projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
tidying
[exim.git] / src / src / tls-openssl.c
CommitLineData
059ec3d9
PH		 1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
b10c87b3 5/* Copyright (c) University of Cambridge 1995 - 2019 */
059ec3d9
PH		 6/* See the file NOTICE for conditions of use and distribution. */
7
f5d78688
JH		 8/* Portions Copyright (c) The OpenSSL Project 1999 */
9
059ec3d9
PH		 10/* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11library. It is #included into the tls.c file when that library is used. The
12code herein is based on a patch that was originally contributed by Steve
13Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
14
15No cryptographic code is included in Exim. All this module does is to call
16functions from the OpenSSL library. */
17
18
19/* Heading stuff */
20
21#include <openssl/lhash.h>
22#include <openssl/ssl.h>
23#include <openssl/err.h>
24#include <openssl/rand.h>
10ca4f1c
JH		 25#ifndef OPENSSL_NO_ECDH
26# include <openssl/ec.h>
27#endif
f2de3a33 28#ifndef DISABLE_OCSP
e51c7be2 29# include <openssl/ocsp.h>
3f7eeb86 30#endif
c0635b6d 31#ifdef SUPPORT_DANE
05e796ad 32# include "danessl.h"
85098ee7
JH		 33#endif
34
3f7eeb86 35
f2de3a33
JH		 36#ifndef DISABLE_OCSP
37# define EXIM_OCSP_SKEW_SECONDS (300L)
38# define EXIM_OCSP_MAX_AGE (-1L)
3f7eeb86 39#endif
059ec3d9 40
3bcbbbe2 41#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
e51c7be2 42# define EXIM_HAVE_OPENSSL_TLSEXT
3bcbbbe2 43#endif
c8dfb21d
JH		 44#if OPENSSL_VERSION_NUMBER >= 0x00908000L
45# define EXIM_HAVE_RSA_GENKEY_EX
46#endif
47#if OPENSSL_VERSION_NUMBER >= 0x10100000L
48# define EXIM_HAVE_OCSP_RESP_COUNT
49#else
50# define EXIM_HAVE_EPHEM_RSA_KEX
51# define EXIM_HAVE_RAND_PSEUDO
52#endif
53#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
8442641e 54# define EXIM_HAVE_SHA256
c8dfb21d 55#endif
34e3241d 56
d7978c0f
JH		 57/* X509_check_host provides sane certificate hostname checking, but was added
58to OpenSSL late, after other projects forked off the code-base. So in
59addition to guarding against the base version number, beware that LibreSSL
60does not (at this time) support this function.
61
62If LibreSSL gains a different API, perhaps via libtls, then we'll probably
63opt to disentangle and ask a LibreSSL user to provide glue for a third
64crypto provider for libtls instead of continuing to tie the OpenSSL glue
65into even twistier knots. If LibreSSL gains the same API, we can just
66change this guard and punt the issue for a while longer. */
67
34e3241d
PP		 68#ifndef LIBRESSL_VERSION_NUMBER
69# if OPENSSL_VERSION_NUMBER >= 0x010100000L
70# define EXIM_HAVE_OPENSSL_CHECKHOST
8420742d 71# define EXIM_HAVE_OPENSSL_DH_BITS
7a8b9519 72# define EXIM_HAVE_OPENSSL_TLS_METHOD
f20cfa4a 73# define EXIM_HAVE_OPENSSL_KEYLOG
f1be21cf 74# define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
b10c87b3 75# define EXIM_HAVE_SESSION_TICKET
e570d136 76# define EXIM_HAVE_OPESSL_TRACE
7434882d
JH		 77# else
78# define EXIM_NEED_OPENSSL_INIT
34e3241d
PP		 79# endif
80# if OPENSSL_VERSION_NUMBER >= 0x010000000L \
2dfb468b 81 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
34e3241d
PP		 82# define EXIM_HAVE_OPENSSL_CHECKHOST
83# endif
11aa88b0 84#endif
10ca4f1c 85
11aa88b0
RA		 86#if !defined(LIBRESSL_VERSION_NUMBER) \
87 || LIBRESSL_VERSION_NUMBER >= 0x20010000L
10ca4f1c
JH		 88# if !defined(OPENSSL_NO_ECDH)
89# if OPENSSL_VERSION_NUMBER >= 0x0090800fL
8442641e 90# define EXIM_HAVE_ECDH
10ca4f1c
JH		 91# endif
92# if OPENSSL_VERSION_NUMBER >= 0x10002000L
10ca4f1c
JH		 93# define EXIM_HAVE_OPENSSL_EC_NIST2NID
94# endif
95# endif
2dfb468b 96#endif
3bcbbbe2 97
8a40db1c
JH		 98#ifndef LIBRESSL_VERSION_NUMBER
99# if OPENSSL_VERSION_NUMBER >= 0x010101000L
100# define OPENSSL_HAVE_KEYLOG_CB
d7f31bb6 101# define OPENSSL_HAVE_NUM_TICKETS
f1be21cf 102# define EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
8a40db1c
JH		 103# endif
104#endif
105
67791ce4
JH		 106#if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
107# warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
108# define DISABLE_OCSP
109#endif
43e2db44
JH		 110
111#ifdef EXPERIMENTAL_TLS_RESUME
112# if OPENSSL_VERSION_NUMBER < 0x0101010L
113# error OpenSSL version too old for session-resumption
114# endif
115#endif
67791ce4 116
a6510420
JH		 117#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
118# include <openssl/x509v3.h>
119#endif
120
f1be21cf
JH		 121#ifndef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
122# ifndef EXIM_HAVE_OPENSSL_CIPHER_GET_ID
123# define SSL_CIPHER_get_id(c) (c->id)
124# endif
dca6d121
JH		 125# ifndef MACRO_PREDEF
126# include "tls-cipher-stdname.c"
127# endif
f1be21cf
JH		 128#endif
129
8442641e
JH		 130/*************************************************
131* OpenSSL option parse *
132*************************************************/
133
134typedef struct exim_openssl_option {
135 uschar *name;
136 long value;
137} exim_openssl_option;
138/* We could use a macro to expand, but we need the ifdef and not all the
139options document which version they were introduced in. Policylet: include
140all options unless explicitly for DTLS, let the administrator choose which
141to apply.
142
143This list is current as of:
144 ==> 1.0.1b <==
145Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
146Plus SSL_OP_NO_TLSv1_3 for 1.1.2-dev
147*/
148static exim_openssl_option exim_openssl_options[] = {
149/* KEEP SORTED ALPHABETICALLY! */
150#ifdef SSL_OP_ALL
6d95688d 151 { US"all", (long) SSL_OP_ALL },
8442641e
JH		 152#endif
153#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
154 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
155#endif
156#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
157 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
158#endif
159#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
160 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
161#endif
162#ifdef SSL_OP_EPHEMERAL_RSA
163 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
164#endif
165#ifdef SSL_OP_LEGACY_SERVER_CONNECT
166 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
167#endif
168#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
169 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
170#endif
171#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
172 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
173#endif
174#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
175 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
176#endif
177#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
178 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
179#endif
180#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
181 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
182#endif
183#ifdef SSL_OP_NO_COMPRESSION
184 { US"no_compression", SSL_OP_NO_COMPRESSION },
185#endif
186#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
187 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
188#endif
189#ifdef SSL_OP_NO_SSLv2
190 { US"no_sslv2", SSL_OP_NO_SSLv2 },
191#endif
192#ifdef SSL_OP_NO_SSLv3
193 { US"no_sslv3", SSL_OP_NO_SSLv3 },
194#endif
195#ifdef SSL_OP_NO_TICKET
196 { US"no_ticket", SSL_OP_NO_TICKET },
197#endif
198#ifdef SSL_OP_NO_TLSv1
199 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
200#endif
201#ifdef SSL_OP_NO_TLSv1_1
202#if SSL_OP_NO_TLSv1_1 == 0x00000400L
203 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
204#warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
205#else
206 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
207#endif
208#endif
209#ifdef SSL_OP_NO_TLSv1_2
210 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
211#endif
212#ifdef SSL_OP_NO_TLSv1_3
213 { US"no_tlsv1_3", SSL_OP_NO_TLSv1_3 },
214#endif
215#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
216 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
217#endif
218#ifdef SSL_OP_SINGLE_DH_USE
219 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
220#endif
221#ifdef SSL_OP_SINGLE_ECDH_USE
222 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
223#endif
224#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
225 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
226#endif
227#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
228 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
229#endif
230#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
231 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
232#endif
233#ifdef SSL_OP_TLS_D5_BUG
234 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
235#endif
236#ifdef SSL_OP_TLS_ROLLBACK_BUG
237 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
238#endif
239};
240
241#ifndef MACRO_PREDEF
242static int exim_openssl_options_size = nelem(exim_openssl_options);
243#endif
244
245#ifdef MACRO_PREDEF
246void
247options_tls(void)
248{
8442641e
JH		 249uschar buf[64];
250
d7978c0f 251for (struct exim_openssl_option * o = exim_openssl_options;
8442641e
JH		 252 o < exim_openssl_options + nelem(exim_openssl_options); o++)
253 {
254 /* Trailing X is workaround for problem with _OPT_OPENSSL_NO_TLSV1
255 being a ".ifdef _OPT_OPENSSL_NO_TLSV1_3" match */
256
257 spf(buf, sizeof(buf), US"_OPT_OPENSSL_%T_X", o->name);
258 builtin_macro_create(buf);
259 }
b10c87b3
JH		 260
261# ifdef EXPERIMENTAL_TLS_RESUME
262builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
263# endif
8442641e
JH		 264}
265#else
266
267/******************************************************************************/
268
059ec3d9
PH		 269/* Structure for collecting random data for seeding. */
270
271typedef struct randstuff {
9e3331ea
TK		 272 struct timeval tv;
273 pid_t p;
059ec3d9
PH		 274} randstuff;
275
276/* Local static variables */
277
a2ff477a
JH		 278static BOOL client_verify_callback_called = FALSE;
279static BOOL server_verify_callback_called = FALSE;
059ec3d9
PH		 280static const uschar *sid_ctx = US"exim";
281
d4f09789
PP		 282/* We have three different contexts to care about.
283
284Simple case: client, `client_ctx`
285 As a client, we can be doing a callout or cut-through delivery while receiving
286 a message. So we have a client context, which should have options initialised
74f1a423
JH		 287 from the SMTP Transport. We may also concurrently want to make TLS connections
288 to utility daemons, so client-contexts are allocated and passed around in call
289 args rather than using a gobal.
d4f09789
PP		 290
291Server:
292 There are two cases: with and without ServerNameIndication from the client.
293 Given TLS SNI, we can be using different keys, certs and various other
294 configuration settings, because they're re-expanded with $tls_sni set. This
295 allows vhosting with TLS. This SNI is sent in the handshake.
296 A client might not send SNI, so we need a fallback, and an initial setup too.
297 So as a server, we start out using `server_ctx`.
298 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
299 `server_sni` from `server_ctx` and then initialise settings by re-expanding
300 configuration.
301*/
302
74f1a423
JH		 303typedef struct {
304 SSL_CTX * ctx;
305 SSL * ssl;
c09dbcfb 306 gstring * corked;
74f1a423
JH		 307} exim_openssl_client_tls_ctx;
308
817d9f57 309static SSL_CTX *server_ctx = NULL;
817d9f57 310static SSL *server_ssl = NULL;
389ca47a 311
35731706 312#ifdef EXIM_HAVE_OPENSSL_TLSEXT
817d9f57 313static SSL_CTX *server_sni = NULL;
35731706 314#endif
059ec3d9
PH		 315
316static char ssl_errstring[256];
317
dea4b568 318static int ssl_session_timeout = 7200; /* Two hours */
a2ff477a
JH		 319static BOOL client_verify_optional = FALSE;
320static BOOL server_verify_optional = FALSE;
059ec3d9 321
f5d78688 322static BOOL reexpand_tls_files_for_sni = FALSE;
059ec3d9
PH		 323
324
7be682ca 325typedef struct tls_ext_ctx_cb {
b10c87b3 326 tls_support * tlsp;
7be682ca
PP		 327 uschar *certificate;
328 uschar *privatekey;
f5d78688 329 BOOL is_server;
a6510420 330#ifndef DISABLE_OCSP
c3033f13 331 STACK_OF(X509) *verify_stack; /* chain for verifying the proof */
f5d78688
JH		 332 union {
333 struct {
334 uschar *file;
335 uschar *file_expanded;
336 OCSP_RESPONSE *response;
337 } server;
338 struct {
44662487
JH		 339 X509_STORE *verify_store; /* non-null if status requested */
340 BOOL verify_required;
f5d78688
JH		 341 } client;
342 } u_ocsp;
3f7eeb86 343#endif
7be682ca
PP		 344 uschar *dhparam;
345 /* these are cached from first expand */
346 uschar *server_cipher_list;
347 /* only passed down to tls_error: */
348 host_item *host;
55414b25 349 const uschar * verify_cert_hostnames;
0cbf2b82 350#ifndef DISABLE_EVENT
a7538db1
JH		 351 uschar * event_action;
352#endif
7be682ca
PP		 353} tls_ext_ctx_cb;
354
355/* should figure out a cleanup of API to handle state preserved per
356implementation, for various reasons, which can be void * in the APIs.
357For now, we hack around it. */
b10c87b3 358tls_ext_ctx_cb *client_static_cbinfo = NULL; /*XXX should not use static; multiple concurrent clients! */
817d9f57 359tls_ext_ctx_cb *server_static_cbinfo = NULL;
7be682ca
PP		 360
361static int
983207c1 362setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
cf0c6164 363 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr );
059ec3d9 364
3f7eeb86 365/* Callbacks */
3bcbbbe2 366#ifdef EXIM_HAVE_OPENSSL_TLSEXT
3f7eeb86 367static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
3bcbbbe2 368#endif
f2de3a33 369#ifndef DISABLE_OCSP
f5d78688 370static int tls_server_stapling_cb(SSL *s, void *arg);
3f7eeb86
PP		 371#endif
372
059ec3d9 373
b10c87b3 374
4d93129f 375/* Daemon-called, before every connection, key create/rotate */
b10c87b3
JH		 376#ifdef EXPERIMENTAL_TLS_RESUME
377static void tk_init(void);
378static int tls_exdata_idx = -1;
379#endif
380
381void
382tls_daemon_init(void)
383{
384#ifdef EXPERIMENTAL_TLS_RESUME
385tk_init();
386#endif
387return;
388}
389
390
059ec3d9
PH		 391/*************************************************
392* Handle TLS error *
393*************************************************/
394
395/* Called from lots of places when errors occur before actually starting to do
396the TLS handshake, that is, while the session is still in clear. Always returns
397DEFER for a server and FAIL for a client so that most calls can use "return
398tls_error(...)" to do this processing and then give an appropriate return. A
399single function is used for both server and client, because it is called from
400some shared functions.
401
402Argument:
403 prefix text to include in the logged error
404 host NULL if setting up a server;
405 the connected host if setting up a client
7199e1ee 406 msg error message or NULL if we should ask OpenSSL
cf0c6164 407 errstr pointer to output error message
059ec3d9
PH		 408
409Returns: OK/DEFER/FAIL
410*/
411
412static int
cf0c6164 413tls_error(uschar * prefix, const host_item * host, uschar * msg, uschar ** errstr)
059ec3d9 414{
c562fd30 415if (!msg)
7199e1ee 416 {
0abc5a13 417 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
cf0c6164 418 msg = US ssl_errstring;
7199e1ee
TF		 419 }
420
5a2a0989
JH		 421msg = string_sprintf("(%s): %s", prefix, msg);
422DEBUG(D_tls) debug_printf("TLS error '%s'\n", msg);
423if (errstr) *errstr = msg;
cf0c6164 424return host ? FAIL : DEFER;
059ec3d9
PH		 425}
426
427
428
429/*************************************************
430* Callback to generate RSA key *
431*************************************************/
432
433/*
434Arguments:
3ae79556 435 s SSL connection (not used)
059ec3d9
PH		 436 export not used
437 keylength keylength
438
439Returns: pointer to generated key
440*/
441
442static RSA *
443rsa_callback(SSL *s, int export, int keylength)
444{
445RSA *rsa_key;
c8dfb21d
JH		 446#ifdef EXIM_HAVE_RSA_GENKEY_EX
447BIGNUM *bn = BN_new();
448#endif
449
059ec3d9
PH		 450export = export; /* Shut picky compilers up */
451DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
c8dfb21d
JH		 452
453#ifdef EXIM_HAVE_RSA_GENKEY_EX
454if ( !BN_set_word(bn, (unsigned long)RSA_F4)
f2cb6292 455 || !(rsa_key = RSA_new())
c8dfb21d
JH		 456 || !RSA_generate_key_ex(rsa_key, keylength, bn, NULL)
457 )
458#else
23bb6982 459if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL)))
c8dfb21d
JH		 460#endif
461
059ec3d9 462 {
0abc5a13 463 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
059ec3d9
PH		 464 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
465 ssl_errstring);
466 return NULL;
467 }
468return rsa_key;
469}
470
471
472
f5d78688 473/* Extreme debug
f2de3a33 474#ifndef DISABLE_OCSP
f5d78688
JH		 475void
476x509_store_dump_cert_s_names(X509_STORE * store)
477{
478STACK_OF(X509_OBJECT) * roots= store->objs;
f5d78688
JH		 479static uschar name[256];
480
d7978c0f 481for (int i= 0; i < sk_X509_OBJECT_num(roots); i++)
f5d78688
JH		 482 {
483 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
484 if(tmp_obj->type == X509_LU_X509)
485 {
70e384dd
JH		 486 X509_NAME * sn = X509_get_subject_name(tmp_obj->data.x509);
487 if (X509_NAME_oneline(sn, CS name, sizeof(name)))
488 {
489 name[sizeof(name)-1] = '\0';
490 debug_printf(" %s\n", name);
491 }
f5d78688
JH		 492 }
493 }
494}
495#endif
496*/
497
059ec3d9 498
0cbf2b82 499#ifndef DISABLE_EVENT
f69979cf
JH		 500static int
501verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
502 BOOL *calledp, const BOOL *optionalp, const uschar * what)
503{
504uschar * ev;
505uschar * yield;
506X509 * old_cert;
507
508ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
509if (ev)
510 {
aaba7d03 511 DEBUG(D_tls) debug_printf("verify_event: %s %d\n", what, depth);
f69979cf
JH		 512 old_cert = tlsp->peercert;
513 tlsp->peercert = X509_dup(cert);
514 /* NB we do not bother setting peerdn */
515 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
516 {
517 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
518 "depth=%d cert=%s: %s",
519 tlsp == &tls_out ? deliver_host_address : sender_host_address,
520 what, depth, dn, yield);
521 *calledp = TRUE;
522 if (!*optionalp)
523 {
524 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
525 return 1; /* reject (leaving peercert set) */
526 }
527 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
528 "(host in tls_try_verify_hosts)\n");
4a1bd6b9 529 tlsp->verify_override = TRUE;
f69979cf
JH		 530 }
531 X509_free(tlsp->peercert);
532 tlsp->peercert = old_cert;
533 }
534return 0;
535}
536#endif
537
059ec3d9
PH		 538/*************************************************
539* Callback for verification *
540*************************************************/
541
542/* The SSL library does certificate verification if set up to do so. This
543callback has the current yes/no state is in "state". If verification succeeded,
f69979cf
JH		 544we set the certificate-verified flag. If verification failed, what happens
545depends on whether the client is required to present a verifiable certificate
546or not.
