projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
TLS: increase resumption ticket lifetime to 2 hours
[exim.git] / src / src / tls-openssl.c
CommitLineData
059ec3d9
PH		 1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
b10c87b3 5/* Copyright (c) University of Cambridge 1995 - 2019 */
059ec3d9
PH		 6/* See the file NOTICE for conditions of use and distribution. */
7
f5d78688
JH		 8/* Portions Copyright (c) The OpenSSL Project 1999 */
9
059ec3d9
PH		 10/* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11library. It is #included into the tls.c file when that library is used. The
12code herein is based on a patch that was originally contributed by Steve
13Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
14
15No cryptographic code is included in Exim. All this module does is to call
16functions from the OpenSSL library. */
17
18
19/* Heading stuff */
20
21#include <openssl/lhash.h>
22#include <openssl/ssl.h>
23#include <openssl/err.h>
24#include <openssl/rand.h>
10ca4f1c
JH		 25#ifndef OPENSSL_NO_ECDH
26# include <openssl/ec.h>
27#endif
f2de3a33 28#ifndef DISABLE_OCSP
e51c7be2 29# include <openssl/ocsp.h>
3f7eeb86 30#endif
c0635b6d 31#ifdef SUPPORT_DANE
05e796ad 32# include "danessl.h"
85098ee7
JH		 33#endif
34
3f7eeb86 35
f2de3a33
JH		 36#ifndef DISABLE_OCSP
37# define EXIM_OCSP_SKEW_SECONDS (300L)
38# define EXIM_OCSP_MAX_AGE (-1L)
3f7eeb86 39#endif
059ec3d9 40
3bcbbbe2 41#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
e51c7be2 42# define EXIM_HAVE_OPENSSL_TLSEXT
3bcbbbe2 43#endif
c8dfb21d
JH		 44#if OPENSSL_VERSION_NUMBER >= 0x00908000L
45# define EXIM_HAVE_RSA_GENKEY_EX
46#endif
47#if OPENSSL_VERSION_NUMBER >= 0x10100000L
48# define EXIM_HAVE_OCSP_RESP_COUNT
49#else
50# define EXIM_HAVE_EPHEM_RSA_KEX
51# define EXIM_HAVE_RAND_PSEUDO
52#endif
53#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
8442641e 54# define EXIM_HAVE_SHA256
c8dfb21d 55#endif
34e3241d 56
d7978c0f
JH		 57/* X509_check_host provides sane certificate hostname checking, but was added
58to OpenSSL late, after other projects forked off the code-base. So in
59addition to guarding against the base version number, beware that LibreSSL
60does not (at this time) support this function.
61
62If LibreSSL gains a different API, perhaps via libtls, then we'll probably
63opt to disentangle and ask a LibreSSL user to provide glue for a third
64crypto provider for libtls instead of continuing to tie the OpenSSL glue
65into even twistier knots. If LibreSSL gains the same API, we can just
66change this guard and punt the issue for a while longer. */
67
34e3241d
PP		 68#ifndef LIBRESSL_VERSION_NUMBER
69# if OPENSSL_VERSION_NUMBER >= 0x010100000L
70# define EXIM_HAVE_OPENSSL_CHECKHOST
8420742d 71# define EXIM_HAVE_OPENSSL_DH_BITS
7a8b9519 72# define EXIM_HAVE_OPENSSL_TLS_METHOD
f20cfa4a 73# define EXIM_HAVE_OPENSSL_KEYLOG
f1be21cf 74# define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
b10c87b3 75# define EXIM_HAVE_SESSION_TICKET
e570d136 76# define EXIM_HAVE_OPESSL_TRACE
7434882d
JH		 77# else
78# define EXIM_NEED_OPENSSL_INIT
34e3241d
PP		 79# endif
80# if OPENSSL_VERSION_NUMBER >= 0x010000000L \
2dfb468b 81 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
34e3241d
PP		 82# define EXIM_HAVE_OPENSSL_CHECKHOST
83# endif
11aa88b0 84#endif
10ca4f1c 85
11aa88b0
RA		 86#if !defined(LIBRESSL_VERSION_NUMBER) \
87 || LIBRESSL_VERSION_NUMBER >= 0x20010000L
10ca4f1c
JH		 88# if !defined(OPENSSL_NO_ECDH)
89# if OPENSSL_VERSION_NUMBER >= 0x0090800fL
8442641e 90# define EXIM_HAVE_ECDH
10ca4f1c
JH		 91# endif
92# if OPENSSL_VERSION_NUMBER >= 0x10002000L
10ca4f1c
JH		 93# define EXIM_HAVE_OPENSSL_EC_NIST2NID
94# endif
95# endif
2dfb468b 96#endif
3bcbbbe2 97
8a40db1c
JH		 98#ifndef LIBRESSL_VERSION_NUMBER
99# if OPENSSL_VERSION_NUMBER >= 0x010101000L
100# define OPENSSL_HAVE_KEYLOG_CB
d7f31bb6 101# define OPENSSL_HAVE_NUM_TICKETS
f1be21cf 102# define EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
8a40db1c
JH		 103# endif
104#endif
105
67791ce4
JH		 106#if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
107# warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
108# define DISABLE_OCSP
109#endif
43e2db44
JH		 110
111#ifdef EXPERIMENTAL_TLS_RESUME
112# if OPENSSL_VERSION_NUMBER < 0x0101010L
113# error OpenSSL version too old for session-resumption
114# endif
115#endif
67791ce4 116
a6510420
JH		 117#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
118# include <openssl/x509v3.h>
119#endif
120
f1be21cf
JH		 121#ifndef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
122# ifndef EXIM_HAVE_OPENSSL_CIPHER_GET_ID
123# define SSL_CIPHER_get_id(c) (c->id)
124# endif
dca6d121
JH		 125# ifndef MACRO_PREDEF
126# include "tls-cipher-stdname.c"
127# endif
f1be21cf
JH		 128#endif
129
8442641e
JH		 130/*************************************************
131* OpenSSL option parse *
132*************************************************/
133
134typedef struct exim_openssl_option {
135 uschar *name;
136 long value;
137} exim_openssl_option;
138/* We could use a macro to expand, but we need the ifdef and not all the
139options document which version they were introduced in. Policylet: include
140all options unless explicitly for DTLS, let the administrator choose which
141to apply.
142
143This list is current as of:
144 ==> 1.0.1b <==
145Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
146Plus SSL_OP_NO_TLSv1_3 for 1.1.2-dev
147*/
148static exim_openssl_option exim_openssl_options[] = {
149/* KEEP SORTED ALPHABETICALLY! */
150#ifdef SSL_OP_ALL
151 { US"all", SSL_OP_ALL },
152#endif
153#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
154 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
155#endif
156#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
157 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
158#endif
159#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
160 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
161#endif
162#ifdef SSL_OP_EPHEMERAL_RSA
163 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
164#endif
165#ifdef SSL_OP_LEGACY_SERVER_CONNECT
166 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
167#endif
168#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
169 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
170#endif
171#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
172 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
173#endif
174#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
175 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
176#endif
177#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
178 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
179#endif
180#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
181 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
182#endif
183#ifdef SSL_OP_NO_COMPRESSION
184 { US"no_compression", SSL_OP_NO_COMPRESSION },
185#endif
186#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
187 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
188#endif
189#ifdef SSL_OP_NO_SSLv2
190 { US"no_sslv2", SSL_OP_NO_SSLv2 },
191#endif
192#ifdef SSL_OP_NO_SSLv3
193 { US"no_sslv3", SSL_OP_NO_SSLv3 },
194#endif
195#ifdef SSL_OP_NO_TICKET
196 { US"no_ticket", SSL_OP_NO_TICKET },
197#endif
198#ifdef SSL_OP_NO_TLSv1
199 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
200#endif
201#ifdef SSL_OP_NO_TLSv1_1
202#if SSL_OP_NO_TLSv1_1 == 0x00000400L
203 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
204#warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
205#else
206 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
207#endif
208#endif
209#ifdef SSL_OP_NO_TLSv1_2
210 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
211#endif
212#ifdef SSL_OP_NO_TLSv1_3
213 { US"no_tlsv1_3", SSL_OP_NO_TLSv1_3 },
214#endif
215#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
216 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
217#endif
218#ifdef SSL_OP_SINGLE_DH_USE
219 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
220#endif
221#ifdef SSL_OP_SINGLE_ECDH_USE
222 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
223#endif
224#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
225 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
226#endif
227#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
228 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
229#endif
230#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
231 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
232#endif
233#ifdef SSL_OP_TLS_D5_BUG
234 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
235#endif
236#ifdef SSL_OP_TLS_ROLLBACK_BUG
237 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
238#endif
239};
240
241#ifndef MACRO_PREDEF
242static int exim_openssl_options_size = nelem(exim_openssl_options);
243#endif
244
245#ifdef MACRO_PREDEF
246void
247options_tls(void)
248{
8442641e
JH		 249uschar buf[64];
250
d7978c0f 251for (struct exim_openssl_option * o = exim_openssl_options;
8442641e
JH		 252 o < exim_openssl_options + nelem(exim_openssl_options); o++)
253 {
254 /* Trailing X is workaround for problem with _OPT_OPENSSL_NO_TLSV1
255 being a ".ifdef _OPT_OPENSSL_NO_TLSV1_3" match */
256
257 spf(buf, sizeof(buf), US"_OPT_OPENSSL_%T_X", o->name);
258 builtin_macro_create(buf);
259 }
b10c87b3
JH		 260
261# ifdef EXPERIMENTAL_TLS_RESUME
262builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
263# endif
8442641e
JH		 264}
265#else
266
267/******************************************************************************/
268
059ec3d9
PH		 269/* Structure for collecting random data for seeding. */
270
271typedef struct randstuff {
9e3331ea
TK		 272 struct timeval tv;
273 pid_t p;
059ec3d9
PH		 274} randstuff;
275
276/* Local static variables */
277
a2ff477a
JH		 278static BOOL client_verify_callback_called = FALSE;
279static BOOL server_verify_callback_called = FALSE;
059ec3d9
PH		 280static const uschar *sid_ctx = US"exim";
281
d4f09789
PP		 282/* We have three different contexts to care about.
283
284Simple case: client, `client_ctx`
285 As a client, we can be doing a callout or cut-through delivery while receiving
286 a message. So we have a client context, which should have options initialised
74f1a423
JH		 287 from the SMTP Transport. We may also concurrently want to make TLS connections
288 to utility daemons, so client-contexts are allocated and passed around in call
289 args rather than using a gobal.
d4f09789
PP		 290
291Server:
292 There are two cases: with and without ServerNameIndication from the client.
293 Given TLS SNI, we can be using different keys, certs and various other
294 configuration settings, because they're re-expanded with $tls_sni set. This
295 allows vhosting with TLS. This SNI is sent in the handshake.
296 A client might not send SNI, so we need a fallback, and an initial setup too.
297 So as a server, we start out using `server_ctx`.
298 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
299 `server_sni` from `server_ctx` and then initialise settings by re-expanding
300 configuration.
301*/
302
74f1a423
JH		 303typedef struct {
304 SSL_CTX * ctx;
305 SSL * ssl;
c09dbcfb 306 gstring * corked;
74f1a423
JH		 307} exim_openssl_client_tls_ctx;
308
817d9f57 309static SSL_CTX *server_ctx = NULL;
817d9f57 310static SSL *server_ssl = NULL;
389ca47a 311
35731706 312#ifdef EXIM_HAVE_OPENSSL_TLSEXT
817d9f57 313static SSL_CTX *server_sni = NULL;
35731706 314#endif
059ec3d9
PH		 315
316static char ssl_errstring[256];
317
dea4b568 318static int ssl_session_timeout = 7200; /* Two hours */
a2ff477a
JH		 319static BOOL client_verify_optional = FALSE;
320static BOOL server_verify_optional = FALSE;
059ec3d9 321
f5d78688 322static BOOL reexpand_tls_files_for_sni = FALSE;
059ec3d9
PH		 323
324
7be682ca 325typedef struct tls_ext_ctx_cb {
b10c87b3 326 tls_support * tlsp;
7be682ca
PP		 327 uschar *certificate;
328 uschar *privatekey;
f5d78688 329 BOOL is_server;
a6510420 330#ifndef DISABLE_OCSP
c3033f13 331 STACK_OF(X509) *verify_stack; /* chain for verifying the proof */
f5d78688
JH		 332 union {
333 struct {
334 uschar *file;
335 uschar *file_expanded;
336 OCSP_RESPONSE *response;
337 } server;
338 struct {
44662487
JH		 339 X509_STORE *verify_store; /* non-null if status requested */
340 BOOL verify_required;
f5d78688
JH		 341 } client;
342 } u_ocsp;
3f7eeb86 343#endif
7be682ca
PP		 344 uschar *dhparam;
345 /* these are cached from first expand */
346 uschar *server_cipher_list;
347 /* only passed down to tls_error: */
348 host_item *host;
55414b25 349 const uschar * verify_cert_hostnames;
0cbf2b82 350#ifndef DISABLE_EVENT
a7538db1
JH		 351 uschar * event_action;
352#endif
7be682ca
PP		 353} tls_ext_ctx_cb;
354
355/* should figure out a cleanup of API to handle state preserved per
356implementation, for various reasons, which can be void * in the APIs.
357For now, we hack around it. */
b10c87b3 358tls_ext_ctx_cb *client_static_cbinfo = NULL; /*XXX should not use static; multiple concurrent clients! */
817d9f57 359tls_ext_ctx_cb *server_static_cbinfo = NULL;
7be682ca
PP		 360
361static int
983207c1 362setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
cf0c6164 363 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr );
059ec3d9 364
3f7eeb86 365/* Callbacks */
3bcbbbe2 366#ifdef EXIM_HAVE_OPENSSL_TLSEXT
3f7eeb86 367static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
3bcbbbe2 368#endif
f2de3a33 369#ifndef DISABLE_OCSP
f5d78688 370static int tls_server_stapling_cb(SSL *s, void *arg);
3f7eeb86
PP		 371#endif
372
059ec3d9 373
b10c87b3 374
4d93129f 375/* Daemon-called, before every connection, key create/rotate */
b10c87b3
JH		 376#ifdef EXPERIMENTAL_TLS_RESUME
377static void tk_init(void);
378static int tls_exdata_idx = -1;
379#endif
380
381void
382tls_daemon_init(void)
383{
384#ifdef EXPERIMENTAL_TLS_RESUME
385tk_init();
386#endif
387return;
388}
389
390
059ec3d9
PH		 391/*************************************************
392* Handle TLS error *
393*************************************************/
394
395/* Called from lots of places when errors occur before actually starting to do
396the TLS handshake, that is, while the session is still in clear. Always returns
397DEFER for a server and FAIL for a client so that most calls can use "return
398tls_error(...)" to do this processing and then give an appropriate return. A
399single function is used for both server and client, because it is called from
400some shared functions.
401
402Argument:
403 prefix text to include in the logged error
404 host NULL if setting up a server;
405 the connected host if setting up a client
7199e1ee 406 msg error message or NULL if we should ask OpenSSL
cf0c6164 407 errstr pointer to output error message
059ec3d9
PH		 408
409Returns: OK/DEFER/FAIL
410*/
411
412static int
cf0c6164 413tls_error(uschar * prefix, const host_item * host, uschar * msg, uschar ** errstr)
059ec3d9 414{
c562fd30 415if (!msg)
7199e1ee 416 {
0abc5a13 417 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
cf0c6164 418 msg = US ssl_errstring;
7199e1ee
TF		 419 }
420
5a2a0989
JH		 421msg = string_sprintf("(%s): %s", prefix, msg);
422DEBUG(D_tls) debug_printf("TLS error '%s'\n", msg);
423if (errstr) *errstr = msg;
cf0c6164 424return host ? FAIL : DEFER;
059ec3d9
PH		 425}
426
427
428
429/*************************************************
430* Callback to generate RSA key *
431*************************************************/
432
433/*
434Arguments:
3ae79556 435 s SSL connection (not used)
059ec3d9
PH		 436 export not used
437 keylength keylength
438
439Returns: pointer to generated key
440*/
441
442static RSA *
443rsa_callback(SSL *s, int export, int keylength)
444{
445RSA *rsa_key;
c8dfb21d
JH		 446#ifdef EXIM_HAVE_RSA_GENKEY_EX
447BIGNUM *bn = BN_new();
448#endif
449
059ec3d9
PH		 450export = export; /* Shut picky compilers up */
451DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
c8dfb21d
JH		 452
453#ifdef EXIM_HAVE_RSA_GENKEY_EX
454if ( !BN_set_word(bn, (unsigned long)RSA_F4)
f2cb6292 455 || !(rsa_key = RSA_new())
c8dfb21d
JH		 456 || !RSA_generate_key_ex(rsa_key, keylength, bn, NULL)
457 )
458#else
23bb6982 459if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL)))
c8dfb21d
JH		 460#endif
461
059ec3d9 462 {
0abc5a13 463 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
059ec3d9
PH		 464 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
465 ssl_errstring);
466 return NULL;
467 }
468return rsa_key;
469}
470
471
472
f5d78688 473/* Extreme debug
f2de3a33 474#ifndef DISABLE_OCSP
f5d78688
JH		 475void
476x509_store_dump_cert_s_names(X509_STORE * store)
477{
478STACK_OF(X509_OBJECT) * roots= store->objs;
f5d78688
JH		 479static uschar name[256];
480
d7978c0f 481for (int i= 0; i < sk_X509_OBJECT_num(roots); i++)
f5d78688
JH		 482 {
483 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
484 if(tmp_obj->type == X509_LU_X509)
485 {
70e384dd
JH		 486 X509_NAME * sn = X509_get_subject_name(tmp_obj->data.x509);
487 if (X509_NAME_oneline(sn, CS name, sizeof(name)))
488 {
489 name[sizeof(name)-1] = '\0';
490 debug_printf(" %s\n", name);
491 }
f5d78688
JH		 492 }
493 }
494}
495#endif
496*/
497
059ec3d9 498
0cbf2b82 499#ifndef DISABLE_EVENT
f69979cf
JH		 500static int
501verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
502 BOOL *calledp, const BOOL *optionalp, const uschar * what)
503{
504uschar * ev;
505uschar * yield;
506X509 * old_cert;
507
508ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
509if (ev)
510 {
aaba7d03 511 DEBUG(D_tls) debug_printf("verify_event: %s %d\n", what, depth);
f69979cf
JH		 512 old_cert = tlsp->peercert;
513 tlsp->peercert = X509_dup(cert);
514 /* NB we do not bother setting peerdn */
515 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
516 {
517 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
518 "depth=%d cert=%s: %s",
519 tlsp == &tls_out ? deliver_host_address : sender_host_address,
520 what, depth, dn, yield);
521 *calledp = TRUE;
522 if (!*optionalp)
523 {
524 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
525 return 1; /* reject (leaving peercert set) */
526 }
527 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
528 "(host in tls_try_verify_hosts)\n");
4a1bd6b9 529 tlsp->verify_override = TRUE;
f69979cf
JH		 530 }
531 X509_free(tlsp->peercert);
532 tlsp->peercert = old_cert;
533 }
534return 0;
535}
536#endif
537
059ec3d9
PH		 538/*************************************************
539* Callback for verification *
540*************************************************/
541
542/* The SSL library does certificate verification if set up to do so. This
543callback has the current yes/no state is in "state". If verification succeeded,
f69979cf
JH		 544we set the certificate-verified flag. If verification failed, what happens
545depends on whether the client is required to present a verifiable certificate
546or not.
