projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge branch 'master' into 4.next
[exim.git] / src / src / tls-openssl.c
CommitLineData
059ec3d9
PH		 1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
d4e5e70b 5/* Copyright (c) University of Cambridge 1995 - 2017 */
059ec3d9
PH		 6/* See the file NOTICE for conditions of use and distribution. */
7
f5d78688
JH		 8/* Portions Copyright (c) The OpenSSL Project 1999 */
9
059ec3d9
PH		 10/* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11library. It is #included into the tls.c file when that library is used. The
12code herein is based on a patch that was originally contributed by Steve
13Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
14
15No cryptographic code is included in Exim. All this module does is to call
16functions from the OpenSSL library. */
17
18
19/* Heading stuff */
20
21#include <openssl/lhash.h>
22#include <openssl/ssl.h>
23#include <openssl/err.h>
24#include <openssl/rand.h>
10ca4f1c
JH		 25#ifndef OPENSSL_NO_ECDH
26# include <openssl/ec.h>
27#endif
f2de3a33 28#ifndef DISABLE_OCSP
e51c7be2 29# include <openssl/ocsp.h>
3f7eeb86 30#endif
85098ee7
JH		 31#ifdef EXPERIMENTAL_DANE
32# include <danessl.h>
33#endif
34
3f7eeb86 35
f2de3a33
JH		 36#ifndef DISABLE_OCSP
37# define EXIM_OCSP_SKEW_SECONDS (300L)
38# define EXIM_OCSP_MAX_AGE (-1L)
3f7eeb86 39#endif
059ec3d9 40
3bcbbbe2 41#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
e51c7be2 42# define EXIM_HAVE_OPENSSL_TLSEXT
3bcbbbe2 43#endif
c8dfb21d
JH		 44#if OPENSSL_VERSION_NUMBER >= 0x00908000L
45# define EXIM_HAVE_RSA_GENKEY_EX
46#endif
47#if OPENSSL_VERSION_NUMBER >= 0x10100000L
48# define EXIM_HAVE_OCSP_RESP_COUNT
49#else
50# define EXIM_HAVE_EPHEM_RSA_KEX
51# define EXIM_HAVE_RAND_PSEUDO
52#endif
53#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
54# define EXIM_HAVE_SHA256
55#endif
34e3241d
PP		 56
57/*
58 * X509_check_host provides sane certificate hostname checking, but was added
59 * to OpenSSL late, after other projects forked off the code-base. So in
60 * addition to guarding against the base version number, beware that LibreSSL
61 * does not (at this time) support this function.
62 *
63 * If LibreSSL gains a different API, perhaps via libtls, then we'll probably
64 * opt to disentangle and ask a LibreSSL user to provide glue for a third
65 * crypto provider for libtls instead of continuing to tie the OpenSSL glue
66 * into even twistier knots. If LibreSSL gains the same API, we can just
67 * change this guard and punt the issue for a while longer.
68 */
69#ifndef LIBRESSL_VERSION_NUMBER
70# if OPENSSL_VERSION_NUMBER >= 0x010100000L
71# define EXIM_HAVE_OPENSSL_CHECKHOST
8420742d 72# define EXIM_HAVE_OPENSSL_DH_BITS
34e3241d
PP		 73# endif
74# if OPENSSL_VERSION_NUMBER >= 0x010000000L \
2dfb468b 75 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
34e3241d
PP		 76# define EXIM_HAVE_OPENSSL_CHECKHOST
77# endif
11aa88b0 78#endif
10ca4f1c 79
11aa88b0
RA		 80#if !defined(LIBRESSL_VERSION_NUMBER) \
81 || LIBRESSL_VERSION_NUMBER >= 0x20010000L
10ca4f1c
JH		 82# if !defined(OPENSSL_NO_ECDH)
83# if OPENSSL_VERSION_NUMBER >= 0x0090800fL
84# define EXIM_HAVE_ECDH
85# endif
86# if OPENSSL_VERSION_NUMBER >= 0x10002000L
10ca4f1c
JH		 87# define EXIM_HAVE_OPENSSL_EC_NIST2NID
88# endif
89# endif
2dfb468b 90#endif
3bcbbbe2 91
67791ce4
JH		 92#if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
93# warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
94# define DISABLE_OCSP
95#endif
96
059ec3d9
PH		 97/* Structure for collecting random data for seeding. */
98
99typedef struct randstuff {
9e3331ea
TK		 100 struct timeval tv;
101 pid_t p;
059ec3d9
PH		 102} randstuff;
103
104/* Local static variables */
105
a2ff477a
JH		 106static BOOL client_verify_callback_called = FALSE;
107static BOOL server_verify_callback_called = FALSE;
059ec3d9
PH		 108static const uschar *sid_ctx = US"exim";
109
d4f09789
PP		 110/* We have three different contexts to care about.
111
112Simple case: client, `client_ctx`
113 As a client, we can be doing a callout or cut-through delivery while receiving
114 a message. So we have a client context, which should have options initialised
115 from the SMTP Transport.
116
117Server:
118 There are two cases: with and without ServerNameIndication from the client.
119 Given TLS SNI, we can be using different keys, certs and various other
120 configuration settings, because they're re-expanded with $tls_sni set. This
121 allows vhosting with TLS. This SNI is sent in the handshake.
122 A client might not send SNI, so we need a fallback, and an initial setup too.
123 So as a server, we start out using `server_ctx`.
124 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
125 `server_sni` from `server_ctx` and then initialise settings by re-expanding
126 configuration.
127*/
128
817d9f57
JH		 129static SSL_CTX *client_ctx = NULL;
130static SSL_CTX *server_ctx = NULL;
131static SSL *client_ssl = NULL;
132static SSL *server_ssl = NULL;
389ca47a 133
35731706 134#ifdef EXIM_HAVE_OPENSSL_TLSEXT
817d9f57 135static SSL_CTX *server_sni = NULL;
35731706 136#endif
059ec3d9
PH		 137
138static char ssl_errstring[256];
139
140static int ssl_session_timeout = 200;
a2ff477a
JH		 141static BOOL client_verify_optional = FALSE;
142static BOOL server_verify_optional = FALSE;
059ec3d9 143
f5d78688 144static BOOL reexpand_tls_files_for_sni = FALSE;
059ec3d9
PH		 145
146
7be682ca
PP		 147typedef struct tls_ext_ctx_cb {
148 uschar *certificate;
149 uschar *privatekey;
f2de3a33 150#ifndef DISABLE_OCSP
f5d78688 151 BOOL is_server;
c3033f13 152 STACK_OF(X509) *verify_stack; /* chain for verifying the proof */
f5d78688
JH		 153 union {
154 struct {
155 uschar *file;
156 uschar *file_expanded;
157 OCSP_RESPONSE *response;
158 } server;
159 struct {
44662487
JH		 160 X509_STORE *verify_store; /* non-null if status requested */
161 BOOL verify_required;
f5d78688
JH		 162 } client;
163 } u_ocsp;
3f7eeb86 164#endif
7be682ca
PP		 165 uschar *dhparam;
166 /* these are cached from first expand */
167 uschar *server_cipher_list;
168 /* only passed down to tls_error: */
169 host_item *host;
55414b25 170 const uschar * verify_cert_hostnames;
0cbf2b82 171#ifndef DISABLE_EVENT
a7538db1
JH		 172 uschar * event_action;
173#endif
7be682ca
PP		 174} tls_ext_ctx_cb;
175
176/* should figure out a cleanup of API to handle state preserved per
177implementation, for various reasons, which can be void * in the APIs.
178For now, we hack around it. */
817d9f57
JH		 179tls_ext_ctx_cb *client_static_cbinfo = NULL;
180tls_ext_ctx_cb *server_static_cbinfo = NULL;
7be682ca
PP		 181
182static int
983207c1 183setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
cf0c6164 184 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr );
059ec3d9 185
3f7eeb86 186/* Callbacks */
3bcbbbe2 187#ifdef EXIM_HAVE_OPENSSL_TLSEXT
3f7eeb86 188static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
3bcbbbe2 189#endif
f2de3a33 190#ifndef DISABLE_OCSP
f5d78688 191static int tls_server_stapling_cb(SSL *s, void *arg);
3f7eeb86
PP		 192#endif
193
059ec3d9
PH		 194
195/*************************************************
196* Handle TLS error *
197*************************************************/
198
199/* Called from lots of places when errors occur before actually starting to do
200the TLS handshake, that is, while the session is still in clear. Always returns
201DEFER for a server and FAIL for a client so that most calls can use "return
202tls_error(...)" to do this processing and then give an appropriate return. A
203single function is used for both server and client, because it is called from
204some shared functions.
205
206Argument:
207 prefix text to include in the logged error
208 host NULL if setting up a server;
209 the connected host if setting up a client
7199e1ee 210 msg error message or NULL if we should ask OpenSSL
cf0c6164 211 errstr pointer to output error message
059ec3d9
PH		 212
213Returns: OK/DEFER/FAIL
214*/
215
216static int
cf0c6164 217tls_error(uschar * prefix, const host_item * host, uschar * msg, uschar ** errstr)
059ec3d9 218{
c562fd30 219if (!msg)
7199e1ee
TF		 220 {
221 ERR_error_string(ERR_get_error(), ssl_errstring);
cf0c6164 222 msg = US ssl_errstring;
7199e1ee
TF		 223 }
224
cf0c6164
JH		 225if (errstr) *errstr = string_sprintf("(%s): %s", prefix, msg);
226return host ? FAIL : DEFER;
059ec3d9
PH		 227}
228
229
230
c8dfb21d 231#ifdef EXIM_HAVE_EPHEM_RSA_KEX
059ec3d9
PH		 232/*************************************************
233* Callback to generate RSA key *
234*************************************************/
235
236/*
237Arguments:
238 s SSL connection
239 export not used
240 keylength keylength
241
242Returns: pointer to generated key
243*/
244
245static RSA *
246rsa_callback(SSL *s, int export, int keylength)
247{
248RSA *rsa_key;
c8dfb21d
JH		 249#ifdef EXIM_HAVE_RSA_GENKEY_EX
250BIGNUM *bn = BN_new();
251#endif
252
059ec3d9
PH		 253export = export; /* Shut picky compilers up */
254DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
c8dfb21d
JH		 255
256#ifdef EXIM_HAVE_RSA_GENKEY_EX
257if ( !BN_set_word(bn, (unsigned long)RSA_F4)
f2cb6292 258 || !(rsa_key = RSA_new())
c8dfb21d
JH		 259 || !RSA_generate_key_ex(rsa_key, keylength, bn, NULL)
260 )
261#else
23bb6982 262if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL)))
c8dfb21d
JH		 263#endif
264
059ec3d9
PH		 265 {
266 ERR_error_string(ERR_get_error(), ssl_errstring);
267 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
268 ssl_errstring);
269 return NULL;
270 }
271return rsa_key;
272}
c8dfb21d 273#endif
059ec3d9
PH		 274
275
276
f5d78688 277/* Extreme debug
f2de3a33 278#ifndef DISABLE_OCSP
f5d78688
JH		 279void
280x509_store_dump_cert_s_names(X509_STORE * store)
281{
282STACK_OF(X509_OBJECT) * roots= store->objs;
283int i;
284static uschar name[256];
285
286for(i= 0; i<sk_X509_OBJECT_num(roots); i++)
287 {
288 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
289 if(tmp_obj->type == X509_LU_X509)
290 {
291 X509 * current_cert= tmp_obj->data.x509;
292 X509_NAME_oneline(X509_get_subject_name(current_cert), CS name, sizeof(name));
f69979cf 293 name[sizeof(name)-1] = '\0';
f5d78688
JH		 294 debug_printf(" %s\n", name);
295 }
296 }
297}
298#endif
299*/
300
059ec3d9 301
0cbf2b82 302#ifndef DISABLE_EVENT
f69979cf
JH		 303static int
304verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
305 BOOL *calledp, const BOOL *optionalp, const uschar * what)
306{
307uschar * ev;
308uschar * yield;
309X509 * old_cert;
310
311ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
312if (ev)
313 {
aaba7d03 314 DEBUG(D_tls) debug_printf("verify_event: %s %d\n", what, depth);
f69979cf
JH		 315 old_cert = tlsp->peercert;
316 tlsp->peercert = X509_dup(cert);
317 /* NB we do not bother setting peerdn */
318 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
319 {
320 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
321 "depth=%d cert=%s: %s",
322 tlsp == &tls_out ? deliver_host_address : sender_host_address,
323 what, depth, dn, yield);
324 *calledp = TRUE;
325 if (!*optionalp)
326 {
327 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
328 return 1; /* reject (leaving peercert set) */
329 }
330 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
331 "(host in tls_try_verify_hosts)\n");
332 }
333 X509_free(tlsp->peercert);
334 tlsp->peercert = old_cert;
335 }
336return 0;
337}
338#endif
339
059ec3d9
PH		 340/*************************************************
341* Callback for verification *
342*************************************************/
343
344/* The SSL library does certificate verification if set up to do so. This
345callback has the current yes/no state is in "state". If verification succeeded,
f69979cf
JH		 346we set the certificate-verified flag. If verification failed, what happens
347depends on whether the client is required to present a verifiable certificate
348or not.
059ec3d9
PH		 349
350If verification is optional, we change the state to yes, but still log the
351verification error. For some reason (it really would help to have proper
352documentation of OpenSSL), this callback function then gets called again, this
f69979cf
JH		 353time with state = 1. We must take care not to set the private verified flag on
354the second time through.
059ec3d9
PH		 355
356Note: this function is not called if the client fails to present a certificate
357when asked. We get here only if a certificate has been received. Handling of
358optional verification for this case is done when requesting SSL to verify, by
359setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
360
a7538db1
JH		 361May be called multiple times for different issues with a certificate, even
362for a given "depth" in the certificate chain.
363
059ec3d9 364Arguments:
f2f2c91b
JH		 365 preverify_ok current yes/no state as 1/0
366 x509ctx certificate information.