059ec3d9
PH		 547
548If verification is optional, we change the state to yes, but still log the
549verification error. For some reason (it really would help to have proper
550documentation of OpenSSL), this callback function then gets called again, this
f69979cf
JH		 551time with state = 1. We must take care not to set the private verified flag on
552the second time through.
059ec3d9
PH		 553
554Note: this function is not called if the client fails to present a certificate
555when asked. We get here only if a certificate has been received. Handling of
556optional verification for this case is done when requesting SSL to verify, by
557setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
558
a7538db1
JH		 559May be called multiple times for different issues with a certificate, even
560for a given "depth" in the certificate chain.
561
059ec3d9 562Arguments:
f2f2c91b
JH		 563 preverify_ok current yes/no state as 1/0
564 x509ctx certificate information.
565 tlsp per-direction (client vs. server) support data
566 calledp has-been-called flag
567 optionalp verification-is-optional flag
059ec3d9 568
f2f2c91b 569Returns: 0 if verification should fail, otherwise 1
059ec3d9
PH		 570*/
571
572static int
70e384dd
JH		 573verify_callback(int preverify_ok, X509_STORE_CTX * x509ctx,
574 tls_support * tlsp, BOOL * calledp, BOOL * optionalp)
059ec3d9 575{
421aff85 576X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
a7538db1 577int depth = X509_STORE_CTX_get_error_depth(x509ctx);
f69979cf 578uschar dn[256];
059ec3d9 579
70e384dd
JH		 580if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
581 {
582 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
583 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
584 tlsp == &tls_out ? deliver_host_address : sender_host_address);
585 return 0;
586 }
f69979cf 587dn[sizeof(dn)-1] = '\0';
059ec3d9 588
f4e62a87 589tlsp->verify_override = FALSE;
f2f2c91b 590if (preverify_ok == 0)
059ec3d9 591 {
f77197ae
JH		 592 uschar * extra = verify_mode ? string_sprintf(" (during %c-verify for [%s])",
593 *verify_mode, sender_host_address)
594 : US"";
595 log_write(0, LOG_MAIN, "[%s] SSL verify error%s: depth=%d error=%s cert=%s",
596 tlsp == &tls_out ? deliver_host_address : sender_host_address,
597 extra, depth,
598 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)), dn);
a2ff477a 599 *calledp = TRUE;
9d1c15ef
JH		 600 if (!*optionalp)
601 {
f69979cf
JH		 602 if (!tlsp->peercert)
603 tlsp->peercert = X509_dup(cert); /* record failing cert */
604 return 0; /* reject */
9d1c15ef 605 }
059ec3d9
PH		 606 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
607 "tls_try_verify_hosts)\n");
4a1bd6b9 608 tlsp->verify_override = TRUE;
059ec3d9
PH		 609 }
610
a7538db1 611else if (depth != 0)
059ec3d9 612 {
f69979cf 613 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
f2de3a33 614#ifndef DISABLE_OCSP
f5d78688
JH		 615 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
616 { /* client, wanting stapling */
617 /* Add the server cert's signing chain as the one
618 for the verification of the OCSP stapled information. */
94431adb 619
f5d78688 620 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
421aff85 621 cert))
f5d78688 622 ERR_clear_error();
c3033f13 623 sk_X509_push(client_static_cbinfo->verify_stack, cert);
f5d78688 624 }
a7538db1 625#endif
0cbf2b82 626#ifndef DISABLE_EVENT
f69979cf
JH		 627 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
628 return 0; /* reject, with peercert set */
f5d78688 629#endif
059ec3d9
PH		 630 }
631else
632 {
55414b25 633 const uschar * verify_cert_hostnames;
e51c7be2 634
e51c7be2
JH		 635 if ( tlsp == &tls_out
636 && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
afdb5e9c 637 /* client, wanting hostname check */
e51c7be2 638 {
f69979cf 639
740f36d4 640#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
f69979cf
JH		 641# ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
642# define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
643# endif
644# ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
645# define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
646# endif
e51c7be2 647 int sep = 0;
55414b25 648 const uschar * list = verify_cert_hostnames;
e51c7be2 649 uschar * name;
d8e7834a
JH		 650 int rc;
651 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
f40d5be3 652 if ((rc = X509_check_host(cert, CCS name, 0,
8d692470 653 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
740f36d4
JH		 654 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
655 NULL)))
d8e7834a
JH		 656 {
657 if (rc < 0)
658 {
93a6fce2 659 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
f77197ae 660 tlsp == &tls_out ? deliver_host_address : sender_host_address);
d8e7834a
JH		 661 name = NULL;
662 }
e51c7be2 663 break;
d8e7834a 664 }
e51c7be2 665 if (!name)
f69979cf 666#else
e51c7be2 667 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
f69979cf 668#endif
e51c7be2 669 {
f77197ae
JH		 670 uschar * extra = verify_mode
671 ? string_sprintf(" (during %c-verify for [%s])",
672 *verify_mode, sender_host_address)
673 : US"";
e51c7be2 674 log_write(0, LOG_MAIN,
f77197ae
JH		 675 "[%s] SSL verify error%s: certificate name mismatch: DN=\"%s\" H=\"%s\"",
676 tlsp == &tls_out ? deliver_host_address : sender_host_address,
677 extra, dn, verify_cert_hostnames);
a3ef7310
JH		 678 *calledp = TRUE;
679 if (!*optionalp)
f69979cf
JH		 680 {
681 if (!tlsp->peercert)
682 tlsp->peercert = X509_dup(cert); /* record failing cert */
683 return 0; /* reject */
684 }
4a1bd6b9 685 DEBUG(D_tls) debug_printf("SSL verify name failure overridden (host in "
a3ef7310 686 "tls_try_verify_hosts)\n");
4a1bd6b9 687 tlsp->verify_override = TRUE;
e51c7be2 688 }
f69979cf 689 }
e51c7be2 690
0cbf2b82 691#ifndef DISABLE_EVENT
f69979cf
JH		 692 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
693 return 0; /* reject, with peercert set */
e51c7be2
JH		 694#endif
695
93dcb1c2 696 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
f69979cf 697 *calledp ? "" : " authenticated", dn);
93dcb1c2 698 *calledp = TRUE;
059ec3d9
PH		 699 }
700
a7538db1 701return 1; /* accept, at least for this level */
059ec3d9
PH		 702}
703
a2ff477a 704static int
f2f2c91b 705verify_callback_client(int preverify_ok, X509_STORE_CTX *x509ctx)
a2ff477a 706{
f2f2c91b
JH		 707return verify_callback(preverify_ok, x509ctx, &tls_out,
708 &client_verify_callback_called, &client_verify_optional);
a2ff477a
JH		 709}
710
711static int
f2f2c91b 712verify_callback_server(int preverify_ok, X509_STORE_CTX *x509ctx)
a2ff477a 713{
f2f2c91b
JH		 714return verify_callback(preverify_ok, x509ctx, &tls_in,
715 &server_verify_callback_called, &server_verify_optional);
a2ff477a
JH		 716}
717
059ec3d9 718
c0635b6d 719#ifdef SUPPORT_DANE
53a7196b 720
e5cccda9
JH		 721/* This gets called *by* the dane library verify callback, which interposes
722itself.
723*/
724static int
f2f2c91b 725verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
e5cccda9
JH		 726{
727X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
f69979cf 728uschar dn[256];
83b27293 729int depth = X509_STORE_CTX_get_error_depth(x509ctx);
5c75db2e 730#ifndef DISABLE_EVENT
f69979cf 731BOOL dummy_called, optional = FALSE;
83b27293 732#endif
e5cccda9 733
70e384dd
JH		 734if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
735 {
736 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
737 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
738 deliver_host_address);
739 return 0;
740 }
f69979cf 741dn[sizeof(dn)-1] = '\0';
e5cccda9 742
f2f2c91b
JH		 743DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
744 preverify_ok ? "ok":"BAD", depth, dn);
e5cccda9 745
0cbf2b82 746#ifndef DISABLE_EVENT
f69979cf
JH		 747 if (verify_event(&tls_out, cert, depth, dn,
748 &dummy_called, &optional, US"DANE"))
749 return 0; /* reject, with peercert set */
83b27293
JH		 750#endif
751
f2f2c91b 752if (preverify_ok == 1)
6fbf3599 753 {
4a1bd6b9 754 tls_out.dane_verified = TRUE;
6fbf3599
JH		 755#ifndef DISABLE_OCSP
756 if (client_static_cbinfo->u_ocsp.client.verify_store)
757 { /* client, wanting stapling */
758 /* Add the server cert's signing chain as the one
759 for the verification of the OCSP stapled information. */
760
761 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
762 cert))
763 ERR_clear_error();
764 sk_X509_push(client_static_cbinfo->verify_stack, cert);
765 }
766#endif
767 }
f2f2c91b
JH		 768else
769 {
770 int err = X509_STORE_CTX_get_error(x509ctx);
771 DEBUG(D_tls)
772 debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
3c51463e 773 if (err == X509_V_ERR_APPLICATION_VERIFICATION)
f2f2c91b
JH		 774 preverify_ok = 1;
775 }
776return preverify_ok;
e5cccda9 777}
53a7196b 778
c0635b6d 779#endif /*SUPPORT_DANE*/
e5cccda9 780
059ec3d9
PH		 781
782/*************************************************
783* Information callback *
784*************************************************/
785
786/* The SSL library functions call this from time to time to indicate what they
7be682ca
PP		 787are doing. We copy the string to the debugging output when TLS debugging has
788been requested.
059ec3d9
PH		 789
790Arguments:
791 s the SSL connection
792 where
793 ret
794
795Returns: nothing
796*/
797
798static void
799info_callback(SSL *s, int where, int ret)
800{
0abc5a13
JH		 801DEBUG(D_tls)
802 {
803 const uschar * str;
804
805 if (where & SSL_ST_CONNECT)
48224640 806 str = US"SSL_connect";
0abc5a13 807 else if (where & SSL_ST_ACCEPT)
48224640 808 str = US"SSL_accept";
0abc5a13 809 else
48224640 810 str = US"SSL info (undefined)";
0abc5a13
JH		 811
812 if (where & SSL_CB_LOOP)
813 debug_printf("%s: %s\n", str, SSL_state_string_long(s));
814 else if (where & SSL_CB_ALERT)
815 debug_printf("SSL3 alert %s:%s:%s\n",
48224640 816 str = where & SSL_CB_READ ? US"read" : US"write",
0abc5a13
JH		 817 SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
818 else if (where & SSL_CB_EXIT)
819 if (ret == 0)
820 debug_printf("%s: failed in %s\n", str, SSL_state_string_long(s));
821 else if (ret < 0)
822 debug_printf("%s: error in %s\n", str, SSL_state_string_long(s));
823 else if (where & SSL_CB_HANDSHAKE_START)
824 debug_printf("%s: hshake start: %s\n", str, SSL_state_string_long(s));
825 else if (where & SSL_CB_HANDSHAKE_DONE)
826 debug_printf("%s: hshake done: %s\n", str, SSL_state_string_long(s));
827 }
059ec3d9
PH		 828}
829
8238bc7b 830#ifdef OPENSSL_HAVE_KEYLOG_CB
8a40db1c
JH		 831static void
832keylog_callback(const SSL *ssl, const char *line)
833{
834DEBUG(D_tls) debug_printf("%.200s\n", line);
835}
8238bc7b 836#endif
8a40db1c 837
059ec3d9 838
b10c87b3
JH		 839#ifdef EXPERIMENTAL_TLS_RESUME
840/* Manage the keysets used for encrypting the session tickets, on the server. */
841
842typedef struct { /* Session ticket encryption key */
843 uschar name[16];
844
845 const EVP_CIPHER * aes_cipher;
4d93129f 846 uschar aes_key[32]; /* size needed depends on cipher. aes_128 implies 128/8 = 16? */
b10c87b3
JH		 847 const EVP_MD * hmac_hash;
848 uschar hmac_key[16];
849 time_t renew;
850 time_t expire;
851} exim_stek;
852
4d93129f
JH		 853static exim_stek exim_tk; /* current key */
854static exim_stek exim_tk_old; /* previous key */
b10c87b3
JH		 855
856static void
857tk_init(void)
858{
4d93129f
JH		 859time_t t = time(NULL);
860
b10c87b3
JH		 861if (exim_tk.name[0])
862 {
4d93129f 863 if (exim_tk.renew >= t) return;
b10c87b3
JH		 864 exim_tk_old = exim_tk;
865 }
866
867if (f.running_in_test_harness) ssl_session_timeout = 6;
868
869DEBUG(D_tls) debug_printf("OpenSSL: %s STEK\n", exim_tk.name[0] ? "rotating" : "creating");
870if (RAND_bytes(exim_tk.aes_key, sizeof(exim_tk.aes_key)) <= 0) return;
871if (RAND_bytes(exim_tk.hmac_key, sizeof(exim_tk.hmac_key)) <= 0) return;
872if (RAND_bytes(exim_tk.name+1, sizeof(exim_tk.name)-1) <= 0) return;
873
874exim_tk.name[0] = 'E';
4d93129f 875exim_tk.aes_cipher = EVP_aes_256_cbc();
b10c87b3 876exim_tk.hmac_hash = EVP_sha256();
4d93129f
JH		 877exim_tk.expire = t + ssl_session_timeout;
878exim_tk.renew = t + ssl_session_timeout/2;
b10c87b3
JH		 879}
880
881static exim_stek *
882tk_current(void)
883{
884if (!exim_tk.name[0]) return NULL;
885return &exim_tk;
886}
887
888static exim_stek *
889tk_find(const uschar * name)
890{
891return memcmp(name, exim_tk.name, sizeof(exim_tk.name)) == 0 ? &exim_tk
892 : memcmp(name, exim_tk_old.name, sizeof(exim_tk_old.name)) == 0 ? &exim_tk_old
893 : NULL;
894}
895
896/* Callback for session tickets, on server */
897static int
898ticket_key_callback(SSL * ssl, uschar key_name[16],
899 uschar * iv, EVP_CIPHER_CTX * ctx, HMAC_CTX * hctx, int enc)
900{
901tls_support * tlsp = server_static_cbinfo->tlsp;
902exim_stek * key;
903
904if (enc)
905 {
906 DEBUG(D_tls) debug_printf("ticket_key_callback: create new session\n");
907 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
908
909 if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) <= 0)
910 return -1; /* insufficient random */
911
912 if (!(key = tk_current())) /* current key doesn't exist or isn't valid */
913 return 0; /* key couldn't be created */
914 memcpy(key_name, key->name, 16);
d70fc283 915 DEBUG(D_tls) debug_printf("STEK expire " TIME_T_FMT "\n", key->expire - time(NULL));
b10c87b3
JH		 916
917 /*XXX will want these dependent on the ssl session strength */
918 HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
919 key->hmac_hash, NULL);
920 EVP_EncryptInit_ex(ctx, key->aes_cipher, NULL, key->aes_key, iv);
921
922 DEBUG(D_tls) debug_printf("ticket created\n");
923 return 1;
924 }
925else
926 {
927 time_t now = time(NULL);
928
929 DEBUG(D_tls) debug_printf("ticket_key_callback: retrieve session\n");
930 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
931
932 if (!(key = tk_find(key_name)) || key->expire < now)
933 {
934 DEBUG(D_tls)
935 {
936 debug_printf("ticket not usable (%s)\n", key ? "expired" : "not found");
d70fc283 937 if (key) debug_printf("STEK expire " TIME_T_FMT "\n", key->expire - now);
b10c87b3
JH		 938 }
939 return 0;
940 }
941
942 HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
943 key->hmac_hash, NULL);
944 EVP_DecryptInit_ex(ctx, key->aes_cipher, NULL, key->aes_key, iv);
945
d70fc283 946 DEBUG(D_tls) debug_printf("ticket usable, STEK expire " TIME_T_FMT "\n", key->expire - now);
dea4b568
JH		 947
948 /* The ticket lifetime and renewal are the same as the STEK lifetime and
949 renewal, which is overenthusiastic. A factor of, say, 3x longer STEK would
950 be better. To do that we'd have to encode ticket lifetime in the name as
951 we don't yet see the restored session. Could check posthandshake for TLS1.3
952 and trigger a new ticket then, but cannot do that for TLS1.2 */
b10c87b3
JH		 953 return key->renew < now ? 2 : 1;
954 }
955}
956#endif
957
958
059ec3d9
PH		 959
960/*************************************************
961* Initialize for DH *
962*************************************************/
963
964/* If dhparam is set, expand it, and load up the parameters for DH encryption.
965
966Arguments:
038597d2 967 sctx The current SSL CTX (inbound or outbound)
a799883d 968 dhparam DH parameter file or fixed parameter identity string
7199e1ee 969 host connected host, if client; NULL if server
cf0c6164 970 errstr error string pointer
059ec3d9
PH		 971
972Returns: TRUE if OK (nothing to set up, or setup worked)
973*/
974
975static BOOL
cf0c6164 976init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host, uschar ** errstr)
059ec3d9 977{
059ec3d9
PH		 978BIO *bio;
979DH *dh;
980uschar *dhexpanded;
a799883d 981const char *pem;
6600985a 982int dh_bitsize;
059ec3d9 983
cf0c6164 984if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded, errstr))
059ec3d9
PH		 985 return FALSE;
986
0df4ab80 987if (!dhexpanded || !*dhexpanded)
a799883d 988 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
a799883d 989else if (dhexpanded[0] == '/')
059ec3d9 990 {
0df4ab80 991 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
059ec3d9 992 {
7199e1ee 993 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
cf0c6164 994 host, US strerror(errno), errstr);
a799883d 995 return FALSE;
059ec3d9 996 }
a799883d
PP		 997 }
998else
999 {
1000 if (Ustrcmp(dhexpanded, "none") == 0)
059ec3d9 1001 {
a799883d
PP		 1002 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
1003 return TRUE;
059ec3d9 1004 }
a799883d 1005
0df4ab80 1006 if (!(pem = std_dh_prime_named(dhexpanded)))
a799883d
PP		 1007 {
1008 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
cf0c6164 1009 host, US strerror(errno), errstr);
a799883d
PP		 1010 return FALSE;
1011 }
1012 bio = BIO_new_mem_buf(CS pem, -1);
1013 }
1014
0df4ab80 1015if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
a799883d 1016 {
059ec3d9 1017 BIO_free(bio);
a799883d 1018 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
cf0c6164 1019 host, NULL, errstr);
a799883d
PP		 1020 return FALSE;
1021 }
1022
6600985a
PP		 1023/* note: our default limit of 2236 is not a multiple of 8; the limit comes from
1024 * an NSS limit, and the GnuTLS APIs handle bit-sizes fine, so we went with
1025 * 2236. But older OpenSSL can only report in bytes (octets), not bits.