059ec3d9
PH		 547
548If verification is optional, we change the state to yes, but still log the
549verification error. For some reason (it really would help to have proper
550documentation of OpenSSL), this callback function then gets called again, this
f69979cf
JH		 551time with state = 1. We must take care not to set the private verified flag on
552the second time through.
059ec3d9
PH		 553
554Note: this function is not called if the client fails to present a certificate
555when asked. We get here only if a certificate has been received. Handling of
556optional verification for this case is done when requesting SSL to verify, by
557setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
558
a7538db1
JH		 559May be called multiple times for different issues with a certificate, even
560for a given "depth" in the certificate chain.
561
059ec3d9 562Arguments:
f2f2c91b
JH		 563 preverify_ok current yes/no state as 1/0
564 x509ctx certificate information.
565 tlsp per-direction (client vs. server) support data
566 calledp has-been-called flag
567 optionalp verification-is-optional flag
059ec3d9 568
f2f2c91b 569Returns: 0 if verification should fail, otherwise 1
059ec3d9
PH		 570*/
571
572static int
70e384dd
JH		 573verify_callback(int preverify_ok, X509_STORE_CTX * x509ctx,
574 tls_support * tlsp, BOOL * calledp, BOOL * optionalp)
059ec3d9 575{
421aff85 576X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
a7538db1 577int depth = X509_STORE_CTX_get_error_depth(x509ctx);
f69979cf 578uschar dn[256];
059ec3d9 579
70e384dd
JH		 580if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
581 {
582 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
583 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
584 tlsp == &tls_out ? deliver_host_address : sender_host_address);
585 return 0;
586 }
f69979cf 587dn[sizeof(dn)-1] = '\0';
059ec3d9 588
f2f2c91b 589if (preverify_ok == 0)
059ec3d9 590 {
f77197ae
JH		 591 uschar * extra = verify_mode ? string_sprintf(" (during %c-verify for [%s])",
592 *verify_mode, sender_host_address)
593 : US"";
594 log_write(0, LOG_MAIN, "[%s] SSL verify error%s: depth=%d error=%s cert=%s",
595 tlsp == &tls_out ? deliver_host_address : sender_host_address,
596 extra, depth,
597 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)), dn);
a2ff477a 598 *calledp = TRUE;
9d1c15ef
JH		 599 if (!*optionalp)
600 {
f69979cf
JH		 601 if (!tlsp->peercert)
602 tlsp->peercert = X509_dup(cert); /* record failing cert */
603 return 0; /* reject */
9d1c15ef 604 }
059ec3d9
PH		 605 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
606 "tls_try_verify_hosts)\n");
4a1bd6b9 607 tlsp->verify_override = TRUE;
059ec3d9
PH		 608 }
609
a7538db1 610else if (depth != 0)
059ec3d9 611 {
f69979cf 612 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
f2de3a33 613#ifndef DISABLE_OCSP
f5d78688
JH		 614 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
615 { /* client, wanting stapling */
616 /* Add the server cert's signing chain as the one
617 for the verification of the OCSP stapled information. */
94431adb 618
f5d78688 619 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
421aff85 620 cert))
f5d78688 621 ERR_clear_error();
c3033f13 622 sk_X509_push(client_static_cbinfo->verify_stack, cert);
f5d78688 623 }
a7538db1 624#endif
0cbf2b82 625#ifndef DISABLE_EVENT
f69979cf
JH		 626 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
627 return 0; /* reject, with peercert set */
f5d78688 628#endif
059ec3d9
PH		 629 }
630else
631 {
55414b25 632 const uschar * verify_cert_hostnames;
e51c7be2 633
e51c7be2
JH		 634 if ( tlsp == &tls_out
635 && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
afdb5e9c 636 /* client, wanting hostname check */
e51c7be2 637 {
f69979cf 638
740f36d4 639#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
f69979cf
JH		 640# ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
641# define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
642# endif
643# ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
644# define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
645# endif
e51c7be2 646 int sep = 0;
55414b25 647 const uschar * list = verify_cert_hostnames;
e51c7be2 648 uschar * name;
d8e7834a
JH		 649 int rc;
650 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
f40d5be3 651 if ((rc = X509_check_host(cert, CCS name, 0,
8d692470 652 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
740f36d4
JH		 653 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
654 NULL)))
d8e7834a
JH		 655 {
656 if (rc < 0)
657 {
93a6fce2 658 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
f77197ae 659 tlsp == &tls_out ? deliver_host_address : sender_host_address);
d8e7834a
JH		 660 name = NULL;
661 }
e51c7be2 662 break;
d8e7834a 663 }
e51c7be2 664 if (!name)
f69979cf 665#else
e51c7be2 666 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
f69979cf 667#endif
e51c7be2 668 {
f77197ae
JH		 669 uschar * extra = verify_mode
670 ? string_sprintf(" (during %c-verify for [%s])",
671 *verify_mode, sender_host_address)
672 : US"";
e51c7be2 673 log_write(0, LOG_MAIN,
f77197ae
JH		 674 "[%s] SSL verify error%s: certificate name mismatch: DN=\"%s\" H=\"%s\"",
675 tlsp == &tls_out ? deliver_host_address : sender_host_address,
676 extra, dn, verify_cert_hostnames);
a3ef7310
JH		 677 *calledp = TRUE;
678 if (!*optionalp)
f69979cf
JH		 679 {
680 if (!tlsp->peercert)
681 tlsp->peercert = X509_dup(cert); /* record failing cert */
682 return 0; /* reject */
683 }
4a1bd6b9 684 DEBUG(D_tls) debug_printf("SSL verify name failure overridden (host in "
a3ef7310 685 "tls_try_verify_hosts)\n");
4a1bd6b9 686 tlsp->verify_override = TRUE;
e51c7be2 687 }
f69979cf 688 }
e51c7be2 689
0cbf2b82 690#ifndef DISABLE_EVENT
f69979cf
JH		 691 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
692 return 0; /* reject, with peercert set */
e51c7be2
JH		 693#endif
694
93dcb1c2 695 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
f69979cf 696 *calledp ? "" : " authenticated", dn);
93dcb1c2 697 *calledp = TRUE;
059ec3d9
PH		 698 }
699
a7538db1 700return 1; /* accept, at least for this level */
059ec3d9
PH		 701}
702
a2ff477a 703static int
f2f2c91b 704verify_callback_client(int preverify_ok, X509_STORE_CTX *x509ctx)
a2ff477a 705{
f2f2c91b
JH		 706return verify_callback(preverify_ok, x509ctx, &tls_out,
707 &client_verify_callback_called, &client_verify_optional);
a2ff477a
JH		 708}
709
710static int
f2f2c91b 711verify_callback_server(int preverify_ok, X509_STORE_CTX *x509ctx)
a2ff477a 712{
f2f2c91b
JH		 713return verify_callback(preverify_ok, x509ctx, &tls_in,
714 &server_verify_callback_called, &server_verify_optional);
a2ff477a
JH		 715}
716
059ec3d9 717
c0635b6d 718#ifdef SUPPORT_DANE
53a7196b 719
e5cccda9
JH		 720/* This gets called *by* the dane library verify callback, which interposes
721itself.
722*/
723static int
f2f2c91b 724verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
e5cccda9
JH		 725{
726X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
f69979cf 727uschar dn[256];
83b27293 728int depth = X509_STORE_CTX_get_error_depth(x509ctx);
5c75db2e 729#ifndef DISABLE_EVENT
f69979cf 730BOOL dummy_called, optional = FALSE;
83b27293 731#endif
e5cccda9 732
70e384dd
JH		 733if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
734 {
735 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
736 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
737 deliver_host_address);
738 return 0;
739 }
f69979cf 740dn[sizeof(dn)-1] = '\0';
e5cccda9 741
f2f2c91b
JH		 742DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
743 preverify_ok ? "ok":"BAD", depth, dn);
e5cccda9 744
0cbf2b82 745#ifndef DISABLE_EVENT
f69979cf
JH		 746 if (verify_event(&tls_out, cert, depth, dn,
747 &dummy_called, &optional, US"DANE"))
748 return 0; /* reject, with peercert set */
83b27293
JH		 749#endif
750
f2f2c91b 751if (preverify_ok == 1)
6fbf3599 752 {
4a1bd6b9 753 tls_out.dane_verified = TRUE;
6fbf3599
JH		 754#ifndef DISABLE_OCSP
755 if (client_static_cbinfo->u_ocsp.client.verify_store)
756 { /* client, wanting stapling */
757 /* Add the server cert's signing chain as the one
758 for the verification of the OCSP stapled information. */
759
760 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
761 cert))
762 ERR_clear_error();
763 sk_X509_push(client_static_cbinfo->verify_stack, cert);
764 }
765#endif
766 }
f2f2c91b
JH		 767else
768 {
769 int err = X509_STORE_CTX_get_error(x509ctx);
770 DEBUG(D_tls)
771 debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
3c51463e 772 if (err == X509_V_ERR_APPLICATION_VERIFICATION)
f2f2c91b
JH		 773 preverify_ok = 1;
774 }
775return preverify_ok;
e5cccda9 776}
53a7196b 777
c0635b6d 778#endif /*SUPPORT_DANE*/
e5cccda9 779
059ec3d9
PH		 780
781/*************************************************
782* Information callback *
783*************************************************/
784
785/* The SSL library functions call this from time to time to indicate what they
7be682ca
PP		 786are doing. We copy the string to the debugging output when TLS debugging has
787been requested.
059ec3d9
PH		 788
789Arguments:
790 s the SSL connection
791 where
792 ret
793
794Returns: nothing
795*/
796
797static void
798info_callback(SSL *s, int where, int ret)
799{
0abc5a13
JH		 800DEBUG(D_tls)
801 {
802 const uschar * str;
803
804 if (where & SSL_ST_CONNECT)
48224640 805 str = US"SSL_connect";
0abc5a13 806 else if (where & SSL_ST_ACCEPT)
48224640 807 str = US"SSL_accept";
0abc5a13 808 else
48224640 809 str = US"SSL info (undefined)";
0abc5a13
JH		 810
811 if (where & SSL_CB_LOOP)
812 debug_printf("%s: %s\n", str, SSL_state_string_long(s));
813 else if (where & SSL_CB_ALERT)
814 debug_printf("SSL3 alert %s:%s:%s\n",
48224640 815 str = where & SSL_CB_READ ? US"read" : US"write",
0abc5a13
JH		 816 SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
817 else if (where & SSL_CB_EXIT)
818 if (ret == 0)
819 debug_printf("%s: failed in %s\n", str, SSL_state_string_long(s));
820 else if (ret < 0)
821 debug_printf("%s: error in %s\n", str, SSL_state_string_long(s));
822 else if (where & SSL_CB_HANDSHAKE_START)
823 debug_printf("%s: hshake start: %s\n", str, SSL_state_string_long(s));
824 else if (where & SSL_CB_HANDSHAKE_DONE)
825 debug_printf("%s: hshake done: %s\n", str, SSL_state_string_long(s));
826 }
059ec3d9
PH		 827}
828
8238bc7b 829#ifdef OPENSSL_HAVE_KEYLOG_CB
8a40db1c
JH		 830static void
831keylog_callback(const SSL *ssl, const char *line)
832{
833DEBUG(D_tls) debug_printf("%.200s\n", line);
834}
8238bc7b 835#endif
8a40db1c 836
059ec3d9 837
b10c87b3
JH		 838#ifdef EXPERIMENTAL_TLS_RESUME
839/* Manage the keysets used for encrypting the session tickets, on the server. */
840
841typedef struct { /* Session ticket encryption key */
842 uschar name[16];
843
844 const EVP_CIPHER * aes_cipher;
4d93129f 845 uschar aes_key[32]; /* size needed depends on cipher. aes_128 implies 128/8 = 16? */
b10c87b3
JH		 846 const EVP_MD * hmac_hash;
847 uschar hmac_key[16];
848 time_t renew;
849 time_t expire;
850} exim_stek;
851
4d93129f
JH		 852static exim_stek exim_tk; /* current key */
853static exim_stek exim_tk_old; /* previous key */
b10c87b3
JH		 854
855static void
856tk_init(void)
857{
4d93129f
JH		 858time_t t = time(NULL);
859
b10c87b3
JH		 860if (exim_tk.name[0])
861 {
4d93129f 862 if (exim_tk.renew >= t) return;
b10c87b3
JH		 863 exim_tk_old = exim_tk;
864 }
865
866if (f.running_in_test_harness) ssl_session_timeout = 6;
867
868DEBUG(D_tls) debug_printf("OpenSSL: %s STEK\n", exim_tk.name[0] ? "rotating" : "creating");
869if (RAND_bytes(exim_tk.aes_key, sizeof(exim_tk.aes_key)) <= 0) return;
870if (RAND_bytes(exim_tk.hmac_key, sizeof(exim_tk.hmac_key)) <= 0) return;
871if (RAND_bytes(exim_tk.name+1, sizeof(exim_tk.name)-1) <= 0) return;
872
873exim_tk.name[0] = 'E';
4d93129f 874exim_tk.aes_cipher = EVP_aes_256_cbc();
b10c87b3 875exim_tk.hmac_hash = EVP_sha256();
4d93129f
JH		 876exim_tk.expire = t + ssl_session_timeout;
877exim_tk.renew = t + ssl_session_timeout/2;
b10c87b3
JH		 878}
879
880static exim_stek *
881tk_current(void)
882{
883if (!exim_tk.name[0]) return NULL;
884return &exim_tk;
885}
886
887static exim_stek *
888tk_find(const uschar * name)
889{
890return memcmp(name, exim_tk.name, sizeof(exim_tk.name)) == 0 ? &exim_tk
891 : memcmp(name, exim_tk_old.name, sizeof(exim_tk_old.name)) == 0 ? &exim_tk_old
892 : NULL;
893}
894
895/* Callback for session tickets, on server */
896static int
897ticket_key_callback(SSL * ssl, uschar key_name[16],
898 uschar * iv, EVP_CIPHER_CTX * ctx, HMAC_CTX * hctx, int enc)
899{
900tls_support * tlsp = server_static_cbinfo->tlsp;
901exim_stek * key;
902
903if (enc)
904 {
905 DEBUG(D_tls) debug_printf("ticket_key_callback: create new session\n");
906 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
907
908 if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) <= 0)
909 return -1; /* insufficient random */
910
911 if (!(key = tk_current())) /* current key doesn't exist or isn't valid */
912 return 0; /* key couldn't be created */
913 memcpy(key_name, key->name, 16);
914 DEBUG(D_tls) debug_printf("STEK expire %ld\n", key->expire - time(NULL));
915
916 /*XXX will want these dependent on the ssl session strength */
917 HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
918 key->hmac_hash, NULL);
919 EVP_EncryptInit_ex(ctx, key->aes_cipher, NULL, key->aes_key, iv);
920
921 DEBUG(D_tls) debug_printf("ticket created\n");
922 return 1;
923 }
924else
925 {
926 time_t now = time(NULL);
927
928 DEBUG(D_tls) debug_printf("ticket_key_callback: retrieve session\n");
929 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
930
931 if (!(key = tk_find(key_name)) || key->expire < now)
932 {
933 DEBUG(D_tls)
934 {
935 debug_printf("ticket not usable (%s)\n", key ? "expired" : "not found");
936 if (key) debug_printf("STEK expire %ld\n", key->expire - now);
937 }
938 return 0;
939 }
940
941 HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
942 key->hmac_hash, NULL);
943 EVP_DecryptInit_ex(ctx, key->aes_cipher, NULL, key->aes_key, iv);
944
945 DEBUG(D_tls) debug_printf("ticket usable, STEK expire %ld\n", key->expire - now);
dea4b568
JH		 946
947 /* The ticket lifetime and renewal are the same as the STEK lifetime and
948 renewal, which is overenthusiastic. A factor of, say, 3x longer STEK would
949 be better. To do that we'd have to encode ticket lifetime in the name as
950 we don't yet see the restored session. Could check posthandshake for TLS1.3
951 and trigger a new ticket then, but cannot do that for TLS1.2 */
b10c87b3
JH		 952 return key->renew < now ? 2 : 1;
953 }
954}
955#endif
956
957
059ec3d9
PH		 958
959/*************************************************
960* Initialize for DH *
961*************************************************/
962
963/* If dhparam is set, expand it, and load up the parameters for DH encryption.
964
965Arguments:
038597d2 966 sctx The current SSL CTX (inbound or outbound)
a799883d 967 dhparam DH parameter file or fixed parameter identity string
7199e1ee 968 host connected host, if client; NULL if server
cf0c6164 969 errstr error string pointer
059ec3d9
PH		 970
971Returns: TRUE if OK (nothing to set up, or setup worked)
972*/
973
974static BOOL
cf0c6164 975init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host, uschar ** errstr)
059ec3d9 976{
059ec3d9
PH		 977BIO *bio;
978DH *dh;
979uschar *dhexpanded;
a799883d 980const char *pem;
6600985a 981int dh_bitsize;
059ec3d9 982
cf0c6164 983if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded, errstr))
059ec3d9
PH		 984 return FALSE;
985
0df4ab80 986if (!dhexpanded || !*dhexpanded)
a799883d 987 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
a799883d 988else if (dhexpanded[0] == '/')
059ec3d9 989 {
0df4ab80 990 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
059ec3d9 991 {
7199e1ee 992 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
cf0c6164 993 host, US strerror(errno), errstr);
a799883d 994 return FALSE;
059ec3d9 995 }
a799883d
PP		 996 }
997else
998 {
999 if (Ustrcmp(dhexpanded, "none") == 0)
059ec3d9 1000 {
a799883d
PP		 1001 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
1002 return TRUE;
059ec3d9 1003 }
a799883d 1004
0df4ab80 1005 if (!(pem = std_dh_prime_named(dhexpanded)))
a799883d
PP		 1006 {
1007 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
cf0c6164 1008 host, US strerror(errno), errstr);
a799883d
PP		 1009 return FALSE;
1010 }
1011 bio = BIO_new_mem_buf(CS pem, -1);
1012 }
1013
0df4ab80 1014if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
a799883d 1015 {
059ec3d9 1016 BIO_free(bio);
a799883d 1017 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
cf0c6164 1018 host, NULL, errstr);
a799883d
PP		 1019 return FALSE;
1020 }
1021
6600985a
PP		 1022/* note: our default limit of 2236 is not a multiple of 8; the limit comes from
1023 * an NSS limit, and the GnuTLS APIs handle bit-sizes fine, so we went with
1024 * 2236. But older OpenSSL can only report in bytes (octets), not bits.
