tidying
[exim.git] / src / src / tls-openssl.c
CommitLineData
059ec3d9
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
b10c87b3 5/* Copyright (c) University of Cambridge 1995 - 2019 */
059ec3d9
PH
6/* See the file NOTICE for conditions of use and distribution. */
7
f5d78688
JH
8/* Portions Copyright (c) The OpenSSL Project 1999 */
9
059ec3d9
PH
10/* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11library. It is #included into the tls.c file when that library is used. The
12code herein is based on a patch that was originally contributed by Steve
13Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
14
15No cryptographic code is included in Exim. All this module does is to call
16functions from the OpenSSL library. */
17
18
19/* Heading stuff */
20
21#include <openssl/lhash.h>
22#include <openssl/ssl.h>
23#include <openssl/err.h>
24#include <openssl/rand.h>
10ca4f1c
JH
25#ifndef OPENSSL_NO_ECDH
26# include <openssl/ec.h>
27#endif
f2de3a33 28#ifndef DISABLE_OCSP
e51c7be2 29# include <openssl/ocsp.h>
3f7eeb86 30#endif
c0635b6d 31#ifdef SUPPORT_DANE
05e796ad 32# include "danessl.h"
85098ee7
JH
33#endif
34
3f7eeb86 35
f2de3a33
JH
36#ifndef DISABLE_OCSP
37# define EXIM_OCSP_SKEW_SECONDS (300L)
38# define EXIM_OCSP_MAX_AGE (-1L)
3f7eeb86 39#endif
059ec3d9 40
3bcbbbe2 41#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
e51c7be2 42# define EXIM_HAVE_OPENSSL_TLSEXT
3bcbbbe2 43#endif
c8dfb21d
JH
44#if OPENSSL_VERSION_NUMBER >= 0x00908000L
45# define EXIM_HAVE_RSA_GENKEY_EX
46#endif
47#if OPENSSL_VERSION_NUMBER >= 0x10100000L
48# define EXIM_HAVE_OCSP_RESP_COUNT
49#else
50# define EXIM_HAVE_EPHEM_RSA_KEX
51# define EXIM_HAVE_RAND_PSEUDO
52#endif
53#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
8442641e 54# define EXIM_HAVE_SHA256
c8dfb21d 55#endif
34e3241d 56
d7978c0f
JH
57/* X509_check_host provides sane certificate hostname checking, but was added
58to OpenSSL late, after other projects forked off the code-base. So in
59addition to guarding against the base version number, beware that LibreSSL
60does not (at this time) support this function.
61
62If LibreSSL gains a different API, perhaps via libtls, then we'll probably
63opt to disentangle and ask a LibreSSL user to provide glue for a third
64crypto provider for libtls instead of continuing to tie the OpenSSL glue
65into even twistier knots. If LibreSSL gains the same API, we can just
66change this guard and punt the issue for a while longer. */
67
34e3241d
PP
68#ifndef LIBRESSL_VERSION_NUMBER
69# if OPENSSL_VERSION_NUMBER >= 0x010100000L
70# define EXIM_HAVE_OPENSSL_CHECKHOST
8420742d 71# define EXIM_HAVE_OPENSSL_DH_BITS
7a8b9519 72# define EXIM_HAVE_OPENSSL_TLS_METHOD
f20cfa4a 73# define EXIM_HAVE_OPENSSL_KEYLOG
f1be21cf 74# define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
b10c87b3 75# define EXIM_HAVE_SESSION_TICKET
e570d136 76# define EXIM_HAVE_OPESSL_TRACE
7434882d
JH
77# else
78# define EXIM_NEED_OPENSSL_INIT
34e3241d
PP
79# endif
80# if OPENSSL_VERSION_NUMBER >= 0x010000000L \
2dfb468b 81 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
34e3241d
PP
82# define EXIM_HAVE_OPENSSL_CHECKHOST
83# endif
11aa88b0 84#endif
10ca4f1c 85
11aa88b0
RA
86#if !defined(LIBRESSL_VERSION_NUMBER) \
87 || LIBRESSL_VERSION_NUMBER >= 0x20010000L
10ca4f1c
JH
88# if !defined(OPENSSL_NO_ECDH)
89# if OPENSSL_VERSION_NUMBER >= 0x0090800fL
8442641e 90# define EXIM_HAVE_ECDH
10ca4f1c
JH
91# endif
92# if OPENSSL_VERSION_NUMBER >= 0x10002000L
10ca4f1c
JH
93# define EXIM_HAVE_OPENSSL_EC_NIST2NID
94# endif
95# endif
2dfb468b 96#endif
3bcbbbe2 97
8a40db1c
JH
98#ifndef LIBRESSL_VERSION_NUMBER
99# if OPENSSL_VERSION_NUMBER >= 0x010101000L
100# define OPENSSL_HAVE_KEYLOG_CB
d7f31bb6 101# define OPENSSL_HAVE_NUM_TICKETS
f1be21cf 102# define EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
8a40db1c
JH
103# endif
104#endif
105
67791ce4
JH
106#if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
107# warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
108# define DISABLE_OCSP
109#endif
43e2db44
JH
110
111#ifdef EXPERIMENTAL_TLS_RESUME
112# if OPENSSL_VERSION_NUMBER < 0x0101010L
113# error OpenSSL version too old for session-resumption
114# endif
115#endif
67791ce4 116
a6510420
JH
117#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
118# include <openssl/x509v3.h>
119#endif
120
f1be21cf
JH
121#ifndef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
122# ifndef EXIM_HAVE_OPENSSL_CIPHER_GET_ID
123# define SSL_CIPHER_get_id(c) (c->id)
124# endif
dca6d121
JH
125# ifndef MACRO_PREDEF
126# include "tls-cipher-stdname.c"
127# endif
f1be21cf
JH
128#endif
129
8442641e
JH
130/*************************************************
131* OpenSSL option parse *
132*************************************************/
133
134typedef struct exim_openssl_option {
135 uschar *name;
136 long value;
137} exim_openssl_option;
138/* We could use a macro to expand, but we need the ifdef and not all the
139options document which version they were introduced in. Policylet: include
140all options unless explicitly for DTLS, let the administrator choose which
141to apply.
142
143This list is current as of:
144 ==> 1.0.1b <==
145Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
146Plus SSL_OP_NO_TLSv1_3 for 1.1.2-dev
147*/
148static exim_openssl_option exim_openssl_options[] = {
149/* KEEP SORTED ALPHABETICALLY! */
150#ifdef SSL_OP_ALL
6d95688d 151 { US"all", (long) SSL_OP_ALL },
8442641e
JH
152#endif
153#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
154 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
155#endif
156#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
157 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
158#endif
159#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
160 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
161#endif
162#ifdef SSL_OP_EPHEMERAL_RSA
163 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
164#endif
165#ifdef SSL_OP_LEGACY_SERVER_CONNECT
166 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
167#endif
168#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
169 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
170#endif
171#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
172 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
173#endif
174#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
175 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
176#endif
177#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
178 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
179#endif
180#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
181 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
182#endif
183#ifdef SSL_OP_NO_COMPRESSION
184 { US"no_compression", SSL_OP_NO_COMPRESSION },
185#endif
186#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
187 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
188#endif
189#ifdef SSL_OP_NO_SSLv2
190 { US"no_sslv2", SSL_OP_NO_SSLv2 },
191#endif
192#ifdef SSL_OP_NO_SSLv3
193 { US"no_sslv3", SSL_OP_NO_SSLv3 },
194#endif
195#ifdef SSL_OP_NO_TICKET
196 { US"no_ticket", SSL_OP_NO_TICKET },
197#endif
198#ifdef SSL_OP_NO_TLSv1
199 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
200#endif
201#ifdef SSL_OP_NO_TLSv1_1
202#if SSL_OP_NO_TLSv1_1 == 0x00000400L
203 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
204#warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
205#else
206 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
207#endif
208#endif
209#ifdef SSL_OP_NO_TLSv1_2
210 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
211#endif
212#ifdef SSL_OP_NO_TLSv1_3
213 { US"no_tlsv1_3", SSL_OP_NO_TLSv1_3 },
214#endif
215#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
216 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
217#endif
218#ifdef SSL_OP_SINGLE_DH_USE
219 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
220#endif
221#ifdef SSL_OP_SINGLE_ECDH_USE
222 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
223#endif
224#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
225 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
226#endif
227#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
228 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
229#endif
230#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
231 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
232#endif
233#ifdef SSL_OP_TLS_D5_BUG
234 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
235#endif
236#ifdef SSL_OP_TLS_ROLLBACK_BUG
237 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
238#endif
239};
240
241#ifndef MACRO_PREDEF
242static int exim_openssl_options_size = nelem(exim_openssl_options);
243#endif
244
245#ifdef MACRO_PREDEF
246void
247options_tls(void)
248{
8442641e
JH
249uschar buf[64];
250
d7978c0f 251for (struct exim_openssl_option * o = exim_openssl_options;
8442641e
JH
252 o < exim_openssl_options + nelem(exim_openssl_options); o++)
253 {
254 /* Trailing X is workaround for problem with _OPT_OPENSSL_NO_TLSV1
255 being a ".ifdef _OPT_OPENSSL_NO_TLSV1_3" match */
256
257 spf(buf, sizeof(buf), US"_OPT_OPENSSL_%T_X", o->name);
258 builtin_macro_create(buf);
259 }
b10c87b3
JH
260
261# ifdef EXPERIMENTAL_TLS_RESUME
262builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
263# endif
e326959e
JH
264# ifdef SSL_OP_NO_TLSv1_3
265builtin_macro_create(US"_HAVE_TLS1_3");
266# endif
8442641e
JH
267}
268#else
269
270/******************************************************************************/
271
059ec3d9
PH
272/* Structure for collecting random data for seeding. */
273
274typedef struct randstuff {
9e3331ea
TK
275 struct timeval tv;
276 pid_t p;
059ec3d9
PH
277} randstuff;
278
279/* Local static variables */
280
a2ff477a
JH
281static BOOL client_verify_callback_called = FALSE;
282static BOOL server_verify_callback_called = FALSE;
059ec3d9
PH
283static const uschar *sid_ctx = US"exim";
284
d4f09789
PP
285/* We have three different contexts to care about.
286
287Simple case: client, `client_ctx`
288 As a client, we can be doing a callout or cut-through delivery while receiving
289 a message. So we have a client context, which should have options initialised
74f1a423
JH
290 from the SMTP Transport. We may also concurrently want to make TLS connections
291 to utility daemons, so client-contexts are allocated and passed around in call
292 args rather than using a gobal.
d4f09789
PP
293
294Server:
295 There are two cases: with and without ServerNameIndication from the client.
296 Given TLS SNI, we can be using different keys, certs and various other
297 configuration settings, because they're re-expanded with $tls_sni set. This
298 allows vhosting with TLS. This SNI is sent in the handshake.
299 A client might not send SNI, so we need a fallback, and an initial setup too.
300 So as a server, we start out using `server_ctx`.
301 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
302 `server_sni` from `server_ctx` and then initialise settings by re-expanding
303 configuration.
304*/
305
74f1a423
JH
306typedef struct {
307 SSL_CTX * ctx;
308 SSL * ssl;
c09dbcfb 309 gstring * corked;
74f1a423
JH
310} exim_openssl_client_tls_ctx;
311
817d9f57 312static SSL_CTX *server_ctx = NULL;
817d9f57 313static SSL *server_ssl = NULL;
389ca47a 314
35731706 315#ifdef EXIM_HAVE_OPENSSL_TLSEXT
817d9f57 316static SSL_CTX *server_sni = NULL;
35731706 317#endif
059ec3d9
PH
318
319static char ssl_errstring[256];
320
dea4b568 321static int ssl_session_timeout = 7200; /* Two hours */
a2ff477a
JH
322static BOOL client_verify_optional = FALSE;
323static BOOL server_verify_optional = FALSE;
059ec3d9 324
f5d78688 325static BOOL reexpand_tls_files_for_sni = FALSE;
059ec3d9
PH
326
327
7be682ca 328typedef struct tls_ext_ctx_cb {
b10c87b3 329 tls_support * tlsp;
7be682ca
PP
330 uschar *certificate;
331 uschar *privatekey;
f5d78688 332 BOOL is_server;
a6510420 333#ifndef DISABLE_OCSP
c3033f13 334 STACK_OF(X509) *verify_stack; /* chain for verifying the proof */
f5d78688
JH
335 union {
336 struct {
337 uschar *file;
338 uschar *file_expanded;
339 OCSP_RESPONSE *response;
340 } server;
341 struct {
44662487
JH
342 X509_STORE *verify_store; /* non-null if status requested */
343 BOOL verify_required;
f5d78688
JH
344 } client;
345 } u_ocsp;
3f7eeb86 346#endif
7be682ca
PP
347 uschar *dhparam;
348 /* these are cached from first expand */
349 uschar *server_cipher_list;
350 /* only passed down to tls_error: */
351 host_item *host;
55414b25 352 const uschar * verify_cert_hostnames;
0cbf2b82 353#ifndef DISABLE_EVENT
a7538db1
JH
354 uschar * event_action;
355#endif
7be682ca
PP
356} tls_ext_ctx_cb;
357
358/* should figure out a cleanup of API to handle state preserved per
359implementation, for various reasons, which can be void * in the APIs.
360For now, we hack around it. */
b10c87b3 361tls_ext_ctx_cb *client_static_cbinfo = NULL; /*XXX should not use static; multiple concurrent clients! */
817d9f57 362tls_ext_ctx_cb *server_static_cbinfo = NULL;
7be682ca
PP
363
364static int
983207c1 365setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
cf0c6164 366 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr );
059ec3d9 367
3f7eeb86 368/* Callbacks */
3bcbbbe2 369#ifdef EXIM_HAVE_OPENSSL_TLSEXT
3f7eeb86 370static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
3bcbbbe2 371#endif
f2de3a33 372#ifndef DISABLE_OCSP
f5d78688 373static int tls_server_stapling_cb(SSL *s, void *arg);
3f7eeb86
PP
374#endif
375
059ec3d9 376
b10c87b3 377
4d93129f 378/* Daemon-called, before every connection, key create/rotate */
b10c87b3
JH
379#ifdef EXPERIMENTAL_TLS_RESUME
380static void tk_init(void);
381static int tls_exdata_idx = -1;
382#endif
383
384void
385tls_daemon_init(void)
386{
387#ifdef EXPERIMENTAL_TLS_RESUME
388tk_init();
389#endif
390return;
391}
392
393
059ec3d9
PH
394/*************************************************
395* Handle TLS error *
396*************************************************/
397
398/* Called from lots of places when errors occur before actually starting to do
399the TLS handshake, that is, while the session is still in clear. Always returns
400DEFER for a server and FAIL for a client so that most calls can use "return
401tls_error(...)" to do this processing and then give an appropriate return. A
402single function is used for both server and client, because it is called from
403some shared functions.