367 tlsp per-direction (client vs. server) support data
368 calledp has-been-called flag
369 optionalp verification-is-optional flag
059ec3d9 370
f2f2c91b 371Returns: 0 if verification should fail, otherwise 1
059ec3d9
PH		 372*/
373
374static int
f2f2c91b 375verify_callback(int preverify_ok, X509_STORE_CTX *x509ctx,
421aff85 376 tls_support *tlsp, BOOL *calledp, BOOL *optionalp)
059ec3d9 377{
421aff85 378X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
a7538db1 379int depth = X509_STORE_CTX_get_error_depth(x509ctx);
f69979cf 380uschar dn[256];
059ec3d9 381
f69979cf
JH		 382X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn));
383dn[sizeof(dn)-1] = '\0';
059ec3d9 384
f2f2c91b 385if (preverify_ok == 0)
059ec3d9 386 {
f77197ae
JH		 387 uschar * extra = verify_mode ? string_sprintf(" (during %c-verify for [%s])",
388 *verify_mode, sender_host_address)
389 : US"";
390 log_write(0, LOG_MAIN, "[%s] SSL verify error%s: depth=%d error=%s cert=%s",
391 tlsp == &tls_out ? deliver_host_address : sender_host_address,
392 extra, depth,
393 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)), dn);
a2ff477a 394 *calledp = TRUE;
9d1c15ef
JH		 395 if (!*optionalp)
396 {
f69979cf
JH		 397 if (!tlsp->peercert)
398 tlsp->peercert = X509_dup(cert); /* record failing cert */
399 return 0; /* reject */
9d1c15ef 400 }
059ec3d9
PH		 401 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
402 "tls_try_verify_hosts)\n");
059ec3d9
PH		 403 }
404
a7538db1 405else if (depth != 0)
059ec3d9 406 {
f69979cf 407 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
f2de3a33 408#ifndef DISABLE_OCSP
f5d78688
JH		 409 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
410 { /* client, wanting stapling */
411 /* Add the server cert's signing chain as the one
412 for the verification of the OCSP stapled information. */
94431adb 413
f5d78688 414 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
421aff85 415 cert))
f5d78688 416 ERR_clear_error();
c3033f13 417 sk_X509_push(client_static_cbinfo->verify_stack, cert);
f5d78688 418 }
a7538db1 419#endif
0cbf2b82 420#ifndef DISABLE_EVENT
f69979cf
JH		 421 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
422 return 0; /* reject, with peercert set */
f5d78688 423#endif
059ec3d9
PH		 424 }
425else
426 {
55414b25 427 const uschar * verify_cert_hostnames;
e51c7be2 428
e51c7be2
JH		 429 if ( tlsp == &tls_out
430 && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
431 /* client, wanting hostname check */
e51c7be2 432 {
f69979cf 433
740f36d4 434#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
f69979cf
JH		 435# ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
436# define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
437# endif
438# ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
439# define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
440# endif
e51c7be2 441 int sep = 0;
55414b25 442 const uschar * list = verify_cert_hostnames;
e51c7be2 443 uschar * name;
d8e7834a
JH		 444 int rc;
445 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
f40d5be3 446 if ((rc = X509_check_host(cert, CCS name, 0,
8d692470 447 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
740f36d4
JH		 448 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
449 NULL)))
d8e7834a
JH		 450 {
451 if (rc < 0)
452 {
93a6fce2 453 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
f77197ae 454 tlsp == &tls_out ? deliver_host_address : sender_host_address);
d8e7834a
JH		 455 name = NULL;
456 }
e51c7be2 457 break;
d8e7834a 458 }
e51c7be2 459 if (!name)
f69979cf 460#else
e51c7be2 461 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
f69979cf 462#endif
e51c7be2 463 {
f77197ae
JH		 464 uschar * extra = verify_mode
465 ? string_sprintf(" (during %c-verify for [%s])",
466 *verify_mode, sender_host_address)
467 : US"";
e51c7be2 468 log_write(0, LOG_MAIN,
f77197ae
JH		 469 "[%s] SSL verify error%s: certificate name mismatch: DN=\"%s\" H=\"%s\"",
470 tlsp == &tls_out ? deliver_host_address : sender_host_address,
471 extra, dn, verify_cert_hostnames);
a3ef7310
JH		 472 *calledp = TRUE;
473 if (!*optionalp)
f69979cf
JH		 474 {
475 if (!tlsp->peercert)
476 tlsp->peercert = X509_dup(cert); /* record failing cert */
477 return 0; /* reject */
478 }
a3ef7310
JH		 479 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
480 "tls_try_verify_hosts)\n");
e51c7be2 481 }
f69979cf 482 }
e51c7be2 483
0cbf2b82 484#ifndef DISABLE_EVENT
f69979cf
JH		 485 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
486 return 0; /* reject, with peercert set */
e51c7be2
JH		 487#endif
488
93dcb1c2 489 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
f69979cf 490 *calledp ? "" : " authenticated", dn);
93dcb1c2
JH		 491 if (!*calledp) tlsp->certificate_verified = TRUE;
492 *calledp = TRUE;
059ec3d9
PH		 493 }
494
a7538db1 495return 1; /* accept, at least for this level */
059ec3d9
PH		 496}
497
a2ff477a 498static int
f2f2c91b 499verify_callback_client(int preverify_ok, X509_STORE_CTX *x509ctx)
a2ff477a 500{
f2f2c91b
JH		 501return verify_callback(preverify_ok, x509ctx, &tls_out,
502 &client_verify_callback_called, &client_verify_optional);
a2ff477a
JH		 503}
504
505static int
f2f2c91b 506verify_callback_server(int preverify_ok, X509_STORE_CTX *x509ctx)
a2ff477a 507{
f2f2c91b
JH		 508return verify_callback(preverify_ok, x509ctx, &tls_in,
509 &server_verify_callback_called, &server_verify_optional);
a2ff477a
JH		 510}
511
059ec3d9 512
e5cccda9 513#ifdef EXPERIMENTAL_DANE
53a7196b 514
e5cccda9
JH		 515/* This gets called *by* the dane library verify callback, which interposes
516itself.
517*/
518static int
f2f2c91b 519verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
e5cccda9
JH		 520{
521X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
f69979cf 522uschar dn[256];
83b27293 523int depth = X509_STORE_CTX_get_error_depth(x509ctx);
5c75db2e 524#ifndef DISABLE_EVENT
f69979cf 525BOOL dummy_called, optional = FALSE;
83b27293 526#endif
e5cccda9 527
f69979cf
JH		 528X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn));
529dn[sizeof(dn)-1] = '\0';
e5cccda9 530
f2f2c91b
JH		 531DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
532 preverify_ok ? "ok":"BAD", depth, dn);
e5cccda9 533
0cbf2b82 534#ifndef DISABLE_EVENT
f69979cf
JH		 535 if (verify_event(&tls_out, cert, depth, dn,
536 &dummy_called, &optional, US"DANE"))
537 return 0; /* reject, with peercert set */
83b27293
JH		 538#endif
539
f2f2c91b 540if (preverify_ok == 1)
53a7196b 541 tls_out.dane_verified =
e5cccda9 542 tls_out.certificate_verified = TRUE;
f2f2c91b
JH		 543else
544 {
545 int err = X509_STORE_CTX_get_error(x509ctx);
546 DEBUG(D_tls)
547 debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
3c51463e 548 if (err == X509_V_ERR_APPLICATION_VERIFICATION)
f2f2c91b
JH		 549 preverify_ok = 1;
550 }
551return preverify_ok;
e5cccda9 552}
53a7196b
JH		 553
554#endif /*EXPERIMENTAL_DANE*/
e5cccda9 555
059ec3d9
PH		 556
557/*************************************************
558* Information callback *
559*************************************************/
560
561/* The SSL library functions call this from time to time to indicate what they
7be682ca
PP		 562are doing. We copy the string to the debugging output when TLS debugging has
563been requested.
059ec3d9
PH		 564
565Arguments:
566 s the SSL connection
567 where
568 ret
569
570Returns: nothing
571*/
572
573static void
574info_callback(SSL *s, int where, int ret)
575{
576where = where;
577ret = ret;
578DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
579}
580
581
582
583/*************************************************
584* Initialize for DH *
585*************************************************/
586
587/* If dhparam is set, expand it, and load up the parameters for DH encryption.
588
589Arguments:
038597d2 590 sctx The current SSL CTX (inbound or outbound)
a799883d 591 dhparam DH parameter file or fixed parameter identity string
7199e1ee 592 host connected host, if client; NULL if server
cf0c6164 593 errstr error string pointer
059ec3d9
PH		 594
595Returns: TRUE if OK (nothing to set up, or setup worked)
596*/
597
598static BOOL
cf0c6164 599init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host, uschar ** errstr)
059ec3d9 600{
059ec3d9
PH		 601BIO *bio;
602DH *dh;
603uschar *dhexpanded;
a799883d 604const char *pem;
6600985a 605int dh_bitsize;
059ec3d9 606
cf0c6164 607if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded, errstr))
059ec3d9
PH		 608 return FALSE;
609
0df4ab80 610if (!dhexpanded || !*dhexpanded)
a799883d 611 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
a799883d 612else if (dhexpanded[0] == '/')
059ec3d9 613 {
0df4ab80 614 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
059ec3d9 615 {
7199e1ee 616 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
cf0c6164 617 host, US strerror(errno), errstr);
a799883d 618 return FALSE;
059ec3d9 619 }
a799883d
PP		 620 }
621else
622 {
623 if (Ustrcmp(dhexpanded, "none") == 0)
059ec3d9 624 {
a799883d
PP		 625 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
626 return TRUE;
059ec3d9 627 }
a799883d 628
0df4ab80 629 if (!(pem = std_dh_prime_named(dhexpanded)))
a799883d
PP		 630 {
631 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
cf0c6164 632 host, US strerror(errno), errstr);
a799883d
PP		 633 return FALSE;
634 }
635 bio = BIO_new_mem_buf(CS pem, -1);
636 }
637
0df4ab80 638if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
a799883d 639 {
059ec3d9 640 BIO_free(bio);
a799883d 641 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
cf0c6164 642 host, NULL, errstr);
a799883d
PP		 643 return FALSE;
644 }
645
6600985a
PP		 646/* note: our default limit of 2236 is not a multiple of 8; the limit comes from
647 * an NSS limit, and the GnuTLS APIs handle bit-sizes fine, so we went with
648 * 2236. But older OpenSSL can only report in bytes (octets), not bits.
649 * If someone wants to dance at the edge, then they can raise the limit or use
650 * current libraries. */
651#ifdef EXIM_HAVE_OPENSSL_DH_BITS
652/* Added in commit 26c79d5641d; `git describe --contains` says OpenSSL_1_1_0-pre1~1022
653 * This predates OpenSSL_1_1_0 (before a, b, ...) so is in all 1.1.0 */
654dh_bitsize = DH_bits(dh);
655#else
656dh_bitsize = 8 * DH_size(dh);
657#endif
658
a799883d
PP		 659/* Even if it is larger, we silently return success rather than cause things
660 * to fail out, so that a too-large DH will not knock out all TLS; it's a
661 * debatable choice. */
6600985a 662if (dh_bitsize > tls_dh_max_bits)
a799883d
PP		 663 {
664 DEBUG(D_tls)
170f4904 665 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d\n",
6600985a 666 dh_bitsize, tls_dh_max_bits);
a799883d
PP		 667 }
668else
669 {
670 SSL_CTX_set_tmp_dh(sctx, dh);
671 DEBUG(D_tls)
672 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
6600985a 673 dhexpanded ? dhexpanded : US"default", dh_bitsize);
059ec3d9
PH		 674 }
675
a799883d
PP		 676DH_free(dh);
677BIO_free(bio);
678
679return TRUE;
059ec3d9
PH		 680}
681
682
683
684
038597d2
PP		 685/*************************************************
686* Initialize for ECDH *
687*************************************************/
688
689/* Load parameters for ECDH encryption.
690
691For now, we stick to NIST P-256 because: it's simple and easy to configure;
692it avoids any patent issues that might bite redistributors; despite events in
693the news and concerns over curve choices, we're not cryptographers, we're not
694pretending to be, and this is "good enough" to be better than no support,
695protecting against most adversaries. Given another year or two, there might
696be sufficient clarity about a "right" way forward to let us make an informed
697decision, instead of a knee-jerk reaction.
698
699Longer-term, we should look at supporting both various named curves and
700external files generated with "openssl ecparam", much as we do for init_dh().
701We should also support "none" as a value, to explicitly avoid initialisation.
702
703Patches welcome.
704
705Arguments:
706 sctx The current SSL CTX (inbound or outbound)
707 host connected host, if client; NULL if server
cf0c6164 708 errstr error string pointer
038597d2
PP		 709
710Returns: TRUE if OK (nothing to set up, or setup worked)
711*/
712
713static BOOL
cf0c6164 714init_ecdh(SSL_CTX * sctx, host_item * host, uschar ** errstr)
038597d2 715{
63f0dbe0
JH		 716#ifdef OPENSSL_NO_ECDH
717return TRUE;
718#else
719
10ca4f1c
JH		 720EC_KEY * ecdh;
721uschar * exp_curve;
722int nid;
723BOOL rv;
724
038597d2
PP		 725if (host) /* No ECDH setup for clients, only for servers */
726 return TRUE;
727
10ca4f1c 728# ifndef EXIM_HAVE_ECDH
038597d2
PP		 729DEBUG(D_tls)
730 debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
731return TRUE;
038597d2 732# else
10ca4f1c 733
cf0c6164 734if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr))
10ca4f1c
JH		 735 return FALSE;
736if (!exp_curve || !*exp_curve)
737 return TRUE;
738
8e53a4fc 739/* "auto" needs to be handled carefully.
4c04137d 740 * OpenSSL < 1.0.2: we do not select anything, but fallback to prime256v1
8e53a4fc 741 * OpenSSL < 1.1.0: we have to call SSL_CTX_set_ecdh_auto
4c04137d 742 * (openssl/ssl.h defines SSL_CTRL_SET_ECDH_AUTO)
8e53a4fc
HSHR		 743 * OpenSSL >= 1.1.0: we do not set anything, the libray does autoselection
744 * https://github.com/openssl/openssl/commit/fe6ef2472db933f01b59cad82aa925736935984b
745 */
10ca4f1c 746if (Ustrcmp(exp_curve, "auto") == 0)
038597d2 747 {
8e53a4fc 748#if OPENSSL_VERSION_NUMBER < 0x10002000L
10ca4f1c 749 DEBUG(D_tls) debug_printf(
8e53a4fc 750 "ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n");
78a3bbd5 751 exp_curve = US"prime256v1";
8e53a4fc
HSHR		 752#else
753# if defined SSL_CTRL_SET_ECDH_AUTO
754 DEBUG(D_tls) debug_printf(
755 "ECDH OpenSSL 1.0.2+ temp key parameter settings: autoselection\n");
10ca4f1c
JH		 756 SSL_CTX_set_ecdh_auto(sctx, 1);
757 return TRUE;
8e53a4fc
HSHR		 758# else
759 DEBUG(D_tls) debug_printf(
760 "ECDH OpenSSL 1.1.0+ temp key parameter settings: default selection\n");
761 return TRUE;
762# endif
763#endif
10ca4f1c 764 }
038597d2 765
10ca4f1c
JH		 766DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve);
767if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef
768# ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
769 && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef
770# endif
771 )
772 {
cf0c6164
JH		 773 tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve),
774 host, NULL, errstr);
10ca4f1c
JH		 775 return FALSE;
776 }
038597d2 777
10ca4f1c
JH		 778if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
779 {
cf0c6164 780 tls_error(US"Unable to create ec curve", host, NULL, errstr);
10ca4f1c 781 return FALSE;
038597d2 782 }
10ca4f1c
JH		 783
784/* The "tmp" in the name here refers to setting a temporary key
785not to the stability of the interface. */
786
787if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
cf0c6164 788 tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL, errstr);
10ca4f1c
JH		 789else
790 DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
791
792EC_KEY_free(ecdh);
793return !rv;
794
795# endif /*EXIM_HAVE_ECDH*/
796#endif /*OPENSSL_NO_ECDH*/
038597d2
PP		 797}
798
799
800
801
f2de3a33 802#ifndef DISABLE_OCSP
3f7eeb86
PP		 803/*************************************************
804* Load OCSP information into state *
805*************************************************/
f5d78688 806/* Called to load the server OCSP response from the given file into memory, once
3f7eeb86
PP		 807caller has determined this is needed. Checks validity. Debugs a message
808if invalid.