1026 * If someone wants to dance at the edge, then they can raise the limit or use
1027 * current libraries. */
1028#ifdef EXIM_HAVE_OPENSSL_DH_BITS
1029/* Added in commit 26c79d5641d; `git describe --contains` says OpenSSL_1_1_0-pre1~1022
1030 * This predates OpenSSL_1_1_0 (before a, b, ...) so is in all 1.1.0 */
1031dh_bitsize = DH_bits(dh);
1032#else
1033dh_bitsize = 8 * DH_size(dh);
1034#endif
1035
a799883d
PP		 1036/* Even if it is larger, we silently return success rather than cause things
1037 * to fail out, so that a too-large DH will not knock out all TLS; it's a
1038 * debatable choice. */
6600985a 1039if (dh_bitsize > tls_dh_max_bits)
a799883d
PP		 1040 {
1041 DEBUG(D_tls)
170f4904 1042 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d\n",
6600985a 1043 dh_bitsize, tls_dh_max_bits);
a799883d
PP		 1044 }
1045else
1046 {
1047 SSL_CTX_set_tmp_dh(sctx, dh);
1048 DEBUG(D_tls)
1049 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
6600985a 1050 dhexpanded ? dhexpanded : US"default", dh_bitsize);
059ec3d9
PH		 1051 }
1052
a799883d
PP		 1053DH_free(dh);
1054BIO_free(bio);
1055
1056return TRUE;
059ec3d9
PH		 1057}
1058
1059
1060
1061
038597d2
PP		 1062/*************************************************
1063* Initialize for ECDH *
1064*************************************************/
1065
1066/* Load parameters for ECDH encryption.
1067
1068For now, we stick to NIST P-256 because: it's simple and easy to configure;
1069it avoids any patent issues that might bite redistributors; despite events in
1070the news and concerns over curve choices, we're not cryptographers, we're not
1071pretending to be, and this is "good enough" to be better than no support,
1072protecting against most adversaries. Given another year or two, there might
1073be sufficient clarity about a "right" way forward to let us make an informed
1074decision, instead of a knee-jerk reaction.
1075
1076Longer-term, we should look at supporting both various named curves and
1077external files generated with "openssl ecparam", much as we do for init_dh().
1078We should also support "none" as a value, to explicitly avoid initialisation.
1079
1080Patches welcome.
1081
1082Arguments:
1083 sctx The current SSL CTX (inbound or outbound)
1084 host connected host, if client; NULL if server
cf0c6164 1085 errstr error string pointer
038597d2
PP		 1086
1087Returns: TRUE if OK (nothing to set up, or setup worked)
1088*/
1089
1090static BOOL
cf0c6164 1091init_ecdh(SSL_CTX * sctx, host_item * host, uschar ** errstr)
038597d2 1092{
63f0dbe0
JH		 1093#ifdef OPENSSL_NO_ECDH
1094return TRUE;
1095#else
1096
10ca4f1c
JH		 1097EC_KEY * ecdh;
1098uschar * exp_curve;
1099int nid;
1100BOOL rv;
1101
038597d2
PP		 1102if (host) /* No ECDH setup for clients, only for servers */
1103 return TRUE;
1104
10ca4f1c 1105# ifndef EXIM_HAVE_ECDH
038597d2
PP		 1106DEBUG(D_tls)
1107 debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
1108return TRUE;
038597d2 1109# else
10ca4f1c 1110
cf0c6164 1111if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr))
10ca4f1c
JH		 1112 return FALSE;
1113if (!exp_curve || !*exp_curve)
1114 return TRUE;
1115
8e53a4fc 1116/* "auto" needs to be handled carefully.
4c04137d 1117 * OpenSSL < 1.0.2: we do not select anything, but fallback to prime256v1
8e53a4fc 1118 * OpenSSL < 1.1.0: we have to call SSL_CTX_set_ecdh_auto
4c04137d 1119 * (openssl/ssl.h defines SSL_CTRL_SET_ECDH_AUTO)
8e53a4fc
HSHR		 1120 * OpenSSL >= 1.1.0: we do not set anything, the libray does autoselection
1121 * https://github.com/openssl/openssl/commit/fe6ef2472db933f01b59cad82aa925736935984b
1122 */
10ca4f1c 1123if (Ustrcmp(exp_curve, "auto") == 0)
038597d2 1124 {
8e53a4fc 1125#if OPENSSL_VERSION_NUMBER < 0x10002000L
10ca4f1c 1126 DEBUG(D_tls) debug_printf(
8e53a4fc 1127 "ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n");
78a3bbd5 1128 exp_curve = US"prime256v1";
8e53a4fc
HSHR		 1129#else
1130# if defined SSL_CTRL_SET_ECDH_AUTO
1131 DEBUG(D_tls) debug_printf(
1132 "ECDH OpenSSL 1.0.2+ temp key parameter settings: autoselection\n");
10ca4f1c
JH		 1133 SSL_CTX_set_ecdh_auto(sctx, 1);
1134 return TRUE;
8e53a4fc
HSHR		 1135# else
1136 DEBUG(D_tls) debug_printf(
1137 "ECDH OpenSSL 1.1.0+ temp key parameter settings: default selection\n");
1138 return TRUE;
1139# endif
1140#endif
10ca4f1c 1141 }
038597d2 1142
10ca4f1c
JH		 1143DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve);
1144if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef
1145# ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
1146 && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef
1147# endif
1148 )
1149 {
cf0c6164
JH		 1150 tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve),
1151 host, NULL, errstr);
10ca4f1c
JH		 1152 return FALSE;
1153 }
038597d2 1154
10ca4f1c
JH		 1155if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
1156 {
cf0c6164 1157 tls_error(US"Unable to create ec curve", host, NULL, errstr);
10ca4f1c 1158 return FALSE;
038597d2 1159 }
10ca4f1c
JH		 1160
1161/* The "tmp" in the name here refers to setting a temporary key
1162not to the stability of the interface. */
1163
1164if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
cf0c6164 1165 tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL, errstr);
10ca4f1c
JH		 1166else
1167 DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
1168
1169EC_KEY_free(ecdh);
1170return !rv;
1171
1172# endif /*EXIM_HAVE_ECDH*/
1173#endif /*OPENSSL_NO_ECDH*/
038597d2
PP		 1174}
1175
1176
1177
1178
f2de3a33 1179#ifndef DISABLE_OCSP
3f7eeb86
PP		 1180/*************************************************
1181* Load OCSP information into state *
1182*************************************************/
f5d78688 1183/* Called to load the server OCSP response from the given file into memory, once
3f7eeb86
PP		 1184caller has determined this is needed. Checks validity. Debugs a message
1185if invalid.
1186
1187ASSUMES: single response, for single cert.
1188
1189Arguments:
1190 sctx the SSL_CTX* to update
1191 cbinfo various parts of session state
1192 expanded the filename putatively holding an OCSP response
1193
1194*/
1195
1196static void
f5d78688 1197ocsp_load_response(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo, const uschar *expanded)
3f7eeb86 1198{
ee5b1e28
JH		 1199BIO * bio;
1200OCSP_RESPONSE * resp;
1201OCSP_BASICRESP * basic_response;
1202OCSP_SINGLERESP * single_response;
1203ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
ee5b1e28 1204STACK_OF(X509) * sk;
3f7eeb86
PP		 1205unsigned long verify_flags;
1206int status, reason, i;
1207
f5d78688
JH		 1208cbinfo->u_ocsp.server.file_expanded = string_copy(expanded);
1209if (cbinfo->u_ocsp.server.response)
3f7eeb86 1210 {
f5d78688
JH		 1211 OCSP_RESPONSE_free(cbinfo->u_ocsp.server.response);
1212 cbinfo->u_ocsp.server.response = NULL;
3f7eeb86
PP		 1213 }
1214
ee5b1e28 1215if (!(bio = BIO_new_file(CS cbinfo->u_ocsp.server.file_expanded, "rb")))
3f7eeb86
PP		 1216 {
1217 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
f5d78688 1218 cbinfo->u_ocsp.server.file_expanded);
3f7eeb86
PP		 1219 return;
1220 }
1221
1222resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
1223BIO_free(bio);
1224if (!resp)
1225 {
1226 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
1227 return;
1228 }
1229
ee5b1e28 1230if ((status = OCSP_response_status(resp)) != OCSP_RESPONSE_STATUS_SUCCESSFUL)
3f7eeb86
PP		 1231 {
1232 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
1233 OCSP_response_status_str(status), status);
f5d78688 1234 goto bad;
3f7eeb86
PP		 1235 }
1236
ee5b1e28 1237if (!(basic_response = OCSP_response_get1_basic(resp)))
3f7eeb86
PP		 1238 {
1239 DEBUG(D_tls)
1240 debug_printf("OCSP response parse error: unable to extract basic response.\n");
f5d78688 1241 goto bad;
3f7eeb86
PP		 1242 }
1243
c3033f13 1244sk = cbinfo->verify_stack;
3f7eeb86
PP		 1245verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
1246
1247/* May need to expose ability to adjust those flags?
1248OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
1249OCSP_TRUSTOTHER OCSP_NOINTERN */
1250
4c04137d 1251/* This does a full verify on the OCSP proof before we load it for serving
ee5b1e28
JH		 1252up; possibly overkill - just date-checks might be nice enough.
1253
1254OCSP_basic_verify takes a "store" arg, but does not
1255use it for the chain verification, which is all we do
1256when OCSP_NOVERIFY is set. The content from the wire
1257"basic_response" and a cert-stack "sk" are all that is used.
1258
c3033f13
JH		 1259We have a stack, loaded in setup_certs() if tls_verify_certificates
1260was a file (not a directory, or "system"). It is unfortunate we
1261cannot used the connection context store, as that would neatly
1262handle the "system" case too, but there seems to be no library
1263function for getting a stack from a store.
e3555426 1264[ In OpenSSL 1.1 - ? X509_STORE_CTX_get0_chain(ctx) ? ]
c3033f13
JH		 1265We do not free the stack since it could be needed a second time for
1266SNI handling.
1267
4c04137d 1268Separately we might try to replace using OCSP_basic_verify() - which seems to not
5ec37a55 1269be a public interface into the OpenSSL library (there's no manual entry) -
ee5b1e28 1270But what with? We also use OCSP_basic_verify in the client stapling callback.
4c04137d 1271And there we NEED it; we must verify that status... unless the
ee5b1e28
JH		 1272library does it for us anyway? */
1273
1274if ((i = OCSP_basic_verify(basic_response, sk, NULL, verify_flags)) < 0)
3f7eeb86 1275 {
ee5b1e28
JH		 1276 DEBUG(D_tls)
1277 {
0abc5a13 1278 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3f7eeb86 1279 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
f5d78688
JH		 1280 }
1281 goto bad;
3f7eeb86
PP		 1282 }
1283
1284/* Here's the simplifying assumption: there's only one response, for the
1285one certificate we use, and nothing for anything else in a chain. If this
1286proves false, we need to extract a cert id from our issued cert
1287(tls_certificate) and use that for OCSP_resp_find_status() (which finds the
1288right cert in the stack and then calls OCSP_single_get0_status()).
1289
1290I'm hoping to avoid reworking a bunch more of how we handle state here. */
ee5b1e28
JH		 1291
1292if (!(single_response = OCSP_resp_get0(basic_response, 0)))
3f7eeb86
PP		 1293 {
1294 DEBUG(D_tls)
1295 debug_printf("Unable to get first response from OCSP basic response.\n");
f5d78688 1296 goto bad;
3f7eeb86
PP		 1297 }
1298
1299status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
f5d78688 1300if (status != V_OCSP_CERTSTATUS_GOOD)
3f7eeb86 1301 {
f5d78688
JH		 1302 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
1303 OCSP_cert_status_str(status), status,
1304 OCSP_crl_reason_str(reason), reason);
1305 goto bad;
3f7eeb86
PP		 1306 }
1307
1308if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1309 {
1310 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
f5d78688 1311 goto bad;
3f7eeb86
PP		 1312 }
1313
f5d78688 1314supply_response:
47195144 1315 cbinfo->u_ocsp.server.response = resp; /*XXX stack?*/
f5d78688
JH		 1316return;
1317
1318bad:
8768d548 1319 if (f.running_in_test_harness)
018058b2
JH		 1320 {
1321 extern char ** environ;
d7978c0f 1322 if (environ) for (uschar ** p = USS environ; *p; p++)
018058b2
JH		 1323 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
1324 {
1325 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
1326 goto supply_response;
1327 }
1328 }
f5d78688 1329return;
3f7eeb86 1330}
f2de3a33 1331#endif /*!DISABLE_OCSP*/
3f7eeb86
PP		 1332
1333
1334
1335
23bb6982
JH		 1336/* Create and install a selfsigned certificate, for use in server mode */
1337
1338static int
cf0c6164 1339tls_install_selfsign(SSL_CTX * sctx, uschar ** errstr)
23bb6982
JH		 1340{
1341X509 * x509 = NULL;
1342EVP_PKEY * pkey;
1343RSA * rsa;
1344X509_NAME * name;
1345uschar * where;
1346
1347where = US"allocating pkey";
1348if (!(pkey = EVP_PKEY_new()))
1349 goto err;
1350
1351where = US"allocating cert";
1352if (!(x509 = X509_new()))
1353 goto err;
1354
1355where = US"generating pkey";
6aac3239 1356if (!(rsa = rsa_callback(NULL, 0, 2048)))
23bb6982
JH		 1357 goto err;
1358
4c04137d 1359where = US"assigning pkey";
23bb6982
JH		 1360if (!EVP_PKEY_assign_RSA(pkey, rsa))
1361 goto err;
1362
1363X509_set_version(x509, 2); /* N+1 - version 3 */
1613fd68 1364ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
23bb6982
JH		 1365X509_gmtime_adj(X509_get_notBefore(x509), 0);
1366X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60); /* 1 hour */
1367X509_set_pubkey(x509, pkey);
1368
1369name = X509_get_subject_name(x509);
1370X509_NAME_add_entry_by_txt(name, "C",
4dc2379a 1371 MBSTRING_ASC, CUS "UK", -1, -1, 0);
23bb6982 1372X509_NAME_add_entry_by_txt(name, "O",
4dc2379a 1373 MBSTRING_ASC, CUS "Exim Developers", -1, -1, 0);
23bb6982 1374X509_NAME_add_entry_by_txt(name, "CN",
4dc2379a 1375 MBSTRING_ASC, CUS smtp_active_hostname, -1, -1, 0);
23bb6982
JH		 1376X509_set_issuer_name(x509, name);
1377
1378where = US"signing cert";
1379if (!X509_sign(x509, pkey, EVP_md5()))
1380 goto err;
1381
1382where = US"installing selfsign cert";
1383if (!SSL_CTX_use_certificate(sctx, x509))
1384 goto err;
1385
1386where = US"installing selfsign key";
1387if (!SSL_CTX_use_PrivateKey(sctx, pkey))
1388 goto err;
1389
1390return OK;
1391
1392err:
cf0c6164 1393 (void) tls_error(where, NULL, NULL, errstr);
23bb6982
JH		 1394 if (x509) X509_free(x509);
1395 if (pkey) EVP_PKEY_free(pkey);
1396 return DEFER;
1397}
1398
1399
1400
1401
ba86e143
JH		 1402static int
1403tls_add_certfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1404 uschar ** errstr)
1405{
1406DEBUG(D_tls) debug_printf("tls_certificate file %s\n", file);
1407if (!SSL_CTX_use_certificate_chain_file(sctx, CS file))
1408 return tls_error(string_sprintf(
1409 "SSL_CTX_use_certificate_chain_file file=%s", file),
1410 cbinfo->host, NULL, errstr);
1411return 0;
1412}
1413
1414static int
1415tls_add_pkeyfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1416 uschar ** errstr)
1417{
1418DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", file);
1419if (!SSL_CTX_use_PrivateKey_file(sctx, CS file, SSL_FILETYPE_PEM))
1420 return tls_error(string_sprintf(
1421 "SSL_CTX_use_PrivateKey_file file=%s", file), cbinfo->host, NULL, errstr);
1422return 0;
1423}
1424
1425
7be682ca
PP		 1426/*************************************************
1427* Expand key and cert file specs *
1428*************************************************/
1429
f5d78688 1430/* Called once during tls_init and possibly again during TLS setup, for a
7be682ca
PP		 1431new context, if Server Name Indication was used and tls_sni was seen in
1432the certificate string.
1433
1434Arguments:
1435 sctx the SSL_CTX* to update
1436 cbinfo various parts of session state
cf0c6164 1437 errstr error string pointer
7be682ca
PP		 1438
1439Returns: OK/DEFER/FAIL
1440*/
1441
1442static int
cf0c6164
JH		 1443tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo,
1444 uschar ** errstr)
7be682ca
PP		 1445{
1446uschar *expanded;
1447
23bb6982 1448if (!cbinfo->certificate)
7be682ca 1449 {
ba86e143 1450 if (!cbinfo->is_server) /* client */
23bb6982 1451 return OK;
afdb5e9c 1452 /* server */
cf0c6164 1453 if (tls_install_selfsign(sctx, errstr) != OK)
23bb6982 1454 return DEFER;
7be682ca 1455 }
23bb6982
JH		 1456else
1457 {
ba86e143
JH		 1458 int err;
1459
23bb6982
JH		 1460 if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
1461 Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
1462 Ustrstr(cbinfo->certificate, US"tls_out_sni")
1463 )
1464 reexpand_tls_files_for_sni = TRUE;
7be682ca 1465
cf0c6164 1466 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded, errstr))
23bb6982
JH		 1467 return DEFER;
1468
ba86e143
JH		 1469 if (expanded)
1470 if (cbinfo->is_server)
1471 {
1472 const uschar * file_list = expanded;
1473 int sep = 0;
1474 uschar * file;
1475
1476 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1477 if ((err = tls_add_certfile(sctx, cbinfo, file, errstr)))
1478 return err;
1479 }
1480 else /* would there ever be a need for multiple client certs? */
1481 if ((err = tls_add_certfile(sctx, cbinfo, expanded, errstr)))
1482 return err;
7be682ca 1483
5a2a0989
JH		 1484 if ( cbinfo->privatekey
1485 && !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded, errstr))
23bb6982 1486 return DEFER;
7be682ca 1487
23bb6982
JH		 1488 /* If expansion was forced to fail, key_expanded will be NULL. If the result
1489 of the expansion is an empty string, ignore it also, and assume the private
1490 key is in the same file as the certificate. */
1491
1492 if (expanded && *expanded)
ba86e143
JH		 1493 if (cbinfo->is_server)
1494 {
1495 const uschar * file_list = expanded;
1496 int sep = 0;
1497 uschar * file;
1498
1499 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1500 if ((err = tls_add_pkeyfile(sctx, cbinfo, file, errstr)))
1501 return err;
1502 }
1503 else /* would there ever be a need for multiple client certs? */
1504 if ((err = tls_add_pkeyfile(sctx, cbinfo, expanded, errstr)))
1505 return err;
7be682ca
PP		 1506 }
1507
f2de3a33 1508#ifndef DISABLE_OCSP
f40d5be3 1509if (cbinfo->is_server && cbinfo->u_ocsp.server.file)
3f7eeb86 1510 {
47195144 1511 /*XXX stack*/
cf0c6164 1512 if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded, errstr))
3f7eeb86
PP		 1513 return DEFER;
1514
f40d5be3 1515 if (expanded && *expanded)
3f7eeb86
PP		 1516 {
1517 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
f40d5be3
JH		 1518 if ( cbinfo->u_ocsp.server.file_expanded
1519 && (Ustrcmp(expanded, cbinfo->u_ocsp.server.file_expanded) == 0))
3f7eeb86 1520 {
f40d5be3
JH		 1521 DEBUG(D_tls) debug_printf(" - value unchanged, using existing values\n");
1522 }
1523 else
f40d5be3 1524 ocsp_load_response(sctx, cbinfo, expanded);
3f7eeb86
PP		 1525 }
1526 }
1527#endif
1528
7be682ca
PP		 1529return OK;
1530}
1531
1532
1533
1534
1535/*************************************************
1536* Callback to handle SNI *
1537*************************************************/
1538
1539/* Called when acting as server during the TLS session setup if a Server Name
1540Indication extension was sent by the client.
