">" -> ">=" for EXIM_CLIENT_DH_MIN_BITS+10
[exim.git] / src / src / tls-openssl.c
CommitLineData
059ec3d9
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
c4ceed07 5/* Copyright (c) University of Cambridge 1995 - 2012 */
059ec3d9
PH
6/* See the file NOTICE for conditions of use and distribution. */
7
8/* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
9library. It is #included into the tls.c file when that library is used. The
10code herein is based on a patch that was originally contributed by Steve
11Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
12
13No cryptographic code is included in Exim. All this module does is to call
14functions from the OpenSSL library. */
15
16
17/* Heading stuff */
18
19#include <openssl/lhash.h>
20#include <openssl/ssl.h>
21#include <openssl/err.h>
22#include <openssl/rand.h>
3f7eeb86
PP
23#ifdef EXPERIMENTAL_OCSP
24#include <openssl/ocsp.h>
25#endif
26
27#ifdef EXPERIMENTAL_OCSP
28#define EXIM_OCSP_SKEW_SECONDS (300L)
29#define EXIM_OCSP_MAX_AGE (-1L)
30#endif
059ec3d9 31
3bcbbbe2
PP
32#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
33#define EXIM_HAVE_OPENSSL_TLSEXT
34#endif
35
059ec3d9
PH
36/* Structure for collecting random data for seeding. */
37
38typedef struct randstuff {
9e3331ea
TK
39 struct timeval tv;
40 pid_t p;
059ec3d9
PH
41} randstuff;
42
43/* Local static variables */
44
45static BOOL verify_callback_called = FALSE;
46static const uschar *sid_ctx = US"exim";
47
48static SSL_CTX *ctx = NULL;
35731706 49#ifdef EXIM_HAVE_OPENSSL_TLSEXT
7be682ca 50static SSL_CTX *ctx_sni = NULL;
35731706 51#endif
059ec3d9
PH
52static SSL *ssl = NULL;
53
54static char ssl_errstring[256];
55
56static int ssl_session_timeout = 200;
57static BOOL verify_optional = FALSE;
58
7be682ca 59static BOOL reexpand_tls_files_for_sni = FALSE;
059ec3d9
PH
60
61
7be682ca
PP
62typedef struct tls_ext_ctx_cb {
63 uschar *certificate;
64 uschar *privatekey;
3f7eeb86
PP
65#ifdef EXPERIMENTAL_OCSP
66 uschar *ocsp_file;
67 uschar *ocsp_file_expanded;
68 OCSP_RESPONSE *ocsp_response;
69#endif
7be682ca
PP
70 uschar *dhparam;
71 /* these are cached from first expand */
72 uschar *server_cipher_list;
73 /* only passed down to tls_error: */
74 host_item *host;
75} tls_ext_ctx_cb;
76
77/* should figure out a cleanup of API to handle state preserved per
78implementation, for various reasons, which can be void * in the APIs.
79For now, we hack around it. */
80tls_ext_ctx_cb *static_cbinfo = NULL;
81
82static int
83setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional);
059ec3d9 84
3f7eeb86 85/* Callbacks */
3bcbbbe2 86#ifdef EXIM_HAVE_OPENSSL_TLSEXT
3f7eeb86 87static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
3bcbbbe2 88#endif
3f7eeb86
PP
89#ifdef EXPERIMENTAL_OCSP
90static int tls_stapling_cb(SSL *s, void *arg);
91#endif
92
059ec3d9
PH
93
94/*************************************************
95* Handle TLS error *
96*************************************************/
97
98/* Called from lots of places when errors occur before actually starting to do
99the TLS handshake, that is, while the session is still in clear. Always returns
100DEFER for a server and FAIL for a client so that most calls can use "return
101tls_error(...)" to do this processing and then give an appropriate return. A
102single function is used for both server and client, because it is called from
103some shared functions.
104
105Argument:
106 prefix text to include in the logged error
107 host NULL if setting up a server;
108 the connected host if setting up a client
7199e1ee 109 msg error message or NULL if we should ask OpenSSL
059ec3d9
PH
110
111Returns: OK/DEFER/FAIL
112*/
113
114static int
7199e1ee 115tls_error(uschar *prefix, host_item *host, uschar *msg)
059ec3d9 116{
7199e1ee
TF
117if (msg == NULL)
118 {
119 ERR_error_string(ERR_get_error(), ssl_errstring);
5ca6d115 120 msg = (uschar *)ssl_errstring;
7199e1ee
TF
121 }
122
059ec3d9
PH
123if (host == NULL)
124 {
7199e1ee 125 uschar *conn_info = smtp_get_connection_info();
5ca6d115 126 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0)
7199e1ee
TF
127 conn_info += 5;
128 log_write(0, LOG_MAIN, "TLS error on %s (%s): %s",
129 conn_info, prefix, msg);
059ec3d9
PH
130 return DEFER;
131 }
132else
133 {
134 log_write(0, LOG_MAIN, "TLS error on connection to %s [%s] (%s): %s",
7199e1ee 135 host->name, host->address, prefix, msg);
059ec3d9
PH
136 return FAIL;
137 }
138}
139
140
141
142/*************************************************
143* Callback to generate RSA key *
144*************************************************/
145
146/*
147Arguments:
148 s SSL connection
149 export not used
150 keylength keylength
151
152Returns: pointer to generated key
153*/
154
155static RSA *
156rsa_callback(SSL *s, int export, int keylength)
157{
158RSA *rsa_key;
159export = export; /* Shut picky compilers up */
160DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
161rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL);
162if (rsa_key == NULL)
163 {
164 ERR_error_string(ERR_get_error(), ssl_errstring);
165 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
166 ssl_errstring);
167 return NULL;
168 }
169return rsa_key;
170}
171
172
173
174
175/*************************************************
176* Callback for verification *
177*************************************************/
178
179/* The SSL library does certificate verification if set up to do so. This
180callback has the current yes/no state is in "state". If verification succeeded,
181we set up the tls_peerdn string. If verification failed, what happens depends
182on whether the client is required to present a verifiable certificate or not.
183
184If verification is optional, we change the state to yes, but still log the
185verification error. For some reason (it really would help to have proper
186documentation of OpenSSL), this callback function then gets called again, this
187time with state = 1. In fact, that's useful, because we can set up the peerdn
188value, but we must take care not to set the private verified flag on the second
189time through.
190
191Note: this function is not called if the client fails to present a certificate
192when asked. We get here only if a certificate has been received. Handling of
193optional verification for this case is done when requesting SSL to verify, by
194setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
195
196Arguments:
197 state current yes/no state as 1/0
198 x509ctx certificate information.
199
200Returns: 1 if verified, 0 if not
201*/
202
203static int
204verify_callback(int state, X509_STORE_CTX *x509ctx)
205{
206static uschar txt[256];
207
208X509_NAME_oneline(X509_get_subject_name(x509ctx->current_cert),
209 CS txt, sizeof(txt));
210
211if (state == 0)
212 {
213 log_write(0, LOG_MAIN, "SSL verify error: depth=%d error=%s cert=%s",
214 x509ctx->error_depth,
215 X509_verify_cert_error_string(x509ctx->error),
216 txt);
217 tls_certificate_verified = FALSE;
218 verify_callback_called = TRUE;
219 if (!verify_optional) return 0; /* reject */
220 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
221 "tls_try_verify_hosts)\n");
222 return 1; /* accept */
223 }
224
225if (x509ctx->error_depth != 0)
226 {
227 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d cert=%s\n",
228 x509ctx->error_depth, txt);
229 }
230else
231 {
232 DEBUG(D_tls) debug_printf("SSL%s peer: %s\n",
233 verify_callback_called? "" : " authenticated", txt);
234 tls_peerdn = txt;
235 }
236
059ec3d9
PH
237if (!verify_callback_called) tls_certificate_verified = TRUE;
238verify_callback_called = TRUE;
239
240return 1; /* accept */
241}
242
243
244
245/*************************************************
246* Information callback *
247*************************************************/
248
249/* The SSL library functions call this from time to time to indicate what they
7be682ca
PP
250are doing. We copy the string to the debugging output when TLS debugging has
251been requested.
