Docs: add index entry
[exim.git] / src / src / tls-openssl.c
CommitLineData
059ec3d9
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
d4e5e70b 5/* Copyright (c) University of Cambridge 1995 - 2017 */
059ec3d9
PH
6/* See the file NOTICE for conditions of use and distribution. */
7
f5d78688
JH
8/* Portions Copyright (c) The OpenSSL Project 1999 */
9
059ec3d9
PH
10/* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11library. It is #included into the tls.c file when that library is used. The
12code herein is based on a patch that was originally contributed by Steve
13Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
14
15No cryptographic code is included in Exim. All this module does is to call
16functions from the OpenSSL library. */
17
18
19/* Heading stuff */
20
21#include <openssl/lhash.h>
22#include <openssl/ssl.h>
23#include <openssl/err.h>
24#include <openssl/rand.h>
10ca4f1c
JH
25#ifndef OPENSSL_NO_ECDH
26# include <openssl/ec.h>
27#endif
f2de3a33 28#ifndef DISABLE_OCSP
e51c7be2 29# include <openssl/ocsp.h>
3f7eeb86 30#endif
85098ee7 31#ifdef EXPERIMENTAL_DANE
05e796ad 32# include "danessl.h"
85098ee7
JH
33#endif
34
3f7eeb86 35
f2de3a33
JH
36#ifndef DISABLE_OCSP
37# define EXIM_OCSP_SKEW_SECONDS (300L)
38# define EXIM_OCSP_MAX_AGE (-1L)
3f7eeb86 39#endif
059ec3d9 40
3bcbbbe2 41#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
e51c7be2 42# define EXIM_HAVE_OPENSSL_TLSEXT
3bcbbbe2 43#endif
c8dfb21d
JH
44#if OPENSSL_VERSION_NUMBER >= 0x00908000L
45# define EXIM_HAVE_RSA_GENKEY_EX
46#endif
47#if OPENSSL_VERSION_NUMBER >= 0x10100000L
48# define EXIM_HAVE_OCSP_RESP_COUNT
49#else
50# define EXIM_HAVE_EPHEM_RSA_KEX
51# define EXIM_HAVE_RAND_PSEUDO
52#endif
53#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
54# define EXIM_HAVE_SHA256
55#endif
34e3241d
PP
56
57/*
58 * X509_check_host provides sane certificate hostname checking, but was added
59 * to OpenSSL late, after other projects forked off the code-base. So in
60 * addition to guarding against the base version number, beware that LibreSSL
61 * does not (at this time) support this function.
62 *
63 * If LibreSSL gains a different API, perhaps via libtls, then we'll probably
64 * opt to disentangle and ask a LibreSSL user to provide glue for a third
65 * crypto provider for libtls instead of continuing to tie the OpenSSL glue
66 * into even twistier knots. If LibreSSL gains the same API, we can just
67 * change this guard and punt the issue for a while longer.
68 */
69#ifndef LIBRESSL_VERSION_NUMBER
70# if OPENSSL_VERSION_NUMBER >= 0x010100000L
71# define EXIM_HAVE_OPENSSL_CHECKHOST
8420742d 72# define EXIM_HAVE_OPENSSL_DH_BITS
34e3241d
PP
73# endif
74# if OPENSSL_VERSION_NUMBER >= 0x010000000L \
2dfb468b 75 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
34e3241d
PP
76# define EXIM_HAVE_OPENSSL_CHECKHOST
77# endif
11aa88b0 78#endif
10ca4f1c 79
11aa88b0
RA
80#if !defined(LIBRESSL_VERSION_NUMBER) \
81 || LIBRESSL_VERSION_NUMBER >= 0x20010000L
10ca4f1c
JH
82# if !defined(OPENSSL_NO_ECDH)
83# if OPENSSL_VERSION_NUMBER >= 0x0090800fL
84# define EXIM_HAVE_ECDH
85# endif
86# if OPENSSL_VERSION_NUMBER >= 0x10002000L
10ca4f1c
JH
87# define EXIM_HAVE_OPENSSL_EC_NIST2NID
88# endif
89# endif
2dfb468b 90#endif
3bcbbbe2 91
67791ce4
JH
92#if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
93# warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
94# define DISABLE_OCSP
95#endif
96
059ec3d9
PH
97/* Structure for collecting random data for seeding. */
98
99typedef struct randstuff {
9e3331ea
TK
100 struct timeval tv;
101 pid_t p;
059ec3d9
PH
102} randstuff;
103
104/* Local static variables */
105
a2ff477a
JH
106static BOOL client_verify_callback_called = FALSE;
107static BOOL server_verify_callback_called = FALSE;
059ec3d9
PH
108static const uschar *sid_ctx = US"exim";
109
d4f09789
PP
110/* We have three different contexts to care about.
111
112Simple case: client, `client_ctx`
113 As a client, we can be doing a callout or cut-through delivery while receiving
114 a message. So we have a client context, which should have options initialised
115 from the SMTP Transport.
116
117Server:
118 There are two cases: with and without ServerNameIndication from the client.
119 Given TLS SNI, we can be using different keys, certs and various other
120 configuration settings, because they're re-expanded with $tls_sni set. This
121 allows vhosting with TLS. This SNI is sent in the handshake.
122 A client might not send SNI, so we need a fallback, and an initial setup too.
123 So as a server, we start out using `server_ctx`.
124 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
125 `server_sni` from `server_ctx` and then initialise settings by re-expanding
126 configuration.
127*/
128
817d9f57
JH
129static SSL_CTX *client_ctx = NULL;
130static SSL_CTX *server_ctx = NULL;
131static SSL *client_ssl = NULL;
132static SSL *server_ssl = NULL;
389ca47a 133
35731706 134#ifdef EXIM_HAVE_OPENSSL_TLSEXT
817d9f57 135static SSL_CTX *server_sni = NULL;
35731706 136#endif
059ec3d9
PH
137
138static char ssl_errstring[256];
139
140static int ssl_session_timeout = 200;
a2ff477a
JH
141static BOOL client_verify_optional = FALSE;
142static BOOL server_verify_optional = FALSE;
059ec3d9 143
f5d78688 144static BOOL reexpand_tls_files_for_sni = FALSE;
059ec3d9
PH
145
146
7be682ca
PP
147typedef struct tls_ext_ctx_cb {
148 uschar *certificate;
149 uschar *privatekey;
f2de3a33 150#ifndef DISABLE_OCSP
f5d78688 151 BOOL is_server;
c3033f13 152 STACK_OF(X509) *verify_stack; /* chain for verifying the proof */
f5d78688
JH
153 union {
154 struct {
155 uschar *file;
156 uschar *file_expanded;
157 OCSP_RESPONSE *response;
158 } server;
159 struct {
44662487
JH
160 X509_STORE *verify_store; /* non-null if status requested */
161 BOOL verify_required;
f5d78688
JH
162 } client;
163 } u_ocsp;
3f7eeb86 164#endif
7be682ca
PP
165 uschar *dhparam;
166 /* these are cached from first expand */
167 uschar *server_cipher_list;
168 /* only passed down to tls_error: */
169 host_item *host;
55414b25 170 const uschar * verify_cert_hostnames;
0cbf2b82 171#ifndef DISABLE_EVENT
a7538db1
JH
172 uschar * event_action;
173#endif
7be682ca
PP
174} tls_ext_ctx_cb;
175
176/* should figure out a cleanup of API to handle state preserved per
177implementation, for various reasons, which can be void * in the APIs.
178For now, we hack around it. */
817d9f57
JH
179tls_ext_ctx_cb *client_static_cbinfo = NULL;
180tls_ext_ctx_cb *server_static_cbinfo = NULL;
7be682ca
PP
181
182static int
983207c1 183setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
cf0c6164 184 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr );
059ec3d9 185
3f7eeb86 186/* Callbacks */
3bcbbbe2 187#ifdef EXIM_HAVE_OPENSSL_TLSEXT
3f7eeb86 188static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
3bcbbbe2 189#endif
f2de3a33 190#ifndef DISABLE_OCSP
f5d78688 191static int tls_server_stapling_cb(SSL *s, void *arg);
3f7eeb86
PP
192#endif
193
059ec3d9
PH
194
195/*************************************************
196* Handle TLS error *
197*************************************************/
198
199/* Called from lots of places when errors occur before actually starting to do
200the TLS handshake, that is, while the session is still in clear. Always returns
201DEFER for a server and FAIL for a client so that most calls can use "return
202tls_error(...)" to do this processing and then give an appropriate return. A
203single function is used for both server and client, because it is called from
204some shared functions.
205
206Argument:
207 prefix text to include in the logged error
208 host NULL if setting up a server;
209 the connected host if setting up a client
7199e1ee 210 msg error message or NULL if we should ask OpenSSL
cf0c6164 211 errstr pointer to output error message
059ec3d9
PH
212
213Returns: OK/DEFER/FAIL
214*/
215
216static int
cf0c6164 217tls_error(uschar * prefix, const host_item * host, uschar * msg, uschar ** errstr)
059ec3d9 218{
c562fd30 219if (!msg)
7199e1ee
TF
220 {
221 ERR_error_string(ERR_get_error(), ssl_errstring);
cf0c6164 222 msg = US ssl_errstring;
7199e1ee
TF
223 }
224
cf0c6164
JH
225if (errstr) *errstr = string_sprintf("(%s): %s", prefix, msg);
226return host ? FAIL : DEFER;
059ec3d9
PH
227}
228
229
230
c8dfb21d 231#ifdef EXIM_HAVE_EPHEM_RSA_KEX
059ec3d9
PH
232/*************************************************
233* Callback to generate RSA key *
234*************************************************/
235
236/*
237Arguments:
238 s SSL connection
239 export not used
240 keylength keylength
241
242Returns: pointer to generated key
243*/
244
245static RSA *
246rsa_callback(SSL *s, int export, int keylength)
247{
248RSA *rsa_key;
c8dfb21d
JH
249#ifdef EXIM_HAVE_RSA_GENKEY_EX
250BIGNUM *bn = BN_new();
251#endif
252
059ec3d9
PH
253export = export; /* Shut picky compilers up */
254DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
c8dfb21d
JH
255
256#ifdef EXIM_HAVE_RSA_GENKEY_EX
257if ( !BN_set_word(bn, (unsigned long)RSA_F4)
f2cb6292 258 || !(rsa_key = RSA_new())
c8dfb21d
JH
259 || !RSA_generate_key_ex(rsa_key, keylength, bn, NULL)
260 )
261#else
23bb6982 262if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL)))
c8dfb21d
JH
263#endif
264
059ec3d9
PH
265 {
266 ERR_error_string(ERR_get_error(), ssl_errstring);
267 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
268 ssl_errstring);
269 return NULL;
270 }
271return rsa_key;
272}
c8dfb21d 273#endif
059ec3d9
PH
274
275
276
f5d78688 277/* Extreme debug
f2de3a33 278#ifndef DISABLE_OCSP
f5d78688
JH
279void
280x509_store_dump_cert_s_names(X509_STORE * store)
281{
282STACK_OF(X509_OBJECT) * roots= store->objs;
283int i;
284static uschar name[256];
285
286for(i= 0; i<sk_X509_OBJECT_num(roots); i++)
287 {
288 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
289 if(tmp_obj->type == X509_LU_X509)
290 {
291 X509 * current_cert= tmp_obj->data.x509;
292 X509_NAME_oneline(X509_get_subject_name(current_cert), CS name, sizeof(name));
f69979cf 293 name[sizeof(name)-1] = '\0';
f5d78688
JH
294 debug_printf(" %s\n", name);
295 }
296 }
297}
298#endif
299*/
300
059ec3d9 301
0cbf2b82 302#ifndef DISABLE_EVENT
f69979cf
JH
303static int
304verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
305 BOOL *calledp, const BOOL *optionalp, const uschar * what)
306{
307uschar * ev;
308uschar * yield;
309X509 * old_cert;
310
311ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
312if (ev)
313 {
aaba7d03 314 DEBUG(D_tls) debug_printf("verify_event: %s %d\n", what, depth);
f69979cf
JH
315 old_cert = tlsp->peercert;
316 tlsp->peercert = X509_dup(cert);
317 /* NB we do not bother setting peerdn */
318 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
319 {
320 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
321 "depth=%d cert=%s: %s",
322 tlsp == &tls_out ? deliver_host_address : sender_host_address,
323 what, depth, dn, yield);
324 *calledp = TRUE;
325 if (!*optionalp)
326 {
327 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
328 return 1; /* reject (leaving peercert set) */
329 }
330 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
331 "(host in tls_try_verify_hosts)\n");
332 }
333 X509_free(tlsp->peercert);
334 tlsp->peercert = old_cert;
335 }
336return 0;
337}
338#endif
339
059ec3d9
PH
340/*************************************************
341* Callback for verification *
342*************************************************/
343
344/* The SSL library does certificate verification if set up to do so. This
345callback has the current yes/no state is in "state". If verification succeeded,
f69979cf
JH
346we set the certificate-verified flag. If verification failed, what happens
347depends on whether the client is required to present a verifiable certificate
348or not.
059ec3d9
PH
349
350If verification is optional, we change the state to yes, but still log the
351verification error. For some reason (it really would help to have proper
352documentation of OpenSSL), this callback function then gets called again, this
f69979cf
JH
353time with state = 1. We must take care not to set the private verified flag on
354the second time through.
059ec3d9
PH
355
356Note: this function is not called if the client fails to present a certificate
357when asked. We get here only if a certificate has been received. Handling of
358optional verification for this case is done when requesting SSL to verify, by
359setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
360
a7538db1
JH
361May be called multiple times for different issues with a certificate, even
362for a given "depth" in the certificate chain.
363
059ec3d9 364Arguments:
f2f2c91b
JH
365 preverify_ok current yes/no state as 1/0
366 x509ctx certificate information.