1025 * If someone wants to dance at the edge, then they can raise the limit or use
1026 * current libraries. */
1027#ifdef EXIM_HAVE_OPENSSL_DH_BITS
1028/* Added in commit 26c79d5641d; `git describe --contains` says OpenSSL_1_1_0-pre1~1022
1029 * This predates OpenSSL_1_1_0 (before a, b, ...) so is in all 1.1.0 */
1030dh_bitsize = DH_bits(dh);
1031#else
1032dh_bitsize = 8 * DH_size(dh);
1033#endif
1034
a799883d
PP		 1035/* Even if it is larger, we silently return success rather than cause things
1036 * to fail out, so that a too-large DH will not knock out all TLS; it's a
1037 * debatable choice. */
6600985a 1038if (dh_bitsize > tls_dh_max_bits)
a799883d
PP		 1039 {
1040 DEBUG(D_tls)
170f4904 1041 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d\n",
6600985a 1042 dh_bitsize, tls_dh_max_bits);
a799883d
PP		 1043 }
1044else
1045 {
1046 SSL_CTX_set_tmp_dh(sctx, dh);
1047 DEBUG(D_tls)
1048 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
6600985a 1049 dhexpanded ? dhexpanded : US"default", dh_bitsize);
059ec3d9
PH		 1050 }
1051
a799883d
PP		 1052DH_free(dh);
1053BIO_free(bio);
1054
1055return TRUE;
059ec3d9
PH		 1056}
1057
1058
1059
1060
038597d2
PP		 1061/*************************************************
1062* Initialize for ECDH *
1063*************************************************/
1064
1065/* Load parameters for ECDH encryption.
1066
1067For now, we stick to NIST P-256 because: it's simple and easy to configure;
1068it avoids any patent issues that might bite redistributors; despite events in
1069the news and concerns over curve choices, we're not cryptographers, we're not
1070pretending to be, and this is "good enough" to be better than no support,
1071protecting against most adversaries. Given another year or two, there might
1072be sufficient clarity about a "right" way forward to let us make an informed
1073decision, instead of a knee-jerk reaction.
1074
1075Longer-term, we should look at supporting both various named curves and
1076external files generated with "openssl ecparam", much as we do for init_dh().
1077We should also support "none" as a value, to explicitly avoid initialisation.
1078
1079Patches welcome.
1080
1081Arguments:
1082 sctx The current SSL CTX (inbound or outbound)
1083 host connected host, if client; NULL if server
cf0c6164 1084 errstr error string pointer
038597d2
PP		 1085
1086Returns: TRUE if OK (nothing to set up, or setup worked)
1087*/
1088
1089static BOOL
cf0c6164 1090init_ecdh(SSL_CTX * sctx, host_item * host, uschar ** errstr)
038597d2 1091{
63f0dbe0
JH		 1092#ifdef OPENSSL_NO_ECDH
1093return TRUE;
1094#else
1095
10ca4f1c
JH		 1096EC_KEY * ecdh;
1097uschar * exp_curve;
1098int nid;
1099BOOL rv;
1100
038597d2
PP		 1101if (host) /* No ECDH setup for clients, only for servers */
1102 return TRUE;
1103
10ca4f1c 1104# ifndef EXIM_HAVE_ECDH
038597d2
PP		 1105DEBUG(D_tls)
1106 debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
1107return TRUE;
038597d2 1108# else
10ca4f1c 1109
cf0c6164 1110if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr))
10ca4f1c
JH		 1111 return FALSE;
1112if (!exp_curve || !*exp_curve)
1113 return TRUE;
1114
8e53a4fc 1115/* "auto" needs to be handled carefully.
4c04137d 1116 * OpenSSL < 1.0.2: we do not select anything, but fallback to prime256v1
8e53a4fc 1117 * OpenSSL < 1.1.0: we have to call SSL_CTX_set_ecdh_auto
4c04137d 1118 * (openssl/ssl.h defines SSL_CTRL_SET_ECDH_AUTO)
8e53a4fc
HSHR		 1119 * OpenSSL >= 1.1.0: we do not set anything, the libray does autoselection
1120 * https://github.com/openssl/openssl/commit/fe6ef2472db933f01b59cad82aa925736935984b
1121 */
10ca4f1c 1122if (Ustrcmp(exp_curve, "auto") == 0)
038597d2 1123 {
8e53a4fc 1124#if OPENSSL_VERSION_NUMBER < 0x10002000L
10ca4f1c 1125 DEBUG(D_tls) debug_printf(
8e53a4fc 1126 "ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n");
78a3bbd5 1127 exp_curve = US"prime256v1";
8e53a4fc
HSHR		 1128#else
1129# if defined SSL_CTRL_SET_ECDH_AUTO
1130 DEBUG(D_tls) debug_printf(
1131 "ECDH OpenSSL 1.0.2+ temp key parameter settings: autoselection\n");
10ca4f1c
JH		 1132 SSL_CTX_set_ecdh_auto(sctx, 1);
1133 return TRUE;
8e53a4fc
HSHR		 1134# else
1135 DEBUG(D_tls) debug_printf(
1136 "ECDH OpenSSL 1.1.0+ temp key parameter settings: default selection\n");
1137 return TRUE;
1138# endif
1139#endif
10ca4f1c 1140 }
038597d2 1141
10ca4f1c
JH		 1142DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve);
1143if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef
1144# ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
1145 && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef
1146# endif
1147 )
1148 {
cf0c6164
JH		 1149 tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve),
1150 host, NULL, errstr);
10ca4f1c
JH		 1151 return FALSE;
1152 }
038597d2 1153
10ca4f1c
JH		 1154if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
1155 {
cf0c6164 1156 tls_error(US"Unable to create ec curve", host, NULL, errstr);
10ca4f1c 1157 return FALSE;
038597d2 1158 }
10ca4f1c
JH		 1159
1160/* The "tmp" in the name here refers to setting a temporary key
1161not to the stability of the interface. */
1162
1163if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
cf0c6164 1164 tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL, errstr);
10ca4f1c
JH		 1165else
1166 DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
1167
1168EC_KEY_free(ecdh);
1169return !rv;
1170
1171# endif /*EXIM_HAVE_ECDH*/
1172#endif /*OPENSSL_NO_ECDH*/
038597d2
PP		 1173}
1174
1175
1176
1177
f2de3a33 1178#ifndef DISABLE_OCSP
3f7eeb86
PP		 1179/*************************************************
1180* Load OCSP information into state *
1181*************************************************/
f5d78688 1182/* Called to load the server OCSP response from the given file into memory, once
3f7eeb86
PP		 1183caller has determined this is needed. Checks validity. Debugs a message
1184if invalid.
1185
1186ASSUMES: single response, for single cert.
1187
1188Arguments:
1189 sctx the SSL_CTX* to update
1190 cbinfo various parts of session state
1191 expanded the filename putatively holding an OCSP response
1192
1193*/
1194
1195static void
f5d78688 1196ocsp_load_response(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo, const uschar *expanded)
3f7eeb86 1197{
ee5b1e28
JH		 1198BIO * bio;
1199OCSP_RESPONSE * resp;
1200OCSP_BASICRESP * basic_response;
1201OCSP_SINGLERESP * single_response;
1202ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
ee5b1e28 1203STACK_OF(X509) * sk;
3f7eeb86
PP		 1204unsigned long verify_flags;
1205int status, reason, i;
1206
f5d78688
JH		 1207cbinfo->u_ocsp.server.file_expanded = string_copy(expanded);
1208if (cbinfo->u_ocsp.server.response)
3f7eeb86 1209 {
f5d78688
JH		 1210 OCSP_RESPONSE_free(cbinfo->u_ocsp.server.response);
1211 cbinfo->u_ocsp.server.response = NULL;
3f7eeb86
PP		 1212 }
1213
ee5b1e28 1214if (!(bio = BIO_new_file(CS cbinfo->u_ocsp.server.file_expanded, "rb")))
3f7eeb86
PP		 1215 {
1216 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
f5d78688 1217 cbinfo->u_ocsp.server.file_expanded);
3f7eeb86
PP		 1218 return;
1219 }
1220
1221resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
1222BIO_free(bio);
1223if (!resp)
1224 {
1225 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
1226 return;
1227 }
1228
ee5b1e28 1229if ((status = OCSP_response_status(resp)) != OCSP_RESPONSE_STATUS_SUCCESSFUL)
3f7eeb86
PP		 1230 {
1231 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
1232 OCSP_response_status_str(status), status);
f5d78688 1233 goto bad;
3f7eeb86
PP		 1234 }
1235
ee5b1e28 1236if (!(basic_response = OCSP_response_get1_basic(resp)))
3f7eeb86
PP		 1237 {
1238 DEBUG(D_tls)
1239 debug_printf("OCSP response parse error: unable to extract basic response.\n");
f5d78688 1240 goto bad;
3f7eeb86
PP		 1241 }
1242
c3033f13 1243sk = cbinfo->verify_stack;
3f7eeb86
PP		 1244verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
1245
1246/* May need to expose ability to adjust those flags?
1247OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
1248OCSP_TRUSTOTHER OCSP_NOINTERN */
1249
4c04137d 1250/* This does a full verify on the OCSP proof before we load it for serving
ee5b1e28
JH		 1251up; possibly overkill - just date-checks might be nice enough.
1252
1253OCSP_basic_verify takes a "store" arg, but does not
1254use it for the chain verification, which is all we do
1255when OCSP_NOVERIFY is set. The content from the wire
1256"basic_response" and a cert-stack "sk" are all that is used.
1257
c3033f13
JH		 1258We have a stack, loaded in setup_certs() if tls_verify_certificates
1259was a file (not a directory, or "system"). It is unfortunate we
1260cannot used the connection context store, as that would neatly
1261handle the "system" case too, but there seems to be no library
1262function for getting a stack from a store.
e3555426 1263[ In OpenSSL 1.1 - ? X509_STORE_CTX_get0_chain(ctx) ? ]
c3033f13
JH		 1264We do not free the stack since it could be needed a second time for
1265SNI handling.
1266
4c04137d 1267Separately we might try to replace using OCSP_basic_verify() - which seems to not
5ec37a55 1268be a public interface into the OpenSSL library (there's no manual entry) -
ee5b1e28 1269But what with? We also use OCSP_basic_verify in the client stapling callback.
4c04137d 1270And there we NEED it; we must verify that status... unless the
ee5b1e28
JH		 1271library does it for us anyway? */
1272
1273if ((i = OCSP_basic_verify(basic_response, sk, NULL, verify_flags)) < 0)
3f7eeb86 1274 {
ee5b1e28
JH		 1275 DEBUG(D_tls)
1276 {
0abc5a13 1277 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3f7eeb86 1278 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
f5d78688
JH		 1279 }
1280 goto bad;
3f7eeb86
PP		 1281 }
1282
1283/* Here's the simplifying assumption: there's only one response, for the
1284one certificate we use, and nothing for anything else in a chain. If this
1285proves false, we need to extract a cert id from our issued cert
1286(tls_certificate) and use that for OCSP_resp_find_status() (which finds the
1287right cert in the stack and then calls OCSP_single_get0_status()).
1288
1289I'm hoping to avoid reworking a bunch more of how we handle state here. */
ee5b1e28
JH		 1290
1291if (!(single_response = OCSP_resp_get0(basic_response, 0)))
3f7eeb86
PP		 1292 {
1293 DEBUG(D_tls)
1294 debug_printf("Unable to get first response from OCSP basic response.\n");
f5d78688 1295 goto bad;
3f7eeb86
PP		 1296 }
1297
1298status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
f5d78688 1299if (status != V_OCSP_CERTSTATUS_GOOD)
3f7eeb86 1300 {
f5d78688
JH		 1301 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
1302 OCSP_cert_status_str(status), status,
1303 OCSP_crl_reason_str(reason), reason);
1304 goto bad;
3f7eeb86
PP		 1305 }
1306
1307if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1308 {
1309 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
f5d78688 1310 goto bad;
3f7eeb86
PP		 1311 }
1312
f5d78688 1313supply_response:
47195144 1314 cbinfo->u_ocsp.server.response = resp; /*XXX stack?*/
f5d78688
JH		 1315return;
1316
1317bad:
8768d548 1318 if (f.running_in_test_harness)
018058b2
JH		 1319 {
1320 extern char ** environ;
d7978c0f 1321 if (environ) for (uschar ** p = USS environ; *p; p++)
018058b2
JH		 1322 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
1323 {
1324 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
1325 goto supply_response;
1326 }
1327 }
f5d78688 1328return;
3f7eeb86 1329}
f2de3a33 1330#endif /*!DISABLE_OCSP*/
3f7eeb86
PP		 1331
1332
1333
1334
23bb6982
JH		 1335/* Create and install a selfsigned certificate, for use in server mode */
1336
1337static int
cf0c6164 1338tls_install_selfsign(SSL_CTX * sctx, uschar ** errstr)
23bb6982
JH		 1339{
1340X509 * x509 = NULL;
1341EVP_PKEY * pkey;
1342RSA * rsa;
1343X509_NAME * name;
1344uschar * where;
1345
1346where = US"allocating pkey";
1347if (!(pkey = EVP_PKEY_new()))
1348 goto err;
1349
1350where = US"allocating cert";
1351if (!(x509 = X509_new()))
1352 goto err;
1353
1354where = US"generating pkey";
6aac3239 1355if (!(rsa = rsa_callback(NULL, 0, 2048)))
23bb6982
JH		 1356 goto err;
1357
4c04137d 1358where = US"assigning pkey";
23bb6982
JH		 1359if (!EVP_PKEY_assign_RSA(pkey, rsa))
1360 goto err;
1361
1362X509_set_version(x509, 2); /* N+1 - version 3 */
1613fd68 1363ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
23bb6982
JH		 1364X509_gmtime_adj(X509_get_notBefore(x509), 0);
1365X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60); /* 1 hour */
1366X509_set_pubkey(x509, pkey);
1367
1368name = X509_get_subject_name(x509);
1369X509_NAME_add_entry_by_txt(name, "C",
4dc2379a 1370 MBSTRING_ASC, CUS "UK", -1, -1, 0);
23bb6982 1371X509_NAME_add_entry_by_txt(name, "O",
4dc2379a 1372 MBSTRING_ASC, CUS "Exim Developers", -1, -1, 0);
23bb6982 1373X509_NAME_add_entry_by_txt(name, "CN",
4dc2379a 1374 MBSTRING_ASC, CUS smtp_active_hostname, -1, -1, 0);
23bb6982
JH		 1375X509_set_issuer_name(x509, name);
1376
1377where = US"signing cert";
1378if (!X509_sign(x509, pkey, EVP_md5()))
1379 goto err;
1380
1381where = US"installing selfsign cert";
1382if (!SSL_CTX_use_certificate(sctx, x509))
1383 goto err;
1384
1385where = US"installing selfsign key";
1386if (!SSL_CTX_use_PrivateKey(sctx, pkey))
1387 goto err;
1388
1389return OK;
1390
1391err:
cf0c6164 1392 (void) tls_error(where, NULL, NULL, errstr);
23bb6982
JH		 1393 if (x509) X509_free(x509);
1394 if (pkey) EVP_PKEY_free(pkey);
1395 return DEFER;
1396}
1397
1398
1399
1400
ba86e143
JH		 1401static int
1402tls_add_certfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1403 uschar ** errstr)
1404{
1405DEBUG(D_tls) debug_printf("tls_certificate file %s\n", file);
1406if (!SSL_CTX_use_certificate_chain_file(sctx, CS file))
1407 return tls_error(string_sprintf(
1408 "SSL_CTX_use_certificate_chain_file file=%s", file),
1409 cbinfo->host, NULL, errstr);
1410return 0;
1411}
1412
1413static int
1414tls_add_pkeyfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1415 uschar ** errstr)
1416{
1417DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", file);
1418if (!SSL_CTX_use_PrivateKey_file(sctx, CS file, SSL_FILETYPE_PEM))
1419 return tls_error(string_sprintf(
1420 "SSL_CTX_use_PrivateKey_file file=%s", file), cbinfo->host, NULL, errstr);
1421return 0;
1422}
1423
1424
7be682ca
PP		 1425/*************************************************
1426* Expand key and cert file specs *
1427*************************************************/
1428
f5d78688 1429/* Called once during tls_init and possibly again during TLS setup, for a
7be682ca
PP		 1430new context, if Server Name Indication was used and tls_sni was seen in
1431the certificate string.
1432
1433Arguments:
1434 sctx the SSL_CTX* to update
1435 cbinfo various parts of session state
cf0c6164 1436 errstr error string pointer
7be682ca
PP		 1437
1438Returns: OK/DEFER/FAIL
1439*/
1440
1441static int
cf0c6164
JH		 1442tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo,
1443 uschar ** errstr)
7be682ca
PP		 1444{
1445uschar *expanded;
1446
23bb6982 1447if (!cbinfo->certificate)
7be682ca 1448 {
ba86e143 1449 if (!cbinfo->is_server) /* client */
23bb6982 1450 return OK;
afdb5e9c 1451 /* server */
cf0c6164 1452 if (tls_install_selfsign(sctx, errstr) != OK)
23bb6982 1453 return DEFER;
7be682ca 1454 }
23bb6982
JH		 1455else
1456 {
ba86e143
JH		 1457 int err;
1458
23bb6982
JH		 1459 if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
1460 Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
1461 Ustrstr(cbinfo->certificate, US"tls_out_sni")
1462 )
1463 reexpand_tls_files_for_sni = TRUE;
7be682ca 1464
cf0c6164 1465 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded, errstr))
23bb6982
JH		 1466 return DEFER;
1467
ba86e143
JH		 1468 if (expanded)
1469 if (cbinfo->is_server)
1470 {
1471 const uschar * file_list = expanded;
1472 int sep = 0;
1473 uschar * file;
1474
1475 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1476 if ((err = tls_add_certfile(sctx, cbinfo, file, errstr)))
1477 return err;
1478 }
1479 else /* would there ever be a need for multiple client certs? */
1480 if ((err = tls_add_certfile(sctx, cbinfo, expanded, errstr)))
1481 return err;
7be682ca 1482
5a2a0989
JH		 1483 if ( cbinfo->privatekey
1484 && !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded, errstr))
23bb6982 1485 return DEFER;
7be682ca 1486
23bb6982
JH		 1487 /* If expansion was forced to fail, key_expanded will be NULL. If the result
1488 of the expansion is an empty string, ignore it also, and assume the private
1489 key is in the same file as the certificate. */
1490
1491 if (expanded && *expanded)
ba86e143
JH		 1492 if (cbinfo->is_server)
1493 {
1494 const uschar * file_list = expanded;
1495 int sep = 0;
1496 uschar * file;
1497
1498 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1499 if ((err = tls_add_pkeyfile(sctx, cbinfo, file, errstr)))
1500 return err;
1501 }
1502 else /* would there ever be a need for multiple client certs? */
1503 if ((err = tls_add_pkeyfile(sctx, cbinfo, expanded, errstr)))
1504 return err;
7be682ca
PP		 1505 }
1506
f2de3a33 1507#ifndef DISABLE_OCSP
f40d5be3 1508if (cbinfo->is_server && cbinfo->u_ocsp.server.file)
3f7eeb86 1509 {
47195144 1510 /*XXX stack*/
cf0c6164 1511 if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded, errstr))
3f7eeb86
PP		 1512 return DEFER;
1513
f40d5be3 1514 if (expanded && *expanded)
3f7eeb86
PP		 1515 {
1516 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
f40d5be3
JH		 1517 if ( cbinfo->u_ocsp.server.file_expanded
1518 && (Ustrcmp(expanded, cbinfo->u_ocsp.server.file_expanded) == 0))
3f7eeb86 1519 {
f40d5be3
JH		 1520 DEBUG(D_tls) debug_printf(" - value unchanged, using existing values\n");
1521 }
1522 else
f40d5be3 1523 ocsp_load_response(sctx, cbinfo, expanded);
3f7eeb86
PP		 1524 }
1525 }
1526#endif
1527
7be682ca
PP		 1528return OK;
1529}
1530
1531
1532
1533
1534/*************************************************
1535* Callback to handle SNI *
1536*************************************************/
1537
1538/* Called when acting as server during the TLS session setup if a Server Name
1539Indication extension was sent by the client.