059ec3d9
PH
252
253Arguments:
254 s the SSL connection
255 where
256 ret
257
258Returns: nothing
259*/
260
261static void
262info_callback(SSL *s, int where, int ret)
263{
264where = where;
265ret = ret;
266DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
267}
268
269
270
271/*************************************************
272* Initialize for DH *
273*************************************************/
274
275/* If dhparam is set, expand it, and load up the parameters for DH encryption.
276
277Arguments:
278 dhparam DH parameter file
7199e1ee 279 host connected host, if client; NULL if server
059ec3d9
PH
280
281Returns: TRUE if OK (nothing to set up, or setup worked)
282*/
283
284static BOOL
7199e1ee 285init_dh(uschar *dhparam, host_item *host)
059ec3d9
PH
286{
287BOOL yield = TRUE;
288BIO *bio;
289DH *dh;
290uschar *dhexpanded;
291
292if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded))
293 return FALSE;
294
295if (dhexpanded == NULL) return TRUE;
296
297if ((bio = BIO_new_file(CS dhexpanded, "r")) == NULL)
298 {
7199e1ee 299 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
5ca6d115 300 host, (uschar *)strerror(errno));
059ec3d9
PH
301 yield = FALSE;
302 }
303else
304 {
305 if ((dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)) == NULL)
306 {
7199e1ee
TF
307 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
308 host, NULL);
059ec3d9
PH
309 yield = FALSE;
310 }
311 else
312 {
3375e053
PP
313 if ((8*DH_size(dh)) > tls_dh_max_bits)
314 {
315 DEBUG(D_tls)
316 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d",
317 8*DH_size(dh), tls_dh_max_bits);
318 }
319 else
320 {
321 SSL_CTX_set_tmp_dh(ctx, dh);
322 DEBUG(D_tls)
323 debug_printf("Diffie-Hellman initialized from %s with %d-bit key\n",
324 dhexpanded, 8*DH_size(dh));
325 }
059ec3d9
PH
326 DH_free(dh);
327 }
328 BIO_free(bio);
329 }
330
331return yield;
332}
333
334
335
336
3f7eeb86
PP
337#ifdef EXPERIMENTAL_OCSP
338/*************************************************
339* Load OCSP information into state *
340*************************************************/
341
342/* Called to load the OCSP response from the given file into memory, once
343caller has determined this is needed. Checks validity. Debugs a message
344if invalid.
345
346ASSUMES: single response, for single cert.
347
348Arguments:
349 sctx the SSL_CTX* to update
350 cbinfo various parts of session state
351 expanded the filename putatively holding an OCSP response
352
353*/
354
355static void
356ocsp_load_response(SSL_CTX *sctx,
357 tls_ext_ctx_cb *cbinfo,
358 const uschar *expanded)
359{
360BIO *bio;
361OCSP_RESPONSE *resp;
362OCSP_BASICRESP *basic_response;
363OCSP_SINGLERESP *single_response;
364ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
365X509_STORE *store;
366unsigned long verify_flags;
367int status, reason, i;
368
369cbinfo->ocsp_file_expanded = string_copy(expanded);
370if (cbinfo->ocsp_response)
371 {
372 OCSP_RESPONSE_free(cbinfo->ocsp_response);
373 cbinfo->ocsp_response = NULL;
374 }
375
376bio = BIO_new_file(CS cbinfo->ocsp_file_expanded, "rb");
377if (!bio)
378 {
379 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
380 cbinfo->ocsp_file_expanded);
381 return;
382 }
383
384resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
385BIO_free(bio);
386if (!resp)
387 {
388 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
389 return;
390 }
391
392status = OCSP_response_status(resp);
393if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL)
394 {
395 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
396 OCSP_response_status_str(status), status);
397 return;
398 }
399
400basic_response = OCSP_response_get1_basic(resp);
401if (!basic_response)
402 {
403 DEBUG(D_tls)
404 debug_printf("OCSP response parse error: unable to extract basic response.\n");
405 return;
406 }
407
408store = SSL_CTX_get_cert_store(sctx);
409verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
410
411/* May need to expose ability to adjust those flags?
412OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
413OCSP_TRUSTOTHER OCSP_NOINTERN */
414
415i = OCSP_basic_verify(basic_response, NULL, store, verify_flags);
416if (i <= 0)
417 {
418 DEBUG(D_tls) {
419 ERR_error_string(ERR_get_error(), ssl_errstring);
420 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
421 }
422 return;
423 }
424
425/* Here's the simplifying assumption: there's only one response, for the
426one certificate we use, and nothing for anything else in a chain. If this
427proves false, we need to extract a cert id from our issued cert
428(tls_certificate) and use that for OCSP_resp_find_status() (which finds the
429right cert in the stack and then calls OCSP_single_get0_status()).
430
431I'm hoping to avoid reworking a bunch more of how we handle state here. */
432single_response = OCSP_resp_get0(basic_response, 0);
433if (!single_response)
434 {
435 DEBUG(D_tls)
436 debug_printf("Unable to get first response from OCSP basic response.\n");
437 return;
438 }
439
440status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
441/* how does this status differ from the one above? */
442if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL)
443 {
444 DEBUG(D_tls) debug_printf("OCSP response not valid (take 2): %s (%d)\n",
445 OCSP_response_status_str(status), status);
446 return;
447 }
448
449if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
450 {
451 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
452 return;
453 }
454
455cbinfo->ocsp_response = resp;
456}
457#endif
458
459
460
461
059ec3d9 462/*************************************************
7be682ca
PP
463* Expand key and cert file specs *
464*************************************************/
465
466/* Called once during tls_init and possibly againt during TLS setup, for a
467new context, if Server Name Indication was used and tls_sni was seen in
468the certificate string.