367 tlsp per-direction (client vs. server) support data
368 calledp has-been-called flag
369 optionalp verification-is-optional flag
059ec3d9 370
f2f2c91b 371Returns: 0 if verification should fail, otherwise 1
059ec3d9
PH
372*/
373
374static int
f2f2c91b 375verify_callback(int preverify_ok, X509_STORE_CTX *x509ctx,
421aff85 376 tls_support *tlsp, BOOL *calledp, BOOL *optionalp)
059ec3d9 377{
421aff85 378X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
a7538db1 379int depth = X509_STORE_CTX_get_error_depth(x509ctx);
f69979cf 380uschar dn[256];
059ec3d9 381
f69979cf
JH
382X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn));
383dn[sizeof(dn)-1] = '\0';
059ec3d9 384
f2f2c91b 385if (preverify_ok == 0)
059ec3d9 386 {
f77197ae
JH
387 uschar * extra = verify_mode ? string_sprintf(" (during %c-verify for [%s])",
388 *verify_mode, sender_host_address)
389 : US"";
390 log_write(0, LOG_MAIN, "[%s] SSL verify error%s: depth=%d error=%s cert=%s",
391 tlsp == &tls_out ? deliver_host_address : sender_host_address,
392 extra, depth,
393 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)), dn);
a2ff477a 394 *calledp = TRUE;
9d1c15ef
JH
395 if (!*optionalp)
396 {
f69979cf
JH
397 if (!tlsp->peercert)
398 tlsp->peercert = X509_dup(cert); /* record failing cert */
399 return 0; /* reject */
9d1c15ef 400 }
059ec3d9
PH
401 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
402 "tls_try_verify_hosts)\n");
059ec3d9
PH
403 }
404
a7538db1 405else if (depth != 0)
059ec3d9 406 {
f69979cf 407 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
f2de3a33 408#ifndef DISABLE_OCSP
f5d78688
JH
409 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
410 { /* client, wanting stapling */
411 /* Add the server cert's signing chain as the one
412 for the verification of the OCSP stapled information. */
94431adb 413
f5d78688 414 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
421aff85 415 cert))
f5d78688 416 ERR_clear_error();
c3033f13 417 sk_X509_push(client_static_cbinfo->verify_stack, cert);
f5d78688
JH
418 }
419#endif
0cbf2b82 420#ifndef DISABLE_EVENT
f69979cf
JH
421 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
422 return 0; /* reject, with peercert set */
a7538db1 423#endif
059ec3d9
PH
424 }
425else
426 {
55414b25 427 const uschar * verify_cert_hostnames;
e51c7be2 428
e51c7be2
JH
429 if ( tlsp == &tls_out
430 && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
431 /* client, wanting hostname check */
e51c7be2 432 {
f69979cf 433
740f36d4 434#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
f69979cf
JH
435# ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
436# define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
437# endif
438# ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
439# define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
440# endif
e51c7be2 441 int sep = 0;
55414b25 442 const uschar * list = verify_cert_hostnames;
e51c7be2 443 uschar * name;
d8e7834a
JH
444 int rc;
445 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
f40d5be3 446 if ((rc = X509_check_host(cert, CCS name, 0,
8d692470 447 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
740f36d4
JH
448 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
449 NULL)))
d8e7834a
JH
450 {
451 if (rc < 0)
452 {
93a6fce2 453 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
f77197ae 454 tlsp == &tls_out ? deliver_host_address : sender_host_address);
d8e7834a
JH
455 name = NULL;
456 }
e51c7be2 457 break;
d8e7834a 458 }
e51c7be2 459 if (!name)
f69979cf 460#else
e51c7be2 461 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
f69979cf 462#endif
e51c7be2 463 {
f77197ae
JH
464 uschar * extra = verify_mode
465 ? string_sprintf(" (during %c-verify for [%s])",
466 *verify_mode, sender_host_address)
467 : US"";
e51c7be2 468 log_write(0, LOG_MAIN,
f77197ae
JH
469 "[%s] SSL verify error%s: certificate name mismatch: DN=\"%s\" H=\"%s\"",
470 tlsp == &tls_out ? deliver_host_address : sender_host_address,
471 extra, dn, verify_cert_hostnames);
a3ef7310
JH
472 *calledp = TRUE;
473 if (!*optionalp)
f69979cf
JH
474 {
475 if (!tlsp->peercert)
476 tlsp->peercert = X509_dup(cert); /* record failing cert */
477 return 0; /* reject */
478 }
a3ef7310
JH
479 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
480 "tls_try_verify_hosts)\n");
e51c7be2 481 }
f69979cf 482 }
e51c7be2 483
0cbf2b82 484#ifndef DISABLE_EVENT
f69979cf
JH
485 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
486 return 0; /* reject, with peercert set */
e51c7be2
JH
487#endif
488
93dcb1c2 489 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
f69979cf 490 *calledp ? "" : " authenticated", dn);
93dcb1c2
JH
491 if (!*calledp) tlsp->certificate_verified = TRUE;
492 *calledp = TRUE;
059ec3d9
PH
493 }
494
a7538db1 495return 1; /* accept, at least for this level */
059ec3d9
PH
496}
497
a2ff477a 498static int
f2f2c91b 499verify_callback_client(int preverify_ok, X509_STORE_CTX *x509ctx)
a2ff477a 500{
f2f2c91b
JH
501return verify_callback(preverify_ok, x509ctx, &tls_out,
502 &client_verify_callback_called, &client_verify_optional);
a2ff477a
JH
503}
504
505static int
f2f2c91b 506verify_callback_server(int preverify_ok, X509_STORE_CTX *x509ctx)
a2ff477a 507{
f2f2c91b
JH
508return verify_callback(preverify_ok, x509ctx, &tls_in,
509 &server_verify_callback_called, &server_verify_optional);
a2ff477a
JH
510}
511
059ec3d9 512
e5cccda9 513#ifdef EXPERIMENTAL_DANE
53a7196b 514
e5cccda9
JH
515/* This gets called *by* the dane library verify callback, which interposes
516itself.
517*/
518static int
f2f2c91b 519verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
e5cccda9
JH
520{
521X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
f69979cf 522uschar dn[256];
83b27293 523int depth = X509_STORE_CTX_get_error_depth(x509ctx);
5c75db2e 524#ifndef DISABLE_EVENT
f69979cf 525BOOL dummy_called, optional = FALSE;
83b27293 526#endif
e5cccda9 527
f69979cf
JH
528X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn));
529dn[sizeof(dn)-1] = '\0';
e5cccda9 530
f2f2c91b
JH
531DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
532 preverify_ok ? "ok":"BAD", depth, dn);
e5cccda9 533
0cbf2b82 534#ifndef DISABLE_EVENT
f69979cf
JH
535 if (verify_event(&tls_out, cert, depth, dn,
536 &dummy_called, &optional, US"DANE"))
537 return 0; /* reject, with peercert set */
83b27293
JH
538#endif
539
f2f2c91b 540if (preverify_ok == 1)
53a7196b 541 tls_out.dane_verified =
e5cccda9 542 tls_out.certificate_verified = TRUE;
f2f2c91b
JH
543else
544 {
545 int err = X509_STORE_CTX_get_error(x509ctx);
546 DEBUG(D_tls)
547 debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
3c51463e 548 if (err == X509_V_ERR_APPLICATION_VERIFICATION)
f2f2c91b
JH
549 preverify_ok = 1;
550 }
551return preverify_ok;
e5cccda9 552}
53a7196b
JH
553
554#endif /*EXPERIMENTAL_DANE*/
e5cccda9 555
059ec3d9
PH
556
557/*************************************************
558* Information callback *
559*************************************************/
560
561/* The SSL library functions call this from time to time to indicate what they
7be682ca
PP
562are doing. We copy the string to the debugging output when TLS debugging has
563been requested.
059ec3d9
PH
564
565Arguments:
566 s the SSL connection
567 where
568 ret
569
570Returns: nothing
571*/
572
573static void
574info_callback(SSL *s, int where, int ret)
575{
576where = where;
577ret = ret;
578DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
579}
580
581
582
583/*************************************************
584* Initialize for DH *
585*************************************************/
586
587/* If dhparam is set, expand it, and load up the parameters for DH encryption.
588
589Arguments:
038597d2 590 sctx The current SSL CTX (inbound or outbound)
a799883d 591 dhparam DH parameter file or fixed parameter identity string
7199e1ee 592 host connected host, if client; NULL if server
cf0c6164 593 errstr error string pointer
059ec3d9
PH
594
595Returns: TRUE if OK (nothing to set up, or setup worked)
596*/
597
598static BOOL
cf0c6164 599init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host, uschar ** errstr)
059ec3d9 600{
059ec3d9
PH
601BIO *bio;
602DH *dh;
603uschar *dhexpanded;
a799883d 604const char *pem;
6600985a 605int dh_bitsize;
059ec3d9 606
cf0c6164 607if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded, errstr))
059ec3d9
PH
608 return FALSE;
609
0df4ab80 610if (!dhexpanded || !*dhexpanded)
a799883d 611 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
a799883d 612else if (dhexpanded[0] == '/')
059ec3d9 613 {
0df4ab80 614 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
059ec3d9 615 {
7199e1ee 616 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
cf0c6164 617 host, US strerror(errno), errstr);
a799883d 618 return FALSE;
059ec3d9 619 }
a799883d
PP
620 }
621else
622 {
623 if (Ustrcmp(dhexpanded, "none") == 0)
059ec3d9 624 {
a799883d
PP
625 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
626 return TRUE;
059ec3d9 627 }
a799883d 628
0df4ab80 629 if (!(pem = std_dh_prime_named(dhexpanded)))
a799883d
PP
630 {
631 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
cf0c6164 632 host, US strerror(errno), errstr);
a799883d
PP
633 return FALSE;
634 }
635 bio = BIO_new_mem_buf(CS pem, -1);
636 }
637
0df4ab80 638if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
a799883d 639 {
059ec3d9 640 BIO_free(bio);
a799883d 641 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
cf0c6164 642 host, NULL, errstr);
a799883d
PP
643 return FALSE;
644 }
645
6600985a
PP
646/* note: our default limit of 2236 is not a multiple of 8; the limit comes from
647 * an NSS limit, and the GnuTLS APIs handle bit-sizes fine, so we went with
648 * 2236. But older OpenSSL can only report in bytes (octets), not bits.
649 * If someone wants to dance at the edge, then they can raise the limit or use
650 * current libraries. */
651#ifdef EXIM_HAVE_OPENSSL_DH_BITS
652/* Added in commit 26c79d5641d; `git describe --contains` says OpenSSL_1_1_0-pre1~1022
653 * This predates OpenSSL_1_1_0 (before a, b, ...) so is in all 1.1.0 */
654dh_bitsize = DH_bits(dh);
655#else
656dh_bitsize = 8 * DH_size(dh);
657#endif
658
a799883d
PP
659/* Even if it is larger, we silently return success rather than cause things
660 * to fail out, so that a too-large DH will not knock out all TLS; it's a
661 * debatable choice. */
6600985a 662if (dh_bitsize > tls_dh_max_bits)
a799883d
PP
663 {
664 DEBUG(D_tls)
170f4904 665 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d\n",
6600985a 666 dh_bitsize, tls_dh_max_bits);
a799883d
PP
667 }
668else
669 {
670 SSL_CTX_set_tmp_dh(sctx, dh);
671 DEBUG(D_tls)
672 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
6600985a 673 dhexpanded ? dhexpanded : US"default", dh_bitsize);
059ec3d9
PH
674 }
675
a799883d
PP
676DH_free(dh);
677BIO_free(bio);
678
679return TRUE;
059ec3d9
PH
680}
681
682
683
684
038597d2
PP
685/*************************************************
686* Initialize for ECDH *
687*************************************************/
688
689/* Load parameters for ECDH encryption.
690
691For now, we stick to NIST P-256 because: it's simple and easy to configure;
692it avoids any patent issues that might bite redistributors; despite events in
693the news and concerns over curve choices, we're not cryptographers, we're not
694pretending to be, and this is "good enough" to be better than no support,
695protecting against most adversaries. Given another year or two, there might
696be sufficient clarity about a "right" way forward to let us make an informed
697decision, instead of a knee-jerk reaction.
698
699Longer-term, we should look at supporting both various named curves and
700external files generated with "openssl ecparam", much as we do for init_dh().
701We should also support "none" as a value, to explicitly avoid initialisation.
702
703Patches welcome.
704
705Arguments:
706 sctx The current SSL CTX (inbound or outbound)
707 host connected host, if client; NULL if server
cf0c6164 708 errstr error string pointer
038597d2
PP
709
710Returns: TRUE if OK (nothing to set up, or setup worked)
711*/
712
713static BOOL
cf0c6164 714init_ecdh(SSL_CTX * sctx, host_item * host, uschar ** errstr)
038597d2 715{
63f0dbe0
JH
716#ifdef OPENSSL_NO_ECDH
717return TRUE;
718#else
719
10ca4f1c
JH
720EC_KEY * ecdh;
721uschar * exp_curve;
722int nid;
723BOOL rv;
724
038597d2
PP
725if (host) /* No ECDH setup for clients, only for servers */
726 return TRUE;
727
10ca4f1c 728# ifndef EXIM_HAVE_ECDH
038597d2
PP
729DEBUG(D_tls)
730 debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
731return TRUE;
038597d2 732# else
10ca4f1c 733
cf0c6164 734if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr))
10ca4f1c
JH
735 return FALSE;
736if (!exp_curve || !*exp_curve)
737 return TRUE;
738
8e53a4fc 739/* "auto" needs to be handled carefully.
4c04137d 740 * OpenSSL < 1.0.2: we do not select anything, but fallback to prime256v1
8e53a4fc 741 * OpenSSL < 1.1.0: we have to call SSL_CTX_set_ecdh_auto
4c04137d 742 * (openssl/ssl.h defines SSL_CTRL_SET_ECDH_AUTO)
8e53a4fc
HSHR
743 * OpenSSL >= 1.1.0: we do not set anything, the libray does autoselection
744 * https://github.com/openssl/openssl/commit/fe6ef2472db933f01b59cad82aa925736935984b
745 */
10ca4f1c 746if (Ustrcmp(exp_curve, "auto") == 0)
038597d2 747 {
8e53a4fc 748#if OPENSSL_VERSION_NUMBER < 0x10002000L
10ca4f1c 749 DEBUG(D_tls) debug_printf(
8e53a4fc 750 "ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n");
78a3bbd5 751 exp_curve = US"prime256v1";
8e53a4fc
HSHR
752#else
753# if defined SSL_CTRL_SET_ECDH_AUTO
754 DEBUG(D_tls) debug_printf(
755 "ECDH OpenSSL 1.0.2+ temp key parameter settings: autoselection\n");
10ca4f1c
JH
756 SSL_CTX_set_ecdh_auto(sctx, 1);
757 return TRUE;
8e53a4fc
HSHR
758# else
759 DEBUG(D_tls) debug_printf(
760 "ECDH OpenSSL 1.1.0+ temp key parameter settings: default selection\n");
761 return TRUE;
762# endif
763#endif
10ca4f1c 764 }
038597d2 765
10ca4f1c
JH
766DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve);
767if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef
768# ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
769 && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef
770# endif
771 )
772 {
cf0c6164
JH
773 tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve),
774 host, NULL, errstr);
10ca4f1c
JH
775 return FALSE;
776 }
038597d2 777
10ca4f1c
JH
778if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
779 {
cf0c6164 780 tls_error(US"Unable to create ec curve", host, NULL, errstr);
10ca4f1c 781 return FALSE;
038597d2 782 }
10ca4f1c
JH
783
784/* The "tmp" in the name here refers to setting a temporary key
785not to the stability of the interface. */
786
787if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
cf0c6164 788 tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL, errstr);
10ca4f1c
JH
789else
790 DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
791
792EC_KEY_free(ecdh);
793return !rv;
794
795# endif /*EXIM_HAVE_ECDH*/
796#endif /*OPENSSL_NO_ECDH*/
038597d2
PP
797}
798
799
800
801
f2de3a33 802#ifndef DISABLE_OCSP
3f7eeb86
PP
803/*************************************************
804* Load OCSP information into state *
805*************************************************/
f5d78688 806/* Called to load the server OCSP response from the given file into memory, once
3f7eeb86
PP
807caller has determined this is needed. Checks validity. Debugs a message
808if invalid.