1540
1541API documentation is OpenSSL s_server.c implementation.
1542
1543Arguments:
1544 s SSL* of the current session
1545 ad unknown (part of OpenSSL API) (unused)
1546 arg Callback of "our" registered data
1547
1548Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
b10c87b3
JH		 1549
1550XXX might need to change to using ClientHello callback,
1551per https://www.openssl.org/docs/manmaster/man3/SSL_client_hello_cb_fn.html
7be682ca
PP		 1552*/
1553
3bcbbbe2 1554#ifdef EXIM_HAVE_OPENSSL_TLSEXT
7be682ca
PP		 1555static int
1556tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
1557{
1558const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
3f7eeb86 1559tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
7be682ca 1560int rc;
3f0945ff 1561int old_pool = store_pool;
cf0c6164 1562uschar * dummy_errstr;
7be682ca
PP		 1563
1564if (!servername)
1565 return SSL_TLSEXT_ERR_OK;
1566
3f0945ff 1567DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
7be682ca
PP		 1568 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
1569
1570/* Make the extension value available for expansion */
3f0945ff 1571store_pool = POOL_PERM;
817d9f57 1572tls_in.sni = string_copy(US servername);
3f0945ff 1573store_pool = old_pool;
7be682ca
PP		 1574
1575if (!reexpand_tls_files_for_sni)
1576 return SSL_TLSEXT_ERR_OK;
1577
1578/* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
1579not confident that memcpy wouldn't break some internal reference counting.
1580Especially since there's a references struct member, which would be off. */
1581
7a8b9519
JH		 1582#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1583if (!(server_sni = SSL_CTX_new(TLS_server_method())))
1584#else
0df4ab80 1585if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
7a8b9519 1586#endif
7be682ca 1587 {
0abc5a13 1588 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
7be682ca 1589 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
5a2a0989 1590 goto bad;
7be682ca
PP		 1591 }
1592
1593/* Not sure how many of these are actually needed, since SSL object
1594already exists. Might even need this selfsame callback, for reneg? */
1595
817d9f57
JH		 1596SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
1597SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
1598SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
1599SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
1600SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
1601SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
038597d2 1602
cf0c6164
JH		 1603if ( !init_dh(server_sni, cbinfo->dhparam, NULL, &dummy_errstr)
1604 || !init_ecdh(server_sni, NULL, &dummy_errstr)
038597d2 1605 )
5a2a0989 1606 goto bad;
038597d2 1607
ca954d7f
JH		 1608if ( cbinfo->server_cipher_list
1609 && !SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list))
5a2a0989 1610 goto bad;
ca954d7f 1611
f2de3a33 1612#ifndef DISABLE_OCSP
f5d78688 1613if (cbinfo->u_ocsp.server.file)
3f7eeb86 1614 {
f5d78688 1615 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
14c7b357 1616 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
3f7eeb86
PP		 1617 }
1618#endif
7be682ca 1619
c3033f13 1620if ((rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE,
cf0c6164 1621 verify_callback_server, &dummy_errstr)) != OK)
5a2a0989 1622 goto bad;
7be682ca 1623
3f7eeb86
PP		 1624/* do this after setup_certs, because this can require the certs for verifying
1625OCSP information. */
cf0c6164 1626if ((rc = tls_expand_session_files(server_sni, cbinfo, &dummy_errstr)) != OK)
5a2a0989 1627 goto bad;
a799883d 1628
7be682ca 1629DEBUG(D_tls) debug_printf("Switching SSL context.\n");
817d9f57 1630SSL_set_SSL_CTX(s, server_sni);
7be682ca 1631return SSL_TLSEXT_ERR_OK;
5a2a0989
JH		 1632
1633bad: return SSL_TLSEXT_ERR_ALERT_FATAL;
7be682ca 1634}
3bcbbbe2 1635#endif /* EXIM_HAVE_OPENSSL_TLSEXT */
7be682ca
PP		 1636
1637
1638
1639
f2de3a33 1640#ifndef DISABLE_OCSP
f5d78688 1641
3f7eeb86
PP		 1642/*************************************************
1643* Callback to handle OCSP Stapling *
1644*************************************************/
1645
1646/* Called when acting as server during the TLS session setup if the client
1647requests OCSP information with a Certificate Status Request.
1648
1649Documentation via openssl s_server.c and the Apache patch from the OpenSSL
1650project.
1651
1652*/
1653
1654static int
f5d78688 1655tls_server_stapling_cb(SSL *s, void *arg)
3f7eeb86
PP		 1656{
1657const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
47195144 1658uschar *response_der; /*XXX blob */
3f7eeb86
PP		 1659int response_der_len;
1660
47195144
JH		 1661/*XXX stack: use SSL_get_certificate() to see which cert; from that work
1662out which ocsp blob to send. Unfortunately, SSL_get_certificate is known
1663buggy in current OpenSSL; it returns the last cert loaded always rather than
1664the one actually presented. So we can't support a stack of OCSP proofs at
1665this time. */
1666
af4a1bca 1667DEBUG(D_tls)
b3ef41c9 1668 debug_printf("Received TLS status request (OCSP stapling); %s response\n",
f5d78688
JH		 1669 cbinfo->u_ocsp.server.response ? "have" : "lack");
1670
44662487 1671tls_in.ocsp = OCSP_NOT_RESP;
f5d78688 1672if (!cbinfo->u_ocsp.server.response)
3f7eeb86
PP		 1673 return SSL_TLSEXT_ERR_NOACK;
1674
1675response_der = NULL;
47195144 1676response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response, /*XXX stack*/
44662487 1677 &response_der);
3f7eeb86
PP		 1678if (response_der_len <= 0)
1679 return SSL_TLSEXT_ERR_NOACK;
1680
5e55c7a9 1681SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
44662487 1682tls_in.ocsp = OCSP_VFIED;
3f7eeb86
PP		 1683return SSL_TLSEXT_ERR_OK;
1684}
1685
3f7eeb86 1686
f5d78688
JH		 1687static void
1688time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
1689{
1690BIO_printf(bp, "\t%s: ", str);
1691ASN1_GENERALIZEDTIME_print(bp, time);
1692BIO_puts(bp, "\n");
1693}
1694
1695static int
1696tls_client_stapling_cb(SSL *s, void *arg)
1697{
1698tls_ext_ctx_cb * cbinfo = arg;
1699const unsigned char * p;
1700int len;
1701OCSP_RESPONSE * rsp;
1702OCSP_BASICRESP * bs;
1703int i;
1704
1705DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
1706len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1707if(!p)
1708 {
44662487 1709 /* Expect this when we requested ocsp but got none */
6c6d6e48 1710 if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
44662487 1711 log_write(0, LOG_MAIN, "Received TLS status callback, null content");
f5d78688
JH		 1712 else
1713 DEBUG(D_tls) debug_printf(" null\n");
44662487 1714 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
f5d78688 1715 }
018058b2 1716
f5d78688
JH		 1717if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
1718 {
018058b2 1719 tls_out.ocsp = OCSP_FAILED;
6c6d6e48 1720 if (LOGGING(tls_cipher))
1eca31ca 1721 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
f5d78688
JH		 1722 else
1723 DEBUG(D_tls) debug_printf(" parse error\n");
1724 return 0;
1725 }
1726
1727if(!(bs = OCSP_response_get1_basic(rsp)))
1728 {
018058b2 1729 tls_out.ocsp = OCSP_FAILED;
6c6d6e48 1730 if (LOGGING(tls_cipher))
1eca31ca 1731 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
f5d78688
JH		 1732 else
1733 DEBUG(D_tls) debug_printf(" error parsing response\n");
1734 OCSP_RESPONSE_free(rsp);
1735 return 0;
1736 }
1737
1738/* We'd check the nonce here if we'd put one in the request. */
1739/* However that would defeat cacheability on the server so we don't. */
1740
f5d78688
JH		 1741/* This section of code reworked from OpenSSL apps source;
1742 The OpenSSL Project retains copyright:
1743 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
1744*/
1745 {
1746 BIO * bp = NULL;
f5d78688
JH		 1747 int status, reason;
1748 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1749
57887ecc 1750 DEBUG(D_tls) bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
f5d78688
JH		 1751
1752 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
1753
1754 /* Use the chain that verified the server cert to verify the stapled info */
1755 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
1756
c3033f13 1757 if ((i = OCSP_basic_verify(bs, cbinfo->verify_stack,
44662487 1758 cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
f5d78688 1759 {
018058b2 1760 tls_out.ocsp = OCSP_FAILED;
57887ecc
JH		 1761 if (LOGGING(tls_cipher)) log_write(0, LOG_MAIN,
1762 "Received TLS cert status response, itself unverifiable: %s",
1763 ERR_reason_error_string(ERR_peek_error()));
f5d78688
JH		 1764 BIO_printf(bp, "OCSP response verify failure\n");
1765 ERR_print_errors(bp);
57887ecc 1766 OCSP_RESPONSE_print(bp, rsp, 0);
c8dfb21d 1767 goto failed;
f5d78688
JH		 1768 }
1769
1770 BIO_printf(bp, "OCSP response well-formed and signed OK\n");
1771
c8dfb21d
JH		 1772 /*XXX So we have a good stapled OCSP status. How do we know
1773 it is for the cert of interest? OpenSSL 1.1.0 has a routine
1774 OCSP_resp_find_status() which matches on a cert id, which presumably
1775 we should use. Making an id needs OCSP_cert_id_new(), which takes
1776 issuerName, issuerKey, serialNumber. Are they all in the cert?
1777
1778 For now, carry on blindly accepting the resp. */
1779
f5d78688 1780 {
f5d78688
JH		 1781 OCSP_SINGLERESP * single;
1782
c8dfb21d
JH		 1783#ifdef EXIM_HAVE_OCSP_RESP_COUNT
1784 if (OCSP_resp_count(bs) != 1)
1785#else
1786 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
f5d78688 1787 if (sk_OCSP_SINGLERESP_num(sresp) != 1)
c8dfb21d 1788#endif
f5d78688 1789 {
018058b2 1790 tls_out.ocsp = OCSP_FAILED;
44662487
JH		 1791 log_write(0, LOG_MAIN, "OCSP stapling "
1792 "with multiple responses not handled");
c8dfb21d 1793 goto failed;
f5d78688
JH		 1794 }
1795 single = OCSP_resp_get0(bs, 0);
44662487
JH		 1796 status = OCSP_single_get0_status(single, &reason, &rev,
1797 &thisupd, &nextupd);
f5d78688
JH		 1798 }
1799
f5d78688
JH		 1800 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
1801 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
44662487
JH		 1802 if (!OCSP_check_validity(thisupd, nextupd,
1803 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
f5d78688 1804 {
018058b2 1805 tls_out.ocsp = OCSP_FAILED;
f5d78688
JH		 1806 DEBUG(D_tls) ERR_print_errors(bp);
1807 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
f5d78688 1808 }
44662487 1809 else
f5d78688 1810 {
44662487
JH		 1811 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
1812 OCSP_cert_status_str(status));
1813 switch(status)
1814 {
1815 case V_OCSP_CERTSTATUS_GOOD:
44662487 1816 tls_out.ocsp = OCSP_VFIED;
018058b2 1817 i = 1;
c8dfb21d 1818 goto good;
44662487 1819 case V_OCSP_CERTSTATUS_REVOKED:
018058b2 1820 tls_out.ocsp = OCSP_FAILED;
44662487
JH		 1821 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
1822 reason != -1 ? "; reason: " : "",
1823 reason != -1 ? OCSP_crl_reason_str(reason) : "");
1824 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
44662487
JH		 1825 break;
1826 default:
018058b2 1827 tls_out.ocsp = OCSP_FAILED;
44662487
JH		 1828 log_write(0, LOG_MAIN,
1829 "Server certificate status unknown, in OCSP stapling");
44662487
JH		 1830 break;
1831 }
f5d78688 1832 }
c8dfb21d
JH		 1833 failed:
1834 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1835 good:
f5d78688
JH		 1836 BIO_free(bp);
1837 }
1838
1839OCSP_RESPONSE_free(rsp);
1840return i;
1841}
f2de3a33 1842#endif /*!DISABLE_OCSP*/
3f7eeb86
PP		 1843
1844
059ec3d9
PH		 1845/*************************************************
1846* Initialize for TLS *
1847*************************************************/
1848
e51c7be2
JH		 1849/* Called from both server and client code, to do preliminary initialization
1850of the library. We allocate and return a context structure.
059ec3d9
PH		 1851
1852Arguments:
946ecbe0 1853 ctxp returned SSL context
059ec3d9
PH		 1854 host connected host, if client; NULL if server
1855 dhparam DH parameter file
1856 certificate certificate file
1857 privatekey private key
f5d78688 1858 ocsp_file file of stapling info (server); flag for require ocsp (client)
059ec3d9 1859 addr address if client; NULL if server (for some randomness)
946ecbe0 1860 cbp place to put allocated callback context
cf0c6164 1861 errstr error string pointer
059ec3d9
PH		 1862
1863Returns: OK/DEFER/FAIL
1864*/
1865
1866static int
817d9f57 1867tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
3f7eeb86 1868 uschar *privatekey,
f2de3a33 1869#ifndef DISABLE_OCSP
47195144 1870 uschar *ocsp_file, /*XXX stack, in server*/
3f7eeb86 1871#endif
b10c87b3
JH		 1872 address_item *addr, tls_ext_ctx_cb ** cbp,
1873 tls_support * tlsp,
1874 uschar ** errstr)
059ec3d9 1875{
7006ee24 1876SSL_CTX * ctx;
77bb000f 1877long init_options;
7be682ca 1878int rc;
a7538db1 1879tls_ext_ctx_cb * cbinfo;
7be682ca
PP		 1880
1881cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
b10c87b3 1882cbinfo->tlsp = tlsp;
7be682ca
PP		 1883cbinfo->certificate = certificate;
1884cbinfo->privatekey = privatekey;
a6510420 1885cbinfo->is_server = host==NULL;
f2de3a33 1886#ifndef DISABLE_OCSP
c3033f13 1887cbinfo->verify_stack = NULL;
a6510420 1888if (!host)
f5d78688
JH		 1889 {
1890 cbinfo->u_ocsp.server.file = ocsp_file;
1891 cbinfo->u_ocsp.server.file_expanded = NULL;
1892 cbinfo->u_ocsp.server.response = NULL;
1893 }
1894else
1895 cbinfo->u_ocsp.client.verify_store = NULL;
3f7eeb86 1896#endif
7be682ca 1897cbinfo->dhparam = dhparam;
0df4ab80 1898cbinfo->server_cipher_list = NULL;
7be682ca 1899cbinfo->host = host;
0cbf2b82 1900#ifndef DISABLE_EVENT
a7538db1
JH		 1901cbinfo->event_action = NULL;
1902#endif
77bb000f 1903
7434882d 1904#ifdef EXIM_NEED_OPENSSL_INIT
059ec3d9
PH		 1905SSL_load_error_strings(); /* basic set up */
1906OpenSSL_add_ssl_algorithms();
7434882d 1907#endif
059ec3d9 1908
c8dfb21d 1909#ifdef EXIM_HAVE_SHA256
77bb000f 1910/* SHA256 is becoming ever more popular. This makes sure it gets added to the
a0475b69
TK		 1911list of available digests. */
1912EVP_add_digest(EVP_sha256());
cf1ef1a9 1913#endif
a0475b69 1914
f0f5a555
PP		 1915/* Create a context.
1916The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
1917negotiation in the different methods; as far as I can tell, the only
1918*_{server,client}_method which allows negotiation is SSLv23, which exists even
1919when OpenSSL is built without SSLv2 support.
1920By disabling with openssl_options, we can let admins re-enable with the
1921existing knob. */
059ec3d9 1922
7a8b9519
JH		 1923#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1924if (!(ctx = SSL_CTX_new(host ? TLS_client_method() : TLS_server_method())))
1925#else
7006ee24 1926if (!(ctx = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method())))
7a8b9519 1927#endif
7006ee24 1928 return tls_error(US"SSL_CTX_new", host, NULL, errstr);
059ec3d9
PH		 1929
1930/* It turns out that we need to seed the random number generator this early in
1931order to get the full complement of ciphers to work. It took me roughly a day
1932of work to discover this by experiment.
1933
1934On systems that have /dev/urandom, SSL may automatically seed itself from
1935there. Otherwise, we have to make something up as best we can. Double check
1936afterwards. */
1937
1938if (!RAND_status())
1939 {
1940 randstuff r;
9e3331ea 1941 gettimeofday(&r.tv, NULL);
059ec3d9
PH		 1942 r.p = getpid();
1943
5903c6ff
JH		 1944 RAND_seed(US (&r), sizeof(r));
1945 RAND_seed(US big_buffer, big_buffer_size);
1946 if (addr != NULL) RAND_seed(US addr, sizeof(addr));
059ec3d9
PH		 1947
1948 if (!RAND_status())
7199e1ee 1949 return tls_error(US"RAND_status", host,
cf0c6164 1950 US"unable to seed random number generator", errstr);
059ec3d9
PH		 1951 }
1952
1953/* Set up the information callback, which outputs if debugging is at a suitable
1954level. */
1955
b10c87b3
JH		 1956DEBUG(D_tls)
1957 {
1958 SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
e570d136
JH		 1959#if defined(EXIM_HAVE_OPESSL_TRACE) && !defined(OPENSSL_NO_SSL_TRACE)
1960 /* this needs a debug build of OpenSSL */
b10c87b3
JH		 1961 SSL_CTX_set_msg_callback(ctx, (void (*)())SSL_trace);
1962#endif
8a40db1c 1963#ifdef OPENSSL_HAVE_KEYLOG_CB
b10c87b3 1964 SSL_CTX_set_keylog_callback(ctx, (void (*)())keylog_callback);
8a40db1c 1965#endif
b10c87b3 1966 }
059ec3d9 1967
c80c5570 1968/* Automatically re-try reads/writes after renegotiation. */
7006ee24 1969(void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
c80c5570 1970
77bb000f
PP		 1971/* Apply administrator-supplied work-arounds.