469
470Arguments:
471 sctx the SSL_CTX* to update
472 cbinfo various parts of session state
473
474Returns: OK/DEFER/FAIL
475*/
476
477static int
3f7eeb86 478tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo)
7be682ca
PP
479{
480uschar *expanded;
481
482if (cbinfo->certificate == NULL)
483 return OK;
484
485if (Ustrstr(cbinfo->certificate, US"tls_sni"))
486 reexpand_tls_files_for_sni = TRUE;
487
488if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded))
489 return DEFER;
490
491if (expanded != NULL)
492 {
493 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded);
494 if (!SSL_CTX_use_certificate_chain_file(sctx, CS expanded))
495 return tls_error(string_sprintf(
496 "SSL_CTX_use_certificate_chain_file file=%s", expanded),
497 cbinfo->host, NULL);
498 }
499
500if (cbinfo->privatekey != NULL &&
501 !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded))
502 return DEFER;
503
504/* If expansion was forced to fail, key_expanded will be NULL. If the result
505of the expansion is an empty string, ignore it also, and assume the private
506key is in the same file as the certificate. */
507
508if (expanded != NULL && *expanded != 0)
509 {
510 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
511 if (!SSL_CTX_use_PrivateKey_file(sctx, CS expanded, SSL_FILETYPE_PEM))
512 return tls_error(string_sprintf(
513 "SSL_CTX_use_PrivateKey_file file=%s", expanded), cbinfo->host, NULL);
514 }
515
3f7eeb86
PP
516#ifdef EXPERIMENTAL_OCSP
517if (cbinfo->ocsp_file != NULL)
518 {
519 if (!expand_check(cbinfo->ocsp_file, US"tls_ocsp_file", &expanded))
520 return DEFER;
521
522 if (expanded != NULL && *expanded != 0)
523 {
524 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
525 if (cbinfo->ocsp_file_expanded &&
526 (Ustrcmp(expanded, cbinfo->ocsp_file_expanded) == 0))
527 {
528 DEBUG(D_tls)
529 debug_printf("tls_ocsp_file value unchanged, using existing values.\n");
530 } else {
531 ocsp_load_response(sctx, cbinfo, expanded);
532 }
533 }
534 }
535#endif
536
7be682ca
PP
537return OK;
538}
539
540
541
542
543/*************************************************
544* Callback to handle SNI *
545*************************************************/
546
547/* Called when acting as server during the TLS session setup if a Server Name
548Indication extension was sent by the client.
549
550API documentation is OpenSSL s_server.c implementation.
551
552Arguments:
553 s SSL* of the current session
554 ad unknown (part of OpenSSL API) (unused)
555 arg Callback of "our" registered data
556
557Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
558*/
559
3bcbbbe2 560#ifdef EXIM_HAVE_OPENSSL_TLSEXT
7be682ca 561static int
7be682ca
PP
562tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
563{
564const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
3f7eeb86 565tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
7be682ca 566int rc;
3f0945ff 567int old_pool = store_pool;
7be682ca
PP
568
569if (!servername)
570 return SSL_TLSEXT_ERR_OK;
571
3f0945ff 572DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
7be682ca
PP
573 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
574
575/* Make the extension value available for expansion */
3f0945ff
PP
576store_pool = POOL_PERM;
577tls_sni = string_copy(US servername);
578store_pool = old_pool;
7be682ca
PP
579
580if (!reexpand_tls_files_for_sni)
581 return SSL_TLSEXT_ERR_OK;
582
583/* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
584not confident that memcpy wouldn't break some internal reference counting.
585Especially since there's a references struct member, which would be off. */
586
587ctx_sni = SSL_CTX_new(SSLv23_server_method());
588if (!ctx_sni)
589 {
590 ERR_error_string(ERR_get_error(), ssl_errstring);
591 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
592 return SSL_TLSEXT_ERR_NOACK;
593 }
594
595/* Not sure how many of these are actually needed, since SSL object
596already exists. Might even need this selfsame callback, for reneg? */
597
598SSL_CTX_set_info_callback(ctx_sni, SSL_CTX_get_info_callback(ctx));
599SSL_CTX_set_mode(ctx_sni, SSL_CTX_get_mode(ctx));
600SSL_CTX_set_options(ctx_sni, SSL_CTX_get_options(ctx));
601SSL_CTX_set_timeout(ctx_sni, SSL_CTX_get_timeout(ctx));
602SSL_CTX_set_tlsext_servername_callback(ctx_sni, tls_servername_cb);
603SSL_CTX_set_tlsext_servername_arg(ctx_sni, cbinfo);
604if (cbinfo->server_cipher_list)
605 SSL_CTX_set_cipher_list(ctx_sni, CS cbinfo->server_cipher_list);
3f7eeb86
PP
606#ifdef EXPERIMENTAL_OCSP
607if (cbinfo->ocsp_file)
608 {
609 SSL_CTX_set_tlsext_status_cb(ctx_sni, tls_stapling_cb);
610 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
611 }
612#endif
7be682ca 613
3f7eeb86 614rc = setup_certs(ctx_sni, tls_verify_certificates, tls_crl, NULL, FALSE);
7be682ca
PP
615if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
616
3f7eeb86
PP
617/* do this after setup_certs, because this can require the certs for verifying
618OCSP information. */
619rc = tls_expand_session_files(ctx_sni, cbinfo);
7be682ca
PP
620if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
621
622DEBUG(D_tls) debug_printf("Switching SSL context.\n");
623SSL_set_SSL_CTX(s, ctx_sni);
624
625return SSL_TLSEXT_ERR_OK;
626}
3bcbbbe2 627#endif /* EXIM_HAVE_OPENSSL_TLSEXT */
7be682ca
PP
628
629
630
631
3f7eeb86
PP
632#ifdef EXPERIMENTAL_OCSP
633/*************************************************
634* Callback to handle OCSP Stapling *
635*************************************************/
636
637/* Called when acting as server during the TLS session setup if the client
638requests OCSP information with a Certificate Status Request.
639
640Documentation via openssl s_server.c and the Apache patch from the OpenSSL
641project.
642
643*/
644
645static int
646tls_stapling_cb(SSL *s, void *arg)
647{
648const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
649uschar *response_der;
650int response_der_len;
651
652DEBUG(D_tls) debug_printf("Received TLS status request (OCSP stapling); %s response.\n",
653 cbinfo->ocsp_response ? "have" : "lack");
654if (!cbinfo->ocsp_response)
655 return SSL_TLSEXT_ERR_NOACK;
656
657response_der = NULL;
658response_der_len = i2d_OCSP_RESPONSE(cbinfo->ocsp_response, &response_der);
659if (response_der_len <= 0)
660 return SSL_TLSEXT_ERR_NOACK;
661
662SSL_set_tlsext_status_ocsp_resp(ssl, response_der, response_der_len);
663return SSL_TLSEXT_ERR_OK;
664}
665
666#endif /* EXPERIMENTAL_OCSP */
667
668
669
670
7be682ca 671/*************************************************
059ec3d9
PH
672* Initialize for TLS *
673*************************************************/
674
675/* Called from both server and client code, to do preliminary initialization of
676the library.
677
678Arguments:
679 host connected host, if client; NULL if server
680 dhparam DH parameter file
681 certificate certificate file
682 privatekey private key
683 addr address if client; NULL if server (for some randomness)
684
685Returns: OK/DEFER/FAIL
686*/
687
688static int
c91535f3 689tls_init(host_item *host, uschar *dhparam, uschar *certificate,
3f7eeb86
PP
690 uschar *privatekey,
691#ifdef EXPERIMENTAL_OCSP
692 uschar *ocsp_file,
693#endif
694 address_item *addr)
059ec3d9 695{
77bb000f 696long init_options;
7be682ca 697int rc;
77bb000f 698BOOL okay;
7be682ca
PP
699tls_ext_ctx_cb *cbinfo;
700
701cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
702cbinfo->certificate = certificate;
703cbinfo->privatekey = privatekey;
3f7eeb86
PP
704#ifdef EXPERIMENTAL_OCSP
705cbinfo->ocsp_file = ocsp_file;
706#endif
7be682ca
PP
707cbinfo->dhparam = dhparam;
708cbinfo->host = host;
77bb000f 709
059ec3d9
PH
710SSL_load_error_strings(); /* basic set up */
711OpenSSL_add_ssl_algorithms();
712
388d6564 713#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
77bb000f 714/* SHA256 is becoming ever more popular. This makes sure it gets added to the
a0475b69
TK
715list of available digests. */
716EVP_add_digest(EVP_sha256());
cf1ef1a9 717#endif
a0475b69 718
059ec3d9
PH
719/* Create a context */
720
721ctx = SSL_CTX_new((host == NULL)?