1541
1542API documentation is OpenSSL s_server.c implementation.
1543
1544Arguments:
1545 s SSL* of the current session
1546 ad unknown (part of OpenSSL API) (unused)
1547 arg Callback of "our" registered data
1548
1549Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
b10c87b3
JH		 1550
1551XXX might need to change to using ClientHello callback,
1552per https://www.openssl.org/docs/manmaster/man3/SSL_client_hello_cb_fn.html
7be682ca
PP		 1553*/
1554
3bcbbbe2 1555#ifdef EXIM_HAVE_OPENSSL_TLSEXT
7be682ca
PP		 1556static int
1557tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
1558{
1559const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
3f7eeb86 1560tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
7be682ca 1561int rc;
3f0945ff 1562int old_pool = store_pool;
cf0c6164 1563uschar * dummy_errstr;
7be682ca
PP		 1564
1565if (!servername)
1566 return SSL_TLSEXT_ERR_OK;
1567
3f0945ff 1568DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
7be682ca
PP		 1569 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
1570
1571/* Make the extension value available for expansion */
3f0945ff 1572store_pool = POOL_PERM;
89a80675 1573tls_in.sni = string_copy_taint(US servername, TRUE);
3f0945ff 1574store_pool = old_pool;
7be682ca
PP		 1575
1576if (!reexpand_tls_files_for_sni)
1577 return SSL_TLSEXT_ERR_OK;
1578
1579/* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
1580not confident that memcpy wouldn't break some internal reference counting.
1581Especially since there's a references struct member, which would be off. */
1582
7a8b9519
JH		 1583#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1584if (!(server_sni = SSL_CTX_new(TLS_server_method())))
1585#else
0df4ab80 1586if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
7a8b9519 1587#endif
7be682ca 1588 {
0abc5a13 1589 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
7be682ca 1590 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
5a2a0989 1591 goto bad;
7be682ca
PP		 1592 }
1593
1594/* Not sure how many of these are actually needed, since SSL object
1595already exists. Might even need this selfsame callback, for reneg? */
1596
817d9f57
JH		 1597SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
1598SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
1599SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
1600SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
1601SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
1602SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
038597d2 1603
cf0c6164
JH		 1604if ( !init_dh(server_sni, cbinfo->dhparam, NULL, &dummy_errstr)
1605 || !init_ecdh(server_sni, NULL, &dummy_errstr)
038597d2 1606 )
5a2a0989 1607 goto bad;
038597d2 1608
ca954d7f
JH		 1609if ( cbinfo->server_cipher_list
1610 && !SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list))
5a2a0989 1611 goto bad;
ca954d7f 1612
f2de3a33 1613#ifndef DISABLE_OCSP
f5d78688 1614if (cbinfo->u_ocsp.server.file)
3f7eeb86 1615 {
f5d78688 1616 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
14c7b357 1617 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
3f7eeb86
PP		 1618 }
1619#endif
7be682ca 1620
c3033f13 1621if ((rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE,
cf0c6164 1622 verify_callback_server, &dummy_errstr)) != OK)
5a2a0989 1623 goto bad;
7be682ca 1624
3f7eeb86
PP		 1625/* do this after setup_certs, because this can require the certs for verifying
1626OCSP information. */
cf0c6164 1627if ((rc = tls_expand_session_files(server_sni, cbinfo, &dummy_errstr)) != OK)
5a2a0989 1628 goto bad;
a799883d 1629
7be682ca 1630DEBUG(D_tls) debug_printf("Switching SSL context.\n");
817d9f57 1631SSL_set_SSL_CTX(s, server_sni);
7be682ca 1632return SSL_TLSEXT_ERR_OK;
5a2a0989
JH		 1633
1634bad: return SSL_TLSEXT_ERR_ALERT_FATAL;
7be682ca 1635}
3bcbbbe2 1636#endif /* EXIM_HAVE_OPENSSL_TLSEXT */
7be682ca
PP		 1637
1638
1639
1640
f2de3a33 1641#ifndef DISABLE_OCSP
f5d78688 1642
3f7eeb86
PP		 1643/*************************************************
1644* Callback to handle OCSP Stapling *
1645*************************************************/
1646
1647/* Called when acting as server during the TLS session setup if the client
1648requests OCSP information with a Certificate Status Request.
1649
1650Documentation via openssl s_server.c and the Apache patch from the OpenSSL
1651project.
1652
1653*/
1654
1655static int
f5d78688 1656tls_server_stapling_cb(SSL *s, void *arg)
3f7eeb86
PP		 1657{
1658const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
47195144 1659uschar *response_der; /*XXX blob */
3f7eeb86
PP		 1660int response_der_len;
1661
47195144
JH		 1662/*XXX stack: use SSL_get_certificate() to see which cert; from that work
1663out which ocsp blob to send. Unfortunately, SSL_get_certificate is known
1664buggy in current OpenSSL; it returns the last cert loaded always rather than
1665the one actually presented. So we can't support a stack of OCSP proofs at
1666this time. */
1667
af4a1bca 1668DEBUG(D_tls)
b3ef41c9 1669 debug_printf("Received TLS status request (OCSP stapling); %s response\n",
f5d78688
JH		 1670 cbinfo->u_ocsp.server.response ? "have" : "lack");
1671
44662487 1672tls_in.ocsp = OCSP_NOT_RESP;
f5d78688 1673if (!cbinfo->u_ocsp.server.response)
3f7eeb86
PP		 1674 return SSL_TLSEXT_ERR_NOACK;
1675
1676response_der = NULL;
47195144 1677response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response, /*XXX stack*/
44662487 1678 &response_der);
3f7eeb86
PP		 1679if (response_der_len <= 0)
1680 return SSL_TLSEXT_ERR_NOACK;
1681
5e55c7a9 1682SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
44662487 1683tls_in.ocsp = OCSP_VFIED;
3f7eeb86
PP		 1684return SSL_TLSEXT_ERR_OK;
1685}
1686
3f7eeb86 1687
f5d78688
JH		 1688static void
1689time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
1690{
1691BIO_printf(bp, "\t%s: ", str);
1692ASN1_GENERALIZEDTIME_print(bp, time);
1693BIO_puts(bp, "\n");
1694}
1695
1696static int
1697tls_client_stapling_cb(SSL *s, void *arg)
1698{
1699tls_ext_ctx_cb * cbinfo = arg;
1700const unsigned char * p;
1701int len;
1702OCSP_RESPONSE * rsp;
1703OCSP_BASICRESP * bs;
1704int i;
1705
1706DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
1707len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1708if(!p)
1709 {
44662487 1710 /* Expect this when we requested ocsp but got none */
6c6d6e48 1711 if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
44662487 1712 log_write(0, LOG_MAIN, "Received TLS status callback, null content");
f5d78688
JH		 1713 else
1714 DEBUG(D_tls) debug_printf(" null\n");
44662487 1715 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
f5d78688 1716 }
018058b2 1717
c82de233
JH		 1718if (!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
1719 {
1720 tls_out.ocsp = OCSP_FAILED; /*XXX should use tlsp-> to permit concurrent outbound */
6c6d6e48 1721 if (LOGGING(tls_cipher))
1eca31ca 1722 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
f5d78688
JH		 1723 else
1724 DEBUG(D_tls) debug_printf(" parse error\n");
1725 return 0;
c82de233 1726 }
f5d78688 1727
c82de233 1728if (!(bs = OCSP_response_get1_basic(rsp)))
f5d78688 1729 {
018058b2 1730 tls_out.ocsp = OCSP_FAILED;
6c6d6e48 1731 if (LOGGING(tls_cipher))
1eca31ca 1732 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
f5d78688
JH		 1733 else
1734 DEBUG(D_tls) debug_printf(" error parsing response\n");
1735 OCSP_RESPONSE_free(rsp);
1736 return 0;
1737 }
1738
1739/* We'd check the nonce here if we'd put one in the request. */
1740/* However that would defeat cacheability on the server so we don't. */
1741
f5d78688
JH		 1742/* This section of code reworked from OpenSSL apps source;
1743 The OpenSSL Project retains copyright:
1744 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
1745*/
1746 {
1747 BIO * bp = NULL;
f5d78688
JH		 1748 int status, reason;
1749 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1750
57887ecc 1751 DEBUG(D_tls) bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
f5d78688
JH		 1752
1753 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
1754
1755 /* Use the chain that verified the server cert to verify the stapled info */
1756 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
1757
c3033f13 1758 if ((i = OCSP_basic_verify(bs, cbinfo->verify_stack,
44662487 1759 cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
f5d78688 1760 {
018058b2 1761 tls_out.ocsp = OCSP_FAILED;
57887ecc
JH		 1762 if (LOGGING(tls_cipher)) log_write(0, LOG_MAIN,
1763 "Received TLS cert status response, itself unverifiable: %s",
1764 ERR_reason_error_string(ERR_peek_error()));
f5d78688
JH		 1765 BIO_printf(bp, "OCSP response verify failure\n");
1766 ERR_print_errors(bp);
57887ecc 1767 OCSP_RESPONSE_print(bp, rsp, 0);
c8dfb21d 1768 goto failed;
f5d78688
JH		 1769 }
1770
1771 BIO_printf(bp, "OCSP response well-formed and signed OK\n");
1772
c8dfb21d
JH		 1773 /*XXX So we have a good stapled OCSP status. How do we know
1774 it is for the cert of interest? OpenSSL 1.1.0 has a routine
1775 OCSP_resp_find_status() which matches on a cert id, which presumably
1776 we should use. Making an id needs OCSP_cert_id_new(), which takes
1777 issuerName, issuerKey, serialNumber. Are they all in the cert?
1778
1779 For now, carry on blindly accepting the resp. */
1780
f5d78688 1781 {
f5d78688
JH		 1782 OCSP_SINGLERESP * single;
1783
c8dfb21d
JH		 1784#ifdef EXIM_HAVE_OCSP_RESP_COUNT
1785 if (OCSP_resp_count(bs) != 1)
1786#else
1787 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
f5d78688 1788 if (sk_OCSP_SINGLERESP_num(sresp) != 1)
c8dfb21d 1789#endif
f5d78688 1790 {
018058b2 1791 tls_out.ocsp = OCSP_FAILED;
44662487
JH		 1792 log_write(0, LOG_MAIN, "OCSP stapling "
1793 "with multiple responses not handled");
c8dfb21d 1794 goto failed;
f5d78688
JH		 1795 }
1796 single = OCSP_resp_get0(bs, 0);
44662487
JH		 1797 status = OCSP_single_get0_status(single, &reason, &rev,
1798 &thisupd, &nextupd);
f5d78688
JH		 1799 }
1800
f5d78688
JH		 1801 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
1802 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
44662487
JH		 1803 if (!OCSP_check_validity(thisupd, nextupd,
1804 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
f5d78688 1805 {
018058b2 1806 tls_out.ocsp = OCSP_FAILED;
f5d78688
JH		 1807 DEBUG(D_tls) ERR_print_errors(bp);
1808 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
f5d78688 1809 }
44662487 1810 else
f5d78688 1811 {
44662487
JH		 1812 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
1813 OCSP_cert_status_str(status));
1814 switch(status)
1815 {
1816 case V_OCSP_CERTSTATUS_GOOD:
44662487 1817 tls_out.ocsp = OCSP_VFIED;
018058b2 1818 i = 1;
c8dfb21d 1819 goto good;
44662487 1820 case V_OCSP_CERTSTATUS_REVOKED:
018058b2 1821 tls_out.ocsp = OCSP_FAILED;
44662487
JH		 1822 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
1823 reason != -1 ? "; reason: " : "",
1824 reason != -1 ? OCSP_crl_reason_str(reason) : "");
1825 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
44662487
JH		 1826 break;
1827 default:
018058b2 1828 tls_out.ocsp = OCSP_FAILED;
44662487
JH		 1829 log_write(0, LOG_MAIN,
1830 "Server certificate status unknown, in OCSP stapling");
44662487
JH		 1831 break;
1832 }
f5d78688 1833 }
c8dfb21d
JH		 1834 failed:
1835 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1836 good:
f5d78688
JH		 1837 BIO_free(bp);
1838 }
1839
1840OCSP_RESPONSE_free(rsp);
1841return i;
1842}
f2de3a33 1843#endif /*!DISABLE_OCSP*/
3f7eeb86
PP		 1844
1845
059ec3d9
PH		 1846/*************************************************
1847* Initialize for TLS *
1848*************************************************/
1849
e51c7be2
JH		 1850/* Called from both server and client code, to do preliminary initialization
1851of the library. We allocate and return a context structure.
059ec3d9
PH		 1852
1853Arguments:
946ecbe0 1854 ctxp returned SSL context
059ec3d9
PH		 1855 host connected host, if client; NULL if server
1856 dhparam DH parameter file
1857 certificate certificate file
1858 privatekey private key
f5d78688 1859 ocsp_file file of stapling info (server); flag for require ocsp (client)
059ec3d9 1860 addr address if client; NULL if server (for some randomness)
946ecbe0 1861 cbp place to put allocated callback context
cf0c6164 1862 errstr error string pointer
059ec3d9
PH		 1863
1864Returns: OK/DEFER/FAIL
1865*/
1866
1867static int
817d9f57 1868tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
3f7eeb86 1869 uschar *privatekey,
f2de3a33 1870#ifndef DISABLE_OCSP
47195144 1871 uschar *ocsp_file, /*XXX stack, in server*/
3f7eeb86 1872#endif
b10c87b3
JH		 1873 address_item *addr, tls_ext_ctx_cb ** cbp,
1874 tls_support * tlsp,
1875 uschar ** errstr)
059ec3d9 1876{
7006ee24 1877SSL_CTX * ctx;
77bb000f 1878long init_options;
7be682ca 1879int rc;
a7538db1 1880tls_ext_ctx_cb * cbinfo;
7be682ca
PP		 1881
1882cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
b10c87b3 1883cbinfo->tlsp = tlsp;
7be682ca
PP		 1884cbinfo->certificate = certificate;
1885cbinfo->privatekey = privatekey;
a6510420 1886cbinfo->is_server = host==NULL;
f2de3a33 1887#ifndef DISABLE_OCSP
c3033f13 1888cbinfo->verify_stack = NULL;
a6510420 1889if (!host)
f5d78688
JH		 1890 {
1891 cbinfo->u_ocsp.server.file = ocsp_file;
1892 cbinfo->u_ocsp.server.file_expanded = NULL;
1893 cbinfo->u_ocsp.server.response = NULL;
1894 }
1895else
1896 cbinfo->u_ocsp.client.verify_store = NULL;
3f7eeb86 1897#endif
7be682ca 1898cbinfo->dhparam = dhparam;
0df4ab80 1899cbinfo->server_cipher_list = NULL;
7be682ca 1900cbinfo->host = host;
0cbf2b82 1901#ifndef DISABLE_EVENT
a7538db1
JH		 1902cbinfo->event_action = NULL;
1903#endif
77bb000f 1904
7434882d 1905#ifdef EXIM_NEED_OPENSSL_INIT
059ec3d9
PH		 1906SSL_load_error_strings(); /* basic set up */
1907OpenSSL_add_ssl_algorithms();
7434882d 1908#endif
059ec3d9 1909
c8dfb21d 1910#ifdef EXIM_HAVE_SHA256
77bb000f 1911/* SHA256 is becoming ever more popular. This makes sure it gets added to the
a0475b69
TK		 1912list of available digests. */
1913EVP_add_digest(EVP_sha256());
cf1ef1a9 1914#endif
a0475b69 1915
f0f5a555
PP		 1916/* Create a context.
1917The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
1918negotiation in the different methods; as far as I can tell, the only
1919*_{server,client}_method which allows negotiation is SSLv23, which exists even
1920when OpenSSL is built without SSLv2 support.
1921By disabling with openssl_options, we can let admins re-enable with the
1922existing knob. */
059ec3d9 1923
7a8b9519
JH		 1924#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1925if (!(ctx = SSL_CTX_new(host ? TLS_client_method() : TLS_server_method())))
1926#else
7006ee24 1927if (!(ctx = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method())))
7a8b9519 1928#endif
7006ee24 1929 return tls_error(US"SSL_CTX_new", host, NULL, errstr);
059ec3d9
PH		 1930
1931/* It turns out that we need to seed the random number generator this early in
1932order to get the full complement of ciphers to work. It took me roughly a day
1933of work to discover this by experiment.
1934
1935On systems that have /dev/urandom, SSL may automatically seed itself from
1936there. Otherwise, we have to make something up as best we can. Double check
1937afterwards. */
1938
1939if (!RAND_status())
1940 {
1941 randstuff r;
9e3331ea 1942 gettimeofday(&r.tv, NULL);
059ec3d9
PH		 1943 r.p = getpid();
1944
5903c6ff
JH		 1945 RAND_seed(US (&r), sizeof(r));
1946 RAND_seed(US big_buffer, big_buffer_size);
1947 if (addr != NULL) RAND_seed(US addr, sizeof(addr));
059ec3d9
PH		 1948
1949 if (!RAND_status())
7199e1ee 1950 return tls_error(US"RAND_status", host,
cf0c6164 1951 US"unable to seed random number generator", errstr);
059ec3d9
PH		 1952 }
1953
1954/* Set up the information callback, which outputs if debugging is at a suitable
1955level. */
1956
b10c87b3
JH		 1957DEBUG(D_tls)
1958 {
1959 SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
e570d136
JH		 1960#if defined(EXIM_HAVE_OPESSL_TRACE) && !defined(OPENSSL_NO_SSL_TRACE)
1961 /* this needs a debug build of OpenSSL */
b10c87b3
JH		 1962 SSL_CTX_set_msg_callback(ctx, (void (*)())SSL_trace);
1963#endif
8a40db1c 1964#ifdef OPENSSL_HAVE_KEYLOG_CB
b10c87b3 1965 SSL_CTX_set_keylog_callback(ctx, (void (*)())keylog_callback);
8a40db1c 1966#endif
b10c87b3 1967 }
059ec3d9 1968
c80c5570 1969/* Automatically re-try reads/writes after renegotiation. */
7006ee24 1970(void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
c80c5570 1971
77bb000f
PP		 1972/* Apply administrator-supplied work-arounds.
