projects / exim.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
OpenSSL: TLSv1.3 notes
[exim.git] / src / src / tls-openssl.c
... / ...
CommitLineData
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
5/* Copyright (c) University of Cambridge 1995 - 2018 */
6/* See the file NOTICE for conditions of use and distribution. */
7
8/* Portions Copyright (c) The OpenSSL Project 1999 */
9
10/* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11library. It is #included into the tls.c file when that library is used. The
12code herein is based on a patch that was originally contributed by Steve
13Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
14
15No cryptographic code is included in Exim. All this module does is to call
16functions from the OpenSSL library. */
17
18
19/* Heading stuff */
20
21#include <openssl/lhash.h>
22#include <openssl/ssl.h>
23#include <openssl/err.h>
24#include <openssl/rand.h>
25#ifndef OPENSSL_NO_ECDH
26# include <openssl/ec.h>
27#endif
28#ifndef DISABLE_OCSP
29# include <openssl/ocsp.h>
30#endif
31#ifdef SUPPORT_DANE
32# include "danessl.h"
33#endif
34
35
36#ifndef DISABLE_OCSP
37# define EXIM_OCSP_SKEW_SECONDS (300L)
38# define EXIM_OCSP_MAX_AGE (-1L)
39#endif
40
41#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
42# define EXIM_HAVE_OPENSSL_TLSEXT
43#endif
44#if OPENSSL_VERSION_NUMBER >= 0x00908000L
45# define EXIM_HAVE_RSA_GENKEY_EX
46#endif
47#if OPENSSL_VERSION_NUMBER >= 0x10100000L
48# define EXIM_HAVE_OCSP_RESP_COUNT
49#else
50# define EXIM_HAVE_EPHEM_RSA_KEX
51# define EXIM_HAVE_RAND_PSEUDO
52#endif
53#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
54# define EXIM_HAVE_SHA256 /*MMMM*/
55#endif
56
57/*
58 * X509_check_host provides sane certificate hostname checking, but was added
59 * to OpenSSL late, after other projects forked off the code-base. So in
60 * addition to guarding against the base version number, beware that LibreSSL
61 * does not (at this time) support this function.
62 *
63 * If LibreSSL gains a different API, perhaps via libtls, then we'll probably
64 * opt to disentangle and ask a LibreSSL user to provide glue for a third
65 * crypto provider for libtls instead of continuing to tie the OpenSSL glue
66 * into even twistier knots. If LibreSSL gains the same API, we can just
67 * change this guard and punt the issue for a while longer.
68 */
69#ifndef LIBRESSL_VERSION_NUMBER
70# if OPENSSL_VERSION_NUMBER >= 0x010100000L
71# define EXIM_HAVE_OPENSSL_CHECKHOST
72# define EXIM_HAVE_OPENSSL_DH_BITS
73# define EXIM_HAVE_OPENSSL_TLS_METHOD
74# endif
75# if OPENSSL_VERSION_NUMBER >= 0x010000000L \
76 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
77# define EXIM_HAVE_OPENSSL_CHECKHOST
78# endif
79#endif
80
81#if !defined(LIBRESSL_VERSION_NUMBER) \
82 || LIBRESSL_VERSION_NUMBER >= 0x20010000L
83# if !defined(OPENSSL_NO_ECDH)
84# if OPENSSL_VERSION_NUMBER >= 0x0090800fL
85# define EXIM_HAVE_ECDH /*MMMM*/
86# endif
87# if OPENSSL_VERSION_NUMBER >= 0x10002000L
88# define EXIM_HAVE_OPENSSL_EC_NIST2NID
89# endif
90# endif
91#endif
92
93#if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
94# warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
95# define DISABLE_OCSP
96#endif
97
98#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
99# include <openssl/x509v3.h>
100#endif
101
102/* Structure for collecting random data for seeding. */
103
104typedef struct randstuff {
105 struct timeval tv;
106 pid_t p;
107} randstuff;
108
109/* Local static variables */
110
111static BOOL client_verify_callback_called = FALSE;
112static BOOL server_verify_callback_called = FALSE;
113static const uschar *sid_ctx = US"exim";
114
115/* We have three different contexts to care about.
116
117Simple case: client, `client_ctx`
118 As a client, we can be doing a callout or cut-through delivery while receiving
119 a message. So we have a client context, which should have options initialised
120 from the SMTP Transport.
121
122Server:
123 There are two cases: with and without ServerNameIndication from the client.
124 Given TLS SNI, we can be using different keys, certs and various other
125 configuration settings, because they're re-expanded with $tls_sni set. This
126 allows vhosting with TLS. This SNI is sent in the handshake.
127 A client might not send SNI, so we need a fallback, and an initial setup too.
128 So as a server, we start out using `server_ctx`.
129 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
130 `server_sni` from `server_ctx` and then initialise settings by re-expanding
131 configuration.
132*/
133
134static SSL_CTX *client_ctx = NULL;
135static SSL_CTX *server_ctx = NULL;
136static SSL *client_ssl = NULL;
137static SSL *server_ssl = NULL;
138
139#ifdef EXIM_HAVE_OPENSSL_TLSEXT
140static SSL_CTX *server_sni = NULL;
141#endif
142
143static char ssl_errstring[256];
144
145static int ssl_session_timeout = 200;
146static BOOL client_verify_optional = FALSE;
147static BOOL server_verify_optional = FALSE;
148
149static BOOL reexpand_tls_files_for_sni = FALSE;
150
151
152typedef struct tls_ext_ctx_cb {
153 uschar *certificate;
154 uschar *privatekey;
155 BOOL is_server;
156#ifndef DISABLE_OCSP
157 STACK_OF(X509) *verify_stack; /* chain for verifying the proof */
158 union {
159 struct {
160 uschar *file;
161 uschar *file_expanded;
162 OCSP_RESPONSE *response;
163 } server;
164 struct {
165 X509_STORE *verify_store; /* non-null if status requested */
166 BOOL verify_required;
167 } client;
168 } u_ocsp;
169#endif
170 uschar *dhparam;
171 /* these are cached from first expand */
172 uschar *server_cipher_list;
173 /* only passed down to tls_error: */
174 host_item *host;
175 const uschar * verify_cert_hostnames;
176#ifndef DISABLE_EVENT
177 uschar * event_action;
178#endif
179} tls_ext_ctx_cb;
180
181/* should figure out a cleanup of API to handle state preserved per
182implementation, for various reasons, which can be void * in the APIs.
183For now, we hack around it. */
184tls_ext_ctx_cb *client_static_cbinfo = NULL;
185tls_ext_ctx_cb *server_static_cbinfo = NULL;
186
187static int
188setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
189 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr );
190
191/* Callbacks */
192#ifdef EXIM_HAVE_OPENSSL_TLSEXT
193static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
194#endif
195#ifndef DISABLE_OCSP
196static int tls_server_stapling_cb(SSL *s, void *arg);
197#endif
198
199
200/*************************************************
201* Handle TLS error *
202*************************************************/
203
204/* Called from lots of places when errors occur before actually starting to do
205the TLS handshake, that is, while the session is still in clear. Always returns
206DEFER for a server and FAIL for a client so that most calls can use "return
207tls_error(...)" to do this processing and then give an appropriate return. A
208single function is used for both server and client, because it is called from
209some shared functions.
210
211Argument:
212 prefix text to include in the logged error
213 host NULL if setting up a server;
214 the connected host if setting up a client
215 msg error message or NULL if we should ask OpenSSL
216 errstr pointer to output error message
217
218Returns: OK/DEFER/FAIL
219*/
220
221static int
222tls_error(uschar * prefix, const host_item * host, uschar * msg, uschar ** errstr)
223{
224if (!msg)
225 {
226 ERR_error_string(ERR_get_error(), ssl_errstring);
227 msg = US ssl_errstring;
228 }
229
230if (errstr) *errstr = string_sprintf("(%s): %s", prefix, msg);
231return host ? FAIL : DEFER;
232}
233
234
235
236/*************************************************
237* Callback to generate RSA key *
238*************************************************/
239
240/*
241Arguments:
242 s SSL connection (not used)
243 export not used
244 keylength keylength
245
246Returns: pointer to generated key
247*/
248
249static RSA *
250rsa_callback(SSL *s, int export, int keylength)
251{
252RSA *rsa_key;
253#ifdef EXIM_HAVE_RSA_GENKEY_EX
254BIGNUM *bn = BN_new();
255#endif
256
257export = export; /* Shut picky compilers up */
258DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
259
260#ifdef EXIM_HAVE_RSA_GENKEY_EX
261if ( !BN_set_word(bn, (unsigned long)RSA_F4)
262 || !(rsa_key = RSA_new())
263 || !RSA_generate_key_ex(rsa_key, keylength, bn, NULL)
264 )
265#else
266if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL)))
267#endif
268
269 {
270 ERR_error_string(ERR_get_error(), ssl_errstring);
271 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
272 ssl_errstring);
273 return NULL;
274 }
275return rsa_key;
276}
277
278
279
280/* Extreme debug
281#ifndef DISABLE_OCSP
282void
283x509_store_dump_cert_s_names(X509_STORE * store)
284{
285STACK_OF(X509_OBJECT) * roots= store->objs;
286int i;
287static uschar name[256];
288
289for(i= 0; i<sk_X509_OBJECT_num(roots); i++)
290 {
291 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
292 if(tmp_obj->type == X509_LU_X509)
293 {
294 X509 * current_cert= tmp_obj->data.x509;
295 X509_NAME_oneline(X509_get_subject_name(current_cert), CS name, sizeof(name));
296 name[sizeof(name)-1] = '\0';
297 debug_printf(" %s\n", name);
298 }
299 }
300}
301#endif
302*/
303
304
305#ifndef DISABLE_EVENT
306static int
307verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
308 BOOL *calledp, const BOOL *optionalp, const uschar * what)
309{
310uschar * ev;
311uschar * yield;
312X509 * old_cert;
313
314ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
315if (ev)
316 {
317 DEBUG(D_tls) debug_printf("verify_event: %s %d\n", what, depth);
318 old_cert = tlsp->peercert;
319 tlsp->peercert = X509_dup(cert);
320 /* NB we do not bother setting peerdn */
321 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
322 {
323 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
324 "depth=%d cert=%s: %s",
325 tlsp == &tls_out ? deliver_host_address : sender_host_address,
326 what, depth, dn, yield);
327 *calledp = TRUE;
328 if (!*optionalp)
329 {
330 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
331 return 1; /* reject (leaving peercert set) */
332 }
333 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
334 "(host in tls_try_verify_hosts)\n");
335 }
336 X509_free(tlsp->peercert);
337 tlsp->peercert = old_cert;
338 }
339return 0;
340}
341#endif
342
343/*************************************************
344* Callback for verification *
345*************************************************/
346
347/* The SSL library does certificate verification if set up to do so. This
348callback has the current yes/no state is in "state". If verification succeeded,
349we set the certificate-verified flag. If verification failed, what happens
350depends on whether the client is required to present a verifiable certificate
351or not.