722 SSLv23_server_method() : SSLv23_client_method());
723
7199e1ee 724if (ctx == NULL) return tls_error(US"SSL_CTX_new", host, NULL);
059ec3d9
PH
725
726/* It turns out that we need to seed the random number generator this early in
727order to get the full complement of ciphers to work. It took me roughly a day
728of work to discover this by experiment.
729
730On systems that have /dev/urandom, SSL may automatically seed itself from
731there. Otherwise, we have to make something up as best we can. Double check
732afterwards. */
733
734if (!RAND_status())
735 {
736 randstuff r;
9e3331ea 737 gettimeofday(&r.tv, NULL);
059ec3d9
PH
738 r.p = getpid();
739
740 RAND_seed((uschar *)(&r), sizeof(r));
741 RAND_seed((uschar *)big_buffer, big_buffer_size);
742 if (addr != NULL) RAND_seed((uschar *)addr, sizeof(addr));
743
744 if (!RAND_status())
7199e1ee 745 return tls_error(US"RAND_status", host,
5ca6d115 746 US"unable to seed random number generator");
059ec3d9
PH
747 }
748
749/* Set up the information callback, which outputs if debugging is at a suitable
750level. */
751
58c01c94 752SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
059ec3d9 753
c80c5570
PP
754/* Automatically re-try reads/writes after renegotiation. */
755(void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
756
77bb000f
PP
757/* Apply administrator-supplied work-arounds.
758Historically we applied just one requested option,
759SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
760moved to an administrator-controlled list of options to specify and
761grandfathered in the first one as the default value for "openssl_options".
059ec3d9 762
77bb000f
PP
763No OpenSSL version number checks: the options we accept depend upon the
764availability of the option value macros from OpenSSL. */
059ec3d9 765
77bb000f
PP
766okay = tls_openssl_options_parse(openssl_options, &init_options);
767if (!okay)
73a46702 768 return tls_error(US"openssl_options parsing failed", host, NULL);
77bb000f
PP
769
770if (init_options)
771 {
772 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
773 if (!(SSL_CTX_set_options(ctx, init_options)))
774 return tls_error(string_sprintf(
775 "SSL_CTX_set_option(%#lx)", init_options), host, NULL);
776 }
777else
778 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
059ec3d9
PH
779
780/* Initialize with DH parameters if supplied */
781
7199e1ee 782if (!init_dh(dhparam, host)) return DEFER;
059ec3d9 783
3f7eeb86 784/* Set up certificate and key (and perhaps OCSP info) */
059ec3d9 785
7be682ca
PP
786rc = tls_expand_session_files(ctx, cbinfo);
787if (rc != OK) return rc;
c91535f3 788
7be682ca 789/* If we need to handle SNI, do so */
3bcbbbe2 790#ifdef EXIM_HAVE_OPENSSL_TLSEXT
3f0945ff
PP
791if (host == NULL)
792 {
3f7eeb86
PP
793#ifdef EXPERIMENTAL_OCSP
794 /* We check ocsp_file, not ocsp_response, because we care about if
795 the option exists, not what the current expansion might be, as SNI might
796 change the certificate and OCSP file in use between now and the time the
797 callback is invoked. */
798 if (cbinfo->ocsp_file)
799 {
800 SSL_CTX_set_tlsext_status_cb(ctx, tls_stapling_cb);
801 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
802 }
803#endif
3f0945ff
PP
804 /* We always do this, so that $tls_sni is available even if not used in
805 tls_certificate */
806 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
807 SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
808 }
7be682ca 809#endif
059ec3d9
PH
810
811/* Set up the RSA callback */
812
813SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
814
815/* Finally, set the timeout, and we are done */
816
817SSL_CTX_set_timeout(ctx, ssl_session_timeout);
818DEBUG(D_tls) debug_printf("Initialized TLS\n");
7be682ca
PP
819
820static_cbinfo = cbinfo;
821
059ec3d9
PH
822return OK;
823}
824
825
826
827
828/*************************************************
829* Get name of cipher in use *
830*************************************************/
831
832/* The answer is left in a static buffer, and tls_cipher is set to point
833to it.
834
835Argument: pointer to an SSL structure for the connection
836Returns: nothing
837*/
838
839static void
840construct_cipher_name(SSL *ssl)
841{
842static uschar cipherbuf[256];
57b3a7f5
PP
843/* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't
844yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
845the accessor functions use const in the prototype. */
846const SSL_CIPHER *c;
059ec3d9 847uschar *ver;
059ec3d9
PH
848
849switch (ssl->session->ssl_version)
850 {
851 case SSL2_VERSION:
852 ver = US"SSLv2";
853 break;
854
855 case SSL3_VERSION:
856 ver = US"SSLv3";
857 break;
858
859 case TLS1_VERSION:
860 ver = US"TLSv1";
861 break;
862
c80c5570
PP
863#ifdef TLS1_1_VERSION
864 case TLS1_1_VERSION:
865 ver = US"TLSv1.1";
866 break;
867#endif
868
869#ifdef TLS1_2_VERSION
870 case TLS1_2_VERSION:
871 ver = US"TLSv1.2";
872 break;
873#endif
874
059ec3d9
PH
875 default:
876 ver = US"UNKNOWN";
877 }
878
57b3a7f5 879c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
edc33b5f 880SSL_CIPHER_get_bits(c, &tls_bits);
059ec3d9
PH
881
882string_format(cipherbuf, sizeof(cipherbuf), "%s:%s:%u", ver,
edc33b5f 883 SSL_CIPHER_get_name(c), tls_bits);
059ec3d9
PH
884tls_cipher = cipherbuf;
885
886DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
887}
888
889
890
891
892
893/*************************************************
894* Set up for verifying certificates *
895*************************************************/
896
897/* Called by both client and server startup
898
899Arguments:
7be682ca 900 sctx SSL_CTX* to initialise
059ec3d9
PH
901 certs certs file or NULL
902 crl CRL file or NULL
903 host NULL in a server; the remote host in a client
904 optional TRUE if called from a server for a host in tls_try_verify_hosts;
905 otherwise passed as FALSE
906
907Returns: OK/DEFER/FAIL
908*/
909
910static int
7be682ca 911setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional)
059ec3d9
PH
912{
913uschar *expcerts, *expcrl;
914
915if (!expand_check(certs, US"tls_verify_certificates", &expcerts))
916 return DEFER;
917
918if (expcerts != NULL)
919 {
920 struct stat statbuf;
7be682ca 921 if (!SSL_CTX_set_default_verify_paths(sctx))
7199e1ee 922 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
059ec3d9
PH
923
924 if (Ustat(expcerts, &statbuf) < 0)
925 {
926 log_write(0, LOG_MAIN|LOG_PANIC,
927 "failed to stat %s for certificates", expcerts);
928 return DEFER;
929 }
930 else
931 {
932 uschar *file, *dir;
933 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
934 { file = NULL; dir = expcerts; }
935 else
936 { file = expcerts; dir = NULL; }
937
938 /* If a certificate file is empty, the next function fails with an
939 unhelpful error message. If we skip it, we get the correct behaviour (no
940 certificates are recognized, but the error message is still misleading (it
941 says no certificate was supplied.) But this is better. */
942
943 if ((file == NULL || statbuf.st_size > 0) &&
7be682ca 944 !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
7199e1ee 945 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL);
059ec3d9
PH
946
947 if (file != NULL)
948 {
7be682ca 949 SSL_CTX_set_client_CA_list(sctx, SSL_load_client_CA_file(CS file));
059ec3d9
PH
950 }
951 }
952
953 /* Handle a certificate revocation list. */
954
955 #if OPENSSL_VERSION_NUMBER > 0x00907000L
956
8b417f2c
PH
957 /* This bit of code is now the version supplied by Lars Mainka. (I have
958 * merely reformatted it into the Exim code style.)