404
405Argument:
406 prefix text to include in the logged error
407 host NULL if setting up a server;
408 the connected host if setting up a client
7199e1ee 409 msg error message or NULL if we should ask OpenSSL
cf0c6164 410 errstr pointer to output error message
059ec3d9
PH
411
412Returns: OK/DEFER/FAIL
413*/
414
415static int
cf0c6164 416tls_error(uschar * prefix, const host_item * host, uschar * msg, uschar ** errstr)
059ec3d9 417{
c562fd30 418if (!msg)
7199e1ee 419 {
0abc5a13 420 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
cf0c6164 421 msg = US ssl_errstring;
7199e1ee
TF
422 }
423
5a2a0989
JH
424msg = string_sprintf("(%s): %s", prefix, msg);
425DEBUG(D_tls) debug_printf("TLS error '%s'\n", msg);
426if (errstr) *errstr = msg;
cf0c6164 427return host ? FAIL : DEFER;
059ec3d9
PH
428}
429
430
431
432/*************************************************
433* Callback to generate RSA key *
434*************************************************/
435
436/*
437Arguments:
3ae79556 438 s SSL connection (not used)
059ec3d9
PH
439 export not used
440 keylength keylength
441
442Returns: pointer to generated key
443*/
444
445static RSA *
446rsa_callback(SSL *s, int export, int keylength)
447{
448RSA *rsa_key;
c8dfb21d
JH
449#ifdef EXIM_HAVE_RSA_GENKEY_EX
450BIGNUM *bn = BN_new();
451#endif
452
059ec3d9
PH
453export = export; /* Shut picky compilers up */
454DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
c8dfb21d
JH
455
456#ifdef EXIM_HAVE_RSA_GENKEY_EX
457if ( !BN_set_word(bn, (unsigned long)RSA_F4)
f2cb6292 458 || !(rsa_key = RSA_new())
c8dfb21d
JH
459 || !RSA_generate_key_ex(rsa_key, keylength, bn, NULL)
460 )
461#else
23bb6982 462if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL)))
c8dfb21d
JH
463#endif
464
059ec3d9 465 {
0abc5a13 466 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
059ec3d9
PH
467 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
468 ssl_errstring);
469 return NULL;
470 }
471return rsa_key;
472}
473
474
475
f5d78688 476/* Extreme debug
f2de3a33 477#ifndef DISABLE_OCSP
f5d78688
JH
478void
479x509_store_dump_cert_s_names(X509_STORE * store)
480{
481STACK_OF(X509_OBJECT) * roots= store->objs;
f5d78688
JH
482static uschar name[256];
483
d7978c0f 484for (int i= 0; i < sk_X509_OBJECT_num(roots); i++)
f5d78688
JH
485 {
486 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
487 if(tmp_obj->type == X509_LU_X509)
488 {
70e384dd
JH
489 X509_NAME * sn = X509_get_subject_name(tmp_obj->data.x509);
490 if (X509_NAME_oneline(sn, CS name, sizeof(name)))
491 {
492 name[sizeof(name)-1] = '\0';
493 debug_printf(" %s\n", name);
494 }
f5d78688
JH
495 }
496 }
497}
498#endif
499*/
500
059ec3d9 501
0cbf2b82 502#ifndef DISABLE_EVENT
f69979cf
JH
503static int
504verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
505 BOOL *calledp, const BOOL *optionalp, const uschar * what)
506{
507uschar * ev;
508uschar * yield;
509X509 * old_cert;
510
511ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
512if (ev)
513 {
aaba7d03 514 DEBUG(D_tls) debug_printf("verify_event: %s %d\n", what, depth);
f69979cf
JH
515 old_cert = tlsp->peercert;
516 tlsp->peercert = X509_dup(cert);
517 /* NB we do not bother setting peerdn */
518 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
519 {
520 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
521 "depth=%d cert=%s: %s",
522 tlsp == &tls_out ? deliver_host_address : sender_host_address,
523 what, depth, dn, yield);
524 *calledp = TRUE;
525 if (!*optionalp)
526 {
527 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
528 return 1; /* reject (leaving peercert set) */
529 }
530 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
531 "(host in tls_try_verify_hosts)\n");
4a1bd6b9 532 tlsp->verify_override = TRUE;
f69979cf
JH
533 }
534 X509_free(tlsp->peercert);
535 tlsp->peercert = old_cert;
536 }
537return 0;
538}
539#endif
540
059ec3d9
PH
541/*************************************************
542* Callback for verification *
543*************************************************/
544
545/* The SSL library does certificate verification if set up to do so. This
546callback has the current yes/no state is in "state". If verification succeeded,
f69979cf
JH
547we set the certificate-verified flag. If verification failed, what happens
548depends on whether the client is required to present a verifiable certificate
549or not.
059ec3d9
PH
550
551If verification is optional, we change the state to yes, but still log the
552verification error. For some reason (it really would help to have proper
553documentation of OpenSSL), this callback function then gets called again, this
f69979cf
JH
554time with state = 1. We must take care not to set the private verified flag on
555the second time through.
059ec3d9
PH
556
557Note: this function is not called if the client fails to present a certificate
558when asked. We get here only if a certificate has been received. Handling of
559optional verification for this case is done when requesting SSL to verify, by
560setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
561
a7538db1
JH
562May be called multiple times for different issues with a certificate, even
563for a given "depth" in the certificate chain.
564
059ec3d9 565Arguments:
f2f2c91b
JH
566 preverify_ok current yes/no state as 1/0
567 x509ctx certificate information.
568 tlsp per-direction (client vs. server) support data
569 calledp has-been-called flag
570 optionalp verification-is-optional flag
059ec3d9 571
f2f2c91b 572Returns: 0 if verification should fail, otherwise 1
059ec3d9
PH
573*/
574
575static int
70e384dd
JH
576verify_callback(int preverify_ok, X509_STORE_CTX * x509ctx,
577 tls_support * tlsp, BOOL * calledp, BOOL * optionalp)
059ec3d9 578{
421aff85 579X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
a7538db1 580int depth = X509_STORE_CTX_get_error_depth(x509ctx);
f69979cf 581uschar dn[256];
059ec3d9 582
70e384dd
JH
583if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
584 {
585 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
586 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
587 tlsp == &tls_out ? deliver_host_address : sender_host_address);
588 return 0;
589 }
f69979cf 590dn[sizeof(dn)-1] = '\0';
059ec3d9 591
f4e62a87 592tlsp->verify_override = FALSE;
f2f2c91b 593if (preverify_ok == 0)
059ec3d9 594 {
f77197ae
JH
595 uschar * extra = verify_mode ? string_sprintf(" (during %c-verify for [%s])",
596 *verify_mode, sender_host_address)
597 : US"";
598 log_write(0, LOG_MAIN, "[%s] SSL verify error%s: depth=%d error=%s cert=%s",
599 tlsp == &tls_out ? deliver_host_address : sender_host_address,
600 extra, depth,
601 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)), dn);
a2ff477a 602 *calledp = TRUE;
9d1c15ef
JH
603 if (!*optionalp)
604 {
f69979cf
JH
605 if (!tlsp->peercert)
606 tlsp->peercert = X509_dup(cert); /* record failing cert */
607 return 0; /* reject */
9d1c15ef 608 }
059ec3d9
PH
609 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
610 "tls_try_verify_hosts)\n");
4a1bd6b9 611 tlsp->verify_override = TRUE;
059ec3d9
PH
612 }
613
a7538db1 614else if (depth != 0)
059ec3d9 615 {
f69979cf 616 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
f2de3a33 617#ifndef DISABLE_OCSP
f5d78688
JH
618 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
619 { /* client, wanting stapling */
620 /* Add the server cert's signing chain as the one
621 for the verification of the OCSP stapled information. */
94431adb 622
f5d78688 623 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
421aff85 624 cert))
f5d78688 625 ERR_clear_error();
c3033f13 626 sk_X509_push(client_static_cbinfo->verify_stack, cert);
f5d78688
JH
627 }
628#endif
0cbf2b82 629#ifndef DISABLE_EVENT
f69979cf
JH
630 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
631 return 0; /* reject, with peercert set */
a7538db1 632#endif
059ec3d9
PH
633 }
634else
635 {
55414b25 636 const uschar * verify_cert_hostnames;
e51c7be2 637
e51c7be2
JH
638 if ( tlsp == &tls_out
639 && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
afdb5e9c 640 /* client, wanting hostname check */
e51c7be2 641 {
f69979cf 642
740f36d4 643#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
f69979cf
JH
644# ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
645# define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
646# endif
647# ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
648# define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
649# endif
e51c7be2 650 int sep = 0;
55414b25 651 const uschar * list = verify_cert_hostnames;
e51c7be2 652 uschar * name;
d8e7834a
JH
653 int rc;
654 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
f40d5be3 655 if ((rc = X509_check_host(cert, CCS name, 0,
8d692470 656 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
740f36d4
JH
657 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
658 NULL)))
d8e7834a
JH
659 {
660 if (rc < 0)
661 {
93a6fce2 662 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
f77197ae 663 tlsp == &tls_out ? deliver_host_address : sender_host_address);
d8e7834a
JH
664 name = NULL;
665 }
e51c7be2 666 break;
d8e7834a 667 }
e51c7be2 668 if (!name)
f69979cf 669#else
e51c7be2 670 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
f69979cf 671#endif
e51c7be2 672 {
f77197ae
JH
673 uschar * extra = verify_mode
674 ? string_sprintf(" (during %c-verify for [%s])",
675 *verify_mode, sender_host_address)
676 : US"";
e51c7be2 677 log_write(0, LOG_MAIN,
f77197ae
JH
678 "[%s] SSL verify error%s: certificate name mismatch: DN=\"%s\" H=\"%s\"",
679 tlsp == &tls_out ? deliver_host_address : sender_host_address,
680 extra, dn, verify_cert_hostnames);
a3ef7310
JH
681 *calledp = TRUE;
682 if (!*optionalp)
f69979cf
JH
683 {
684 if (!tlsp->peercert)
685 tlsp->peercert = X509_dup(cert); /* record failing cert */
686 return 0; /* reject */
687 }
4a1bd6b9 688 DEBUG(D_tls) debug_printf("SSL verify name failure overridden (host in "
a3ef7310 689 "tls_try_verify_hosts)\n");
4a1bd6b9 690 tlsp->verify_override = TRUE;
e51c7be2 691 }
f69979cf 692 }
e51c7be2 693
0cbf2b82 694#ifndef DISABLE_EVENT
f69979cf
JH
695 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
696 return 0; /* reject, with peercert set */
e51c7be2
JH
697#endif
698
93dcb1c2 699 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
f69979cf 700 *calledp ? "" : " authenticated", dn);
93dcb1c2 701 *calledp = TRUE;
059ec3d9
PH
702 }
703
a7538db1 704return 1; /* accept, at least for this level */
059ec3d9
PH
705}
706
a2ff477a 707static int
f2f2c91b 708verify_callback_client(int preverify_ok, X509_STORE_CTX *x509ctx)
a2ff477a 709{
f2f2c91b
JH
710return verify_callback(preverify_ok, x509ctx, &tls_out,
711 &client_verify_callback_called, &client_verify_optional);
a2ff477a
JH
712}
713
714static int
f2f2c91b 715verify_callback_server(int preverify_ok, X509_STORE_CTX *x509ctx)
a2ff477a 716{
f2f2c91b
JH
717return verify_callback(preverify_ok, x509ctx, &tls_in,
718 &server_verify_callback_called, &server_verify_optional);
a2ff477a
JH
719}
720
059ec3d9 721
c0635b6d 722#ifdef SUPPORT_DANE
53a7196b 723
e5cccda9
JH
724/* This gets called *by* the dane library verify callback, which interposes
725itself.
726*/
727static int
f2f2c91b 728verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
e5cccda9
JH
729{
730X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
f69979cf 731uschar dn[256];
83b27293 732int depth = X509_STORE_CTX_get_error_depth(x509ctx);
5c75db2e 733#ifndef DISABLE_EVENT
f69979cf 734BOOL dummy_called, optional = FALSE;
83b27293 735#endif
e5cccda9 736
70e384dd
JH
737if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
738 {
739 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
740 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
741 deliver_host_address);
742 return 0;
743 }
f69979cf 744dn[sizeof(dn)-1] = '\0';
e5cccda9 745
f2f2c91b
JH
746DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
747 preverify_ok ? "ok":"BAD", depth, dn);
e5cccda9 748
0cbf2b82 749#ifndef DISABLE_EVENT
f69979cf
JH
750 if (verify_event(&tls_out, cert, depth, dn,
751 &dummy_called, &optional, US"DANE"))
752 return 0; /* reject, with peercert set */
83b27293
JH
753#endif
754
f2f2c91b 755if (preverify_ok == 1)
6fbf3599 756 {
4a1bd6b9 757 tls_out.dane_verified = TRUE;
6fbf3599
JH
758#ifndef DISABLE_OCSP
759 if (client_static_cbinfo->u_ocsp.client.verify_store)
760 { /* client, wanting stapling */
761 /* Add the server cert's signing chain as the one
762 for the verification of the OCSP stapled information. */
763
764 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
765 cert))
766 ERR_clear_error();
767 sk_X509_push(client_static_cbinfo->verify_stack, cert);
768 }
769#endif
770 }
f2f2c91b
JH
771else
772 {
773 int err = X509_STORE_CTX_get_error(x509ctx);
774 DEBUG(D_tls)
775 debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
3c51463e 776 if (err == X509_V_ERR_APPLICATION_VERIFICATION)
f2f2c91b
JH
777 preverify_ok = 1;
778 }
779return preverify_ok;
e5cccda9 780}
53a7196b 781
c0635b6d 782#endif /*SUPPORT_DANE*/
e5cccda9 783
059ec3d9
PH
784
785/*************************************************
786* Information callback *
787*************************************************/
788
789/* The SSL library functions call this from time to time to indicate what they
7be682ca
PP
790are doing. We copy the string to the debugging output when TLS debugging has
791been requested.
059ec3d9
PH
792
793Arguments:
794 s the SSL connection
795 where
796 ret
797
798Returns: nothing
799*/
800
801static void
802info_callback(SSL *s, int where, int ret)
803{
0abc5a13
JH
804DEBUG(D_tls)
805 {
806 const uschar * str;
807
808 if (where & SSL_ST_CONNECT)
48224640 809 str = US"SSL_connect";
0abc5a13 810 else if (where & SSL_ST_ACCEPT)
48224640 811 str = US"SSL_accept";
0abc5a13 812 else
48224640 813 str = US"SSL info (undefined)";
0abc5a13
JH
814
815 if (where & SSL_CB_LOOP)
816 debug_printf("%s: %s\n", str, SSL_state_string_long(s));
817 else if (where & SSL_CB_ALERT)
818 debug_printf("SSL3 alert %s:%s:%s\n",
48224640 819 str = where & SSL_CB_READ ? US"read" : US"write",
0abc5a13
JH
820 SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
821 else if (where & SSL_CB_EXIT)
822 if (ret == 0)
823 debug_printf("%s: failed in %s\n", str, SSL_state_string_long(s));
824 else if (ret < 0)
825 debug_printf("%s: error in %s\n", str, SSL_state_string_long(s));
826 else if (where & SSL_CB_HANDSHAKE_START)
827 debug_printf("%s: hshake start: %s\n", str, SSL_state_string_long(s));
828 else if (where & SSL_CB_HANDSHAKE_DONE)
829 debug_printf("%s: hshake done: %s\n", str, SSL_state_string_long(s));
830 }
059ec3d9
PH
831}
832
8238bc7b 833#ifdef OPENSSL_HAVE_KEYLOG_CB
8a40db1c
JH
834static void
835keylog_callback(const SSL *ssl, const char *line)
836{
837DEBUG(D_tls) debug_printf("%.200s\n", line);
838}
8238bc7b 839#endif
8a40db1c 840
059ec3d9 841
b10c87b3
JH
842#ifdef EXPERIMENTAL_TLS_RESUME
843/* Manage the keysets used for encrypting the session tickets, on the server. */
844
845typedef struct { /* Session ticket encryption key */
846 uschar name[16];
847
848 const EVP_CIPHER * aes_cipher;
4d93129f 849 uschar aes_key[32]; /* size needed depends on cipher. aes_128 implies 128/8 = 16? */
b10c87b3
JH
850 const EVP_MD * hmac_hash;
851 uschar hmac_key[16];
852 time_t renew;
853 time_t expire;
854} exim_stek;
855
4d93129f
JH
856static exim_stek exim_tk; /* current key */
857static exim_stek exim_tk_old; /* previous key */
b10c87b3
JH
858
859static void
860tk_init(void)
861{
4d93129f
JH
862time_t t = time(NULL);
863
b10c87b3
JH
864if (exim_tk.name[0])
865 {
4d93129f 866 if (exim_tk.renew >= t) return;
b10c87b3
JH
867 exim_tk_old = exim_tk;
868 }
869
870if (f.running_in_test_harness) ssl_session_timeout = 6;
871
872DEBUG(D_tls) debug_printf("OpenSSL: %s STEK\n", exim_tk.name[0] ? "rotating" : "creating");
873if (RAND_bytes(exim_tk.aes_key, sizeof(exim_tk.aes_key)) <= 0) return;
874if (RAND_bytes(exim_tk.hmac_key, sizeof(exim_tk.hmac_key)) <= 0) return;
875if (RAND_bytes(exim_tk.name+1, sizeof(exim_tk.name)-1) <= 0) return;
876
877exim_tk.name[0] = 'E';
4d93129f 878exim_tk.aes_cipher = EVP_aes_256_cbc();
b10c87b3 879exim_tk.hmac_hash = EVP_sha256();
4d93129f
JH
880exim_tk.expire = t + ssl_session_timeout;
881exim_tk.renew = t + ssl_session_timeout/2;
b10c87b3
JH
882}
883
884static exim_stek *
885tk_current(void)
886{
887if (!exim_tk.name[0]) return NULL;
888return &exim_tk;
889}
890
891static exim_stek *
892tk_find(const uschar * name)
893{
894return memcmp(name, exim_tk.name, sizeof(exim_tk.name)) == 0 ? &exim_tk
895 : memcmp(name, exim_tk_old.name, sizeof(exim_tk_old.name)) == 0 ? &exim_tk_old
896 : NULL;
897}
898
899/* Callback for session tickets, on server */
900static int
901ticket_key_callback(SSL * ssl, uschar key_name[16],
902 uschar * iv, EVP_CIPHER_CTX * ctx, HMAC_CTX * hctx, int enc)
903{
904tls_support * tlsp = server_static_cbinfo->tlsp;
905exim_stek * key;
906
907if (enc)
908 {
909 DEBUG(D_tls) debug_printf("ticket_key_callback: create new session\n");
910 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
911
912 if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) <= 0)
913 return -1; /* insufficient random */
914
915 if (!(key = tk_current())) /* current key doesn't exist or isn't valid */
916 return 0; /* key couldn't be created */
917 memcpy(key_name, key->name, 16);
d70fc283 918 DEBUG(D_tls) debug_printf("STEK expire " TIME_T_FMT "\n", key->expire - time(NULL));
b10c87b3
JH
919
920 /*XXX will want these dependent on the ssl session strength */
921 HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
922 key->hmac_hash, NULL);
923 EVP_EncryptInit_ex(ctx, key->aes_cipher, NULL, key->aes_key, iv);
924
925 DEBUG(D_tls) debug_printf("ticket created\n");
926 return 1;
927 }
928else
929 {
930 time_t now = time(NULL);
931
932 DEBUG(D_tls) debug_printf("ticket_key_callback: retrieve session\n");
933 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
934
935 if (!(key = tk_find(key_name)) || key->expire < now)
936 {
937 DEBUG(D_tls)
938 {
939 debug_printf("ticket not usable (%s)\n", key ? "expired" : "not found");
d70fc283 940 if (key) debug_printf("STEK expire " TIME_T_FMT "\n", key->expire - now);
b10c87b3
JH
941 }
942 return 0;
943 }
944
945 HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
946 key->hmac_hash, NULL);
947 EVP_DecryptInit_ex(ctx, key->aes_cipher, NULL, key->aes_key, iv);
948
d70fc283 949 DEBUG(D_tls) debug_printf("ticket usable, STEK expire " TIME_T_FMT "\n", key->expire - now);
dea4b568
JH
950
951 /* The ticket lifetime and renewal are the same as the STEK lifetime and
952 renewal, which is overenthusiastic. A factor of, say, 3x longer STEK would
953 be better. To do that we'd have to encode ticket lifetime in the name as
954 we don't yet see the restored session. Could check posthandshake for TLS1.3
955 and trigger a new ticket then, but cannot do that for TLS1.2 */
b10c87b3
JH
956 return key->renew < now ? 2 : 1;
957 }
958}
959#endif
960
961
059ec3d9
PH
962
963/*************************************************
964* Initialize for DH *
965*************************************************/
966
967/* If dhparam is set, expand it, and load up the parameters for DH encryption.