809
810ASSUMES: single response, for single cert.
811
812Arguments:
813 sctx the SSL_CTX* to update
814 cbinfo various parts of session state
815 expanded the filename putatively holding an OCSP response
816
817*/
818
819static void
f5d78688 820ocsp_load_response(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo, const uschar *expanded)
3f7eeb86 821{
ee5b1e28
JH		 822BIO * bio;
823OCSP_RESPONSE * resp;
824OCSP_BASICRESP * basic_response;
825OCSP_SINGLERESP * single_response;
826ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
ee5b1e28 827STACK_OF(X509) * sk;
3f7eeb86
PP		 828unsigned long verify_flags;
829int status, reason, i;
830
f5d78688
JH		 831cbinfo->u_ocsp.server.file_expanded = string_copy(expanded);
832if (cbinfo->u_ocsp.server.response)
3f7eeb86 833 {
f5d78688
JH		 834 OCSP_RESPONSE_free(cbinfo->u_ocsp.server.response);
835 cbinfo->u_ocsp.server.response = NULL;
3f7eeb86
PP		 836 }
837
ee5b1e28 838if (!(bio = BIO_new_file(CS cbinfo->u_ocsp.server.file_expanded, "rb")))
3f7eeb86
PP		 839 {
840 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
f5d78688 841 cbinfo->u_ocsp.server.file_expanded);
3f7eeb86
PP		 842 return;
843 }
844
845resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
846BIO_free(bio);
847if (!resp)
848 {
849 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
850 return;
851 }
852
ee5b1e28 853if ((status = OCSP_response_status(resp)) != OCSP_RESPONSE_STATUS_SUCCESSFUL)
3f7eeb86
PP		 854 {
855 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
856 OCSP_response_status_str(status), status);
f5d78688 857 goto bad;
3f7eeb86
PP		 858 }
859
ee5b1e28 860if (!(basic_response = OCSP_response_get1_basic(resp)))
3f7eeb86
PP		 861 {
862 DEBUG(D_tls)
863 debug_printf("OCSP response parse error: unable to extract basic response.\n");
f5d78688 864 goto bad;
3f7eeb86
PP		 865 }
866
c3033f13 867sk = cbinfo->verify_stack;
3f7eeb86
PP		 868verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
869
870/* May need to expose ability to adjust those flags?
871OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
872OCSP_TRUSTOTHER OCSP_NOINTERN */
873
4c04137d 874/* This does a full verify on the OCSP proof before we load it for serving
ee5b1e28
JH		 875up; possibly overkill - just date-checks might be nice enough.
876
877OCSP_basic_verify takes a "store" arg, but does not
878use it for the chain verification, which is all we do
879when OCSP_NOVERIFY is set. The content from the wire
880"basic_response" and a cert-stack "sk" are all that is used.
881
c3033f13
JH		 882We have a stack, loaded in setup_certs() if tls_verify_certificates
883was a file (not a directory, or "system"). It is unfortunate we
884cannot used the connection context store, as that would neatly
885handle the "system" case too, but there seems to be no library
886function for getting a stack from a store.
e3555426 887[ In OpenSSL 1.1 - ? X509_STORE_CTX_get0_chain(ctx) ? ]
c3033f13
JH		 888We do not free the stack since it could be needed a second time for
889SNI handling.
890
4c04137d 891Separately we might try to replace using OCSP_basic_verify() - which seems to not
ee5b1e28
JH		 892be a public interface into the OpenSSL library (there's no manual entry) -
893But what with? We also use OCSP_basic_verify in the client stapling callback.
4c04137d 894And there we NEED it; we must verify that status... unless the
ee5b1e28
JH		 895library does it for us anyway? */
896
897if ((i = OCSP_basic_verify(basic_response, sk, NULL, verify_flags)) < 0)
3f7eeb86 898 {
ee5b1e28
JH		 899 DEBUG(D_tls)
900 {
3f7eeb86
PP		 901 ERR_error_string(ERR_get_error(), ssl_errstring);
902 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
f5d78688
JH		 903 }
904 goto bad;
3f7eeb86
PP		 905 }
906
907/* Here's the simplifying assumption: there's only one response, for the
908one certificate we use, and nothing for anything else in a chain. If this
909proves false, we need to extract a cert id from our issued cert
910(tls_certificate) and use that for OCSP_resp_find_status() (which finds the
911right cert in the stack and then calls OCSP_single_get0_status()).
912
913I'm hoping to avoid reworking a bunch more of how we handle state here. */
ee5b1e28
JH		 914
915if (!(single_response = OCSP_resp_get0(basic_response, 0)))
3f7eeb86
PP		 916 {
917 DEBUG(D_tls)
918 debug_printf("Unable to get first response from OCSP basic response.\n");
f5d78688 919 goto bad;
3f7eeb86
PP		 920 }
921
922status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
f5d78688 923if (status != V_OCSP_CERTSTATUS_GOOD)
3f7eeb86 924 {
f5d78688
JH		 925 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
926 OCSP_cert_status_str(status), status,
927 OCSP_crl_reason_str(reason), reason);
928 goto bad;
3f7eeb86
PP		 929 }
930
931if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
932 {
933 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
f5d78688 934 goto bad;
3f7eeb86
PP		 935 }
936
f5d78688 937supply_response:
018058b2 938 cbinfo->u_ocsp.server.response = resp;
f5d78688
JH		 939return;
940
941bad:
018058b2
JH		 942 if (running_in_test_harness)
943 {
944 extern char ** environ;
945 uschar ** p;
bc3c7bb7 946 if (environ) for (p = USS environ; *p != NULL; p++)
018058b2
JH		 947 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
948 {
949 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
950 goto supply_response;
951 }
952 }
f5d78688 953return;
3f7eeb86 954}
f2de3a33 955#endif /*!DISABLE_OCSP*/
3f7eeb86
PP		 956
957
958
959
23bb6982
JH		 960/* Create and install a selfsigned certificate, for use in server mode */
961
962static int
cf0c6164 963tls_install_selfsign(SSL_CTX * sctx, uschar ** errstr)
23bb6982
JH		 964{
965X509 * x509 = NULL;
966EVP_PKEY * pkey;
967RSA * rsa;
968X509_NAME * name;
969uschar * where;
970
971where = US"allocating pkey";
972if (!(pkey = EVP_PKEY_new()))
973 goto err;
974
975where = US"allocating cert";
976if (!(x509 = X509_new()))
977 goto err;
978
979where = US"generating pkey";
980 /* deprecated, use RSA_generate_key_ex() */
981if (!(rsa = RSA_generate_key(1024, RSA_F4, NULL, NULL)))
982 goto err;
983
4c04137d 984where = US"assigning pkey";
23bb6982
JH		 985if (!EVP_PKEY_assign_RSA(pkey, rsa))
986 goto err;
987
988X509_set_version(x509, 2); /* N+1 - version 3 */
989ASN1_INTEGER_set(X509_get_serialNumber(x509), 0);
990X509_gmtime_adj(X509_get_notBefore(x509), 0);
991X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60); /* 1 hour */
992X509_set_pubkey(x509, pkey);
993
994name = X509_get_subject_name(x509);
995X509_NAME_add_entry_by_txt(name, "C",
4dc2379a 996 MBSTRING_ASC, CUS "UK", -1, -1, 0);
23bb6982 997X509_NAME_add_entry_by_txt(name, "O",
4dc2379a 998 MBSTRING_ASC, CUS "Exim Developers", -1, -1, 0);
23bb6982 999X509_NAME_add_entry_by_txt(name, "CN",
4dc2379a 1000 MBSTRING_ASC, CUS smtp_active_hostname, -1, -1, 0);
23bb6982
JH		 1001X509_set_issuer_name(x509, name);
1002
1003where = US"signing cert";
1004if (!X509_sign(x509, pkey, EVP_md5()))
1005 goto err;
1006
1007where = US"installing selfsign cert";
1008if (!SSL_CTX_use_certificate(sctx, x509))
1009 goto err;
1010
1011where = US"installing selfsign key";
1012if (!SSL_CTX_use_PrivateKey(sctx, pkey))
1013 goto err;
1014
1015return OK;
1016
1017err:
cf0c6164 1018 (void) tls_error(where, NULL, NULL, errstr);
23bb6982
JH		 1019 if (x509) X509_free(x509);
1020 if (pkey) EVP_PKEY_free(pkey);
1021 return DEFER;
1022}
1023
1024
1025
1026
7be682ca
PP		 1027/*************************************************
1028* Expand key and cert file specs *
1029*************************************************/
1030
f5d78688 1031/* Called once during tls_init and possibly again during TLS setup, for a
7be682ca
PP		 1032new context, if Server Name Indication was used and tls_sni was seen in
1033the certificate string.
1034
1035Arguments:
1036 sctx the SSL_CTX* to update
1037 cbinfo various parts of session state
cf0c6164 1038 errstr error string pointer
7be682ca
PP		 1039
1040Returns: OK/DEFER/FAIL
1041*/
1042
1043static int
cf0c6164
JH		 1044tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo,
1045 uschar ** errstr)
7be682ca
PP		 1046{
1047uschar *expanded;
1048
23bb6982 1049if (!cbinfo->certificate)
7be682ca 1050 {
23bb6982
JH		 1051 if (cbinfo->host) /* client */
1052 return OK;
1053 /* server */
cf0c6164 1054 if (tls_install_selfsign(sctx, errstr) != OK)
23bb6982 1055 return DEFER;
7be682ca 1056 }
23bb6982
JH		 1057else
1058 {
1059 if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
1060 Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
1061 Ustrstr(cbinfo->certificate, US"tls_out_sni")
1062 )
1063 reexpand_tls_files_for_sni = TRUE;
7be682ca 1064
cf0c6164 1065 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded, errstr))
23bb6982
JH		 1066 return DEFER;
1067
1068 if (expanded != NULL)
1069 {
1070 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded);
1071 if (!SSL_CTX_use_certificate_chain_file(sctx, CS expanded))
1072 return tls_error(string_sprintf(
1073 "SSL_CTX_use_certificate_chain_file file=%s", expanded),
cf0c6164 1074 cbinfo->host, NULL, errstr);
23bb6982 1075 }
7be682ca 1076
23bb6982 1077 if (cbinfo->privatekey != NULL &&
cf0c6164 1078 !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded, errstr))
23bb6982 1079 return DEFER;
7be682ca 1080
23bb6982
JH		 1081 /* If expansion was forced to fail, key_expanded will be NULL. If the result
1082 of the expansion is an empty string, ignore it also, and assume the private
1083 key is in the same file as the certificate. */
1084
1085 if (expanded && *expanded)
1086 {
1087 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
1088 if (!SSL_CTX_use_PrivateKey_file(sctx, CS expanded, SSL_FILETYPE_PEM))
1089 return tls_error(string_sprintf(
cf0c6164 1090 "SSL_CTX_use_PrivateKey_file file=%s", expanded), cbinfo->host, NULL, errstr);
23bb6982 1091 }
7be682ca
PP		 1092 }
1093
f2de3a33 1094#ifndef DISABLE_OCSP
f40d5be3 1095if (cbinfo->is_server && cbinfo->u_ocsp.server.file)
3f7eeb86 1096 {
cf0c6164 1097 if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded, errstr))
3f7eeb86
PP		 1098 return DEFER;
1099
f40d5be3 1100 if (expanded && *expanded)
3f7eeb86
PP		 1101 {
1102 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
f40d5be3
JH		 1103 if ( cbinfo->u_ocsp.server.file_expanded
1104 && (Ustrcmp(expanded, cbinfo->u_ocsp.server.file_expanded) == 0))
3f7eeb86 1105 {
f40d5be3
JH		 1106 DEBUG(D_tls) debug_printf(" - value unchanged, using existing values\n");
1107 }
1108 else
f40d5be3 1109 ocsp_load_response(sctx, cbinfo, expanded);
3f7eeb86
PP		 1110 }
1111 }
1112#endif
1113
7be682ca
PP		 1114return OK;
1115}
1116
1117
1118
1119
1120/*************************************************
1121* Callback to handle SNI *
1122*************************************************/
1123
1124/* Called when acting as server during the TLS session setup if a Server Name
1125Indication extension was sent by the client.
1126
1127API documentation is OpenSSL s_server.c implementation.
1128
1129Arguments:
1130 s SSL* of the current session
1131 ad unknown (part of OpenSSL API) (unused)
1132 arg Callback of "our" registered data
1133
1134Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
1135*/
1136
3bcbbbe2 1137#ifdef EXIM_HAVE_OPENSSL_TLSEXT
7be682ca
PP		 1138static int
1139tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
1140{
1141const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
3f7eeb86 1142tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
7be682ca 1143int rc;
3f0945ff 1144int old_pool = store_pool;
cf0c6164 1145uschar * dummy_errstr;
7be682ca
PP		 1146
1147if (!servername)
1148 return SSL_TLSEXT_ERR_OK;
1149
3f0945ff 1150DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
7be682ca
PP		 1151 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
1152
1153/* Make the extension value available for expansion */
3f0945ff 1154store_pool = POOL_PERM;
817d9f57 1155tls_in.sni = string_copy(US servername);
3f0945ff 1156store_pool = old_pool;
7be682ca
PP		 1157
1158if (!reexpand_tls_files_for_sni)
1159 return SSL_TLSEXT_ERR_OK;
1160
1161/* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
1162not confident that memcpy wouldn't break some internal reference counting.