959
960 * "From here I changed the code to add support for multiple crl's
961 * in pem format in one file or to support hashed directory entries in
962 * pem format instead of a file. This method now uses the library function
963 * X509_STORE_load_locations to add the CRL location to the SSL context.
964 * OpenSSL will then handle the verify against CA certs and CRLs by
965 * itself in the verify callback." */
966
059ec3d9
PH
967 if (!expand_check(crl, US"tls_crl", &expcrl)) return DEFER;
968 if (expcrl != NULL && *expcrl != 0)
969 {
8b417f2c
PH
970 struct stat statbufcrl;
971 if (Ustat(expcrl, &statbufcrl) < 0)
972 {
973 log_write(0, LOG_MAIN|LOG_PANIC,
974 "failed to stat %s for certificates revocation lists", expcrl);
975 return DEFER;
976 }
977 else
059ec3d9 978 {
8b417f2c
PH
979 /* is it a file or directory? */
980 uschar *file, *dir;
7be682ca 981 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
8b417f2c 982 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
059ec3d9 983 {
8b417f2c
PH
984 file = NULL;
985 dir = expcrl;
986 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
059ec3d9
PH
987 }
988 else
989 {
8b417f2c
PH
990 file = expcrl;
991 dir = NULL;
992 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
059ec3d9 993 }
8b417f2c 994 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
7199e1ee 995 return tls_error(US"X509_STORE_load_locations", host, NULL);
8b417f2c
PH
996
997 /* setting the flags to check against the complete crl chain */
998
999 X509_STORE_set_flags(cvstore,
1000 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
059ec3d9 1001 }
059ec3d9
PH
1002 }
1003
1004 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
1005
1006 /* If verification is optional, don't fail if no certificate */
1007
7be682ca 1008 SSL_CTX_set_verify(sctx,
059ec3d9
PH
1009 SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
1010 verify_callback);
1011 }
1012
1013return OK;
1014}
1015
1016
1017
1018/*************************************************
1019* Start a TLS session in a server *
1020*************************************************/
1021
1022/* This is called when Exim is running as a server, after having received
1023the STARTTLS command. It must respond to that command, and then negotiate
1024a TLS session.
1025
1026Arguments:
1027 require_ciphers allowed ciphers
1028
1029Returns: OK on success
1030 DEFER for errors before the start of the negotiation
1031 FAIL for errors during the negotation; the server can't
1032 continue running.
1033*/
1034
1035int
17c76198 1036tls_server_start(const uschar *require_ciphers)
059ec3d9
PH
1037{
1038int rc;
1039uschar *expciphers;
7be682ca 1040tls_ext_ctx_cb *cbinfo;
059ec3d9
PH
1041
1042/* Check for previous activation */
1043
1044if (tls_active >= 0)
1045 {
5ca6d115 1046 tls_error(US"STARTTLS received after TLS started", NULL, US"");
059ec3d9
PH
1047 smtp_printf("554 Already in TLS\r\n");
1048 return FAIL;
1049 }
1050
1051/* Initialize the SSL library. If it fails, it will already have logged
1052the error. */
1053
3f7eeb86
PP
1054rc = tls_init(NULL, tls_dhparam, tls_certificate, tls_privatekey,
1055#ifdef EXPERIMENTAL_OCSP
1056 tls_ocsp_file,
1057#endif
1058 NULL);
059ec3d9 1059if (rc != OK) return rc;
7be682ca 1060cbinfo = static_cbinfo;
059ec3d9
PH
1061
1062if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
1063 return FAIL;
1064
1065/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
17c76198
PP
1066were historically separated by underscores. So that I can use either form in my
1067tests, and also for general convenience, we turn underscores into hyphens here.
1068*/
059ec3d9
PH
1069
1070if (expciphers != NULL)
1071 {
1072 uschar *s = expciphers;
1073 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1074 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
1075 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
7199e1ee 1076 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL);
7be682ca 1077 cbinfo->server_cipher_list = expciphers;
059ec3d9
PH
1078 }
1079
1080/* If this is a host for which certificate verification is mandatory or
1081optional, set up appropriately. */
1082
1083tls_certificate_verified = FALSE;
1084verify_callback_called = FALSE;
1085
1086if (verify_check_host(&tls_verify_hosts) == OK)
1087 {
7be682ca 1088 rc = setup_certs(ctx, tls_verify_certificates, tls_crl, NULL, FALSE);
059ec3d9
PH
1089 if (rc != OK) return rc;
1090 verify_optional = FALSE;
1091 }
1092else if (verify_check_host(&tls_try_verify_hosts) == OK)
1093 {
7be682ca 1094 rc = setup_certs(ctx, tls_verify_certificates, tls_crl, NULL, TRUE);
059ec3d9
PH
1095 if (rc != OK) return rc;
1096 verify_optional = TRUE;
1097 }
1098
1099/* Prepare for new connection */
1100
7199e1ee 1101if ((ssl = SSL_new(ctx)) == NULL) return tls_error(US"SSL_new", NULL, NULL);
da3ad30d
PP
1102
1103/* Warning: we used to SSL_clear(ssl) here, it was removed.
1104 *
1105 * With the SSL_clear(), we get strange interoperability bugs with
1106 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
1107 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
1108 *
1109 * The SSL_clear() call is to let an existing SSL* be reused, typically after
1110 * session shutdown. In this case, we have a brand new object and there's no
1111 * obvious reason to immediately clear it. I'm guessing that this was
1112 * originally added because of incomplete initialisation which the clear fixed,
1113 * in some historic release.
1114 */
059ec3d9
PH
1115
1116/* Set context and tell client to go ahead, except in the case of TLS startup
1117on connection, where outputting anything now upsets the clients and tends to
1118make them disconnect. We need to have an explicit fflush() here, to force out
1119the response. Other smtp_printf() calls do not need it, because in non-TLS
1120mode, the fflush() happens when smtp_getc() is called. */
1121
1122SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
1123if (!tls_on_connect)
1124 {
1125 smtp_printf("220 TLS go ahead\r\n");
1126 fflush(smtp_out);
1127 }
1128
1129/* Now negotiate the TLS session. We put our own timer on it, since it seems
1130that the OpenSSL library doesn't. */
1131
56f5d9bd
PH
1132SSL_set_wfd(ssl, fileno(smtp_out));
1133SSL_set_rfd(ssl, fileno(smtp_in));
059ec3d9
PH
1134SSL_set_accept_state(ssl);
1135
1136DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
1137
1138sigalrm_seen = FALSE;
1139if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
1140rc = SSL_accept(ssl);
1141alarm(0);
1142
1143if (rc <= 0)
1144 {
7199e1ee 1145 tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL);
77bb000f
PP
1146 if (ERR_get_error() == 0)
1147 log_write(0, LOG_MAIN,
a053d125 1148 "TLS client disconnected cleanly (rejected our certificate?)");
059ec3d9
PH
1149 return FAIL;
1150 }
1151
1152DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
1153
1154/* TLS has been set up. Adjust the input functions to read via TLS,
1155and initialize things. */
1156
1157construct_cipher_name(ssl);
1158
1159DEBUG(D_tls)
1160 {
1161 uschar buf[2048];
1162 if (SSL_get_shared_ciphers(ssl, CS buf, sizeof(buf)) != NULL)
1163 debug_printf("Shared ciphers: %s\n", buf);
1164 }
1165
1166
1167ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
1168ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
1169ssl_xfer_eof = ssl_xfer_error = 0;
1170
1171receive_getc = tls_getc;
1172receive_ungetc = tls_ungetc;
1173receive_feof = tls_feof;
1174receive_ferror = tls_ferror;
58eb016e 1175receive_smtp_buffered = tls_smtp_buffered;
059ec3d9
PH
1176
1177tls_active = fileno(smtp_out);
1178return OK;
1179}
1180
1181
1182
1183
1184
1185/*************************************************
1186* Start a TLS session in a client *
1187*************************************************/
1188
1189/* Called from the smtp transport after STARTTLS has been accepted.