968
969Arguments:
038597d2 970 sctx The current SSL CTX (inbound or outbound)
a799883d 971 dhparam DH parameter file or fixed parameter identity string
7199e1ee 972 host connected host, if client; NULL if server
cf0c6164 973 errstr error string pointer
059ec3d9
PH
974
975Returns: TRUE if OK (nothing to set up, or setup worked)
976*/
977
978static BOOL
cf0c6164 979init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host, uschar ** errstr)
059ec3d9 980{
059ec3d9
PH
981BIO *bio;
982DH *dh;
983uschar *dhexpanded;
a799883d 984const char *pem;
6600985a 985int dh_bitsize;
059ec3d9 986
cf0c6164 987if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded, errstr))
059ec3d9
PH
988 return FALSE;
989
0df4ab80 990if (!dhexpanded || !*dhexpanded)
a799883d 991 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
a799883d 992else if (dhexpanded[0] == '/')
059ec3d9 993 {
0df4ab80 994 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
059ec3d9 995 {
7199e1ee 996 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
cf0c6164 997 host, US strerror(errno), errstr);
a799883d 998 return FALSE;
059ec3d9 999 }
a799883d
PP
1000 }
1001else
1002 {
1003 if (Ustrcmp(dhexpanded, "none") == 0)
059ec3d9 1004 {
a799883d
PP
1005 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
1006 return TRUE;
059ec3d9 1007 }
a799883d 1008
0df4ab80 1009 if (!(pem = std_dh_prime_named(dhexpanded)))
a799883d
PP
1010 {
1011 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
cf0c6164 1012 host, US strerror(errno), errstr);
a799883d
PP
1013 return FALSE;
1014 }
1015 bio = BIO_new_mem_buf(CS pem, -1);
1016 }
1017
0df4ab80 1018if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
a799883d 1019 {
059ec3d9 1020 BIO_free(bio);
a799883d 1021 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
cf0c6164 1022 host, NULL, errstr);
a799883d
PP
1023 return FALSE;
1024 }
1025
6600985a
PP
1026/* note: our default limit of 2236 is not a multiple of 8; the limit comes from
1027 * an NSS limit, and the GnuTLS APIs handle bit-sizes fine, so we went with
1028 * 2236. But older OpenSSL can only report in bytes (octets), not bits.
1029 * If someone wants to dance at the edge, then they can raise the limit or use
1030 * current libraries. */
1031#ifdef EXIM_HAVE_OPENSSL_DH_BITS
1032/* Added in commit 26c79d5641d; `git describe --contains` says OpenSSL_1_1_0-pre1~1022
1033 * This predates OpenSSL_1_1_0 (before a, b, ...) so is in all 1.1.0 */
1034dh_bitsize = DH_bits(dh);
1035#else
1036dh_bitsize = 8 * DH_size(dh);
1037#endif
1038
a799883d
PP
1039/* Even if it is larger, we silently return success rather than cause things
1040 * to fail out, so that a too-large DH will not knock out all TLS; it's a
1041 * debatable choice. */
6600985a 1042if (dh_bitsize > tls_dh_max_bits)
a799883d
PP
1043 {
1044 DEBUG(D_tls)
170f4904 1045 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d\n",
6600985a 1046 dh_bitsize, tls_dh_max_bits);
a799883d
PP
1047 }
1048else
1049 {
1050 SSL_CTX_set_tmp_dh(sctx, dh);
1051 DEBUG(D_tls)
1052 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
6600985a 1053 dhexpanded ? dhexpanded : US"default", dh_bitsize);
059ec3d9
PH
1054 }
1055
a799883d
PP
1056DH_free(dh);
1057BIO_free(bio);
1058
1059return TRUE;
059ec3d9
PH
1060}
1061
1062
1063
1064
038597d2
PP
1065/*************************************************
1066* Initialize for ECDH *
1067*************************************************/
1068
1069/* Load parameters for ECDH encryption.
1070
1071For now, we stick to NIST P-256 because: it's simple and easy to configure;
1072it avoids any patent issues that might bite redistributors; despite events in
1073the news and concerns over curve choices, we're not cryptographers, we're not
1074pretending to be, and this is "good enough" to be better than no support,
1075protecting against most adversaries. Given another year or two, there might
1076be sufficient clarity about a "right" way forward to let us make an informed
1077decision, instead of a knee-jerk reaction.
1078
1079Longer-term, we should look at supporting both various named curves and
1080external files generated with "openssl ecparam", much as we do for init_dh().
1081We should also support "none" as a value, to explicitly avoid initialisation.
1082
1083Patches welcome.
1084
1085Arguments:
1086 sctx The current SSL CTX (inbound or outbound)
1087 host connected host, if client; NULL if server
cf0c6164 1088 errstr error string pointer
038597d2
PP
1089
1090Returns: TRUE if OK (nothing to set up, or setup worked)
1091*/
1092
1093static BOOL
cf0c6164 1094init_ecdh(SSL_CTX * sctx, host_item * host, uschar ** errstr)
038597d2 1095{
63f0dbe0
JH
1096#ifdef OPENSSL_NO_ECDH
1097return TRUE;
1098#else
1099
10ca4f1c
JH
1100EC_KEY * ecdh;
1101uschar * exp_curve;
1102int nid;
1103BOOL rv;
1104
038597d2
PP
1105if (host) /* No ECDH setup for clients, only for servers */
1106 return TRUE;
1107
10ca4f1c 1108# ifndef EXIM_HAVE_ECDH
038597d2
PP
1109DEBUG(D_tls)
1110 debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
1111return TRUE;
038597d2 1112# else
10ca4f1c 1113
cf0c6164 1114if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr))
10ca4f1c
JH
1115 return FALSE;
1116if (!exp_curve || !*exp_curve)
1117 return TRUE;
1118
8e53a4fc 1119/* "auto" needs to be handled carefully.
4c04137d 1120 * OpenSSL < 1.0.2: we do not select anything, but fallback to prime256v1
8e53a4fc 1121 * OpenSSL < 1.1.0: we have to call SSL_CTX_set_ecdh_auto
4c04137d 1122 * (openssl/ssl.h defines SSL_CTRL_SET_ECDH_AUTO)
8e53a4fc
HSHR
1123 * OpenSSL >= 1.1.0: we do not set anything, the libray does autoselection
1124 * https://github.com/openssl/openssl/commit/fe6ef2472db933f01b59cad82aa925736935984b
1125 */
10ca4f1c 1126if (Ustrcmp(exp_curve, "auto") == 0)
038597d2 1127 {
8e53a4fc 1128#if OPENSSL_VERSION_NUMBER < 0x10002000L
10ca4f1c 1129 DEBUG(D_tls) debug_printf(
8e53a4fc 1130 "ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n");
78a3bbd5 1131 exp_curve = US"prime256v1";
8e53a4fc
HSHR
1132#else
1133# if defined SSL_CTRL_SET_ECDH_AUTO
1134 DEBUG(D_tls) debug_printf(
1135 "ECDH OpenSSL 1.0.2+ temp key parameter settings: autoselection\n");
10ca4f1c
JH
1136 SSL_CTX_set_ecdh_auto(sctx, 1);
1137 return TRUE;
8e53a4fc
HSHR
1138# else
1139 DEBUG(D_tls) debug_printf(
1140 "ECDH OpenSSL 1.1.0+ temp key parameter settings: default selection\n");
1141 return TRUE;
1142# endif
1143#endif
10ca4f1c 1144 }
038597d2 1145
10ca4f1c
JH
1146DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve);
1147if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef
1148# ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
1149 && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef
1150# endif
1151 )
1152 {
cf0c6164
JH
1153 tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve),
1154 host, NULL, errstr);
10ca4f1c
JH
1155 return FALSE;
1156 }
038597d2 1157
10ca4f1c
JH
1158if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
1159 {
cf0c6164 1160 tls_error(US"Unable to create ec curve", host, NULL, errstr);
10ca4f1c 1161 return FALSE;
038597d2 1162 }
10ca4f1c
JH
1163
1164/* The "tmp" in the name here refers to setting a temporary key
1165not to the stability of the interface. */
1166
1167if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
cf0c6164 1168 tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL, errstr);
10ca4f1c
JH
1169else
1170 DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
1171
1172EC_KEY_free(ecdh);
1173return !rv;
1174
1175# endif /*EXIM_HAVE_ECDH*/
1176#endif /*OPENSSL_NO_ECDH*/
038597d2
PP
1177}
1178
1179
1180
1181
f2de3a33 1182#ifndef DISABLE_OCSP
3f7eeb86
PP
1183/*************************************************
1184* Load OCSP information into state *
1185*************************************************/
f5d78688 1186/* Called to load the server OCSP response from the given file into memory, once
3f7eeb86
PP
1187caller has determined this is needed. Checks validity. Debugs a message
1188if invalid.
1189
1190ASSUMES: single response, for single cert.
1191
1192Arguments:
1193 sctx the SSL_CTX* to update
1194 cbinfo various parts of session state
1195 expanded the filename putatively holding an OCSP response
1196
1197*/
1198
1199static void
f5d78688 1200ocsp_load_response(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo, const uschar *expanded)
3f7eeb86 1201{
ee5b1e28
JH
1202BIO * bio;
1203OCSP_RESPONSE * resp;
1204OCSP_BASICRESP * basic_response;
1205OCSP_SINGLERESP * single_response;
1206ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
ee5b1e28 1207STACK_OF(X509) * sk;
3f7eeb86
PP
1208unsigned long verify_flags;
1209int status, reason, i;
1210
f5d78688
JH
1211cbinfo->u_ocsp.server.file_expanded = string_copy(expanded);
1212if (cbinfo->u_ocsp.server.response)
3f7eeb86 1213 {
f5d78688
JH
1214 OCSP_RESPONSE_free(cbinfo->u_ocsp.server.response);
1215 cbinfo->u_ocsp.server.response = NULL;
3f7eeb86
PP
1216 }
1217
ee5b1e28 1218if (!(bio = BIO_new_file(CS cbinfo->u_ocsp.server.file_expanded, "rb")))
3f7eeb86
PP
1219 {
1220 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
f5d78688 1221 cbinfo->u_ocsp.server.file_expanded);
3f7eeb86
PP
1222 return;
1223 }
1224
1225resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
1226BIO_free(bio);
1227if (!resp)
1228 {
1229 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
1230 return;
1231 }
1232
ee5b1e28 1233if ((status = OCSP_response_status(resp)) != OCSP_RESPONSE_STATUS_SUCCESSFUL)
3f7eeb86
PP
1234 {
1235 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
1236 OCSP_response_status_str(status), status);
f5d78688 1237 goto bad;
3f7eeb86
PP
1238 }
1239
ee5b1e28 1240if (!(basic_response = OCSP_response_get1_basic(resp)))
3f7eeb86
PP
1241 {
1242 DEBUG(D_tls)
1243 debug_printf("OCSP response parse error: unable to extract basic response.\n");
f5d78688 1244 goto bad;
3f7eeb86
PP
1245 }
1246
c3033f13 1247sk = cbinfo->verify_stack;
3f7eeb86
PP
1248verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
1249
1250/* May need to expose ability to adjust those flags?
1251OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
1252OCSP_TRUSTOTHER OCSP_NOINTERN */
1253
4c04137d 1254/* This does a full verify on the OCSP proof before we load it for serving
ee5b1e28
JH
1255up; possibly overkill - just date-checks might be nice enough.
1256
1257OCSP_basic_verify takes a "store" arg, but does not
1258use it for the chain verification, which is all we do
1259when OCSP_NOVERIFY is set. The content from the wire
1260"basic_response" and a cert-stack "sk" are all that is used.
1261
c3033f13
JH
1262We have a stack, loaded in setup_certs() if tls_verify_certificates
1263was a file (not a directory, or "system"). It is unfortunate we
1264cannot used the connection context store, as that would neatly
1265handle the "system" case too, but there seems to be no library
1266function for getting a stack from a store.
e3555426 1267[ In OpenSSL 1.1 - ? X509_STORE_CTX_get0_chain(ctx) ? ]
c3033f13
JH
1268We do not free the stack since it could be needed a second time for
1269SNI handling.
1270
4c04137d 1271Separately we might try to replace using OCSP_basic_verify() - which seems to not
5ec37a55 1272be a public interface into the OpenSSL library (there's no manual entry) -
ee5b1e28 1273But what with? We also use OCSP_basic_verify in the client stapling callback.
4c04137d 1274And there we NEED it; we must verify that status... unless the
ee5b1e28
JH
1275library does it for us anyway? */
1276
1277if ((i = OCSP_basic_verify(basic_response, sk, NULL, verify_flags)) < 0)
3f7eeb86 1278 {
ee5b1e28
JH
1279 DEBUG(D_tls)
1280 {
0abc5a13 1281 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3f7eeb86 1282 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
f5d78688
JH
1283 }
1284 goto bad;
3f7eeb86
PP
1285 }
1286
1287/* Here's the simplifying assumption: there's only one response, for the
1288one certificate we use, and nothing for anything else in a chain. If this
1289proves false, we need to extract a cert id from our issued cert
1290(tls_certificate) and use that for OCSP_resp_find_status() (which finds the
1291right cert in the stack and then calls OCSP_single_get0_status()).