352
353If verification is optional, we change the state to yes, but still log the
354verification error. For some reason (it really would help to have proper
355documentation of OpenSSL), this callback function then gets called again, this
356time with state = 1. We must take care not to set the private verified flag on
357the second time through.
358
359Note: this function is not called if the client fails to present a certificate
360when asked. We get here only if a certificate has been received. Handling of
361optional verification for this case is done when requesting SSL to verify, by
362setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
363
364May be called multiple times for different issues with a certificate, even
365for a given "depth" in the certificate chain.
366
367Arguments:
368 preverify_ok current yes/no state as 1/0
369 x509ctx certificate information.
370 tlsp per-direction (client vs. server) support data
371 calledp has-been-called flag
372 optionalp verification-is-optional flag
373
374Returns: 0 if verification should fail, otherwise 1
375*/
376
377static int
378verify_callback(int preverify_ok, X509_STORE_CTX *x509ctx,
379 tls_support *tlsp, BOOL *calledp, BOOL *optionalp)
380{
381X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
382int depth = X509_STORE_CTX_get_error_depth(x509ctx);
383uschar dn[256];
384
385X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn));
386dn[sizeof(dn)-1] = '\0';
387
388if (preverify_ok == 0)
389 {
390 uschar * extra = verify_mode ? string_sprintf(" (during %c-verify for [%s])",
391 *verify_mode, sender_host_address)
392 : US"";
393 log_write(0, LOG_MAIN, "[%s] SSL verify error%s: depth=%d error=%s cert=%s",
394 tlsp == &tls_out ? deliver_host_address : sender_host_address,
395 extra, depth,
396 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)), dn);
397 *calledp = TRUE;
398 if (!*optionalp)
399 {
400 if (!tlsp->peercert)
401 tlsp->peercert = X509_dup(cert); /* record failing cert */
402 return 0; /* reject */
403 }
404 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
405 "tls_try_verify_hosts)\n");
406 }
407
408else if (depth != 0)
409 {
410 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
411#ifndef DISABLE_OCSP
412 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
413 { /* client, wanting stapling */
414 /* Add the server cert's signing chain as the one
415 for the verification of the OCSP stapled information. */
416
417 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
418 cert))
419 ERR_clear_error();
420 sk_X509_push(client_static_cbinfo->verify_stack, cert);
421 }
422#endif
423#ifndef DISABLE_EVENT
424 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
425 return 0; /* reject, with peercert set */
426#endif
427 }
428else
429 {
430 const uschar * verify_cert_hostnames;
431
432 if ( tlsp == &tls_out
433 && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
434 /* client, wanting hostname check */
435 {
436
437#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
438# ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
439# define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
440# endif
441# ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
442# define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
443# endif
444 int sep = 0;
445 const uschar * list = verify_cert_hostnames;
446 uschar * name;
447 int rc;
448 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
449 if ((rc = X509_check_host(cert, CCS name, 0,
450 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
451 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
452 NULL)))
453 {
454 if (rc < 0)
455 {
456 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
457 tlsp == &tls_out ? deliver_host_address : sender_host_address);
458 name = NULL;
459 }
460 break;
461 }
462 if (!name)
463#else
464 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
465#endif
466 {
467 uschar * extra = verify_mode
468 ? string_sprintf(" (during %c-verify for [%s])",
469 *verify_mode, sender_host_address)
470 : US"";
471 log_write(0, LOG_MAIN,
472 "[%s] SSL verify error%s: certificate name mismatch: DN=\"%s\" H=\"%s\"",
473 tlsp == &tls_out ? deliver_host_address : sender_host_address,
474 extra, dn, verify_cert_hostnames);
475 *calledp = TRUE;
476 if (!*optionalp)
477 {
478 if (!tlsp->peercert)
479 tlsp->peercert = X509_dup(cert); /* record failing cert */
480 return 0; /* reject */
481 }
482 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
483 "tls_try_verify_hosts)\n");
484 }
485 }
486
487#ifndef DISABLE_EVENT
488 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
489 return 0; /* reject, with peercert set */
490#endif
491
492 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
493 *calledp ? "" : " authenticated", dn);
494 if (!*calledp) tlsp->certificate_verified = TRUE;
495 *calledp = TRUE;
496 }
497
498return 1; /* accept, at least for this level */
499}
500
501static int
502verify_callback_client(int preverify_ok, X509_STORE_CTX *x509ctx)
503{
504return verify_callback(preverify_ok, x509ctx, &tls_out,
505 &client_verify_callback_called, &client_verify_optional);
506}
507
508static int
509verify_callback_server(int preverify_ok, X509_STORE_CTX *x509ctx)
510{
511return verify_callback(preverify_ok, x509ctx, &tls_in,
512 &server_verify_callback_called, &server_verify_optional);
513}
514
515
516#ifdef SUPPORT_DANE
517
518/* This gets called *by* the dane library verify callback, which interposes
519itself.
520*/
521static int
522verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
523{
524X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
525uschar dn[256];
526int depth = X509_STORE_CTX_get_error_depth(x509ctx);
527#ifndef DISABLE_EVENT
528BOOL dummy_called, optional = FALSE;
529#endif
530
531X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn));
532dn[sizeof(dn)-1] = '\0';
533
534DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
535 preverify_ok ? "ok":"BAD", depth, dn);
536
537#ifndef DISABLE_EVENT
538 if (verify_event(&tls_out, cert, depth, dn,
539 &dummy_called, &optional, US"DANE"))
540 return 0; /* reject, with peercert set */
541#endif
542
543if (preverify_ok == 1)
544 {
545 tls_out.dane_verified = tls_out.certificate_verified = TRUE;
546#ifndef DISABLE_OCSP
547 if (client_static_cbinfo->u_ocsp.client.verify_store)
548 { /* client, wanting stapling */
549 /* Add the server cert's signing chain as the one
550 for the verification of the OCSP stapled information. */
551
552 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
553 cert))
554 ERR_clear_error();
555 sk_X509_push(client_static_cbinfo->verify_stack, cert);
556 }
557#endif
558 }
559else
560 {
561 int err = X509_STORE_CTX_get_error(x509ctx);
562 DEBUG(D_tls)
563 debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
564 if (err == X509_V_ERR_APPLICATION_VERIFICATION)
565 preverify_ok = 1;
566 }
567return preverify_ok;
568}
569
570#endif /*SUPPORT_DANE*/
571
572
573/*************************************************
574* Information callback *
575*************************************************/
576
577/* The SSL library functions call this from time to time to indicate what they
578are doing. We copy the string to the debugging output when TLS debugging has
579been requested.
580
581Arguments:
582 s the SSL connection
583 where
584 ret
585
586Returns: nothing
587*/
588
589static void
590info_callback(SSL *s, int where, int ret)
591{
592where = where;
593ret = ret;
594DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
595}
596
597
598
599/*************************************************
600* Initialize for DH *
601*************************************************/
602
603/* If dhparam is set, expand it, and load up the parameters for DH encryption.
604
605Arguments:
606 sctx The current SSL CTX (inbound or outbound)
607 dhparam DH parameter file or fixed parameter identity string
608 host connected host, if client; NULL if server
609 errstr error string pointer
610
611Returns: TRUE if OK (nothing to set up, or setup worked)
612*/
613
614static BOOL
615init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host, uschar ** errstr)
616{
617BIO *bio;
618DH *dh;
619uschar *dhexpanded;
620const char *pem;
621int dh_bitsize;
622
623if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded, errstr))
624 return FALSE;
625
626if (!dhexpanded || !*dhexpanded)
627 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
628else if (dhexpanded[0] == '/')
629 {
630 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
631 {
632 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
633 host, US strerror(errno), errstr);
634 return FALSE;
635 }
636 }
637else
638 {
639 if (Ustrcmp(dhexpanded, "none") == 0)
640 {
641 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
642 return TRUE;
643 }
644
645 if (!(pem = std_dh_prime_named(dhexpanded)))
646 {
647 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
648 host, US strerror(errno), errstr);
649 return FALSE;
650 }
651 bio = BIO_new_mem_buf(CS pem, -1);
652 }
653
654if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
655 {
656 BIO_free(bio);
657 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
658 host, NULL, errstr);
659 return FALSE;
660 }
661
662/* note: our default limit of 2236 is not a multiple of 8; the limit comes from
663 * an NSS limit, and the GnuTLS APIs handle bit-sizes fine, so we went with
664 * 2236. But older OpenSSL can only report in bytes (octets), not bits.
665 * If someone wants to dance at the edge, then they can raise the limit or use
666 * current libraries. */
667#ifdef EXIM_HAVE_OPENSSL_DH_BITS
668/* Added in commit 26c79d5641d; `git describe --contains` says OpenSSL_1_1_0-pre1~1022
669 * This predates OpenSSL_1_1_0 (before a, b, ...) so is in all 1.1.0 */
670dh_bitsize = DH_bits(dh);
671#else
672dh_bitsize = 8 * DH_size(dh);
673#endif
674
675/* Even if it is larger, we silently return success rather than cause things
676 * to fail out, so that a too-large DH will not knock out all TLS; it's a
677 * debatable choice. */
678if (dh_bitsize > tls_dh_max_bits)
679 {
680 DEBUG(D_tls)
681 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d\n",
682 dh_bitsize, tls_dh_max_bits);
683 }
684else
685 {
686 SSL_CTX_set_tmp_dh(sctx, dh);
687 DEBUG(D_tls)
688 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
689 dhexpanded ? dhexpanded : US"default", dh_bitsize);
690 }
691
692DH_free(dh);
693BIO_free(bio);
694
695return TRUE;
696}
697
698
699
700
701/*************************************************
702* Initialize for ECDH *
703*************************************************/
704
705/* Load parameters for ECDH encryption.
706
707For now, we stick to NIST P-256 because: it's simple and easy to configure;
708it avoids any patent issues that might bite redistributors; despite events in
709the news and concerns over curve choices, we're not cryptographers, we're not
710pretending to be, and this is "good enough" to be better than no support,
711protecting against most adversaries. Given another year or two, there might
712be sufficient clarity about a "right" way forward to let us make an informed
713decision, instead of a knee-jerk reaction.
714
715Longer-term, we should look at supporting both various named curves and
716external files generated with "openssl ecparam", much as we do for init_dh().
717We should also support "none" as a value, to explicitly avoid initialisation.
718
719Patches welcome.