1973Historically we applied just one requested option,
1974SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
1975moved to an administrator-controlled list of options to specify and
1976grandfathered in the first one as the default value for "openssl_options".
059ec3d9 1977
77bb000f
PP		 1978No OpenSSL version number checks: the options we accept depend upon the
1979availability of the option value macros from OpenSSL. */
059ec3d9 1980
7006ee24 1981if (!tls_openssl_options_parse(openssl_options, &init_options))
cf0c6164 1982 return tls_error(US"openssl_options parsing failed", host, NULL, errstr);
77bb000f 1983
b10c87b3
JH		 1984#ifdef EXPERIMENTAL_TLS_RESUME
1985tlsp->resumption = RESUME_SUPPORTED;
1986#endif
77bb000f
PP		 1987if (init_options)
1988 {
b10c87b3
JH		 1989#ifdef EXPERIMENTAL_TLS_RESUME
1990 /* Should the server offer session resumption? */
1991 if (!host && verify_check_host(&tls_resumption_hosts) == OK)
1992 {
1993 DEBUG(D_tls) debug_printf("tls_resumption_hosts overrides openssl_options\n");
1994 init_options &= ~SSL_OP_NO_TICKET;
1995 tlsp->resumption |= RESUME_SERVER_TICKET; /* server will give ticket on request */
1996 tlsp->host_resumable = TRUE;
1997 }
1998#endif
1999
77bb000f 2000 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
7006ee24 2001 if (!(SSL_CTX_set_options(ctx, init_options)))
77bb000f 2002 return tls_error(string_sprintf(
cf0c6164 2003 "SSL_CTX_set_option(%#lx)", init_options), host, NULL, errstr);
77bb000f
PP		 2004 }
2005else
2006 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
059ec3d9 2007
a28050f8
JH		 2008/* We'd like to disable session cache unconditionally, but foolish Outlook
2009Express clients then give up the first TLS connection and make a second one
2010(which works). Only when there is an IMAP service on the same machine.
2011Presumably OE is trying to use the cache for A on B. Leave it enabled for
2012now, until we work out a decent way of presenting control to the config. It
2013will never be used because we use a new context every time. */
2014#ifdef notdef
7006ee24 2015(void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
a28050f8 2016#endif
7006ee24 2017
059ec3d9 2018/* Initialize with DH parameters if supplied */
10ca4f1c 2019/* Initialize ECDH temp key parameter selection */
059ec3d9 2020
7006ee24
JH		 2021if ( !init_dh(ctx, dhparam, host, errstr)
2022 || !init_ecdh(ctx, host, errstr)
038597d2
PP		 2023 )
2024 return DEFER;
059ec3d9 2025
3f7eeb86 2026/* Set up certificate and key (and perhaps OCSP info) */
059ec3d9 2027
7006ee24 2028if ((rc = tls_expand_session_files(ctx, cbinfo, errstr)) != OK)
23bb6982 2029 return rc;
c91535f3 2030
c3033f13
JH		 2031/* If we need to handle SNI or OCSP, do so */
2032
3bcbbbe2 2033#ifdef EXIM_HAVE_OPENSSL_TLSEXT
c3033f13
JH		 2034# ifndef DISABLE_OCSP
2035 if (!(cbinfo->verify_stack = sk_X509_new_null()))
2036 {
2037 DEBUG(D_tls) debug_printf("failed to create stack for stapling verify\n");
2038 return FAIL;
2039 }
2040# endif
2041
7a8b9519 2042if (!host) /* server */
3f0945ff 2043 {
f2de3a33 2044# ifndef DISABLE_OCSP
f5d78688 2045 /* We check u_ocsp.server.file, not server.response, because we care about if
3f7eeb86
PP		 2046 the option exists, not what the current expansion might be, as SNI might
2047 change the certificate and OCSP file in use between now and the time the
2048 callback is invoked. */
f5d78688 2049 if (cbinfo->u_ocsp.server.file)
3f7eeb86 2050 {
7006ee24
JH		 2051 SSL_CTX_set_tlsext_status_cb(ctx, tls_server_stapling_cb);
2052 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
3f7eeb86 2053 }
f5d78688 2054# endif
3f0945ff
PP		 2055 /* We always do this, so that $tls_sni is available even if not used in
2056 tls_certificate */
7006ee24
JH		 2057 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
2058 SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
3f0945ff 2059 }
f2de3a33 2060# ifndef DISABLE_OCSP
f5d78688
JH		 2061else /* client */
2062 if(ocsp_file) /* wanting stapling */
2063 {
2064 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
2065 {
2066 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
2067 return FAIL;
2068 }
7006ee24
JH		 2069 SSL_CTX_set_tlsext_status_cb(ctx, tls_client_stapling_cb);
2070 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
f5d78688
JH		 2071 }
2072# endif
7be682ca 2073#endif
059ec3d9 2074
e51c7be2 2075cbinfo->verify_cert_hostnames = NULL;
e51c7be2 2076
c8dfb21d 2077#ifdef EXIM_HAVE_EPHEM_RSA_KEX
059ec3d9 2078/* Set up the RSA callback */
7006ee24 2079SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
c8dfb21d 2080#endif
059ec3d9 2081
b10c87b3
JH		 2082/* Finally, set the session cache timeout, and we are done.
2083The period appears to be also used for (server-generated) session tickets */
059ec3d9 2084
7006ee24 2085SSL_CTX_set_timeout(ctx, ssl_session_timeout);
059ec3d9 2086DEBUG(D_tls) debug_printf("Initialized TLS\n");
7be682ca 2087
817d9f57 2088*cbp = cbinfo;
7006ee24 2089*ctxp = ctx;
7be682ca 2090
059ec3d9
PH		 2091return OK;
2092}
2093
2094
2095
2096
2097/*************************************************
2098* Get name of cipher in use *
2099*************************************************/
2100
817d9f57 2101/*
059ec3d9 2102Argument: pointer to an SSL structure for the connection
817d9f57 2103 pointer to number of bits for cipher
f1be21cf 2104Returns: pointer to allocated string in perm-pool
059ec3d9
PH		 2105*/
2106
f1be21cf
JH		 2107static uschar *
2108construct_cipher_name(SSL * ssl, int * bits)
059ec3d9 2109{
f1be21cf 2110int pool = store_pool;
7a8b9519 2111/* With OpenSSL 1.0.0a, 'c' needs to be const but the documentation doesn't
57b3a7f5
PP		 2112yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
2113the accessor functions use const in the prototype. */
059ec3d9 2114
7a8b9519
JH		 2115const uschar * ver = CUS SSL_get_version(ssl);
2116const SSL_CIPHER * c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
f1be21cf 2117uschar * s;
059ec3d9 2118
817d9f57 2119SSL_CIPHER_get_bits(c, bits);
059ec3d9 2120
f1be21cf
JH		 2121store_pool = POOL_PERM;
2122s = string_sprintf("%s:%s:%u", ver, SSL_CIPHER_get_name(c), *bits);
2123store_pool = pool;
2124DEBUG(D_tls) debug_printf("Cipher: %s\n", s);
2125return s;
2126}
2127
059ec3d9 2128
f1be21cf
JH		 2129/* Get IETF-standard name for ciphersuite.
2130Argument: pointer to an SSL structure for the connection
2131Returns: pointer to string
2132*/
2133
2134static const uschar *
2135cipher_stdname_ssl(SSL * ssl)
2136{
2137#ifdef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
2138return CUS SSL_CIPHER_standard_name(SSL_get_current_cipher(ssl));
2139#else
2140ushort id = 0xffff & SSL_CIPHER_get_id(SSL_get_current_cipher(ssl));
2141return cipher_stdname(id >> 8, id & 0xff);
2142#endif
059ec3d9
PH		 2143}
2144
2145
f69979cf 2146static void
70e384dd 2147peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned siz)
f69979cf
JH		 2148{
2149/*XXX we might consider a list-of-certs variable for the cert chain.
2150SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
2151in list-handling functions, also consider the difference between the entire
2152chain and the elements sent by the peer. */
2153
70e384dd
JH		 2154tlsp->peerdn = NULL;
2155
f69979cf
JH		 2156/* Will have already noted peercert on a verify fail; possibly not the leaf */
2157if (!tlsp->peercert)
2158 tlsp->peercert = SSL_get_peer_certificate(ssl);
2159/* Beware anonymous ciphers which lead to server_cert being NULL */
2160if (tlsp->peercert)
70e384dd
JH		 2161 if (!X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, siz))
2162 { DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n"); }
2163 else
2164 {
4a1bd6b9
JH		 2165 int oldpool = store_pool;
2166
2167 peerdn[siz-1] = '\0'; /* paranoia */
2168 store_pool = POOL_PERM;
2169 tlsp->peerdn = string_copy(peerdn);
2170 store_pool = oldpool;
2171
2172 /* We used to set CV in the cert-verify callbacks (either plain or dane)
2173 but they don't get called on session-resumption. So use the official
2174 interface, which uses the resumed value. Unfortunately this claims verified
2175 when it actually failed but we're in try-verify mode, due to us wanting the
2176 knowlege that it failed so needing to have the callback and forcing a
2177 permissive return. If we don't force it, the TLS startup is failed.
f4e62a87
JH		 2178 The extra bit of information is set in verify_override in the cb, stashed
2179 for resumption next to the TLS session, and used here. */
4a1bd6b9
JH		 2180
2181 if (!tlsp->verify_override)
2182 tlsp->certificate_verified = SSL_get_verify_result(ssl) == X509_V_OK;
70e384dd 2183 }
f69979cf
JH		 2184}
2185
2186
059ec3d9
PH		 2187
2188
2189
2190/*************************************************
2191* Set up for verifying certificates *
2192*************************************************/
2193
0e8aed8a 2194#ifndef DISABLE_OCSP
c3033f13
JH		 2195/* Load certs from file, return TRUE on success */
2196
2197static BOOL
2198chain_from_pem_file(const uschar * file, STACK_OF(X509) * verify_stack)
2199{
2200BIO * bp;
2201X509 * x;
2202
dec766a1
WB		 2203while (sk_X509_num(verify_stack) > 0)
2204 X509_free(sk_X509_pop(verify_stack));
2205
c3033f13
JH		 2206if (!(bp = BIO_new_file(CS file, "r"))) return FALSE;
2207while ((x = PEM_read_bio_X509(bp, NULL, 0, NULL)))
2208 sk_X509_push(verify_stack, x);
2209BIO_free(bp);
2210return TRUE;
2211}
0e8aed8a 2212#endif
c3033f13
JH		 2213
2214
2215
dec766a1
WB		 2216/* Called by both client and server startup; on the server possibly
2217repeated after a Server Name Indication.
059ec3d9
PH		 2218
2219Arguments:
7be682ca 2220 sctx SSL_CTX* to initialise
059ec3d9
PH		 2221 certs certs file or NULL
2222 crl CRL file or NULL
2223 host NULL in a server; the remote host in a client
2224 optional TRUE if called from a server for a host in tls_try_verify_hosts;
2225 otherwise passed as FALSE
983207c1 2226 cert_vfy_cb Callback function for certificate verification
cf0c6164 2227 errstr error string pointer
059ec3d9
PH		 2228
2229Returns: OK/DEFER/FAIL
2230*/
2231
2232static int
983207c1 2233setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
cf0c6164 2234 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr)
059ec3d9
PH		 2235{
2236uschar *expcerts, *expcrl;
2237
cf0c6164 2238if (!expand_check(certs, US"tls_verify_certificates", &expcerts, errstr))
059ec3d9 2239 return DEFER;
57cc2785 2240DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
059ec3d9 2241
10a831a3 2242if (expcerts && *expcerts)
059ec3d9 2243 {
10a831a3
JH		 2244 /* Tell the library to use its compiled-in location for the system default
2245 CA bundle. Then add the ones specified in the config, if any. */
cb1d7830 2246
10a831a3 2247 if (!SSL_CTX_set_default_verify_paths(sctx))
cf0c6164 2248 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL, errstr);
10a831a3
JH		 2249
2250 if (Ustrcmp(expcerts, "system") != 0)
059ec3d9 2251 {
cb1d7830
JH		 2252 struct stat statbuf;
2253
cb1d7830
JH		 2254 if (Ustat(expcerts, &statbuf) < 0)
2255 {
2256 log_write(0, LOG_MAIN|LOG_PANIC,
2257 "failed to stat %s for certificates", expcerts);
2258 return DEFER;
2259 }
059ec3d9 2260 else
059ec3d9 2261 {
cb1d7830
JH		 2262 uschar *file, *dir;
2263 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
2264 { file = NULL; dir = expcerts; }
2265 else
c3033f13
JH		 2266 {
2267 file = expcerts; dir = NULL;
2268#ifndef DISABLE_OCSP
2269 /* In the server if we will be offering an OCSP proof, load chain from
2270 file for verifying the OCSP proof at load time. */
2271
2272 if ( !host
2273 && statbuf.st_size > 0
2274 && server_static_cbinfo->u_ocsp.server.file
2275 && !chain_from_pem_file(file, server_static_cbinfo->verify_stack)
2276 )
2277 {
2278 log_write(0, LOG_MAIN|LOG_PANIC,
57887ecc 2279 "failed to load cert chain from %s", file);
c3033f13
JH		 2280 return DEFER;
2281 }
2282#endif
2283 }
cb1d7830
JH		 2284
2285 /* If a certificate file is empty, the next function fails with an
2286 unhelpful error message. If we skip it, we get the correct behaviour (no
2287 certificates are recognized, but the error message is still misleading (it
c3033f13 2288 says no certificate was supplied). But this is better. */
cb1d7830 2289
f2f2c91b
JH		 2290 if ( (!file || statbuf.st_size > 0)
2291 && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
cf0c6164 2292 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL, errstr);
cb1d7830
JH		 2293
2294 /* Load the list of CAs for which we will accept certs, for sending
2295 to the client. This is only for the one-file tls_verify_certificates
2296 variant.
d7978c0f
JH		 2297 If a list isn't loaded into the server, but some verify locations are set,
2298 the server end appears to make a wildcard request for client certs.
10a831a3 2299 Meanwhile, the client library as default behaviour *ignores* the list
cb1d7830
JH		 2300 we send over the wire - see man SSL_CTX_set_client_cert_cb.
2301 Because of this, and that the dir variant is likely only used for
d7978c0f
JH		 2302 the public-CA bundle (not for a private CA), not worth fixing. */
2303
f2f2c91b 2304 if (file)
cb1d7830 2305 {
2009ecca 2306 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
dec766a1
WB		 2307
2308 SSL_CTX_set_client_CA_list(sctx, names);
f2f2c91b 2309 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
cb1d7830 2310 sk_X509_NAME_num(names));
cb1d7830 2311 }
059ec3d9
PH		 2312 }
2313 }
2314
2315 /* Handle a certificate revocation list. */
2316
10a831a3 2317#if OPENSSL_VERSION_NUMBER > 0x00907000L
059ec3d9 2318
8b417f2c 2319 /* This bit of code is now the version supplied by Lars Mainka. (I have
10a831a3 2320 merely reformatted it into the Exim code style.)
8b417f2c 2321
10a831a3
JH		 2322 "From here I changed the code to add support for multiple crl's
2323 in pem format in one file or to support hashed directory entries in
2324 pem format instead of a file. This method now uses the library function
2325 X509_STORE_load_locations to add the CRL location to the SSL context.
2326 OpenSSL will then handle the verify against CA certs and CRLs by
2327 itself in the verify callback." */
8b417f2c 2328
cf0c6164 2329 if (!expand_check(crl, US"tls_crl", &expcrl, errstr)) return DEFER;
10a831a3 2330 if (expcrl && *expcrl)
059ec3d9 2331 {
8b417f2c
PH		 2332 struct stat statbufcrl;
2333 if (Ustat(expcrl, &statbufcrl) < 0)
2334 {
2335 log_write(0, LOG_MAIN|LOG_PANIC,
2336 "failed to stat %s for certificates revocation lists", expcrl);
2337 return DEFER;
2338 }
2339 else
059ec3d9 2340 {
8b417f2c
PH		 2341 /* is it a file or directory? */
2342 uschar *file, *dir;
7be682ca 2343 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
8b417f2c 2344 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
059ec3d9 2345 {
8b417f2c
PH		 2346 file = NULL;
2347 dir = expcrl;
2348 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
059ec3d9
PH		 2349 }
2350 else
2351 {
8b417f2c
PH		 2352 file = expcrl;
2353 dir = NULL;
2354 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
059ec3d9 2355 }
8b417f2c 2356 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
cf0c6164 2357 return tls_error(US"X509_STORE_load_locations", host, NULL, errstr);
8b417f2c
PH		 2358
2359 /* setting the flags to check against the complete crl chain */
2360
2361 X509_STORE_set_flags(cvstore,
2362 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
059ec3d9 2363 }
059ec3d9
PH		 2364 }
2365
10a831a3 2366#endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
059ec3d9
PH		 2367
2368 /* If verification is optional, don't fail if no certificate */
2369
7be682ca 2370 SSL_CTX_set_verify(sctx,
5a2a0989 2371 SSL_VERIFY_PEER | (optional ? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
983207c1 2372 cert_vfy_cb);
059ec3d9
PH		 2373 }
2374
2375return OK;
2376}
2377
2378
2379
2380/*************************************************
2381* Start a TLS session in a server *
2382*************************************************/
2383
2384/* This is called when Exim is running as a server, after having received
2385the STARTTLS command. It must respond to that command, and then negotiate
2386a TLS session.
2387
2388Arguments:
2389 require_ciphers allowed ciphers
cf0c6164 2390 errstr pointer to error message
059ec3d9
PH		 2391
2392Returns: OK on success
2393 DEFER for errors before the start of the negotiation
4c04137d 2394 FAIL for errors during the negotiation; the server can't
059ec3d9
PH		 2395 continue running.