809
810ASSUMES: single response, for single cert.
811
812Arguments:
813 sctx the SSL_CTX* to update
814 cbinfo various parts of session state
815 expanded the filename putatively holding an OCSP response
816
817*/
818
819static void
f5d78688 820ocsp_load_response(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo, const uschar *expanded)
3f7eeb86 821{
ee5b1e28
JH
822BIO * bio;
823OCSP_RESPONSE * resp;
824OCSP_BASICRESP * basic_response;
825OCSP_SINGLERESP * single_response;
826ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
ee5b1e28 827STACK_OF(X509) * sk;
3f7eeb86
PP
828unsigned long verify_flags;
829int status, reason, i;
830
f5d78688
JH
831cbinfo->u_ocsp.server.file_expanded = string_copy(expanded);
832if (cbinfo->u_ocsp.server.response)
3f7eeb86 833 {
f5d78688
JH
834 OCSP_RESPONSE_free(cbinfo->u_ocsp.server.response);
835 cbinfo->u_ocsp.server.response = NULL;
3f7eeb86
PP
836 }
837
ee5b1e28 838if (!(bio = BIO_new_file(CS cbinfo->u_ocsp.server.file_expanded, "rb")))
3f7eeb86
PP
839 {
840 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
f5d78688 841 cbinfo->u_ocsp.server.file_expanded);
3f7eeb86
PP
842 return;
843 }
844
845resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
846BIO_free(bio);
847if (!resp)
848 {
849 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
850 return;
851 }
852
ee5b1e28 853if ((status = OCSP_response_status(resp)) != OCSP_RESPONSE_STATUS_SUCCESSFUL)
3f7eeb86
PP
854 {
855 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
856 OCSP_response_status_str(status), status);
f5d78688 857 goto bad;
3f7eeb86
PP
858 }
859
ee5b1e28 860if (!(basic_response = OCSP_response_get1_basic(resp)))
3f7eeb86
PP
861 {
862 DEBUG(D_tls)
863 debug_printf("OCSP response parse error: unable to extract basic response.\n");
f5d78688 864 goto bad;
3f7eeb86
PP
865 }
866
c3033f13 867sk = cbinfo->verify_stack;
3f7eeb86
PP
868verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
869
870/* May need to expose ability to adjust those flags?
871OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
872OCSP_TRUSTOTHER OCSP_NOINTERN */
873
4c04137d 874/* This does a full verify on the OCSP proof before we load it for serving
ee5b1e28
JH
875up; possibly overkill - just date-checks might be nice enough.
876
877OCSP_basic_verify takes a "store" arg, but does not
878use it for the chain verification, which is all we do
879when OCSP_NOVERIFY is set. The content from the wire
880"basic_response" and a cert-stack "sk" are all that is used.
881
c3033f13
JH
882We have a stack, loaded in setup_certs() if tls_verify_certificates
883was a file (not a directory, or "system"). It is unfortunate we
884cannot used the connection context store, as that would neatly
885handle the "system" case too, but there seems to be no library
886function for getting a stack from a store.
e3555426 887[ In OpenSSL 1.1 - ? X509_STORE_CTX_get0_chain(ctx) ? ]
c3033f13
JH
888We do not free the stack since it could be needed a second time for
889SNI handling.
890
4c04137d 891Separately we might try to replace using OCSP_basic_verify() - which seems to not
ee5b1e28
JH
892be a public interface into the OpenSSL library (there's no manual entry) -
893But what with? We also use OCSP_basic_verify in the client stapling callback.
4c04137d 894And there we NEED it; we must verify that status... unless the
ee5b1e28
JH
895library does it for us anyway? */
896
897if ((i = OCSP_basic_verify(basic_response, sk, NULL, verify_flags)) < 0)
3f7eeb86 898 {
ee5b1e28
JH
899 DEBUG(D_tls)
900 {
3f7eeb86
PP
901 ERR_error_string(ERR_get_error(), ssl_errstring);
902 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
f5d78688
JH
903 }
904 goto bad;
3f7eeb86
PP
905 }
906
907/* Here's the simplifying assumption: there's only one response, for the
908one certificate we use, and nothing for anything else in a chain. If this
909proves false, we need to extract a cert id from our issued cert
910(tls_certificate) and use that for OCSP_resp_find_status() (which finds the
911right cert in the stack and then calls OCSP_single_get0_status()).
912
913I'm hoping to avoid reworking a bunch more of how we handle state here. */
ee5b1e28
JH
914
915if (!(single_response = OCSP_resp_get0(basic_response, 0)))
3f7eeb86
PP
916 {
917 DEBUG(D_tls)
918 debug_printf("Unable to get first response from OCSP basic response.\n");
f5d78688 919 goto bad;
3f7eeb86
PP
920 }
921
922status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
f5d78688 923if (status != V_OCSP_CERTSTATUS_GOOD)
3f7eeb86 924 {
f5d78688
JH
925 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
926 OCSP_cert_status_str(status), status,
927 OCSP_crl_reason_str(reason), reason);
928 goto bad;
3f7eeb86
PP
929 }
930
931if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
932 {
933 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
f5d78688 934 goto bad;
3f7eeb86
PP
935 }
936
f5d78688 937supply_response:
018058b2 938 cbinfo->u_ocsp.server.response = resp;
f5d78688
JH
939return;
940
941bad:
018058b2
JH
942 if (running_in_test_harness)
943 {
944 extern char ** environ;
945 uschar ** p;
bc3c7bb7 946 if (environ) for (p = USS environ; *p != NULL; p++)
018058b2
JH
947 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
948 {
949 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
950 goto supply_response;
951 }
952 }
f5d78688 953return;
3f7eeb86 954}
f2de3a33 955#endif /*!DISABLE_OCSP*/
3f7eeb86
PP
956
957
958
959
23bb6982
JH
960/* Create and install a selfsigned certificate, for use in server mode */
961
962static int
cf0c6164 963tls_install_selfsign(SSL_CTX * sctx, uschar ** errstr)
23bb6982
JH
964{
965X509 * x509 = NULL;
966EVP_PKEY * pkey;
967RSA * rsa;
968X509_NAME * name;
969uschar * where;
970
971where = US"allocating pkey";
972if (!(pkey = EVP_PKEY_new()))
973 goto err;
974
975where = US"allocating cert";
976if (!(x509 = X509_new()))
977 goto err;
978
979where = US"generating pkey";
980 /* deprecated, use RSA_generate_key_ex() */
981if (!(rsa = RSA_generate_key(1024, RSA_F4, NULL, NULL)))
982 goto err;
983
4c04137d 984where = US"assigning pkey";
23bb6982
JH
985if (!EVP_PKEY_assign_RSA(pkey, rsa))
986 goto err;
987
988X509_set_version(x509, 2); /* N+1 - version 3 */
989ASN1_INTEGER_set(X509_get_serialNumber(x509), 0);
990X509_gmtime_adj(X509_get_notBefore(x509), 0);
991X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60); /* 1 hour */
992X509_set_pubkey(x509, pkey);
993
994name = X509_get_subject_name(x509);
995X509_NAME_add_entry_by_txt(name, "C",
4dc2379a 996 MBSTRING_ASC, CUS "UK", -1, -1, 0);
23bb6982 997X509_NAME_add_entry_by_txt(name, "O",
4dc2379a 998 MBSTRING_ASC, CUS "Exim Developers", -1, -1, 0);
23bb6982 999X509_NAME_add_entry_by_txt(name, "CN",
4dc2379a 1000 MBSTRING_ASC, CUS smtp_active_hostname, -1, -1, 0);
23bb6982
JH
1001X509_set_issuer_name(x509, name);
1002
1003where = US"signing cert";
1004if (!X509_sign(x509, pkey, EVP_md5()))
1005 goto err;
1006
1007where = US"installing selfsign cert";
1008if (!SSL_CTX_use_certificate(sctx, x509))
1009 goto err;
1010
1011where = US"installing selfsign key";
1012if (!SSL_CTX_use_PrivateKey(sctx, pkey))
1013 goto err;
1014
1015return OK;
1016
1017err:
cf0c6164 1018 (void) tls_error(where, NULL, NULL, errstr);
23bb6982
JH
1019 if (x509) X509_free(x509);
1020 if (pkey) EVP_PKEY_free(pkey);
1021 return DEFER;
1022}
1023
1024
1025
1026
059ec3d9 1027/*************************************************
7be682ca
PP
1028* Expand key and cert file specs *
1029*************************************************/
1030
f5d78688 1031/* Called once during tls_init and possibly again during TLS setup, for a
7be682ca
PP
1032new context, if Server Name Indication was used and tls_sni was seen in
1033the certificate string.
1034
1035Arguments:
1036 sctx the SSL_CTX* to update
1037 cbinfo various parts of session state
cf0c6164 1038 errstr error string pointer
7be682ca
PP
1039
1040Returns: OK/DEFER/FAIL
1041*/
1042
1043static int
cf0c6164
JH
1044tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo,
1045 uschar ** errstr)
7be682ca
PP
1046{
1047uschar *expanded;
1048
23bb6982 1049if (!cbinfo->certificate)
7be682ca 1050 {
23bb6982
JH
1051 if (cbinfo->host) /* client */
1052 return OK;
1053 /* server */
cf0c6164 1054 if (tls_install_selfsign(sctx, errstr) != OK)
23bb6982 1055 return DEFER;
7be682ca 1056 }
23bb6982
JH
1057else
1058 {
1059 if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
1060 Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
1061 Ustrstr(cbinfo->certificate, US"tls_out_sni")
1062 )
1063 reexpand_tls_files_for_sni = TRUE;
7be682ca 1064
cf0c6164 1065 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded, errstr))
23bb6982
JH
1066 return DEFER;
1067
1068 if (expanded != NULL)
1069 {
1070 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded);
1071 if (!SSL_CTX_use_certificate_chain_file(sctx, CS expanded))
1072 return tls_error(string_sprintf(
1073 "SSL_CTX_use_certificate_chain_file file=%s", expanded),
cf0c6164 1074 cbinfo->host, NULL, errstr);
23bb6982 1075 }
7be682ca 1076
23bb6982 1077 if (cbinfo->privatekey != NULL &&
cf0c6164 1078 !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded, errstr))
23bb6982 1079 return DEFER;
7be682ca 1080
23bb6982
JH
1081 /* If expansion was forced to fail, key_expanded will be NULL. If the result
1082 of the expansion is an empty string, ignore it also, and assume the private
1083 key is in the same file as the certificate. */
1084
1085 if (expanded && *expanded)
1086 {
1087 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
1088 if (!SSL_CTX_use_PrivateKey_file(sctx, CS expanded, SSL_FILETYPE_PEM))
1089 return tls_error(string_sprintf(
cf0c6164 1090 "SSL_CTX_use_PrivateKey_file file=%s", expanded), cbinfo->host, NULL, errstr);
23bb6982 1091 }
7be682ca
PP
1092 }
1093
f2de3a33 1094#ifndef DISABLE_OCSP
f40d5be3 1095if (cbinfo->is_server && cbinfo->u_ocsp.server.file)
3f7eeb86 1096 {
cf0c6164 1097 if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded, errstr))
3f7eeb86
PP
1098 return DEFER;
1099
f40d5be3 1100 if (expanded && *expanded)
3f7eeb86
PP
1101 {
1102 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
f40d5be3
JH
1103 if ( cbinfo->u_ocsp.server.file_expanded
1104 && (Ustrcmp(expanded, cbinfo->u_ocsp.server.file_expanded) == 0))
3f7eeb86 1105 {
f40d5be3
JH
1106 DEBUG(D_tls) debug_printf(" - value unchanged, using existing values\n");
1107 }
1108 else
f40d5be3 1109 ocsp_load_response(sctx, cbinfo, expanded);
3f7eeb86
PP
1110 }
1111 }
1112#endif
1113
7be682ca
PP
1114return OK;
1115}
1116
1117
1118
1119
1120/*************************************************
1121* Callback to handle SNI *
1122*************************************************/
1123
1124/* Called when acting as server during the TLS session setup if a Server Name
1125Indication extension was sent by the client.
1126
1127API documentation is OpenSSL s_server.c implementation.
1128
1129Arguments:
1130 s SSL* of the current session
1131 ad unknown (part of OpenSSL API) (unused)
1132 arg Callback of "our" registered data
1133
1134Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
1135*/
1136
3bcbbbe2 1137#ifdef EXIM_HAVE_OPENSSL_TLSEXT
7be682ca 1138static int
7be682ca
PP
1139tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
1140{
1141const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
3f7eeb86 1142tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
7be682ca 1143int rc;
3f0945ff 1144int old_pool = store_pool;
cf0c6164 1145uschar * dummy_errstr;
7be682ca
PP
1146
1147if (!servername)
1148 return SSL_TLSEXT_ERR_OK;
1149
3f0945ff 1150DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
7be682ca
PP
1151 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
1152
1153/* Make the extension value available for expansion */
3f0945ff 1154store_pool = POOL_PERM;
817d9f57 1155tls_in.sni = string_copy(US servername);
3f0945ff 1156store_pool = old_pool;
7be682ca
PP
1157
1158if (!reexpand_tls_files_for_sni)
1159 return SSL_TLSEXT_ERR_OK;
1160
1161/* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
1162not confident that memcpy wouldn't break some internal reference counting.