720
721Arguments:
722 sctx The current SSL CTX (inbound or outbound)
723 host connected host, if client; NULL if server
724 errstr error string pointer
725
726Returns: TRUE if OK (nothing to set up, or setup worked)
727*/
728
729static BOOL
730init_ecdh(SSL_CTX * sctx, host_item * host, uschar ** errstr)
731{
732#ifdef OPENSSL_NO_ECDH
733return TRUE;
734#else
735
736EC_KEY * ecdh;
737uschar * exp_curve;
738int nid;
739BOOL rv;
740
741if (host) /* No ECDH setup for clients, only for servers */
742 return TRUE;
743
744# ifndef EXIM_HAVE_ECDH
745DEBUG(D_tls)
746 debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
747return TRUE;
748# else
749
750if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr))
751 return FALSE;
752if (!exp_curve || !*exp_curve)
753 return TRUE;
754
755/* "auto" needs to be handled carefully.
756 * OpenSSL < 1.0.2: we do not select anything, but fallback to prime256v1
757 * OpenSSL < 1.1.0: we have to call SSL_CTX_set_ecdh_auto
758 * (openssl/ssl.h defines SSL_CTRL_SET_ECDH_AUTO)
759 * OpenSSL >= 1.1.0: we do not set anything, the libray does autoselection
760 * https://github.com/openssl/openssl/commit/fe6ef2472db933f01b59cad82aa925736935984b
761 */
762if (Ustrcmp(exp_curve, "auto") == 0)
763 {
764#if OPENSSL_VERSION_NUMBER < 0x10002000L
765 DEBUG(D_tls) debug_printf(
766 "ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n");
767 exp_curve = US"prime256v1";
768#else
769# if defined SSL_CTRL_SET_ECDH_AUTO
770 DEBUG(D_tls) debug_printf(
771 "ECDH OpenSSL 1.0.2+ temp key parameter settings: autoselection\n");
772 SSL_CTX_set_ecdh_auto(sctx, 1);
773 return TRUE;
774# else
775 DEBUG(D_tls) debug_printf(
776 "ECDH OpenSSL 1.1.0+ temp key parameter settings: default selection\n");
777 return TRUE;
778# endif
779#endif
780 }
781
782DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve);
783if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef
784# ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
785 && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef
786# endif
787 )
788 {
789 tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve),
790 host, NULL, errstr);
791 return FALSE;
792 }
793
794if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
795 {
796 tls_error(US"Unable to create ec curve", host, NULL, errstr);
797 return FALSE;
798 }
799
800/* The "tmp" in the name here refers to setting a temporary key
801not to the stability of the interface. */
802
803if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
804 tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL, errstr);
805else
806 DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
807
808EC_KEY_free(ecdh);
809return !rv;
810
811# endif /*EXIM_HAVE_ECDH*/
812#endif /*OPENSSL_NO_ECDH*/
813}
814
815
816
817
818#ifndef DISABLE_OCSP
819/*************************************************
820* Load OCSP information into state *
821*************************************************/
822/* Called to load the server OCSP response from the given file into memory, once
823caller has determined this is needed. Checks validity. Debugs a message
824if invalid.
825
826ASSUMES: single response, for single cert.
827
828Arguments:
829 sctx the SSL_CTX* to update
830 cbinfo various parts of session state
831 expanded the filename putatively holding an OCSP response
832
833*/
834
835static void
836ocsp_load_response(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo, const uschar *expanded)
837{
838BIO * bio;
839OCSP_RESPONSE * resp;
840OCSP_BASICRESP * basic_response;
841OCSP_SINGLERESP * single_response;
842ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
843STACK_OF(X509) * sk;
844unsigned long verify_flags;
845int status, reason, i;
846
847cbinfo->u_ocsp.server.file_expanded = string_copy(expanded);
848if (cbinfo->u_ocsp.server.response)
849 {
850 OCSP_RESPONSE_free(cbinfo->u_ocsp.server.response);
851 cbinfo->u_ocsp.server.response = NULL;
852 }
853
854if (!(bio = BIO_new_file(CS cbinfo->u_ocsp.server.file_expanded, "rb")))
855 {
856 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
857 cbinfo->u_ocsp.server.file_expanded);
858 return;
859 }
860
861resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
862BIO_free(bio);
863if (!resp)
864 {
865 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
866 return;
867 }
868
869if ((status = OCSP_response_status(resp)) != OCSP_RESPONSE_STATUS_SUCCESSFUL)
870 {
871 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
872 OCSP_response_status_str(status), status);
873 goto bad;
874 }
875
876if (!(basic_response = OCSP_response_get1_basic(resp)))
877 {
878 DEBUG(D_tls)
879 debug_printf("OCSP response parse error: unable to extract basic response.\n");
880 goto bad;
881 }
882
883sk = cbinfo->verify_stack;
884verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
885
886/* May need to expose ability to adjust those flags?
887OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
888OCSP_TRUSTOTHER OCSP_NOINTERN */
889
890/* This does a full verify on the OCSP proof before we load it for serving
891up; possibly overkill - just date-checks might be nice enough.
892
893OCSP_basic_verify takes a "store" arg, but does not
894use it for the chain verification, which is all we do
895when OCSP_NOVERIFY is set. The content from the wire
896"basic_response" and a cert-stack "sk" are all that is used.
897
898We have a stack, loaded in setup_certs() if tls_verify_certificates
899was a file (not a directory, or "system"). It is unfortunate we
900cannot used the connection context store, as that would neatly
901handle the "system" case too, but there seems to be no library
902function for getting a stack from a store.
903[ In OpenSSL 1.1 - ? X509_STORE_CTX_get0_chain(ctx) ? ]
904We do not free the stack since it could be needed a second time for
905SNI handling.
906
907Separately we might try to replace using OCSP_basic_verify() - which seems to not
908be a public interface into the OpenSSL library (there's no manual entry) -
909But what with? We also use OCSP_basic_verify in the client stapling callback.
910And there we NEED it; we must verify that status... unless the
911library does it for us anyway? */
912
913if ((i = OCSP_basic_verify(basic_response, sk, NULL, verify_flags)) < 0)
914 {
915 DEBUG(D_tls)
916 {
917 ERR_error_string(ERR_get_error(), ssl_errstring);
918 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
919 }
920 goto bad;
921 }
922
923/* Here's the simplifying assumption: there's only one response, for the
924one certificate we use, and nothing for anything else in a chain. If this
925proves false, we need to extract a cert id from our issued cert
926(tls_certificate) and use that for OCSP_resp_find_status() (which finds the
927right cert in the stack and then calls OCSP_single_get0_status()).
928
929I'm hoping to avoid reworking a bunch more of how we handle state here. */
930
931if (!(single_response = OCSP_resp_get0(basic_response, 0)))
932 {
933 DEBUG(D_tls)
934 debug_printf("Unable to get first response from OCSP basic response.\n");
935 goto bad;
936 }
937
938status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
939if (status != V_OCSP_CERTSTATUS_GOOD)
940 {
941 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
942 OCSP_cert_status_str(status), status,
943 OCSP_crl_reason_str(reason), reason);
944 goto bad;
945 }
946
947if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
948 {
949 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
950 goto bad;
951 }
952
953supply_response:
954 cbinfo->u_ocsp.server.response = resp; /*XXX stack?*/
955return;
956
957bad:
958 if (running_in_test_harness)
959 {
960 extern char ** environ;
961 uschar ** p;
962 if (environ) for (p = USS environ; *p; p++)
963 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
964 {
965 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
966 goto supply_response;
967 }
968 }
969return;
970}
971#endif /*!DISABLE_OCSP*/
972
973
974
975
976/* Create and install a selfsigned certificate, for use in server mode */
977
978static int
979tls_install_selfsign(SSL_CTX * sctx, uschar ** errstr)
980{
981X509 * x509 = NULL;
982EVP_PKEY * pkey;
983RSA * rsa;
984X509_NAME * name;
985uschar * where;
986
987where = US"allocating pkey";
988if (!(pkey = EVP_PKEY_new()))
989 goto err;
990
991where = US"allocating cert";
992if (!(x509 = X509_new()))
993 goto err;
994
995where = US"generating pkey";
996if (!(rsa = rsa_callback(NULL, 0, 1024)))
997 goto err;
998
999where = US"assigning pkey";
1000if (!EVP_PKEY_assign_RSA(pkey, rsa))
1001 goto err;
1002
1003X509_set_version(x509, 2); /* N+1 - version 3 */
1004ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
1005X509_gmtime_adj(X509_get_notBefore(x509), 0);
1006X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60); /* 1 hour */
1007X509_set_pubkey(x509, pkey);
1008
1009name = X509_get_subject_name(x509);
1010X509_NAME_add_entry_by_txt(name, "C",
1011 MBSTRING_ASC, CUS "UK", -1, -1, 0);
1012X509_NAME_add_entry_by_txt(name, "O",
1013 MBSTRING_ASC, CUS "Exim Developers", -1, -1, 0);
1014X509_NAME_add_entry_by_txt(name, "CN",
1015 MBSTRING_ASC, CUS smtp_active_hostname, -1, -1, 0);
1016X509_set_issuer_name(x509, name);
1017
1018where = US"signing cert";
1019if (!X509_sign(x509, pkey, EVP_md5()))
1020 goto err;
1021
1022where = US"installing selfsign cert";
1023if (!SSL_CTX_use_certificate(sctx, x509))
1024 goto err;
1025
1026where = US"installing selfsign key";
1027if (!SSL_CTX_use_PrivateKey(sctx, pkey))
1028 goto err;
1029
1030return OK;
1031
1032err:
1033 (void) tls_error(where, NULL, NULL, errstr);
1034 if (x509) X509_free(x509);
1035 if (pkey) EVP_PKEY_free(pkey);
1036 return DEFER;
1037}
1038
1039
1040
1041
1042static int
1043tls_add_certfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1044 uschar ** errstr)
1045{
1046DEBUG(D_tls) debug_printf("tls_certificate file %s\n", file);
1047if (!SSL_CTX_use_certificate_chain_file(sctx, CS file))
1048 return tls_error(string_sprintf(
1049 "SSL_CTX_use_certificate_chain_file file=%s", file),
1050 cbinfo->host, NULL, errstr);
1051return 0;
1052}
1053
1054static int
1055tls_add_pkeyfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1056 uschar ** errstr)
1057{
1058DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", file);
1059if (!SSL_CTX_use_PrivateKey_file(sctx, CS file, SSL_FILETYPE_PEM))
1060 return tls_error(string_sprintf(
1061 "SSL_CTX_use_PrivateKey_file file=%s", file), cbinfo->host, NULL, errstr);
1062return 0;
1063}
1064
1065
1066/*************************************************
1067* Expand key and cert file specs *
1068*************************************************/
1069
1070/* Called once during tls_init and possibly again during TLS setup, for a
1071new context, if Server Name Indication was used and tls_sni was seen in
1072the certificate string.