2396*/
2397
2398int
cf0c6164 2399tls_server_start(const uschar * require_ciphers, uschar ** errstr)
059ec3d9
PH		 2400{
2401int rc;
cf0c6164
JH		 2402uschar * expciphers;
2403tls_ext_ctx_cb * cbinfo;
f69979cf 2404static uschar peerdn[256];
059ec3d9
PH		 2405
2406/* Check for previous activation */
2407
74f1a423 2408if (tls_in.active.sock >= 0)
059ec3d9 2409 {
cf0c6164 2410 tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
925ac8e4 2411 smtp_printf("554 Already in TLS\r\n", FALSE);
059ec3d9
PH		 2412 return FAIL;
2413 }
2414
2415/* Initialize the SSL library. If it fails, it will already have logged
2416the error. */
2417
817d9f57 2418rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
f2de3a33 2419#ifndef DISABLE_OCSP
47195144 2420 tls_ocsp_file, /*XXX stack*/
3f7eeb86 2421#endif
b10c87b3 2422 NULL, &server_static_cbinfo, &tls_in, errstr);
059ec3d9 2423if (rc != OK) return rc;
817d9f57 2424cbinfo = server_static_cbinfo;
059ec3d9 2425
cf0c6164 2426if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers, errstr))
059ec3d9
PH		 2427 return FAIL;
2428
2429/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
17c76198
PP		 2430were historically separated by underscores. So that I can use either form in my
2431tests, and also for general convenience, we turn underscores into hyphens here.
0c3807a8
JH		 2432
2433XXX SSL_CTX_set_cipher_list() is replaced by SSL_CTX_set_ciphersuites()
2434for TLS 1.3 . Since we do not call it at present we get the default list:
2435TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
17c76198 2436*/
059ec3d9 2437
c3033f13 2438if (expciphers)
059ec3d9 2439 {
b10c87b3 2440 for (uschar * s = expciphers; *s; s++ ) if (*s == '_') *s = '-';
059ec3d9 2441 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
817d9f57 2442 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
cf0c6164 2443 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL, errstr);
7be682ca 2444 cbinfo->server_cipher_list = expciphers;
059ec3d9
PH		 2445 }
2446
2447/* If this is a host for which certificate verification is mandatory or
2448optional, set up appropriately. */
2449
817d9f57 2450tls_in.certificate_verified = FALSE;
c0635b6d 2451#ifdef SUPPORT_DANE
53a7196b
JH		 2452tls_in.dane_verified = FALSE;
2453#endif
a2ff477a 2454server_verify_callback_called = FALSE;
059ec3d9
PH		 2455
2456if (verify_check_host(&tls_verify_hosts) == OK)
2457 {
983207c1 2458 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
afdb5e9c 2459 FALSE, verify_callback_server, errstr);
059ec3d9 2460 if (rc != OK) return rc;
a2ff477a 2461 server_verify_optional = FALSE;
059ec3d9
PH		 2462 }
2463else if (verify_check_host(&tls_try_verify_hosts) == OK)
2464 {
983207c1 2465 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
afdb5e9c 2466 TRUE, verify_callback_server, errstr);
059ec3d9 2467 if (rc != OK) return rc;
a2ff477a 2468 server_verify_optional = TRUE;
059ec3d9
PH		 2469 }
2470
b10c87b3
JH		 2471#ifdef EXPERIMENTAL_TLS_RESUME
2472SSL_CTX_set_tlsext_ticket_key_cb(server_ctx, ticket_key_callback);
2473/* despite working, appears to always return failure, so ignoring */
2474#endif
2475#ifdef OPENSSL_HAVE_NUM_TICKETS
2476# ifdef EXPERIMENTAL_TLS_RESUME
2477SSL_CTX_set_num_tickets(server_ctx, tls_in.host_resumable ? 1 : 0);
2478# else
2479SSL_CTX_set_num_tickets(server_ctx, 0); /* send no TLS1.3 stateful-tickets */
2480# endif
2481#endif
2482
2483
059ec3d9
PH		 2484/* Prepare for new connection */
2485
cf0c6164
JH		 2486if (!(server_ssl = SSL_new(server_ctx)))
2487 return tls_error(US"SSL_new", NULL, NULL, errstr);
da3ad30d
PP		 2488
2489/* Warning: we used to SSL_clear(ssl) here, it was removed.
2490 *
2491 * With the SSL_clear(), we get strange interoperability bugs with
2492 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
2493 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
2494 *
2495 * The SSL_clear() call is to let an existing SSL* be reused, typically after
2496 * session shutdown. In this case, we have a brand new object and there's no
2497 * obvious reason to immediately clear it. I'm guessing that this was
2498 * originally added because of incomplete initialisation which the clear fixed,
2499 * in some historic release.
2500 */
059ec3d9
PH		 2501
2502/* Set context and tell client to go ahead, except in the case of TLS startup
2503on connection, where outputting anything now upsets the clients and tends to
2504make them disconnect. We need to have an explicit fflush() here, to force out
2505the response. Other smtp_printf() calls do not need it, because in non-TLS
2506mode, the fflush() happens when smtp_getc() is called. */
2507
817d9f57
JH		 2508SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
2509if (!tls_in.on_connect)
059ec3d9 2510 {
925ac8e4 2511 smtp_printf("220 TLS go ahead\r\n", FALSE);
059ec3d9
PH		 2512 fflush(smtp_out);
2513 }
2514
2515/* Now negotiate the TLS session. We put our own timer on it, since it seems
2516that the OpenSSL library doesn't. */
2517
817d9f57
JH		 2518SSL_set_wfd(server_ssl, fileno(smtp_out));
2519SSL_set_rfd(server_ssl, fileno(smtp_in));
2520SSL_set_accept_state(server_ssl);
059ec3d9
PH		 2521
2522DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
2523
2524sigalrm_seen = FALSE;
c2a1bba0 2525if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
817d9f57 2526rc = SSL_accept(server_ssl);
c2a1bba0 2527ALARM_CLR(0);
059ec3d9
PH		 2528
2529if (rc <= 0)
2530 {
cf0c6164 2531 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
059ec3d9
PH		 2532 return FAIL;
2533 }
2534
2535DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
25fa0868 2536ERR_clear_error(); /* Even success can leave errors in the stack. Seen with
b10c87b3
JH		 2537 anon-authentication ciphersuite negotiated. */
2538
2539#ifdef EXPERIMENTAL_TLS_RESUME
2540if (SSL_session_reused(server_ssl))
2541 {
2542 tls_in.resumption |= RESUME_USED;
2543 DEBUG(D_tls) debug_printf("Session reused\n");
2544 }
2545#endif
059ec3d9
PH		 2546
2547/* TLS has been set up. Adjust the input functions to read via TLS,
2548and initialize things. */
2549
f69979cf
JH		 2550peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
2551
f1be21cf
JH		 2552tls_in.cipher = construct_cipher_name(server_ssl, &tls_in.bits);
2553tls_in.cipher_stdname = cipher_stdname_ssl(server_ssl);
2554
059ec3d9
PH		 2555DEBUG(D_tls)
2556 {
2557 uschar buf[2048];
f1be21cf 2558 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)))
059ec3d9 2559 debug_printf("Shared ciphers: %s\n", buf);
f20cfa4a
JH		 2560
2561#ifdef EXIM_HAVE_OPENSSL_KEYLOG
2562 {
10ed27e0 2563 BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
f20cfa4a 2564 SSL_SESSION_print_keylog(bp, SSL_get_session(server_ssl));
f20cfa4a
JH		 2565 BIO_free(bp);
2566 }
2567#endif
b10c87b3
JH		 2568
2569#ifdef EXIM_HAVE_SESSION_TICKET
2570 {
2571 SSL_SESSION * ss = SSL_get_session(server_ssl);
40618fb6 2572 if (SSL_SESSION_has_ticket(ss)) /* 1.1.0 */
b10c87b3
JH		 2573 debug_printf("The session has a ticket, life %lu seconds\n",
2574 SSL_SESSION_get_ticket_lifetime_hint(ss));
2575 }
2576#endif
059ec3d9
PH		 2577 }
2578
9d1c15ef
JH		 2579/* Record the certificate we presented */
2580 {
2581 X509 * crt = SSL_get_certificate(server_ssl);
2582 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
2583 }
059ec3d9 2584
817d9f57
JH		 2585/* Only used by the server-side tls (tls_in), including tls_getc.
2586 Client-side (tls_out) reads (seem to?) go via
2587 smtp_read_response()/ip_recv().
2588 Hence no need to duplicate for _in and _out.
2589 */
b808677c 2590if (!ssl_xfer_buffer) ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
059ec3d9 2591ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
8b77d27a 2592ssl_xfer_eof = ssl_xfer_error = FALSE;
059ec3d9
PH		 2593
2594receive_getc = tls_getc;
0d81dabc 2595receive_getbuf = tls_getbuf;
584e96c6 2596receive_get_cache = tls_get_cache;
059ec3d9
PH		 2597receive_ungetc = tls_ungetc;
2598receive_feof = tls_feof;
2599receive_ferror = tls_ferror;
58eb016e 2600receive_smtp_buffered = tls_smtp_buffered;
059ec3d9 2601
74f1a423
JH		 2602tls_in.active.sock = fileno(smtp_out);
2603tls_in.active.tls_ctx = NULL; /* not using explicit ctx for server-side */
059ec3d9
PH		 2604return OK;
2605}
2606
2607
2608
2609
043b1248
JH		 2610static int
2611tls_client_basic_ctx_init(SSL_CTX * ctx,
cf0c6164
JH		 2612 host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo,
2613 uschar ** errstr)
043b1248
JH		 2614{
2615int rc;
94431adb 2616/* stick to the old behaviour for compatibility if tls_verify_certificates is
043b1248
JH		 2617 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
2618 the specified host patterns if one of them is defined */
2619
610ff438
JH		 2620if ( ( !ob->tls_verify_hosts
2621 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2622 )
3c07dd2d 2623 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
aa2a70ba 2624 )
043b1248 2625 client_verify_optional = FALSE;
3c07dd2d 2626else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
aa2a70ba
JH		 2627 client_verify_optional = TRUE;
2628else
2629 return OK;
2630
2631if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
cf0c6164
JH		 2632 ob->tls_crl, host, client_verify_optional, verify_callback_client,
2633 errstr)) != OK)
aa2a70ba 2634 return rc;
043b1248 2635
3c07dd2d 2636if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
043b1248 2637 {
4af0d74a 2638 cbinfo->verify_cert_hostnames =
8c5d388a 2639#ifdef SUPPORT_I18N
4af0d74a
JH		 2640 string_domain_utf8_to_alabel(host->name, NULL);
2641#else
2642 host->name;
2643#endif
aa2a70ba
JH		 2644 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
2645 cbinfo->verify_cert_hostnames);
043b1248 2646 }
043b1248
JH		 2647return OK;
2648}
059ec3d9 2649
fde080a4 2650
c0635b6d 2651#ifdef SUPPORT_DANE
fde080a4 2652static int
cf0c6164 2653dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa, uschar ** errstr)
fde080a4 2654{
fde080a4
JH		 2655dns_scan dnss;
2656const char * hostnames[2] = { CS host->name, NULL };
2657int found = 0;
2658
2659if (DANESSL_init(ssl, NULL, hostnames) != 1)
cf0c6164 2660 return tls_error(US"hostnames load", host, NULL, errstr);
fde080a4 2661
d7978c0f 2662for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
fde080a4 2663 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
1b76ad22 2664 ) if (rr->type == T_TLSA && rr->size > 3)
fde080a4 2665 {
c3033f13 2666 const uschar * p = rr->data;
fde080a4
JH		 2667 uint8_t usage, selector, mtype;
2668 const char * mdname;
2669
fde080a4 2670 usage = *p++;
133d2546
JH		 2671
2672 /* Only DANE-TA(2) and DANE-EE(3) are supported */
2673 if (usage != 2 && usage != 3) continue;
2674
fde080a4
JH		 2675 selector = *p++;
2676 mtype = *p++;
2677
2678 switch (mtype)
2679 {
133d2546
JH		 2680 default: continue; /* Only match-types 0, 1, 2 are supported */
2681 case 0: mdname = NULL; break;
2682 case 1: mdname = "sha256"; break;
2683 case 2: mdname = "sha512"; break;
fde080a4
JH		 2684 }
2685
133d2546 2686 found++;
fde080a4
JH		 2687 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
2688 {
2689 default:
cf0c6164 2690 return tls_error(US"tlsa load", host, NULL, errstr);
c035b645 2691 case 0: /* action not taken */
fde080a4
JH		 2692 case 1: break;
2693 }
594706ea
JH		 2694
2695 tls_out.tlsa_usage |= 1<<usage;
fde080a4
JH		 2696 }
2697
2698if (found)
2699 return OK;
2700
133d2546 2701log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
6ebd79ec 2702return DEFER;
fde080a4 2703}
c0635b6d 2704#endif /*SUPPORT_DANE*/
fde080a4
JH		 2705
2706
2707
b10c87b3
JH		 2708#ifdef EXPERIMENTAL_TLS_RESUME
2709/* On the client, get any stashed session for the given IP from hints db
2710and apply it to the ssl-connection for attempted resumption. */
2711
2712static void
2713tls_retrieve_session(tls_support * tlsp, SSL * ssl, const uschar * key)
2714{
2715tlsp->resumption |= RESUME_SUPPORTED;
2716if (tlsp->host_resumable)
2717 {
2718 dbdata_tls_session * dt;
2719 int len;
2720 open_db dbblock, * dbm_file;
2721
2722 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
2723 DEBUG(D_tls) debug_printf("checking for resumable session for %s\n", key);
2724 if ((dbm_file = dbfn_open(US"tls", O_RDONLY, &dbblock, FALSE, FALSE)))
2725 {
2726 /* key for the db is the IP */
2727 if ((dt = dbfn_read_with_length(dbm_file, key, &len)))
2728 {
2729 SSL_SESSION * ss = NULL;
2730 const uschar * sess_asn1 = dt->session;
2731
2732 len -= sizeof(dbdata_tls_session);
2733 if (!(d2i_SSL_SESSION(&ss, &sess_asn1, (long)len)))
2734 {
2735 DEBUG(D_tls)
2736 {
2737 ERR_error_string_n(ERR_get_error(),
2738 ssl_errstring, sizeof(ssl_errstring));
2739 debug_printf("decoding session: %s\n", ssl_errstring);
2740 }
2741 }
a775dd1d 2742#ifdef EXIM_HAVE_SESSION_TICKET
4f1d23a1
JH		 2743 else if ( SSL_SESSION_get_ticket_lifetime_hint(ss) + dt->time_stamp
2744 < time(NULL))
2745 {
2746 DEBUG(D_tls) debug_printf("session expired\n");
2747 dbfn_delete(dbm_file, key);
2748 }
a775dd1d 2749#endif
b10c87b3
JH		 2750 else if (!SSL_set_session(ssl, ss))
2751 {
2752 DEBUG(D_tls)
2753 {
2754 ERR_error_string_n(ERR_get_error(),
2755 ssl_errstring, sizeof(ssl_errstring));
2756 debug_printf("applying session to ssl: %s\n", ssl_errstring);
2757 }
2758 }
2759 else
2760 {
2761 DEBUG(D_tls) debug_printf("good session\n");
2762 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
f4e62a87 2763 tlsp->verify_override = dt->verify_override;
c82de233 2764 tlsp->ocsp = dt->ocsp;
b10c87b3
JH		 2765 }
2766 }
2767 else
2768 DEBUG(D_tls) debug_printf("no session record\n");
2769 dbfn_close(dbm_file);
2770 }
2771 }
2772}
2773
2774
2775/* On the client, save the session for later resumption */
2776
2777static int
2778tls_save_session_cb(SSL * ssl, SSL_SESSION * ss)
2779{
2780tls_ext_ctx_cb * cbinfo = SSL_get_ex_data(ssl, tls_exdata_idx);
2781tls_support * tlsp;
2782
2783DEBUG(D_tls) debug_printf("tls_save_session_cb\n");
2784
2785if (!cbinfo || !(tlsp = cbinfo->tlsp)->host_resumable) return 0;
2786
40618fb6
JH		 2787# ifdef OPENSSL_HAVE_NUM_TICKETS
2788if (SSL_SESSION_is_resumable(ss)) /* 1.1.1 */
2789# endif
b10c87b3
JH		 2790 {
2791 int len = i2d_SSL_SESSION(ss, NULL);
2792 int dlen = sizeof(dbdata_tls_session) + len;
f3ebb786 2793 dbdata_tls_session * dt = store_get(dlen, TRUE);
b10c87b3
JH		 2794 uschar * s = dt->session;
2795 open_db dbblock, * dbm_file;
2796
2797 DEBUG(D_tls) debug_printf("session is resumable\n");
2798 tlsp->resumption |= RESUME_SERVER_TICKET; /* server gave us a ticket */
2799
f4e62a87 2800 dt->verify_override = tlsp->verify_override;
c82de233 2801 dt->ocsp = tlsp->ocsp;
f4e62a87 2802 (void) i2d_SSL_SESSION(ss, &s); /* s gets bumped to end */
b10c87b3
JH		 2803
2804 if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
2805 {
2806 const uschar * key = cbinfo->host->address;
2807 dbfn_delete(dbm_file, key);
2808 dbfn_write(dbm_file, key, dt, dlen);
2809 dbfn_close(dbm_file);
2810 DEBUG(D_tls) debug_printf("wrote session (len %u) to db\n",
2811 (unsigned)dlen);
2812 }
2813 }
b10c87b3
JH		 2814return 1;
2815}
2816
2817
2818static void
2819tls_client_ctx_resume_prehandshake(
2820 exim_openssl_client_tls_ctx * exim_client_ctx, tls_support * tlsp,
2821 smtp_transport_options_block * ob, host_item * host)
2822{
2823/* Should the client request a session resumption ticket? */
2824if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, host) == OK)
2825 {
2826 tlsp->host_resumable = TRUE;
2827
2828 SSL_CTX_set_session_cache_mode(exim_client_ctx->ctx,
2829 SSL_SESS_CACHE_CLIENT
2830 | SSL_SESS_CACHE_NO_INTERNAL | SSL_SESS_CACHE_NO_AUTO_CLEAR);
2831 SSL_CTX_sess_set_new_cb(exim_client_ctx->ctx, tls_save_session_cb);
2832 }
2833}
2834
2835static BOOL
2836tls_client_ssl_resume_prehandshake(SSL * ssl, tls_support * tlsp,
2837 host_item * host, uschar ** errstr)
2838{
2839if (tlsp->host_resumable)
2840 {
2841 DEBUG(D_tls)
2842 debug_printf("tls_resumption_hosts overrides openssl_options, enabling tickets\n");
2843 SSL_clear_options(ssl, SSL_OP_NO_TICKET);
2844
2845 tls_exdata_idx = SSL_get_ex_new_index(0, 0, 0, 0, 0);
2846 if (!SSL_set_ex_data(ssl, tls_exdata_idx, client_static_cbinfo))
2847 {
2848 tls_error(US"set ex_data", host, NULL, errstr);
2849 return FALSE;
2850 }
2851 debug_printf("tls_exdata_idx %d cbinfo %p\n", tls_exdata_idx, client_static_cbinfo);
2852 }
2853
2854tlsp->resumption = RESUME_SUPPORTED;
2855/* Pick up a previous session, saved on an old ticket */
2856tls_retrieve_session(tlsp, ssl, host->address);
2857return TRUE;
2858}
2859
2860static void
2861tls_client_resume_posthandshake(exim_openssl_client_tls_ctx * exim_client_ctx,
2862 tls_support * tlsp)
2863{
2864if (SSL_session_reused(exim_client_ctx->ssl))
2865 {
2866 DEBUG(D_tls) debug_printf("The session was reused\n");
2867 tlsp->resumption |= RESUME_USED;
2868 }
2869}
2870#endif /* EXPERIMENTAL_TLS_RESUME */
2871
2872
059ec3d9
PH		 2873/*************************************************
2874* Start a TLS session in a client *
2875*************************************************/
2876
2877/* Called from the smtp transport after STARTTLS has been accepted.
