETURN:
96f5fe4c
JH
2734 log_write(0, LOG_MAIN, "SSL channel closed on write");
2735 return -1;
059ec3d9 2736
817d9f57 2737 case SSL_ERROR_SYSCALL:
96f5fe4c
JH
2738 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
2739 sender_fullhost ? sender_fullhost : US"<unknown>",
2740 strerror(errno));
2741 return -1;
817d9f57 2742
059ec3d9 2743 default:
96f5fe4c
JH
2744 log_write(0, LOG_MAIN, "SSL_write error %d", error);
2745 return -1;
059ec3d9
PH
2746 }
2747 }
2748return len;
2749}
2750
2751
2752
2753/*************************************************
2754* Close down a TLS session *
2755*************************************************/
2756
2757/* This is also called from within a delivery subprocess forked from the
2758daemon, to shut down the TLS library, without actually doing a shutdown (which
2759would tamper with the SSL session in the parent process).
2760
dec766a1
WB
2761Arguments:
2762 shutdown 1 if TLS close-alert is to be sent,
2763 2 if also response to be waited for
2764
059ec3d9 2765Returns: nothing
817d9f57
JH
2766
2767Used by both server-side and client-side TLS.
059ec3d9
PH
2768*/
2769
2770void
dec766a1 2771tls_close(BOOL is_server, int shutdown)
059ec3d9 2772{
dec766a1 2773SSL_CTX **ctxp = is_server ? &server_ctx : &client_ctx;
817d9f57 2774SSL **sslp = is_server ? &server_ssl : &client_ssl;
389ca47a 2775int *fdp = is_server ? &tls_in.active : &tls_out.active;
817d9f57
JH
2776
2777if (*fdp < 0) return; /* TLS was not active */
059ec3d9
PH
2778
2779if (shutdown)
2780 {
dec766a1
WB
2781 int rc;
2782 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
2783 shutdown > 1 ? " (with response-wait)" : "");
2784
2785 if ( (rc = SSL_shutdown(*sslp)) == 0 /* send "close notify" alert */
2786 && shutdown > 1)
2787 {
2788 alarm(2);
2789 rc = SSL_shutdown(*sslp); /* wait for response */
2790 alarm(0);
2791 }
2792
2793 if (rc < 0) DEBUG(D_tls)
2794 {
2795 ERR_error_string(ERR_get_error(), ssl_errstring);
2796 debug_printf("SSL_shutdown: %s\n", ssl_errstring);
2797 }
2798 }
2799
37f0ce65 2800#ifndef DISABLE_OCSP
dec766a1
WB
2801if (is_server)
2802 {
2803 sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
dec766a1 2804 server_static_cbinfo->verify_stack = NULL;
059ec3d9 2805 }
37f0ce65 2806#endif
059ec3d9 2807
dec766a1 2808SSL_CTX_free(*ctxp);
817d9f57 2809SSL_free(*sslp);
dec766a1 2810*ctxp = NULL;
817d9f57 2811*sslp = NULL;
817d9f57 2812*fdp = -1;
059ec3d9
PH
2813}
2814
36f12725
NM
2815
2816
2817
2818/*************************************************
3375e053
PP
2819* Let tls_require_ciphers be checked at startup *
2820*************************************************/
2821
2822/* The tls_require_ciphers option, if set, must be something which the
2823library can parse.