1163Especially since there's a references struct member, which would be off. */
1164
0df4ab80 1165if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
7be682ca
PP		 1166 {
1167 ERR_error_string(ERR_get_error(), ssl_errstring);
1168 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
1169 return SSL_TLSEXT_ERR_NOACK;
1170 }
1171
1172/* Not sure how many of these are actually needed, since SSL object
1173already exists. Might even need this selfsame callback, for reneg? */
1174
817d9f57
JH		 1175SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
1176SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
1177SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
1178SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
1179SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
1180SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
038597d2 1181
cf0c6164
JH		 1182if ( !init_dh(server_sni, cbinfo->dhparam, NULL, &dummy_errstr)
1183 || !init_ecdh(server_sni, NULL, &dummy_errstr)
038597d2
PP		 1184 )
1185 return SSL_TLSEXT_ERR_NOACK;
1186
7be682ca 1187if (cbinfo->server_cipher_list)
817d9f57 1188 SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list);
f2de3a33 1189#ifndef DISABLE_OCSP
f5d78688 1190if (cbinfo->u_ocsp.server.file)
3f7eeb86 1191 {
f5d78688 1192 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
14c7b357 1193 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
3f7eeb86
PP		 1194 }
1195#endif
7be682ca 1196
c3033f13 1197if ((rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE,
cf0c6164 1198 verify_callback_server, &dummy_errstr)) != OK)
c3033f13 1199 return SSL_TLSEXT_ERR_NOACK;
7be682ca 1200
3f7eeb86
PP		 1201/* do this after setup_certs, because this can require the certs for verifying
1202OCSP information. */
cf0c6164 1203if ((rc = tls_expand_session_files(server_sni, cbinfo, &dummy_errstr)) != OK)
0df4ab80 1204 return SSL_TLSEXT_ERR_NOACK;
a799883d 1205
7be682ca 1206DEBUG(D_tls) debug_printf("Switching SSL context.\n");
817d9f57 1207SSL_set_SSL_CTX(s, server_sni);
7be682ca
PP		 1208
1209return SSL_TLSEXT_ERR_OK;
1210}
3bcbbbe2 1211#endif /* EXIM_HAVE_OPENSSL_TLSEXT */
7be682ca
PP		 1212
1213
1214
1215
f2de3a33 1216#ifndef DISABLE_OCSP
f5d78688 1217
3f7eeb86
PP		 1218/*************************************************
1219* Callback to handle OCSP Stapling *
1220*************************************************/
1221
1222/* Called when acting as server during the TLS session setup if the client
1223requests OCSP information with a Certificate Status Request.
1224
1225Documentation via openssl s_server.c and the Apache patch from the OpenSSL
1226project.
1227
1228*/
1229
1230static int
f5d78688 1231tls_server_stapling_cb(SSL *s, void *arg)
3f7eeb86
PP		 1232{
1233const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
1234uschar *response_der;
1235int response_der_len;
1236
af4a1bca 1237DEBUG(D_tls)
b3ef41c9 1238 debug_printf("Received TLS status request (OCSP stapling); %s response\n",
f5d78688
JH		 1239 cbinfo->u_ocsp.server.response ? "have" : "lack");
1240
44662487 1241tls_in.ocsp = OCSP_NOT_RESP;
f5d78688 1242if (!cbinfo->u_ocsp.server.response)
3f7eeb86
PP		 1243 return SSL_TLSEXT_ERR_NOACK;
1244
1245response_der = NULL;
44662487
JH		 1246response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response,
1247 &response_der);
3f7eeb86
PP		 1248if (response_der_len <= 0)
1249 return SSL_TLSEXT_ERR_NOACK;
1250
5e55c7a9 1251SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
44662487 1252tls_in.ocsp = OCSP_VFIED;
3f7eeb86
PP		 1253return SSL_TLSEXT_ERR_OK;
1254}
1255
3f7eeb86 1256
f5d78688
JH		 1257static void
1258time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
1259{
1260BIO_printf(bp, "\t%s: ", str);
1261ASN1_GENERALIZEDTIME_print(bp, time);
1262BIO_puts(bp, "\n");
1263}
1264
1265static int
1266tls_client_stapling_cb(SSL *s, void *arg)
1267{
1268tls_ext_ctx_cb * cbinfo = arg;
1269const unsigned char * p;
1270int len;
1271OCSP_RESPONSE * rsp;
1272OCSP_BASICRESP * bs;
1273int i;
1274
1275DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
1276len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1277if(!p)
1278 {
44662487 1279 /* Expect this when we requested ocsp but got none */
6c6d6e48 1280 if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
44662487 1281 log_write(0, LOG_MAIN, "Received TLS status callback, null content");
f5d78688
JH		 1282 else
1283 DEBUG(D_tls) debug_printf(" null\n");
44662487 1284 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
f5d78688 1285 }
018058b2 1286
f5d78688
JH		 1287if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
1288 {
018058b2 1289 tls_out.ocsp = OCSP_FAILED;
6c6d6e48 1290 if (LOGGING(tls_cipher))
1eca31ca 1291 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
f5d78688
JH		 1292 else
1293 DEBUG(D_tls) debug_printf(" parse error\n");
1294 return 0;
1295 }
1296
1297if(!(bs = OCSP_response_get1_basic(rsp)))
1298 {
018058b2 1299 tls_out.ocsp = OCSP_FAILED;
6c6d6e48 1300 if (LOGGING(tls_cipher))
1eca31ca 1301 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
f5d78688
JH		 1302 else
1303 DEBUG(D_tls) debug_printf(" error parsing response\n");
1304 OCSP_RESPONSE_free(rsp);
1305 return 0;
1306 }
1307
1308/* We'd check the nonce here if we'd put one in the request. */
1309/* However that would defeat cacheability on the server so we don't. */
1310
f5d78688
JH		 1311/* This section of code reworked from OpenSSL apps source;
1312 The OpenSSL Project retains copyright:
1313 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
1314*/
1315 {
1316 BIO * bp = NULL;
f5d78688
JH		 1317 int status, reason;
1318 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1319
1320 DEBUG(D_tls) bp = BIO_new_fp(stderr, BIO_NOCLOSE);
1321
1322 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
1323
1324 /* Use the chain that verified the server cert to verify the stapled info */
1325 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
1326
c3033f13 1327 if ((i = OCSP_basic_verify(bs, cbinfo->verify_stack,
44662487 1328 cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
f5d78688 1329 {
018058b2 1330 tls_out.ocsp = OCSP_FAILED;
6c6d6e48 1331 if (LOGGING(tls_cipher))
1eca31ca 1332 log_write(0, LOG_MAIN, "Received TLS cert status response, itself unverifiable");
f5d78688
JH		 1333 BIO_printf(bp, "OCSP response verify failure\n");
1334 ERR_print_errors(bp);
c8dfb21d 1335 goto failed;
f5d78688
JH		 1336 }
1337
1338 BIO_printf(bp, "OCSP response well-formed and signed OK\n");
1339
c8dfb21d
JH		 1340 /*XXX So we have a good stapled OCSP status. How do we know
1341 it is for the cert of interest? OpenSSL 1.1.0 has a routine
1342 OCSP_resp_find_status() which matches on a cert id, which presumably
1343 we should use. Making an id needs OCSP_cert_id_new(), which takes
1344 issuerName, issuerKey, serialNumber. Are they all in the cert?
1345
1346 For now, carry on blindly accepting the resp. */
1347
f5d78688 1348 {
f5d78688
JH		 1349 OCSP_SINGLERESP * single;
1350
c8dfb21d
JH		 1351#ifdef EXIM_HAVE_OCSP_RESP_COUNT
1352 if (OCSP_resp_count(bs) != 1)
1353#else
1354 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
f5d78688 1355 if (sk_OCSP_SINGLERESP_num(sresp) != 1)
c8dfb21d 1356#endif
f5d78688 1357 {
018058b2 1358 tls_out.ocsp = OCSP_FAILED;
44662487
JH		 1359 log_write(0, LOG_MAIN, "OCSP stapling "
1360 "with multiple responses not handled");
c8dfb21d 1361 goto failed;
f5d78688
JH		 1362 }
1363 single = OCSP_resp_get0(bs, 0);
44662487
JH		 1364 status = OCSP_single_get0_status(single, &reason, &rev,
1365 &thisupd, &nextupd);
f5d78688
JH		 1366 }
1367
f5d78688
JH		 1368 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
1369 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
44662487
JH		 1370 if (!OCSP_check_validity(thisupd, nextupd,
1371 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
f5d78688 1372 {
018058b2 1373 tls_out.ocsp = OCSP_FAILED;
f5d78688
JH		 1374 DEBUG(D_tls) ERR_print_errors(bp);
1375 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
f5d78688 1376 }
44662487 1377 else
f5d78688 1378 {
44662487
JH		 1379 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
1380 OCSP_cert_status_str(status));
1381 switch(status)
1382 {
1383 case V_OCSP_CERTSTATUS_GOOD:
44662487 1384 tls_out.ocsp = OCSP_VFIED;
018058b2 1385 i = 1;
c8dfb21d 1386 goto good;
44662487 1387 case V_OCSP_CERTSTATUS_REVOKED:
018058b2 1388 tls_out.ocsp = OCSP_FAILED;
44662487
JH		 1389 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
1390 reason != -1 ? "; reason: " : "",
1391 reason != -1 ? OCSP_crl_reason_str(reason) : "");
1392 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
44662487
JH		 1393 break;
1394 default:
018058b2 1395 tls_out.ocsp = OCSP_FAILED;
44662487
JH		 1396 log_write(0, LOG_MAIN,
1397 "Server certificate status unknown, in OCSP stapling");
44662487
JH		 1398 break;
1399 }
f5d78688 1400 }
c8dfb21d
JH		 1401 failed:
1402 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1403 good:
f5d78688
JH		 1404 BIO_free(bp);
1405 }
1406
1407OCSP_RESPONSE_free(rsp);
1408return i;
1409}
f2de3a33 1410#endif /*!DISABLE_OCSP*/
3f7eeb86
PP		 1411
1412
059ec3d9
PH		 1413/*************************************************
1414* Initialize for TLS *
1415*************************************************/
1416
e51c7be2
JH		 1417/* Called from both server and client code, to do preliminary initialization
1418of the library. We allocate and return a context structure.
059ec3d9
PH		 1419
1420Arguments:
946ecbe0 1421 ctxp returned SSL context
059ec3d9
PH		 1422 host connected host, if client; NULL if server
1423 dhparam DH parameter file
1424 certificate certificate file
1425 privatekey private key
f5d78688 1426 ocsp_file file of stapling info (server); flag for require ocsp (client)
059ec3d9 1427 addr address if client; NULL if server (for some randomness)
946ecbe0 1428 cbp place to put allocated callback context
cf0c6164 1429 errstr error string pointer
059ec3d9
PH		 1430
1431Returns: OK/DEFER/FAIL
1432*/
1433
1434static int
817d9f57 1435tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
3f7eeb86 1436 uschar *privatekey,
f2de3a33 1437#ifndef DISABLE_OCSP
3f7eeb86
PP		 1438 uschar *ocsp_file,
1439#endif
cf0c6164 1440 address_item *addr, tls_ext_ctx_cb ** cbp, uschar ** errstr)
059ec3d9 1441{
7006ee24 1442SSL_CTX * ctx;
77bb000f 1443long init_options;
7be682ca 1444int rc;
a7538db1 1445tls_ext_ctx_cb * cbinfo;
7be682ca
PP		 1446
1447cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
1448cbinfo->certificate = certificate;
1449cbinfo->privatekey = privatekey;
f2de3a33 1450#ifndef DISABLE_OCSP
c3033f13 1451cbinfo->verify_stack = NULL;
f5d78688
JH		 1452if ((cbinfo->is_server = host==NULL))
1453 {
1454 cbinfo->u_ocsp.server.file = ocsp_file;
1455 cbinfo->u_ocsp.server.file_expanded = NULL;
1456 cbinfo->u_ocsp.server.response = NULL;
1457 }
1458else
1459 cbinfo->u_ocsp.client.verify_store = NULL;
3f7eeb86 1460#endif
7be682ca 1461cbinfo->dhparam = dhparam;
0df4ab80 1462cbinfo->server_cipher_list = NULL;
7be682ca 1463cbinfo->host = host;
0cbf2b82 1464#ifndef DISABLE_EVENT
a7538db1
JH		 1465cbinfo->event_action = NULL;
1466#endif
77bb000f 1467
059ec3d9
PH		 1468SSL_load_error_strings(); /* basic set up */
1469OpenSSL_add_ssl_algorithms();
1470
c8dfb21d 1471#ifdef EXIM_HAVE_SHA256
77bb000f 1472/* SHA256 is becoming ever more popular. This makes sure it gets added to the
a0475b69
TK		 1473list of available digests. */
1474EVP_add_digest(EVP_sha256());
cf1ef1a9 1475#endif
a0475b69 1476
f0f5a555
PP		 1477/* Create a context.
1478The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
1479negotiation in the different methods; as far as I can tell, the only
1480*_{server,client}_method which allows negotiation is SSLv23, which exists even
1481when OpenSSL is built without SSLv2 support.
1482By disabling with openssl_options, we can let admins re-enable with the
1483existing knob. */
059ec3d9 1484
7006ee24
JH		 1485if (!(ctx = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method())))
1486 return tls_error(US"SSL_CTX_new", host, NULL, errstr);
059ec3d9
PH		 1487
1488/* It turns out that we need to seed the random number generator this early in
1489order to get the full complement of ciphers to work. It took me roughly a day
1490of work to discover this by experiment.
1491
1492On systems that have /dev/urandom, SSL may automatically seed itself from
1493there. Otherwise, we have to make something up as best we can. Double check
1494afterwards. */
1495
1496if (!RAND_status())
1497 {
1498 randstuff r;
9e3331ea 1499 gettimeofday(&r.tv, NULL);
059ec3d9
PH		 1500 r.p = getpid();
1501
5903c6ff
JH		 1502 RAND_seed(US (&r), sizeof(r));
1503 RAND_seed(US big_buffer, big_buffer_size);
1504 if (addr != NULL) RAND_seed(US addr, sizeof(addr));
059ec3d9
PH		 1505
1506 if (!RAND_status())
7199e1ee 1507 return tls_error(US"RAND_status", host,
cf0c6164 1508 US"unable to seed random number generator", errstr);
059ec3d9
PH		 1509 }
1510
1511/* Set up the information callback, which outputs if debugging is at a suitable
1512level. */
1513
7006ee24 1514DEBUG(D_tls) SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
059ec3d9 1515
c80c5570 1516/* Automatically re-try reads/writes after renegotiation. */
7006ee24 1517(void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
c80c5570 1518
77bb000f
PP		 1519/* Apply administrator-supplied work-arounds.