2878
c05bdbd6
JH		 2879Arguments:
2880 cctx connection context
2881 conn_args connection details
2882 cookie datum for randomness; can be NULL
2883 tlsp record details of TLS channel configuration here; must be non-NULL
2884 errstr error string pointer
2885
2886Returns: TRUE for success with TLS session context set in connection context,
2887 FALSE on error
059ec3d9
PH		 2888*/
2889
c05bdbd6
JH		 2890BOOL
2891tls_client_start(client_conn_ctx * cctx, smtp_connect_args * conn_args,
2892 void * cookie, tls_support * tlsp, uschar ** errstr)
059ec3d9 2893{
c05bdbd6
JH		 2894host_item * host = conn_args->host; /* for msgs and option-tests */
2895transport_instance * tb = conn_args->tblock; /* always smtp or NULL */
afdb5e9c
JH		 2896smtp_transport_options_block * ob = tb
2897 ? (smtp_transport_options_block *)tb->options_block
2898 : &smtp_transport_option_defaults;
74f1a423 2899exim_openssl_client_tls_ctx * exim_client_ctx;
868f5672 2900uschar * expciphers;
059ec3d9 2901int rc;
c05bdbd6 2902static uschar peerdn[256];
043b1248
JH		 2903
2904#ifndef DISABLE_OCSP
043b1248 2905BOOL request_ocsp = FALSE;
6634ac8d 2906BOOL require_ocsp = FALSE;
043b1248 2907#endif
043b1248 2908
74f1a423
JH		 2909rc = store_pool;
2910store_pool = POOL_PERM;
f3ebb786 2911exim_client_ctx = store_get(sizeof(exim_openssl_client_tls_ctx), FALSE);
c09dbcfb 2912exim_client_ctx->corked = NULL;
74f1a423
JH		 2913store_pool = rc;
2914
c0635b6d 2915#ifdef SUPPORT_DANE
74f1a423 2916tlsp->tlsa_usage = 0;
043b1248
JH		 2917#endif
2918
f2de3a33 2919#ifndef DISABLE_OCSP
043b1248 2920 {
c0635b6d 2921# ifdef SUPPORT_DANE
c05bdbd6 2922 if ( conn_args->dane
4f59c424
JH		 2923 && ob->hosts_request_ocsp[0] == '*'
2924 && ob->hosts_request_ocsp[1] == '\0'
2925 )
2926 {
2927 /* Unchanged from default. Use a safer one under DANE */
2928 request_ocsp = TRUE;
2929 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
2930 " {= {4}{$tls_out_tlsa_usage}} } "
2931 " {*}{}}";
2932 }
2933# endif
2934
5130845b 2935 if ((require_ocsp =
3c07dd2d 2936 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK))
fca41d5a
JH		 2937 request_ocsp = TRUE;
2938 else
c0635b6d 2939# ifdef SUPPORT_DANE
4f59c424 2940 if (!request_ocsp)
fca41d5a 2941# endif
5130845b 2942 request_ocsp =
3c07dd2d 2943 verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
043b1248 2944 }
f5d78688 2945#endif
059ec3d9 2946
74f1a423 2947rc = tls_init(&exim_client_ctx->ctx, host, NULL,
65867078 2948 ob->tls_certificate, ob->tls_privatekey,
f2de3a33 2949#ifndef DISABLE_OCSP
44662487 2950 (void *)(long)request_ocsp,
3f7eeb86 2951#endif
b10c87b3 2952 cookie, &client_static_cbinfo, tlsp, errstr);
c05bdbd6 2953if (rc != OK) return FALSE;
059ec3d9 2954
74f1a423 2955tlsp->certificate_verified = FALSE;
a2ff477a 2956client_verify_callback_called = FALSE;
059ec3d9 2957
5ec37a55
PP		 2958expciphers = NULL;
2959#ifdef SUPPORT_DANE
c05bdbd6 2960if (conn_args->dane)
5ec37a55
PP		 2961 {
2962 /* We fall back to tls_require_ciphers if unset, empty or forced failure, but
2963 other failures should be treated as problems. */
2964 if (ob->dane_require_tls_ciphers &&
2965 !expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
2966 &expciphers, errstr))
c05bdbd6 2967 return FALSE;
5ec37a55
PP		 2968 if (expciphers && *expciphers == '\0')
2969 expciphers = NULL;
2970 }
2971#endif
2972if (!expciphers &&
2973 !expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
2974 &expciphers, errstr))
c05bdbd6 2975 return FALSE;
059ec3d9
PH		 2976
2977/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
2978are separated by underscores. So that I can use either form in my tests, and
2979also for general convenience, we turn underscores into hyphens here. */
2980
cf0c6164 2981if (expciphers)
059ec3d9
PH		 2982 {
2983 uschar *s = expciphers;
cf0c6164 2984 while (*s) { if (*s == '_') *s = '-'; s++; }
059ec3d9 2985 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
74f1a423
JH		 2986 if (!SSL_CTX_set_cipher_list(exim_client_ctx->ctx, CS expciphers))
2987 {
2988 tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr);
c05bdbd6 2989 return FALSE;
74f1a423 2990 }
059ec3d9
PH		 2991 }
2992
c0635b6d 2993#ifdef SUPPORT_DANE
c05bdbd6 2994if (conn_args->dane)
a63be306 2995 {
74f1a423 2996 SSL_CTX_set_verify(exim_client_ctx->ctx,
02af313d
JH		 2997 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2998 verify_callback_client_dane);
e5cccda9 2999
043b1248 3000 if (!DANESSL_library_init())
74f1a423
JH		 3001 {
3002 tls_error(US"library init", host, NULL, errstr);
c05bdbd6 3003 return FALSE;
74f1a423
JH		 3004 }
3005 if (DANESSL_CTX_init(exim_client_ctx->ctx) <= 0)
3006 {
3007 tls_error(US"context init", host, NULL, errstr);
c05bdbd6 3008 return FALSE;
74f1a423 3009 }
043b1248
JH		 3010 }
3011else
e51c7be2 3012
043b1248
JH		 3013#endif
3014
74f1a423
JH		 3015 if (tls_client_basic_ctx_init(exim_client_ctx->ctx, host, ob,
3016 client_static_cbinfo, errstr) != OK)
c05bdbd6 3017 return FALSE;
059ec3d9 3018
b10c87b3
JH		 3019#ifdef EXPERIMENTAL_TLS_RESUME
3020tls_client_ctx_resume_prehandshake(exim_client_ctx, tlsp, ob, host);
3021#endif
3022
3023
74f1a423
JH		 3024if (!(exim_client_ctx->ssl = SSL_new(exim_client_ctx->ctx)))
3025 {
3026 tls_error(US"SSL_new", host, NULL, errstr);
c05bdbd6 3027 return FALSE;
74f1a423
JH		 3028 }
3029SSL_set_session_id_context(exim_client_ctx->ssl, sid_ctx, Ustrlen(sid_ctx));
b10c87b3 3030
c05bdbd6 3031SSL_set_fd(exim_client_ctx->ssl, cctx->sock);
74f1a423 3032SSL_set_connect_state(exim_client_ctx->ssl);
059ec3d9 3033
65867078 3034if (ob->tls_sni)
3f0945ff 3035 {
74f1a423 3036 if (!expand_check(ob->tls_sni, US"tls_sni", &tlsp->sni, errstr))
c05bdbd6 3037 return FALSE;
74f1a423 3038 if (!tlsp->sni)
2c9a0e86
PP		 3039 {
3040 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
3041 }
74f1a423
JH		 3042 else if (!Ustrlen(tlsp->sni))
3043 tlsp->sni = NULL;
3f0945ff
PP		 3044 else
3045 {
35731706 3046#ifdef EXIM_HAVE_OPENSSL_TLSEXT
74f1a423
JH		 3047 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tlsp->sni);
3048 SSL_set_tlsext_host_name(exim_client_ctx->ssl, tlsp->sni);
35731706 3049#else
66802652 3050 log_write(0, LOG_MAIN, "SNI unusable with this OpenSSL library version; ignoring \"%s\"\n",
74f1a423 3051 tlsp->sni);
35731706 3052#endif
3f0945ff
PP		 3053 }
3054 }
3055
c0635b6d 3056#ifdef SUPPORT_DANE
c05bdbd6
JH		 3057if (conn_args->dane)
3058 if (dane_tlsa_load(exim_client_ctx->ssl, host, &conn_args->tlsa_dnsa, errstr) != OK)
3059 return FALSE;
594706ea
JH		 3060#endif
3061
f2de3a33 3062#ifndef DISABLE_OCSP
f5d78688
JH		 3063/* Request certificate status at connection-time. If the server
3064does OCSP stapling we will get the callback (set in tls_init()) */
c0635b6d 3065# ifdef SUPPORT_DANE
594706ea
JH		 3066if (request_ocsp)
3067 {
3068 const uschar * s;
41afb5cb
JH		 3069 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
3070 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
594706ea
JH		 3071 )
3072 { /* Re-eval now $tls_out_tlsa_usage is populated. If
3073 this means we avoid the OCSP request, we wasted the setup
3074 cost in tls_init(). */
3c07dd2d 3075 require_ocsp = verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
5130845b 3076 request_ocsp = require_ocsp
3c07dd2d 3077 || verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
594706ea
JH		 3078 }
3079 }
b50c8b84
JH		 3080# endif
3081
44662487
JH		 3082if (request_ocsp)
3083 {
74f1a423 3084 SSL_set_tlsext_status_type(exim_client_ctx->ssl, TLSEXT_STATUSTYPE_ocsp);
44662487 3085 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
74f1a423 3086 tlsp->ocsp = OCSP_NOT_RESP;
44662487 3087 }
f5d78688
JH		 3088#endif
3089
c82de233
JH		 3090#ifdef EXPERIMENTAL_TLS_RESUME
3091if (!tls_client_ssl_resume_prehandshake(exim_client_ctx->ssl, tlsp, host,
3092 errstr))
3093 return FALSE;
3094#endif
3095
0cbf2b82 3096#ifndef DISABLE_EVENT
afdb5e9c 3097client_static_cbinfo->event_action = tb ? tb->event_action : NULL;
a7538db1 3098#endif
043b1248 3099
059ec3d9
PH		 3100/* There doesn't seem to be a built-in timeout on connection. */
3101
3102DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
3103sigalrm_seen = FALSE;
c2a1bba0 3104ALARM(ob->command_timeout);
74f1a423 3105rc = SSL_connect(exim_client_ctx->ssl);
c2a1bba0 3106ALARM_CLR(0);
059ec3d9 3107
c0635b6d 3108#ifdef SUPPORT_DANE
c05bdbd6 3109if (conn_args->dane)
74f1a423 3110 DANESSL_cleanup(exim_client_ctx->ssl);
043b1248
JH		 3111#endif
3112
059ec3d9 3113if (rc <= 0)
74f1a423
JH		 3114 {
3115 tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL, errstr);
c05bdbd6 3116 return FALSE;
74f1a423 3117 }
059ec3d9 3118
f20cfa4a
JH		 3119DEBUG(D_tls)
3120 {
3121 debug_printf("SSL_connect succeeded\n");
3122#ifdef EXIM_HAVE_OPENSSL_KEYLOG
3123 {
10ed27e0
JH		 3124 BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
3125 SSL_SESSION_print_keylog(bp, SSL_get_session(exim_client_ctx->ssl));
3126 BIO_free(bp);
f20cfa4a
JH		 3127 }
3128#endif
3129 }
059ec3d9 3130
b10c87b3
JH		 3131#ifdef EXPERIMENTAL_TLS_RESUME
3132tls_client_resume_posthandshake(exim_client_ctx, tlsp);
3133#endif
3134
74f1a423 3135peer_cert(exim_client_ctx->ssl, tlsp, peerdn, sizeof(peerdn));
059ec3d9 3136
f1be21cf
JH		 3137tlsp->cipher = construct_cipher_name(exim_client_ctx->ssl, &tlsp->bits);
3138tlsp->cipher_stdname = cipher_stdname_ssl(exim_client_ctx->ssl);
059ec3d9 3139
9d1c15ef
JH		 3140/* Record the certificate we presented */
3141 {
74f1a423
JH		 3142 X509 * crt = SSL_get_certificate(exim_client_ctx->ssl);
3143 tlsp->ourcert = crt ? X509_dup(crt) : NULL;
9d1c15ef
JH		 3144 }
3145
c05bdbd6 3146tlsp->active.sock = cctx->sock;
74f1a423 3147tlsp->active.tls_ctx = exim_client_ctx;
c05bdbd6
JH		 3148cctx->tls_ctx = exim_client_ctx;
3149return TRUE;
059ec3d9
PH		 3150}
3151
3152
3153
3154
3155
0d81dabc
JH		 3156static BOOL
3157tls_refill(unsigned lim)
3158{
3159int error;
3160int inbytes;
3161
3162DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
3163 ssl_xfer_buffer, ssl_xfer_buffer_size);
3164
c2a1bba0 3165if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
0d81dabc
JH		 3166inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer,
3167 MIN(ssl_xfer_buffer_size, lim));
3168error = SSL_get_error(server_ssl, inbytes);
c2a1bba0 3169if (smtp_receive_timeout > 0) ALARM_CLR(0);
9723f966
JH		 3170
3171if (had_command_timeout) /* set by signal handler */
3172 smtp_command_timeout_exit(); /* does not return */
3173if (had_command_sigterm)
3174 smtp_command_sigterm_exit();
3175if (had_data_timeout)
3176 smtp_data_timeout_exit();
3177if (had_data_sigint)
3178 smtp_data_sigint_exit();
0d81dabc
JH		 3179
3180/* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
3181closed down, not that the socket itself has been closed down. Revert to
3182non-SSL handling. */
3183
74f1a423 3184switch(error)
0d81dabc 3185 {
74f1a423
JH		 3186 case SSL_ERROR_NONE:
3187 break;
3188
3189 case SSL_ERROR_ZERO_RETURN:
3190 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
0d81dabc 3191
74f1a423
JH		 3192 if (SSL_get_shutdown(server_ssl) == SSL_RECEIVED_SHUTDOWN)
3193 SSL_shutdown(server_ssl);
dec766a1 3194
bd231acd 3195 tls_close(NULL, TLS_NO_SHUTDOWN);
74f1a423 3196 return FALSE;
0d81dabc 3197
74f1a423
JH		 3198 /* Handle genuine errors */
3199 case SSL_ERROR_SSL:
0abc5a13 3200 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
74f1a423
JH		 3201 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
3202 ssl_xfer_error = TRUE;
3203 return FALSE;
0d81dabc 3204
74f1a423
JH		 3205 default:
3206 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
3207 DEBUG(D_tls) if (error == SSL_ERROR_SYSCALL)
3208 debug_printf(" - syscall %s\n", strerror(errno));
3209 ssl_xfer_error = TRUE;
3210 return FALSE;
0d81dabc
JH		 3211 }
3212
3213#ifndef DISABLE_DKIM
3214dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
3215#endif
3216ssl_xfer_buffer_hwm = inbytes;
3217ssl_xfer_buffer_lwm = 0;
3218return TRUE;
3219}
3220
3221
059ec3d9
PH		 3222/*************************************************
3223* TLS version of getc *
3224*************************************************/
3225
3226/* This gets the next byte from the TLS input buffer. If the buffer is empty,
3227it refills the buffer via the SSL reading function.
3228
bd8fbe36 3229Arguments: lim Maximum amount to read/buffer
059ec3d9 3230Returns: the next character or EOF
817d9f57
JH		 3231
3232Only used by the server-side TLS.
059ec3d9
PH		 3233*/
3234
3235int
bd8fbe36 3236tls_getc(unsigned lim)
059ec3d9
PH		 3237{
3238if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
0d81dabc
JH		 3239 if (!tls_refill(lim))
3240 return ssl_xfer_error ? EOF : smtp_getc(lim);
059ec3d9 3241
0d81dabc 3242/* Something in the buffer; return next uschar */
059ec3d9 3243
0d81dabc
JH		 3244return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
3245}
059ec3d9 3246
0d81dabc
JH		 3247uschar *
3248tls_getbuf(unsigned * len)
3249{
3250unsigned size;
3251uschar * buf;
ba084640 3252
0d81dabc
JH		 3253if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
3254 if (!tls_refill(*len))
059ec3d9 3255 {
0d81dabc
JH		 3256 if (!ssl_xfer_error) return smtp_getbuf(len);
3257 *len = 0;
3258 return NULL;
059ec3d9 3259 }
c80c5570 3260
0d81dabc
JH		 3261if ((size = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm) > *len)
3262 size = *len;
3263buf = &ssl_xfer_buffer[ssl_xfer_buffer_lwm];
3264ssl_xfer_buffer_lwm += size;
3265*len = size;
3266return buf;
059ec3d9
PH		 3267}
3268
0d81dabc 3269
584e96c6
JH		 3270void
3271tls_get_cache()
3272{
9960d1e5 3273#ifndef DISABLE_DKIM
584e96c6
JH		 3274int n = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm;
3275if (n > 0)
3276 dkim_exim_verify_feed(ssl_xfer_buffer+ssl_xfer_buffer_lwm, n);
584e96c6 3277#endif
9960d1e5 3278}
584e96c6 3279
059ec3d9 3280
925ac8e4
JH		 3281BOOL
3282tls_could_read(void)
3283{
a5ffa9b4 3284return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm || SSL_pending(server_ssl) > 0;
925ac8e4
JH		 3285}
3286
059ec3d9
PH		 3287
3288/*************************************************
3289* Read bytes from TLS channel *
3290*************************************************/
3291
3292/*
3293Arguments:
74f1a423 3294 ct_ctx client context pointer, or NULL for the one global server context
059ec3d9
PH		 3295 buff buffer of data
3296 len size of buffer
3297
3298Returns: the number of bytes read
afdb5e9c 3299 -1 after a failed read, including EOF
817d9f57
JH		 3300
3301Only used by the client-side TLS.