1972Historically we applied just one requested option,
1973SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
1974moved to an administrator-controlled list of options to specify and
1975grandfathered in the first one as the default value for "openssl_options".
059ec3d9 1976
77bb000f
PP		 1977No OpenSSL version number checks: the options we accept depend upon the
1978availability of the option value macros from OpenSSL. */
059ec3d9 1979
7006ee24 1980if (!tls_openssl_options_parse(openssl_options, &init_options))
cf0c6164 1981 return tls_error(US"openssl_options parsing failed", host, NULL, errstr);
77bb000f 1982
b10c87b3
JH		 1983#ifdef EXPERIMENTAL_TLS_RESUME
1984tlsp->resumption = RESUME_SUPPORTED;
1985#endif
77bb000f
PP		 1986if (init_options)
1987 {
b10c87b3
JH		 1988#ifdef EXPERIMENTAL_TLS_RESUME
1989 /* Should the server offer session resumption? */
1990 if (!host && verify_check_host(&tls_resumption_hosts) == OK)
1991 {
1992 DEBUG(D_tls) debug_printf("tls_resumption_hosts overrides openssl_options\n");
1993 init_options &= ~SSL_OP_NO_TICKET;
1994 tlsp->resumption |= RESUME_SERVER_TICKET; /* server will give ticket on request */
1995 tlsp->host_resumable = TRUE;
1996 }
1997#endif
1998
77bb000f 1999 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
7006ee24 2000 if (!(SSL_CTX_set_options(ctx, init_options)))
77bb000f 2001 return tls_error(string_sprintf(
cf0c6164 2002 "SSL_CTX_set_option(%#lx)", init_options), host, NULL, errstr);
77bb000f
PP		 2003 }
2004else
2005 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
059ec3d9 2006
a28050f8
JH		 2007/* We'd like to disable session cache unconditionally, but foolish Outlook
2008Express clients then give up the first TLS connection and make a second one
2009(which works). Only when there is an IMAP service on the same machine.
2010Presumably OE is trying to use the cache for A on B. Leave it enabled for
2011now, until we work out a decent way of presenting control to the config. It
2012will never be used because we use a new context every time. */
2013#ifdef notdef
7006ee24 2014(void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
a28050f8 2015#endif
7006ee24 2016
059ec3d9 2017/* Initialize with DH parameters if supplied */
10ca4f1c 2018/* Initialize ECDH temp key parameter selection */
059ec3d9 2019
7006ee24
JH		 2020if ( !init_dh(ctx, dhparam, host, errstr)
2021 || !init_ecdh(ctx, host, errstr)
038597d2
PP		 2022 )
2023 return DEFER;
059ec3d9 2024
3f7eeb86 2025/* Set up certificate and key (and perhaps OCSP info) */
059ec3d9 2026
7006ee24 2027if ((rc = tls_expand_session_files(ctx, cbinfo, errstr)) != OK)
23bb6982 2028 return rc;
c91535f3 2029
c3033f13
JH		 2030/* If we need to handle SNI or OCSP, do so */
2031
3bcbbbe2 2032#ifdef EXIM_HAVE_OPENSSL_TLSEXT
c3033f13
JH		 2033# ifndef DISABLE_OCSP
2034 if (!(cbinfo->verify_stack = sk_X509_new_null()))
2035 {
2036 DEBUG(D_tls) debug_printf("failed to create stack for stapling verify\n");
2037 return FAIL;
2038 }
2039# endif
2040
7a8b9519 2041if (!host) /* server */
3f0945ff 2042 {
f2de3a33 2043# ifndef DISABLE_OCSP
f5d78688 2044 /* We check u_ocsp.server.file, not server.response, because we care about if
3f7eeb86
PP		 2045 the option exists, not what the current expansion might be, as SNI might
2046 change the certificate and OCSP file in use between now and the time the
2047 callback is invoked. */
f5d78688 2048 if (cbinfo->u_ocsp.server.file)
3f7eeb86 2049 {
7006ee24
JH		 2050 SSL_CTX_set_tlsext_status_cb(ctx, tls_server_stapling_cb);
2051 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
3f7eeb86 2052 }
f5d78688 2053# endif
3f0945ff
PP		 2054 /* We always do this, so that $tls_sni is available even if not used in
2055 tls_certificate */
7006ee24
JH		 2056 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
2057 SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
3f0945ff 2058 }
f2de3a33 2059# ifndef DISABLE_OCSP
f5d78688
JH		 2060else /* client */
2061 if(ocsp_file) /* wanting stapling */
2062 {
2063 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
2064 {
2065 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
2066 return FAIL;
2067 }
7006ee24
JH		 2068 SSL_CTX_set_tlsext_status_cb(ctx, tls_client_stapling_cb);
2069 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
f5d78688
JH		 2070 }
2071# endif
7be682ca 2072#endif
059ec3d9 2073
e51c7be2 2074cbinfo->verify_cert_hostnames = NULL;
e51c7be2 2075
c8dfb21d 2076#ifdef EXIM_HAVE_EPHEM_RSA_KEX
059ec3d9 2077/* Set up the RSA callback */
7006ee24 2078SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
c8dfb21d 2079#endif
059ec3d9 2080
b10c87b3
JH		 2081/* Finally, set the session cache timeout, and we are done.
2082The period appears to be also used for (server-generated) session tickets */
059ec3d9 2083
7006ee24 2084SSL_CTX_set_timeout(ctx, ssl_session_timeout);
059ec3d9 2085DEBUG(D_tls) debug_printf("Initialized TLS\n");
7be682ca 2086
817d9f57 2087*cbp = cbinfo;
7006ee24 2088*ctxp = ctx;
7be682ca 2089
059ec3d9
PH		 2090return OK;
2091}
2092
2093
2094
2095
2096/*************************************************
2097* Get name of cipher in use *
2098*************************************************/
2099
817d9f57 2100/*
059ec3d9 2101Argument: pointer to an SSL structure for the connection
817d9f57 2102 pointer to number of bits for cipher
f1be21cf 2103Returns: pointer to allocated string in perm-pool
059ec3d9
PH		 2104*/
2105
f1be21cf
JH		 2106static uschar *
2107construct_cipher_name(SSL * ssl, int * bits)
059ec3d9 2108{
f1be21cf 2109int pool = store_pool;
7a8b9519 2110/* With OpenSSL 1.0.0a, 'c' needs to be const but the documentation doesn't
57b3a7f5
PP		 2111yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
2112the accessor functions use const in the prototype. */
059ec3d9 2113
7a8b9519
JH		 2114const uschar * ver = CUS SSL_get_version(ssl);
2115const SSL_CIPHER * c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
f1be21cf 2116uschar * s;
059ec3d9 2117
817d9f57 2118SSL_CIPHER_get_bits(c, bits);
059ec3d9 2119
f1be21cf
JH		 2120store_pool = POOL_PERM;
2121s = string_sprintf("%s:%s:%u", ver, SSL_CIPHER_get_name(c), *bits);
2122store_pool = pool;
2123DEBUG(D_tls) debug_printf("Cipher: %s\n", s);
2124return s;
2125}
2126
059ec3d9 2127
f1be21cf
JH		 2128/* Get IETF-standard name for ciphersuite.
2129Argument: pointer to an SSL structure for the connection
2130Returns: pointer to string
2131*/
2132
2133static const uschar *
2134cipher_stdname_ssl(SSL * ssl)
2135{
2136#ifdef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
2137return CUS SSL_CIPHER_standard_name(SSL_get_current_cipher(ssl));
2138#else
2139ushort id = 0xffff & SSL_CIPHER_get_id(SSL_get_current_cipher(ssl));
2140return cipher_stdname(id >> 8, id & 0xff);
2141#endif
059ec3d9
PH		 2142}
2143
2144
f69979cf 2145static void
70e384dd 2146peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned siz)
f69979cf
JH		 2147{
2148/*XXX we might consider a list-of-certs variable for the cert chain.
2149SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
2150in list-handling functions, also consider the difference between the entire
2151chain and the elements sent by the peer. */
2152
70e384dd
JH		 2153tlsp->peerdn = NULL;
2154
f69979cf
JH		 2155/* Will have already noted peercert on a verify fail; possibly not the leaf */
2156if (!tlsp->peercert)
2157 tlsp->peercert = SSL_get_peer_certificate(ssl);
2158/* Beware anonymous ciphers which lead to server_cert being NULL */
2159if (tlsp->peercert)
70e384dd
JH		 2160 if (!X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, siz))
2161 { DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n"); }
2162 else
2163 {
4a1bd6b9
JH		 2164 int oldpool = store_pool;
2165
2166 peerdn[siz-1] = '\0'; /* paranoia */
2167 store_pool = POOL_PERM;
2168 tlsp->peerdn = string_copy(peerdn);
2169 store_pool = oldpool;
2170
2171 /* We used to set CV in the cert-verify callbacks (either plain or dane)
2172 but they don't get called on session-resumption. So use the official
2173 interface, which uses the resumed value. Unfortunately this claims verified
2174 when it actually failed but we're in try-verify mode, due to us wanting the
2175 knowlege that it failed so needing to have the callback and forcing a
2176 permissive return. If we don't force it, the TLS startup is failed.
2177 Hence the verify_override bodge - though still a problem for resumption. */
2178
2179 if (!tlsp->verify_override)
2180 tlsp->certificate_verified = SSL_get_verify_result(ssl) == X509_V_OK;
70e384dd 2181 }
f69979cf
JH		 2182}
2183
2184
059ec3d9
PH		 2185
2186
2187
2188/*************************************************
2189* Set up for verifying certificates *
2190*************************************************/
2191
0e8aed8a 2192#ifndef DISABLE_OCSP
c3033f13
JH		 2193/* Load certs from file, return TRUE on success */
2194
2195static BOOL
2196chain_from_pem_file(const uschar * file, STACK_OF(X509) * verify_stack)
2197{
2198BIO * bp;
2199X509 * x;
2200
dec766a1
WB		 2201while (sk_X509_num(verify_stack) > 0)
2202 X509_free(sk_X509_pop(verify_stack));
2203
c3033f13
JH		 2204if (!(bp = BIO_new_file(CS file, "r"))) return FALSE;
2205while ((x = PEM_read_bio_X509(bp, NULL, 0, NULL)))
2206 sk_X509_push(verify_stack, x);
2207BIO_free(bp);
2208return TRUE;
2209}
0e8aed8a 2210#endif
c3033f13
JH		 2211
2212
2213
dec766a1
WB		 2214/* Called by both client and server startup; on the server possibly
2215repeated after a Server Name Indication.
059ec3d9
PH		 2216
2217Arguments:
7be682ca 2218 sctx SSL_CTX* to initialise
059ec3d9
PH		 2219 certs certs file or NULL
2220 crl CRL file or NULL
2221 host NULL in a server; the remote host in a client
2222 optional TRUE if called from a server for a host in tls_try_verify_hosts;
2223 otherwise passed as FALSE
983207c1 2224 cert_vfy_cb Callback function for certificate verification
cf0c6164 2225 errstr error string pointer
059ec3d9
PH		 2226
2227Returns: OK/DEFER/FAIL
2228*/
2229
2230static int
983207c1 2231setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
cf0c6164 2232 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr)
059ec3d9
PH		 2233{
2234uschar *expcerts, *expcrl;
2235
cf0c6164 2236if (!expand_check(certs, US"tls_verify_certificates", &expcerts, errstr))
059ec3d9 2237 return DEFER;
57cc2785 2238DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
059ec3d9 2239
10a831a3 2240if (expcerts && *expcerts)
059ec3d9 2241 {
10a831a3
JH		 2242 /* Tell the library to use its compiled-in location for the system default
2243 CA bundle. Then add the ones specified in the config, if any. */
cb1d7830 2244
10a831a3 2245 if (!SSL_CTX_set_default_verify_paths(sctx))
cf0c6164 2246 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL, errstr);
10a831a3
JH		 2247
2248 if (Ustrcmp(expcerts, "system") != 0)
059ec3d9 2249 {
cb1d7830
JH		 2250 struct stat statbuf;
2251
cb1d7830
JH		 2252 if (Ustat(expcerts, &statbuf) < 0)
2253 {
2254 log_write(0, LOG_MAIN|LOG_PANIC,
2255 "failed to stat %s for certificates", expcerts);
2256 return DEFER;
2257 }
059ec3d9 2258 else
059ec3d9 2259 {
cb1d7830
JH		 2260 uschar *file, *dir;
2261 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
2262 { file = NULL; dir = expcerts; }
2263 else
c3033f13
JH		 2264 {
2265 file = expcerts; dir = NULL;
2266#ifndef DISABLE_OCSP
2267 /* In the server if we will be offering an OCSP proof, load chain from
2268 file for verifying the OCSP proof at load time. */
2269
2270 if ( !host
2271 && statbuf.st_size > 0
2272 && server_static_cbinfo->u_ocsp.server.file
2273 && !chain_from_pem_file(file, server_static_cbinfo->verify_stack)
2274 )
2275 {
2276 log_write(0, LOG_MAIN|LOG_PANIC,
57887ecc 2277 "failed to load cert chain from %s", file);
c3033f13
JH		 2278 return DEFER;
2279 }
2280#endif
2281 }
cb1d7830
JH		 2282
2283 /* If a certificate file is empty, the next function fails with an
2284 unhelpful error message. If we skip it, we get the correct behaviour (no
2285 certificates are recognized, but the error message is still misleading (it
c3033f13 2286 says no certificate was supplied). But this is better. */
cb1d7830 2287
f2f2c91b
JH		 2288 if ( (!file || statbuf.st_size > 0)
2289 && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
cf0c6164 2290 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL, errstr);
cb1d7830
JH		 2291
2292 /* Load the list of CAs for which we will accept certs, for sending
2293 to the client. This is only for the one-file tls_verify_certificates
2294 variant.
d7978c0f
JH		 2295 If a list isn't loaded into the server, but some verify locations are set,
2296 the server end appears to make a wildcard request for client certs.
10a831a3 2297 Meanwhile, the client library as default behaviour *ignores* the list
cb1d7830
JH		 2298 we send over the wire - see man SSL_CTX_set_client_cert_cb.
2299 Because of this, and that the dir variant is likely only used for
d7978c0f
JH		 2300 the public-CA bundle (not for a private CA), not worth fixing. */
2301
f2f2c91b 2302 if (file)
cb1d7830 2303 {
2009ecca 2304 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
dec766a1
WB		 2305
2306 SSL_CTX_set_client_CA_list(sctx, names);
f2f2c91b 2307 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
cb1d7830 2308 sk_X509_NAME_num(names));
cb1d7830 2309 }
059ec3d9
PH		 2310 }
2311 }
2312
2313 /* Handle a certificate revocation list. */
2314
10a831a3 2315#if OPENSSL_VERSION_NUMBER > 0x00907000L
059ec3d9 2316
8b417f2c 2317 /* This bit of code is now the version supplied by Lars Mainka. (I have
10a831a3 2318 merely reformatted it into the Exim code style.)
8b417f2c 2319
10a831a3
JH		 2320 "From here I changed the code to add support for multiple crl's
2321 in pem format in one file or to support hashed directory entries in
2322 pem format instead of a file. This method now uses the library function
2323 X509_STORE_load_locations to add the CRL location to the SSL context.
2324 OpenSSL will then handle the verify against CA certs and CRLs by
2325 itself in the verify callback." */
8b417f2c 2326
cf0c6164 2327 if (!expand_check(crl, US"tls_crl", &expcrl, errstr)) return DEFER;
10a831a3 2328 if (expcrl && *expcrl)
059ec3d9 2329 {
8b417f2c
PH		 2330 struct stat statbufcrl;
2331 if (Ustat(expcrl, &statbufcrl) < 0)
2332 {
2333 log_write(0, LOG_MAIN|LOG_PANIC,
2334 "failed to stat %s for certificates revocation lists", expcrl);
2335 return DEFER;
2336 }
2337 else
059ec3d9 2338 {
8b417f2c
PH		 2339 /* is it a file or directory? */
2340 uschar *file, *dir;
7be682ca 2341 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
8b417f2c 2342 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
059ec3d9 2343 {
8b417f2c
PH		 2344 file = NULL;
2345 dir = expcrl;
2346 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
059ec3d9
PH		 2347 }
2348 else
2349 {
8b417f2c
PH		 2350 file = expcrl;
2351 dir = NULL;
2352 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
059ec3d9 2353 }
8b417f2c 2354 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
cf0c6164 2355 return tls_error(US"X509_STORE_load_locations", host, NULL, errstr);
8b417f2c
PH		 2356
2357 /* setting the flags to check against the complete crl chain */
2358
2359 X509_STORE_set_flags(cvstore,
2360 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
059ec3d9 2361 }
059ec3d9
PH		 2362 }
2363
10a831a3 2364#endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
059ec3d9
PH		 2365
2366 /* If verification is optional, don't fail if no certificate */
2367
7be682ca 2368 SSL_CTX_set_verify(sctx,
5a2a0989 2369 SSL_VERIFY_PEER | (optional ? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
983207c1 2370 cert_vfy_cb);
059ec3d9
PH		 2371 }
2372
2373return OK;
2374}
2375
2376
2377
2378/*************************************************
2379* Start a TLS session in a server *
2380*************************************************/
2381
2382/* This is called when Exim is running as a server, after having received
2383the STARTTLS command. It must respond to that command, and then negotiate
2384a TLS session.
2385
2386Arguments:
2387 require_ciphers allowed ciphers
cf0c6164 2388 errstr pointer to error message
059ec3d9
PH		 2389
2390Returns: OK on success
2391 DEFER for errors before the start of the negotiation
4c04137d 2392 FAIL for errors during the negotiation; the server can't
059ec3d9
PH		 2393 continue running.