1520Historically we applied just one requested option,
1521SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
1522moved to an administrator-controlled list of options to specify and
1523grandfathered in the first one as the default value for "openssl_options".
059ec3d9 1524
77bb000f
PP		 1525No OpenSSL version number checks: the options we accept depend upon the
1526availability of the option value macros from OpenSSL. */
059ec3d9 1527
7006ee24 1528if (!tls_openssl_options_parse(openssl_options, &init_options))
cf0c6164 1529 return tls_error(US"openssl_options parsing failed", host, NULL, errstr);
77bb000f
PP		 1530
1531if (init_options)
1532 {
1533 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
7006ee24 1534 if (!(SSL_CTX_set_options(ctx, init_options)))
77bb000f 1535 return tls_error(string_sprintf(
cf0c6164 1536 "SSL_CTX_set_option(%#lx)", init_options), host, NULL, errstr);
77bb000f
PP		 1537 }
1538else
1539 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
059ec3d9 1540
7006ee24
JH		 1541/* Disable session cache unconditionally */
1542
1543(void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
1544
059ec3d9 1545/* Initialize with DH parameters if supplied */
10ca4f1c 1546/* Initialize ECDH temp key parameter selection */
059ec3d9 1547
7006ee24
JH		 1548if ( !init_dh(ctx, dhparam, host, errstr)
1549 || !init_ecdh(ctx, host, errstr)
038597d2
PP		 1550 )
1551 return DEFER;
059ec3d9 1552
3f7eeb86 1553/* Set up certificate and key (and perhaps OCSP info) */
059ec3d9 1554
7006ee24 1555if ((rc = tls_expand_session_files(ctx, cbinfo, errstr)) != OK)
23bb6982 1556 return rc;
c91535f3 1557
c3033f13
JH		 1558/* If we need to handle SNI or OCSP, do so */
1559
3bcbbbe2 1560#ifdef EXIM_HAVE_OPENSSL_TLSEXT
c3033f13
JH		 1561# ifndef DISABLE_OCSP
1562 if (!(cbinfo->verify_stack = sk_X509_new_null()))
1563 {
1564 DEBUG(D_tls) debug_printf("failed to create stack for stapling verify\n");
1565 return FAIL;
1566 }
1567# endif
1568
f5d78688 1569if (host == NULL) /* server */
3f0945ff 1570 {
f2de3a33 1571# ifndef DISABLE_OCSP
f5d78688 1572 /* We check u_ocsp.server.file, not server.response, because we care about if
3f7eeb86
PP		 1573 the option exists, not what the current expansion might be, as SNI might
1574 change the certificate and OCSP file in use between now and the time the
1575 callback is invoked. */
f5d78688 1576 if (cbinfo->u_ocsp.server.file)
3f7eeb86 1577 {
7006ee24
JH		 1578 SSL_CTX_set_tlsext_status_cb(ctx, tls_server_stapling_cb);
1579 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
3f7eeb86 1580 }
f5d78688 1581# endif
3f0945ff
PP		 1582 /* We always do this, so that $tls_sni is available even if not used in
1583 tls_certificate */
7006ee24
JH		 1584 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
1585 SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
3f0945ff 1586 }
f2de3a33 1587# ifndef DISABLE_OCSP
f5d78688
JH		 1588else /* client */
1589 if(ocsp_file) /* wanting stapling */
1590 {
1591 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
1592 {
1593 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
1594 return FAIL;
1595 }
7006ee24
JH		 1596 SSL_CTX_set_tlsext_status_cb(ctx, tls_client_stapling_cb);
1597 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
f5d78688
JH		 1598 }
1599# endif
7be682ca 1600#endif
059ec3d9 1601
e51c7be2 1602cbinfo->verify_cert_hostnames = NULL;
e51c7be2 1603
c8dfb21d 1604#ifdef EXIM_HAVE_EPHEM_RSA_KEX
059ec3d9 1605/* Set up the RSA callback */
7006ee24 1606SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
c8dfb21d 1607#endif
059ec3d9
PH		 1608
1609/* Finally, set the timeout, and we are done */
1610
7006ee24 1611SSL_CTX_set_timeout(ctx, ssl_session_timeout);
059ec3d9 1612DEBUG(D_tls) debug_printf("Initialized TLS\n");
7be682ca 1613
817d9f57 1614*cbp = cbinfo;
7006ee24 1615*ctxp = ctx;
7be682ca 1616
059ec3d9
PH		 1617return OK;
1618}
1619
1620
1621
1622
1623/*************************************************
1624* Get name of cipher in use *
1625*************************************************/
1626
817d9f57 1627/*
059ec3d9 1628Argument: pointer to an SSL structure for the connection
817d9f57
JH		 1629 buffer to use for answer
1630 size of buffer
1631 pointer to number of bits for cipher
059ec3d9
PH		 1632Returns: nothing
1633*/
1634
1635static void
817d9f57 1636construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits)
059ec3d9 1637{
57b3a7f5
PP		 1638/* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't
1639yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
1640the accessor functions use const in the prototype. */
1641const SSL_CIPHER *c;
d9784128 1642const uschar *ver;
059ec3d9 1643
d9784128 1644ver = (const uschar *)SSL_get_version(ssl);
059ec3d9 1645
57b3a7f5 1646c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
817d9f57 1647SSL_CIPHER_get_bits(c, bits);
059ec3d9 1648
817d9f57
JH		 1649string_format(cipherbuf, bsize, "%s:%s:%u", ver,
1650 SSL_CIPHER_get_name(c), *bits);
059ec3d9
PH		 1651
1652DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
1653}
1654
1655
f69979cf
JH		 1656static void
1657peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned bsize)
1658{
1659/*XXX we might consider a list-of-certs variable for the cert chain.
1660SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
1661in list-handling functions, also consider the difference between the entire
1662chain and the elements sent by the peer. */
1663
1664/* Will have already noted peercert on a verify fail; possibly not the leaf */
1665if (!tlsp->peercert)
1666 tlsp->peercert = SSL_get_peer_certificate(ssl);
1667/* Beware anonymous ciphers which lead to server_cert being NULL */
1668if (tlsp->peercert)
1669 {
1670 X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, bsize);
1671 peerdn[bsize-1] = '\0';
1672 tlsp->peerdn = peerdn; /*XXX a static buffer... */
1673 }
1674else
1675 tlsp->peerdn = NULL;
1676}
1677
1678
059ec3d9
PH		 1679
1680
1681
1682/*************************************************
1683* Set up for verifying certificates *
1684*************************************************/
1685
c3033f13
JH		 1686/* Load certs from file, return TRUE on success */
1687
1688static BOOL
1689chain_from_pem_file(const uschar * file, STACK_OF(X509) * verify_stack)
1690{
1691BIO * bp;
1692X509 * x;
1693
1694if (!(bp = BIO_new_file(CS file, "r"))) return FALSE;
1695while ((x = PEM_read_bio_X509(bp, NULL, 0, NULL)))
1696 sk_X509_push(verify_stack, x);
1697BIO_free(bp);
1698return TRUE;
1699}
1700
1701
1702
059ec3d9
PH		 1703/* Called by both client and server startup
1704
1705Arguments:
7be682ca 1706 sctx SSL_CTX* to initialise
059ec3d9
PH		 1707 certs certs file or NULL
1708 crl CRL file or NULL
1709 host NULL in a server; the remote host in a client
1710 optional TRUE if called from a server for a host in tls_try_verify_hosts;
1711 otherwise passed as FALSE
983207c1 1712 cert_vfy_cb Callback function for certificate verification
cf0c6164 1713 errstr error string pointer
059ec3d9
PH		 1714
1715Returns: OK/DEFER/FAIL
1716*/
1717
1718static int
983207c1 1719setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
cf0c6164 1720 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr)
059ec3d9
PH		 1721{
1722uschar *expcerts, *expcrl;
1723
cf0c6164 1724if (!expand_check(certs, US"tls_verify_certificates", &expcerts, errstr))
059ec3d9 1725 return DEFER;
57cc2785 1726DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
059ec3d9 1727
10a831a3 1728if (expcerts && *expcerts)
059ec3d9 1729 {
10a831a3
JH		 1730 /* Tell the library to use its compiled-in location for the system default
1731 CA bundle. Then add the ones specified in the config, if any. */
cb1d7830 1732
10a831a3 1733 if (!SSL_CTX_set_default_verify_paths(sctx))
cf0c6164 1734 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL, errstr);
10a831a3
JH		 1735
1736 if (Ustrcmp(expcerts, "system") != 0)
059ec3d9 1737 {
cb1d7830
JH		 1738 struct stat statbuf;
1739
cb1d7830
JH		 1740 if (Ustat(expcerts, &statbuf) < 0)
1741 {
1742 log_write(0, LOG_MAIN|LOG_PANIC,
1743 "failed to stat %s for certificates", expcerts);
1744 return DEFER;
1745 }
059ec3d9 1746 else
059ec3d9 1747 {
cb1d7830
JH		 1748 uschar *file, *dir;
1749 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
1750 { file = NULL; dir = expcerts; }
1751 else
c3033f13
JH		 1752 {
1753 file = expcerts; dir = NULL;
1754#ifndef DISABLE_OCSP
1755 /* In the server if we will be offering an OCSP proof, load chain from
1756 file for verifying the OCSP proof at load time. */
1757
1758 if ( !host
1759 && statbuf.st_size > 0
1760 && server_static_cbinfo->u_ocsp.server.file
1761 && !chain_from_pem_file(file, server_static_cbinfo->verify_stack)
1762 )
1763 {
1764 log_write(0, LOG_MAIN|LOG_PANIC,
1765 "failed to load cert hain from %s", file);
1766 return DEFER;
1767 }
1768#endif
1769 }
cb1d7830
JH		 1770
1771 /* If a certificate file is empty, the next function fails with an
1772 unhelpful error message. If we skip it, we get the correct behaviour (no
1773 certificates are recognized, but the error message is still misleading (it
c3033f13 1774 says no certificate was supplied). But this is better. */
cb1d7830 1775
f2f2c91b
JH		 1776 if ( (!file || statbuf.st_size > 0)
1777 && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
cf0c6164 1778 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL, errstr);
cb1d7830
JH		 1779
1780 /* Load the list of CAs for which we will accept certs, for sending
1781 to the client. This is only for the one-file tls_verify_certificates
1782 variant.
1783 If a list isn't loaded into the server, but
1784 some verify locations are set, the server end appears to make
4c04137d 1785 a wildcard request for client certs.
10a831a3 1786 Meanwhile, the client library as default behaviour *ignores* the list
cb1d7830
JH		 1787 we send over the wire - see man SSL_CTX_set_client_cert_cb.
1788 Because of this, and that the dir variant is likely only used for
1789 the public-CA bundle (not for a private CA), not worth fixing.
1790 */
f2f2c91b 1791 if (file)
cb1d7830
JH		 1792 {
1793 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
f2f2c91b
JH		 1794
1795 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
cb1d7830
JH		 1796 sk_X509_NAME_num(names));
1797 SSL_CTX_set_client_CA_list(sctx, names);
1798 }
059ec3d9
PH		 1799 }
1800 }
1801
1802 /* Handle a certificate revocation list. */
1803
10a831a3 1804#if OPENSSL_VERSION_NUMBER > 0x00907000L
059ec3d9 1805
8b417f2c 1806 /* This bit of code is now the version supplied by Lars Mainka. (I have
10a831a3 1807 merely reformatted it into the Exim code style.)
8b417f2c 1808
10a831a3
JH		 1809 "From here I changed the code to add support for multiple crl's
1810 in pem format in one file or to support hashed directory entries in
1811 pem format instead of a file. This method now uses the library function
1812 X509_STORE_load_locations to add the CRL location to the SSL context.
1813 OpenSSL will then handle the verify against CA certs and CRLs by
1814 itself in the verify callback." */
8b417f2c 1815
cf0c6164 1816 if (!expand_check(crl, US"tls_crl", &expcrl, errstr)) return DEFER;
10a831a3 1817 if (expcrl && *expcrl)
059ec3d9 1818 {
8b417f2c
PH		 1819 struct stat statbufcrl;
1820 if (Ustat(expcrl, &statbufcrl) < 0)
1821 {
1822 log_write(0, LOG_MAIN|LOG_PANIC,
1823 "failed to stat %s for certificates revocation lists", expcrl);
1824 return DEFER;
1825 }
1826 else
059ec3d9 1827 {
8b417f2c
PH		 1828 /* is it a file or directory? */
1829 uschar *file, *dir;
7be682ca 1830 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
8b417f2c 1831 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
059ec3d9 1832 {
8b417f2c
PH		 1833 file = NULL;
1834 dir = expcrl;
1835 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
059ec3d9
PH		 1836 }
1837 else
1838 {
8b417f2c
PH		 1839 file = expcrl;
1840 dir = NULL;
1841 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
059ec3d9 1842 }
8b417f2c 1843 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
cf0c6164 1844 return tls_error(US"X509_STORE_load_locations", host, NULL, errstr);
8b417f2c
PH		 1845
1846 /* setting the flags to check against the complete crl chain */
1847
1848 X509_STORE_set_flags(cvstore,
1849 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
059ec3d9 1850 }
059ec3d9
PH		 1851 }
1852
10a831a3 1853#endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
059ec3d9
PH		 1854
1855 /* If verification is optional, don't fail if no certificate */
1856
7be682ca 1857 SSL_CTX_set_verify(sctx,
059ec3d9 1858 SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
983207c1 1859 cert_vfy_cb);
059ec3d9
PH		 1860 }
1861
1862return OK;
1863}
1864
1865
1866
1867/*************************************************
1868* Start a TLS session in a server *
1869*************************************************/
1870
1871/* This is called when Exim is running as a server, after having received
1872the STARTTLS command. It must respond to that command, and then negotiate
1873a TLS session.
1874
1875Arguments:
1876 require_ciphers allowed ciphers
cf0c6164 1877 errstr pointer to error message
059ec3d9
PH		 1878
1879Returns: OK on success
1880 DEFER for errors before the start of the negotiation
4c04137d 1881 FAIL for errors during the negotiation; the server can't
059ec3d9
PH		 1882 continue running.