1073
1074Arguments:
1075 sctx the SSL_CTX* to update
1076 cbinfo various parts of session state
1077 errstr error string pointer
1078
1079Returns: OK/DEFER/FAIL
1080*/
1081
1082static int
1083tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo,
1084 uschar ** errstr)
1085{
1086uschar *expanded;
1087
1088if (!cbinfo->certificate)
1089 {
1090 if (!cbinfo->is_server) /* client */
1091 return OK;
1092 /* server */
1093 if (tls_install_selfsign(sctx, errstr) != OK)
1094 return DEFER;
1095 }
1096else
1097 {
1098 int err;
1099
1100 if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
1101 Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
1102 Ustrstr(cbinfo->certificate, US"tls_out_sni")
1103 )
1104 reexpand_tls_files_for_sni = TRUE;
1105
1106 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded, errstr))
1107 return DEFER;
1108
1109 if (expanded)
1110 if (cbinfo->is_server)
1111 {
1112 const uschar * file_list = expanded;
1113 int sep = 0;
1114 uschar * file;
1115
1116 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1117 if ((err = tls_add_certfile(sctx, cbinfo, file, errstr)))
1118 return err;
1119 }
1120 else /* would there ever be a need for multiple client certs? */
1121 if ((err = tls_add_certfile(sctx, cbinfo, expanded, errstr)))
1122 return err;
1123
1124 if (cbinfo->privatekey != NULL &&
1125 !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded, errstr))
1126 return DEFER;
1127
1128 /* If expansion was forced to fail, key_expanded will be NULL. If the result
1129 of the expansion is an empty string, ignore it also, and assume the private
1130 key is in the same file as the certificate. */
1131
1132 if (expanded && *expanded)
1133 if (cbinfo->is_server)
1134 {
1135 const uschar * file_list = expanded;
1136 int sep = 0;
1137 uschar * file;
1138
1139 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1140 if ((err = tls_add_pkeyfile(sctx, cbinfo, file, errstr)))
1141 return err;
1142 }
1143 else /* would there ever be a need for multiple client certs? */
1144 if ((err = tls_add_pkeyfile(sctx, cbinfo, expanded, errstr)))
1145 return err;
1146 }
1147
1148#ifndef DISABLE_OCSP
1149if (cbinfo->is_server && cbinfo->u_ocsp.server.file)
1150 {
1151 /*XXX stack*/
1152 if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded, errstr))
1153 return DEFER;
1154
1155 if (expanded && *expanded)
1156 {
1157 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
1158 if ( cbinfo->u_ocsp.server.file_expanded
1159 && (Ustrcmp(expanded, cbinfo->u_ocsp.server.file_expanded) == 0))
1160 {
1161 DEBUG(D_tls) debug_printf(" - value unchanged, using existing values\n");
1162 }
1163 else
1164 ocsp_load_response(sctx, cbinfo, expanded);
1165 }
1166 }
1167#endif
1168
1169return OK;
1170}
1171
1172
1173
1174
1175/*************************************************
1176* Callback to handle SNI *
1177*************************************************/
1178
1179/* Called when acting as server during the TLS session setup if a Server Name
1180Indication extension was sent by the client.
1181
1182API documentation is OpenSSL s_server.c implementation.
1183
1184Arguments:
1185 s SSL* of the current session
1186 ad unknown (part of OpenSSL API) (unused)
1187 arg Callback of "our" registered data
1188
1189Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
1190*/
1191
1192#ifdef EXIM_HAVE_OPENSSL_TLSEXT
1193static int
1194tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
1195{
1196const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
1197tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
1198int rc;
1199int old_pool = store_pool;
1200uschar * dummy_errstr;
1201
1202if (!servername)
1203 return SSL_TLSEXT_ERR_OK;
1204
1205DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
1206 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
1207
1208/* Make the extension value available for expansion */
1209store_pool = POOL_PERM;
1210tls_in.sni = string_copy(US servername);
1211store_pool = old_pool;
1212
1213if (!reexpand_tls_files_for_sni)
1214 return SSL_TLSEXT_ERR_OK;
1215
1216/* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
1217not confident that memcpy wouldn't break some internal reference counting.
1218Especially since there's a references struct member, which would be off. */
1219
1220#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1221if (!(server_sni = SSL_CTX_new(TLS_server_method())))
1222#else
1223if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
1224#endif
1225 {
1226 ERR_error_string(ERR_get_error(), ssl_errstring);
1227 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
1228 return SSL_TLSEXT_ERR_NOACK;
1229 }
1230
1231/* Not sure how many of these are actually needed, since SSL object
1232already exists. Might even need this selfsame callback, for reneg? */
1233
1234SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
1235SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
1236SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
1237SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
1238SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
1239SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
1240
1241if ( !init_dh(server_sni, cbinfo->dhparam, NULL, &dummy_errstr)
1242 || !init_ecdh(server_sni, NULL, &dummy_errstr)
1243 )
1244 return SSL_TLSEXT_ERR_NOACK;
1245
1246if (cbinfo->server_cipher_list)
1247 SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list);
1248#ifndef DISABLE_OCSP
1249if (cbinfo->u_ocsp.server.file)
1250 {
1251 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
1252 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
1253 }
1254#endif
1255
1256if ((rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE,
1257 verify_callback_server, &dummy_errstr)) != OK)
1258 return SSL_TLSEXT_ERR_NOACK;
1259
1260/* do this after setup_certs, because this can require the certs for verifying
1261OCSP information. */
1262if ((rc = tls_expand_session_files(server_sni, cbinfo, &dummy_errstr)) != OK)
1263 return SSL_TLSEXT_ERR_NOACK;
1264
1265DEBUG(D_tls) debug_printf("Switching SSL context.\n");
1266SSL_set_SSL_CTX(s, server_sni);
1267
1268return SSL_TLSEXT_ERR_OK;
1269}
1270#endif /* EXIM_HAVE_OPENSSL_TLSEXT */
1271
1272
1273
1274
1275#ifndef DISABLE_OCSP
1276
1277/*************************************************
1278* Callback to handle OCSP Stapling *
1279*************************************************/
1280
1281/* Called when acting as server during the TLS session setup if the client
1282requests OCSP information with a Certificate Status Request.
1283
1284Documentation via openssl s_server.c and the Apache patch from the OpenSSL
1285project.
1286
1287*/
1288
1289static int
1290tls_server_stapling_cb(SSL *s, void *arg)
1291{
1292const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
1293uschar *response_der; /*XXX blob */
1294int response_der_len;
1295
1296/*XXX stack: use SSL_get_certificate() to see which cert; from that work
1297out which ocsp blob to send. Unfortunately, SSL_get_certificate is known
1298buggy in current OpenSSL; it returns the last cert loaded always rather than
1299the one actually presented. So we can't support a stack of OCSP proofs at
1300this time. */
1301
1302DEBUG(D_tls)
1303 debug_printf("Received TLS status request (OCSP stapling); %s response\n",
1304 cbinfo->u_ocsp.server.response ? "have" : "lack");
1305
1306tls_in.ocsp = OCSP_NOT_RESP;
1307if (!cbinfo->u_ocsp.server.response)
1308 return SSL_TLSEXT_ERR_NOACK;
1309
1310response_der = NULL;
1311response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response, /*XXX stack*/
1312 &response_der);
1313if (response_der_len <= 0)
1314 return SSL_TLSEXT_ERR_NOACK;
1315
1316SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
1317tls_in.ocsp = OCSP_VFIED;
1318return SSL_TLSEXT_ERR_OK;
1319}
1320
1321
1322static void
1323time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
1324{
1325BIO_printf(bp, "\t%s: ", str);
1326ASN1_GENERALIZEDTIME_print(bp, time);
1327BIO_puts(bp, "\n");
1328}
1329
1330static int
1331tls_client_stapling_cb(SSL *s, void *arg)
1332{
1333tls_ext_ctx_cb * cbinfo = arg;
1334const unsigned char * p;
1335int len;
1336OCSP_RESPONSE * rsp;
1337OCSP_BASICRESP * bs;
1338int i;
1339
1340DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
1341len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1342if(!p)
1343 {
1344 /* Expect this when we requested ocsp but got none */
1345 if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
1346 log_write(0, LOG_MAIN, "Received TLS status callback, null content");
1347 else
1348 DEBUG(D_tls) debug_printf(" null\n");
1349 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1350 }
1351
1352if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
1353 {
1354 tls_out.ocsp = OCSP_FAILED;
1355 if (LOGGING(tls_cipher))
1356 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
1357 else
1358 DEBUG(D_tls) debug_printf(" parse error\n");
1359 return 0;
1360 }
1361
1362if(!(bs = OCSP_response_get1_basic(rsp)))
1363 {
1364 tls_out.ocsp = OCSP_FAILED;
1365 if (LOGGING(tls_cipher))
1366 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
1367 else
1368 DEBUG(D_tls) debug_printf(" error parsing response\n");
1369 OCSP_RESPONSE_free(rsp);
1370 return 0;
1371 }
1372
1373/* We'd check the nonce here if we'd put one in the request. */
1374/* However that would defeat cacheability on the server so we don't. */
1375
1376/* This section of code reworked from OpenSSL apps source;
1377 The OpenSSL Project retains copyright:
1378 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
1379*/
1380 {
1381 BIO * bp = NULL;
1382 int status, reason;
1383 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1384
1385 DEBUG(D_tls) bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
1386
1387 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
1388
1389 /* Use the chain that verified the server cert to verify the stapled info */
1390 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
1391
1392 if ((i = OCSP_basic_verify(bs, cbinfo->verify_stack,
1393 cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
1394 {
1395 tls_out.ocsp = OCSP_FAILED;
1396 if (LOGGING(tls_cipher)) log_write(0, LOG_MAIN,
1397 "Received TLS cert status response, itself unverifiable: %s",
1398 ERR_reason_error_string(ERR_peek_error()));
1399 BIO_printf(bp, "OCSP response verify failure\n");
1400 ERR_print_errors(bp);
1401 OCSP_RESPONSE_print(bp, rsp, 0);
1402 goto failed;
1403 }
1404
1405 BIO_printf(bp, "OCSP response well-formed and signed OK\n");
1406
1407 /*XXX So we have a good stapled OCSP status. How do we know
1408 it is for the cert of interest? OpenSSL 1.1.0 has a routine
1409 OCSP_resp_find_status() which matches on a cert id, which presumably
1410 we should use. Making an id needs OCSP_cert_id_new(), which takes
1411 issuerName, issuerKey, serialNumber. Are they all in the cert?