2824
2825Returns: NULL on success, or error message
2826*/
2827
2828uschar *
2829tls_validate_require_cipher(void)
2830{
2831SSL_CTX *ctx;
2832uschar *s, *expciphers, *err;
2833
2834/* this duplicates from tls_init(), we need a better "init just global
2835state, for no specific purpose" singleton function of our own */
2836
2837SSL_load_error_strings();
2838OpenSSL_add_ssl_algorithms();
2839#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
2840/* SHA256 is becoming ever more popular. This makes sure it gets added to the
2841list of available digests. */
2842EVP_add_digest(EVP_sha256());
2843#endif
2844
2845if (!(tls_require_ciphers && *tls_require_ciphers))
2846 return NULL;
2847
cf0c6164
JH
2848if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
2849 &err))
3375e053
PP
2850 return US"failed to expand tls_require_ciphers";
2851
2852if (!(expciphers && *expciphers))
2853 return NULL;
2854
2855/* normalisation ripped from above */
2856s = expciphers;
2857while (*s != 0) { if (*s == '_') *s = '-'; s++; }
2858
2859err = NULL;
2860
7a8b9519
JH
2861#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
2862if (!(ctx = SSL_CTX_new(TLS_server_method())))
2863#else
2864if (!(ctx = SSL_CTX_new(SSLv23_server_method())))
2865#endif
3375e053
PP
2866 {
2867 ERR_error_string(ERR_get_error(), ssl_errstring);
2868 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
2869 }
2870
2871DEBUG(D_tls)
2872 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
2873
2874if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
2875 {
2876 ERR_error_string(ERR_get_error(), ssl_errstring);
cf0c6164
JH
2877 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed: %s",
2878 expciphers, ssl_errstring);
3375e053
PP
2879 }
2880
2881SSL_CTX_free(ctx);
2882
2883return err;
2884}
2885
2886
2887
2888
2889/*************************************************
36f12725
NM
2890* Report the library versions. *
2891*************************************************/
2892
2893/* There have historically been some issues with binary compatibility in
2894OpenSSL libraries; if Exim (like many other applications) is built against
2895one version of OpenSSL but the run-time linker picks up another version,
2896it can result in serious failures, including crashing with a SIGSEGV. So
2897report the version found by the compiler and the run-time version.
2898
f64a1e23
PP
2899Note: some OS vendors backport security fixes without changing the version
2900number/string, and the version date remains unchanged. The _build_ date
2901will change, so we can more usefully assist with version diagnosis by also
2902reporting the build date.
2903
36f12725
NM
2904Arguments: a FILE* to print the results to
2905Returns: nothing
2906*/
2907
2908void
2909tls_version_report(FILE *f)
2910{
754a0503 2911fprintf(f, "Library version: OpenSSL: Compile: %s\n"
f64a1e23
PP
2912 " Runtime: %s\n"
2913 " : %s\n",
754a0503 2914 OPENSSL_VERSION_TEXT,
f64a1e23
PP
2915 SSLeay_version(SSLEAY_VERSION),
2916 SSLeay_version(SSLEAY_BUILT_ON));
2917/* third line is 38 characters for the %s and the line is 73 chars long;
2918the OpenSSL output includes a "built on: " prefix already. */
36f12725
NM
2919}
2920
9e3331ea
TK
2921
2922
2923
2924/*************************************************
17c76198 2925* Random number generation *
9e3331ea
TK
2926*************************************************/
2927
2928/* Pseudo-random number generation. The result is not expected to be
2929cryptographically strong but not so weak that someone will shoot themselves
2930in the foot using it as a nonce in input in some email header scheme or
2931whatever weirdness they'll twist this into. The result should handle fork()
2932and avoid repeating sequences. OpenSSL handles that for us.
2933
2934Arguments:
2935 max range maximum
2936Returns a random number in range [0, max-1]
2937*/
2938
2939int
17c76198 2940vaguely_random_number(int max)
9e3331ea
TK
2941{
2942unsigned int r;
2943int i, needed_len;
de6135a0
PP
2944static pid_t pidlast = 0;
2945pid_t pidnow;
9e3331ea
TK
2946uschar *p;
2947uschar smallbuf[sizeof(r)];
2948
2949if (max <= 1)
2950 return 0;
2951
de6135a0
PP
2952pidnow = getpid();
2953if (pidnow != pidlast)
2954 {
2955 /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
2956 is unique for each thread", this doesn't apparently apply across processes,
2957 so our own warning from vaguely_random_number_fallback() applies here too.