1190
1191Argument:
1192 fd the fd of the connection
1193 host connected host (for messages)
83da1223 1194 addr the first address
059ec3d9
PH
1195 dhparam DH parameter file
1196 certificate certificate file
1197 privatekey private key file
3f0945ff 1198 sni TLS SNI to send to remote host
059ec3d9
PH
1199 verify_certs file for certificate verify
1200 crl file containing CRL
1201 require_ciphers list of allowed ciphers
83da1223 1202 timeout startup timeout
059ec3d9
PH
1203
1204Returns: OK on success
1205 FAIL otherwise - note that tls_error() will not give DEFER
1206 because this is not a server
1207*/
1208
1209int
1210tls_client_start(int fd, host_item *host, address_item *addr, uschar *dhparam,
3f0945ff
PP
1211 uschar *certificate, uschar *privatekey, uschar *sni,
1212 uschar *verify_certs, uschar *crl,
17c76198 1213 uschar *require_ciphers, int timeout)
059ec3d9
PH
1214{
1215static uschar txt[256];
1216uschar *expciphers;
1217X509* server_cert;
1218int rc;
1219
3f7eeb86
PP
1220rc = tls_init(host, dhparam, certificate, privatekey,
1221#ifdef EXPERIMENTAL_OCSP
1222 NULL,
1223#endif
1224 addr);
059ec3d9
PH
1225if (rc != OK) return rc;
1226
1227tls_certificate_verified = FALSE;
1228verify_callback_called = FALSE;
1229
1230if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
1231 return FAIL;
1232
1233/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
1234are separated by underscores. So that I can use either form in my tests, and
1235also for general convenience, we turn underscores into hyphens here. */
1236
1237if (expciphers != NULL)
1238 {
1239 uschar *s = expciphers;
1240 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1241 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
1242 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
7199e1ee 1243 return tls_error(US"SSL_CTX_set_cipher_list", host, NULL);
059ec3d9
PH
1244 }
1245
7be682ca 1246rc = setup_certs(ctx, verify_certs, crl, host, FALSE);
059ec3d9
PH
1247if (rc != OK) return rc;
1248
7199e1ee 1249if ((ssl = SSL_new(ctx)) == NULL) return tls_error(US"SSL_new", host, NULL);
059ec3d9
PH
1250SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
1251SSL_set_fd(ssl, fd);
1252SSL_set_connect_state(ssl);
1253
3f0945ff
PP
1254if (sni)
1255 {
1256 if (!expand_check(sni, US"tls_sni", &tls_sni))
1257 return FAIL;
1258 if (!Ustrlen(tls_sni))
1259 tls_sni = NULL;
1260 else
1261 {
35731706 1262#ifdef EXIM_HAVE_OPENSSL_TLSEXT
3f0945ff
PP
1263 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tls_sni);
1264 SSL_set_tlsext_host_name(ssl, tls_sni);
35731706
PP
1265#else
1266 DEBUG(D_tls)
1267 debug_printf("OpenSSL at build-time lacked SNI support, ignoring \"%s\"\n",
1268 tls_sni);
1269#endif
3f0945ff
PP
1270 }
1271 }
1272
059ec3d9
PH
1273/* There doesn't seem to be a built-in timeout on connection. */
1274
1275DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
1276sigalrm_seen = FALSE;
1277alarm(timeout);
1278rc = SSL_connect(ssl);
1279alarm(0);
1280
1281if (rc <= 0)
7199e1ee 1282 return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL);
059ec3d9
PH
1283
1284DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
1285
453a6645 1286/* Beware anonymous ciphers which lead to server_cert being NULL */
059ec3d9 1287server_cert = SSL_get_peer_certificate (ssl);
453a6645
PP
1288if (server_cert)
1289 {
1290 tls_peerdn = US X509_NAME_oneline(X509_get_subject_name(server_cert),
1291 CS txt, sizeof(txt));
1292 tls_peerdn = txt;
1293 }
1294else
1295 tls_peerdn = NULL;
059ec3d9
PH
1296
1297construct_cipher_name(ssl); /* Sets tls_cipher */
1298
1299tls_active = fd;
1300return OK;
1301}
1302
1303
1304
1305
1306
1307/*************************************************
1308* TLS version of getc *
1309*************************************************/
1310
1311/* This gets the next byte from the TLS input buffer. If the buffer is empty,
1312it refills the buffer via the SSL reading function.