1412
1413 For now, carry on blindly accepting the resp. */
1414
1415 {
1416 OCSP_SINGLERESP * single;
1417
1418#ifdef EXIM_HAVE_OCSP_RESP_COUNT
1419 if (OCSP_resp_count(bs) != 1)
1420#else
1421 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
1422 if (sk_OCSP_SINGLERESP_num(sresp) != 1)
1423#endif
1424 {
1425 tls_out.ocsp = OCSP_FAILED;
1426 log_write(0, LOG_MAIN, "OCSP stapling "
1427 "with multiple responses not handled");
1428 goto failed;
1429 }
1430 single = OCSP_resp_get0(bs, 0);
1431 status = OCSP_single_get0_status(single, &reason, &rev,
1432 &thisupd, &nextupd);
1433 }
1434
1435 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
1436 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
1437 if (!OCSP_check_validity(thisupd, nextupd,
1438 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1439 {
1440 tls_out.ocsp = OCSP_FAILED;
1441 DEBUG(D_tls) ERR_print_errors(bp);
1442 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
1443 }
1444 else
1445 {
1446 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
1447 OCSP_cert_status_str(status));
1448 switch(status)
1449 {
1450 case V_OCSP_CERTSTATUS_GOOD:
1451 tls_out.ocsp = OCSP_VFIED;
1452 i = 1;
1453 goto good;
1454 case V_OCSP_CERTSTATUS_REVOKED:
1455 tls_out.ocsp = OCSP_FAILED;
1456 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
1457 reason != -1 ? "; reason: " : "",
1458 reason != -1 ? OCSP_crl_reason_str(reason) : "");
1459 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
1460 break;
1461 default:
1462 tls_out.ocsp = OCSP_FAILED;
1463 log_write(0, LOG_MAIN,
1464 "Server certificate status unknown, in OCSP stapling");
1465 break;
1466 }
1467 }
1468 failed:
1469 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1470 good:
1471 BIO_free(bp);
1472 }
1473
1474OCSP_RESPONSE_free(rsp);
1475return i;
1476}
1477#endif /*!DISABLE_OCSP*/
1478
1479
1480/*************************************************
1481* Initialize for TLS *
1482*************************************************/
1483
1484/* Called from both server and client code, to do preliminary initialization
1485of the library. We allocate and return a context structure.
1486
1487Arguments:
1488 ctxp returned SSL context
1489 host connected host, if client; NULL if server
1490 dhparam DH parameter file
1491 certificate certificate file
1492 privatekey private key
1493 ocsp_file file of stapling info (server); flag for require ocsp (client)
1494 addr address if client; NULL if server (for some randomness)
1495 cbp place to put allocated callback context
1496 errstr error string pointer
1497
1498Returns: OK/DEFER/FAIL
1499*/
1500
1501static int
1502tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
1503 uschar *privatekey,
1504#ifndef DISABLE_OCSP
1505 uschar *ocsp_file, /*XXX stack, in server*/
1506#endif
1507 address_item *addr, tls_ext_ctx_cb ** cbp, uschar ** errstr)
1508{
1509SSL_CTX * ctx;
1510long init_options;
1511int rc;
1512tls_ext_ctx_cb * cbinfo;
1513
1514cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
1515cbinfo->certificate = certificate;
1516cbinfo->privatekey = privatekey;
1517cbinfo->is_server = host==NULL;
1518#ifndef DISABLE_OCSP
1519cbinfo->verify_stack = NULL;
1520if (!host)
1521 {
1522 cbinfo->u_ocsp.server.file = ocsp_file;
1523 cbinfo->u_ocsp.server.file_expanded = NULL;
1524 cbinfo->u_ocsp.server.response = NULL;
1525 }
1526else
1527 cbinfo->u_ocsp.client.verify_store = NULL;
1528#endif
1529cbinfo->dhparam = dhparam;
1530cbinfo->server_cipher_list = NULL;
1531cbinfo->host = host;
1532#ifndef DISABLE_EVENT
1533cbinfo->event_action = NULL;
1534#endif
1535
1536SSL_load_error_strings(); /* basic set up */
1537OpenSSL_add_ssl_algorithms();
1538
1539#ifdef EXIM_HAVE_SHA256
1540/* SHA256 is becoming ever more popular. This makes sure it gets added to the
1541list of available digests. */
1542EVP_add_digest(EVP_sha256());
1543#endif
1544
1545/* Create a context.
1546The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
1547negotiation in the different methods; as far as I can tell, the only
1548*_{server,client}_method which allows negotiation is SSLv23, which exists even
1549when OpenSSL is built without SSLv2 support.
1550By disabling with openssl_options, we can let admins re-enable with the
1551existing knob. */
1552
1553#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1554if (!(ctx = SSL_CTX_new(host ? TLS_client_method() : TLS_server_method())))
1555#else
1556if (!(ctx = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method())))
1557#endif
1558 return tls_error(US"SSL_CTX_new", host, NULL, errstr);
1559
1560/* It turns out that we need to seed the random number generator this early in
1561order to get the full complement of ciphers to work. It took me roughly a day
1562of work to discover this by experiment.
1563
1564On systems that have /dev/urandom, SSL may automatically seed itself from
1565there. Otherwise, we have to make something up as best we can. Double check
1566afterwards. */
1567
1568if (!RAND_status())
1569 {
1570 randstuff r;
1571 gettimeofday(&r.tv, NULL);
1572 r.p = getpid();
1573
1574 RAND_seed(US (&r), sizeof(r));
1575 RAND_seed(US big_buffer, big_buffer_size);
1576 if (addr != NULL) RAND_seed(US addr, sizeof(addr));
1577
1578 if (!RAND_status())
1579 return tls_error(US"RAND_status", host,
1580 US"unable to seed random number generator", errstr);
1581 }
1582
1583/* Set up the information callback, which outputs if debugging is at a suitable
1584level. */
1585
1586DEBUG(D_tls) SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
1587
1588/* Automatically re-try reads/writes after renegotiation. */
1589(void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
1590
1591/* Apply administrator-supplied work-arounds.
1592Historically we applied just one requested option,
1593SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
1594moved to an administrator-controlled list of options to specify and
1595grandfathered in the first one as the default value for "openssl_options".
1596
1597No OpenSSL version number checks: the options we accept depend upon the
1598availability of the option value macros from OpenSSL. */
1599
1600if (!tls_openssl_options_parse(openssl_options, &init_options))
1601 return tls_error(US"openssl_options parsing failed", host, NULL, errstr);
1602
1603if (init_options)
1604 {
1605 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
1606 if (!(SSL_CTX_set_options(ctx, init_options)))
1607 return tls_error(string_sprintf(
1608 "SSL_CTX_set_option(%#lx)", init_options), host, NULL, errstr);
1609 }
1610else
1611 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
1612
1613/* We'd like to disable session cache unconditionally, but foolish Outlook
1614Express clients then give up the first TLS connection and make a second one
1615(which works). Only when there is an IMAP service on the same machine.
1616Presumably OE is trying to use the cache for A on B. Leave it enabled for
1617now, until we work out a decent way of presenting control to the config. It
1618will never be used because we use a new context every time. */
1619#ifdef notdef
1620(void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
1621#endif
1622
1623/* Initialize with DH parameters if supplied */
1624/* Initialize ECDH temp key parameter selection */
1625
1626if ( !init_dh(ctx, dhparam, host, errstr)
1627 || !init_ecdh(ctx, host, errstr)
1628 )
1629 return DEFER;
1630
1631/* Set up certificate and key (and perhaps OCSP info) */
1632
1633if ((rc = tls_expand_session_files(ctx, cbinfo, errstr)) != OK)
1634 return rc;
1635
1636/* If we need to handle SNI or OCSP, do so */
1637
1638#ifdef EXIM_HAVE_OPENSSL_TLSEXT
1639# ifndef DISABLE_OCSP
1640 if (!(cbinfo->verify_stack = sk_X509_new_null()))
1641 {
1642 DEBUG(D_tls) debug_printf("failed to create stack for stapling verify\n");
1643 return FAIL;
1644 }
1645# endif
1646
1647if (!host) /* server */
1648 {
1649# ifndef DISABLE_OCSP
1650 /* We check u_ocsp.server.file, not server.response, because we care about if
1651 the option exists, not what the current expansion might be, as SNI might
1652 change the certificate and OCSP file in use between now and the time the
1653 callback is invoked. */
1654 if (cbinfo->u_ocsp.server.file)
1655 {
1656 SSL_CTX_set_tlsext_status_cb(ctx, tls_server_stapling_cb);
1657 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
1658 }
1659# endif
1660 /* We always do this, so that $tls_sni is available even if not used in
1661 tls_certificate */
1662 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
1663 SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
1664 }
1665# ifndef DISABLE_OCSP
1666else /* client */
1667 if(ocsp_file) /* wanting stapling */
1668 {
1669 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
1670 {
1671 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
1672 return FAIL;
1673 }
1674 SSL_CTX_set_tlsext_status_cb(ctx, tls_client_stapling_cb);
1675 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
1676 }
1677# endif
1678#endif
1679
1680cbinfo->verify_cert_hostnames = NULL;
1681
1682#ifdef EXIM_HAVE_EPHEM_RSA_KEX
1683/* Set up the RSA callback */
1684SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
1685#endif
1686
1687/* Finally, set the timeout, and we are done */
1688
1689SSL_CTX_set_timeout(ctx, ssl_session_timeout);
1690DEBUG(D_tls) debug_printf("Initialized TLS\n");
1691
1692*cbp = cbinfo;
1693*ctxp = ctx;
1694
1695return OK;
1696}
1697
1698
1699
1700
1701/*************************************************
1702* Get name of cipher in use *
1703*************************************************/
1704
1705/*
1706Argument: pointer to an SSL structure for the connection
1707 buffer to use for answer
1708 size of buffer
1709 pointer to number of bits for cipher
1710Returns: nothing
1711*/
1712
1713static void
1714construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits)
1715{
1716/* With OpenSSL 1.0.0a, 'c' needs to be const but the documentation doesn't
1717yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
1718the accessor functions use const in the prototype. */
1719
1720const uschar * ver = CUS SSL_get_version(ssl);
1721const SSL_CIPHER * c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
1722
1723SSL_CIPHER_get_bits(c, bits);
1724
1725string_format(cipherbuf, bsize, "%s:%s:%u", ver,
1726 SSL_CIPHER_get_name(c), *bits);
1727
1728DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
1729}
1730
1731
1732static void
1733peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned bsize)
1734{
1735/*XXX we might consider a list-of-certs variable for the cert chain.