1883*/
1884
1885int
cf0c6164 1886tls_server_start(const uschar * require_ciphers, uschar ** errstr)
059ec3d9
PH		 1887{
1888int rc;
cf0c6164
JH		 1889uschar * expciphers;
1890tls_ext_ctx_cb * cbinfo;
f69979cf 1891static uschar peerdn[256];
817d9f57 1892static uschar cipherbuf[256];
059ec3d9
PH		 1893
1894/* Check for previous activation */
1895
817d9f57 1896if (tls_in.active >= 0)
059ec3d9 1897 {
cf0c6164 1898 tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
925ac8e4 1899 smtp_printf("554 Already in TLS\r\n", FALSE);
059ec3d9
PH		 1900 return FAIL;
1901 }
1902
1903/* Initialize the SSL library. If it fails, it will already have logged
1904the error. */
1905
817d9f57 1906rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
f2de3a33 1907#ifndef DISABLE_OCSP
3f7eeb86
PP		 1908 tls_ocsp_file,
1909#endif
cf0c6164 1910 NULL, &server_static_cbinfo, errstr);
059ec3d9 1911if (rc != OK) return rc;
817d9f57 1912cbinfo = server_static_cbinfo;
059ec3d9 1913
cf0c6164 1914if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers, errstr))
059ec3d9
PH		 1915 return FAIL;
1916
1917/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
17c76198
PP		 1918were historically separated by underscores. So that I can use either form in my
1919tests, and also for general convenience, we turn underscores into hyphens here.
1920*/
059ec3d9 1921
c3033f13 1922if (expciphers)
059ec3d9 1923 {
c3033f13 1924 uschar * s = expciphers;
059ec3d9
PH		 1925 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1926 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
817d9f57 1927 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
cf0c6164 1928 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL, errstr);
7be682ca 1929 cbinfo->server_cipher_list = expciphers;
059ec3d9
PH		 1930 }
1931
1932/* If this is a host for which certificate verification is mandatory or
1933optional, set up appropriately. */
1934
817d9f57 1935tls_in.certificate_verified = FALSE;
53a7196b
JH		 1936#ifdef EXPERIMENTAL_DANE
1937tls_in.dane_verified = FALSE;
1938#endif
a2ff477a 1939server_verify_callback_called = FALSE;
059ec3d9
PH		 1940
1941if (verify_check_host(&tls_verify_hosts) == OK)
1942 {
983207c1 1943 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
cf0c6164 1944 FALSE, verify_callback_server, errstr);
059ec3d9 1945 if (rc != OK) return rc;
a2ff477a 1946 server_verify_optional = FALSE;
059ec3d9
PH		 1947 }
1948else if (verify_check_host(&tls_try_verify_hosts) == OK)
1949 {
983207c1 1950 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
cf0c6164 1951 TRUE, verify_callback_server, errstr);
059ec3d9 1952 if (rc != OK) return rc;
a2ff477a 1953 server_verify_optional = TRUE;
059ec3d9
PH		 1954 }
1955
1956/* Prepare for new connection */
1957
cf0c6164
JH		 1958if (!(server_ssl = SSL_new(server_ctx)))
1959 return tls_error(US"SSL_new", NULL, NULL, errstr);
da3ad30d
PP		 1960
1961/* Warning: we used to SSL_clear(ssl) here, it was removed.
1962 *
1963 * With the SSL_clear(), we get strange interoperability bugs with
1964 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
1965 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
1966 *
1967 * The SSL_clear() call is to let an existing SSL* be reused, typically after
1968 * session shutdown. In this case, we have a brand new object and there's no
1969 * obvious reason to immediately clear it. I'm guessing that this was
1970 * originally added because of incomplete initialisation which the clear fixed,
1971 * in some historic release.
1972 */
059ec3d9
PH		 1973
1974/* Set context and tell client to go ahead, except in the case of TLS startup
1975on connection, where outputting anything now upsets the clients and tends to
1976make them disconnect. We need to have an explicit fflush() here, to force out
1977the response. Other smtp_printf() calls do not need it, because in non-TLS
1978mode, the fflush() happens when smtp_getc() is called. */
1979
817d9f57
JH		 1980SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
1981if (!tls_in.on_connect)
059ec3d9 1982 {
925ac8e4 1983 smtp_printf("220 TLS go ahead\r\n", FALSE);
059ec3d9
PH		 1984 fflush(smtp_out);
1985 }
1986
1987/* Now negotiate the TLS session. We put our own timer on it, since it seems
1988that the OpenSSL library doesn't. */
1989
817d9f57
JH		 1990SSL_set_wfd(server_ssl, fileno(smtp_out));
1991SSL_set_rfd(server_ssl, fileno(smtp_in));
1992SSL_set_accept_state(server_ssl);
059ec3d9
PH		 1993
1994DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
1995
1996sigalrm_seen = FALSE;
1997if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
817d9f57 1998rc = SSL_accept(server_ssl);
059ec3d9
PH		 1999alarm(0);
2000
2001if (rc <= 0)
2002 {
cf0c6164 2003 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
059ec3d9
PH		 2004 return FAIL;
2005 }
2006
2007DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
2008
2009/* TLS has been set up. Adjust the input functions to read via TLS,
2010and initialize things. */
2011
f69979cf
JH		 2012peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
2013
817d9f57
JH		 2014construct_cipher_name(server_ssl, cipherbuf, sizeof(cipherbuf), &tls_in.bits);
2015tls_in.cipher = cipherbuf;
059ec3d9
PH		 2016
2017DEBUG(D_tls)
2018 {
2019 uschar buf[2048];
817d9f57 2020 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)) != NULL)
059ec3d9
PH		 2021 debug_printf("Shared ciphers: %s\n", buf);
2022 }
2023
9d1c15ef
JH		 2024/* Record the certificate we presented */
2025 {
2026 X509 * crt = SSL_get_certificate(server_ssl);
2027 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
2028 }
059ec3d9 2029
817d9f57
JH		 2030/* Only used by the server-side tls (tls_in), including tls_getc.
2031 Client-side (tls_out) reads (seem to?) go via
2032 smtp_read_response()/ip_recv().
2033 Hence no need to duplicate for _in and _out.
2034 */
059ec3d9
PH		 2035ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
2036ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
2037ssl_xfer_eof = ssl_xfer_error = 0;
2038
2039receive_getc = tls_getc;
0d81dabc 2040receive_getbuf = tls_getbuf;
584e96c6 2041receive_get_cache = tls_get_cache;
059ec3d9
PH		 2042receive_ungetc = tls_ungetc;
2043receive_feof = tls_feof;
2044receive_ferror = tls_ferror;
58eb016e 2045receive_smtp_buffered = tls_smtp_buffered;
059ec3d9 2046
817d9f57 2047tls_in.active = fileno(smtp_out);
059ec3d9
PH		 2048return OK;
2049}
2050
2051
2052
2053
043b1248
JH		 2054static int
2055tls_client_basic_ctx_init(SSL_CTX * ctx,
cf0c6164
JH		 2056 host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo,
2057 uschar ** errstr)
043b1248
JH		 2058{
2059int rc;
94431adb 2060/* stick to the old behaviour for compatibility if tls_verify_certificates is
043b1248
JH		 2061 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
2062 the specified host patterns if one of them is defined */
2063
610ff438
JH		 2064if ( ( !ob->tls_verify_hosts
2065 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2066 )
5130845b 2067 || (verify_check_given_host(&ob->tls_verify_hosts, host) == OK)
aa2a70ba 2068 )
043b1248 2069 client_verify_optional = FALSE;
5130845b 2070else if (verify_check_given_host(&ob->tls_try_verify_hosts, host) == OK)
aa2a70ba
JH		 2071 client_verify_optional = TRUE;
2072else
2073 return OK;
2074
2075if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
cf0c6164
JH		 2076 ob->tls_crl, host, client_verify_optional, verify_callback_client,
2077 errstr)) != OK)
aa2a70ba 2078 return rc;
043b1248 2079
5130845b 2080if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK)
043b1248 2081 {
4af0d74a 2082 cbinfo->verify_cert_hostnames =
8c5d388a 2083#ifdef SUPPORT_I18N
4af0d74a
JH		 2084 string_domain_utf8_to_alabel(host->name, NULL);
2085#else
2086 host->name;
2087#endif
aa2a70ba
JH		 2088 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
2089 cbinfo->verify_cert_hostnames);
043b1248 2090 }
043b1248
JH		 2091return OK;
2092}
059ec3d9 2093
fde080a4
JH		 2094
2095#ifdef EXPERIMENTAL_DANE
fde080a4 2096static int
cf0c6164 2097dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa, uschar ** errstr)
fde080a4
JH		 2098{
2099dns_record * rr;
2100dns_scan dnss;
2101const char * hostnames[2] = { CS host->name, NULL };
2102int found = 0;
2103
2104if (DANESSL_init(ssl, NULL, hostnames) != 1)
cf0c6164 2105 return tls_error(US"hostnames load", host, NULL, errstr);
fde080a4
JH		 2106
2107for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
2108 rr;
2109 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
2110 ) if (rr->type == T_TLSA)
2111 {
c3033f13 2112 const uschar * p = rr->data;
fde080a4
JH		 2113 uint8_t usage, selector, mtype;
2114 const char * mdname;
2115
fde080a4 2116 usage = *p++;
133d2546
JH		 2117
2118 /* Only DANE-TA(2) and DANE-EE(3) are supported */
2119 if (usage != 2 && usage != 3) continue;
2120
fde080a4
JH		 2121 selector = *p++;
2122 mtype = *p++;
2123
2124 switch (mtype)
2125 {
133d2546
JH		 2126 default: continue; /* Only match-types 0, 1, 2 are supported */
2127 case 0: mdname = NULL; break;
2128 case 1: mdname = "sha256"; break;
2129 case 2: mdname = "sha512"; break;
fde080a4
JH		 2130 }
2131
133d2546 2132 found++;
fde080a4
JH		 2133 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
2134 {
2135 default:
cf0c6164 2136 return tls_error(US"tlsa load", host, NULL, errstr);
c035b645 2137 case 0: /* action not taken */
fde080a4
JH		 2138 case 1: break;
2139 }
594706ea
JH		 2140
2141 tls_out.tlsa_usage |= 1<<usage;
fde080a4
JH		 2142 }
2143
2144if (found)
2145 return OK;
2146
133d2546 2147log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
6ebd79ec 2148return DEFER;
fde080a4
JH		 2149}
2150#endif /*EXPERIMENTAL_DANE*/
2151
2152
2153
059ec3d9
PH		 2154/*************************************************
2155* Start a TLS session in a client *
2156*************************************************/
2157
2158/* Called from the smtp transport after STARTTLS has been accepted.