1163Especially since there's a references struct member, which would be off. */
1164
0df4ab80 1165if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
7be682ca
PP
1166 {
1167 ERR_error_string(ERR_get_error(), ssl_errstring);
1168 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
1169 return SSL_TLSEXT_ERR_NOACK;
1170 }
1171
1172/* Not sure how many of these are actually needed, since SSL object
1173already exists. Might even need this selfsame callback, for reneg? */
1174
817d9f57
JH
1175SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
1176SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
1177SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
1178SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
1179SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
1180SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
038597d2 1181
cf0c6164
JH
1182if ( !init_dh(server_sni, cbinfo->dhparam, NULL, &dummy_errstr)
1183 || !init_ecdh(server_sni, NULL, &dummy_errstr)
038597d2
PP
1184 )
1185 return SSL_TLSEXT_ERR_NOACK;
1186
7be682ca 1187if (cbinfo->server_cipher_list)
817d9f57 1188 SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list);
f2de3a33 1189#ifndef DISABLE_OCSP
f5d78688 1190if (cbinfo->u_ocsp.server.file)
3f7eeb86 1191 {
f5d78688 1192 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
14c7b357 1193 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
3f7eeb86
PP
1194 }
1195#endif
7be682ca 1196
c3033f13 1197if ((rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE,
cf0c6164 1198 verify_callback_server, &dummy_errstr)) != OK)
c3033f13 1199 return SSL_TLSEXT_ERR_NOACK;
7be682ca 1200
3f7eeb86
PP
1201/* do this after setup_certs, because this can require the certs for verifying
1202OCSP information. */
cf0c6164 1203if ((rc = tls_expand_session_files(server_sni, cbinfo, &dummy_errstr)) != OK)
0df4ab80 1204 return SSL_TLSEXT_ERR_NOACK;
a799883d 1205
7be682ca 1206DEBUG(D_tls) debug_printf("Switching SSL context.\n");
817d9f57 1207SSL_set_SSL_CTX(s, server_sni);
7be682ca
PP
1208
1209return SSL_TLSEXT_ERR_OK;
1210}
3bcbbbe2 1211#endif /* EXIM_HAVE_OPENSSL_TLSEXT */
7be682ca
PP
1212
1213
1214
1215
f2de3a33 1216#ifndef DISABLE_OCSP
f5d78688 1217
3f7eeb86
PP
1218/*************************************************
1219* Callback to handle OCSP Stapling *
1220*************************************************/
1221
1222/* Called when acting as server during the TLS session setup if the client
1223requests OCSP information with a Certificate Status Request.
1224
1225Documentation via openssl s_server.c and the Apache patch from the OpenSSL
1226project.
1227
1228*/
1229
1230static int
f5d78688 1231tls_server_stapling_cb(SSL *s, void *arg)
3f7eeb86
PP
1232{
1233const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
1234uschar *response_der;
1235int response_der_len;
1236
af4a1bca 1237DEBUG(D_tls)
b3ef41c9 1238 debug_printf("Received TLS status request (OCSP stapling); %s response\n",
f5d78688
JH
1239 cbinfo->u_ocsp.server.response ? "have" : "lack");
1240
44662487 1241tls_in.ocsp = OCSP_NOT_RESP;
f5d78688 1242if (!cbinfo->u_ocsp.server.response)
3f7eeb86
PP
1243 return SSL_TLSEXT_ERR_NOACK;
1244
1245response_der = NULL;
44662487
JH
1246response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response,
1247 &response_der);
3f7eeb86
PP
1248if (response_der_len <= 0)
1249 return SSL_TLSEXT_ERR_NOACK;
1250
5e55c7a9 1251SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
44662487 1252tls_in.ocsp = OCSP_VFIED;
3f7eeb86
PP
1253return SSL_TLSEXT_ERR_OK;
1254}
1255
3f7eeb86 1256
f5d78688
JH
1257static void
1258time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
1259{
1260BIO_printf(bp, "\t%s: ", str);
1261ASN1_GENERALIZEDTIME_print(bp, time);
1262BIO_puts(bp, "\n");
1263}
1264
1265static int
1266tls_client_stapling_cb(SSL *s, void *arg)
1267{
1268tls_ext_ctx_cb * cbinfo = arg;
1269const unsigned char * p;
1270int len;
1271OCSP_RESPONSE * rsp;
1272OCSP_BASICRESP * bs;
1273int i;
1274
1275DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
1276len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1277if(!p)
1278 {
44662487 1279 /* Expect this when we requested ocsp but got none */
6c6d6e48 1280 if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
44662487 1281 log_write(0, LOG_MAIN, "Received TLS status callback, null content");
f5d78688
JH
1282 else
1283 DEBUG(D_tls) debug_printf(" null\n");
44662487 1284 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
f5d78688 1285 }
018058b2 1286
f5d78688
JH
1287if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
1288 {
018058b2 1289 tls_out.ocsp = OCSP_FAILED;
6c6d6e48 1290 if (LOGGING(tls_cipher))
1eca31ca 1291 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
f5d78688
JH
1292 else
1293 DEBUG(D_tls) debug_printf(" parse error\n");
1294 return 0;
1295 }
1296
1297if(!(bs = OCSP_response_get1_basic(rsp)))
1298 {
018058b2 1299 tls_out.ocsp = OCSP_FAILED;
6c6d6e48 1300 if (LOGGING(tls_cipher))
1eca31ca 1301 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
f5d78688
JH
1302 else
1303 DEBUG(D_tls) debug_printf(" error parsing response\n");
1304 OCSP_RESPONSE_free(rsp);
1305 return 0;
1306 }
1307
1308/* We'd check the nonce here if we'd put one in the request. */
1309/* However that would defeat cacheability on the server so we don't. */
1310
f5d78688
JH
1311/* This section of code reworked from OpenSSL apps source;
1312 The OpenSSL Project retains copyright:
1313 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
1314*/
1315 {
1316 BIO * bp = NULL;
f5d78688
JH
1317 int status, reason;
1318 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1319
1320 DEBUG(D_tls) bp = BIO_new_fp(stderr, BIO_NOCLOSE);
1321
1322 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
1323
1324 /* Use the chain that verified the server cert to verify the stapled info */
1325 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
1326
c3033f13 1327 if ((i = OCSP_basic_verify(bs, cbinfo->verify_stack,
44662487 1328 cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
f5d78688 1329 {
018058b2 1330 tls_out.ocsp = OCSP_FAILED;
6c6d6e48 1331 if (LOGGING(tls_cipher))
1eca31ca 1332 log_write(0, LOG_MAIN, "Received TLS cert status response, itself unverifiable");
f5d78688
JH
1333 BIO_printf(bp, "OCSP response verify failure\n");
1334 ERR_print_errors(bp);
c8dfb21d 1335 goto failed;
f5d78688
JH
1336 }
1337
1338 BIO_printf(bp, "OCSP response well-formed and signed OK\n");
1339
c8dfb21d
JH
1340 /*XXX So we have a good stapled OCSP status. How do we know
1341 it is for the cert of interest? OpenSSL 1.1.0 has a routine
1342 OCSP_resp_find_status() which matches on a cert id, which presumably
1343 we should use. Making an id needs OCSP_cert_id_new(), which takes
1344 issuerName, issuerKey, serialNumber. Are they all in the cert?
1345
1346 For now, carry on blindly accepting the resp. */
1347
f5d78688 1348 {
f5d78688
JH
1349 OCSP_SINGLERESP * single;
1350
c8dfb21d
JH
1351#ifdef EXIM_HAVE_OCSP_RESP_COUNT
1352 if (OCSP_resp_count(bs) != 1)
1353#else
1354 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
f5d78688 1355 if (sk_OCSP_SINGLERESP_num(sresp) != 1)
c8dfb21d 1356#endif
f5d78688 1357 {
018058b2 1358 tls_out.ocsp = OCSP_FAILED;
44662487
JH
1359 log_write(0, LOG_MAIN, "OCSP stapling "
1360 "with multiple responses not handled");
c8dfb21d 1361 goto failed;
f5d78688
JH
1362 }
1363 single = OCSP_resp_get0(bs, 0);
44662487
JH
1364 status = OCSP_single_get0_status(single, &reason, &rev,
1365 &thisupd, &nextupd);
f5d78688
JH
1366 }
1367
f5d78688
JH
1368 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
1369 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
44662487
JH
1370 if (!OCSP_check_validity(thisupd, nextupd,
1371 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
f5d78688 1372 {
018058b2 1373 tls_out.ocsp = OCSP_FAILED;
f5d78688
JH
1374 DEBUG(D_tls) ERR_print_errors(bp);
1375 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
f5d78688 1376 }
44662487 1377 else
f5d78688 1378 {
44662487
JH
1379 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
1380 OCSP_cert_status_str(status));
1381 switch(status)
1382 {
1383 case V_OCSP_CERTSTATUS_GOOD:
44662487 1384 tls_out.ocsp = OCSP_VFIED;
018058b2 1385 i = 1;
c8dfb21d 1386 goto good;
44662487 1387 case V_OCSP_CERTSTATUS_REVOKED:
018058b2 1388 tls_out.ocsp = OCSP_FAILED;
44662487
JH
1389 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
1390 reason != -1 ? "; reason: " : "",
1391 reason != -1 ? OCSP_crl_reason_str(reason) : "");
1392 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
44662487
JH
1393 break;
1394 default:
018058b2 1395 tls_out.ocsp = OCSP_FAILED;
44662487
JH
1396 log_write(0, LOG_MAIN,
1397 "Server certificate status unknown, in OCSP stapling");
44662487
JH
1398 break;
1399 }
f5d78688 1400 }
c8dfb21d
JH
1401 failed:
1402 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1403 good:
f5d78688
JH
1404 BIO_free(bp);
1405 }
1406
1407OCSP_RESPONSE_free(rsp);
1408return i;
1409}
f2de3a33 1410#endif /*!DISABLE_OCSP*/
3f7eeb86
PP
1411
1412
7be682ca 1413/*************************************************
059ec3d9
PH
1414* Initialize for TLS *
1415*************************************************/
1416
e51c7be2
JH
1417/* Called from both server and client code, to do preliminary initialization
1418of the library. We allocate and return a context structure.
059ec3d9
PH
1419
1420Arguments:
946ecbe0 1421 ctxp returned SSL context
059ec3d9
PH
1422 host connected host, if client; NULL if server
1423 dhparam DH parameter file
1424 certificate certificate file
1425 privatekey private key
f5d78688 1426 ocsp_file file of stapling info (server); flag for require ocsp (client)
059ec3d9 1427 addr address if client; NULL if server (for some randomness)
946ecbe0 1428 cbp place to put allocated callback context
cf0c6164 1429 errstr error string pointer
059ec3d9
PH
1430
1431Returns: OK/DEFER/FAIL
1432*/
1433
1434static int
817d9f57 1435tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
3f7eeb86 1436 uschar *privatekey,
f2de3a33 1437#ifndef DISABLE_OCSP
3f7eeb86
PP
1438 uschar *ocsp_file,
1439#endif
cf0c6164 1440 address_item *addr, tls_ext_ctx_cb ** cbp, uschar ** errstr)
059ec3d9 1441{
7006ee24 1442SSL_CTX * ctx;
77bb000f 1443long init_options;
7be682ca 1444int rc;
a7538db1 1445tls_ext_ctx_cb * cbinfo;
7be682ca
PP
1446
1447cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
1448cbinfo->certificate = certificate;
1449cbinfo->privatekey = privatekey;
f2de3a33 1450#ifndef DISABLE_OCSP
c3033f13 1451cbinfo->verify_stack = NULL;
f5d78688
JH
1452if ((cbinfo->is_server = host==NULL))
1453 {
1454 cbinfo->u_ocsp.server.file = ocsp_file;
1455 cbinfo->u_ocsp.server.file_expanded = NULL;
1456 cbinfo->u_ocsp.server.response = NULL;
1457 }
1458else
1459 cbinfo->u_ocsp.client.verify_store = NULL;
3f7eeb86 1460#endif
7be682ca 1461cbinfo->dhparam = dhparam;
0df4ab80 1462cbinfo->server_cipher_list = NULL;
7be682ca 1463cbinfo->host = host;
0cbf2b82 1464#ifndef DISABLE_EVENT
a7538db1
JH
1465cbinfo->event_action = NULL;
1466#endif
77bb000f 1467
059ec3d9
PH
1468SSL_load_error_strings(); /* basic set up */
1469OpenSSL_add_ssl_algorithms();
1470
c8dfb21d 1471#ifdef EXIM_HAVE_SHA256
77bb000f 1472/* SHA256 is becoming ever more popular. This makes sure it gets added to the
a0475b69
TK
1473list of available digests. */
1474EVP_add_digest(EVP_sha256());
cf1ef1a9 1475#endif
a0475b69 1476
f0f5a555
PP
1477/* Create a context.
1478The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
1479negotiation in the different methods; as far as I can tell, the only
1480*_{server,client}_method which allows negotiation is SSLv23, which exists even
1481when OpenSSL is built without SSLv2 support.
1482By disabling with openssl_options, we can let admins re-enable with the
1483existing knob. */
059ec3d9 1484
7006ee24
JH
1485if (!(ctx = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method())))
1486 return tls_error(US"SSL_CTX_new", host, NULL, errstr);
059ec3d9
PH
1487
1488/* It turns out that we need to seed the random number generator this early in
1489order to get the full complement of ciphers to work. It took me roughly a day
1490of work to discover this by experiment.
1491
1492On systems that have /dev/urandom, SSL may automatically seed itself from
1493there. Otherwise, we have to make something up as best we can. Double check
1494afterwards. */
1495
1496if (!RAND_status())
1497 {
1498 randstuff r;
9e3331ea 1499 gettimeofday(&r.tv, NULL);
059ec3d9
PH
1500 r.p = getpid();
1501
5903c6ff
JH
1502 RAND_seed(US (&r), sizeof(r));
1503 RAND_seed(US big_buffer, big_buffer_size);
1504 if (addr != NULL) RAND_seed(US addr, sizeof(addr));
059ec3d9
PH
1505
1506 if (!RAND_status())
7199e1ee 1507 return tls_error(US"RAND_status", host,
cf0c6164 1508 US"unable to seed random number generator", errstr);
059ec3d9
PH
1509 }
1510
1511/* Set up the information callback, which outputs if debugging is at a suitable
1512level. */
1513
7006ee24 1514DEBUG(D_tls) SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
059ec3d9 1515
c80c5570 1516/* Automatically re-try reads/writes after renegotiation. */
7006ee24 1517(void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
c80c5570 1518
77bb000f
PP
1519/* Apply administrator-supplied work-arounds.