1736SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
1737in list-handling functions, also consider the difference between the entire
1738chain and the elements sent by the peer. */
1739
1740/* Will have already noted peercert on a verify fail; possibly not the leaf */
1741if (!tlsp->peercert)
1742 tlsp->peercert = SSL_get_peer_certificate(ssl);
1743/* Beware anonymous ciphers which lead to server_cert being NULL */
1744if (tlsp->peercert)
1745 {
1746 X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, bsize);
1747 peerdn[bsize-1] = '\0';
1748 tlsp->peerdn = peerdn; /*XXX a static buffer... */
1749 }
1750else
1751 tlsp->peerdn = NULL;
1752}
1753
1754
1755
1756
1757
1758/*************************************************
1759* Set up for verifying certificates *
1760*************************************************/
1761
1762#ifndef DISABLE_OCSP
1763/* Load certs from file, return TRUE on success */
1764
1765static BOOL
1766chain_from_pem_file(const uschar * file, STACK_OF(X509) * verify_stack)
1767{
1768BIO * bp;
1769X509 * x;
1770
1771while (sk_X509_num(verify_stack) > 0)
1772 X509_free(sk_X509_pop(verify_stack));
1773
1774if (!(bp = BIO_new_file(CS file, "r"))) return FALSE;
1775while ((x = PEM_read_bio_X509(bp, NULL, 0, NULL)))
1776 sk_X509_push(verify_stack, x);
1777BIO_free(bp);
1778return TRUE;
1779}
1780#endif
1781
1782
1783
1784/* Called by both client and server startup; on the server possibly
1785repeated after a Server Name Indication.
1786
1787Arguments:
1788 sctx SSL_CTX* to initialise
1789 certs certs file or NULL
1790 crl CRL file or NULL
1791 host NULL in a server; the remote host in a client
1792 optional TRUE if called from a server for a host in tls_try_verify_hosts;
1793 otherwise passed as FALSE
1794 cert_vfy_cb Callback function for certificate verification
1795 errstr error string pointer
1796
1797Returns: OK/DEFER/FAIL
1798*/
1799
1800static int
1801setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
1802 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr)
1803{
1804uschar *expcerts, *expcrl;
1805
1806if (!expand_check(certs, US"tls_verify_certificates", &expcerts, errstr))
1807 return DEFER;
1808DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
1809
1810if (expcerts && *expcerts)
1811 {
1812 /* Tell the library to use its compiled-in location for the system default
1813 CA bundle. Then add the ones specified in the config, if any. */
1814
1815 if (!SSL_CTX_set_default_verify_paths(sctx))
1816 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL, errstr);
1817
1818 if (Ustrcmp(expcerts, "system") != 0)
1819 {
1820 struct stat statbuf;
1821
1822 if (Ustat(expcerts, &statbuf) < 0)
1823 {
1824 log_write(0, LOG_MAIN|LOG_PANIC,
1825 "failed to stat %s for certificates", expcerts);
1826 return DEFER;
1827 }
1828 else
1829 {
1830 uschar *file, *dir;
1831 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
1832 { file = NULL; dir = expcerts; }
1833 else
1834 {
1835 file = expcerts; dir = NULL;
1836#ifndef DISABLE_OCSP
1837 /* In the server if we will be offering an OCSP proof, load chain from
1838 file for verifying the OCSP proof at load time. */
1839
1840 if ( !host
1841 && statbuf.st_size > 0
1842 && server_static_cbinfo->u_ocsp.server.file
1843 && !chain_from_pem_file(file, server_static_cbinfo->verify_stack)
1844 )
1845 {
1846 log_write(0, LOG_MAIN|LOG_PANIC,
1847 "failed to load cert chain from %s", file);
1848 return DEFER;
1849 }
1850#endif
1851 }
1852
1853 /* If a certificate file is empty, the next function fails with an
1854 unhelpful error message. If we skip it, we get the correct behaviour (no
1855 certificates are recognized, but the error message is still misleading (it
1856 says no certificate was supplied). But this is better. */
1857
1858 if ( (!file || statbuf.st_size > 0)
1859 && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
1860 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL, errstr);
1861
1862 /* Load the list of CAs for which we will accept certs, for sending
1863 to the client. This is only for the one-file tls_verify_certificates
1864 variant.
1865 If a list isn't loaded into the server, but
1866 some verify locations are set, the server end appears to make
1867 a wildcard request for client certs.
1868 Meanwhile, the client library as default behaviour *ignores* the list
1869 we send over the wire - see man SSL_CTX_set_client_cert_cb.
1870 Because of this, and that the dir variant is likely only used for
1871 the public-CA bundle (not for a private CA), not worth fixing.
1872 */
1873 if (file)
1874 {
1875 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
1876
1877 SSL_CTX_set_client_CA_list(sctx, names);
1878 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
1879 sk_X509_NAME_num(names));
1880 }
1881 }
1882 }
1883
1884 /* Handle a certificate revocation list. */
1885
1886#if OPENSSL_VERSION_NUMBER > 0x00907000L
1887
1888 /* This bit of code is now the version supplied by Lars Mainka. (I have
1889 merely reformatted it into the Exim code style.)
1890
1891 "From here I changed the code to add support for multiple crl's
1892 in pem format in one file or to support hashed directory entries in
1893 pem format instead of a file. This method now uses the library function
1894 X509_STORE_load_locations to add the CRL location to the SSL context.
1895 OpenSSL will then handle the verify against CA certs and CRLs by
1896 itself in the verify callback." */
1897
1898 if (!expand_check(crl, US"tls_crl", &expcrl, errstr)) return DEFER;
1899 if (expcrl && *expcrl)
1900 {
1901 struct stat statbufcrl;
1902 if (Ustat(expcrl, &statbufcrl) < 0)
1903 {
1904 log_write(0, LOG_MAIN|LOG_PANIC,
1905 "failed to stat %s for certificates revocation lists", expcrl);
1906 return DEFER;
1907 }
1908 else
1909 {
1910 /* is it a file or directory? */
1911 uschar *file, *dir;
1912 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
1913 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
1914 {
1915 file = NULL;
1916 dir = expcrl;
1917 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
1918 }
1919 else
1920 {
1921 file = expcrl;
1922 dir = NULL;
1923 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
1924 }
1925 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
1926 return tls_error(US"X509_STORE_load_locations", host, NULL, errstr);
1927
1928 /* setting the flags to check against the complete crl chain */
1929
1930 X509_STORE_set_flags(cvstore,
1931 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
1932 }
1933 }
1934
1935#endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
1936
1937 /* If verification is optional, don't fail if no certificate */
1938
1939 SSL_CTX_set_verify(sctx,
1940 SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
1941 cert_vfy_cb);
1942 }
1943
1944return OK;
1945}
1946
1947
1948
1949/*************************************************
1950* Start a TLS session in a server *
1951*************************************************/
1952
1953/* This is called when Exim is running as a server, after having received
1954the STARTTLS command. It must respond to that command, and then negotiate
1955a TLS session.
1956
1957Arguments:
1958 require_ciphers allowed ciphers
1959 errstr pointer to error message
1960
1961Returns: OK on success
1962 DEFER for errors before the start of the negotiation
1963 FAIL for errors during the negotiation; the server can't
1964 continue running.
1965*/
1966
1967int
1968tls_server_start(const uschar * require_ciphers, uschar ** errstr)
1969{
1970int rc;
1971uschar * expciphers;
1972tls_ext_ctx_cb * cbinfo;
1973static uschar peerdn[256];
1974static uschar cipherbuf[256];
1975
1976/* Check for previous activation */
1977
1978if (tls_in.active >= 0)
1979 {
1980 tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
1981 smtp_printf("554 Already in TLS\r\n", FALSE);
1982 return FAIL;
1983 }
1984
1985/* Initialize the SSL library. If it fails, it will already have logged
1986the error. */
1987
1988rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
1989#ifndef DISABLE_OCSP
1990 tls_ocsp_file, /*XXX stack*/
1991#endif
1992 NULL, &server_static_cbinfo, errstr);
1993if (rc != OK) return rc;
1994cbinfo = server_static_cbinfo;
1995
1996if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers, errstr))
1997 return FAIL;
1998
1999/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
2000were historically separated by underscores. So that I can use either form in my
2001tests, and also for general convenience, we turn underscores into hyphens here.
2002
2003XXX SSL_CTX_set_cipher_list() is replaced by SSL_CTX_set_ciphersuites()
2004for TLS 1.3 . Since we do not call it at present we get the default list:
2005TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
2006*/
2007
2008if (expciphers)
2009 {
2010 uschar * s = expciphers;
2011 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
2012 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
2013 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
2014 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL, errstr);
2015 cbinfo->server_cipher_list = expciphers;
2016 }
2017
2018/* If this is a host for which certificate verification is mandatory or
2019optional, set up appropriately. */
2020
2021tls_in.certificate_verified = FALSE;
2022#ifdef SUPPORT_DANE
2023tls_in.dane_verified = FALSE;
2024#endif
2025server_verify_callback_called = FALSE;
2026
2027if (verify_check_host(&tls_verify_hosts) == OK)
2028 {
2029 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
2030 FALSE, verify_callback_server, errstr);
2031 if (rc != OK) return rc;
2032 server_verify_optional = FALSE;
2033 }
2034else if (verify_check_host(&tls_try_verify_hosts) == OK)
2035 {
2036 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
2037 TRUE, verify_callback_server, errstr);
2038 if (rc != OK) return rc;
2039 server_verify_optional = TRUE;
2040 }
2041
2042/* Prepare for new connection */
2043
2044if (!(server_ssl = SSL_new(server_ctx)))
2045 return tls_error(US"SSL_new", NULL, NULL, errstr);
2046
2047/* Warning: we used to SSL_clear(ssl) here, it was removed.
2048 *
2049 * With the SSL_clear(), we get strange interoperability bugs with
2050 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
2051 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
2052 *
2053 * The SSL_clear() call is to let an existing SSL* be reused, typically after
2054 * session shutdown. In this case, we have a brand new object and there's no
2055 * obvious reason to immediately clear it. I'm guessing that this was
2056 * originally added because of incomplete initialisation which the clear fixed,
2057 * in some historic release.
2058 */
2059
2060/* Set context and tell client to go ahead, except in the case of TLS startup
2061on connection, where outputting anything now upsets the clients and tends to
2062make them disconnect. We need to have an explicit fflush() here, to force out
2063the response. Other smtp_printf() calls do not need it, because in non-TLS
2064mode, the fflush() happens when smtp_getc() is called. */
2065
2066SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
2067if (!tls_in.on_connect)
2068 {
2069 smtp_printf("220 TLS go ahead\r\n", FALSE);
2070 fflush(smtp_out);
2071 }
2072
2073/* Now negotiate the TLS session. We put our own timer on it, since it seems
2074that the OpenSSL library doesn't. */
2075
2076SSL_set_wfd(server_ssl, fileno(smtp_out));
2077SSL_set_rfd(server_ssl, fileno(smtp_in));
2078SSL_set_accept_state(server_ssl);
2079
2080DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
2081
2082sigalrm_seen = FALSE;
2083if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
2084rc = SSL_accept(server_ssl);
2085alarm(0);
2086
2087if (rc <= 0)
2088 {
2089 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
2090 return FAIL;
2091 }
2092
2093DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
2094
2095/* TLS has been set up. Adjust the input functions to read via TLS,
2096and initialize things. */
2097
2098peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
2099
2100construct_cipher_name(server_ssl, cipherbuf, sizeof(cipherbuf), &tls_in.bits);
2101tls_in.cipher = cipherbuf;
2102
2103DEBUG(D_tls)
2104 {
2105 uschar buf[2048];
2106 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)) != NULL)
2107 debug_printf("Shared ciphers: %s\n", buf);
2108 }
2109
2110/* Record the certificate we presented */
2111 {
2112 X509 * crt = SSL_get_certificate(server_ssl);
2113 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
2114 }
2115
2116/* Only used by the server-side tls (tls_in), including tls_getc.