1292
1293I'm hoping to avoid reworking a bunch more of how we handle state here. */
ee5b1e28
JH
1294
1295if (!(single_response = OCSP_resp_get0(basic_response, 0)))
3f7eeb86
PP
1296 {
1297 DEBUG(D_tls)
1298 debug_printf("Unable to get first response from OCSP basic response.\n");
f5d78688 1299 goto bad;
3f7eeb86
PP
1300 }
1301
1302status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
f5d78688 1303if (status != V_OCSP_CERTSTATUS_GOOD)
3f7eeb86 1304 {
f5d78688
JH
1305 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
1306 OCSP_cert_status_str(status), status,
1307 OCSP_crl_reason_str(reason), reason);
1308 goto bad;
3f7eeb86
PP
1309 }
1310
1311if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1312 {
1313 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
f5d78688 1314 goto bad;
3f7eeb86
PP
1315 }
1316
f5d78688 1317supply_response:
e5489333
JH
1318 /*XXX stack? (these tag points are for multiple leaf-cert support for ocsp */
1319 cbinfo->u_ocsp.server.response = resp;
f5d78688
JH
1320return;
1321
1322bad:
8768d548 1323 if (f.running_in_test_harness)
018058b2
JH
1324 {
1325 extern char ** environ;
d7978c0f 1326 if (environ) for (uschar ** p = USS environ; *p; p++)
018058b2
JH
1327 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
1328 {
1329 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
1330 goto supply_response;
1331 }
1332 }
f5d78688 1333return;
3f7eeb86 1334}
f2de3a33 1335#endif /*!DISABLE_OCSP*/
3f7eeb86
PP
1336
1337
1338
1339
23bb6982
JH
1340/* Create and install a selfsigned certificate, for use in server mode */
1341
1342static int
cf0c6164 1343tls_install_selfsign(SSL_CTX * sctx, uschar ** errstr)
23bb6982
JH
1344{
1345X509 * x509 = NULL;
1346EVP_PKEY * pkey;
1347RSA * rsa;
1348X509_NAME * name;
1349uschar * where;
1350
1351where = US"allocating pkey";
1352if (!(pkey = EVP_PKEY_new()))
1353 goto err;
1354
1355where = US"allocating cert";
1356if (!(x509 = X509_new()))
1357 goto err;
1358
1359where = US"generating pkey";
6aac3239 1360if (!(rsa = rsa_callback(NULL, 0, 2048)))
23bb6982
JH
1361 goto err;
1362
4c04137d 1363where = US"assigning pkey";
23bb6982
JH
1364if (!EVP_PKEY_assign_RSA(pkey, rsa))
1365 goto err;
1366
1367X509_set_version(x509, 2); /* N+1 - version 3 */
1613fd68 1368ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
23bb6982
JH
1369X509_gmtime_adj(X509_get_notBefore(x509), 0);
1370X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60); /* 1 hour */
1371X509_set_pubkey(x509, pkey);
1372
1373name = X509_get_subject_name(x509);
1374X509_NAME_add_entry_by_txt(name, "C",
4dc2379a 1375 MBSTRING_ASC, CUS "UK", -1, -1, 0);
23bb6982 1376X509_NAME_add_entry_by_txt(name, "O",
4dc2379a 1377 MBSTRING_ASC, CUS "Exim Developers", -1, -1, 0);
23bb6982 1378X509_NAME_add_entry_by_txt(name, "CN",
4dc2379a 1379 MBSTRING_ASC, CUS smtp_active_hostname, -1, -1, 0);
23bb6982
JH
1380X509_set_issuer_name(x509, name);
1381
1382where = US"signing cert";
1383if (!X509_sign(x509, pkey, EVP_md5()))
1384 goto err;
1385
1386where = US"installing selfsign cert";
1387if (!SSL_CTX_use_certificate(sctx, x509))
1388 goto err;
1389
1390where = US"installing selfsign key";
1391if (!SSL_CTX_use_PrivateKey(sctx, pkey))
1392 goto err;
1393
1394return OK;
1395
1396err:
cf0c6164 1397 (void) tls_error(where, NULL, NULL, errstr);
23bb6982
JH
1398 if (x509) X509_free(x509);
1399 if (pkey) EVP_PKEY_free(pkey);
1400 return DEFER;
1401}
1402
1403
1404
1405
ba86e143
JH
1406static int
1407tls_add_certfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1408 uschar ** errstr)
1409{
1410DEBUG(D_tls) debug_printf("tls_certificate file %s\n", file);
1411if (!SSL_CTX_use_certificate_chain_file(sctx, CS file))
1412 return tls_error(string_sprintf(
1413 "SSL_CTX_use_certificate_chain_file file=%s", file),
1414 cbinfo->host, NULL, errstr);
1415return 0;
1416}
1417
1418static int
1419tls_add_pkeyfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1420 uschar ** errstr)
1421{
1422DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", file);
1423if (!SSL_CTX_use_PrivateKey_file(sctx, CS file, SSL_FILETYPE_PEM))
1424 return tls_error(string_sprintf(
1425 "SSL_CTX_use_PrivateKey_file file=%s", file), cbinfo->host, NULL, errstr);
1426return 0;
1427}
1428
1429
059ec3d9 1430/*************************************************
7be682ca
PP
1431* Expand key and cert file specs *
1432*************************************************/
1433
f5d78688 1434/* Called once during tls_init and possibly again during TLS setup, for a
7be682ca
PP
1435new context, if Server Name Indication was used and tls_sni was seen in
1436the certificate string.
1437
1438Arguments:
1439 sctx the SSL_CTX* to update
1440 cbinfo various parts of session state
cf0c6164 1441 errstr error string pointer
7be682ca
PP
1442
1443Returns: OK/DEFER/FAIL
1444*/
1445
1446static int
cf0c6164
JH
1447tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo,
1448 uschar ** errstr)
7be682ca
PP
1449{
1450uschar *expanded;
1451
23bb6982 1452if (!cbinfo->certificate)
7be682ca 1453 {
ba86e143 1454 if (!cbinfo->is_server) /* client */
23bb6982 1455 return OK;
afdb5e9c 1456 /* server */
cf0c6164 1457 if (tls_install_selfsign(sctx, errstr) != OK)
23bb6982 1458 return DEFER;
7be682ca 1459 }
23bb6982
JH
1460else
1461 {
ba86e143
JH
1462 int err;
1463
23bb6982
JH
1464 if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
1465 Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
1466 Ustrstr(cbinfo->certificate, US"tls_out_sni")
1467 )
1468 reexpand_tls_files_for_sni = TRUE;
7be682ca 1469
cf0c6164 1470 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded, errstr))
23bb6982
JH
1471 return DEFER;
1472
ba86e143
JH
1473 if (expanded)
1474 if (cbinfo->is_server)
1475 {
1476 const uschar * file_list = expanded;
1477 int sep = 0;
1478 uschar * file;
1479
1480 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1481 if ((err = tls_add_certfile(sctx, cbinfo, file, errstr)))
1482 return err;
1483 }
1484 else /* would there ever be a need for multiple client certs? */
1485 if ((err = tls_add_certfile(sctx, cbinfo, expanded, errstr)))
1486 return err;
7be682ca 1487
5a2a0989
JH
1488 if ( cbinfo->privatekey
1489 && !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded, errstr))
23bb6982 1490 return DEFER;
7be682ca 1491
23bb6982
JH
1492 /* If expansion was forced to fail, key_expanded will be NULL. If the result
1493 of the expansion is an empty string, ignore it also, and assume the private
1494 key is in the same file as the certificate. */
1495
1496 if (expanded && *expanded)
ba86e143
JH
1497 if (cbinfo->is_server)
1498 {
1499 const uschar * file_list = expanded;
1500 int sep = 0;
1501 uschar * file;
1502
1503 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1504 if ((err = tls_add_pkeyfile(sctx, cbinfo, file, errstr)))
1505 return err;
1506 }
1507 else /* would there ever be a need for multiple client certs? */
1508 if ((err = tls_add_pkeyfile(sctx, cbinfo, expanded, errstr)))
1509 return err;
7be682ca
PP
1510 }
1511
f2de3a33 1512#ifndef DISABLE_OCSP
f40d5be3 1513if (cbinfo->is_server && cbinfo->u_ocsp.server.file)
3f7eeb86 1514 {
47195144 1515 /*XXX stack*/
cf0c6164 1516 if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded, errstr))
3f7eeb86
PP
1517 return DEFER;
1518
f40d5be3 1519 if (expanded && *expanded)
3f7eeb86
PP
1520 {
1521 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
f40d5be3
JH
1522 if ( cbinfo->u_ocsp.server.file_expanded
1523 && (Ustrcmp(expanded, cbinfo->u_ocsp.server.file_expanded) == 0))
3f7eeb86 1524 {
f40d5be3
JH
1525 DEBUG(D_tls) debug_printf(" - value unchanged, using existing values\n");
1526 }
1527 else
f40d5be3 1528 ocsp_load_response(sctx, cbinfo, expanded);
3f7eeb86
PP
1529 }
1530 }
1531#endif
1532
7be682ca
PP
1533return OK;
1534}
1535
1536
1537
1538
1539/*************************************************
1540* Callback to handle SNI *
1541*************************************************/
1542
1543/* Called when acting as server during the TLS session setup if a Server Name
1544Indication extension was sent by the client.
1545
1546API documentation is OpenSSL s_server.c implementation.
1547
1548Arguments:
1549 s SSL* of the current session
1550 ad unknown (part of OpenSSL API) (unused)
1551 arg Callback of "our" registered data
1552
1553Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
b10c87b3
JH
1554
1555XXX might need to change to using ClientHello callback,
1556per https://www.openssl.org/docs/manmaster/man3/SSL_client_hello_cb_fn.html
7be682ca
PP
1557*/
1558
3bcbbbe2 1559#ifdef EXIM_HAVE_OPENSSL_TLSEXT
7be682ca 1560static int
7be682ca
PP
1561tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
1562{
1563const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
3f7eeb86 1564tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
7be682ca 1565int rc;
3f0945ff 1566int old_pool = store_pool;
cf0c6164 1567uschar * dummy_errstr;
7be682ca
PP
1568
1569if (!servername)
1570 return SSL_TLSEXT_ERR_OK;
1571
3f0945ff 1572DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
7be682ca
PP
1573 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
1574
1575/* Make the extension value available for expansion */
3f0945ff 1576store_pool = POOL_PERM;
89a80675 1577tls_in.sni = string_copy_taint(US servername, TRUE);
3f0945ff 1578store_pool = old_pool;
7be682ca
PP
1579
1580if (!reexpand_tls_files_for_sni)
1581 return SSL_TLSEXT_ERR_OK;
1582
1583/* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
1584not confident that memcpy wouldn't break some internal reference counting.
1585Especially since there's a references struct member, which would be off. */
1586
7a8b9519
JH
1587#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1588if (!(server_sni = SSL_CTX_new(TLS_server_method())))
1589#else
0df4ab80 1590if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
7a8b9519 1591#endif
7be682ca 1592 {
0abc5a13 1593 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
7be682ca 1594 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
5a2a0989 1595 goto bad;
7be682ca
PP
1596 }
1597
1598/* Not sure how many of these are actually needed, since SSL object
1599already exists. Might even need this selfsame callback, for reneg? */
1600
817d9f57
JH
1601SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
1602SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
1603SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
1604SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
1605SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
1606SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
038597d2 1607
cf0c6164
JH
1608if ( !init_dh(server_sni, cbinfo->dhparam, NULL, &dummy_errstr)
1609 || !init_ecdh(server_sni, NULL, &dummy_errstr)
038597d2 1610 )
5a2a0989 1611 goto bad;
038597d2 1612
ca954d7f
JH
1613if ( cbinfo->server_cipher_list
1614 && !SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list))
5a2a0989 1615 goto bad;
ca954d7f 1616
f2de3a33 1617#ifndef DISABLE_OCSP
f5d78688 1618if (cbinfo->u_ocsp.server.file)
3f7eeb86 1619 {
f5d78688 1620 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
14c7b357 1621 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
3f7eeb86
PP
1622 }
1623#endif
7be682ca 1624
c3033f13 1625if ((rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE,
cf0c6164 1626 verify_callback_server, &dummy_errstr)) != OK)
5a2a0989 1627 goto bad;
7be682ca 1628
3f7eeb86
PP
1629/* do this after setup_certs, because this can require the certs for verifying
1630OCSP information. */
cf0c6164 1631if ((rc = tls_expand_session_files(server_sni, cbinfo, &dummy_errstr)) != OK)
5a2a0989 1632 goto bad;
a799883d 1633
7be682ca 1634DEBUG(D_tls) debug_printf("Switching SSL context.\n");
817d9f57 1635SSL_set_SSL_CTX(s, server_sni);
7be682ca 1636return SSL_TLSEXT_ERR_OK;
5a2a0989
JH
1637
1638bad: return SSL_TLSEXT_ERR_ALERT_FATAL;
7be682ca 1639}
3bcbbbe2 1640#endif /* EXIM_HAVE_OPENSSL_TLSEXT */
7be682ca
PP
1641
1642
1643
1644
f2de3a33 1645#ifndef DISABLE_OCSP
f5d78688 1646
3f7eeb86
PP
1647/*************************************************
1648* Callback to handle OCSP Stapling *
1649*************************************************/
1650
1651/* Called when acting as server during the TLS session setup if the client
1652requests OCSP information with a Certificate Status Request.
1653
1654Documentation via openssl s_server.c and the Apache patch from the OpenSSL
1655project.
1656
1657*/
1658
1659static int
f5d78688 1660tls_server_stapling_cb(SSL *s, void *arg)
3f7eeb86
PP
1661{
1662const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
47195144 1663uschar *response_der; /*XXX blob */
3f7eeb86
PP
1664int response_der_len;
1665
47195144
JH
1666/*XXX stack: use SSL_get_certificate() to see which cert; from that work
1667out which ocsp blob to send. Unfortunately, SSL_get_certificate is known
1668buggy in current OpenSSL; it returns the last cert loaded always rather than
1669the one actually presented. So we can't support a stack of OCSP proofs at
1670this time. */
1671
af4a1bca 1672DEBUG(D_tls)
b3ef41c9 1673 debug_printf("Received TLS status request (OCSP stapling); %s response\n",
f5d78688
JH
1674 cbinfo->u_ocsp.server.response ? "have" : "lack");
1675
44662487 1676tls_in.ocsp = OCSP_NOT_RESP;
f5d78688 1677if (!cbinfo->u_ocsp.server.response)
3f7eeb86
PP
1678 return SSL_TLSEXT_ERR_NOACK;
1679
1680response_der = NULL;
47195144 1681response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response, /*XXX stack*/
44662487 1682 &response_der);
3f7eeb86
PP
1683if (response_der_len <= 0)
1684 return SSL_TLSEXT_ERR_NOACK;
1685
5e55c7a9 1686SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
44662487 1687tls_in.ocsp = OCSP_VFIED;
3f7eeb86
PP
1688return SSL_TLSEXT_ERR_OK;
1689}
1690
3f7eeb86 1691
f5d78688
JH
1692static void
1693time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
1694{
1695BIO_printf(bp, "\t%s: ", str);
1696ASN1_GENERALIZEDTIME_print(bp, time);
1697BIO_puts(bp, "\n");
1698}
1699
1700static int
1701tls_client_stapling_cb(SSL *s, void *arg)
1702{
1703tls_ext_ctx_cb * cbinfo = arg;
1704const unsigned char * p;
1705int len;
1706OCSP_RESPONSE * rsp;
1707OCSP_BASICRESP * bs;
1708int i;
1709
1710DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
1711len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1712if(!p)
1713 {
44662487 1714 /* Expect this when we requested ocsp but got none */
6c6d6e48 1715 if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
44662487 1716 log_write(0, LOG_MAIN, "Received TLS status callback, null content");
f5d78688
JH
1717 else
1718 DEBUG(D_tls) debug_printf(" null\n");
44662487 1719 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
f5d78688 1720 }
018058b2 1721
c82de233
JH
1722if (!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
1723 {
1724 tls_out.ocsp = OCSP_FAILED; /*XXX should use tlsp-> to permit concurrent outbound */
6c6d6e48 1725 if (LOGGING(tls_cipher))
1eca31ca 1726 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
f5d78688
JH
1727 else
1728 DEBUG(D_tls) debug_printf(" parse error\n");
1729 return 0;
c82de233 1730 }
f5d78688 1731
c82de233 1732if (!(bs = OCSP_response_get1_basic(rsp)))
f5d78688 1733 {
018058b2 1734 tls_out.ocsp = OCSP_FAILED;
6c6d6e48 1735 if (LOGGING(tls_cipher))
1eca31ca 1736 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
f5d78688
JH
1737 else
1738 DEBUG(D_tls) debug_printf(" error parsing response\n");
1739 OCSP_RESPONSE_free(rsp);
1740 return 0;
1741 }
1742
1743/* We'd check the nonce here if we'd put one in the request. */
1744/* However that would defeat cacheability on the server so we don't. */
1745
f5d78688
JH
1746/* This section of code reworked from OpenSSL apps source;
1747 The OpenSSL Project retains copyright:
1748 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
1749*/
1750 {
1751 BIO * bp = NULL;
f5d78688
JH
1752 int status, reason;
1753 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1754
57887ecc 1755 DEBUG(D_tls) bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
f5d78688
JH
1756
1757 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
1758
1759 /* Use the chain that verified the server cert to verify the stapled info */
1760 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
1761
c3033f13 1762 if ((i = OCSP_basic_verify(bs, cbinfo->verify_stack,
44662487 1763 cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
f5d78688 1764 {
018058b2 1765 tls_out.ocsp = OCSP_FAILED;
57887ecc
JH
1766 if (LOGGING(tls_cipher)) log_write(0, LOG_MAIN,
1767 "Received TLS cert status response, itself unverifiable: %s",
1768 ERR_reason_error_string(ERR_peek_error()));
f5d78688
JH
1769 BIO_printf(bp, "OCSP response verify failure\n");
1770 ERR_print_errors(bp);
57887ecc 1771 OCSP_RESPONSE_print(bp, rsp, 0);
c8dfb21d 1772 goto failed;
f5d78688
JH
1773 }
1774
1775 BIO_printf(bp, "OCSP response well-formed and signed OK\n");
1776
c8dfb21d
JH
1777 /*XXX So we have a good stapled OCSP status. How do we know
1778 it is for the cert of interest? OpenSSL 1.1.0 has a routine
1779 OCSP_resp_find_status() which matches on a cert id, which presumably
1780 we should use. Making an id needs OCSP_cert_id_new(), which takes
1781 issuerName, issuerKey, serialNumber. Are they all in the cert?