1313
1314Arguments: none
1315Returns: the next character or EOF
1316*/
1317
1318int
1319tls_getc(void)
1320{
1321if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
1322 {
1323 int error;
1324 int inbytes;
1325
c80c5570
PP
1326 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
1327 ssl_xfer_buffer, ssl_xfer_buffer_size);
059ec3d9
PH
1328
1329 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
1330 inbytes = SSL_read(ssl, CS ssl_xfer_buffer, ssl_xfer_buffer_size);
1331 error = SSL_get_error(ssl, inbytes);
1332 alarm(0);
1333
1334 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
1335 closed down, not that the socket itself has been closed down. Revert to
1336 non-SSL handling. */
1337
1338 if (error == SSL_ERROR_ZERO_RETURN)
1339 {
1340 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
1341
1342 receive_getc = smtp_getc;
1343 receive_ungetc = smtp_ungetc;
1344 receive_feof = smtp_feof;
1345 receive_ferror = smtp_ferror;
58eb016e 1346 receive_smtp_buffered = smtp_buffered;
059ec3d9
PH
1347
1348 SSL_free(ssl);
1349 ssl = NULL;
1350 tls_active = -1;
3f0945ff 1351 tls_bits = 0;
059ec3d9
PH
1352 tls_cipher = NULL;
1353 tls_peerdn = NULL;
3f0945ff 1354 tls_sni = NULL;
059ec3d9
PH
1355
1356 return smtp_getc();
1357 }
1358
1359 /* Handle genuine errors */
1360
ba084640
PP
1361 else if (error == SSL_ERROR_SSL)
1362 {
1363 ERR_error_string(ERR_get_error(), ssl_errstring);
89dd51cd 1364 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
ba084640
PP
1365 ssl_xfer_error = 1;
1366 return EOF;
1367 }
1368
059ec3d9
PH
1369 else if (error != SSL_ERROR_NONE)
1370 {
1371 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
1372 ssl_xfer_error = 1;
1373 return EOF;
1374 }
c80c5570 1375
80a47a2c
TK
1376#ifndef DISABLE_DKIM
1377 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
1378#endif
059ec3d9
PH
1379 ssl_xfer_buffer_hwm = inbytes;
1380 ssl_xfer_buffer_lwm = 0;
1381 }
1382
1383/* Something in the buffer; return next uschar */
1384
1385return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
1386}
1387
1388
1389
1390/*************************************************
1391* Read bytes from TLS channel *
1392*************************************************/
1393
1394/*
1395Arguments:
1396 buff buffer of data
1397 len size of buffer
1398
1399Returns: the number of bytes read
1400 -1 after a failed read
1401*/
1402
1403int
1404tls_read(uschar *buff, size_t len)
1405{
1406int inbytes;
1407int error;
1408
c80c5570
PP
1409DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
1410 buff, (unsigned int)len);
059ec3d9
PH
1411
1412inbytes = SSL_read(ssl, CS buff, len);
1413error = SSL_get_error(ssl, inbytes);
1414
1415if (error == SSL_ERROR_ZERO_RETURN)
1416 {
1417 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
1418 return -1;
1419 }
1420else if (error != SSL_ERROR_NONE)
1421 {
1422 return -1;
1423 }
1424
1425return inbytes;
1426}
1427
1428
1429
1430
1431
1432/*************************************************
1433* Write bytes down TLS channel *
1434*************************************************/
1435
1436/*
1437Arguments:
1438 buff buffer of data
1439 len number of bytes
1440
1441Returns: the number of bytes after a successful write,
1442 -1 after a failed write
1443*/
1444
1445int
1446tls_write(const uschar *buff, size_t len)
1447{
1448int outbytes;
1449int error;
1450int left = len;
1451
c80c5570 1452DEBUG(D_tls) debug_printf("tls_do_write(%p, %d)\n", buff, left);
059ec3d9
PH
1453while (left > 0)
1454 {
c80c5570 1455 DEBUG(D_tls) debug_printf("SSL_write(SSL, %p, %d)\n", buff, left);
059ec3d9
PH
1456 outbytes = SSL_write(ssl, CS buff, left);
1457 error = SSL_get_error(ssl, outbytes);
1458 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
1459 switch (error)
1460 {
1461 case SSL_ERROR_SSL:
1462 ERR_error_string(ERR_get_error(), ssl_errstring);
1463 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
1464 return -1;
1465
1466 case SSL_ERROR_NONE:
1467 left -= outbytes;
1468 buff += outbytes;
1469 break;
1470
1471 case SSL_ERROR_ZERO_RETURN:
1472 log_write(0, LOG_MAIN, "SSL channel closed on write");
1473 return -1;
1474
1475 default:
1476 log_write(0, LOG_MAIN, "SSL_write error %d", error);
1477 return -1;
1478 }
1479 }
1480return len;
1481}
1482
1483
1484
1485/*************************************************
1486* Close down a TLS session *
1487*************************************************/
1488
1489/* This is also called from within a delivery subprocess forked from the
1490daemon, to shut down the TLS library, without actually doing a shutdown (which
1491would tamper with the SSL session in the parent process).
1492
1493Arguments: TRUE if SSL_shutdown is to be called
1494Returns: nothing
1495*/
1496
1497void
1498tls_close(BOOL shutdown)
1499{
1500if (tls_active < 0) return; /* TLS was not active */
1501
1502if (shutdown)
1503 {
1504 DEBUG(D_tls) debug_printf("tls_close(): shutting down SSL\n");
1505 SSL_shutdown(ssl);
1506 }
1507
1508SSL_free(ssl);
1509ssl = NULL;
1510
1511tls_active = -1;
1512}
1513
36f12725
NM
1514
1515
1516
1517/*************************************************
3375e053
PP
1518* Let tls_require_ciphers be checked at startup *
1519*************************************************/
1520
1521/* The tls_require_ciphers option, if set, must be something which the
1522library can parse.
1523
1524Returns: NULL on success, or error message
1525*/
1526
1527uschar *
1528tls_validate_require_cipher(void)
1529{
1530SSL_CTX *ctx;
1531uschar *s, *expciphers, *err;
1532
1533/* this duplicates from tls_init(), we need a better "init just global
1534state, for no specific purpose" singleton function of our own */
1535
1536SSL_load_error_strings();
1537OpenSSL_add_ssl_algorithms();
1538#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
1539/* SHA256 is becoming ever more popular. This makes sure it gets added to the
1540list of available digests. */
1541EVP_add_digest(EVP_sha256());
1542#endif
1543
1544if (!(tls_require_ciphers && *tls_require_ciphers))
1545 return NULL;
1546
1547if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers))
1548 return US"failed to expand tls_require_ciphers";
1549
1550if (!(expciphers && *expciphers))
1551 return NULL;
1552
1553/* normalisation ripped from above */
1554s = expciphers;
1555while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1556
1557err = NULL;
1558
1559ctx = SSL_CTX_new(SSLv23_server_method());
1560if (!ctx)
1561 {
1562 ERR_error_string(ERR_get_error(), ssl_errstring);
1563 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
1564 }
1565
1566DEBUG(D_tls)
1567 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
1568
1569if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
1570 {
1571 ERR_error_string(ERR_get_error(), ssl_errstring);
1572 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed", expciphers);
1573 }
1574
1575SSL_CTX_free(ctx);
1576
1577return err;
1578}
1579
1580
1581
1582
1583/*************************************************
36f12725
NM
1584* Report the library versions. *
1585*************************************************/
1586
1587/* There have historically been some issues with binary compatibility in
1588OpenSSL libraries; if Exim (like many other applications) is built against
1589one version of OpenSSL but the run-time linker picks up another version,
1590it can result in serious failures, including crashing with a SIGSEGV. So
1591report the version found by the compiler and the run-time version.
1592
1593Arguments: a FILE* to print the results to
1594Returns: nothing
1595*/
1596
1597void
1598tls_version_report(FILE *f)
1599{
754a0503
PP
1600fprintf(f, "Library version: OpenSSL: Compile: %s\n"
1601 " Runtime: %s\n",
1602 OPENSSL_VERSION_TEXT,
1603 SSLeay_version(SSLEAY_VERSION));
36f12725
NM
1604}
1605
9e3331ea
TK
1606
1607
1608
1609/*************************************************
17c76198 1610* Random number generation *
9e3331ea
TK
1611*************************************************/
1612
1613/* Pseudo-random number generation. The result is not expected to be
1614cryptographically strong but not so weak that someone will shoot themselves
1615in the foot using it as a nonce in input in some email header scheme or
1616whatever weirdness they'll twist this into. The result should handle fork()
1617and avoid repeating sequences. OpenSSL handles that for us.