2117 Client-side (tls_out) reads (seem to?) go via
2118 smtp_read_response()/ip_recv().
2119 Hence no need to duplicate for _in and _out.
2120 */
2121if (!ssl_xfer_buffer) ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
2122ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
2123ssl_xfer_eof = ssl_xfer_error = FALSE;
2124
2125receive_getc = tls_getc;
2126receive_getbuf = tls_getbuf;
2127receive_get_cache = tls_get_cache;
2128receive_ungetc = tls_ungetc;
2129receive_feof = tls_feof;
2130receive_ferror = tls_ferror;
2131receive_smtp_buffered = tls_smtp_buffered;
2132
2133tls_in.active = fileno(smtp_out);
2134return OK;
2135}
2136
2137
2138
2139
2140static int
2141tls_client_basic_ctx_init(SSL_CTX * ctx,
2142 host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo,
2143 uschar ** errstr)
2144{
2145int rc;
2146/* stick to the old behaviour for compatibility if tls_verify_certificates is
2147 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
2148 the specified host patterns if one of them is defined */
2149
2150if ( ( !ob->tls_verify_hosts
2151 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2152 )
2153 || (verify_check_given_host(&ob->tls_verify_hosts, host) == OK)
2154 )
2155 client_verify_optional = FALSE;
2156else if (verify_check_given_host(&ob->tls_try_verify_hosts, host) == OK)
2157 client_verify_optional = TRUE;
2158else
2159 return OK;
2160
2161if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
2162 ob->tls_crl, host, client_verify_optional, verify_callback_client,
2163 errstr)) != OK)
2164 return rc;
2165
2166if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK)
2167 {
2168 cbinfo->verify_cert_hostnames =
2169#ifdef SUPPORT_I18N
2170 string_domain_utf8_to_alabel(host->name, NULL);
2171#else
2172 host->name;
2173#endif
2174 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
2175 cbinfo->verify_cert_hostnames);
2176 }
2177return OK;
2178}
2179
2180
2181#ifdef SUPPORT_DANE
2182static int
2183dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa, uschar ** errstr)
2184{
2185dns_record * rr;
2186dns_scan dnss;
2187const char * hostnames[2] = { CS host->name, NULL };
2188int found = 0;
2189
2190if (DANESSL_init(ssl, NULL, hostnames) != 1)
2191 return tls_error(US"hostnames load", host, NULL, errstr);
2192
2193for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
2194 rr;
2195 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
2196 ) if (rr->type == T_TLSA)
2197 {
2198 const uschar * p = rr->data;
2199 uint8_t usage, selector, mtype;
2200 const char * mdname;
2201
2202 usage = *p++;
2203
2204 /* Only DANE-TA(2) and DANE-EE(3) are supported */
2205 if (usage != 2 && usage != 3) continue;
2206
2207 selector = *p++;
2208 mtype = *p++;
2209
2210 switch (mtype)
2211 {
2212 default: continue; /* Only match-types 0, 1, 2 are supported */
2213 case 0: mdname = NULL; break;
2214 case 1: mdname = "sha256"; break;
2215 case 2: mdname = "sha512"; break;
2216 }
2217
2218 found++;
2219 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
2220 {
2221 default:
2222 return tls_error(US"tlsa load", host, NULL, errstr);
2223 case 0: /* action not taken */
2224 case 1: break;
2225 }
2226
2227 tls_out.tlsa_usage |= 1<<usage;
2228 }
2229
2230if (found)
2231 return OK;
2232
2233log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
2234return DEFER;
2235}
2236#endif /*SUPPORT_DANE*/
2237
2238
2239
2240/*************************************************
2241* Start a TLS session in a client *
2242*************************************************/
2243
2244/* Called from the smtp transport after STARTTLS has been accepted.
2245
2246Argument:
2247 fd the fd of the connection
2248 host connected host (for messages)
2249 addr the first address
2250 tb transport (always smtp)
2251 tlsa_dnsa tlsa lookup, if DANE, else null
2252 errstr error string pointer
2253
2254Returns: OK on success
2255 FAIL otherwise - note that tls_error() will not give DEFER
2256 because this is not a server
2257*/
2258
2259int
2260tls_client_start(int fd, host_item *host, address_item *addr,
2261 transport_instance * tb,
2262#ifdef SUPPORT_DANE
2263 dns_answer * tlsa_dnsa,
2264#endif
2265 uschar ** errstr)
2266{
2267smtp_transport_options_block * ob =
2268 (smtp_transport_options_block *)tb->options_block;
2269static uschar peerdn[256];
2270uschar * expciphers;
2271int rc;
2272static uschar cipherbuf[256];
2273
2274#ifndef DISABLE_OCSP
2275BOOL request_ocsp = FALSE;
2276BOOL require_ocsp = FALSE;
2277#endif
2278
2279#ifdef SUPPORT_DANE
2280tls_out.tlsa_usage = 0;
2281#endif
2282
2283#ifndef DISABLE_OCSP
2284 {
2285# ifdef SUPPORT_DANE
2286 if ( tlsa_dnsa
2287 && ob->hosts_request_ocsp[0] == '*'
2288 && ob->hosts_request_ocsp[1] == '\0'
2289 )
2290 {
2291 /* Unchanged from default. Use a safer one under DANE */
2292 request_ocsp = TRUE;
2293 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
2294 " {= {4}{$tls_out_tlsa_usage}} } "
2295 " {*}{}}";
2296 }
2297# endif
2298
2299 if ((require_ocsp =
2300 verify_check_given_host(&ob->hosts_require_ocsp, host) == OK))
2301 request_ocsp = TRUE;
2302 else
2303# ifdef SUPPORT_DANE
2304 if (!request_ocsp)
2305# endif
2306 request_ocsp =
2307 verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
2308 }
2309#endif
2310
2311rc = tls_init(&client_ctx, host, NULL,
2312 ob->tls_certificate, ob->tls_privatekey,
2313#ifndef DISABLE_OCSP
2314 (void *)(long)request_ocsp,
2315#endif
2316 addr, &client_static_cbinfo, errstr);
2317if (rc != OK) return rc;
2318
2319tls_out.certificate_verified = FALSE;
2320client_verify_callback_called = FALSE;
2321
2322expciphers = NULL;
2323#ifdef SUPPORT_DANE
2324if (tlsa_dnsa)
2325 {
2326 /* We fall back to tls_require_ciphers if unset, empty or forced failure, but
2327 other failures should be treated as problems. */
2328 if (ob->dane_require_tls_ciphers &&
2329 !expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
2330 &expciphers, errstr))
2331 return FAIL;
2332 if (expciphers && *expciphers == '\0')
2333 expciphers = NULL;
2334 }
2335#endif
2336if (!expciphers &&
2337 !expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
2338 &expciphers, errstr))
2339 return FAIL;
2340
2341/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
2342are separated by underscores. So that I can use either form in my tests, and
2343also for general convenience, we turn underscores into hyphens here. */
2344
2345if (expciphers)
2346 {
2347 uschar *s = expciphers;
2348 while (*s) { if (*s == '_') *s = '-'; s++; }
2349 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
2350 if (!SSL_CTX_set_cipher_list(client_ctx, CS expciphers))
2351 return tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr);
2352 }
2353
2354#ifdef SUPPORT_DANE
2355if (tlsa_dnsa)
2356 {
2357 SSL_CTX_set_verify(client_ctx,
2358 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2359 verify_callback_client_dane);
2360
2361 if (!DANESSL_library_init())
2362 return tls_error(US"library init", host, NULL, errstr);
2363 if (DANESSL_CTX_init(client_ctx) <= 0)
2364 return tls_error(US"context init", host, NULL, errstr);
2365 }
2366else
2367
2368#endif
2369
2370 if ((rc = tls_client_basic_ctx_init(client_ctx, host, ob,
2371 client_static_cbinfo, errstr)) != OK)
2372 return rc;
2373
2374if (!(client_ssl = SSL_new(client_ctx)))
2375 return tls_error(US"SSL_new", host, NULL, errstr);
2376SSL_set_session_id_context(client_ssl, sid_ctx, Ustrlen(sid_ctx));
2377SSL_set_fd(client_ssl, fd);
2378SSL_set_connect_state(client_ssl);
2379
2380if (ob->tls_sni)
2381 {
2382 if (!expand_check(ob->tls_sni, US"tls_sni", &tls_out.sni, errstr))
2383 return FAIL;
2384 if (!tls_out.sni)
2385 {
2386 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
2387 }
2388 else if (!Ustrlen(tls_out.sni))
2389 tls_out.sni = NULL;
2390 else
2391 {
2392#ifdef EXIM_HAVE_OPENSSL_TLSEXT
2393 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tls_out.sni);
2394 SSL_set_tlsext_host_name(client_ssl, tls_out.sni);
2395#else
2396 log_write(0, LOG_MAIN, "SNI unusable with this OpenSSL library version; ignoring \"%s\"\n",
2397 tls_out.sni);
2398#endif
2399 }
2400 }
2401
2402#ifdef SUPPORT_DANE
2403if (tlsa_dnsa)
2404 if ((rc = dane_tlsa_load(client_ssl, host, tlsa_dnsa, errstr)) != OK)
2405 return rc;
2406#endif
2407
2408#ifndef DISABLE_OCSP
2409/* Request certificate status at connection-time. If the server
2410does OCSP stapling we will get the callback (set in tls_init()) */
2411# ifdef SUPPORT_DANE
2412if (request_ocsp)
2413 {
2414 const uschar * s;
2415 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
2416 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
2417 )
2418 { /* Re-eval now $tls_out_tlsa_usage is populated. If
2419 this means we avoid the OCSP request, we wasted the setup
2420 cost in tls_init(). */
2421 require_ocsp = verify_check_given_host(&ob->hosts_require_ocsp, host) == OK;
2422 request_ocsp = require_ocsp
2423 || verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
2424 }
2425 }
2426# endif
2427
2428if (request_ocsp)
2429 {
2430 SSL_set_tlsext_status_type(client_ssl, TLSEXT_STATUSTYPE_ocsp);
2431 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
2432 tls_out.ocsp = OCSP_NOT_RESP;
2433 }
2434#endif
2435
2436#ifndef DISABLE_EVENT
2437client_static_cbinfo->event_action = tb->event_action;
2438#endif
2439
2440/* There doesn't seem to be a built-in timeout on connection. */
2441
2442DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