2394*/
2395
2396int
cf0c6164 2397tls_server_start(const uschar * require_ciphers, uschar ** errstr)
059ec3d9
PH		 2398{
2399int rc;
cf0c6164
JH		 2400uschar * expciphers;
2401tls_ext_ctx_cb * cbinfo;
f69979cf 2402static uschar peerdn[256];
059ec3d9
PH		 2403
2404/* Check for previous activation */
2405
74f1a423 2406if (tls_in.active.sock >= 0)
059ec3d9 2407 {
cf0c6164 2408 tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
925ac8e4 2409 smtp_printf("554 Already in TLS\r\n", FALSE);
059ec3d9
PH		 2410 return FAIL;
2411 }
2412
2413/* Initialize the SSL library. If it fails, it will already have logged
2414the error. */
2415
817d9f57 2416rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
f2de3a33 2417#ifndef DISABLE_OCSP
47195144 2418 tls_ocsp_file, /*XXX stack*/
3f7eeb86 2419#endif
b10c87b3 2420 NULL, &server_static_cbinfo, &tls_in, errstr);
059ec3d9 2421if (rc != OK) return rc;
817d9f57 2422cbinfo = server_static_cbinfo;
059ec3d9 2423
cf0c6164 2424if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers, errstr))
059ec3d9
PH		 2425 return FAIL;
2426
2427/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
17c76198
PP		 2428were historically separated by underscores. So that I can use either form in my
2429tests, and also for general convenience, we turn underscores into hyphens here.
0c3807a8
JH		 2430
2431XXX SSL_CTX_set_cipher_list() is replaced by SSL_CTX_set_ciphersuites()
2432for TLS 1.3 . Since we do not call it at present we get the default list:
2433TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
17c76198 2434*/
059ec3d9 2435
c3033f13 2436if (expciphers)
059ec3d9 2437 {
b10c87b3 2438 for (uschar * s = expciphers; *s; s++ ) if (*s == '_') *s = '-';
059ec3d9 2439 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
817d9f57 2440 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
cf0c6164 2441 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL, errstr);
7be682ca 2442 cbinfo->server_cipher_list = expciphers;
059ec3d9
PH		 2443 }
2444
2445/* If this is a host for which certificate verification is mandatory or
2446optional, set up appropriately. */
2447
817d9f57 2448tls_in.certificate_verified = FALSE;
c0635b6d 2449#ifdef SUPPORT_DANE
53a7196b
JH		 2450tls_in.dane_verified = FALSE;
2451#endif
a2ff477a 2452server_verify_callback_called = FALSE;
059ec3d9
PH		 2453
2454if (verify_check_host(&tls_verify_hosts) == OK)
2455 {
983207c1 2456 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
afdb5e9c 2457 FALSE, verify_callback_server, errstr);
059ec3d9 2458 if (rc != OK) return rc;
a2ff477a 2459 server_verify_optional = FALSE;
059ec3d9
PH		 2460 }
2461else if (verify_check_host(&tls_try_verify_hosts) == OK)
2462 {
983207c1 2463 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
afdb5e9c 2464 TRUE, verify_callback_server, errstr);
059ec3d9 2465 if (rc != OK) return rc;
a2ff477a 2466 server_verify_optional = TRUE;
059ec3d9
PH		 2467 }
2468
b10c87b3
JH		 2469#ifdef EXPERIMENTAL_TLS_RESUME
2470SSL_CTX_set_tlsext_ticket_key_cb(server_ctx, ticket_key_callback);
2471/* despite working, appears to always return failure, so ignoring */
2472#endif
2473#ifdef OPENSSL_HAVE_NUM_TICKETS
2474# ifdef EXPERIMENTAL_TLS_RESUME
2475SSL_CTX_set_num_tickets(server_ctx, tls_in.host_resumable ? 1 : 0);
2476# else
2477SSL_CTX_set_num_tickets(server_ctx, 0); /* send no TLS1.3 stateful-tickets */
2478# endif
2479#endif
2480
2481
059ec3d9
PH		 2482/* Prepare for new connection */
2483
cf0c6164
JH		 2484if (!(server_ssl = SSL_new(server_ctx)))
2485 return tls_error(US"SSL_new", NULL, NULL, errstr);
da3ad30d
PP		 2486
2487/* Warning: we used to SSL_clear(ssl) here, it was removed.
2488 *
2489 * With the SSL_clear(), we get strange interoperability bugs with
2490 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
2491 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
2492 *
2493 * The SSL_clear() call is to let an existing SSL* be reused, typically after
2494 * session shutdown. In this case, we have a brand new object and there's no
2495 * obvious reason to immediately clear it. I'm guessing that this was
2496 * originally added because of incomplete initialisation which the clear fixed,
2497 * in some historic release.
2498 */
059ec3d9
PH		 2499
2500/* Set context and tell client to go ahead, except in the case of TLS startup
2501on connection, where outputting anything now upsets the clients and tends to
2502make them disconnect. We need to have an explicit fflush() here, to force out
2503the response. Other smtp_printf() calls do not need it, because in non-TLS
2504mode, the fflush() happens when smtp_getc() is called. */
2505
817d9f57
JH		 2506SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
2507if (!tls_in.on_connect)
059ec3d9 2508 {
925ac8e4 2509 smtp_printf("220 TLS go ahead\r\n", FALSE);
059ec3d9
PH		 2510 fflush(smtp_out);
2511 }
2512
2513/* Now negotiate the TLS session. We put our own timer on it, since it seems
2514that the OpenSSL library doesn't. */
2515
817d9f57
JH		 2516SSL_set_wfd(server_ssl, fileno(smtp_out));
2517SSL_set_rfd(server_ssl, fileno(smtp_in));
2518SSL_set_accept_state(server_ssl);
059ec3d9
PH		 2519
2520DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
2521
2522sigalrm_seen = FALSE;
c2a1bba0 2523if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
817d9f57 2524rc = SSL_accept(server_ssl);
c2a1bba0 2525ALARM_CLR(0);
059ec3d9
PH		 2526
2527if (rc <= 0)
2528 {
cf0c6164 2529 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
059ec3d9
PH		 2530 return FAIL;
2531 }
2532
2533DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
25fa0868 2534ERR_clear_error(); /* Even success can leave errors in the stack. Seen with
b10c87b3
JH		 2535 anon-authentication ciphersuite negotiated. */
2536
2537#ifdef EXPERIMENTAL_TLS_RESUME
2538if (SSL_session_reused(server_ssl))
2539 {
2540 tls_in.resumption |= RESUME_USED;
2541 DEBUG(D_tls) debug_printf("Session reused\n");
2542 }
2543#endif
059ec3d9
PH		 2544
2545/* TLS has been set up. Adjust the input functions to read via TLS,
2546and initialize things. */
2547
f69979cf
JH		 2548peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
2549
f1be21cf
JH		 2550tls_in.cipher = construct_cipher_name(server_ssl, &tls_in.bits);
2551tls_in.cipher_stdname = cipher_stdname_ssl(server_ssl);
2552
059ec3d9
PH		 2553DEBUG(D_tls)
2554 {
2555 uschar buf[2048];
f1be21cf 2556 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)))
059ec3d9 2557 debug_printf("Shared ciphers: %s\n", buf);
f20cfa4a
JH		 2558
2559#ifdef EXIM_HAVE_OPENSSL_KEYLOG
2560 {
10ed27e0 2561 BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
f20cfa4a 2562 SSL_SESSION_print_keylog(bp, SSL_get_session(server_ssl));
f20cfa4a
JH		 2563 BIO_free(bp);
2564 }
2565#endif
b10c87b3
JH		 2566
2567#ifdef EXIM_HAVE_SESSION_TICKET
2568 {
2569 SSL_SESSION * ss = SSL_get_session(server_ssl);
40618fb6 2570 if (SSL_SESSION_has_ticket(ss)) /* 1.1.0 */
b10c87b3
JH		 2571 debug_printf("The session has a ticket, life %lu seconds\n",
2572 SSL_SESSION_get_ticket_lifetime_hint(ss));
2573 }
2574#endif
059ec3d9
PH		 2575 }
2576
9d1c15ef
JH		 2577/* Record the certificate we presented */
2578 {
2579 X509 * crt = SSL_get_certificate(server_ssl);
2580 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
2581 }
059ec3d9 2582
817d9f57
JH		 2583/* Only used by the server-side tls (tls_in), including tls_getc.
2584 Client-side (tls_out) reads (seem to?) go via
2585 smtp_read_response()/ip_recv().
2586 Hence no need to duplicate for _in and _out.
2587 */
b808677c 2588if (!ssl_xfer_buffer) ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
059ec3d9 2589ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
8b77d27a 2590ssl_xfer_eof = ssl_xfer_error = FALSE;
059ec3d9
PH		 2591
2592receive_getc = tls_getc;
0d81dabc 2593receive_getbuf = tls_getbuf;
584e96c6 2594receive_get_cache = tls_get_cache;
059ec3d9
PH		 2595receive_ungetc = tls_ungetc;
2596receive_feof = tls_feof;
2597receive_ferror = tls_ferror;
58eb016e 2598receive_smtp_buffered = tls_smtp_buffered;
059ec3d9 2599
74f1a423
JH		 2600tls_in.active.sock = fileno(smtp_out);
2601tls_in.active.tls_ctx = NULL; /* not using explicit ctx for server-side */
059ec3d9
PH		 2602return OK;
2603}
2604
2605
2606
2607
043b1248
JH		 2608static int
2609tls_client_basic_ctx_init(SSL_CTX * ctx,
cf0c6164
JH		 2610 host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo,
2611 uschar ** errstr)
043b1248
JH		 2612{
2613int rc;
94431adb 2614/* stick to the old behaviour for compatibility if tls_verify_certificates is
043b1248
JH		 2615 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
2616 the specified host patterns if one of them is defined */
2617
610ff438
JH		 2618if ( ( !ob->tls_verify_hosts
2619 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2620 )
3c07dd2d 2621 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
aa2a70ba 2622 )
043b1248 2623 client_verify_optional = FALSE;
3c07dd2d 2624else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
aa2a70ba
JH		 2625 client_verify_optional = TRUE;
2626else
2627 return OK;
2628
2629if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
cf0c6164
JH		 2630 ob->tls_crl, host, client_verify_optional, verify_callback_client,
2631 errstr)) != OK)
aa2a70ba 2632 return rc;
043b1248 2633
3c07dd2d 2634if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
043b1248 2635 {
4af0d74a 2636 cbinfo->verify_cert_hostnames =
8c5d388a 2637#ifdef SUPPORT_I18N
4af0d74a
JH		 2638 string_domain_utf8_to_alabel(host->name, NULL);
2639#else
2640 host->name;
2641#endif
aa2a70ba
JH		 2642 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
2643 cbinfo->verify_cert_hostnames);
043b1248 2644 }
043b1248
JH		 2645return OK;
2646}
059ec3d9 2647
fde080a4 2648
c0635b6d 2649#ifdef SUPPORT_DANE
fde080a4 2650static int
cf0c6164 2651dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa, uschar ** errstr)
fde080a4 2652{
fde080a4
JH		 2653dns_scan dnss;
2654const char * hostnames[2] = { CS host->name, NULL };
2655int found = 0;
2656
2657if (DANESSL_init(ssl, NULL, hostnames) != 1)
cf0c6164 2658 return tls_error(US"hostnames load", host, NULL, errstr);
fde080a4 2659
d7978c0f 2660for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
fde080a4 2661 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
1b76ad22 2662 ) if (rr->type == T_TLSA && rr->size > 3)
fde080a4 2663 {
c3033f13 2664 const uschar * p = rr->data;
fde080a4
JH		 2665 uint8_t usage, selector, mtype;
2666 const char * mdname;
2667
fde080a4 2668 usage = *p++;
133d2546
JH		 2669
2670 /* Only DANE-TA(2) and DANE-EE(3) are supported */
2671 if (usage != 2 && usage != 3) continue;
2672
fde080a4
JH		 2673 selector = *p++;
2674 mtype = *p++;
2675
2676 switch (mtype)
2677 {
133d2546
JH		 2678 default: continue; /* Only match-types 0, 1, 2 are supported */
2679 case 0: mdname = NULL; break;
2680 case 1: mdname = "sha256"; break;
2681 case 2: mdname = "sha512"; break;
fde080a4
JH		 2682 }
2683
133d2546 2684 found++;
fde080a4
JH		 2685 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
2686 {
2687 default:
cf0c6164 2688 return tls_error(US"tlsa load", host, NULL, errstr);
c035b645 2689 case 0: /* action not taken */
fde080a4
JH		 2690 case 1: break;
2691 }
594706ea
JH		 2692
2693 tls_out.tlsa_usage |= 1<<usage;
fde080a4
JH		 2694 }
2695
2696if (found)
2697 return OK;
2698
133d2546 2699log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
6ebd79ec 2700return DEFER;
fde080a4 2701}
c0635b6d 2702#endif /*SUPPORT_DANE*/
fde080a4
JH		 2703
2704
2705
b10c87b3
JH		 2706#ifdef EXPERIMENTAL_TLS_RESUME
2707/* On the client, get any stashed session for the given IP from hints db
2708and apply it to the ssl-connection for attempted resumption. */
2709
2710static void
2711tls_retrieve_session(tls_support * tlsp, SSL * ssl, const uschar * key)
2712{
2713tlsp->resumption |= RESUME_SUPPORTED;
2714if (tlsp->host_resumable)
2715 {
2716 dbdata_tls_session * dt;
2717 int len;
2718 open_db dbblock, * dbm_file;
2719
2720 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
2721 DEBUG(D_tls) debug_printf("checking for resumable session for %s\n", key);
2722 if ((dbm_file = dbfn_open(US"tls", O_RDONLY, &dbblock, FALSE, FALSE)))
2723 {
2724 /* key for the db is the IP */
2725 if ((dt = dbfn_read_with_length(dbm_file, key, &len)))
2726 {
2727 SSL_SESSION * ss = NULL;
2728 const uschar * sess_asn1 = dt->session;
2729
2730 len -= sizeof(dbdata_tls_session);
2731 if (!(d2i_SSL_SESSION(&ss, &sess_asn1, (long)len)))
2732 {
2733 DEBUG(D_tls)
2734 {
2735 ERR_error_string_n(ERR_get_error(),
2736 ssl_errstring, sizeof(ssl_errstring));
2737 debug_printf("decoding session: %s\n", ssl_errstring);
2738 }
2739 }
4f1d23a1
JH		 2740 else if ( SSL_SESSION_get_ticket_lifetime_hint(ss) + dt->time_stamp
2741 < time(NULL))
2742 {
2743 DEBUG(D_tls) debug_printf("session expired\n");
2744 dbfn_delete(dbm_file, key);
2745 }
b10c87b3
JH		 2746 else if (!SSL_set_session(ssl, ss))
2747 {
2748 DEBUG(D_tls)
2749 {
2750 ERR_error_string_n(ERR_get_error(),
2751 ssl_errstring, sizeof(ssl_errstring));
2752 debug_printf("applying session to ssl: %s\n", ssl_errstring);
2753 }
2754 }
2755 else
2756 {
2757 DEBUG(D_tls) debug_printf("good session\n");
2758 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
2759 }
2760 }
2761 else
2762 DEBUG(D_tls) debug_printf("no session record\n");
2763 dbfn_close(dbm_file);
2764 }
2765 }
2766}
2767
2768
2769/* On the client, save the session for later resumption */
2770
2771static int
2772tls_save_session_cb(SSL * ssl, SSL_SESSION * ss)
2773{
2774tls_ext_ctx_cb * cbinfo = SSL_get_ex_data(ssl, tls_exdata_idx);
2775tls_support * tlsp;
2776
2777DEBUG(D_tls) debug_printf("tls_save_session_cb\n");
2778
2779if (!cbinfo || !(tlsp = cbinfo->tlsp)->host_resumable) return 0;
2780
40618fb6
JH		 2781# ifdef OPENSSL_HAVE_NUM_TICKETS
2782if (SSL_SESSION_is_resumable(ss)) /* 1.1.1 */
2783# endif
b10c87b3
JH		 2784 {
2785 int len = i2d_SSL_SESSION(ss, NULL);
2786 int dlen = sizeof(dbdata_tls_session) + len;
2787 dbdata_tls_session * dt = store_get(dlen);
2788 uschar * s = dt->session;
2789 open_db dbblock, * dbm_file;
2790
2791 DEBUG(D_tls) debug_printf("session is resumable\n");
2792 tlsp->resumption |= RESUME_SERVER_TICKET; /* server gave us a ticket */
2793
2794 len = i2d_SSL_SESSION(ss, &s); /* s gets bumped to end */
2795
2796 if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
2797 {
2798 const uschar * key = cbinfo->host->address;
2799 dbfn_delete(dbm_file, key);
2800 dbfn_write(dbm_file, key, dt, dlen);
2801 dbfn_close(dbm_file);
2802 DEBUG(D_tls) debug_printf("wrote session (len %u) to db\n",
2803 (unsigned)dlen);
2804 }
2805 }
b10c87b3
JH		 2806return 1;
2807}
2808
2809
2810static void
2811tls_client_ctx_resume_prehandshake(
2812 exim_openssl_client_tls_ctx * exim_client_ctx, tls_support * tlsp,
2813 smtp_transport_options_block * ob, host_item * host)
2814{
2815/* Should the client request a session resumption ticket? */
2816if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, host) == OK)
2817 {
2818 tlsp->host_resumable = TRUE;
2819
2820 SSL_CTX_set_session_cache_mode(exim_client_ctx->ctx,
2821 SSL_SESS_CACHE_CLIENT
2822 | SSL_SESS_CACHE_NO_INTERNAL | SSL_SESS_CACHE_NO_AUTO_CLEAR);
2823 SSL_CTX_sess_set_new_cb(exim_client_ctx->ctx, tls_save_session_cb);
2824 }
2825}
2826
2827static BOOL
2828tls_client_ssl_resume_prehandshake(SSL * ssl, tls_support * tlsp,
2829 host_item * host, uschar ** errstr)
2830{
2831if (tlsp->host_resumable)
2832 {
2833 DEBUG(D_tls)
2834 debug_printf("tls_resumption_hosts overrides openssl_options, enabling tickets\n");
2835 SSL_clear_options(ssl, SSL_OP_NO_TICKET);
2836
2837 tls_exdata_idx = SSL_get_ex_new_index(0, 0, 0, 0, 0);
2838 if (!SSL_set_ex_data(ssl, tls_exdata_idx, client_static_cbinfo))
2839 {
2840 tls_error(US"set ex_data", host, NULL, errstr);
2841 return FALSE;
2842 }
2843 debug_printf("tls_exdata_idx %d cbinfo %p\n", tls_exdata_idx, client_static_cbinfo);
2844 }
2845
2846tlsp->resumption = RESUME_SUPPORTED;
2847/* Pick up a previous session, saved on an old ticket */
2848tls_retrieve_session(tlsp, ssl, host->address);
2849return TRUE;
2850}
2851
2852static void
2853tls_client_resume_posthandshake(exim_openssl_client_tls_ctx * exim_client_ctx,
2854 tls_support * tlsp)
2855{
2856if (SSL_session_reused(exim_client_ctx->ssl))
2857 {
2858 DEBUG(D_tls) debug_printf("The session was reused\n");
2859 tlsp->resumption |= RESUME_USED;
2860 }
2861}
2862#endif /* EXPERIMENTAL_TLS_RESUME */
2863
2864
059ec3d9
PH		 2865/*************************************************
2866* Start a TLS session in a client *
2867*************************************************/
2868
2869/* Called from the smtp transport after STARTTLS has been accepted.