1782
1783 For now, carry on blindly accepting the resp. */
1784
f5d78688 1785 {
f5d78688
JH
1786 OCSP_SINGLERESP * single;
1787
c8dfb21d
JH
1788#ifdef EXIM_HAVE_OCSP_RESP_COUNT
1789 if (OCSP_resp_count(bs) != 1)
1790#else
1791 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
f5d78688 1792 if (sk_OCSP_SINGLERESP_num(sresp) != 1)
c8dfb21d 1793#endif
f5d78688 1794 {
018058b2 1795 tls_out.ocsp = OCSP_FAILED;
44662487
JH
1796 log_write(0, LOG_MAIN, "OCSP stapling "
1797 "with multiple responses not handled");
c8dfb21d 1798 goto failed;
f5d78688
JH
1799 }
1800 single = OCSP_resp_get0(bs, 0);
44662487
JH
1801 status = OCSP_single_get0_status(single, &reason, &rev,
1802 &thisupd, &nextupd);
f5d78688
JH
1803 }
1804
f5d78688
JH
1805 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
1806 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
44662487
JH
1807 if (!OCSP_check_validity(thisupd, nextupd,
1808 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
f5d78688 1809 {
018058b2 1810 tls_out.ocsp = OCSP_FAILED;
f5d78688
JH
1811 DEBUG(D_tls) ERR_print_errors(bp);
1812 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
f5d78688 1813 }
44662487 1814 else
f5d78688 1815 {
44662487
JH
1816 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
1817 OCSP_cert_status_str(status));
1818 switch(status)
1819 {
1820 case V_OCSP_CERTSTATUS_GOOD:
44662487 1821 tls_out.ocsp = OCSP_VFIED;
018058b2 1822 i = 1;
c8dfb21d 1823 goto good;
44662487 1824 case V_OCSP_CERTSTATUS_REVOKED:
018058b2 1825 tls_out.ocsp = OCSP_FAILED;
44662487
JH
1826 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
1827 reason != -1 ? "; reason: " : "",
1828 reason != -1 ? OCSP_crl_reason_str(reason) : "");
1829 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
44662487
JH
1830 break;
1831 default:
018058b2 1832 tls_out.ocsp = OCSP_FAILED;
44662487
JH
1833 log_write(0, LOG_MAIN,
1834 "Server certificate status unknown, in OCSP stapling");
44662487
JH
1835 break;
1836 }
f5d78688 1837 }
c8dfb21d
JH
1838 failed:
1839 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1840 good:
f5d78688
JH
1841 BIO_free(bp);
1842 }
1843
1844OCSP_RESPONSE_free(rsp);
1845return i;
1846}
f2de3a33 1847#endif /*!DISABLE_OCSP*/
3f7eeb86
PP
1848
1849
7be682ca 1850/*************************************************
059ec3d9
PH
1851* Initialize for TLS *
1852*************************************************/
1853
e51c7be2
JH
1854/* Called from both server and client code, to do preliminary initialization
1855of the library. We allocate and return a context structure.
059ec3d9
PH
1856
1857Arguments:
946ecbe0 1858 ctxp returned SSL context
059ec3d9
PH
1859 host connected host, if client; NULL if server
1860 dhparam DH parameter file
1861 certificate certificate file
1862 privatekey private key
f5d78688 1863 ocsp_file file of stapling info (server); flag for require ocsp (client)
059ec3d9 1864 addr address if client; NULL if server (for some randomness)
946ecbe0 1865 cbp place to put allocated callback context
cf0c6164 1866 errstr error string pointer
059ec3d9
PH
1867
1868Returns: OK/DEFER/FAIL
1869*/
1870
1871static int
817d9f57 1872tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
3f7eeb86 1873 uschar *privatekey,
f2de3a33 1874#ifndef DISABLE_OCSP
47195144 1875 uschar *ocsp_file, /*XXX stack, in server*/
3f7eeb86 1876#endif
b10c87b3
JH
1877 address_item *addr, tls_ext_ctx_cb ** cbp,
1878 tls_support * tlsp,
1879 uschar ** errstr)
059ec3d9 1880{
7006ee24 1881SSL_CTX * ctx;
77bb000f 1882long init_options;
7be682ca 1883int rc;
a7538db1 1884tls_ext_ctx_cb * cbinfo;
7be682ca
PP
1885
1886cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
b10c87b3 1887cbinfo->tlsp = tlsp;
7be682ca
PP
1888cbinfo->certificate = certificate;
1889cbinfo->privatekey = privatekey;
a6510420 1890cbinfo->is_server = host==NULL;
f2de3a33 1891#ifndef DISABLE_OCSP
c3033f13 1892cbinfo->verify_stack = NULL;
a6510420 1893if (!host)
f5d78688
JH
1894 {
1895 cbinfo->u_ocsp.server.file = ocsp_file;
1896 cbinfo->u_ocsp.server.file_expanded = NULL;
1897 cbinfo->u_ocsp.server.response = NULL;
1898 }
1899else
1900 cbinfo->u_ocsp.client.verify_store = NULL;
3f7eeb86 1901#endif
7be682ca 1902cbinfo->dhparam = dhparam;
0df4ab80 1903cbinfo->server_cipher_list = NULL;
7be682ca 1904cbinfo->host = host;
0cbf2b82 1905#ifndef DISABLE_EVENT
a7538db1
JH
1906cbinfo->event_action = NULL;
1907#endif
77bb000f 1908
7434882d 1909#ifdef EXIM_NEED_OPENSSL_INIT
059ec3d9
PH
1910SSL_load_error_strings(); /* basic set up */
1911OpenSSL_add_ssl_algorithms();
7434882d 1912#endif
059ec3d9 1913
c8dfb21d 1914#ifdef EXIM_HAVE_SHA256
77bb000f 1915/* SHA256 is becoming ever more popular. This makes sure it gets added to the
a0475b69
TK
1916list of available digests. */
1917EVP_add_digest(EVP_sha256());
cf1ef1a9 1918#endif
a0475b69 1919
f0f5a555
PP
1920/* Create a context.
1921The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
1922negotiation in the different methods; as far as I can tell, the only
1923*_{server,client}_method which allows negotiation is SSLv23, which exists even
1924when OpenSSL is built without SSLv2 support.
1925By disabling with openssl_options, we can let admins re-enable with the
1926existing knob. */
059ec3d9 1927
7a8b9519
JH
1928#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1929if (!(ctx = SSL_CTX_new(host ? TLS_client_method() : TLS_server_method())))
1930#else
7006ee24 1931if (!(ctx = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method())))
7a8b9519 1932#endif
7006ee24 1933 return tls_error(US"SSL_CTX_new", host, NULL, errstr);
059ec3d9
PH
1934
1935/* It turns out that we need to seed the random number generator this early in
1936order to get the full complement of ciphers to work. It took me roughly a day
1937of work to discover this by experiment.
1938
1939On systems that have /dev/urandom, SSL may automatically seed itself from
1940there. Otherwise, we have to make something up as best we can. Double check
1941afterwards. */
1942
1943if (!RAND_status())
1944 {
1945 randstuff r;
9e3331ea 1946 gettimeofday(&r.tv, NULL);
059ec3d9
PH
1947 r.p = getpid();
1948
5903c6ff
JH
1949 RAND_seed(US (&r), sizeof(r));
1950 RAND_seed(US big_buffer, big_buffer_size);
1951 if (addr != NULL) RAND_seed(US addr, sizeof(addr));
059ec3d9
PH
1952
1953 if (!RAND_status())
7199e1ee 1954 return tls_error(US"RAND_status", host,
cf0c6164 1955 US"unable to seed random number generator", errstr);
059ec3d9
PH
1956 }
1957
1958/* Set up the information callback, which outputs if debugging is at a suitable
1959level. */
1960
b10c87b3
JH
1961DEBUG(D_tls)
1962 {
1963 SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
e570d136
JH
1964#if defined(EXIM_HAVE_OPESSL_TRACE) && !defined(OPENSSL_NO_SSL_TRACE)
1965 /* this needs a debug build of OpenSSL */
b10c87b3
JH
1966 SSL_CTX_set_msg_callback(ctx, (void (*)())SSL_trace);
1967#endif
8a40db1c 1968#ifdef OPENSSL_HAVE_KEYLOG_CB
b10c87b3 1969 SSL_CTX_set_keylog_callback(ctx, (void (*)())keylog_callback);
8a40db1c 1970#endif
b10c87b3 1971 }
059ec3d9 1972
c80c5570 1973/* Automatically re-try reads/writes after renegotiation. */
7006ee24 1974(void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
c80c5570 1975
77bb000f
PP
1976/* Apply administrator-supplied work-arounds.
1977Historically we applied just one requested option,
1978SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
1979moved to an administrator-controlled list of options to specify and
1980grandfathered in the first one as the default value for "openssl_options".
059ec3d9 1981
77bb000f
PP
1982No OpenSSL version number checks: the options we accept depend upon the
1983availability of the option value macros from OpenSSL. */
059ec3d9 1984
7006ee24 1985if (!tls_openssl_options_parse(openssl_options, &init_options))
cf0c6164 1986 return tls_error(US"openssl_options parsing failed", host, NULL, errstr);
77bb000f 1987
b10c87b3
JH
1988#ifdef EXPERIMENTAL_TLS_RESUME
1989tlsp->resumption = RESUME_SUPPORTED;
1990#endif
77bb000f
PP
1991if (init_options)
1992 {
b10c87b3
JH
1993#ifdef EXPERIMENTAL_TLS_RESUME
1994 /* Should the server offer session resumption? */
1995 if (!host && verify_check_host(&tls_resumption_hosts) == OK)
1996 {
1997 DEBUG(D_tls) debug_printf("tls_resumption_hosts overrides openssl_options\n");
1998 init_options &= ~SSL_OP_NO_TICKET;
1999 tlsp->resumption |= RESUME_SERVER_TICKET; /* server will give ticket on request */
2000 tlsp->host_resumable = TRUE;
2001 }
2002#endif
2003
77bb000f 2004 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
7006ee24 2005 if (!(SSL_CTX_set_options(ctx, init_options)))
77bb000f 2006 return tls_error(string_sprintf(
cf0c6164 2007 "SSL_CTX_set_option(%#lx)", init_options), host, NULL, errstr);
77bb000f
PP
2008 }
2009else
2010 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
059ec3d9 2011
a28050f8
JH
2012/* We'd like to disable session cache unconditionally, but foolish Outlook
2013Express clients then give up the first TLS connection and make a second one
2014(which works). Only when there is an IMAP service on the same machine.
2015Presumably OE is trying to use the cache for A on B. Leave it enabled for
2016now, until we work out a decent way of presenting control to the config. It
2017will never be used because we use a new context every time. */
2018#ifdef notdef
7006ee24 2019(void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
a28050f8 2020#endif
7006ee24 2021
059ec3d9 2022/* Initialize with DH parameters if supplied */
10ca4f1c 2023/* Initialize ECDH temp key parameter selection */
059ec3d9 2024
7006ee24
JH
2025if ( !init_dh(ctx, dhparam, host, errstr)
2026 || !init_ecdh(ctx, host, errstr)
038597d2
PP
2027 )
2028 return DEFER;
059ec3d9 2029
3f7eeb86 2030/* Set up certificate and key (and perhaps OCSP info) */
059ec3d9 2031
7006ee24 2032if ((rc = tls_expand_session_files(ctx, cbinfo, errstr)) != OK)
23bb6982 2033 return rc;
c91535f3 2034
c3033f13
JH
2035/* If we need to handle SNI or OCSP, do so */
2036
3bcbbbe2 2037#ifdef EXIM_HAVE_OPENSSL_TLSEXT
c3033f13
JH
2038# ifndef DISABLE_OCSP
2039 if (!(cbinfo->verify_stack = sk_X509_new_null()))
2040 {
2041 DEBUG(D_tls) debug_printf("failed to create stack for stapling verify\n");
2042 return FAIL;
2043 }
2044# endif
2045
7a8b9519 2046if (!host) /* server */
3f0945ff 2047 {
f2de3a33 2048# ifndef DISABLE_OCSP
f5d78688 2049 /* We check u_ocsp.server.file, not server.response, because we care about if
3f7eeb86
PP
2050 the option exists, not what the current expansion might be, as SNI might
2051 change the certificate and OCSP file in use between now and the time the
2052 callback is invoked. */
f5d78688 2053 if (cbinfo->u_ocsp.server.file)
3f7eeb86 2054 {
7006ee24
JH
2055 SSL_CTX_set_tlsext_status_cb(ctx, tls_server_stapling_cb);
2056 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
3f7eeb86 2057 }
f5d78688 2058# endif
3f0945ff
PP
2059 /* We always do this, so that $tls_sni is available even if not used in
2060 tls_certificate */
7006ee24
JH
2061 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
2062 SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
3f0945ff 2063 }
f2de3a33 2064# ifndef DISABLE_OCSP
f5d78688
JH
2065else /* client */
2066 if(ocsp_file) /* wanting stapling */
2067 {
2068 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
2069 {
2070 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
2071 return FAIL;
2072 }
7006ee24
JH
2073 SSL_CTX_set_tlsext_status_cb(ctx, tls_client_stapling_cb);
2074 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
f5d78688
JH
2075 }
2076# endif
7be682ca 2077#endif
059ec3d9 2078
e51c7be2 2079cbinfo->verify_cert_hostnames = NULL;
e51c7be2 2080
c8dfb21d 2081#ifdef EXIM_HAVE_EPHEM_RSA_KEX
059ec3d9 2082/* Set up the RSA callback */
7006ee24 2083SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
c8dfb21d 2084#endif
059ec3d9 2085
b10c87b3
JH
2086/* Finally, set the session cache timeout, and we are done.