1618
1619Arguments:
1620 max range maximum
1621Returns a random number in range [0, max-1]
1622*/
1623
1624int
17c76198 1625vaguely_random_number(int max)
9e3331ea
TK
1626{
1627unsigned int r;
1628int i, needed_len;
1629uschar *p;
1630uschar smallbuf[sizeof(r)];
1631
1632if (max <= 1)
1633 return 0;
1634
1635/* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
1636if (!RAND_status())
1637 {
1638 randstuff r;
1639 gettimeofday(&r.tv, NULL);
1640 r.p = getpid();
1641
1642 RAND_seed((uschar *)(&r), sizeof(r));
1643 }
1644/* We're after pseudo-random, not random; if we still don't have enough data
1645in the internal PRNG then our options are limited. We could sleep and hope
1646for entropy to come along (prayer technique) but if the system is so depleted
1647in the first place then something is likely to just keep taking it. Instead,
1648we'll just take whatever little bit of pseudo-random we can still manage to
1649get. */
1650
1651needed_len = sizeof(r);
1652/* Don't take 8 times more entropy than needed if int is 8 octets and we were
1653asked for a number less than 10. */
1654for (r = max, i = 0; r; ++i)
1655 r >>= 1;
1656i = (i + 7) / 8;
1657if (i < needed_len)
1658 needed_len = i;
1659
1660/* We do not care if crypto-strong */
17c76198
PP
1661i = RAND_pseudo_bytes(smallbuf, needed_len);
1662if (i < 0)
1663 {
1664 DEBUG(D_all)
1665 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
1666 return vaguely_random_number_fallback(max);
1667 }
1668
9e3331ea
TK
1669r = 0;
1670for (p = smallbuf; needed_len; --needed_len, ++p)
1671 {
1672 r *= 256;
1673 r += *p;
1674 }
1675
1676/* We don't particularly care about weighted results; if someone wants
1677smooth distribution and cares enough then they should submit a patch then. */
1678return r % max;
1679}
1680
77bb000f
PP
1681
1682
1683
1684/*************************************************
1685* OpenSSL option parse *
1686*************************************************/
1687
1688/* Parse one option for tls_openssl_options_parse below
1689
1690Arguments:
1691 name one option name
1692 value place to store a value for it
1693Returns success or failure in parsing
1694*/
1695
1696struct exim_openssl_option {
1697 uschar *name;
1698 long value;
1699};
1700/* We could use a macro to expand, but we need the ifdef and not all the
1701options document which version they were introduced in. Policylet: include
1702all options unless explicitly for DTLS, let the administrator choose which
1703to apply.
1704
1705This list is current as of:
c80c5570 1706 ==> 1.0.1b <== */
77bb000f
PP
1707static struct exim_openssl_option exim_openssl_options[] = {
1708/* KEEP SORTED ALPHABETICALLY! */
1709#ifdef SSL_OP_ALL
73a46702 1710 { US"all", SSL_OP_ALL },
77bb000f
PP
1711#endif
1712#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
73a46702 1713 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
77bb000f
PP
1714#endif
1715#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
73a46702 1716 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
77bb000f
PP
1717#endif
1718#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
73a46702 1719 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
77bb000f
PP
1720#endif
1721#ifdef SSL_OP_EPHEMERAL_RSA
73a46702 1722 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
77bb000f
PP
1723#endif
1724#ifdef SSL_OP_LEGACY_SERVER_CONNECT
73a46702 1725 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
77bb000f
PP
1726#endif
1727#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
73a46702 1728 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
77bb000f
PP
1729#endif
1730#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
73a46702 1731 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
77bb000f
PP
1732#endif
1733#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
73a46702 1734 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
77bb000f
PP
1735#endif
1736#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
73a46702 1737 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
77bb000f
PP
1738#endif
1739#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
73a46702 1740 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
77bb000f 1741#endif
c80c5570
PP
1742#ifdef SSL_OP_NO_COMPRESSION
1743 { US"no_compression", SSL_OP_NO_COMPRESSION },
1744#endif
77bb000f 1745#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
73a46702 1746 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
77bb000f 1747#endif
c0c7b2da
PP
1748#ifdef SSL_OP_NO_SSLv2
1749 { US"no_sslv2", SSL_OP_NO_SSLv2 },
1750#endif
1751#ifdef SSL_OP_NO_SSLv3
1752 { US"no_sslv3", SSL_OP_NO_SSLv3 },
1753#endif
1754#ifdef SSL_OP_NO_TICKET
1755 { US"no_ticket", SSL_OP_NO_TICKET },
1756#endif
1757#ifdef SSL_OP_NO_TLSv1
1758 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
1759#endif
c80c5570
PP
1760#ifdef SSL_OP_NO_TLSv1_1
1761#if SSL_OP_NO_TLSv1_1 == 0x00000400L
1762 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
1763#warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
1764#else
1765 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
1766#endif
1767#endif
1768#ifdef SSL_OP_NO_TLSv1_2
1769 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
1770#endif
77bb000f 1771#ifdef SSL_OP_SINGLE_DH_USE
73a46702 1772 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
77bb000f
PP
1773#endif
1774#ifdef SSL_OP_SINGLE_ECDH_USE
73a46702 1775 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
77bb000f
PP
1776#endif
1777#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
73a46702 1778 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
77bb000f
PP
1779#endif
1780#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
73a46702 1781 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
77bb000f
PP
1782#endif
1783#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
73a46702 1784 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
77bb000f
PP
1785#endif
1786#ifdef SSL_OP_TLS_D5_BUG
73a46702 1787 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
77bb000f
PP
1788#endif
1789#ifdef SSL_OP_TLS_ROLLBACK_BUG
73a46702 1790 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
77bb000f
PP
1791#endif
1792};
1793static int exim_openssl_options_size =
1794 sizeof(exim_openssl_options)/sizeof(struct exim_openssl_option);
1795
c80c5570 1796
77bb000f
PP
1797static BOOL
1798tls_openssl_one_option_parse(uschar *name, long *value)
1799{
1800int first = 0;
1801int last = exim_openssl_options_size;
1802while (last > first)
1803 {
1804 int middle = (first + last)/2;
1805 int c = Ustrcmp(name, exim_openssl_options[middle].name);
1806 if (c == 0)
1807 {
1808 *value = exim_openssl_options[middle].value;
1809 return TRUE;
1810 }
1811 else if (c > 0)
1812 first = middle + 1;
1813 else
1814 last = middle;
1815 }
1816return FALSE;
1817}
1818
1819
1820
1821
1822/*************************************************
1823* OpenSSL option parsing logic *
1824*************************************************/
1825
1826/* OpenSSL has a number of compatibility options which an administrator might
1827reasonably wish to set. Interpret a list similarly to decode_bits(), so that
1828we look like log_selector.
1829
1830Arguments:
1831 option_spec the administrator-supplied string of options
1832 results ptr to long storage for the options bitmap
1833Returns success or failure
1834*/
1835
1836BOOL
1837tls_openssl_options_parse(uschar *option_spec, long *results)
1838{
1839long result, item;
1840uschar *s, *end;
1841uschar keep_c;
1842BOOL adding, item_parsed;
1843
0e944a0d 1844result = 0L;
b1770b6e 1845/* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
da3ad30d 1846 * from default because it increases BEAST susceptibility. */
77bb000f
PP
1847
1848if (option_spec == NULL)
1849 {
1850 *results = result;
1851 return TRUE;
1852 }
1853
1854for (s=option_spec; *s != '\0'; /**/)
1855 {
1856 while (isspace(*s)) ++s;
1857 if (*s == '\0')
1858 break;
1859 if (*s != '+' && *s != '-')
1860 {
1861 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
0e944a0d 1862 "+ or - expected but found \"%s\"\n", s);
77bb000f
PP
1863 return FALSE;
1864 }
1865 adding = *s++ == '+';
1866 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
1867 keep_c = *end;
1868 *end = '\0';
1869 item_parsed = tls_openssl_one_option_parse(s, &item);
1870 if (!item_parsed)
1871 {
0e944a0d 1872 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
77bb000f
PP
1873 return FALSE;
1874 }
1875 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
1876 adding ? "adding" : "removing", result, item, s);
1877 if (adding)
1878 result |= item;
1879 else
1880 result &= ~item;
1881 *end = keep_c;
1882 s = end;
1883 }
1884
1885*results = result;
1886return TRUE;
1887}
1888
059ec3d9 1889/* End of tls-openssl.c */