2159
2160Argument:
2161 fd the fd of the connection
2162 host connected host (for messages)
83da1223 2163 addr the first address
a7538db1 2164 tb transport (always smtp)
0e66b3b6 2165 tlsa_dnsa tlsa lookup, if DANE, else null
cf0c6164 2166 errstr error string pointer
059ec3d9
PH		 2167
2168Returns: OK on success
2169 FAIL otherwise - note that tls_error() will not give DEFER
2170 because this is not a server
2171*/
2172
2173int
f5d78688 2174tls_client_start(int fd, host_item *host, address_item *addr,
cf0c6164 2175 transport_instance * tb,
0e66b3b6 2176#ifdef EXPERIMENTAL_DANE
cf0c6164 2177 dns_answer * tlsa_dnsa,
0e66b3b6 2178#endif
cf0c6164 2179 uschar ** errstr)
059ec3d9 2180{
a7538db1
JH		 2181smtp_transport_options_block * ob =
2182 (smtp_transport_options_block *)tb->options_block;
f69979cf 2183static uschar peerdn[256];
868f5672 2184uschar * expciphers;
059ec3d9 2185int rc;
817d9f57 2186static uschar cipherbuf[256];
043b1248
JH		 2187
2188#ifndef DISABLE_OCSP
043b1248 2189BOOL request_ocsp = FALSE;
6634ac8d 2190BOOL require_ocsp = FALSE;
043b1248 2191#endif
043b1248
JH		 2192
2193#ifdef EXPERIMENTAL_DANE
594706ea 2194tls_out.tlsa_usage = 0;
043b1248
JH		 2195#endif
2196
f2de3a33 2197#ifndef DISABLE_OCSP
043b1248 2198 {
4f59c424
JH		 2199# ifdef EXPERIMENTAL_DANE
2200 if ( tlsa_dnsa
2201 && ob->hosts_request_ocsp[0] == '*'
2202 && ob->hosts_request_ocsp[1] == '\0'
2203 )
2204 {
2205 /* Unchanged from default. Use a safer one under DANE */
2206 request_ocsp = TRUE;
2207 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
2208 " {= {4}{$tls_out_tlsa_usage}} } "
2209 " {*}{}}";
2210 }
2211# endif
2212
5130845b
JH		 2213 if ((require_ocsp =
2214 verify_check_given_host(&ob->hosts_require_ocsp, host) == OK))
fca41d5a
JH		 2215 request_ocsp = TRUE;
2216 else
fca41d5a 2217# ifdef EXPERIMENTAL_DANE
4f59c424 2218 if (!request_ocsp)
fca41d5a 2219# endif
5130845b
JH		 2220 request_ocsp =
2221 verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
043b1248 2222 }
f5d78688 2223#endif
059ec3d9 2224
65867078
JH		 2225rc = tls_init(&client_ctx, host, NULL,
2226 ob->tls_certificate, ob->tls_privatekey,
f2de3a33 2227#ifndef DISABLE_OCSP
44662487 2228 (void *)(long)request_ocsp,
3f7eeb86 2229#endif
cf0c6164 2230 addr, &client_static_cbinfo, errstr);
059ec3d9
PH		 2231if (rc != OK) return rc;
2232
817d9f57 2233tls_out.certificate_verified = FALSE;
a2ff477a 2234client_verify_callback_called = FALSE;
059ec3d9 2235
65867078 2236if (!expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
cf0c6164 2237 &expciphers, errstr))
059ec3d9
PH		 2238 return FAIL;
2239
2240/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
2241are separated by underscores. So that I can use either form in my tests, and
2242also for general convenience, we turn underscores into hyphens here. */
2243
cf0c6164 2244if (expciphers)
059ec3d9
PH		 2245 {
2246 uschar *s = expciphers;
cf0c6164 2247 while (*s) { if (*s == '_') *s = '-'; s++; }
059ec3d9 2248 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
817d9f57 2249 if (!SSL_CTX_set_cipher_list(client_ctx, CS expciphers))
cf0c6164 2250 return tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr);
059ec3d9
PH		 2251 }
2252
043b1248 2253#ifdef EXPERIMENTAL_DANE
0e66b3b6 2254if (tlsa_dnsa)
a63be306 2255 {
02af313d
JH		 2256 SSL_CTX_set_verify(client_ctx,
2257 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2258 verify_callback_client_dane);
e5cccda9 2259
043b1248 2260 if (!DANESSL_library_init())
cf0c6164 2261 return tls_error(US"library init", host, NULL, errstr);
043b1248 2262 if (DANESSL_CTX_init(client_ctx) <= 0)
cf0c6164 2263 return tls_error(US"context init", host, NULL, errstr);
043b1248
JH		 2264 }
2265else
e51c7be2 2266
043b1248
JH		 2267#endif
2268
cf0c6164
JH		 2269 if ((rc = tls_client_basic_ctx_init(client_ctx, host, ob,
2270 client_static_cbinfo, errstr)) != OK)
65867078 2271 return rc;
059ec3d9 2272
65867078 2273if ((client_ssl = SSL_new(client_ctx)) == NULL)
cf0c6164 2274 return tls_error(US"SSL_new", host, NULL, errstr);
817d9f57
JH		 2275SSL_set_session_id_context(client_ssl, sid_ctx, Ustrlen(sid_ctx));
2276SSL_set_fd(client_ssl, fd);
2277SSL_set_connect_state(client_ssl);
059ec3d9 2278
65867078 2279if (ob->tls_sni)
3f0945ff 2280 {
cf0c6164 2281 if (!expand_check(ob->tls_sni, US"tls_sni", &tls_out.sni, errstr))
3f0945ff 2282 return FAIL;
cf0c6164 2283 if (!tls_out.sni)
2c9a0e86
PP		 2284 {
2285 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
2286 }
ec4b68e5 2287 else if (!Ustrlen(tls_out.sni))
817d9f57 2288 tls_out.sni = NULL;
3f0945ff
PP		 2289 else
2290 {
35731706 2291#ifdef EXIM_HAVE_OPENSSL_TLSEXT
817d9f57
JH		 2292 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tls_out.sni);
2293 SSL_set_tlsext_host_name(client_ssl, tls_out.sni);
35731706 2294#else
66802652 2295 log_write(0, LOG_MAIN, "SNI unusable with this OpenSSL library version; ignoring \"%s\"\n",
02d9264f 2296 tls_out.sni);
35731706 2297#endif
3f0945ff
PP		 2298 }
2299 }
2300
594706ea 2301#ifdef EXPERIMENTAL_DANE
0e66b3b6 2302if (tlsa_dnsa)
cf0c6164 2303 if ((rc = dane_tlsa_load(client_ssl, host, tlsa_dnsa, errstr)) != OK)
594706ea
JH		 2304 return rc;
2305#endif
2306
f2de3a33 2307#ifndef DISABLE_OCSP
f5d78688
JH		 2308/* Request certificate status at connection-time. If the server
2309does OCSP stapling we will get the callback (set in tls_init()) */
b50c8b84 2310# ifdef EXPERIMENTAL_DANE
594706ea
JH		 2311if (request_ocsp)
2312 {
2313 const uschar * s;
41afb5cb
JH		 2314 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
2315 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
594706ea
JH		 2316 )
2317 { /* Re-eval now $tls_out_tlsa_usage is populated. If
2318 this means we avoid the OCSP request, we wasted the setup
2319 cost in tls_init(). */
5130845b
JH		 2320 require_ocsp = verify_check_given_host(&ob->hosts_require_ocsp, host) == OK;
2321 request_ocsp = require_ocsp
2322 || verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
594706ea
JH		 2323 }
2324 }
b50c8b84
JH		 2325# endif
2326
44662487
JH		 2327if (request_ocsp)
2328 {
f5d78688 2329 SSL_set_tlsext_status_type(client_ssl, TLSEXT_STATUSTYPE_ocsp);
44662487
JH		 2330 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
2331 tls_out.ocsp = OCSP_NOT_RESP;
2332 }
f5d78688
JH		 2333#endif
2334
0cbf2b82 2335#ifndef DISABLE_EVENT
774ef2d7 2336client_static_cbinfo->event_action = tb->event_action;
a7538db1 2337#endif
043b1248 2338
059ec3d9
PH		 2339/* There doesn't seem to be a built-in timeout on connection. */
2340
2341DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
2342sigalrm_seen = FALSE;
65867078 2343alarm(ob->command_timeout);
817d9f57 2344rc = SSL_connect(client_ssl);
059ec3d9
PH		 2345alarm(0);
2346
043b1248 2347#ifdef EXPERIMENTAL_DANE
0e66b3b6 2348if (tlsa_dnsa)
fde080a4 2349 DANESSL_cleanup(client_ssl);
043b1248
JH		 2350#endif
2351
059ec3d9 2352if (rc <= 0)
cf0c6164
JH		 2353 return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL,
2354 errstr);
059ec3d9
PH		 2355
2356DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
2357
f69979cf 2358peer_cert(client_ssl, &tls_out, peerdn, sizeof(peerdn));
059ec3d9 2359
817d9f57
JH		 2360construct_cipher_name(client_ssl, cipherbuf, sizeof(cipherbuf), &tls_out.bits);
2361tls_out.cipher = cipherbuf;
059ec3d9 2362
9d1c15ef
JH		 2363/* Record the certificate we presented */
2364 {
2365 X509 * crt = SSL_get_certificate(client_ssl);
2366 tls_out.ourcert = crt ? X509_dup(crt) : NULL;
2367 }
2368
817d9f57 2369tls_out.active = fd;
059ec3d9
PH		 2370return OK;
2371}
2372
2373
2374
2375
2376
0d81dabc
JH		 2377static BOOL
2378tls_refill(unsigned lim)
2379{
2380int error;
2381int inbytes;
2382
2383DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
2384 ssl_xfer_buffer, ssl_xfer_buffer_size);
2385
2386if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
2387inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer,
2388 MIN(ssl_xfer_buffer_size, lim));
2389error = SSL_get_error(server_ssl, inbytes);
2390alarm(0);
2391
2392/* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
2393closed down, not that the socket itself has been closed down. Revert to
2394non-SSL handling. */
2395
2396if (error == SSL_ERROR_ZERO_RETURN)
2397 {
2398 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2399
2400 receive_getc = smtp_getc;
2401 receive_getbuf = smtp_getbuf;
2402 receive_get_cache = smtp_get_cache;
2403 receive_ungetc = smtp_ungetc;
2404 receive_feof = smtp_feof;
2405 receive_ferror = smtp_ferror;
2406 receive_smtp_buffered = smtp_buffered;
2407
2408 SSL_free(server_ssl);
2409 server_ssl = NULL;
2410 tls_in.active = -1;
2411 tls_in.bits = 0;
2412 tls_in.cipher = NULL;
2413 tls_in.peerdn = NULL;
2414 tls_in.sni = NULL;
2415
2416 return FALSE;
2417 }
2418
2419/* Handle genuine errors */
2420
2421else if (error == SSL_ERROR_SSL)
2422 {
2423 ERR_error_string(ERR_get_error(), ssl_errstring);
2424 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
2425 ssl_xfer_error = 1;
2426 return FALSE;
2427 }
2428
2429else if (error != SSL_ERROR_NONE)
2430 {
2431 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
2432 ssl_xfer_error = 1;
2433 return FALSE;
2434 }
2435
2436#ifndef DISABLE_DKIM
2437dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
2438#endif
2439ssl_xfer_buffer_hwm = inbytes;
2440ssl_xfer_buffer_lwm = 0;
2441return TRUE;
2442}
2443
2444
059ec3d9
PH		 2445/*************************************************
2446* TLS version of getc *
2447*************************************************/
2448
2449/* This gets the next byte from the TLS input buffer. If the buffer is empty,
2450it refills the buffer via the SSL reading function.
2451
bd8fbe36 2452Arguments: lim Maximum amount to read/buffer
059ec3d9 2453Returns: the next character or EOF
817d9f57
JH		 2454
2455Only used by the server-side TLS.
059ec3d9
PH		 2456*/
2457
2458int
bd8fbe36 2459tls_getc(unsigned lim)
059ec3d9
PH		 2460{
2461if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
0d81dabc
JH		 2462 if (!tls_refill(lim))
2463 return ssl_xfer_error ? EOF : smtp_getc(lim);
059ec3d9 2464
0d81dabc 2465/* Something in the buffer; return next uschar */
059ec3d9 2466
0d81dabc
JH		 2467return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
2468}
059ec3d9 2469
0d81dabc
JH		 2470uschar *
2471tls_getbuf(unsigned * len)
2472{
2473unsigned size;
2474uschar * buf;
ba084640 2475
0d81dabc
JH		 2476if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
2477 if (!tls_refill(*len))
059ec3d9 2478 {
0d81dabc
JH		 2479 if (!ssl_xfer_error) return smtp_getbuf(len);
2480 *len = 0;
2481 return NULL;
059ec3d9 2482 }
c80c5570 2483
0d81dabc
JH		 2484if ((size = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm) > *len)
2485 size = *len;
2486buf = &ssl_xfer_buffer[ssl_xfer_buffer_lwm];
2487ssl_xfer_buffer_lwm += size;
2488*len = size;
2489return buf;
059ec3d9
PH		 2490}
2491
0d81dabc 2492
584e96c6
JH		 2493void
2494tls_get_cache()
2495{
9960d1e5 2496#ifndef DISABLE_DKIM
584e96c6
JH		 2497int n = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm;
2498if (n > 0)
2499 dkim_exim_verify_feed(ssl_xfer_buffer+ssl_xfer_buffer_lwm, n);
584e96c6 2500#endif
9960d1e5 2501}
584e96c6 2502
059ec3d9 2503
925ac8e4
JH		 2504BOOL
2505tls_could_read(void)
2506{
a5ffa9b4 2507return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm || SSL_pending(server_ssl) > 0;
925ac8e4
JH		 2508}
2509
059ec3d9
PH		 2510
2511/*************************************************
2512* Read bytes from TLS channel *
2513*************************************************/
2514
2515/*
2516Arguments:
2517 buff buffer of data
2518 len size of buffer
2519
2520Returns: the number of bytes read
2521 -1 after a failed read
817d9f57
JH		 2522
2523Only used by the client-side TLS.
059ec3d9
PH		 2524*/
2525
2526int
389ca47a 2527tls_read(BOOL is_server, uschar *buff, size_t len)
059ec3d9 2528{
389ca47a 2529SSL *ssl = is_server ? server_ssl : client_ssl;
059ec3d9
PH		 2530int inbytes;
2531int error;
2532
389ca47a 2533DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
c80c5570 2534 buff, (unsigned int)len);
059ec3d9 2535
389ca47a
JH		 2536inbytes = SSL_read(ssl, CS buff, len);
2537error = SSL_get_error(ssl, inbytes);
059ec3d9
PH		 2538
2539if (error == SSL_ERROR_ZERO_RETURN)
2540 {
2541 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2542 return -1;
2543 }
2544else if (error != SSL_ERROR_NONE)
059ec3d9 2545 return -1;
059ec3d9
PH		 2546
2547return inbytes;
2548}
2549
2550
2551
2552
2553
2554/*************************************************
2555* Write bytes down TLS channel *
2556*************************************************/
2557
2558/*
2559Arguments:
817d9f57 2560 is_server channel specifier
059ec3d9
PH		 2561 buff buffer of data
2562 len number of bytes
925ac8e4 2563 more further data expected soon
059ec3d9
PH		 2564
2565Returns: the number of bytes after a successful write,
2566 -1 after a failed write
817d9f57
JH		 2567
2568Used by both server-side and client-side TLS.
059ec3d9
PH		 2569*/
2570
2571int
925ac8e4 2572tls_write(BOOL is_server, const uschar *buff, size_t len, BOOL more)
059ec3d9 2573{
a5ffa9b4 2574int outbytes, error, left;
817d9f57 2575SSL *ssl = is_server ? server_ssl : client_ssl;
a5ffa9b4
JH		 2576static uschar * corked = NULL;
2577static int c_size = 0, c_len = 0;
2578
ef698bf6 2579DEBUG(D_tls) debug_printf("%s(%p, %lu%s)\n", __FUNCTION__,
b93be52e 2580 buff, (unsigned long)len, more ? ", more" : "");
a5ffa9b4
JH		 2581
2582/* Lacking a CORK or MSG_MORE facility (such as GnuTLS has) we copy data when
2583"more" is notified. This hack is only ok if small amounts are involved AND only
2584one stream does it, in one context (i.e. no store reset). Currently it is used
2585for the responses to the received SMTP MAIL , RCPT, DATA sequence, only. */
2586
2587if (is_server && (more || corked))
2588 {
2589 corked = string_catn(corked, &c_size, &c_len, buff, len);
2590 if (more)
2591 return len;
2592 buff = CUS corked;
2593 len = c_len;
2594 corked = NULL; c_size = c_len = 0;
2595 }
059ec3d9 2596
a5ffa9b4 2597for (left = len; left > 0;)
059ec3d9 2598 {
c80c5570 2599 DEBUG(D_tls) debug_printf("SSL_write(SSL, %p, %d)\n", buff, left);
059ec3d9
PH		 2600 outbytes = SSL_write(ssl, CS buff, left);
2601 error = SSL_get_error(ssl, outbytes);
2602 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
2603 switch (error)
2604 {
2605 case SSL_ERROR_SSL:
96f5fe4c
JH		 2606 ERR_error_string(ERR_get_error(), ssl_errstring);
2607 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
2608 return -1;
059ec3d9
PH		 2609
2610 case SSL_ERROR_NONE:
96f5fe4c
JH		 2611 left -= outbytes;
2612 buff += outbytes;
2613 break;
059ec3d9
PH		 2614
2615 case SSL_ERROR_ZERO_RETURN:
96f5fe4c
JH		 2616 log_write(0, LOG_MAIN, "SSL channel closed on write");
2617 return -1;
059ec3d9 2618
817d9f57 2619 case SSL_ERROR_SYSCALL:
96f5fe4c
JH		 2620 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
2621 sender_fullhost ? sender_fullhost : US"<unknown>",
2622 strerror(errno));
2623 return -1;
817d9f57 2624
059ec3d9 2625 default:
96f5fe4c
JH		 2626 log_write(0, LOG_MAIN, "SSL_write error %d", error);
2627 return -1;
059ec3d9
PH		 2628 }
2629 }
2630return len;
2631}
2632
2633
2634
2635/*************************************************
2636* Close down a TLS session *
2637*************************************************/
2638
2639/* This is also called from within a delivery subprocess forked from the
2640daemon, to shut down the TLS library, without actually doing a shutdown (which
2641would tamper with the SSL session in the parent process).
2642
2643Arguments: TRUE if SSL_shutdown is to be called
2644Returns: nothing
817d9f57
JH		 2645
2646Used by both server-side and client-side TLS.