2870
c05bdbd6
JH		 2871Arguments:
2872 cctx connection context
2873 conn_args connection details
2874 cookie datum for randomness; can be NULL
2875 tlsp record details of TLS channel configuration here; must be non-NULL
2876 errstr error string pointer
2877
2878Returns: TRUE for success with TLS session context set in connection context,
2879 FALSE on error
059ec3d9
PH		 2880*/
2881
c05bdbd6
JH		 2882BOOL
2883tls_client_start(client_conn_ctx * cctx, smtp_connect_args * conn_args,
2884 void * cookie, tls_support * tlsp, uschar ** errstr)
059ec3d9 2885{
c05bdbd6
JH		 2886host_item * host = conn_args->host; /* for msgs and option-tests */
2887transport_instance * tb = conn_args->tblock; /* always smtp or NULL */
afdb5e9c
JH		 2888smtp_transport_options_block * ob = tb
2889 ? (smtp_transport_options_block *)tb->options_block
2890 : &smtp_transport_option_defaults;
74f1a423 2891exim_openssl_client_tls_ctx * exim_client_ctx;
868f5672 2892uschar * expciphers;
059ec3d9 2893int rc;
c05bdbd6 2894static uschar peerdn[256];
043b1248
JH		 2895
2896#ifndef DISABLE_OCSP
043b1248 2897BOOL request_ocsp = FALSE;
6634ac8d 2898BOOL require_ocsp = FALSE;
043b1248 2899#endif
043b1248 2900
74f1a423
JH		 2901rc = store_pool;
2902store_pool = POOL_PERM;
2903exim_client_ctx = store_get(sizeof(exim_openssl_client_tls_ctx));
c09dbcfb 2904exim_client_ctx->corked = NULL;
74f1a423
JH		 2905store_pool = rc;
2906
c0635b6d 2907#ifdef SUPPORT_DANE
74f1a423 2908tlsp->tlsa_usage = 0;
043b1248
JH		 2909#endif
2910
f2de3a33 2911#ifndef DISABLE_OCSP
043b1248 2912 {
c0635b6d 2913# ifdef SUPPORT_DANE
c05bdbd6 2914 if ( conn_args->dane
4f59c424
JH		 2915 && ob->hosts_request_ocsp[0] == '*'
2916 && ob->hosts_request_ocsp[1] == '\0'
2917 )
2918 {
2919 /* Unchanged from default. Use a safer one under DANE */
2920 request_ocsp = TRUE;
2921 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
2922 " {= {4}{$tls_out_tlsa_usage}} } "
2923 " {*}{}}";
2924 }
2925# endif
2926
5130845b 2927 if ((require_ocsp =
3c07dd2d 2928 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK))
fca41d5a
JH		 2929 request_ocsp = TRUE;
2930 else
c0635b6d 2931# ifdef SUPPORT_DANE
4f59c424 2932 if (!request_ocsp)
fca41d5a 2933# endif
5130845b 2934 request_ocsp =
3c07dd2d 2935 verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
043b1248 2936 }
f5d78688 2937#endif
059ec3d9 2938
74f1a423 2939rc = tls_init(&exim_client_ctx->ctx, host, NULL,
65867078 2940 ob->tls_certificate, ob->tls_privatekey,
f2de3a33 2941#ifndef DISABLE_OCSP
44662487 2942 (void *)(long)request_ocsp,
3f7eeb86 2943#endif
b10c87b3 2944 cookie, &client_static_cbinfo, tlsp, errstr);
c05bdbd6 2945if (rc != OK) return FALSE;
059ec3d9 2946
74f1a423 2947tlsp->certificate_verified = FALSE;
a2ff477a 2948client_verify_callback_called = FALSE;
059ec3d9 2949
5ec37a55
PP		 2950expciphers = NULL;
2951#ifdef SUPPORT_DANE
c05bdbd6 2952if (conn_args->dane)
5ec37a55
PP		 2953 {
2954 /* We fall back to tls_require_ciphers if unset, empty or forced failure, but
2955 other failures should be treated as problems. */
2956 if (ob->dane_require_tls_ciphers &&
2957 !expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
2958 &expciphers, errstr))
c05bdbd6 2959 return FALSE;
5ec37a55
PP		 2960 if (expciphers && *expciphers == '\0')
2961 expciphers = NULL;
2962 }
2963#endif
2964if (!expciphers &&
2965 !expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
2966 &expciphers, errstr))
c05bdbd6 2967 return FALSE;
059ec3d9
PH		 2968
2969/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
2970are separated by underscores. So that I can use either form in my tests, and
2971also for general convenience, we turn underscores into hyphens here. */
2972
cf0c6164 2973if (expciphers)
059ec3d9
PH		 2974 {
2975 uschar *s = expciphers;
cf0c6164 2976 while (*s) { if (*s == '_') *s = '-'; s++; }
059ec3d9 2977 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
74f1a423
JH		 2978 if (!SSL_CTX_set_cipher_list(exim_client_ctx->ctx, CS expciphers))
2979 {
2980 tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr);
c05bdbd6 2981 return FALSE;
74f1a423 2982 }
059ec3d9
PH		 2983 }
2984
c0635b6d 2985#ifdef SUPPORT_DANE
c05bdbd6 2986if (conn_args->dane)
a63be306 2987 {
74f1a423 2988 SSL_CTX_set_verify(exim_client_ctx->ctx,
02af313d
JH		 2989 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2990 verify_callback_client_dane);
e5cccda9 2991
043b1248 2992 if (!DANESSL_library_init())
74f1a423
JH		 2993 {
2994 tls_error(US"library init", host, NULL, errstr);
c05bdbd6 2995 return FALSE;
74f1a423
JH		 2996 }
2997 if (DANESSL_CTX_init(exim_client_ctx->ctx) <= 0)
2998 {
2999 tls_error(US"context init", host, NULL, errstr);
c05bdbd6 3000 return FALSE;
74f1a423 3001 }
043b1248
JH		 3002 }
3003else
e51c7be2 3004
043b1248
JH		 3005#endif
3006
74f1a423
JH		 3007 if (tls_client_basic_ctx_init(exim_client_ctx->ctx, host, ob,
3008 client_static_cbinfo, errstr) != OK)
c05bdbd6 3009 return FALSE;
059ec3d9 3010
b10c87b3
JH		 3011#ifdef EXPERIMENTAL_TLS_RESUME
3012tls_client_ctx_resume_prehandshake(exim_client_ctx, tlsp, ob, host);
3013#endif
3014
3015
74f1a423
JH		 3016if (!(exim_client_ctx->ssl = SSL_new(exim_client_ctx->ctx)))
3017 {
3018 tls_error(US"SSL_new", host, NULL, errstr);
c05bdbd6 3019 return FALSE;
74f1a423
JH		 3020 }
3021SSL_set_session_id_context(exim_client_ctx->ssl, sid_ctx, Ustrlen(sid_ctx));
b10c87b3
JH		 3022
3023#ifdef EXPERIMENTAL_TLS_RESUME
3024if (!tls_client_ssl_resume_prehandshake(exim_client_ctx->ssl, tlsp, host,
3025 errstr))
3026 return FALSE;
3027#endif
3028
c05bdbd6 3029SSL_set_fd(exim_client_ctx->ssl, cctx->sock);
74f1a423 3030SSL_set_connect_state(exim_client_ctx->ssl);
059ec3d9 3031
65867078 3032if (ob->tls_sni)
3f0945ff 3033 {
74f1a423 3034 if (!expand_check(ob->tls_sni, US"tls_sni", &tlsp->sni, errstr))
c05bdbd6 3035 return FALSE;
74f1a423 3036 if (!tlsp->sni)
2c9a0e86
PP		 3037 {
3038 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
3039 }
74f1a423
JH		 3040 else if (!Ustrlen(tlsp->sni))
3041 tlsp->sni = NULL;
3f0945ff
PP		 3042 else
3043 {
35731706 3044#ifdef EXIM_HAVE_OPENSSL_TLSEXT
74f1a423
JH		 3045 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tlsp->sni);
3046 SSL_set_tlsext_host_name(exim_client_ctx->ssl, tlsp->sni);
35731706 3047#else
66802652 3048 log_write(0, LOG_MAIN, "SNI unusable with this OpenSSL library version; ignoring \"%s\"\n",
74f1a423 3049 tlsp->sni);
35731706 3050#endif
3f0945ff
PP		 3051 }
3052 }
3053
c0635b6d 3054#ifdef SUPPORT_DANE
c05bdbd6
JH		 3055if (conn_args->dane)
3056 if (dane_tlsa_load(exim_client_ctx->ssl, host, &conn_args->tlsa_dnsa, errstr) != OK)
3057 return FALSE;
594706ea
JH		 3058#endif
3059
f2de3a33 3060#ifndef DISABLE_OCSP
f5d78688
JH		 3061/* Request certificate status at connection-time. If the server
3062does OCSP stapling we will get the callback (set in tls_init()) */
c0635b6d 3063# ifdef SUPPORT_DANE
594706ea
JH		 3064if (request_ocsp)
3065 {
3066 const uschar * s;
41afb5cb
JH		 3067 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
3068 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
594706ea
JH		 3069 )
3070 { /* Re-eval now $tls_out_tlsa_usage is populated. If
3071 this means we avoid the OCSP request, we wasted the setup
3072 cost in tls_init(). */
3c07dd2d 3073 require_ocsp = verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
5130845b 3074 request_ocsp = require_ocsp
3c07dd2d 3075 || verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
594706ea
JH		 3076 }
3077 }
b50c8b84
JH		 3078# endif
3079
44662487
JH		 3080if (request_ocsp)
3081 {
74f1a423 3082 SSL_set_tlsext_status_type(exim_client_ctx->ssl, TLSEXT_STATUSTYPE_ocsp);
44662487 3083 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
74f1a423 3084 tlsp->ocsp = OCSP_NOT_RESP;
44662487 3085 }
f5d78688
JH		 3086#endif
3087
0cbf2b82 3088#ifndef DISABLE_EVENT
afdb5e9c 3089client_static_cbinfo->event_action = tb ? tb->event_action : NULL;
a7538db1 3090#endif
043b1248 3091
059ec3d9
PH		 3092/* There doesn't seem to be a built-in timeout on connection. */
3093
3094DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
3095sigalrm_seen = FALSE;
c2a1bba0 3096ALARM(ob->command_timeout);
74f1a423 3097rc = SSL_connect(exim_client_ctx->ssl);
c2a1bba0 3098ALARM_CLR(0);
059ec3d9 3099
c0635b6d 3100#ifdef SUPPORT_DANE
c05bdbd6 3101if (conn_args->dane)
74f1a423 3102 DANESSL_cleanup(exim_client_ctx->ssl);
043b1248
JH		 3103#endif
3104
059ec3d9 3105if (rc <= 0)
74f1a423
JH		 3106 {
3107 tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL, errstr);
c05bdbd6 3108 return FALSE;
74f1a423 3109 }
059ec3d9 3110
f20cfa4a
JH		 3111DEBUG(D_tls)
3112 {
3113 debug_printf("SSL_connect succeeded\n");
3114#ifdef EXIM_HAVE_OPENSSL_KEYLOG
3115 {
10ed27e0
JH		 3116 BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
3117 SSL_SESSION_print_keylog(bp, SSL_get_session(exim_client_ctx->ssl));
3118 BIO_free(bp);
f20cfa4a
JH		 3119 }
3120#endif
3121 }
059ec3d9 3122
b10c87b3
JH		 3123#ifdef EXPERIMENTAL_TLS_RESUME
3124tls_client_resume_posthandshake(exim_client_ctx, tlsp);
3125#endif
3126
74f1a423 3127peer_cert(exim_client_ctx->ssl, tlsp, peerdn, sizeof(peerdn));
059ec3d9 3128
f1be21cf
JH		 3129tlsp->cipher = construct_cipher_name(exim_client_ctx->ssl, &tlsp->bits);
3130tlsp->cipher_stdname = cipher_stdname_ssl(exim_client_ctx->ssl);
059ec3d9 3131
9d1c15ef
JH		 3132/* Record the certificate we presented */
3133 {
74f1a423
JH		 3134 X509 * crt = SSL_get_certificate(exim_client_ctx->ssl);
3135 tlsp->ourcert = crt ? X509_dup(crt) : NULL;
9d1c15ef
JH		 3136 }
3137
c05bdbd6 3138tlsp->active.sock = cctx->sock;
74f1a423 3139tlsp->active.tls_ctx = exim_client_ctx;
c05bdbd6
JH		 3140cctx->tls_ctx = exim_client_ctx;
3141return TRUE;
059ec3d9
PH		 3142}
3143
3144
3145
3146
3147
0d81dabc
JH		 3148static BOOL
3149tls_refill(unsigned lim)
3150{
3151int error;
3152int inbytes;
3153
3154DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
3155 ssl_xfer_buffer, ssl_xfer_buffer_size);
3156
c2a1bba0 3157if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
0d81dabc
JH		 3158inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer,
3159 MIN(ssl_xfer_buffer_size, lim));
3160error = SSL_get_error(server_ssl, inbytes);
c2a1bba0 3161if (smtp_receive_timeout > 0) ALARM_CLR(0);
9723f966
JH		 3162
3163if (had_command_timeout) /* set by signal handler */
3164 smtp_command_timeout_exit(); /* does not return */
3165if (had_command_sigterm)
3166 smtp_command_sigterm_exit();
3167if (had_data_timeout)
3168 smtp_data_timeout_exit();
3169if (had_data_sigint)
3170 smtp_data_sigint_exit();
0d81dabc
JH		 3171
3172/* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
3173closed down, not that the socket itself has been closed down. Revert to
3174non-SSL handling. */
3175
74f1a423 3176switch(error)
0d81dabc 3177 {
74f1a423
JH		 3178 case SSL_ERROR_NONE:
3179 break;
3180
3181 case SSL_ERROR_ZERO_RETURN:
3182 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
0d81dabc 3183
74f1a423
JH		 3184 receive_getc = smtp_getc;
3185 receive_getbuf = smtp_getbuf;
3186 receive_get_cache = smtp_get_cache;
3187 receive_ungetc = smtp_ungetc;
3188 receive_feof = smtp_feof;
3189 receive_ferror = smtp_ferror;
3190 receive_smtp_buffered = smtp_buffered;
0d81dabc 3191
74f1a423
JH		 3192 if (SSL_get_shutdown(server_ssl) == SSL_RECEIVED_SHUTDOWN)
3193 SSL_shutdown(server_ssl);
dec766a1 3194
37f0ce65 3195#ifndef DISABLE_OCSP
74f1a423
JH		 3196 sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
3197 server_static_cbinfo->verify_stack = NULL;
37f0ce65 3198#endif
74f1a423
JH		 3199 SSL_free(server_ssl);
3200 SSL_CTX_free(server_ctx);
3201 server_ctx = NULL;
3202 server_ssl = NULL;
3203 tls_in.active.sock = -1;
3204 tls_in.active.tls_ctx = NULL;
3205 tls_in.bits = 0;
3206 tls_in.cipher = NULL;
3207 tls_in.peerdn = NULL;
3208 tls_in.sni = NULL;
0d81dabc 3209
74f1a423 3210 return FALSE;
0d81dabc 3211
74f1a423
JH		 3212 /* Handle genuine errors */
3213 case SSL_ERROR_SSL:
0abc5a13 3214 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
74f1a423
JH		 3215 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
3216 ssl_xfer_error = TRUE;
3217 return FALSE;
0d81dabc 3218
74f1a423
JH		 3219 default:
3220 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
3221 DEBUG(D_tls) if (error == SSL_ERROR_SYSCALL)
3222 debug_printf(" - syscall %s\n", strerror(errno));
3223 ssl_xfer_error = TRUE;
3224 return FALSE;
0d81dabc
JH		 3225 }
3226
3227#ifndef DISABLE_DKIM
3228dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
3229#endif
3230ssl_xfer_buffer_hwm = inbytes;
3231ssl_xfer_buffer_lwm = 0;
3232return TRUE;
3233}
3234
3235
059ec3d9
PH		 3236/*************************************************
3237* TLS version of getc *
3238*************************************************/
3239
3240/* This gets the next byte from the TLS input buffer. If the buffer is empty,
3241it refills the buffer via the SSL reading function.
3242
bd8fbe36 3243Arguments: lim Maximum amount to read/buffer
059ec3d9 3244Returns: the next character or EOF
817d9f57
JH		 3245
3246Only used by the server-side TLS.
059ec3d9
PH		 3247*/
3248
3249int
bd8fbe36 3250tls_getc(unsigned lim)
059ec3d9
PH		 3251{
3252if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
0d81dabc
JH		 3253 if (!tls_refill(lim))
3254 return ssl_xfer_error ? EOF : smtp_getc(lim);
059ec3d9 3255
0d81dabc 3256/* Something in the buffer; return next uschar */
059ec3d9 3257
0d81dabc
JH		 3258return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
3259}
059ec3d9 3260
0d81dabc
JH		 3261uschar *
3262tls_getbuf(unsigned * len)
3263{
3264unsigned size;
3265uschar * buf;
ba084640 3266
0d81dabc
JH		 3267if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
3268 if (!tls_refill(*len))
059ec3d9 3269 {
0d81dabc
JH		 3270 if (!ssl_xfer_error) return smtp_getbuf(len);
3271 *len = 0;
3272 return NULL;
059ec3d9 3273 }
c80c5570 3274
0d81dabc
JH		 3275if ((size = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm) > *len)
3276 size = *len;
3277buf = &ssl_xfer_buffer[ssl_xfer_buffer_lwm];
3278ssl_xfer_buffer_lwm += size;
3279*len = size;
3280return buf;
059ec3d9
PH		 3281}
3282
0d81dabc 3283
584e96c6
JH		 3284void
3285tls_get_cache()
3286{
9960d1e5 3287#ifndef DISABLE_DKIM
584e96c6
JH		 3288int n = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm;
3289if (n > 0)
3290 dkim_exim_verify_feed(ssl_xfer_buffer+ssl_xfer_buffer_lwm, n);
584e96c6 3291#endif
9960d1e5 3292}
584e96c6 3293
059ec3d9 3294
925ac8e4
JH		 3295BOOL
3296tls_could_read(void)
3297{
a5ffa9b4 3298return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm || SSL_pending(server_ssl) > 0;
925ac8e4
JH		 3299}
3300
059ec3d9
PH		 3301
3302/*************************************************
3303* Read bytes from TLS channel *
3304*************************************************/
3305
3306/*
3307Arguments:
74f1a423 3308 ct_ctx client context pointer, or NULL for the one global server context
059ec3d9
PH		 3309 buff buffer of data
3310 len size of buffer
3311
3312Returns: the number of bytes read
afdb5e9c 3313 -1 after a failed read, including EOF
817d9f57
JH		 3314
3315Only used by the client-side TLS.