2087The period appears to be also used for (server-generated) session tickets */
059ec3d9 2088
7006ee24 2089SSL_CTX_set_timeout(ctx, ssl_session_timeout);
059ec3d9 2090DEBUG(D_tls) debug_printf("Initialized TLS\n");
7be682ca 2091
817d9f57 2092*cbp = cbinfo;
7006ee24 2093*ctxp = ctx;
7be682ca 2094
059ec3d9
PH
2095return OK;
2096}
2097
2098
2099
2100
2101/*************************************************
2102* Get name of cipher in use *
2103*************************************************/
2104
817d9f57 2105/*
059ec3d9 2106Argument: pointer to an SSL structure for the connection
817d9f57 2107 pointer to number of bits for cipher
f1be21cf 2108Returns: pointer to allocated string in perm-pool
059ec3d9
PH
2109*/
2110
f1be21cf
JH
2111static uschar *
2112construct_cipher_name(SSL * ssl, int * bits)
059ec3d9 2113{
f1be21cf 2114int pool = store_pool;
7a8b9519 2115/* With OpenSSL 1.0.0a, 'c' needs to be const but the documentation doesn't
57b3a7f5
PP
2116yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
2117the accessor functions use const in the prototype. */
059ec3d9 2118
7a8b9519
JH
2119const uschar * ver = CUS SSL_get_version(ssl);
2120const SSL_CIPHER * c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
f1be21cf 2121uschar * s;
059ec3d9 2122
817d9f57 2123SSL_CIPHER_get_bits(c, bits);
059ec3d9 2124
f1be21cf
JH
2125store_pool = POOL_PERM;
2126s = string_sprintf("%s:%s:%u", ver, SSL_CIPHER_get_name(c), *bits);
2127store_pool = pool;
2128DEBUG(D_tls) debug_printf("Cipher: %s\n", s);
2129return s;
2130}
2131
059ec3d9 2132
f1be21cf
JH
2133/* Get IETF-standard name for ciphersuite.
2134Argument: pointer to an SSL structure for the connection
2135Returns: pointer to string
2136*/
2137
2138static const uschar *
2139cipher_stdname_ssl(SSL * ssl)
2140{
2141#ifdef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
2142return CUS SSL_CIPHER_standard_name(SSL_get_current_cipher(ssl));
2143#else
2144ushort id = 0xffff & SSL_CIPHER_get_id(SSL_get_current_cipher(ssl));
2145return cipher_stdname(id >> 8, id & 0xff);
2146#endif
059ec3d9
PH
2147}
2148
2149
f69979cf 2150static void
70e384dd 2151peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned siz)
f69979cf
JH
2152{
2153/*XXX we might consider a list-of-certs variable for the cert chain.
2154SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
2155in list-handling functions, also consider the difference between the entire
2156chain and the elements sent by the peer. */
2157
70e384dd
JH
2158tlsp->peerdn = NULL;
2159
f69979cf
JH
2160/* Will have already noted peercert on a verify fail; possibly not the leaf */
2161if (!tlsp->peercert)
2162 tlsp->peercert = SSL_get_peer_certificate(ssl);
2163/* Beware anonymous ciphers which lead to server_cert being NULL */
2164if (tlsp->peercert)
70e384dd
JH
2165 if (!X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, siz))
2166 { DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n"); }
2167 else
2168 {
4a1bd6b9
JH
2169 int oldpool = store_pool;
2170
2171 peerdn[siz-1] = '\0'; /* paranoia */
2172 store_pool = POOL_PERM;
2173 tlsp->peerdn = string_copy(peerdn);
2174 store_pool = oldpool;
2175
2176 /* We used to set CV in the cert-verify callbacks (either plain or dane)
2177 but they don't get called on session-resumption. So use the official
2178 interface, which uses the resumed value. Unfortunately this claims verified
2179 when it actually failed but we're in try-verify mode, due to us wanting the
2180 knowlege that it failed so needing to have the callback and forcing a
2181 permissive return. If we don't force it, the TLS startup is failed.
f4e62a87
JH
2182 The extra bit of information is set in verify_override in the cb, stashed
2183 for resumption next to the TLS session, and used here. */
4a1bd6b9
JH
2184
2185 if (!tlsp->verify_override)
2186 tlsp->certificate_verified = SSL_get_verify_result(ssl) == X509_V_OK;
70e384dd 2187 }
f69979cf
JH
2188}
2189
2190
059ec3d9
PH
2191
2192
2193
2194/*************************************************
2195* Set up for verifying certificates *
2196*************************************************/
2197
0e8aed8a 2198#ifndef DISABLE_OCSP
c3033f13
JH
2199/* Load certs from file, return TRUE on success */
2200
2201static BOOL
2202chain_from_pem_file(const uschar * file, STACK_OF(X509) * verify_stack)
2203{
2204BIO * bp;
2205X509 * x;
2206
dec766a1
WB
2207while (sk_X509_num(verify_stack) > 0)
2208 X509_free(sk_X509_pop(verify_stack));
2209
c3033f13
JH
2210if (!(bp = BIO_new_file(CS file, "r"))) return FALSE;
2211while ((x = PEM_read_bio_X509(bp, NULL, 0, NULL)))
2212 sk_X509_push(verify_stack, x);
2213BIO_free(bp);
2214return TRUE;
2215}
0e8aed8a 2216#endif
c3033f13
JH
2217
2218
2219
dec766a1
WB
2220/* Called by both client and server startup; on the server possibly
2221repeated after a Server Name Indication.
059ec3d9
PH
2222
2223Arguments:
7be682ca 2224 sctx SSL_CTX* to initialise
059ec3d9
PH
2225 certs certs file or NULL
2226 crl CRL file or NULL
2227 host NULL in a server; the remote host in a client
2228 optional TRUE if called from a server for a host in tls_try_verify_hosts;
2229 otherwise passed as FALSE
983207c1 2230 cert_vfy_cb Callback function for certificate verification
cf0c6164 2231 errstr error string pointer
059ec3d9
PH
2232
2233Returns: OK/DEFER/FAIL
2234*/
2235
2236static int
983207c1 2237setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
cf0c6164 2238 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr)
059ec3d9
PH
2239{
2240uschar *expcerts, *expcrl;
2241
cf0c6164 2242if (!expand_check(certs, US"tls_verify_certificates", &expcerts, errstr))
059ec3d9 2243 return DEFER;
57cc2785 2244DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
059ec3d9 2245
10a831a3 2246if (expcerts && *expcerts)
059ec3d9 2247 {
10a831a3
JH
2248 /* Tell the library to use its compiled-in location for the system default
2249 CA bundle. Then add the ones specified in the config, if any. */
cb1d7830 2250
10a831a3 2251 if (!SSL_CTX_set_default_verify_paths(sctx))
cf0c6164 2252 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL, errstr);
10a831a3
JH
2253
2254 if (Ustrcmp(expcerts, "system") != 0)
059ec3d9 2255 {
cb1d7830
JH
2256 struct stat statbuf;
2257
cb1d7830
JH
2258 if (Ustat(expcerts, &statbuf) < 0)
2259 {
2260 log_write(0, LOG_MAIN|LOG_PANIC,
2261 "failed to stat %s for certificates", expcerts);
2262 return DEFER;
2263 }
059ec3d9 2264 else
059ec3d9 2265 {
cb1d7830
JH
2266 uschar *file, *dir;
2267 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
2268 { file = NULL; dir = expcerts; }
2269 else
c3033f13
JH
2270 {
2271 file = expcerts; dir = NULL;
2272#ifndef DISABLE_OCSP
2273 /* In the server if we will be offering an OCSP proof, load chain from
2274 file for verifying the OCSP proof at load time. */
2275
2276 if ( !host
2277 && statbuf.st_size > 0
2278 && server_static_cbinfo->u_ocsp.server.file
2279 && !chain_from_pem_file(file, server_static_cbinfo->verify_stack)
2280 )
2281 {
2282 log_write(0, LOG_MAIN|LOG_PANIC,
57887ecc 2283 "failed to load cert chain from %s", file);
c3033f13
JH
2284 return DEFER;
2285 }
2286#endif
2287 }
cb1d7830
JH
2288
2289 /* If a certificate file is empty, the next function fails with an
2290 unhelpful error message. If we skip it, we get the correct behaviour (no
2291 certificates are recognized, but the error message is still misleading (it
c3033f13 2292 says no certificate was supplied). But this is better. */
cb1d7830 2293
f2f2c91b
JH
2294 if ( (!file || statbuf.st_size > 0)
2295 && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
cf0c6164 2296 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL, errstr);
cb1d7830
JH
2297
2298 /* Load the list of CAs for which we will accept certs, for sending
2299 to the client. This is only for the one-file tls_verify_certificates
2300 variant.
d7978c0f
JH
2301 If a list isn't loaded into the server, but some verify locations are set,
2302 the server end appears to make a wildcard request for client certs.
10a831a3 2303 Meanwhile, the client library as default behaviour *ignores* the list
cb1d7830
JH
2304 we send over the wire - see man SSL_CTX_set_client_cert_cb.
2305 Because of this, and that the dir variant is likely only used for
d7978c0f
JH
2306 the public-CA bundle (not for a private CA), not worth fixing. */
2307
f2f2c91b 2308 if (file)
cb1d7830 2309 {
2009ecca 2310 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
dec766a1
WB
2311
2312 SSL_CTX_set_client_CA_list(sctx, names);
f2f2c91b 2313 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
cb1d7830 2314 sk_X509_NAME_num(names));
cb1d7830 2315 }
059ec3d9
PH
2316 }
2317 }
2318
2319 /* Handle a certificate revocation list. */
2320
10a831a3 2321#if OPENSSL_VERSION_NUMBER > 0x00907000L
059ec3d9 2322
8b417f2c 2323 /* This bit of code is now the version supplied by Lars Mainka. (I have
10a831a3 2324 merely reformatted it into the Exim code style.)
8b417f2c 2325
10a831a3
JH
2326 "From here I changed the code to add support for multiple crl's
2327 in pem format in one file or to support hashed directory entries in
2328 pem format instead of a file. This method now uses the library function
2329 X509_STORE_load_locations to add the CRL location to the SSL context.
2330 OpenSSL will then handle the verify against CA certs and CRLs by
2331 itself in the verify callback." */
8b417f2c 2332
cf0c6164 2333 if (!expand_check(crl, US"tls_crl", &expcrl, errstr)) return DEFER;
10a831a3 2334 if (expcrl && *expcrl)
059ec3d9 2335 {
8b417f2c
PH
2336 struct stat statbufcrl;
2337 if (Ustat(expcrl, &statbufcrl) < 0)
2338 {
2339 log_write(0, LOG_MAIN|LOG_PANIC,
2340 "failed to stat %s for certificates revocation lists", expcrl);
2341 return DEFER;
2342 }
2343 else
059ec3d9 2344 {
8b417f2c
PH
2345 /* is it a file or directory? */
2346 uschar *file, *dir;
7be682ca 2347 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
8b417f2c 2348 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
059ec3d9 2349 {
8b417f2c
PH
2350 file = NULL;
2351 dir = expcrl;
2352 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
059ec3d9
PH
2353 }
2354 else
2355 {
8b417f2c
PH
2356 file = expcrl;
2357 dir = NULL;
2358 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
059ec3d9 2359 }
8b417f2c 2360 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
cf0c6164 2361 return tls_error(US"X509_STORE_load_locations", host, NULL, errstr);
8b417f2c
PH
2362
2363 /* setting the flags to check against the complete crl chain */
2364
2365 X509_STORE_set_flags(cvstore,
2366 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
059ec3d9 2367 }
059ec3d9
PH
2368 }
2369
10a831a3 2370#endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
059ec3d9
PH
2371
2372 /* If verification is optional, don't fail if no certificate */
2373
7be682ca 2374 SSL_CTX_set_verify(sctx,
5a2a0989 2375 SSL_VERIFY_PEER | (optional ? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
983207c1 2376 cert_vfy_cb);
059ec3d9
PH
2377 }
2378
2379return OK;
2380}
2381
2382
2383
2384/*************************************************
2385* Start a TLS session in a server *
2386*************************************************/
2387
2388/* This is called when Exim is running as a server, after having received
2389the STARTTLS command. It must respond to that command, and then negotiate
2390a TLS session.
2391
2392Arguments:
2393 require_ciphers allowed ciphers
cf0c6164 2394 errstr pointer to error message
059ec3d9
PH
2395
2396Returns: OK on success
2397 DEFER for errors before the start of the negotiation
4c04137d 2398 FAIL for errors during the negotiation; the server can't
059ec3d9
PH
2399 continue running.
2400*/
2401
2402int
cf0c6164 2403tls_server_start(const uschar * require_ciphers, uschar ** errstr)
059ec3d9
PH
2404{
2405int rc;
cf0c6164
JH
2406uschar * expciphers;
2407tls_ext_ctx_cb * cbinfo;
f69979cf 2408static uschar peerdn[256];
059ec3d9
PH
2409
2410/* Check for previous activation */
2411
74f1a423 2412if (tls_in.active.sock >= 0)
059ec3d9 2413 {
cf0c6164 2414 tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
925ac8e4 2415 smtp_printf("554 Already in TLS\r\n", FALSE);
059ec3d9
PH
2416 return FAIL;
2417 }
2418
2419/* Initialize the SSL library. If it fails, it will already have logged
2420the error. */
2421
817d9f57 2422rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
f2de3a33 2423#ifndef DISABLE_OCSP
47195144 2424 tls_ocsp_file, /*XXX stack*/
3f7eeb86 2425#endif
b10c87b3 2426 NULL, &server_static_cbinfo, &tls_in, errstr);
059ec3d9 2427if (rc != OK) return rc;
817d9f57 2428cbinfo = server_static_cbinfo;
059ec3d9 2429
cf0c6164 2430if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers, errstr))
059ec3d9
PH
2431 return FAIL;
2432
2433/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
17c76198
PP
2434were historically separated by underscores. So that I can use either form in my
2435tests, and also for general convenience, we turn underscores into hyphens here.
0c3807a8
JH
2436
2437XXX SSL_CTX_set_cipher_list() is replaced by SSL_CTX_set_ciphersuites()
2438for TLS 1.3 . Since we do not call it at present we get the default list:
2439TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
17c76198 2440*/
059ec3d9 2441
c3033f13 2442if (expciphers)
059ec3d9 2443 {
b10c87b3 2444 for (uschar * s = expciphers; *s; s++ ) if (*s == '_') *s = '-';
059ec3d9 2445 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
817d9f57 2446 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
cf0c6164 2447 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL, errstr);
7be682ca 2448 cbinfo->server_cipher_list = expciphers;
059ec3d9
PH
2449 }
2450
2451/* If this is a host for which certificate verification is mandatory or
2452optional, set up appropriately. */
2453
817d9f57 2454tls_in.certificate_verified = FALSE;
c0635b6d 2455#ifdef SUPPORT_DANE
53a7196b
JH
2456tls_in.dane_verified = FALSE;
2457#endif
a2ff477a 2458server_verify_callback_called = FALSE;
059ec3d9
PH
2459
2460if (verify_check_host(&tls_verify_hosts) == OK)
2461 {
983207c1 2462 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
afdb5e9c 2463 FALSE, verify_callback_server, errstr);
059ec3d9 2464 if (rc != OK) return rc;
a2ff477a 2465 server_verify_optional = FALSE;
059ec3d9
PH
2466 }
2467else if (verify_check_host(&tls_try_verify_hosts) == OK)
2468 {
983207c1 2469 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
afdb5e9c 2470 TRUE, verify_callback_server, errstr);
059ec3d9 2471 if (rc != OK) return rc;
a2ff477a 2472 server_verify_optional = TRUE;
059ec3d9
PH
2473 }
2474
b10c87b3
JH
2475#ifdef EXPERIMENTAL_TLS_RESUME
2476SSL_CTX_set_tlsext_ticket_key_cb(server_ctx, ticket_key_callback);
2477/* despite working, appears to always return failure, so ignoring */
2478#endif
2479#ifdef OPENSSL_HAVE_NUM_TICKETS
2480# ifdef EXPERIMENTAL_TLS_RESUME
2481SSL_CTX_set_num_tickets(server_ctx, tls_in.host_resumable ? 1 : 0);
2482# else
2483SSL_CTX_set_num_tickets(server_ctx, 0); /* send no TLS1.3 stateful-tickets */
2484# endif
2485#endif
2486
2487
059ec3d9
PH
2488/* Prepare for new connection */
2489
cf0c6164
JH
2490if (!(server_ssl = SSL_new(server_ctx)))
2491 return tls_error(US"SSL_new", NULL, NULL, errstr);
da3ad30d
PP
2492
2493/* Warning: we used to SSL_clear(ssl) here, it was removed.
2494 *
2495 * With the SSL_clear(), we get strange interoperability bugs with
2496 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
2497 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
2498 *
2499 * The SSL_clear() call is to let an existing SSL* be reused, typically after
2500 * session shutdown. In this case, we have a brand new object and there's no
2501 * obvious reason to immediately clear it. I'm guessing that this was
2502 * originally added because of incomplete initialisation which the clear fixed,
2503 * in some historic release.