059ec3d9
PH		 3302*/
3303
3304int
74f1a423 3305tls_read(void * ct_ctx, uschar *buff, size_t len)
059ec3d9 3306{
74f1a423 3307SSL * ssl = ct_ctx ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
059ec3d9
PH		 3308int inbytes;
3309int error;
3310
389ca47a 3311DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
c80c5570 3312 buff, (unsigned int)len);
059ec3d9 3313
389ca47a
JH		 3314inbytes = SSL_read(ssl, CS buff, len);
3315error = SSL_get_error(ssl, inbytes);
059ec3d9
PH		 3316
3317if (error == SSL_ERROR_ZERO_RETURN)
3318 {
3319 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
3320 return -1;
3321 }
3322else if (error != SSL_ERROR_NONE)
059ec3d9 3323 return -1;
059ec3d9
PH		 3324
3325return inbytes;
3326}
3327
3328
3329
3330
3331
3332/*************************************************
3333* Write bytes down TLS channel *
3334*************************************************/
3335
3336/*
3337Arguments:
74f1a423 3338 ct_ctx client context pointer, or NULL for the one global server context
059ec3d9
PH		 3339 buff buffer of data
3340 len number of bytes
925ac8e4 3341 more further data expected soon
059ec3d9
PH		 3342
3343Returns: the number of bytes after a successful write,
3344 -1 after a failed write
817d9f57
JH		 3345
3346Used by both server-side and client-side TLS.
059ec3d9
PH		 3347*/
3348
3349int
74f1a423 3350tls_write(void * ct_ctx, const uschar *buff, size_t len, BOOL more)
059ec3d9 3351{
ac35befe 3352size_t olen = len;
d7978c0f 3353int outbytes, error;
c09dbcfb
JH		 3354SSL * ssl = ct_ctx
3355 ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
3356static gstring * server_corked = NULL;
3357gstring ** corkedp = ct_ctx
3358 ? &((exim_openssl_client_tls_ctx *)ct_ctx)->corked : &server_corked;
3359gstring * corked = *corkedp;
a5ffa9b4 3360
ef698bf6 3361DEBUG(D_tls) debug_printf("%s(%p, %lu%s)\n", __FUNCTION__,
b93be52e 3362 buff, (unsigned long)len, more ? ", more" : "");
a5ffa9b4
JH		 3363
3364/* Lacking a CORK or MSG_MORE facility (such as GnuTLS has) we copy data when
3365"more" is notified. This hack is only ok if small amounts are involved AND only
3366one stream does it, in one context (i.e. no store reset). Currently it is used
c09dbcfb
JH		 3367for the responses to the received SMTP MAIL , RCPT, DATA sequence, only.
3368We support callouts done by the server process by using a separate client
3369context for the stashed information. */
ac35befe
JH		 3370/* + if PIPE_COMMAND, banner & ehlo-resp for smmtp-on-connect. Suspect there's
3371a store reset there, so use POOL_PERM. */
3372/* + if CHUNKING, cmds EHLO,MAIL,RCPT(s),BDAT */
a5ffa9b4 3373
ac35befe 3374if ((more || corked))
a5ffa9b4 3375 {
4e48d56c 3376#ifdef SUPPORT_PIPE_CONNECT
ee8b8090
JH		 3377 int save_pool = store_pool;
3378 store_pool = POOL_PERM;
3379#endif
3380
acec9514 3381 corked = string_catn(corked, buff, len);
ee8b8090 3382
4e48d56c 3383#ifdef SUPPORT_PIPE_CONNECT
ee8b8090
JH		 3384 store_pool = save_pool;
3385#endif
3386
a5ffa9b4 3387 if (more)
c09dbcfb
JH		 3388 {
3389 *corkedp = corked;
a5ffa9b4 3390 return len;
c09dbcfb 3391 }
acec9514
JH		 3392 buff = CUS corked->s;
3393 len = corked->ptr;
c09dbcfb 3394 *corkedp = NULL;
a5ffa9b4 3395 }
059ec3d9 3396
d7978c0f 3397for (int left = len; left > 0;)
059ec3d9 3398 {
74f1a423 3399 DEBUG(D_tls) debug_printf("SSL_write(%p, %p, %d)\n", ssl, buff, left);
059ec3d9
PH		 3400 outbytes = SSL_write(ssl, CS buff, left);
3401 error = SSL_get_error(ssl, outbytes);
3402 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
3403 switch (error)
3404 {
3405 case SSL_ERROR_SSL:
0abc5a13 3406 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
96f5fe4c
JH		 3407 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
3408 return -1;
059ec3d9
PH		 3409
3410 case SSL_ERROR_NONE:
96f5fe4c
JH		 3411 left -= outbytes;
3412 buff += outbytes;
3413 break;
059ec3d9
PH		 3414
3415 case SSL_ERROR_ZERO_RETURN:
96f5fe4c
JH		 3416 log_write(0, LOG_MAIN, "SSL channel closed on write");
3417 return -1;
059ec3d9 3418
817d9f57 3419 case SSL_ERROR_SYSCALL:
96f5fe4c
JH		 3420 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
3421 sender_fullhost ? sender_fullhost : US"<unknown>",
3422 strerror(errno));
3423 return -1;
817d9f57 3424
059ec3d9 3425 default:
96f5fe4c
JH		 3426 log_write(0, LOG_MAIN, "SSL_write error %d", error);
3427 return -1;
059ec3d9
PH		 3428 }
3429 }
ac35befe 3430return olen;
059ec3d9
PH		 3431}
3432
3433
3434
3435/*************************************************
3436* Close down a TLS session *
3437*************************************************/
3438
3439/* This is also called from within a delivery subprocess forked from the
3440daemon, to shut down the TLS library, without actually doing a shutdown (which
3441would tamper with the SSL session in the parent process).
3442
dec766a1 3443Arguments:
74f1a423 3444 ct_ctx client TLS context pointer, or NULL for the one global server context
dec766a1
WB		 3445 shutdown 1 if TLS close-alert is to be sent,
3446 2 if also response to be waited for
3447
059ec3d9 3448Returns: nothing
817d9f57
JH		 3449
3450Used by both server-side and client-side TLS.
059ec3d9
PH		 3451*/
3452
3453void
74f1a423 3454tls_close(void * ct_ctx, int shutdown)
059ec3d9 3455{
74f1a423
JH		 3456exim_openssl_client_tls_ctx * o_ctx = ct_ctx;
3457SSL_CTX **ctxp = o_ctx ? &o_ctx->ctx : &server_ctx;
3458SSL **sslp = o_ctx ? &o_ctx->ssl : &server_ssl;
3459int *fdp = o_ctx ? &tls_out.active.sock : &tls_in.active.sock;
817d9f57
JH		 3460
3461if (*fdp < 0) return; /* TLS was not active */
059ec3d9
PH		 3462
3463if (shutdown)
3464 {
dec766a1
WB		 3465 int rc;
3466 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
3467 shutdown > 1 ? " (with response-wait)" : "");
3468
3469 if ( (rc = SSL_shutdown(*sslp)) == 0 /* send "close notify" alert */
3470 && shutdown > 1)
3471 {
c2a1bba0 3472 ALARM(2);
dec766a1 3473 rc = SSL_shutdown(*sslp); /* wait for response */
c2a1bba0 3474 ALARM_CLR(0);
dec766a1
WB		 3475 }
3476
3477 if (rc < 0) DEBUG(D_tls)
3478 {
0abc5a13 3479 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
dec766a1
WB		 3480 debug_printf("SSL_shutdown: %s\n", ssl_errstring);
3481 }
3482 }
3483
74f1a423 3484if (!o_ctx) /* server side */
dec766a1 3485 {
bd231acd 3486#ifndef DISABLE_OCSP
dec766a1 3487 sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
dec766a1 3488 server_static_cbinfo->verify_stack = NULL;
37f0ce65 3489#endif
059ec3d9 3490
bd231acd
JH		 3491 receive_getc = smtp_getc;
3492 receive_getbuf = smtp_getbuf;
3493 receive_get_cache = smtp_get_cache;
3494 receive_ungetc = smtp_ungetc;
3495 receive_feof = smtp_feof;
3496 receive_ferror = smtp_ferror;
3497 receive_smtp_buffered = smtp_buffered;
3498 tls_in.active.tls_ctx = NULL;
3499 tls_in.sni = NULL;
3500 /* Leave bits, peercert, cipher, peerdn, certificate_verified set, for logging */
3501 }
3502
dec766a1 3503SSL_CTX_free(*ctxp);
817d9f57 3504SSL_free(*sslp);
dec766a1 3505*ctxp = NULL;
817d9f57 3506*sslp = NULL;
817d9f57 3507*fdp = -1;
059ec3d9
PH		 3508}
3509
36f12725
NM		 3510
3511
3512
3375e053
PP		 3513/*************************************************
3514* Let tls_require_ciphers be checked at startup *
3515*************************************************/
3516
3517/* The tls_require_ciphers option, if set, must be something which the
3518library can parse.
3519
3520Returns: NULL on success, or error message
3521*/
3522
3523uschar *
3524tls_validate_require_cipher(void)
3525{
3526SSL_CTX *ctx;
3527uschar *s, *expciphers, *err;
3528
3529/* this duplicates from tls_init(), we need a better "init just global
3530state, for no specific purpose" singleton function of our own */
3531
7434882d 3532#ifdef EXIM_NEED_OPENSSL_INIT
3375e053
PP		 3533SSL_load_error_strings();
3534OpenSSL_add_ssl_algorithms();
7434882d 3535#endif
3375e053
PP		 3536#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
3537/* SHA256 is becoming ever more popular. This makes sure it gets added to the
3538list of available digests. */
3539EVP_add_digest(EVP_sha256());
3540#endif
3541
3542if (!(tls_require_ciphers && *tls_require_ciphers))
3543 return NULL;
3544
cf0c6164
JH		 3545if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
3546 &err))
3375e053
PP		 3547 return US"failed to expand tls_require_ciphers";
3548
3549if (!(expciphers && *expciphers))
3550 return NULL;
3551
3552/* normalisation ripped from above */
3553s = expciphers;
3554while (*s != 0) { if (*s == '_') *s = '-'; s++; }
3555
3556err = NULL;
3557
7a8b9519
JH		 3558#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
3559if (!(ctx = SSL_CTX_new(TLS_server_method())))
3560#else
3561if (!(ctx = SSL_CTX_new(SSLv23_server_method())))
3562#endif
3375e053 3563 {
0abc5a13 3564 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3375e053
PP		 3565 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
3566 }
3567
3568DEBUG(D_tls)
3569 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
3570
3571if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
3572 {
0abc5a13 3573 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
cf0c6164
JH		 3574 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed: %s",
3575 expciphers, ssl_errstring);
3375e053
PP		 3576 }
3577
3578SSL_CTX_free(ctx);
3579
3580return err;
3581}
3582
3583
3584
3585
36f12725
NM		 3586/*************************************************
3587* Report the library versions. *
3588*************************************************/
3589
3590/* There have historically been some issues with binary compatibility in
3591OpenSSL libraries; if Exim (like many other applications) is built against
3592one version of OpenSSL but the run-time linker picks up another version,
3593it can result in serious failures, including crashing with a SIGSEGV. So
3594report the version found by the compiler and the run-time version.
3595
f64a1e23
PP		 3596Note: some OS vendors backport security fixes without changing the version
3597number/string, and the version date remains unchanged. The _build_ date
3598will change, so we can more usefully assist with version diagnosis by also
3599reporting the build date.
3600
36f12725
NM		 3601Arguments: a FILE* to print the results to
3602Returns: nothing
3603*/
3604
3605void
3606tls_version_report(FILE *f)
3607{
754a0503 3608fprintf(f, "Library version: OpenSSL: Compile: %s\n"
f64a1e23
PP		 3609 " Runtime: %s\n"
3610 " : %s\n",
754a0503 3611 OPENSSL_VERSION_TEXT,
f64a1e23
PP		 3612 SSLeay_version(SSLEAY_VERSION),
3613 SSLeay_version(SSLEAY_BUILT_ON));
3614/* third line is 38 characters for the %s and the line is 73 chars long;
3615the OpenSSL output includes a "built on: " prefix already. */
36f12725
NM		 3616}
3617
9e3331ea
TK		 3618
3619
3620
3621/*************************************************
17c76198 3622* Random number generation *
9e3331ea
TK		 3623*************************************************/
3624
3625/* Pseudo-random number generation. The result is not expected to be
3626cryptographically strong but not so weak that someone will shoot themselves
3627in the foot using it as a nonce in input in some email header scheme or
3628whatever weirdness they'll twist this into. The result should handle fork()
3629and avoid repeating sequences. OpenSSL handles that for us.
3630
3631Arguments:
3632 max range maximum
3633Returns a random number in range [0, max-1]
3634*/
3635
3636int
17c76198 3637vaguely_random_number(int max)
9e3331ea
TK		 3638{
3639unsigned int r;
3640int i, needed_len;
de6135a0
PP		 3641static pid_t pidlast = 0;
3642pid_t pidnow;
9e3331ea
TK		 3643uschar smallbuf[sizeof(r)];
3644
3645if (max <= 1)
3646 return 0;
3647
de6135a0
PP		 3648pidnow = getpid();
3649if (pidnow != pidlast)
3650 {
3651 /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
3652 is unique for each thread", this doesn't apparently apply across processes,
3653 so our own warning from vaguely_random_number_fallback() applies here too.
3654 Fix per PostgreSQL. */
3655 if (pidlast != 0)
3656 RAND_cleanup();
3657 pidlast = pidnow;
3658 }
3659
9e3331ea
TK		 3660/* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
3661if (!RAND_status())
3662 {
3663 randstuff r;
3664 gettimeofday(&r.tv, NULL);
3665 r.p = getpid();
3666
5903c6ff 3667 RAND_seed(US (&r), sizeof(r));
9e3331ea
TK		 3668 }
3669/* We're after pseudo-random, not random; if we still don't have enough data
3670in the internal PRNG then our options are limited. We could sleep and hope
3671for entropy to come along (prayer technique) but if the system is so depleted
3672in the first place then something is likely to just keep taking it. Instead,
3673we'll just take whatever little bit of pseudo-random we can still manage to
3674get. */
3675
3676needed_len = sizeof(r);
3677/* Don't take 8 times more entropy than needed if int is 8 octets and we were
3678asked for a number less than 10. */
3679for (r = max, i = 0; r; ++i)
3680 r >>= 1;
3681i = (i + 7) / 8;
3682if (i < needed_len)
3683 needed_len = i;
3684
c8dfb21d 3685#ifdef EXIM_HAVE_RAND_PSEUDO
9e3331ea 3686/* We do not care if crypto-strong */
17c76198 3687i = RAND_pseudo_bytes(smallbuf, needed_len);
c8dfb21d
JH		 3688#else
3689i = RAND_bytes(smallbuf, needed_len);
3690#endif
3691
17c76198
PP		 3692if (i < 0)
3693 {
3694 DEBUG(D_all)
3695 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
3696 return vaguely_random_number_fallback(max);
3697 }
3698
9e3331ea 3699r = 0;
d7978c0f
JH		 3700for (uschar * p = smallbuf; needed_len; --needed_len, ++p)
3701 r = 256 * r + *p;
9e3331ea
TK		 3702
3703/* We don't particularly care about weighted results; if someone wants
3704smooth distribution and cares enough then they should submit a patch then. */
3705return r % max;
3706}
3707
77bb000f
PP		 3708
3709
3710
3711/*************************************************
3712* OpenSSL option parse *
3713*************************************************/
3714
3715/* Parse one option for tls_openssl_options_parse below
3716
3717Arguments:
3718 name one option name
3719 value place to store a value for it
3720Returns success or failure in parsing
3721*/
3722
77bb000f 3723
c80c5570 3724
77bb000f
PP		 3725static BOOL
3726tls_openssl_one_option_parse(uschar *name, long *value)
3727{
3728int first = 0;
3729int last = exim_openssl_options_size;
3730while (last > first)
3731 {
3732 int middle = (first + last)/2;
3733 int c = Ustrcmp(name, exim_openssl_options[middle].name);
3734 if (c == 0)
3735 {
3736 *value = exim_openssl_options[middle].value;
3737 return TRUE;
3738 }
3739 else if (c > 0)
3740 first = middle + 1;
3741 else
3742 last = middle;
3743 }
3744return FALSE;
3745}
3746
3747
3748
3749
3750/*************************************************
3751* OpenSSL option parsing logic *
3752*************************************************/
3753
3754/* OpenSSL has a number of compatibility options which an administrator might
3755reasonably wish to set. Interpret a list similarly to decode_bits(), so that
3756we look like log_selector.
3757
3758Arguments:
3759 option_spec the administrator-supplied string of options
3760 results ptr to long storage for the options bitmap
3761Returns success or failure
3762*/
3763
3764BOOL
3765tls_openssl_options_parse(uschar *option_spec, long *results)
3766{
3767long result, item;
d7978c0f 3768uschar *end;
77bb000f
PP		 3769uschar keep_c;
3770BOOL adding, item_parsed;
3771
b10c87b3 3772/* Server: send no (<= TLS1.2) session tickets */
7006ee24 3773result = SSL_OP_NO_TICKET;
b10c87b3 3774
b1770b6e 3775/* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
da3ad30d 3776 * from default because it increases BEAST susceptibility. */
f0f5a555
PP		 3777#ifdef SSL_OP_NO_SSLv2
3778result |= SSL_OP_NO_SSLv2;
3779#endif
b10c87b3
JH		 3780#ifdef SSL_OP_NO_SSLv3
3781result |= SSL_OP_NO_SSLv3;
3782#endif
a57b6200
JH		 3783#ifdef SSL_OP_SINGLE_DH_USE
3784result |= SSL_OP_SINGLE_DH_USE;
3785#endif
77bb000f 3786
7006ee24 3787if (!option_spec)
77bb000f
PP		 3788 {
3789 *results = result;
3790 return TRUE;
3791 }
3792
b10c87b3 3793for (uschar * s = option_spec; *s; /**/)
77bb000f
PP		 3794 {
3795 while (isspace(*s)) ++s;
3796 if (*s == '\0')
3797 break;
3798 if (*s != '+' && *s != '-')
3799 {
3800 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
0e944a0d 3801 "+ or - expected but found \"%s\"\n", s);
77bb000f
PP		 3802 return FALSE;
3803 }
3804 adding = *s++ == '+';
3805 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
3806 keep_c = *end;
3807 *end = '\0';
3808 item_parsed = tls_openssl_one_option_parse(s, &item);
96f5fe4c 3809 *end = keep_c;
77bb000f
PP		 3810 if (!item_parsed)
3811 {
0e944a0d 3812 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
77bb000f
PP		 3813 return FALSE;
3814 }
f97ca6d1
JH		 3815 DEBUG(D_tls) debug_printf("openssl option, %s %8lx: %lx (%s)\n",
3816 adding ? "adding to " : "removing from", result, item, s);
77bb000f
PP		 3817 if (adding)
3818 result |= item;
3819 else
3820 result &= ~item;
77bb000f
PP		 3821 s = end;
3822 }
3823
3824*results = result;
3825return TRUE;
3826}
3827
8442641e 3828#endif /*!MACRO_PREDEF*/
9d1c15ef
JH		 3829/* vi: aw ai sw=2
3830*/
059ec3d9 3831/* End of tls-openssl.c */
Unnamed repository; edit this file 'description' to name the repository.