1520Historically we applied just one requested option,
1521SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
1522moved to an administrator-controlled list of options to specify and
1523grandfathered in the first one as the default value for "openssl_options".
059ec3d9 1524
77bb000f
PP
1525No OpenSSL version number checks: the options we accept depend upon the
1526availability of the option value macros from OpenSSL. */
059ec3d9 1527
7006ee24 1528if (!tls_openssl_options_parse(openssl_options, &init_options))
cf0c6164 1529 return tls_error(US"openssl_options parsing failed", host, NULL, errstr);
77bb000f
PP
1530
1531if (init_options)
1532 {
1533 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
7006ee24 1534 if (!(SSL_CTX_set_options(ctx, init_options)))
77bb000f 1535 return tls_error(string_sprintf(
cf0c6164 1536 "SSL_CTX_set_option(%#lx)", init_options), host, NULL, errstr);
77bb000f
PP
1537 }
1538else
1539 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
059ec3d9 1540
7006ee24
JH
1541/* Disable session cache unconditionally */
1542
1543(void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
1544
059ec3d9 1545/* Initialize with DH parameters if supplied */
10ca4f1c 1546/* Initialize ECDH temp key parameter selection */
059ec3d9 1547
7006ee24
JH
1548if ( !init_dh(ctx, dhparam, host, errstr)
1549 || !init_ecdh(ctx, host, errstr)
038597d2
PP
1550 )
1551 return DEFER;
059ec3d9 1552
3f7eeb86 1553/* Set up certificate and key (and perhaps OCSP info) */
059ec3d9 1554
7006ee24 1555if ((rc = tls_expand_session_files(ctx, cbinfo, errstr)) != OK)
23bb6982 1556 return rc;
c91535f3 1557
c3033f13
JH
1558/* If we need to handle SNI or OCSP, do so */
1559
3bcbbbe2 1560#ifdef EXIM_HAVE_OPENSSL_TLSEXT
c3033f13
JH
1561# ifndef DISABLE_OCSP
1562 if (!(cbinfo->verify_stack = sk_X509_new_null()))
1563 {
1564 DEBUG(D_tls) debug_printf("failed to create stack for stapling verify\n");
1565 return FAIL;
1566 }
1567# endif
1568
f5d78688 1569if (host == NULL) /* server */
3f0945ff 1570 {
f2de3a33 1571# ifndef DISABLE_OCSP
f5d78688 1572 /* We check u_ocsp.server.file, not server.response, because we care about if
3f7eeb86
PP
1573 the option exists, not what the current expansion might be, as SNI might
1574 change the certificate and OCSP file in use between now and the time the
1575 callback is invoked. */
f5d78688 1576 if (cbinfo->u_ocsp.server.file)
3f7eeb86 1577 {
7006ee24
JH
1578 SSL_CTX_set_tlsext_status_cb(ctx, tls_server_stapling_cb);
1579 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
3f7eeb86 1580 }
f5d78688 1581# endif
3f0945ff
PP
1582 /* We always do this, so that $tls_sni is available even if not used in
1583 tls_certificate */
7006ee24
JH
1584 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
1585 SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
3f0945ff 1586 }
f2de3a33 1587# ifndef DISABLE_OCSP
f5d78688
JH
1588else /* client */
1589 if(ocsp_file) /* wanting stapling */
1590 {
1591 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
1592 {
1593 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
1594 return FAIL;
1595 }
7006ee24
JH
1596 SSL_CTX_set_tlsext_status_cb(ctx, tls_client_stapling_cb);
1597 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
f5d78688
JH
1598 }
1599# endif
7be682ca 1600#endif
059ec3d9 1601
e51c7be2 1602cbinfo->verify_cert_hostnames = NULL;
e51c7be2 1603
c8dfb21d 1604#ifdef EXIM_HAVE_EPHEM_RSA_KEX
059ec3d9 1605/* Set up the RSA callback */
7006ee24 1606SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
c8dfb21d 1607#endif
059ec3d9
PH
1608
1609/* Finally, set the timeout, and we are done */
1610
7006ee24 1611SSL_CTX_set_timeout(ctx, ssl_session_timeout);
059ec3d9 1612DEBUG(D_tls) debug_printf("Initialized TLS\n");
7be682ca 1613
817d9f57 1614*cbp = cbinfo;
7006ee24 1615*ctxp = ctx;
7be682ca 1616
059ec3d9
PH
1617return OK;
1618}
1619
1620
1621
1622
1623/*************************************************
1624* Get name of cipher in use *
1625*************************************************/
1626
817d9f57 1627/*
059ec3d9 1628Argument: pointer to an SSL structure for the connection
817d9f57
JH
1629 buffer to use for answer
1630 size of buffer
1631 pointer to number of bits for cipher
059ec3d9
PH
1632Returns: nothing
1633*/
1634
1635static void
817d9f57 1636construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits)
059ec3d9 1637{
57b3a7f5
PP
1638/* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't
1639yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
1640the accessor functions use const in the prototype. */
1641const SSL_CIPHER *c;
d9784128 1642const uschar *ver;
059ec3d9 1643
d9784128 1644ver = (const uschar *)SSL_get_version(ssl);
059ec3d9 1645
57b3a7f5 1646c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
817d9f57 1647SSL_CIPHER_get_bits(c, bits);
059ec3d9 1648
817d9f57
JH
1649string_format(cipherbuf, bsize, "%s:%s:%u", ver,
1650 SSL_CIPHER_get_name(c), *bits);
059ec3d9
PH
1651
1652DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
1653}
1654
1655
f69979cf
JH
1656static void
1657peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned bsize)
1658{
1659/*XXX we might consider a list-of-certs variable for the cert chain.
1660SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
1661in list-handling functions, also consider the difference between the entire
1662chain and the elements sent by the peer. */
1663
1664/* Will have already noted peercert on a verify fail; possibly not the leaf */
1665if (!tlsp->peercert)
1666 tlsp->peercert = SSL_get_peer_certificate(ssl);
1667/* Beware anonymous ciphers which lead to server_cert being NULL */
1668if (tlsp->peercert)
1669 {
1670 X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, bsize);
1671 peerdn[bsize-1] = '\0';
1672 tlsp->peerdn = peerdn; /*XXX a static buffer... */
1673 }
1674else
1675 tlsp->peerdn = NULL;
1676}
1677
1678
059ec3d9
PH
1679
1680
1681
1682/*************************************************
1683* Set up for verifying certificates *
1684*************************************************/
1685
c3033f13
JH
1686/* Load certs from file, return TRUE on success */
1687
1688static BOOL
1689chain_from_pem_file(const uschar * file, STACK_OF(X509) * verify_stack)
1690{
1691BIO * bp;
1692X509 * x;
1693
1694if (!(bp = BIO_new_file(CS file, "r"))) return FALSE;
1695while ((x = PEM_read_bio_X509(bp, NULL, 0, NULL)))
1696 sk_X509_push(verify_stack, x);
1697BIO_free(bp);
1698return TRUE;
1699}
1700
1701
1702
059ec3d9
PH
1703/* Called by both client and server startup
1704
1705Arguments:
7be682ca 1706 sctx SSL_CTX* to initialise
059ec3d9
PH
1707 certs certs file or NULL
1708 crl CRL file or NULL
1709 host NULL in a server; the remote host in a client
1710 optional TRUE if called from a server for a host in tls_try_verify_hosts;
1711 otherwise passed as FALSE
983207c1 1712 cert_vfy_cb Callback function for certificate verification
cf0c6164 1713 errstr error string pointer
059ec3d9
PH
1714
1715Returns: OK/DEFER/FAIL
1716*/
1717
1718static int
983207c1 1719setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
cf0c6164 1720 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr)
059ec3d9
PH
1721{
1722uschar *expcerts, *expcrl;
1723
cf0c6164 1724if (!expand_check(certs, US"tls_verify_certificates", &expcerts, errstr))
059ec3d9 1725 return DEFER;
57cc2785 1726DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
059ec3d9 1727
10a831a3 1728if (expcerts && *expcerts)
059ec3d9 1729 {
10a831a3
JH
1730 /* Tell the library to use its compiled-in location for the system default
1731 CA bundle. Then add the ones specified in the config, if any. */
cb1d7830 1732
10a831a3 1733 if (!SSL_CTX_set_default_verify_paths(sctx))
cf0c6164 1734 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL, errstr);
10a831a3
JH
1735
1736 if (Ustrcmp(expcerts, "system") != 0)
059ec3d9 1737 {
cb1d7830
JH
1738 struct stat statbuf;
1739
cb1d7830
JH
1740 if (Ustat(expcerts, &statbuf) < 0)
1741 {
1742 log_write(0, LOG_MAIN|LOG_PANIC,
1743 "failed to stat %s for certificates", expcerts);
1744 return DEFER;
1745 }
059ec3d9 1746 else
059ec3d9 1747 {
cb1d7830
JH
1748 uschar *file, *dir;
1749 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
1750 { file = NULL; dir = expcerts; }
1751 else
c3033f13
JH
1752 {
1753 file = expcerts; dir = NULL;
1754#ifndef DISABLE_OCSP
1755 /* In the server if we will be offering an OCSP proof, load chain from
1756 file for verifying the OCSP proof at load time. */
1757
1758 if ( !host
1759 && statbuf.st_size > 0
1760 && server_static_cbinfo->u_ocsp.server.file
1761 && !chain_from_pem_file(file, server_static_cbinfo->verify_stack)
1762 )
1763 {
1764 log_write(0, LOG_MAIN|LOG_PANIC,
1765 "failed to load cert hain from %s", file);
1766 return DEFER;
1767 }
1768#endif
1769 }
cb1d7830
JH
1770
1771 /* If a certificate file is empty, the next function fails with an
1772 unhelpful error message. If we skip it, we get the correct behaviour (no
1773 certificates are recognized, but the error message is still misleading (it
c3033f13 1774 says no certificate was supplied). But this is better. */
cb1d7830 1775
f2f2c91b
JH
1776 if ( (!file || statbuf.st_size > 0)
1777 && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
cf0c6164 1778 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL, errstr);
cb1d7830
JH
1779
1780 /* Load the list of CAs for which we will accept certs, for sending
1781 to the client. This is only for the one-file tls_verify_certificates
1782 variant.
1783 If a list isn't loaded into the server, but
1784 some verify locations are set, the server end appears to make
4c04137d 1785 a wildcard request for client certs.
10a831a3 1786 Meanwhile, the client library as default behaviour *ignores* the list
cb1d7830
JH
1787 we send over the wire - see man SSL_CTX_set_client_cert_cb.
1788 Because of this, and that the dir variant is likely only used for
1789 the public-CA bundle (not for a private CA), not worth fixing.
1790 */
f2f2c91b 1791 if (file)
cb1d7830
JH
1792 {
1793 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
f2f2c91b
JH
1794
1795 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
cb1d7830
JH
1796 sk_X509_NAME_num(names));
1797 SSL_CTX_set_client_CA_list(sctx, names);
1798 }
059ec3d9
PH
1799 }
1800 }
1801
1802 /* Handle a certificate revocation list. */
1803
10a831a3 1804#if OPENSSL_VERSION_NUMBER > 0x00907000L
059ec3d9 1805
8b417f2c 1806 /* This bit of code is now the version supplied by Lars Mainka. (I have
10a831a3 1807 merely reformatted it into the Exim code style.)
8b417f2c 1808
10a831a3
JH
1809 "From here I changed the code to add support for multiple crl's
1810 in pem format in one file or to support hashed directory entries in
1811 pem format instead of a file. This method now uses the library function
1812 X509_STORE_load_locations to add the CRL location to the SSL context.
1813 OpenSSL will then handle the verify against CA certs and CRLs by
1814 itself in the verify callback." */
8b417f2c 1815
cf0c6164 1816 if (!expand_check(crl, US"tls_crl", &expcrl, errstr)) return DEFER;
10a831a3 1817 if (expcrl && *expcrl)
059ec3d9 1818 {
8b417f2c
PH
1819 struct stat statbufcrl;
1820 if (Ustat(expcrl, &statbufcrl) < 0)
1821 {
1822 log_write(0, LOG_MAIN|LOG_PANIC,
1823 "failed to stat %s for certificates revocation lists", expcrl);
1824 return DEFER;
1825 }
1826 else
059ec3d9 1827 {
8b417f2c
PH
1828 /* is it a file or directory? */
1829 uschar *file, *dir;
7be682ca 1830 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
8b417f2c 1831 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
059ec3d9 1832 {
8b417f2c
PH
1833 file = NULL;
1834 dir = expcrl;
1835 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
059ec3d9
PH
1836 }
1837 else
1838 {
8b417f2c
PH
1839 file = expcrl;
1840 dir = NULL;
1841 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
059ec3d9 1842 }
8b417f2c 1843 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
cf0c6164 1844 return tls_error(US"X509_STORE_load_locations", host, NULL, errstr);
8b417f2c
PH
1845
1846 /* setting the flags to check against the complete crl chain */
1847
1848 X509_STORE_set_flags(cvstore,
1849 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
059ec3d9 1850 }
059ec3d9
PH
1851 }
1852
10a831a3 1853#endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
059ec3d9
PH
1854
1855 /* If verification is optional, don't fail if no certificate */
1856
7be682ca 1857 SSL_CTX_set_verify(sctx,
059ec3d9 1858 SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
983207c1 1859 cert_vfy_cb);
059ec3d9
PH
1860 }
1861
1862return OK;
1863}
1864
1865
1866
1867/*************************************************
1868* Start a TLS session in a server *
1869*************************************************/
1870
1871/* This is called when Exim is running as a server, after having received
1872the STARTTLS command. It must respond to that command, and then negotiate
1873a TLS session.
1874
1875Arguments:
1876 require_ciphers allowed ciphers
cf0c6164 1877 errstr pointer to error message
059ec3d9
PH
1878
1879Returns: OK on success
1880 DEFER for errors before the start of the negotiation
4c04137d 1881 FAIL for errors during the negotiation; the server can't
059ec3d9
PH
1882 continue running.