059ec3d9
PH		 2647*/
2648
2649void
817d9f57 2650tls_close(BOOL is_server, BOOL shutdown)
059ec3d9 2651{
817d9f57 2652SSL **sslp = is_server ? &server_ssl : &client_ssl;
389ca47a 2653int *fdp = is_server ? &tls_in.active : &tls_out.active;
817d9f57
JH		 2654
2655if (*fdp < 0) return; /* TLS was not active */
059ec3d9
PH		 2656
2657if (shutdown)
2658 {
ec8b777a 2659 DEBUG(D_tls) debug_printf("tls_close(): shutting down SSL\n");
817d9f57 2660 SSL_shutdown(*sslp);
059ec3d9
PH		 2661 }
2662
817d9f57
JH		 2663SSL_free(*sslp);
2664*sslp = NULL;
059ec3d9 2665
817d9f57 2666*fdp = -1;
059ec3d9
PH		 2667}
2668
36f12725
NM		 2669
2670
2671
3375e053
PP		 2672/*************************************************
2673* Let tls_require_ciphers be checked at startup *
2674*************************************************/
2675
2676/* The tls_require_ciphers option, if set, must be something which the
2677library can parse.
2678
2679Returns: NULL on success, or error message
2680*/
2681
2682uschar *
2683tls_validate_require_cipher(void)
2684{
2685SSL_CTX *ctx;
2686uschar *s, *expciphers, *err;
2687
2688/* this duplicates from tls_init(), we need a better "init just global
2689state, for no specific purpose" singleton function of our own */
2690
2691SSL_load_error_strings();
2692OpenSSL_add_ssl_algorithms();
2693#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
2694/* SHA256 is becoming ever more popular. This makes sure it gets added to the
2695list of available digests. */
2696EVP_add_digest(EVP_sha256());
2697#endif
2698
2699if (!(tls_require_ciphers && *tls_require_ciphers))
2700 return NULL;
2701
cf0c6164
JH		 2702if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
2703 &err))
3375e053
PP		 2704 return US"failed to expand tls_require_ciphers";
2705
2706if (!(expciphers && *expciphers))
2707 return NULL;
2708
2709/* normalisation ripped from above */
2710s = expciphers;
2711while (*s != 0) { if (*s == '_') *s = '-'; s++; }
2712
2713err = NULL;
2714
2715ctx = SSL_CTX_new(SSLv23_server_method());
2716if (!ctx)
2717 {
2718 ERR_error_string(ERR_get_error(), ssl_errstring);
2719 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
2720 }
2721
2722DEBUG(D_tls)
2723 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
2724
2725if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
2726 {
2727 ERR_error_string(ERR_get_error(), ssl_errstring);
cf0c6164
JH		 2728 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed: %s",
2729 expciphers, ssl_errstring);
3375e053
PP		 2730 }
2731
2732SSL_CTX_free(ctx);
2733
2734return err;
2735}
2736
2737
2738
2739
36f12725
NM		 2740/*************************************************
2741* Report the library versions. *
2742*************************************************/
2743
2744/* There have historically been some issues with binary compatibility in
2745OpenSSL libraries; if Exim (like many other applications) is built against
2746one version of OpenSSL but the run-time linker picks up another version,
2747it can result in serious failures, including crashing with a SIGSEGV. So
2748report the version found by the compiler and the run-time version.
2749
f64a1e23
PP		 2750Note: some OS vendors backport security fixes without changing the version
2751number/string, and the version date remains unchanged. The _build_ date
2752will change, so we can more usefully assist with version diagnosis by also
2753reporting the build date.
2754
36f12725
NM		 2755Arguments: a FILE* to print the results to
2756Returns: nothing
2757*/
2758
2759void
2760tls_version_report(FILE *f)
2761{
754a0503 2762fprintf(f, "Library version: OpenSSL: Compile: %s\n"
f64a1e23
PP		 2763 " Runtime: %s\n"
2764 " : %s\n",
754a0503 2765 OPENSSL_VERSION_TEXT,
f64a1e23
PP		 2766 SSLeay_version(SSLEAY_VERSION),
2767 SSLeay_version(SSLEAY_BUILT_ON));
2768/* third line is 38 characters for the %s and the line is 73 chars long;
2769the OpenSSL output includes a "built on: " prefix already. */
36f12725
NM		 2770}
2771
9e3331ea
TK		 2772
2773
2774
2775/*************************************************
17c76198 2776* Random number generation *
9e3331ea
TK		 2777*************************************************/
2778
2779/* Pseudo-random number generation. The result is not expected to be
2780cryptographically strong but not so weak that someone will shoot themselves
2781in the foot using it as a nonce in input in some email header scheme or
2782whatever weirdness they'll twist this into. The result should handle fork()
2783and avoid repeating sequences. OpenSSL handles that for us.
2784
2785Arguments:
2786 max range maximum
2787Returns a random number in range [0, max-1]
2788*/
2789
2790int
17c76198 2791vaguely_random_number(int max)
9e3331ea
TK		 2792{
2793unsigned int r;
2794int i, needed_len;
de6135a0
PP		 2795static pid_t pidlast = 0;
2796pid_t pidnow;
9e3331ea
TK		 2797uschar *p;
2798uschar smallbuf[sizeof(r)];
2799
2800if (max <= 1)
2801 return 0;
2802
de6135a0
PP		 2803pidnow = getpid();
2804if (pidnow != pidlast)
2805 {
2806 /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
2807 is unique for each thread", this doesn't apparently apply across processes,
2808 so our own warning from vaguely_random_number_fallback() applies here too.
2809 Fix per PostgreSQL. */
2810 if (pidlast != 0)
2811 RAND_cleanup();
2812 pidlast = pidnow;
2813 }
2814
9e3331ea
TK		 2815/* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
2816if (!RAND_status())
2817 {
2818 randstuff r;
2819 gettimeofday(&r.tv, NULL);
2820 r.p = getpid();
2821
5903c6ff 2822 RAND_seed(US (&r), sizeof(r));
9e3331ea
TK		 2823 }
2824/* We're after pseudo-random, not random; if we still don't have enough data
2825in the internal PRNG then our options are limited. We could sleep and hope
2826for entropy to come along (prayer technique) but if the system is so depleted
2827in the first place then something is likely to just keep taking it. Instead,
2828we'll just take whatever little bit of pseudo-random we can still manage to
2829get. */
2830
2831needed_len = sizeof(r);
2832/* Don't take 8 times more entropy than needed if int is 8 octets and we were
2833asked for a number less than 10. */
2834for (r = max, i = 0; r; ++i)
2835 r >>= 1;
2836i = (i + 7) / 8;
2837if (i < needed_len)
2838 needed_len = i;
2839
c8dfb21d 2840#ifdef EXIM_HAVE_RAND_PSEUDO
9e3331ea 2841/* We do not care if crypto-strong */
17c76198 2842i = RAND_pseudo_bytes(smallbuf, needed_len);
c8dfb21d
JH		 2843#else
2844i = RAND_bytes(smallbuf, needed_len);
2845#endif
2846
17c76198
PP		 2847if (i < 0)
2848 {
2849 DEBUG(D_all)
2850 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
2851 return vaguely_random_number_fallback(max);
2852 }
2853
9e3331ea
TK		 2854r = 0;
2855for (p = smallbuf; needed_len; --needed_len, ++p)
2856 {
2857 r *= 256;
2858 r += *p;
2859 }
2860
2861/* We don't particularly care about weighted results; if someone wants
2862smooth distribution and cares enough then they should submit a patch then. */
2863return r % max;
2864}
2865
77bb000f
PP		 2866
2867
2868
2869/*************************************************
2870* OpenSSL option parse *
2871*************************************************/
2872
2873/* Parse one option for tls_openssl_options_parse below
2874
2875Arguments:
2876 name one option name
2877 value place to store a value for it
2878Returns success or failure in parsing
2879*/
2880
2881struct exim_openssl_option {
2882 uschar *name;
2883 long value;
2884};
2885/* We could use a macro to expand, but we need the ifdef and not all the
2886options document which version they were introduced in. Policylet: include
2887all options unless explicitly for DTLS, let the administrator choose which
2888to apply.
2889
2890This list is current as of:
e2fbf4a2
PP		 2891 ==> 1.0.1b <==
2892Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
2893*/
77bb000f
PP		 2894static struct exim_openssl_option exim_openssl_options[] = {
2895/* KEEP SORTED ALPHABETICALLY! */
2896#ifdef SSL_OP_ALL
73a46702 2897 { US"all", SSL_OP_ALL },
77bb000f
PP		 2898#endif
2899#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
73a46702 2900 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
77bb000f
PP		 2901#endif
2902#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
73a46702 2903 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
77bb000f
PP		 2904#endif
2905#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
73a46702 2906 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
77bb000f
PP		 2907#endif
2908#ifdef SSL_OP_EPHEMERAL_RSA
73a46702 2909 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
77bb000f
PP		 2910#endif
2911#ifdef SSL_OP_LEGACY_SERVER_CONNECT
73a46702 2912 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
77bb000f
PP		 2913#endif
2914#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
73a46702 2915 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
77bb000f
PP		 2916#endif
2917#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
73a46702 2918 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
77bb000f
PP		 2919#endif
2920#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
73a46702 2921 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
77bb000f
PP		 2922#endif
2923#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
73a46702 2924 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
77bb000f
PP		 2925#endif
2926#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
73a46702 2927 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
77bb000f 2928#endif
c80c5570
PP		 2929#ifdef SSL_OP_NO_COMPRESSION
2930 { US"no_compression", SSL_OP_NO_COMPRESSION },
2931#endif
77bb000f 2932#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
73a46702 2933 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
77bb000f 2934#endif
c0c7b2da
PP		 2935#ifdef SSL_OP_NO_SSLv2
2936 { US"no_sslv2", SSL_OP_NO_SSLv2 },
2937#endif
2938#ifdef SSL_OP_NO_SSLv3
2939 { US"no_sslv3", SSL_OP_NO_SSLv3 },
2940#endif
2941#ifdef SSL_OP_NO_TICKET
2942 { US"no_ticket", SSL_OP_NO_TICKET },
2943#endif
2944#ifdef SSL_OP_NO_TLSv1
2945 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
2946#endif
c80c5570
PP		 2947#ifdef SSL_OP_NO_TLSv1_1
2948#if SSL_OP_NO_TLSv1_1 == 0x00000400L
2949 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
2950#warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
2951#else
2952 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
2953#endif
2954#endif
2955#ifdef SSL_OP_NO_TLSv1_2
2956 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
2957#endif
e2fbf4a2
PP		 2958#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
2959 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
2960#endif
77bb000f 2961#ifdef SSL_OP_SINGLE_DH_USE
73a46702 2962 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
77bb000f
PP		 2963#endif
2964#ifdef SSL_OP_SINGLE_ECDH_USE
73a46702 2965 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
77bb000f
PP		 2966#endif
2967#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
73a46702 2968 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
77bb000f
PP		 2969#endif
2970#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
73a46702 2971 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
77bb000f
PP		 2972#endif
2973#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
73a46702 2974 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
77bb000f
PP		 2975#endif
2976#ifdef SSL_OP_TLS_D5_BUG
73a46702 2977 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
77bb000f
PP		 2978#endif
2979#ifdef SSL_OP_TLS_ROLLBACK_BUG
73a46702 2980 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
77bb000f
PP		 2981#endif
2982};
2983static int exim_openssl_options_size =
2984 sizeof(exim_openssl_options)/sizeof(struct exim_openssl_option);
2985
c80c5570 2986
77bb000f
PP		 2987static BOOL
2988tls_openssl_one_option_parse(uschar *name, long *value)
2989{
2990int first = 0;
2991int last = exim_openssl_options_size;
2992while (last > first)
2993 {
2994 int middle = (first + last)/2;
2995 int c = Ustrcmp(name, exim_openssl_options[middle].name);
2996 if (c == 0)
2997 {
2998 *value = exim_openssl_options[middle].value;
2999 return TRUE;
3000 }
3001 else if (c > 0)
3002 first = middle + 1;
3003 else
3004 last = middle;
3005 }
3006return FALSE;
3007}
3008
3009
3010
3011
3012/*************************************************
3013* OpenSSL option parsing logic *
3014*************************************************/
3015
3016/* OpenSSL has a number of compatibility options which an administrator might
3017reasonably wish to set. Interpret a list similarly to decode_bits(), so that
3018we look like log_selector.
3019
3020Arguments:
3021 option_spec the administrator-supplied string of options
3022 results ptr to long storage for the options bitmap
3023Returns success or failure
3024*/
3025
3026BOOL
3027tls_openssl_options_parse(uschar *option_spec, long *results)
3028{
3029long result, item;
3030uschar *s, *end;
3031uschar keep_c;
3032BOOL adding, item_parsed;
3033
7006ee24 3034result = SSL_OP_NO_TICKET;
b1770b6e 3035/* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
da3ad30d 3036 * from default because it increases BEAST susceptibility. */
f0f5a555
PP		 3037#ifdef SSL_OP_NO_SSLv2
3038result |= SSL_OP_NO_SSLv2;
3039#endif
a57b6200
JH		 3040#ifdef SSL_OP_SINGLE_DH_USE
3041result |= SSL_OP_SINGLE_DH_USE;
3042#endif
77bb000f 3043
7006ee24 3044if (!option_spec)
77bb000f
PP		 3045 {
3046 *results = result;
3047 return TRUE;
3048 }
3049
3050for (s=option_spec; *s != '\0'; /**/)
3051 {
3052 while (isspace(*s)) ++s;
3053 if (*s == '\0')
3054 break;
3055 if (*s != '+' && *s != '-')
3056 {
3057 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
0e944a0d 3058 "+ or - expected but found \"%s\"\n", s);
77bb000f
PP		 3059 return FALSE;
3060 }
3061 adding = *s++ == '+';
3062 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
3063 keep_c = *end;
3064 *end = '\0';
3065 item_parsed = tls_openssl_one_option_parse(s, &item);
96f5fe4c 3066 *end = keep_c;
77bb000f
PP		 3067 if (!item_parsed)
3068 {
0e944a0d 3069 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
77bb000f
PP		 3070 return FALSE;
3071 }
3072 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
3073 adding ? "adding" : "removing", result, item, s);
3074 if (adding)
3075 result |= item;
3076 else
3077 result &= ~item;
77bb000f
PP		 3078 s = end;
3079 }
3080
3081*results = result;
3082return TRUE;
3083}
3084
9d1c15ef
JH		 3085/* vi: aw ai sw=2
3086*/
059ec3d9 3087/* End of tls-openssl.c */
Unnamed repository; edit this file 'description' to name the repository.