059ec3d9
PH		 3316*/
3317
3318int
74f1a423 3319tls_read(void * ct_ctx, uschar *buff, size_t len)
059ec3d9 3320{
74f1a423 3321SSL * ssl = ct_ctx ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
059ec3d9
PH		 3322int inbytes;
3323int error;
3324
389ca47a 3325DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
c80c5570 3326 buff, (unsigned int)len);
059ec3d9 3327
389ca47a
JH		 3328inbytes = SSL_read(ssl, CS buff, len);
3329error = SSL_get_error(ssl, inbytes);
059ec3d9
PH		 3330
3331if (error == SSL_ERROR_ZERO_RETURN)
3332 {
3333 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
3334 return -1;
3335 }
3336else if (error != SSL_ERROR_NONE)
059ec3d9 3337 return -1;
059ec3d9
PH		 3338
3339return inbytes;
3340}
3341
3342
3343
3344
3345
3346/*************************************************
3347* Write bytes down TLS channel *
3348*************************************************/
3349
3350/*
3351Arguments:
74f1a423 3352 ct_ctx client context pointer, or NULL for the one global server context
059ec3d9
PH		 3353 buff buffer of data
3354 len number of bytes
925ac8e4 3355 more further data expected soon
059ec3d9
PH		 3356
3357Returns: the number of bytes after a successful write,
3358 -1 after a failed write
817d9f57
JH		 3359
3360Used by both server-side and client-side TLS.
059ec3d9
PH		 3361*/
3362
3363int
74f1a423 3364tls_write(void * ct_ctx, const uschar *buff, size_t len, BOOL more)
059ec3d9 3365{
ac35befe 3366size_t olen = len;
d7978c0f 3367int outbytes, error;
c09dbcfb
JH		 3368SSL * ssl = ct_ctx
3369 ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
3370static gstring * server_corked = NULL;
3371gstring ** corkedp = ct_ctx
3372 ? &((exim_openssl_client_tls_ctx *)ct_ctx)->corked : &server_corked;
3373gstring * corked = *corkedp;
a5ffa9b4 3374
ef698bf6 3375DEBUG(D_tls) debug_printf("%s(%p, %lu%s)\n", __FUNCTION__,
b93be52e 3376 buff, (unsigned long)len, more ? ", more" : "");
a5ffa9b4
JH		 3377
3378/* Lacking a CORK or MSG_MORE facility (such as GnuTLS has) we copy data when
3379"more" is notified. This hack is only ok if small amounts are involved AND only
3380one stream does it, in one context (i.e. no store reset). Currently it is used
c09dbcfb
JH		 3381for the responses to the received SMTP MAIL , RCPT, DATA sequence, only.
3382We support callouts done by the server process by using a separate client
3383context for the stashed information. */
ac35befe
JH		 3384/* + if PIPE_COMMAND, banner & ehlo-resp for smmtp-on-connect. Suspect there's
3385a store reset there, so use POOL_PERM. */
3386/* + if CHUNKING, cmds EHLO,MAIL,RCPT(s),BDAT */
a5ffa9b4 3387
ac35befe 3388if ((more || corked))
a5ffa9b4 3389 {
ee8b8090
JH		 3390#ifdef EXPERIMENTAL_PIPE_CONNECT
3391 int save_pool = store_pool;
3392 store_pool = POOL_PERM;
3393#endif
3394
acec9514 3395 corked = string_catn(corked, buff, len);
ee8b8090
JH		 3396
3397#ifdef EXPERIMENTAL_PIPE_CONNECT
3398 store_pool = save_pool;
3399#endif
3400
a5ffa9b4 3401 if (more)
c09dbcfb
JH		 3402 {
3403 *corkedp = corked;
a5ffa9b4 3404 return len;
c09dbcfb 3405 }
acec9514
JH		 3406 buff = CUS corked->s;
3407 len = corked->ptr;
c09dbcfb 3408 *corkedp = NULL;
a5ffa9b4 3409 }
059ec3d9 3410
d7978c0f 3411for (int left = len; left > 0;)
059ec3d9 3412 {
74f1a423 3413 DEBUG(D_tls) debug_printf("SSL_write(%p, %p, %d)\n", ssl, buff, left);
059ec3d9
PH		 3414 outbytes = SSL_write(ssl, CS buff, left);
3415 error = SSL_get_error(ssl, outbytes);
3416 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
3417 switch (error)
3418 {
3419 case SSL_ERROR_SSL:
0abc5a13 3420 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
96f5fe4c
JH		 3421 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
3422 return -1;
059ec3d9
PH		 3423
3424 case SSL_ERROR_NONE:
96f5fe4c
JH		 3425 left -= outbytes;
3426 buff += outbytes;
3427 break;
059ec3d9
PH		 3428
3429 case SSL_ERROR_ZERO_RETURN:
96f5fe4c
JH		 3430 log_write(0, LOG_MAIN, "SSL channel closed on write");
3431 return -1;
059ec3d9 3432
817d9f57 3433 case SSL_ERROR_SYSCALL:
96f5fe4c
JH		 3434 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
3435 sender_fullhost ? sender_fullhost : US"<unknown>",
3436 strerror(errno));
3437 return -1;
817d9f57 3438
059ec3d9 3439 default:
96f5fe4c
JH		 3440 log_write(0, LOG_MAIN, "SSL_write error %d", error);
3441 return -1;
059ec3d9
PH		 3442 }
3443 }
ac35befe 3444return olen;
059ec3d9
PH		 3445}
3446
3447
3448
3449/*************************************************
3450* Close down a TLS session *
3451*************************************************/
3452
3453/* This is also called from within a delivery subprocess forked from the
3454daemon, to shut down the TLS library, without actually doing a shutdown (which
3455would tamper with the SSL session in the parent process).
3456
dec766a1 3457Arguments:
74f1a423 3458 ct_ctx client TLS context pointer, or NULL for the one global server context
dec766a1
WB		 3459 shutdown 1 if TLS close-alert is to be sent,
3460 2 if also response to be waited for
3461
059ec3d9 3462Returns: nothing
817d9f57
JH		 3463
3464Used by both server-side and client-side TLS.
059ec3d9
PH		 3465*/
3466
3467void
74f1a423 3468tls_close(void * ct_ctx, int shutdown)
059ec3d9 3469{
74f1a423
JH		 3470exim_openssl_client_tls_ctx * o_ctx = ct_ctx;
3471SSL_CTX **ctxp = o_ctx ? &o_ctx->ctx : &server_ctx;
3472SSL **sslp = o_ctx ? &o_ctx->ssl : &server_ssl;
3473int *fdp = o_ctx ? &tls_out.active.sock : &tls_in.active.sock;
817d9f57
JH		 3474
3475if (*fdp < 0) return; /* TLS was not active */
059ec3d9
PH		 3476
3477if (shutdown)
3478 {
dec766a1
WB		 3479 int rc;
3480 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
3481 shutdown > 1 ? " (with response-wait)" : "");
3482
3483 if ( (rc = SSL_shutdown(*sslp)) == 0 /* send "close notify" alert */
3484 && shutdown > 1)
3485 {
c2a1bba0 3486 ALARM(2);
dec766a1 3487 rc = SSL_shutdown(*sslp); /* wait for response */
c2a1bba0 3488 ALARM_CLR(0);
dec766a1
WB		 3489 }
3490
3491 if (rc < 0) DEBUG(D_tls)
3492 {
0abc5a13 3493 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
dec766a1
WB		 3494 debug_printf("SSL_shutdown: %s\n", ssl_errstring);
3495 }
3496 }
3497
37f0ce65 3498#ifndef DISABLE_OCSP
74f1a423 3499if (!o_ctx) /* server side */
dec766a1
WB		 3500 {
3501 sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
dec766a1 3502 server_static_cbinfo->verify_stack = NULL;
059ec3d9 3503 }
37f0ce65 3504#endif
059ec3d9 3505
dec766a1 3506SSL_CTX_free(*ctxp);
817d9f57 3507SSL_free(*sslp);
dec766a1 3508*ctxp = NULL;
817d9f57 3509*sslp = NULL;
817d9f57 3510*fdp = -1;
059ec3d9
PH		 3511}
3512
36f12725
NM		 3513
3514
3515
3375e053
PP		 3516/*************************************************
3517* Let tls_require_ciphers be checked at startup *
3518*************************************************/
3519
3520/* The tls_require_ciphers option, if set, must be something which the
3521library can parse.
3522
3523Returns: NULL on success, or error message
3524*/
3525
3526uschar *
3527tls_validate_require_cipher(void)
3528{
3529SSL_CTX *ctx;
3530uschar *s, *expciphers, *err;
3531
3532/* this duplicates from tls_init(), we need a better "init just global
3533state, for no specific purpose" singleton function of our own */
3534
7434882d 3535#ifdef EXIM_NEED_OPENSSL_INIT
3375e053
PP		 3536SSL_load_error_strings();
3537OpenSSL_add_ssl_algorithms();
7434882d 3538#endif
3375e053
PP		 3539#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
3540/* SHA256 is becoming ever more popular. This makes sure it gets added to the
3541list of available digests. */
3542EVP_add_digest(EVP_sha256());
3543#endif
3544
3545if (!(tls_require_ciphers && *tls_require_ciphers))
3546 return NULL;
3547
cf0c6164
JH		 3548if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
3549 &err))
3375e053
PP		 3550 return US"failed to expand tls_require_ciphers";
3551
3552if (!(expciphers && *expciphers))
3553 return NULL;
3554
3555/* normalisation ripped from above */
3556s = expciphers;
3557while (*s != 0) { if (*s == '_') *s = '-'; s++; }
3558
3559err = NULL;
3560
7a8b9519
JH		 3561#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
3562if (!(ctx = SSL_CTX_new(TLS_server_method())))
3563#else
3564if (!(ctx = SSL_CTX_new(SSLv23_server_method())))
3565#endif
3375e053 3566 {
0abc5a13 3567 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3375e053
PP		 3568 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
3569 }
3570
3571DEBUG(D_tls)
3572 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
3573
3574if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
3575 {
0abc5a13 3576 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
cf0c6164
JH		 3577 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed: %s",
3578 expciphers, ssl_errstring);
3375e053
PP		 3579 }
3580
3581SSL_CTX_free(ctx);
3582
3583return err;
3584}
3585
3586
3587
3588
36f12725
NM		 3589/*************************************************
3590* Report the library versions. *
3591*************************************************/
3592
3593/* There have historically been some issues with binary compatibility in
3594OpenSSL libraries; if Exim (like many other applications) is built against
3595one version of OpenSSL but the run-time linker picks up another version,
3596it can result in serious failures, including crashing with a SIGSEGV. So
3597report the version found by the compiler and the run-time version.
3598
f64a1e23
PP		 3599Note: some OS vendors backport security fixes without changing the version
3600number/string, and the version date remains unchanged. The _build_ date
3601will change, so we can more usefully assist with version diagnosis by also
3602reporting the build date.
3603
36f12725
NM		 3604Arguments: a FILE* to print the results to
3605Returns: nothing
3606*/
3607
3608void
3609tls_version_report(FILE *f)
3610{
754a0503 3611fprintf(f, "Library version: OpenSSL: Compile: %s\n"
f64a1e23
PP		 3612 " Runtime: %s\n"
3613 " : %s\n",
754a0503 3614 OPENSSL_VERSION_TEXT,
f64a1e23
PP		 3615 SSLeay_version(SSLEAY_VERSION),
3616 SSLeay_version(SSLEAY_BUILT_ON));
3617/* third line is 38 characters for the %s and the line is 73 chars long;
3618the OpenSSL output includes a "built on: " prefix already. */
36f12725
NM		 3619}
3620
9e3331ea
TK		 3621
3622
3623
3624/*************************************************
17c76198 3625* Random number generation *
9e3331ea
TK		 3626*************************************************/
3627
3628/* Pseudo-random number generation. The result is not expected to be
3629cryptographically strong but not so weak that someone will shoot themselves
3630in the foot using it as a nonce in input in some email header scheme or
3631whatever weirdness they'll twist this into. The result should handle fork()
3632and avoid repeating sequences. OpenSSL handles that for us.
3633
3634Arguments:
3635 max range maximum
3636Returns a random number in range [0, max-1]
3637*/
3638
3639int
17c76198 3640vaguely_random_number(int max)
9e3331ea
TK		 3641{
3642unsigned int r;
3643int i, needed_len;
de6135a0
PP		 3644static pid_t pidlast = 0;
3645pid_t pidnow;
9e3331ea
TK		 3646uschar smallbuf[sizeof(r)];
3647
3648if (max <= 1)
3649 return 0;
3650
de6135a0
PP		 3651pidnow = getpid();
3652if (pidnow != pidlast)
3653 {
3654 /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
3655 is unique for each thread", this doesn't apparently apply across processes,
3656 so our own warning from vaguely_random_number_fallback() applies here too.
3657 Fix per PostgreSQL. */
3658 if (pidlast != 0)
3659 RAND_cleanup();
3660 pidlast = pidnow;
3661 }
3662
9e3331ea
TK		 3663/* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
3664if (!RAND_status())
3665 {
3666 randstuff r;
3667 gettimeofday(&r.tv, NULL);
3668 r.p = getpid();
3669
5903c6ff 3670 RAND_seed(US (&r), sizeof(r));
9e3331ea
TK		 3671 }
3672/* We're after pseudo-random, not random; if we still don't have enough data
3673in the internal PRNG then our options are limited. We could sleep and hope
3674for entropy to come along (prayer technique) but if the system is so depleted
3675in the first place then something is likely to just keep taking it. Instead,
3676we'll just take whatever little bit of pseudo-random we can still manage to
3677get. */
3678
3679needed_len = sizeof(r);
3680/* Don't take 8 times more entropy than needed if int is 8 octets and we were
3681asked for a number less than 10. */
3682for (r = max, i = 0; r; ++i)
3683 r >>= 1;
3684i = (i + 7) / 8;
3685if (i < needed_len)
3686 needed_len = i;
3687
c8dfb21d 3688#ifdef EXIM_HAVE_RAND_PSEUDO
9e3331ea 3689/* We do not care if crypto-strong */
17c76198 3690i = RAND_pseudo_bytes(smallbuf, needed_len);
c8dfb21d
JH		 3691#else
3692i = RAND_bytes(smallbuf, needed_len);
3693#endif
3694
17c76198
PP		 3695if (i < 0)
3696 {
3697 DEBUG(D_all)
3698 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
3699 return vaguely_random_number_fallback(max);
3700 }
3701
9e3331ea 3702r = 0;
d7978c0f
JH		 3703for (uschar * p = smallbuf; needed_len; --needed_len, ++p)
3704 r = 256 * r + *p;
9e3331ea
TK		 3705
3706/* We don't particularly care about weighted results; if someone wants
3707smooth distribution and cares enough then they should submit a patch then. */
3708return r % max;
3709}
3710
77bb000f
PP		 3711
3712
3713
3714/*************************************************
3715* OpenSSL option parse *
3716*************************************************/
3717
3718/* Parse one option for tls_openssl_options_parse below
3719
3720Arguments:
3721 name one option name
3722 value place to store a value for it
3723Returns success or failure in parsing
3724*/
3725
77bb000f 3726
c80c5570 3727
77bb000f
PP		 3728static BOOL
3729tls_openssl_one_option_parse(uschar *name, long *value)
3730{
3731int first = 0;
3732int last = exim_openssl_options_size;
3733while (last > first)
3734 {
3735 int middle = (first + last)/2;
3736 int c = Ustrcmp(name, exim_openssl_options[middle].name);
3737 if (c == 0)
3738 {
3739 *value = exim_openssl_options[middle].value;
3740 return TRUE;
3741 }
3742 else if (c > 0)
3743 first = middle + 1;
3744 else
3745 last = middle;
3746 }
3747return FALSE;
3748}
3749
3750
3751
3752
3753/*************************************************
3754* OpenSSL option parsing logic *
3755*************************************************/
3756
3757/* OpenSSL has a number of compatibility options which an administrator might
3758reasonably wish to set. Interpret a list similarly to decode_bits(), so that
3759we look like log_selector.
3760
3761Arguments:
3762 option_spec the administrator-supplied string of options
3763 results ptr to long storage for the options bitmap
3764Returns success or failure
3765*/
3766
3767BOOL
3768tls_openssl_options_parse(uschar *option_spec, long *results)
3769{
3770long result, item;
d7978c0f 3771uschar *end;
77bb000f
PP		 3772uschar keep_c;
3773BOOL adding, item_parsed;
3774
b10c87b3 3775/* Server: send no (<= TLS1.2) session tickets */
7006ee24 3776result = SSL_OP_NO_TICKET;
b10c87b3 3777
b1770b6e 3778/* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
da3ad30d 3779 * from default because it increases BEAST susceptibility. */
f0f5a555
PP		 3780#ifdef SSL_OP_NO_SSLv2
3781result |= SSL_OP_NO_SSLv2;
3782#endif
b10c87b3
JH		 3783#ifdef SSL_OP_NO_SSLv3
3784result |= SSL_OP_NO_SSLv3;
3785#endif
a57b6200
JH		 3786#ifdef SSL_OP_SINGLE_DH_USE
3787result |= SSL_OP_SINGLE_DH_USE;
3788#endif
77bb000f 3789
7006ee24 3790if (!option_spec)
77bb000f
PP		 3791 {
3792 *results = result;
3793 return TRUE;
3794 }
3795
b10c87b3 3796for (uschar * s = option_spec; *s; /**/)
77bb000f
PP		 3797 {
3798 while (isspace(*s)) ++s;
3799 if (*s == '\0')
3800 break;
3801 if (*s != '+' && *s != '-')
3802 {
3803 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
0e944a0d 3804 "+ or - expected but found \"%s\"\n", s);
77bb000f
PP		 3805 return FALSE;
3806 }
3807 adding = *s++ == '+';
3808 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
3809 keep_c = *end;
3810 *end = '\0';
3811 item_parsed = tls_openssl_one_option_parse(s, &item);
96f5fe4c 3812 *end = keep_c;
77bb000f
PP		 3813 if (!item_parsed)
3814 {
0e944a0d 3815 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
77bb000f
PP		 3816 return FALSE;
3817 }
f97ca6d1
JH		 3818 DEBUG(D_tls) debug_printf("openssl option, %s %8lx: %lx (%s)\n",
3819 adding ? "adding to " : "removing from", result, item, s);
77bb000f
PP		 3820 if (adding)
3821 result |= item;
3822 else
3823 result &= ~item;
77bb000f
PP		 3824 s = end;
3825 }
3826
3827*results = result;
3828return TRUE;
3829}
3830
8442641e 3831#endif /*!MACRO_PREDEF*/
9d1c15ef
JH		 3832/* vi: aw ai sw=2
3833*/
059ec3d9 3834/* End of tls-openssl.c */
Unnamed repository; edit this file 'description' to name the repository.