1883*/
1884
1885int
cf0c6164 1886tls_server_start(const uschar * require_ciphers, uschar ** errstr)
059ec3d9
PH
1887{
1888int rc;
cf0c6164
JH
1889uschar * expciphers;
1890tls_ext_ctx_cb * cbinfo;
f69979cf 1891static uschar peerdn[256];
817d9f57 1892static uschar cipherbuf[256];
059ec3d9
PH
1893
1894/* Check for previous activation */
1895
817d9f57 1896if (tls_in.active >= 0)
059ec3d9 1897 {
cf0c6164 1898 tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
925ac8e4 1899 smtp_printf("554 Already in TLS\r\n", FALSE);
059ec3d9
PH
1900 return FAIL;
1901 }
1902
1903/* Initialize the SSL library. If it fails, it will already have logged
1904the error. */
1905
817d9f57 1906rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
f2de3a33 1907#ifndef DISABLE_OCSP
3f7eeb86
PP
1908 tls_ocsp_file,
1909#endif
cf0c6164 1910 NULL, &server_static_cbinfo, errstr);
059ec3d9 1911if (rc != OK) return rc;
817d9f57 1912cbinfo = server_static_cbinfo;
059ec3d9 1913
cf0c6164 1914if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers, errstr))
059ec3d9
PH
1915 return FAIL;
1916
1917/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
17c76198
PP
1918were historically separated by underscores. So that I can use either form in my
1919tests, and also for general convenience, we turn underscores into hyphens here.
1920*/
059ec3d9 1921
c3033f13 1922if (expciphers)
059ec3d9 1923 {
c3033f13 1924 uschar * s = expciphers;
059ec3d9
PH
1925 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1926 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
817d9f57 1927 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
cf0c6164 1928 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL, errstr);
7be682ca 1929 cbinfo->server_cipher_list = expciphers;
059ec3d9
PH
1930 }
1931
1932/* If this is a host for which certificate verification is mandatory or
1933optional, set up appropriately. */
1934
817d9f57 1935tls_in.certificate_verified = FALSE;
53a7196b
JH
1936#ifdef EXPERIMENTAL_DANE
1937tls_in.dane_verified = FALSE;
1938#endif
a2ff477a 1939server_verify_callback_called = FALSE;
059ec3d9
PH
1940
1941if (verify_check_host(&tls_verify_hosts) == OK)
1942 {
983207c1 1943 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
cf0c6164 1944 FALSE, verify_callback_server, errstr);
059ec3d9 1945 if (rc != OK) return rc;
a2ff477a 1946 server_verify_optional = FALSE;
059ec3d9
PH
1947 }
1948else if (verify_check_host(&tls_try_verify_hosts) == OK)
1949 {
983207c1 1950 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
cf0c6164 1951 TRUE, verify_callback_server, errstr);
059ec3d9 1952 if (rc != OK) return rc;
a2ff477a 1953 server_verify_optional = TRUE;
059ec3d9
PH
1954 }
1955
1956/* Prepare for new connection */
1957
cf0c6164
JH
1958if (!(server_ssl = SSL_new(server_ctx)))
1959 return tls_error(US"SSL_new", NULL, NULL, errstr);
da3ad30d
PP
1960
1961/* Warning: we used to SSL_clear(ssl) here, it was removed.
1962 *
1963 * With the SSL_clear(), we get strange interoperability bugs with
1964 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
1965 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
1966 *
1967 * The SSL_clear() call is to let an existing SSL* be reused, typically after
1968 * session shutdown. In this case, we have a brand new object and there's no
1969 * obvious reason to immediately clear it. I'm guessing that this was
1970 * originally added because of incomplete initialisation which the clear fixed,
1971 * in some historic release.
1972 */
059ec3d9
PH
1973
1974/* Set context and tell client to go ahead, except in the case of TLS startup
1975on connection, where outputting anything now upsets the clients and tends to
1976make them disconnect. We need to have an explicit fflush() here, to force out
1977the response. Other smtp_printf() calls do not need it, because in non-TLS
1978mode, the fflush() happens when smtp_getc() is called. */
1979
817d9f57
JH
1980SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
1981if (!tls_in.on_connect)
059ec3d9 1982 {
925ac8e4 1983 smtp_printf("220 TLS go ahead\r\n", FALSE);
059ec3d9
PH
1984 fflush(smtp_out);
1985 }
1986
1987/* Now negotiate the TLS session. We put our own timer on it, since it seems
1988that the OpenSSL library doesn't. */
1989
817d9f57
JH
1990SSL_set_wfd(server_ssl, fileno(smtp_out));
1991SSL_set_rfd(server_ssl, fileno(smtp_in));
1992SSL_set_accept_state(server_ssl);
059ec3d9
PH
1993
1994DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
1995
1996sigalrm_seen = FALSE;
1997if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
817d9f57 1998rc = SSL_accept(server_ssl);
059ec3d9
PH
1999alarm(0);
2000
2001if (rc <= 0)
2002 {
cf0c6164 2003 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
059ec3d9
PH
2004 return FAIL;
2005 }
2006
2007DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
2008
2009/* TLS has been set up. Adjust the input functions to read via TLS,
2010and initialize things. */
2011
f69979cf
JH
2012peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
2013
817d9f57
JH
2014construct_cipher_name(server_ssl, cipherbuf, sizeof(cipherbuf), &tls_in.bits);
2015tls_in.cipher = cipherbuf;
059ec3d9
PH
2016
2017DEBUG(D_tls)
2018 {
2019 uschar buf[2048];
817d9f57 2020 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)) != NULL)
059ec3d9
PH
2021 debug_printf("Shared ciphers: %s\n", buf);
2022 }
2023
9d1c15ef
JH
2024/* Record the certificate we presented */
2025 {
2026 X509 * crt = SSL_get_certificate(server_ssl);
2027 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
2028 }
059ec3d9 2029
817d9f57
JH
2030/* Only used by the server-side tls (tls_in), including tls_getc.
2031 Client-side (tls_out) reads (seem to?) go via
2032 smtp_read_response()/ip_recv().
2033 Hence no need to duplicate for _in and _out.
2034 */
059ec3d9
PH
2035ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
2036ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
2037ssl_xfer_eof = ssl_xfer_error = 0;
2038
2039receive_getc = tls_getc;
0d81dabc 2040receive_getbuf = tls_getbuf;
584e96c6 2041receive_get_cache = tls_get_cache;
059ec3d9
PH
2042receive_ungetc = tls_ungetc;
2043receive_feof = tls_feof;
2044receive_ferror = tls_ferror;
58eb016e 2045receive_smtp_buffered = tls_smtp_buffered;
059ec3d9 2046
817d9f57 2047tls_in.active = fileno(smtp_out);
059ec3d9
PH
2048return OK;
2049}
2050
2051
2052
2053
043b1248
JH
2054static int
2055tls_client_basic_ctx_init(SSL_CTX * ctx,
cf0c6164
JH
2056 host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo,
2057 uschar ** errstr)
043b1248
JH
2058{
2059int rc;
94431adb 2060/* stick to the old behaviour for compatibility if tls_verify_certificates is
043b1248
JH
2061 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
2062 the specified host patterns if one of them is defined */
2063
610ff438
JH
2064if ( ( !ob->tls_verify_hosts
2065 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2066 )
5130845b 2067 || (verify_check_given_host(&ob->tls_verify_hosts, host) == OK)
aa2a70ba 2068 )
043b1248 2069 client_verify_optional = FALSE;
5130845b 2070else if (verify_check_given_host(&ob->tls_try_verify_hosts, host) == OK)
aa2a70ba
JH
2071 client_verify_optional = TRUE;
2072else
2073 return OK;
2074
2075if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
cf0c6164
JH
2076 ob->tls_crl, host, client_verify_optional, verify_callback_client,
2077 errstr)) != OK)
aa2a70ba 2078 return rc;
043b1248 2079
5130845b 2080if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK)
043b1248 2081 {
4af0d74a 2082 cbinfo->verify_cert_hostnames =
8c5d388a 2083#ifdef SUPPORT_I18N
4af0d74a
JH
2084 string_domain_utf8_to_alabel(host->name, NULL);
2085#else
2086 host->name;
2087#endif
aa2a70ba
JH
2088 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
2089 cbinfo->verify_cert_hostnames);
043b1248 2090 }
043b1248
JH
2091return OK;
2092}
059ec3d9 2093
fde080a4
JH
2094
2095#ifdef EXPERIMENTAL_DANE
2096static int
cf0c6164 2097dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa, uschar ** errstr)
fde080a4
JH
2098{
2099dns_record * rr;
2100dns_scan dnss;
2101const char * hostnames[2] = { CS host->name, NULL };
2102int found = 0;
2103
2104if (DANESSL_init(ssl, NULL, hostnames) != 1)
cf0c6164 2105 return tls_error(US"hostnames load", host, NULL, errstr);
fde080a4
JH
2106
2107for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
2108 rr;
2109 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
2110 ) if (rr->type == T_TLSA)
2111 {
c3033f13 2112 const uschar * p = rr->data;
fde080a4
JH
2113 uint8_t usage, selector, mtype;
2114 const char * mdname;
2115
fde080a4 2116 usage = *p++;
133d2546
JH
2117
2118 /* Only DANE-TA(2) and DANE-EE(3) are supported */
2119 if (usage != 2 && usage != 3) continue;
2120
fde080a4
JH
2121 selector = *p++;
2122 mtype = *p++;
2123
2124 switch (mtype)
2125 {
133d2546
JH
2126 default: continue; /* Only match-types 0, 1, 2 are supported */
2127 case 0: mdname = NULL; break;
2128 case 1: mdname = "sha256"; break;
2129 case 2: mdname = "sha512"; break;
fde080a4
JH
2130 }
2131
133d2546 2132 found++;
fde080a4
JH
2133 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
2134 {
2135 default:
cf0c6164 2136 return tls_error(US"tlsa load", host, NULL, errstr);
c035b645 2137 case 0: /* action not taken */
fde080a4
JH
2138 case 1: break;
2139 }
594706ea
JH
2140
2141 tls_out.tlsa_usage |= 1<<usage;
fde080a4
JH
2142 }
2143
2144if (found)
2145 return OK;
2146
133d2546 2147log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
6ebd79ec 2148return DEFER;
fde080a4
JH
2149}
2150#endif /*EXPERIMENTAL_DANE*/
2151
2152
2153
059ec3d9
PH
2154/*************************************************
2155* Start a TLS session in a client *
2156*************************************************/
2157
2158/* Called from the smtp transport after STARTTLS has been accepted.