2958 Fix per PostgreSQL. */
2959 if (pidlast != 0)
2960 RAND_cleanup();
2961 pidlast = pidnow;
2962 }
2963
9e3331ea
TK
2964/* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
2965if (!RAND_status())
2966 {
2967 randstuff r;
2968 gettimeofday(&r.tv, NULL);
2969 r.p = getpid();
2970
5903c6ff 2971 RAND_seed(US (&r), sizeof(r));
9e3331ea
TK
2972 }
2973/* We're after pseudo-random, not random; if we still don't have enough data
2974in the internal PRNG then our options are limited. We could sleep and hope
2975for entropy to come along (prayer technique) but if the system is so depleted
2976in the first place then something is likely to just keep taking it. Instead,
2977we'll just take whatever little bit of pseudo-random we can still manage to
2978get. */
2979
2980needed_len = sizeof(r);
2981/* Don't take 8 times more entropy than needed if int is 8 octets and we were
2982asked for a number less than 10. */
2983for (r = max, i = 0; r; ++i)
2984 r >>= 1;
2985i = (i + 7) / 8;
2986if (i < needed_len)
2987 needed_len = i;
2988
c8dfb21d 2989#ifdef EXIM_HAVE_RAND_PSEUDO
9e3331ea 2990/* We do not care if crypto-strong */
17c76198 2991i = RAND_pseudo_bytes(smallbuf, needed_len);
c8dfb21d
JH
2992#else
2993i = RAND_bytes(smallbuf, needed_len);
2994#endif
2995
17c76198
PP
2996if (i < 0)
2997 {
2998 DEBUG(D_all)
2999 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
3000 return vaguely_random_number_fallback(max);
3001 }
3002
9e3331ea
TK
3003r = 0;
3004for (p = smallbuf; needed_len; --needed_len, ++p)
3005 {
3006 r *= 256;
3007 r += *p;
3008 }
3009
3010/* We don't particularly care about weighted results; if someone wants
3011smooth distribution and cares enough then they should submit a patch then. */
3012return r % max;
3013}
3014
77bb000f
PP
3015
3016
3017
3018/*************************************************
3019* OpenSSL option parse *
3020*************************************************/
3021
3022/* Parse one option for tls_openssl_options_parse below
3023
3024Arguments:
3025 name one option name
3026 value place to store a value for it
3027Returns success or failure in parsing
3028*/
3029
3030struct exim_openssl_option {
3031 uschar *name;
3032 long value;
3033};
3034/* We could use a macro to expand, but we need the ifdef and not all the
3035options document which version they were introduced in. Policylet: include
3036all options unless explicitly for DTLS, let the administrator choose which
3037to apply.
3038
3039This list is current as of:
e2fbf4a2
PP
3040 ==> 1.0.1b <==
3041Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
3042*/
77bb000f
PP
3043static struct exim_openssl_option exim_openssl_options[] = {
3044/* KEEP SORTED ALPHABETICALLY! */
3045#ifdef SSL_OP_ALL
73a46702 3046 { US"all", SSL_OP_ALL },
77bb000f
PP
3047#endif
3048#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
73a46702 3049 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
77bb000f
PP
3050#endif
3051#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
73a46702 3052 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
77bb000f
PP
3053#endif
3054#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
73a46702 3055 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
77bb000f
PP
3056#endif
3057#ifdef SSL_OP_EPHEMERAL_RSA
73a46702 3058 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
77bb000f
PP
3059#endif
3060#ifdef SSL_OP_LEGACY_SERVER_CONNECT
73a46702 3061 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
77bb000f
PP
3062#endif
3063#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
73a46702 3064 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
77bb000f
PP
3065#endif
3066#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
73a46702 3067 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
77bb000f
PP
3068#endif
3069#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
73a46702 3070 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
77bb000f
PP
3071#endif
3072#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
73a46702 3073 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
77bb000f
PP
3074#endif
3075#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
73a46702 3076 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
77bb000f 3077#endif
c80c5570
PP
3078#ifdef SSL_OP_NO_COMPRESSION
3079 { US"no_compression", SSL_OP_NO_COMPRESSION },
3080#endif
77bb000f 3081#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
73a46702 3082 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
77bb000f 3083#endif
c0c7b2da
PP
3084#ifdef SSL_OP_NO_SSLv2
3085 { US"no_sslv2", SSL_OP_NO_SSLv2 },
3086#endif