2504 */
059ec3d9
PH
2505
2506/* Set context and tell client to go ahead, except in the case of TLS startup
2507on connection, where outputting anything now upsets the clients and tends to
2508make them disconnect. We need to have an explicit fflush() here, to force out
2509the response. Other smtp_printf() calls do not need it, because in non-TLS
2510mode, the fflush() happens when smtp_getc() is called. */
2511
817d9f57
JH
2512SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
2513if (!tls_in.on_connect)
059ec3d9 2514 {
925ac8e4 2515 smtp_printf("220 TLS go ahead\r\n", FALSE);
059ec3d9
PH
2516 fflush(smtp_out);
2517 }
2518
2519/* Now negotiate the TLS session. We put our own timer on it, since it seems
2520that the OpenSSL library doesn't. */
2521
817d9f57
JH
2522SSL_set_wfd(server_ssl, fileno(smtp_out));
2523SSL_set_rfd(server_ssl, fileno(smtp_in));
2524SSL_set_accept_state(server_ssl);
059ec3d9
PH
2525
2526DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
2527
2528sigalrm_seen = FALSE;
c2a1bba0 2529if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
817d9f57 2530rc = SSL_accept(server_ssl);
c2a1bba0 2531ALARM_CLR(0);
059ec3d9
PH
2532
2533if (rc <= 0)
2534 {
cf0c6164 2535 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
059ec3d9
PH
2536 return FAIL;
2537 }
2538
2539DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
25fa0868 2540ERR_clear_error(); /* Even success can leave errors in the stack. Seen with
b10c87b3
JH
2541 anon-authentication ciphersuite negotiated. */
2542
2543#ifdef EXPERIMENTAL_TLS_RESUME
2544if (SSL_session_reused(server_ssl))
2545 {
2546 tls_in.resumption |= RESUME_USED;
2547 DEBUG(D_tls) debug_printf("Session reused\n");
2548 }
2549#endif
059ec3d9
PH
2550
2551/* TLS has been set up. Adjust the input functions to read via TLS,
2552and initialize things. */
2553
f69979cf
JH
2554peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
2555
f1be21cf
JH
2556tls_in.cipher = construct_cipher_name(server_ssl, &tls_in.bits);
2557tls_in.cipher_stdname = cipher_stdname_ssl(server_ssl);
2558
059ec3d9
PH
2559DEBUG(D_tls)
2560 {
2561 uschar buf[2048];
f1be21cf 2562 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)))
059ec3d9 2563 debug_printf("Shared ciphers: %s\n", buf);
f20cfa4a
JH
2564
2565#ifdef EXIM_HAVE_OPENSSL_KEYLOG
2566 {
10ed27e0 2567 BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
f20cfa4a 2568 SSL_SESSION_print_keylog(bp, SSL_get_session(server_ssl));
f20cfa4a
JH
2569 BIO_free(bp);
2570 }
2571#endif
b10c87b3
JH
2572
2573#ifdef EXIM_HAVE_SESSION_TICKET
2574 {
2575 SSL_SESSION * ss = SSL_get_session(server_ssl);
40618fb6 2576 if (SSL_SESSION_has_ticket(ss)) /* 1.1.0 */
b10c87b3
JH
2577 debug_printf("The session has a ticket, life %lu seconds\n",
2578 SSL_SESSION_get_ticket_lifetime_hint(ss));
2579 }
2580#endif
059ec3d9
PH
2581 }
2582
9d1c15ef
JH
2583/* Record the certificate we presented */
2584 {
2585 X509 * crt = SSL_get_certificate(server_ssl);
2586 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
2587 }
059ec3d9 2588
817d9f57
JH
2589/* Only used by the server-side tls (tls_in), including tls_getc.
2590 Client-side (tls_out) reads (seem to?) go via
2591 smtp_read_response()/ip_recv().
2592 Hence no need to duplicate for _in and _out.
2593 */
b808677c 2594if (!ssl_xfer_buffer) ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
059ec3d9 2595ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
8b77d27a 2596ssl_xfer_eof = ssl_xfer_error = FALSE;
059ec3d9
PH
2597
2598receive_getc = tls_getc;
0d81dabc 2599receive_getbuf = tls_getbuf;
584e96c6 2600receive_get_cache = tls_get_cache;
059ec3d9
PH
2601receive_ungetc = tls_ungetc;
2602receive_feof = tls_feof;
2603receive_ferror = tls_ferror;
58eb016e 2604receive_smtp_buffered = tls_smtp_buffered;
059ec3d9 2605
74f1a423
JH
2606tls_in.active.sock = fileno(smtp_out);
2607tls_in.active.tls_ctx = NULL; /* not using explicit ctx for server-side */
059ec3d9
PH
2608return OK;
2609}
2610
2611
2612
2613
043b1248
JH
2614static int
2615tls_client_basic_ctx_init(SSL_CTX * ctx,
cf0c6164
JH
2616 host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo,
2617 uschar ** errstr)
043b1248
JH
2618{
2619int rc;
94431adb 2620/* stick to the old behaviour for compatibility if tls_verify_certificates is
043b1248
JH
2621 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
2622 the specified host patterns if one of them is defined */
2623
610ff438
JH
2624if ( ( !ob->tls_verify_hosts
2625 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2626 )
3c07dd2d 2627 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
aa2a70ba 2628 )
043b1248 2629 client_verify_optional = FALSE;
3c07dd2d 2630else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
aa2a70ba
JH
2631 client_verify_optional = TRUE;
2632else
2633 return OK;
2634
2635if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
cf0c6164
JH
2636 ob->tls_crl, host, client_verify_optional, verify_callback_client,
2637 errstr)) != OK)
aa2a70ba 2638 return rc;
043b1248 2639
3c07dd2d 2640if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
043b1248 2641 {
4af0d74a 2642 cbinfo->verify_cert_hostnames =
8c5d388a 2643#ifdef SUPPORT_I18N
4af0d74a
JH
2644 string_domain_utf8_to_alabel(host->name, NULL);
2645#else
2646 host->name;
2647#endif
aa2a70ba
JH
2648 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
2649 cbinfo->verify_cert_hostnames);
043b1248 2650 }
043b1248
JH
2651return OK;
2652}
059ec3d9 2653
fde080a4 2654
c0635b6d 2655#ifdef SUPPORT_DANE
fde080a4 2656static int
cf0c6164 2657dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa, uschar ** errstr)
fde080a4 2658{
fde080a4
JH
2659dns_scan dnss;
2660const char * hostnames[2] = { CS host->name, NULL };
2661int found = 0;
2662
2663if (DANESSL_init(ssl, NULL, hostnames) != 1)
cf0c6164 2664 return tls_error(US"hostnames load", host, NULL, errstr);
fde080a4 2665
d7978c0f 2666for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
fde080a4 2667 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
1b76ad22 2668 ) if (rr->type == T_TLSA && rr->size > 3)
fde080a4 2669 {
c3033f13 2670 const uschar * p = rr->data;
fde080a4
JH
2671 uint8_t usage, selector, mtype;
2672 const char * mdname;
2673
fde080a4 2674 usage = *p++;
133d2546
JH
2675
2676 /* Only DANE-TA(2) and DANE-EE(3) are supported */
2677 if (usage != 2 && usage != 3) continue;
2678
fde080a4
JH
2679 selector = *p++;
2680 mtype = *p++;
2681
2682 switch (mtype)
2683 {
133d2546
JH
2684 default: continue; /* Only match-types 0, 1, 2 are supported */
2685 case 0: mdname = NULL; break;
2686 case 1: mdname = "sha256"; break;
2687 case 2: mdname = "sha512"; break;
fde080a4
JH
2688 }
2689
133d2546 2690 found++;
fde080a4
JH
2691 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
2692 {
2693 default:
cf0c6164 2694 return tls_error(US"tlsa load", host, NULL, errstr);
c035b645 2695 case 0: /* action not taken */
fde080a4
JH
2696 case 1: break;
2697 }
594706ea
JH
2698
2699 tls_out.tlsa_usage |= 1<<usage;
fde080a4
JH
2700 }
2701
2702if (found)
2703 return OK;
2704
133d2546 2705log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
6ebd79ec 2706return DEFER;
fde080a4 2707}
c0635b6d 2708#endif /*SUPPORT_DANE*/
fde080a4
JH
2709
2710
2711
b10c87b3
JH
2712#ifdef EXPERIMENTAL_TLS_RESUME
2713/* On the client, get any stashed session for the given IP from hints db
2714and apply it to the ssl-connection for attempted resumption. */
2715
2716static void
2717tls_retrieve_session(tls_support * tlsp, SSL * ssl, const uschar * key)
2718{
2719tlsp->resumption |= RESUME_SUPPORTED;
2720if (tlsp->host_resumable)
2721 {
2722 dbdata_tls_session * dt;
2723 int len;
2724 open_db dbblock, * dbm_file;
2725
2726 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
2727 DEBUG(D_tls) debug_printf("checking for resumable session for %s\n", key);
2728 if ((dbm_file = dbfn_open(US"tls", O_RDONLY, &dbblock, FALSE, FALSE)))
2729 {
2730 /* key for the db is the IP */
2731 if ((dt = dbfn_read_with_length(dbm_file, key, &len)))
2732 {
2733 SSL_SESSION * ss = NULL;
2734 const uschar * sess_asn1 = dt->session;
2735
2736 len -= sizeof(dbdata_tls_session);
2737 if (!(d2i_SSL_SESSION(&ss, &sess_asn1, (long)len)))
2738 {
2739 DEBUG(D_tls)
2740 {
2741 ERR_error_string_n(ERR_get_error(),
2742 ssl_errstring, sizeof(ssl_errstring));
2743 debug_printf("decoding session: %s\n", ssl_errstring);
2744 }
2745 }
a775dd1d 2746#ifdef EXIM_HAVE_SESSION_TICKET
4f1d23a1
JH
2747 else if ( SSL_SESSION_get_ticket_lifetime_hint(ss) + dt->time_stamp
2748 < time(NULL))
2749 {
2750 DEBUG(D_tls) debug_printf("session expired\n");
2751 dbfn_delete(dbm_file, key);
2752 }
a775dd1d 2753#endif
b10c87b3
JH
2754 else if (!SSL_set_session(ssl, ss))
2755 {
2756 DEBUG(D_tls)
2757 {
2758 ERR_error_string_n(ERR_get_error(),
2759 ssl_errstring, sizeof(ssl_errstring));
2760 debug_printf("applying session to ssl: %s\n", ssl_errstring);
2761 }
2762 }
2763 else
2764 {
2765 DEBUG(D_tls) debug_printf("good session\n");
2766 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
f4e62a87 2767 tlsp->verify_override = dt->verify_override;
c82de233 2768 tlsp->ocsp = dt->ocsp;
b10c87b3
JH
2769 }
2770 }
2771 else
2772 DEBUG(D_tls) debug_printf("no session record\n");
2773 dbfn_close(dbm_file);
2774 }
2775 }
2776}
2777
2778
2779/* On the client, save the session for later resumption */
2780
2781static int
2782tls_save_session_cb(SSL * ssl, SSL_SESSION * ss)
2783{
2784tls_ext_ctx_cb * cbinfo = SSL_get_ex_data(ssl, tls_exdata_idx);
2785tls_support * tlsp;
2786
2787DEBUG(D_tls) debug_printf("tls_save_session_cb\n");
2788
2789if (!cbinfo || !(tlsp = cbinfo->tlsp)->host_resumable) return 0;
2790
40618fb6
JH
2791# ifdef OPENSSL_HAVE_NUM_TICKETS
2792if (SSL_SESSION_is_resumable(ss)) /* 1.1.1 */
2793# endif
b10c87b3
JH
2794 {
2795 int len = i2d_SSL_SESSION(ss, NULL);
2796 int dlen = sizeof(dbdata_tls_session) + len;
f3ebb786 2797 dbdata_tls_session * dt = store_get(dlen, TRUE);
b10c87b3
JH
2798 uschar * s = dt->session;
2799 open_db dbblock, * dbm_file;
2800
2801 DEBUG(D_tls) debug_printf("session is resumable\n");
2802 tlsp->resumption |= RESUME_SERVER_TICKET; /* server gave us a ticket */
2803
f4e62a87 2804 dt->verify_override = tlsp->verify_override;
c82de233 2805 dt->ocsp = tlsp->ocsp;
f4e62a87 2806 (void) i2d_SSL_SESSION(ss, &s); /* s gets bumped to end */
b10c87b3
JH
2807
2808 if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
2809 {
2810 const uschar * key = cbinfo->host->address;
2811 dbfn_delete(dbm_file, key);
2812 dbfn_write(dbm_file, key, dt, dlen);
2813 dbfn_close(dbm_file);
2814 DEBUG(D_tls) debug_printf("wrote session (len %u) to db\n",
2815 (unsigned)dlen);
2816 }
2817 }
b10c87b3
JH
2818return 1;
2819}
2820
2821
2822static void
2823tls_client_ctx_resume_prehandshake(
2824 exim_openssl_client_tls_ctx * exim_client_ctx, tls_support * tlsp,
2825 smtp_transport_options_block * ob, host_item * host)
2826{
2827/* Should the client request a session resumption ticket? */
2828if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, host) == OK)
2829 {
2830 tlsp->host_resumable = TRUE;
2831
2832 SSL_CTX_set_session_cache_mode(exim_client_ctx->ctx,
2833 SSL_SESS_CACHE_CLIENT
2834 | SSL_SESS_CACHE_NO_INTERNAL | SSL_SESS_CACHE_NO_AUTO_CLEAR);
2835 SSL_CTX_sess_set_new_cb(exim_client_ctx->ctx, tls_save_session_cb);
2836 }
2837}
2838
2839static BOOL
2840tls_client_ssl_resume_prehandshake(SSL * ssl, tls_support * tlsp,
2841 host_item * host, uschar ** errstr)
2842{
2843if (tlsp->host_resumable)
2844 {
2845 DEBUG(D_tls)
2846 debug_printf("tls_resumption_hosts overrides openssl_options, enabling tickets\n");
2847 SSL_clear_options(ssl, SSL_OP_NO_TICKET);
2848
2849 tls_exdata_idx = SSL_get_ex_new_index(0, 0, 0, 0, 0);
2850 if (!SSL_set_ex_data(ssl, tls_exdata_idx, client_static_cbinfo))
2851 {
2852 tls_error(US"set ex_data", host, NULL, errstr);
2853 return FALSE;
2854 }
2855 debug_printf("tls_exdata_idx %d cbinfo %p\n", tls_exdata_idx, client_static_cbinfo);
2856 }
2857
2858tlsp->resumption = RESUME_SUPPORTED;
2859/* Pick up a previous session, saved on an old ticket */
2860tls_retrieve_session(tlsp, ssl, host->address);
2861return TRUE;
2862}
2863
2864static void
2865tls_client_resume_posthandshake(exim_openssl_client_tls_ctx * exim_client_ctx,
2866 tls_support * tlsp)
2867{
2868if (SSL_session_reused(exim_client_ctx->ssl))
2869 {
2870 DEBUG(D_tls) debug_printf("The session was reused\n");
2871 tlsp->resumption |= RESUME_USED;
2872 }
2873}
2874#endif /* EXPERIMENTAL_TLS_RESUME */
2875
2876
059ec3d9
PH
2877/*************************************************
2878* Start a TLS session in a client *
2879*************************************************/
2880
2881/* Called from the smtp transport after STARTTLS has been accepted.