2159
2160Argument:
2161 fd the fd of the connection
2162 host connected host (for messages)
83da1223 2163 addr the first address
a7538db1 2164 tb transport (always smtp)
0e66b3b6 2165 tlsa_dnsa tlsa lookup, if DANE, else null
cf0c6164 2166 errstr error string pointer
059ec3d9
PH
2167
2168Returns: OK on success
2169 FAIL otherwise - note that tls_error() will not give DEFER
2170 because this is not a server
2171*/
2172
2173int
f5d78688 2174tls_client_start(int fd, host_item *host, address_item *addr,
cf0c6164 2175 transport_instance * tb,
0e66b3b6 2176#ifdef EXPERIMENTAL_DANE
cf0c6164 2177 dns_answer * tlsa_dnsa,
0e66b3b6 2178#endif
cf0c6164 2179 uschar ** errstr)
059ec3d9 2180{
a7538db1
JH
2181smtp_transport_options_block * ob =
2182 (smtp_transport_options_block *)tb->options_block;
f69979cf 2183static uschar peerdn[256];
868f5672 2184uschar * expciphers;
059ec3d9 2185int rc;
817d9f57 2186static uschar cipherbuf[256];
043b1248
JH
2187
2188#ifndef DISABLE_OCSP
043b1248 2189BOOL request_ocsp = FALSE;
6634ac8d 2190BOOL require_ocsp = FALSE;
043b1248 2191#endif
043b1248
JH
2192
2193#ifdef EXPERIMENTAL_DANE
594706ea 2194tls_out.tlsa_usage = 0;
043b1248
JH
2195#endif
2196
f2de3a33 2197#ifndef DISABLE_OCSP
043b1248 2198 {
4f59c424
JH
2199# ifdef EXPERIMENTAL_DANE
2200 if ( tlsa_dnsa
2201 && ob->hosts_request_ocsp[0] == '*'
2202 && ob->hosts_request_ocsp[1] == '\0'
2203 )
2204 {
2205 /* Unchanged from default. Use a safer one under DANE */
2206 request_ocsp = TRUE;
2207 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
2208 " {= {4}{$tls_out_tlsa_usage}} } "
2209 " {*}{}}";
2210 }
2211# endif
2212
5130845b
JH
2213 if ((require_ocsp =
2214 verify_check_given_host(&ob->hosts_require_ocsp, host) == OK))
fca41d5a
JH
2215 request_ocsp = TRUE;
2216 else
fca41d5a 2217# ifdef EXPERIMENTAL_DANE
4f59c424 2218 if (!request_ocsp)
fca41d5a 2219# endif
5130845b
JH
2220 request_ocsp =
2221 verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
043b1248 2222 }
f5d78688 2223#endif
059ec3d9 2224
65867078
JH
2225rc = tls_init(&client_ctx, host, NULL,
2226 ob->tls_certificate, ob->tls_privatekey,
f2de3a33 2227#ifndef DISABLE_OCSP
44662487 2228 (void *)(long)request_ocsp,
3f7eeb86 2229#endif
cf0c6164 2230 addr, &client_static_cbinfo, errstr);
059ec3d9
PH
2231if (rc != OK) return rc;
2232
817d9f57 2233tls_out.certificate_verified = FALSE;
a2ff477a 2234client_verify_callback_called = FALSE;
059ec3d9 2235
65867078 2236if (!expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
cf0c6164 2237 &expciphers, errstr))
059ec3d9
PH
2238 return FAIL;
2239
2240/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
2241are separated by underscores. So that I can use either form in my tests, and
2242also for general convenience, we turn underscores into hyphens here. */
2243
cf0c6164 2244if (expciphers)
059ec3d9
PH
2245 {
2246 uschar *s = expciphers;
cf0c6164 2247 while (*s) { if (*s == '_') *s = '-'; s++; }
059ec3d9 2248 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
817d9f57 2249 if (!SSL_CTX_set_cipher_list(client_ctx, CS expciphers))
cf0c6164 2250 return tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr);
059ec3d9
PH
2251 }
2252
043b1248 2253#ifdef EXPERIMENTAL_DANE
0e66b3b6 2254if (tlsa_dnsa)
a63be306 2255 {
02af313d
JH
2256 SSL_CTX_set_verify(client_ctx,
2257 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2258 verify_callback_client_dane);
e5cccda9 2259
043b1248 2260 if (!DANESSL_library_init())
cf0c6164 2261 return tls_error(US"library init", host, NULL, errstr);
043b1248 2262 if (DANESSL_CTX_init(client_ctx) <= 0)
cf0c6164 2263 return tls_error(US"context init", host, NULL, errstr);
043b1248
JH
2264 }
2265else
e51c7be2 2266
043b1248
JH
2267#endif
2268
cf0c6164
JH
2269 if ((rc = tls_client_basic_ctx_init(client_ctx, host, ob,
2270 client_static_cbinfo, errstr)) != OK)
65867078 2271 return rc;
059ec3d9 2272
65867078 2273if ((client_ssl = SSL_new(client_ctx)) == NULL)
cf0c6164 2274 return tls_error(US"SSL_new", host, NULL, errstr);
817d9f57
JH
2275SSL_set_session_id_context(client_ssl, sid_ctx, Ustrlen(sid_ctx));
2276SSL_set_fd(client_ssl, fd);
2277SSL_set_connect_state(client_ssl);
059ec3d9 2278
65867078 2279if (ob->tls_sni)
3f0945ff 2280 {
cf0c6164 2281 if (!expand_check(ob->tls_sni, US"tls_sni", &tls_out.sni, errstr))
3f0945ff 2282 return FAIL;
cf0c6164 2283 if (!tls_out.sni)
2c9a0e86
PP
2284 {
2285 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
2286 }
ec4b68e5 2287 else if (!Ustrlen(tls_out.sni))
817d9f57 2288 tls_out.sni = NULL;
3f0945ff
PP
2289 else
2290 {
35731706 2291#ifdef EXIM_HAVE_OPENSSL_TLSEXT
817d9f57
JH
2292 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tls_out.sni);
2293 SSL_set_tlsext_host_name(client_ssl, tls_out.sni);
35731706 2294#else
66802652 2295 log_write(0, LOG_MAIN, "SNI unusable with this OpenSSL library version; ignoring \"%s\"\n",
02d9264f 2296 tls_out.sni);
35731706 2297#endif
3f0945ff
PP
2298 }
2299 }
2300
594706ea 2301#ifdef EXPERIMENTAL_DANE
0e66b3b6 2302if (tlsa_dnsa)
cf0c6164 2303 if ((rc = dane_tlsa_load(client_ssl, host, tlsa_dnsa, errstr)) != OK)
594706ea
JH
2304 return rc;
2305#endif
2306
f2de3a33 2307#ifndef DISABLE_OCSP
f5d78688
JH
2308/* Request certificate status at connection-time. If the server
2309does OCSP stapling we will get the callback (set in tls_init()) */
b50c8b84 2310# ifdef EXPERIMENTAL_DANE
44662487
JH
2311if (request_ocsp)
2312 {
594706ea 2313 const uschar * s;
41afb5cb
JH
2314 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
2315 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
594706ea
JH
2316 )
2317 { /* Re-eval now $tls_out_tlsa_usage is populated. If
2318 this means we avoid the OCSP request, we wasted the setup
2319 cost in tls_init(). */
5130845b
JH
2320 require_ocsp = verify_check_given_host(&ob->hosts_require_ocsp, host) == OK;
2321 request_ocsp = require_ocsp
2322 || verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
594706ea
JH
2323 }
2324 }
b50c8b84
JH
2325# endif
2326
594706ea
JH
2327if (request_ocsp)
2328 {
f5d78688 2329 SSL_set_tlsext_status_type(client_ssl, TLSEXT_STATUSTYPE_ocsp);
44662487
JH
2330 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
2331 tls_out.ocsp = OCSP_NOT_RESP;
2332 }
f5d78688
JH
2333#endif
2334
0cbf2b82 2335#ifndef DISABLE_EVENT
774ef2d7 2336client_static_cbinfo->event_action = tb->event_action;
a7538db1 2337#endif
043b1248 2338
059ec3d9
PH
2339/* There doesn't seem to be a built-in timeout on connection. */
2340
2341DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
2342sigalrm_seen = FALSE;
65867078 2343alarm(ob->command_timeout);
817d9f57 2344rc = SSL_connect(client_ssl);
059ec3d9
PH
2345alarm(0);
2346
043b1248 2347#ifdef EXPERIMENTAL_DANE
0e66b3b6 2348if (tlsa_dnsa)
fde080a4 2349 DANESSL_cleanup(client_ssl);
043b1248
JH
2350#endif
2351
059ec3d9 2352if (rc <= 0)
cf0c6164
JH
2353 return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL,
2354 errstr);
059ec3d9
PH
2355
2356DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
2357
f69979cf 2358peer_cert(client_ssl, &tls_out, peerdn, sizeof(peerdn));
059ec3d9 2359
817d9f57
JH
2360construct_cipher_name(client_ssl, cipherbuf, sizeof(cipherbuf), &tls_out.bits);
2361tls_out.cipher = cipherbuf;
059ec3d9 2362
9d1c15ef
JH
2363/* Record the certificate we presented */
2364 {
2365 X509 * crt = SSL_get_certificate(client_ssl);
2366 tls_out.ourcert = crt ? X509_dup(crt) : NULL;
2367 }
2368
817d9f57 2369tls_out.active = fd;
059ec3d9
PH
2370return OK;
2371}
2372
2373
2374
2375
2376
0d81dabc
JH
2377static BOOL
2378tls_refill(unsigned lim)
2379{
2380int error;
2381int inbytes;
2382
2383DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
2384 ssl_xfer_buffer, ssl_xfer_buffer_size);
2385
2386if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
2387inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer,
2388 MIN(ssl_xfer_buffer_size, lim));
2389error = SSL_get_error(server_ssl, inbytes);
2390alarm(0);
2391
2392/* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
2393closed down, not that the socket itself has been closed down. Revert to
2394non-SSL handling. */
2395
2396if (error == SSL_ERROR_ZERO_RETURN)
2397 {
2398 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2399
2400 receive_getc = smtp_getc;
2401 receive_getbuf = smtp_getbuf;
2402 receive_get_cache = smtp_get_cache;
2403 receive_ungetc = smtp_ungetc;
2404 receive_feof = smtp_feof;
2405 receive_ferror = smtp_ferror;
2406 receive_smtp_buffered = smtp_buffered;
2407
2408 SSL_free(server_ssl);
2409 server_ssl = NULL;
2410 tls_in.active = -1;
2411 tls_in.bits = 0;
2412 tls_in.cipher = NULL;
2413 tls_in.peerdn = NULL;
2414 tls_in.sni = NULL;
2415
2416 return FALSE;
2417 }
2418
2419/* Handle genuine errors */
2420
2421else if (error == SSL_ERROR_SSL)
2422 {
2423 ERR_error_string(ERR_get_error(), ssl_errstring);
2424 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
2425 ssl_xfer_error = 1;
2426 return FALSE;
2427 }
2428
2429else if (error != SSL_ERROR_NONE)
2430 {
2431 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
2432 ssl_xfer_error = 1;
2433 return FALSE;
2434 }
2435
2436#ifndef DISABLE_DKIM
2437dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
2438#endif
2439ssl_xfer_buffer_hwm = inbytes;
2440ssl_xfer_buffer_lwm = 0;
2441return TRUE;
2442}
2443
2444
059ec3d9
PH
2445/*************************************************
2446* TLS version of getc *
2447*************************************************/
2448
2449/* This gets the next byte from the TLS input buffer. If the buffer is empty,
2450it refills the buffer via the SSL reading function.
2451
bd8fbe36 2452Arguments: lim Maximum amount to read/buffer
059ec3d9 2453Returns: the next character or EOF
817d9f57
JH
2454
2455Only used by the server-side TLS.
059ec3d9
PH
2456*/
2457
2458int
bd8fbe36 2459tls_getc(unsigned lim)
059ec3d9
PH
2460{
2461if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
0d81dabc
JH
2462 if (!tls_refill(lim))
2463 return ssl_xfer_error ? EOF : smtp_getc(lim);
059ec3d9 2464
0d81dabc 2465/* Something in the buffer; return next uschar */
059ec3d9 2466
0d81dabc
JH
2467return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
2468}
059ec3d9 2469
0d81dabc
JH
2470uschar *
2471tls_getbuf(unsigned * len)
2472{
2473unsigned size;
2474uschar * buf;
ba084640 2475
0d81dabc
JH
2476if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
2477 if (!tls_refill(*len))
059ec3d9 2478 {
0d81dabc
JH
2479 if (!ssl_xfer_error) return smtp_getbuf(len);
2480 *len = 0;
2481 return NULL;
059ec3d9 2482 }
c80c5570 2483
0d81dabc
JH
2484if ((size = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm) > *len)
2485 size = *len;
2486buf = &ssl_xfer_buffer[ssl_xfer_buffer_lwm];
2487ssl_xfer_buffer_lwm += size;
2488*len = size;
2489return buf;
059ec3d9
PH
2490}
2491
0d81dabc 2492
584e96c6
JH
2493void
2494tls_get_cache()
2495{
9960d1e5 2496#ifndef DISABLE_DKIM
584e96c6
JH
2497int n = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm;
2498if (n > 0)
2499 dkim_exim_verify_feed(ssl_xfer_buffer+ssl_xfer_buffer_lwm, n);
584e96c6 2500#endif
9960d1e5 2501}
584e96c6 2502
059ec3d9 2503
925ac8e4
JH
2504BOOL
2505tls_could_read(void)
2506{
a5ffa9b4 2507return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm || SSL_pending(server_ssl) > 0;
925ac8e4
JH
2508}
2509
059ec3d9
PH
2510
2511/*************************************************
2512* Read bytes from TLS channel *
2513*************************************************/
2514
2515/*
2516Arguments:
2517 buff buffer of data
2518 len size of buffer
2519
2520Returns: the number of bytes read
2521 -1 after a failed read
817d9f57
JH
2522
2523Only used by the client-side TLS.
059ec3d9
PH
2524*/
2525
2526int
389ca47a 2527tls_read(BOOL is_server, uschar *buff, size_t len)
059ec3d9 2528{
389ca47a 2529SSL *ssl = is_server ? server_ssl : client_ssl;
059ec3d9
PH
2530int inbytes;
2531int error;
2532
389ca47a 2533DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
c80c5570 2534 buff, (unsigned int)len);
059ec3d9 2535
389ca47a
JH
2536inbytes = SSL_read(ssl, CS buff, len);
2537error = SSL_get_error(ssl, inbytes);
059ec3d9
PH
2538
2539if (error == SSL_ERROR_ZERO_RETURN)
2540 {
2541 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2542 return -1;
2543 }
2544else if (error != SSL_ERROR_NONE)
059ec3d9 2545 return -1;
059ec3d9
PH
2546
2547return inbytes;
2548}
2549
2550
2551
2552
2553
2554/*************************************************
2555* Write bytes down TLS channel *
2556*************************************************/
2557
2558/*
2559Arguments:
817d9f57 2560 is_server channel specifier
059ec3d9
PH
2561 buff buffer of data
2562 len number of bytes
925ac8e4 2563 more further data expected soon
059ec3d9
PH
2564
2565Returns: the number of bytes after a successful write,
2566 -1 after a failed write
817d9f57
JH
2567
2568Used by both server-side and client-side TLS.
059ec3d9
PH
2569*/
2570
2571int
925ac8e4 2572tls_write(BOOL is_server, const uschar *buff, size_t len, BOOL more)
059ec3d9 2573{
a5ffa9b4 2574int outbytes, error, left;
817d9f57 2575SSL *ssl = is_server ? server_ssl : client_ssl;
acec9514 2576static gstring * corked = NULL;
a5ffa9b4 2577
ef698bf6 2578DEBUG(D_tls) debug_printf("%s(%p, %lu%s)\n", __FUNCTION__,
b93be52e 2579 buff, (unsigned long)len, more ? ", more" : "");
a5ffa9b4
JH
2580
2581/* Lacking a CORK or MSG_MORE facility (such as GnuTLS has) we copy data when
2582"more" is notified. This hack is only ok if small amounts are involved AND only
2583one stream does it, in one context (i.e. no store reset). Currently it is used
2584for the responses to the received SMTP MAIL , RCPT, DATA sequence, only. */
2585
2586if (is_server && (more || corked))
2587 {
acec9514 2588 corked = string_catn(corked, buff, len);
a5ffa9b4
JH
2589 if (more)
2590 return len;
acec9514
JH
2591 buff = CUS corked->s;
2592 len = corked->ptr;
2593 corked = NULL;
a5ffa9b4 2594 }
059ec3d9 2595
a5ffa9b4 2596for (left = len; left > 0;)
059ec3d9 2597 {
c80c5570 2598 DEBUG(D_tls) debug_printf("SSL_write(SSL, %p, %d)\n", buff, left);
059ec3d9
PH
2599 outbytes = SSL_write(ssl, CS buff, left);
2600 error = SSL_get_error(ssl, outbytes);
2601 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
2602 switch (error)
2603 {
2604 case SSL_ERROR_SSL:
96f5fe4c
JH
2605 ERR_error_string(ERR_get_error(), ssl_errstring);
2606 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
2607 return -1;
059ec3d9
PH
2608
2609 case SSL_ERROR_NONE:
96f5fe4c
JH
2610 left -= outbytes;
2611 buff += outbytes;
2612 break;
059ec3d9
PH
2613
2614 case SSL_ERROR_ZERO_RETURN:
96f5fe4c
JH
2615 log_write(0, LOG_MAIN, "SSL channel closed on write");
2616 return -1;
059ec3d9 2617
817d9f57 2618 case SSL_ERROR_SYSCALL:
96f5fe4c
JH
2619 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
2620 sender_fullhost ? sender_fullhost : US"<unknown>",
2621 strerror(errno));
2622 return -1;
817d9f57 2623
059ec3d9 2624 default:
96f5fe4c
JH
2625 log_write(0, LOG_MAIN, "SSL_write error %d", error);
2626 return -1;
059ec3d9
PH
2627 }
2628 }
2629return len;
2630}
2631
2632
2633
2634/*************************************************
2635* Close down a TLS session *
2636*************************************************/
2637
2638/* This is also called from within a delivery subprocess forked from the
2639daemon, to shut down the TLS library, without actually doing a shutdown (which
2640would tamper with the SSL session in the parent process).
2641
2642Arguments: TRUE if SSL_shutdown is to be called
2643Returns: nothing
817d9f57
JH
2644
2645Used by both server-side and client-side TLS.