3087#ifdef SSL_OP_NO_SSLv3
3088 { US"no_sslv3", SSL_OP_NO_SSLv3 },
3089#endif
3090#ifdef SSL_OP_NO_TICKET
3091 { US"no_ticket", SSL_OP_NO_TICKET },
3092#endif
3093#ifdef SSL_OP_NO_TLSv1
3094 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
3095#endif
c80c5570
PP
3096#ifdef SSL_OP_NO_TLSv1_1
3097#if SSL_OP_NO_TLSv1_1 == 0x00000400L
3098 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
3099#warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
3100#else
3101 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
3102#endif
3103#endif
3104#ifdef SSL_OP_NO_TLSv1_2
3105 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
3106#endif
e2fbf4a2
PP
3107#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
3108 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
3109#endif
77bb000f 3110#ifdef SSL_OP_SINGLE_DH_USE
73a46702 3111 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
77bb000f
PP
3112#endif
3113#ifdef SSL_OP_SINGLE_ECDH_USE
73a46702 3114 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
77bb000f
PP
3115#endif
3116#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
73a46702 3117 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
77bb000f
PP
3118#endif
3119#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
73a46702 3120 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
77bb000f
PP
3121#endif
3122#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
73a46702 3123 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
77bb000f
PP
3124#endif
3125#ifdef SSL_OP_TLS_D5_BUG
73a46702 3126 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
77bb000f
PP
3127#endif
3128#ifdef SSL_OP_TLS_ROLLBACK_BUG
73a46702 3129 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
77bb000f
PP
3130#endif
3131};
3132static int exim_openssl_options_size =
3133 sizeof(exim_openssl_options)/sizeof(struct exim_openssl_option);
3134
c80c5570 3135
77bb000f
PP
3136static BOOL
3137tls_openssl_one_option_parse(uschar *name, long *value)
3138{
3139int first = 0;
3140int last = exim_openssl_options_size;
3141while (last > first)
3142 {
3143 int middle = (first + last)/2;
3144 int c = Ustrcmp(name, exim_openssl_options[middle].name);
3145 if (c == 0)
3146 {
3147 *value = exim_openssl_options[middle].value;
3148 return TRUE;
3149 }
3150 else if (c > 0)
3151 first = middle + 1;
3152 else
3153 last = middle;
3154 }
3155return FALSE;
3156}
3157
3158
3159
3160
3161/*************************************************
3162* OpenSSL option parsing logic *
3163*************************************************/
3164
3165/* OpenSSL has a number of compatibility options which an administrator might
3166reasonably wish to set. Interpret a list similarly to decode_bits(), so that
3167we look like log_selector.
3168
3169Arguments:
3170 option_spec the administrator-supplied string of options
3171 results ptr to long storage for the options bitmap
3172Returns success or failure
3173*/
3174
3175BOOL
3176tls_openssl_options_parse(uschar *option_spec, long *results)
3177{
3178long result, item;
3179uschar *s, *end;
3180uschar keep_c;
3181BOOL adding, item_parsed;
3182
7006ee24 3183result = SSL_OP_NO_TICKET;
b1770b6e 3184/* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
da3ad30d 3185 * from default because it increases BEAST susceptibility. */
f0f5a555
PP
3186#ifdef SSL_OP_NO_SSLv2
3187result |= SSL_OP_NO_SSLv2;
3188#endif
a57b6200
JH
3189#ifdef SSL_OP_SINGLE_DH_USE
3190result |= SSL_OP_SINGLE_DH_USE;
3191#endif
77bb000f 3192
7006ee24 3193if (!option_spec)
77bb000f
PP
3194 {
3195 *results = result;
3196 return TRUE;
3197 }
3198
3199for (s=option_spec; *s != '\0'; /**/)
3200 {
3201 while (isspace(*s)) ++s;
3202 if (*s == '\0')
3203 break;
3204 if (*s != '+' && *s != '-')
3205 {
3206 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
0e944a0d 3207 "+ or - expected but found \"%s\"\n", s);
77bb000f
PP
3208 return FALSE;
3209 }
3210 adding = *s++ == '+';
3211 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
3212 keep_c = *end;
3213 *end = '\0';
3214 item_parsed = tls_openssl_one_option_parse(s, &item);
96f5fe4c 3215 *end = keep_c;
77bb000f
PP
3216 if (!item_parsed)
3217 {
0e944a0d 3218 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
77bb000f
PP
3219 return FALSE;
3220 }
3221 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
3222 adding ? "adding" : "removing", result, item, s);
3223 if (adding)
3224 result |= item;
3225 else
3226 result &= ~item;
77bb000f
PP
3227 s = end;
3228 }
3229
3230*results = result;
3231return TRUE;
3232}
3233
9d1c15ef
JH
3234/* vi: aw ai sw=2
3235*/
059ec3d9 3236/* End of tls-openssl.c */