2882
c05bdbd6
JH
2883Arguments:
2884 cctx connection context
2885 conn_args connection details
2886 cookie datum for randomness; can be NULL
2887 tlsp record details of TLS channel configuration here; must be non-NULL
2888 errstr error string pointer
2889
2890Returns: TRUE for success with TLS session context set in connection context,
2891 FALSE on error
059ec3d9
PH
2892*/
2893
c05bdbd6
JH
2894BOOL
2895tls_client_start(client_conn_ctx * cctx, smtp_connect_args * conn_args,
2896 void * cookie, tls_support * tlsp, uschar ** errstr)
059ec3d9 2897{
c05bdbd6
JH
2898host_item * host = conn_args->host; /* for msgs and option-tests */
2899transport_instance * tb = conn_args->tblock; /* always smtp or NULL */
afdb5e9c
JH
2900smtp_transport_options_block * ob = tb
2901 ? (smtp_transport_options_block *)tb->options_block
2902 : &smtp_transport_option_defaults;
74f1a423 2903exim_openssl_client_tls_ctx * exim_client_ctx;
868f5672 2904uschar * expciphers;
059ec3d9 2905int rc;
c05bdbd6 2906static uschar peerdn[256];
043b1248
JH
2907
2908#ifndef DISABLE_OCSP
043b1248 2909BOOL request_ocsp = FALSE;
6634ac8d 2910BOOL require_ocsp = FALSE;
043b1248 2911#endif
043b1248 2912
74f1a423
JH
2913rc = store_pool;
2914store_pool = POOL_PERM;
f3ebb786 2915exim_client_ctx = store_get(sizeof(exim_openssl_client_tls_ctx), FALSE);
c09dbcfb 2916exim_client_ctx->corked = NULL;
74f1a423
JH
2917store_pool = rc;
2918
c0635b6d 2919#ifdef SUPPORT_DANE
74f1a423 2920tlsp->tlsa_usage = 0;
043b1248
JH
2921#endif
2922
f2de3a33 2923#ifndef DISABLE_OCSP
043b1248 2924 {
c0635b6d 2925# ifdef SUPPORT_DANE
c05bdbd6 2926 if ( conn_args->dane
4f59c424
JH
2927 && ob->hosts_request_ocsp[0] == '*'
2928 && ob->hosts_request_ocsp[1] == '\0'
2929 )
2930 {
2931 /* Unchanged from default. Use a safer one under DANE */
2932 request_ocsp = TRUE;
2933 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
2934 " {= {4}{$tls_out_tlsa_usage}} } "
2935 " {*}{}}";
2936 }
2937# endif
2938
5130845b 2939 if ((require_ocsp =
3c07dd2d 2940 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK))
fca41d5a
JH
2941 request_ocsp = TRUE;
2942 else
c0635b6d 2943# ifdef SUPPORT_DANE
4f59c424 2944 if (!request_ocsp)
fca41d5a 2945# endif
5130845b 2946 request_ocsp =
3c07dd2d 2947 verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
043b1248 2948 }
f5d78688 2949#endif
059ec3d9 2950
74f1a423 2951rc = tls_init(&exim_client_ctx->ctx, host, NULL,
65867078 2952 ob->tls_certificate, ob->tls_privatekey,
f2de3a33 2953#ifndef DISABLE_OCSP
44662487 2954 (void *)(long)request_ocsp,
3f7eeb86 2955#endif
b10c87b3 2956 cookie, &client_static_cbinfo, tlsp, errstr);
c05bdbd6 2957if (rc != OK) return FALSE;
059ec3d9 2958
74f1a423 2959tlsp->certificate_verified = FALSE;
a2ff477a 2960client_verify_callback_called = FALSE;
059ec3d9 2961
5ec37a55
PP
2962expciphers = NULL;
2963#ifdef SUPPORT_DANE
c05bdbd6 2964if (conn_args->dane)
5ec37a55
PP
2965 {
2966 /* We fall back to tls_require_ciphers if unset, empty or forced failure, but
2967 other failures should be treated as problems. */
2968 if (ob->dane_require_tls_ciphers &&
2969 !expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
2970 &expciphers, errstr))
c05bdbd6 2971 return FALSE;
5ec37a55
PP
2972 if (expciphers && *expciphers == '\0')
2973 expciphers = NULL;
2974 }
2975#endif
2976if (!expciphers &&
2977 !expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
2978 &expciphers, errstr))
c05bdbd6 2979 return FALSE;
059ec3d9
PH
2980
2981/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
2982are separated by underscores. So that I can use either form in my tests, and
2983also for general convenience, we turn underscores into hyphens here. */
2984
cf0c6164 2985if (expciphers)
059ec3d9
PH
2986 {
2987 uschar *s = expciphers;
cf0c6164 2988 while (*s) { if (*s == '_') *s = '-'; s++; }
059ec3d9 2989 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
74f1a423
JH
2990 if (!SSL_CTX_set_cipher_list(exim_client_ctx->ctx, CS expciphers))
2991 {
2992 tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr);
c05bdbd6 2993 return FALSE;
74f1a423 2994 }
059ec3d9
PH
2995 }
2996
c0635b6d 2997#ifdef SUPPORT_DANE
c05bdbd6 2998if (conn_args->dane)
a63be306 2999 {
74f1a423 3000 SSL_CTX_set_verify(exim_client_ctx->ctx,
02af313d
JH
3001 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
3002 verify_callback_client_dane);
e5cccda9 3003
043b1248 3004 if (!DANESSL_library_init())
74f1a423
JH
3005 {
3006 tls_error(US"library init", host, NULL, errstr);
c05bdbd6 3007 return FALSE;
74f1a423
JH
3008 }
3009 if (DANESSL_CTX_init(exim_client_ctx->ctx) <= 0)
3010 {
3011 tls_error(US"context init", host, NULL, errstr);
c05bdbd6 3012 return FALSE;
74f1a423 3013 }
043b1248
JH
3014 }
3015else
e51c7be2 3016
043b1248
JH
3017#endif
3018
74f1a423
JH
3019 if (tls_client_basic_ctx_init(exim_client_ctx->ctx, host, ob,
3020 client_static_cbinfo, errstr) != OK)
c05bdbd6 3021 return FALSE;
059ec3d9 3022
b10c87b3
JH
3023#ifdef EXPERIMENTAL_TLS_RESUME
3024tls_client_ctx_resume_prehandshake(exim_client_ctx, tlsp, ob, host);
3025#endif
3026
3027
74f1a423
JH
3028if (!(exim_client_ctx->ssl = SSL_new(exim_client_ctx->ctx)))
3029 {
3030 tls_error(US"SSL_new", host, NULL, errstr);
c05bdbd6 3031 return FALSE;
74f1a423
JH
3032 }
3033SSL_set_session_id_context(exim_client_ctx->ssl, sid_ctx, Ustrlen(sid_ctx));
b10c87b3 3034
c05bdbd6 3035SSL_set_fd(exim_client_ctx->ssl, cctx->sock);
74f1a423 3036SSL_set_connect_state(exim_client_ctx->ssl);
059ec3d9 3037
65867078 3038if (ob->tls_sni)
3f0945ff 3039 {
74f1a423 3040 if (!expand_check(ob->tls_sni, US"tls_sni", &tlsp->sni, errstr))
c05bdbd6 3041 return FALSE;
74f1a423 3042 if (!tlsp->sni)
2c9a0e86
PP
3043 {
3044 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
3045 }
74f1a423
JH
3046 else if (!Ustrlen(tlsp->sni))
3047 tlsp->sni = NULL;
3f0945ff
PP
3048 else
3049 {
35731706 3050#ifdef EXIM_HAVE_OPENSSL_TLSEXT
74f1a423
JH
3051 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tlsp->sni);
3052 SSL_set_tlsext_host_name(exim_client_ctx->ssl, tlsp->sni);
35731706 3053#else
66802652 3054 log_write(0, LOG_MAIN, "SNI unusable with this OpenSSL library version; ignoring \"%s\"\n",
74f1a423 3055 tlsp->sni);
35731706 3056#endif
3f0945ff
PP
3057 }
3058 }
3059
c0635b6d 3060#ifdef SUPPORT_DANE
c05bdbd6
JH
3061if (conn_args->dane)
3062 if (dane_tlsa_load(exim_client_ctx->ssl, host, &conn_args->tlsa_dnsa, errstr) != OK)
3063 return FALSE;
594706ea
JH
3064#endif
3065
f2de3a33 3066#ifndef DISABLE_OCSP
f5d78688
JH
3067/* Request certificate status at connection-time. If the server
3068does OCSP stapling we will get the callback (set in tls_init()) */
c0635b6d 3069# ifdef SUPPORT_DANE
44662487
JH
3070if (request_ocsp)
3071 {
594706ea 3072 const uschar * s;
41afb5cb
JH
3073 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
3074 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
594706ea
JH
3075 )
3076 { /* Re-eval now $tls_out_tlsa_usage is populated. If
3077 this means we avoid the OCSP request, we wasted the setup
3078 cost in tls_init(). */
3c07dd2d 3079 require_ocsp = verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
5130845b 3080 request_ocsp = require_ocsp
3c07dd2d 3081 || verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
594706ea
JH
3082 }
3083 }
b50c8b84
JH
3084# endif
3085
594706ea
JH
3086if (request_ocsp)
3087 {
74f1a423 3088 SSL_set_tlsext_status_type(exim_client_ctx->ssl, TLSEXT_STATUSTYPE_ocsp);
44662487 3089 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
74f1a423 3090 tlsp->ocsp = OCSP_NOT_RESP;
44662487 3091 }
f5d78688
JH
3092#endif
3093
c82de233
JH
3094#ifdef EXPERIMENTAL_TLS_RESUME
3095if (!tls_client_ssl_resume_prehandshake(exim_client_ctx->ssl, tlsp, host,
3096 errstr))
3097 return FALSE;
3098#endif
3099
0cbf2b82 3100#ifndef DISABLE_EVENT
afdb5e9c 3101client_static_cbinfo->event_action = tb ? tb->event_action : NULL;
a7538db1 3102#endif
043b1248 3103
059ec3d9
PH
3104/* There doesn't seem to be a built-in timeout on connection. */
3105
3106DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
3107sigalrm_seen = FALSE;
c2a1bba0 3108ALARM(ob->command_timeout);
74f1a423 3109rc = SSL_connect(exim_client_ctx->ssl);
c2a1bba0 3110ALARM_CLR(0);
059ec3d9 3111
c0635b6d 3112#ifdef SUPPORT_DANE
c05bdbd6 3113if (conn_args->dane)
74f1a423 3114 DANESSL_cleanup(exim_client_ctx->ssl);
043b1248
JH
3115#endif
3116
059ec3d9 3117if (rc <= 0)
74f1a423
JH
3118 {
3119 tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL, errstr);
c05bdbd6 3120 return FALSE;
74f1a423 3121 }
059ec3d9 3122
f20cfa4a
JH
3123DEBUG(D_tls)
3124 {
3125 debug_printf("SSL_connect succeeded\n");
3126#ifdef EXIM_HAVE_OPENSSL_KEYLOG
3127 {
10ed27e0
JH
3128 BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
3129 SSL_SESSION_print_keylog(bp, SSL_get_session(exim_client_ctx->ssl));
3130 BIO_free(bp);
f20cfa4a
JH
3131 }
3132#endif
3133 }
059ec3d9 3134
b10c87b3
JH
3135#ifdef EXPERIMENTAL_TLS_RESUME
3136tls_client_resume_posthandshake(exim_client_ctx, tlsp);
3137#endif
3138
74f1a423 3139peer_cert(exim_client_ctx->ssl, tlsp, peerdn, sizeof(peerdn));
059ec3d9 3140
f1be21cf
JH
3141tlsp->cipher = construct_cipher_name(exim_client_ctx->ssl, &tlsp->bits);
3142tlsp->cipher_stdname = cipher_stdname_ssl(exim_client_ctx->ssl);
059ec3d9 3143
9d1c15ef
JH
3144/* Record the certificate we presented */
3145 {
74f1a423
JH
3146 X509 * crt = SSL_get_certificate(exim_client_ctx->ssl);
3147 tlsp->ourcert = crt ? X509_dup(crt) : NULL;
9d1c15ef
JH
3148 }
3149
c05bdbd6 3150tlsp->active.sock = cctx->sock;
74f1a423 3151tlsp->active.tls_ctx = exim_client_ctx;
c05bdbd6
JH
3152cctx->tls_ctx = exim_client_ctx;
3153return TRUE;
059ec3d9
PH
3154}
3155
3156
3157
3158
3159
0d81dabc
JH
3160static BOOL
3161tls_refill(unsigned lim)
3162{
3163int error;
3164int inbytes;
3165
3166DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
3167 ssl_xfer_buffer, ssl_xfer_buffer_size);
3168
c2a1bba0 3169if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
0d81dabc
JH
3170inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer,
3171 MIN(ssl_xfer_buffer_size, lim));
3172error = SSL_get_error(server_ssl, inbytes);
c2a1bba0 3173if (smtp_receive_timeout > 0) ALARM_CLR(0);
9723f966
JH
3174
3175if (had_command_timeout) /* set by signal handler */
3176 smtp_command_timeout_exit(); /* does not return */
3177if (had_command_sigterm)
3178 smtp_command_sigterm_exit();
3179if (had_data_timeout)
3180 smtp_data_timeout_exit();
3181if (had_data_sigint)
3182 smtp_data_sigint_exit();
0d81dabc
JH
3183
3184/* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
3185closed down, not that the socket itself has been closed down. Revert to
3186non-SSL handling. */
3187
74f1a423 3188switch(error)
0d81dabc 3189 {
74f1a423
JH
3190 case SSL_ERROR_NONE:
3191 break;
3192
3193 case SSL_ERROR_ZERO_RETURN:
3194 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
0d81dabc 3195
74f1a423
JH
3196 if (SSL_get_shutdown(server_ssl) == SSL_RECEIVED_SHUTDOWN)
3197 SSL_shutdown(server_ssl);
dec766a1 3198
bd231acd 3199 tls_close(NULL, TLS_NO_SHUTDOWN);
74f1a423 3200 return FALSE;
0d81dabc 3201
74f1a423
JH
3202 /* Handle genuine errors */
3203 case SSL_ERROR_SSL:
0abc5a13 3204 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
74f1a423
JH
3205 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
3206 ssl_xfer_error = TRUE;
3207 return FALSE;
0d81dabc 3208
74f1a423
JH
3209 default:
3210 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
3211 DEBUG(D_tls) if (error == SSL_ERROR_SYSCALL)
3212 debug_printf(" - syscall %s\n", strerror(errno));
3213 ssl_xfer_error = TRUE;
3214 return FALSE;
0d81dabc
JH
3215 }
3216
3217#ifndef DISABLE_DKIM
3218dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
3219#endif
3220ssl_xfer_buffer_hwm = inbytes;
3221ssl_xfer_buffer_lwm = 0;
3222return TRUE;
3223}
3224
3225
059ec3d9
PH
3226/*************************************************
3227* TLS version of getc *
3228*************************************************/
3229
3230/* This gets the next byte from the TLS input buffer. If the buffer is empty,
3231it refills the buffer via the SSL reading function.
3232
bd8fbe36 3233Arguments: lim Maximum amount to read/buffer
059ec3d9 3234Returns: the next character or EOF
817d9f57
JH
3235
3236Only used by the server-side TLS.
059ec3d9
PH
3237*/
3238
3239int
bd8fbe36 3240tls_getc(unsigned lim)
059ec3d9
PH
3241{
3242if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
0d81dabc
JH
3243 if (!tls_refill(lim))
3244 return ssl_xfer_error ? EOF : smtp_getc(lim);
059ec3d9 3245
0d81dabc 3246/* Something in the buffer; return next uschar */
059ec3d9 3247
0d81dabc
JH
3248return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
3249}
059ec3d9 3250
0d81dabc
JH
3251uschar *
3252tls_getbuf(unsigned * len)
3253{
3254unsigned size;
3255uschar * buf;
ba084640 3256
0d81dabc
JH
3257if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
3258 if (!tls_refill(*len))
059ec3d9 3259 {
0d81dabc
JH
3260 if (!ssl_xfer_error) return smtp_getbuf(len);
3261 *len = 0;
3262 return NULL;
059ec3d9 3263 }
c80c5570 3264
0d81dabc
JH
3265if ((size = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm) > *len)
3266 size = *len;
3267buf = &ssl_xfer_buffer[ssl_xfer_buffer_lwm];
3268ssl_xfer_buffer_lwm += size;
3269*len = size;
3270return buf;
059ec3d9
PH
3271}
3272
0d81dabc 3273
584e96c6
JH
3274void
3275tls_get_cache()
3276{
9960d1e5 3277#ifndef DISABLE_DKIM
584e96c6
JH
3278int n = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm;
3279if (n > 0)
3280 dkim_exim_verify_feed(ssl_xfer_buffer+ssl_xfer_buffer_lwm, n);
584e96c6 3281#endif
9960d1e5 3282}
584e96c6 3283
059ec3d9 3284
925ac8e4
JH
3285BOOL
3286tls_could_read(void)
3287{
a5ffa9b4 3288return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm || SSL_pending(server_ssl) > 0;
925ac8e4
JH
3289}
3290
059ec3d9
PH