059ec3d9
PH
2646*/
2647
2648void
817d9f57 2649tls_close(BOOL is_server, BOOL shutdown)
059ec3d9 2650{
817d9f57 2651SSL **sslp = is_server ? &server_ssl : &client_ssl;
389ca47a 2652int *fdp = is_server ? &tls_in.active : &tls_out.active;
817d9f57
JH
2653
2654if (*fdp < 0) return; /* TLS was not active */
059ec3d9
PH
2655
2656if (shutdown)
2657 {
ec8b777a 2658 DEBUG(D_tls) debug_printf("tls_close(): shutting down SSL\n");
817d9f57 2659 SSL_shutdown(*sslp);
059ec3d9
PH
2660 }
2661
817d9f57
JH
2662SSL_free(*sslp);
2663*sslp = NULL;
059ec3d9 2664
817d9f57 2665*fdp = -1;
059ec3d9
PH
2666}
2667
36f12725
NM
2668
2669
2670
2671/*************************************************
3375e053
PP
2672* Let tls_require_ciphers be checked at startup *
2673*************************************************/
2674
2675/* The tls_require_ciphers option, if set, must be something which the
2676library can parse.
2677
2678Returns: NULL on success, or error message
2679*/
2680
2681uschar *
2682tls_validate_require_cipher(void)
2683{
2684SSL_CTX *ctx;
2685uschar *s, *expciphers, *err;
2686
2687/* this duplicates from tls_init(), we need a better "init just global
2688state, for no specific purpose" singleton function of our own */
2689
2690SSL_load_error_strings();
2691OpenSSL_add_ssl_algorithms();
2692#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
2693/* SHA256 is becoming ever more popular. This makes sure it gets added to the
2694list of available digests. */
2695EVP_add_digest(EVP_sha256());
2696#endif
2697
2698if (!(tls_require_ciphers && *tls_require_ciphers))
2699 return NULL;
2700
cf0c6164
JH
2701if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
2702 &err))
3375e053
PP
2703 return US"failed to expand tls_require_ciphers";
2704
2705if (!(expciphers && *expciphers))
2706 return NULL;
2707
2708/* normalisation ripped from above */
2709s = expciphers;
2710while (*s != 0) { if (*s == '_') *s = '-'; s++; }
2711
2712err = NULL;
2713
2714ctx = SSL_CTX_new(SSLv23_server_method());
2715if (!ctx)
2716 {
2717 ERR_error_string(ERR_get_error(), ssl_errstring);
2718 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
2719 }
2720
2721DEBUG(D_tls)
2722 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
2723
2724if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
2725 {
2726 ERR_error_string(ERR_get_error(), ssl_errstring);
cf0c6164
JH
2727 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed: %s",
2728 expciphers, ssl_errstring);
3375e053
PP
2729 }
2730
2731SSL_CTX_free(ctx);
2732
2733return err;
2734}
2735
2736
2737
2738
2739/*************************************************
36f12725
NM
2740* Report the library versions. *
2741*************************************************/
2742
2743/* There have historically been some issues with binary compatibility in
2744OpenSSL libraries; if Exim (like many other applications) is built against
2745one version of OpenSSL but the run-time linker picks up another version,
2746it can result in serious failures, including crashing with a SIGSEGV. So
2747report the version found by the compiler and the run-time version.
2748
f64a1e23
PP
2749Note: some OS vendors backport security fixes without changing the version
2750number/string, and the version date remains unchanged. The _build_ date
2751will change, so we can more usefully assist with version diagnosis by also
2752reporting the build date.
2753
36f12725
NM
2754Arguments: a FILE* to print the results to
2755Returns: nothing
2756*/
2757
2758void
2759tls_version_report(FILE *f)
2760{
754a0503 2761fprintf(f, "Library version: OpenSSL: Compile: %s\n"
f64a1e23
PP
2762 " Runtime: %s\n"
2763 " : %s\n",
754a0503 2764 OPENSSL_VERSION_TEXT,
f64a1e23
PP
2765 SSLeay_version(SSLEAY_VERSION),
2766 SSLeay_version(SSLEAY_BUILT_ON));
2767/* third line is 38 characters for the %s and the line is 73 chars long;
2768the OpenSSL output includes a "built on: " prefix already. */
36f12725
NM
2769}
2770
9e3331ea
TK
2771
2772
2773
2774/*************************************************
17c76198 2775* Random number generation *
9e3331ea
TK
2776*************************************************/
2777
2778/* Pseudo-random number generation. The result is not expected to be
2779cryptographically strong but not so weak that someone will shoot themselves
2780in the foot using it as a nonce in input in some email header scheme or
2781whatever weirdness they'll twist this into. The result should handle fork()
2782and avoid repeating sequences. OpenSSL handles that for us.
2783
2784Arguments:
2785 max range maximum
2786Returns a random number in range [0, max-1]
2787*/
2788
2789int
17c76198 2790vaguely_random_number(int max)
9e3331ea
TK
2791{
2792unsigned int r;
2793int i, needed_len;
de6135a0
PP
2794static pid_t pidlast = 0;
2795pid_t pidnow;
9e3331ea
TK
2796uschar *p;
2797uschar smallbuf[sizeof(r)];
2798
2799if (max <= 1)
2800 return 0;
2801
de6135a0
PP
2802pidnow = getpid();
2803if (pidnow != pidlast)
2804 {
2805 /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
2806 is unique for each thread", this doesn't apparently apply across processes,
2807 so our own warning from vaguely_random_number_fallback() applies here too.
2808 Fix per PostgreSQL. */
2809 if (pidlast != 0)
2810 RAND_cleanup();
2811 pidlast = pidnow;
2812 }
2813
9e3331ea
TK
2814/* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
2815if (!RAND_status())
2816 {
2817 randstuff r;
2818 gettimeofday(&r.tv, NULL);
2819 r.p = getpid();
2820
5903c6ff 2821 RAND_seed(US (&r), sizeof(r));
9e3331ea
TK
2822 }
2823/* We're after pseudo-random, not random; if we still don't have enough data
2824in the internal PRNG then our options are limited. We could sleep and hope
2825for entropy to come along (prayer technique) but if the system is so depleted
2826in the first place then something is likely to just keep taking it. Instead,
2827we'll just take whatever little bit of pseudo-random we can still manage to
2828get. */
2829
2830needed_len = sizeof(r);
2831/* Don't take 8 times more entropy than needed if int is 8 octets and we were
2832asked for a number less than 10. */
2833for (r = max, i = 0; r; ++i)
2834 r >>= 1;
2835i = (i + 7) / 8;
2836if (i < needed_len)
2837 needed_len = i;
2838
c8dfb21d 2839#ifdef EXIM_HAVE_RAND_PSEUDO
9e3331ea 2840/* We do not care if crypto-strong */
17c76198 2841i = RAND_pseudo_bytes(smallbuf, needed_len);
c8dfb21d
JH
2842#else
2843i = RAND_bytes(smallbuf, needed_len);
2844#endif
2845
17c76198
PP
2846if (i < 0)
2847 {
2848 DEBUG(D_all)
2849 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
2850 return vaguely_random_number_fallback(max);
2851 }
2852
9e3331ea
TK
2853r = 0;
2854for (p = smallbuf; needed_len; --needed_len, ++p)
2855 {
2856 r *= 256;
2857 r += *p;
2858 }
2859
2860/* We don't particularly care about weighted results; if someone wants
2861smooth distribution and cares enough then they should submit a patch then. */
2862return r % max;
2863}
2864
77bb000f
PP
2865
2866
2867
2868/*************************************************
2869* OpenSSL option parse *
2870*************************************************/
2871
2872/* Parse one option for tls_openssl_options_parse below
2873
2874Arguments:
2875 name one option name
2876 value place to store a value for it
2877Returns success or failure in parsing
2878*/
2879
2880struct exim_openssl_option {
2881 uschar *name;
2882 long value;
2883};
2884/* We could use a macro to expand, but we need the ifdef and not all the
2885options document which version they were introduced in. Policylet: include
2886all options unless explicitly for DTLS, let the administrator choose which
2887to apply.
2888
2889This list is current as of:
e2fbf4a2
PP
2890 ==> 1.0.1b <==
2891Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
2892*/
77bb000f
PP
2893static struct exim_openssl_option exim_openssl_options[] = {
2894/* KEEP SORTED ALPHABETICALLY! */
2895#ifdef SSL_OP_ALL
73a46702 2896 { US"all", SSL_OP_ALL },
77bb000f
PP
2897#endif
2898#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
73a46702 2899 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
77bb000f
PP
2900#endif
2901#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
73a46702 2902 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
77bb000f
PP
2903#endif
2904#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
73a46702 2905 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
77bb000f
PP
2906#endif
2907#ifdef SSL_OP_EPHEMERAL_RSA
73a46702 2908 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
77bb000f
PP
2909#endif
2910#ifdef SSL_OP_LEGACY_SERVER_CONNECT
73a46702 2911 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
77bb000f
PP
2912#endif
2913#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
73a46702 2914 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
77bb000f
PP
2915#endif
2916#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
73a46702 2917 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
77bb000f
PP
2918#endif
2919#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
73a46702 2920 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
77bb000f
PP
2921#endif
2922#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
73a46702 2923 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
77bb000f
PP
2924#endif
2925#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
73a46702 2926 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
77bb000f 2927#endif
c80c5570
PP
2928#ifdef SSL_OP_NO_COMPRESSION
2929 { US"no_compression", SSL_OP_NO_COMPRESSION },
2930#endif
77bb000f 2931#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
73a46702 2932 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
77bb000f 2933#endif
c0c7b2da
PP
2934#ifdef SSL_OP_NO_SSLv2
2935 { US"no_sslv2", SSL_OP_NO_SSLv2 },
2936#endif
2937#ifdef SSL_OP_NO_SSLv3
2938 { US"no_sslv3", SSL_OP_NO_SSLv3 },
2939#endif
2940#ifdef SSL_OP_NO_TICKET
2941 { US"no_ticket", SSL_OP_NO_TICKET },
2942#endif
2943#ifdef SSL_OP_NO_TLSv1
2944 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
2945#endif
c80c5570
PP
2946#ifdef SSL_OP_NO_TLSv1_1
2947#if SSL_OP_NO_TLSv1_1 == 0x00000400L
2948 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
2949#warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
2950#else
2951 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
2952#endif
2953#endif
2954#ifdef SSL_OP_NO_TLSv1_2
2955 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
2956#endif
e2fbf4a2
PP
2957#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
2958 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
2959#endif
77bb000f 2960#ifdef SSL_OP_SINGLE_DH_USE
73a46702 2961 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
77bb000f
PP
2962#endif
2963#ifdef SSL_OP_SINGLE_ECDH_USE
73a46702 2964 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
77bb000f
PP
2965#endif
2966#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
73a46702 2967 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
77bb000f
PP
2968#endif
2969#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
73a46702 2970 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
77bb000f
PP
2971#endif
2972#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
73a46702 2973 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
77bb000f
PP
2974#endif
2975#ifdef SSL_OP_TLS_D5_BUG
73a46702 2976 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
77bb000f
PP
2977#endif
2978#ifdef SSL_OP_TLS_ROLLBACK_BUG
73a46702 2979 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
77bb000f
PP
2980#endif
2981};
2982static int exim_openssl_options_size =
2983 sizeof(exim_openssl_options)/sizeof(struct exim_openssl_option);
2984
c80c5570 2985
77bb000f
PP
2986static BOOL
2987tls_openssl_one_option_parse(uschar *name, long *value)
2988{
2989int first = 0;
2990int last = exim_openssl_options_size;
2991while (last > first)
2992 {
2993 int middle = (first + last)/2;
2994 int c = Ustrcmp(name, exim_openssl_options[middle].name);
2995 if (c == 0)
2996 {
2997 *value = exim_openssl_options[middle].value;
2998 return TRUE;
2999 }
3000 else if (c > 0)
3001 first = middle + 1;
3002 else
3003 last = middle;
3004 }
3005return FALSE;
3006}
3007
3008
3009
3010
3011/*************************************************
3012* OpenSSL option parsing logic *
3013*************************************************/
3014
3015/* OpenSSL has a number of compatibility options which an administrator might
3016reasonably wish to set. Interpret a list similarly to decode_bits(), so that
3017we look like log_selector.
3018
3019Arguments:
3020 option_spec the administrator-supplied string of options
3021 results ptr to long storage for the options bitmap
3022Returns success or failure
3023*/
3024
3025BOOL
3026tls_openssl_options_parse(uschar *option_spec, long *results)
3027{
3028long result, item;
3029uschar *s, *end;
3030uschar keep_c;
3031BOOL adding, item_parsed;
3032
7006ee24 3033result = SSL_OP_NO_TICKET;
b1770b6e 3034/* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
da3ad30d 3035 * from default because it increases BEAST susceptibility. */
f0f5a555
PP
3036#ifdef SSL_OP_NO_SSLv2
3037result |= SSL_OP_NO_SSLv2;
3038#endif
a57b6200
JH
3039#ifdef SSL_OP_SINGLE_DH_USE
3040result |= SSL_OP_SINGLE_DH_USE;
3041#endif
77bb000f 3042
7006ee24 3043if (!option_spec)
77bb000f
PP
3044 {
3045 *results = result;
3046 return TRUE;
3047 }
3048
3049for (s=option_spec; *s != '\0'; /**/)
3050 {
3051 while (isspace(*s)) ++s;
3052 if (*s == '\0')
3053 break;
3054 if (*s != '+' && *s != '-')
3055 {
3056 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
0e944a0d 3057 "+ or - expected but found \"%s\"\n", s);
77bb000f
PP
3058 return FALSE;
3059 }
3060 adding = *s++ == '+';
3061 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
3062 keep_c = *end;
3063 *end = '\0';
3064 item_parsed = tls_openssl_one_option_parse(s, &item);
96f5fe4c 3065 *end = keep_c;
77bb000f
PP
3066 if (!item_parsed)
3067 {
0e944a0d 3068 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
77bb000f
PP
3069 return FALSE;
3070 }
3071 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
3072 adding ? "adding" : "removing", result, item, s);
3073 if (adding)
3074 result |= item;
3075 else
3076 result &= ~item;
77bb000f
PP
3077 s = end;
3078 }
3079
3080*results = result;
3081return TRUE;
3082}
3083
9d1c15ef
JH
3084/* vi: aw ai sw=2
3085*/
059ec3d9 3086/* End of tls-openssl.c */