2443sigalrm_seen = FALSE;
2444alarm(ob->command_timeout);
2445rc = SSL_connect(client_ssl);
2446alarm(0);
2447
2448#ifdef SUPPORT_DANE
2449if (tlsa_dnsa)
2450 DANESSL_cleanup(client_ssl);
2451#endif
2452
2453if (rc <= 0)
2454 return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL,
2455 errstr);
2456
2457DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
2458
2459peer_cert(client_ssl, &tls_out, peerdn, sizeof(peerdn));
2460
2461construct_cipher_name(client_ssl, cipherbuf, sizeof(cipherbuf), &tls_out.bits);
2462tls_out.cipher = cipherbuf;
2463
2464/* Record the certificate we presented */
2465 {
2466 X509 * crt = SSL_get_certificate(client_ssl);
2467 tls_out.ourcert = crt ? X509_dup(crt) : NULL;
2468 }
2469
2470tls_out.active = fd;
2471return OK;
2472}
2473
2474
2475
2476
2477
2478static BOOL
2479tls_refill(unsigned lim)
2480{
2481int error;
2482int inbytes;
2483
2484DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
2485 ssl_xfer_buffer, ssl_xfer_buffer_size);
2486
2487if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
2488inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer,
2489 MIN(ssl_xfer_buffer_size, lim));
2490error = SSL_get_error(server_ssl, inbytes);
2491if (smtp_receive_timeout > 0) alarm(0);
2492
2493if (had_command_timeout) /* set by signal handler */
2494 smtp_command_timeout_exit(); /* does not return */
2495if (had_command_sigterm)
2496 smtp_command_sigterm_exit();
2497if (had_data_timeout)
2498 smtp_data_timeout_exit();
2499if (had_data_sigint)
2500 smtp_data_sigint_exit();
2501
2502/* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
2503closed down, not that the socket itself has been closed down. Revert to
2504non-SSL handling. */
2505
2506if (error == SSL_ERROR_ZERO_RETURN)
2507 {
2508 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2509
2510 receive_getc = smtp_getc;
2511 receive_getbuf = smtp_getbuf;
2512 receive_get_cache = smtp_get_cache;
2513 receive_ungetc = smtp_ungetc;
2514 receive_feof = smtp_feof;
2515 receive_ferror = smtp_ferror;
2516 receive_smtp_buffered = smtp_buffered;
2517
2518 if (SSL_get_shutdown(server_ssl) == SSL_RECEIVED_SHUTDOWN)
2519 SSL_shutdown(server_ssl);
2520
2521#ifndef DISABLE_OCSP
2522 sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
2523 server_static_cbinfo->verify_stack = NULL;
2524#endif
2525 SSL_free(server_ssl);
2526 SSL_CTX_free(server_ctx);
2527 server_ctx = NULL;
2528 server_ssl = NULL;
2529 tls_in.active = -1;
2530 tls_in.bits = 0;
2531 tls_in.cipher = NULL;
2532 tls_in.peerdn = NULL;
2533 tls_in.sni = NULL;
2534
2535 return FALSE;
2536 }
2537
2538/* Handle genuine errors */
2539
2540else if (error == SSL_ERROR_SSL)
2541 {
2542 ERR_error_string(ERR_get_error(), ssl_errstring);
2543 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
2544 ssl_xfer_error = TRUE;
2545 return FALSE;
2546 }
2547
2548else if (error != SSL_ERROR_NONE)
2549 {
2550 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
2551 ssl_xfer_error = TRUE;
2552 return FALSE;
2553 }
2554
2555#ifndef DISABLE_DKIM
2556dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
2557#endif
2558ssl_xfer_buffer_hwm = inbytes;
2559ssl_xfer_buffer_lwm = 0;
2560return TRUE;
2561}
2562
2563
2564/*************************************************
2565* TLS version of getc *
2566*************************************************/
2567
2568/* This gets the next byte from the TLS input buffer. If the buffer is empty,
2569it refills the buffer via the SSL reading function.
2570
2571Arguments: lim Maximum amount to read/buffer
2572Returns: the next character or EOF
2573
2574Only used by the server-side TLS.
2575*/
2576
2577int
2578tls_getc(unsigned lim)
2579{
2580if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
2581 if (!tls_refill(lim))
2582 return ssl_xfer_error ? EOF : smtp_getc(lim);
2583
2584/* Something in the buffer; return next uschar */
2585
2586return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
2587}
2588
2589uschar *
2590tls_getbuf(unsigned * len)
2591{
2592unsigned size;
2593uschar * buf;
2594
2595if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
2596 if (!tls_refill(*len))
2597 {
2598 if (!ssl_xfer_error) return smtp_getbuf(len);
2599 *len = 0;
2600 return NULL;
2601 }
2602
2603if ((size = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm) > *len)
2604 size = *len;
2605buf = &ssl_xfer_buffer[ssl_xfer_buffer_lwm];
2606ssl_xfer_buffer_lwm += size;
2607*len = size;
2608return buf;
2609}
2610
2611
2612void
2613tls_get_cache()
2614{
2615#ifndef DISABLE_DKIM
2616int n = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm;
2617if (n > 0)
2618 dkim_exim_verify_feed(ssl_xfer_buffer+ssl_xfer_buffer_lwm, n);
2619#endif
2620}
2621
2622
2623BOOL
2624tls_could_read(void)
2625{
2626return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm || SSL_pending(server_ssl) > 0;
2627}
2628
2629
2630/*************************************************
2631* Read bytes from TLS channel *
2632*************************************************/
2633
2634/*
2635Arguments:
2636 buff buffer of data
2637 len size of buffer
2638
2639Returns: the number of bytes read
2640 -1 after a failed read
2641
2642Only used by the client-side TLS.
2643*/
2644
2645int
2646tls_read(BOOL is_server, uschar *buff, size_t len)
2647{
2648SSL *ssl = is_server ? server_ssl : client_ssl;
2649int inbytes;
2650int error;
2651
2652DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
2653 buff, (unsigned int)len);
2654
2655inbytes = SSL_read(ssl, CS buff, len);
2656error = SSL_get_error(ssl, inbytes);
2657
2658if (error == SSL_ERROR_ZERO_RETURN)
2659 {
2660 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2661 return -1;
2662 }
2663else if (error != SSL_ERROR_NONE)
2664 return -1;
2665
2666return inbytes;
2667}
2668
2669
2670
2671
2672
2673/*************************************************
2674* Write bytes down TLS channel *
2675*************************************************/
2676
2677/*
2678Arguments:
2679 is_server channel specifier
2680 buff buffer of data
2681 len number of bytes
2682 more further data expected soon
2683
2684Returns: the number of bytes after a successful write,
2685 -1 after a failed write
2686
2687Used by both server-side and client-side TLS.
2688*/
2689
2690int
2691tls_write(BOOL is_server, const uschar *buff, size_t len, BOOL more)
2692{
2693int outbytes, error, left;
2694SSL *ssl = is_server ? server_ssl : client_ssl;
2695static gstring * corked = NULL;
2696
2697DEBUG(D_tls) debug_printf("%s(%p, %lu%s)\n", __FUNCTION__,
2698 buff, (unsigned long)len, more ? ", more" : "");
2699
2700/* Lacking a CORK or MSG_MORE facility (such as GnuTLS has) we copy data when
2701"more" is notified. This hack is only ok if small amounts are involved AND only
2702one stream does it, in one context (i.e. no store reset). Currently it is used
2703for the responses to the received SMTP MAIL , RCPT, DATA sequence, only. */
2704
2705if (is_server && (more || corked))
2706 {
2707 corked = string_catn(corked, buff, len);
2708 if (more)
2709 return len;
2710 buff = CUS corked->s;
2711 len = corked->ptr;
2712 corked = NULL;
2713 }
2714
2715for (left = len; left > 0;)
2716 {
2717 DEBUG(D_tls) debug_printf("SSL_write(SSL, %p, %d)\n", buff, left);
2718 outbytes = SSL_write(ssl, CS buff, left);
2719 error = SSL_get_error(ssl, outbytes);
2720 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
2721 switch (error)
2722 {
2723 case SSL_ERROR_SSL:
2724 ERR_error_string(ERR_get_error(), ssl_errstring);
2725 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
2726 return -1;
2727
2728 case SSL_ERROR_NONE:
2729 left -= outbytes;
2730 buff += outbytes;
2731 break;
2732
2733 case SSL_ERROR_ZERO_RETURN:
2734 log_write(0, LOG_MAIN, "SSL channel closed on write");
2735 return -1;
2736
2737 case SSL_ERROR_SYSCALL:
2738 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
2739 sender_fullhost ? sender_fullhost : US"<unknown>",
2740 strerror(errno));
2741 return -1;
2742
2743 default:
2744 log_write(0, LOG_MAIN, "SSL_write error %d", error);
2745 return -1;
2746 }
2747 }
2748return len;
2749}
2750
2751
2752
2753/*************************************************
2754* Close down a TLS session *
2755*************************************************/
2756
2757/* This is also called from within a delivery subprocess forked from the
2758daemon, to shut down the TLS library, without actually doing a shutdown (which
2759would tamper with the SSL session in the parent process).
2760
2761Arguments:
2762 shutdown 1 if TLS close-alert is to be sent,
2763 2 if also response to be waited for
2764
2765Returns: nothing
2766
2767Used by both server-side and client-side TLS.
2768*/
2769
2770void
2771tls_close(BOOL is_server, int shutdown)
2772{
2773SSL_CTX **ctxp = is_server ? &server_ctx : &client_ctx;
2774SSL **sslp = is_server ? &server_ssl : &client_ssl;
2775int *fdp = is_server ? &tls_in.active : &tls_out.active;
2776
2777if (*fdp < 0) return; /* TLS was not active */
2778
2779if (shutdown)
2780 {
2781 int rc;
2782 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
2783 shutdown > 1 ? " (with response-wait)" : "");
2784
2785 if ( (rc = SSL_shutdown(*sslp)) == 0 /* send "close notify" alert */
2786 && shutdown > 1)
2787 {
2788 alarm(2);
2789 rc = SSL_shutdown(*sslp); /* wait for response */
2790 alarm(0);
2791 }
2792
2793 if (rc < 0) DEBUG(D_tls)
2794 {
2795 ERR_error_string(ERR_get_error(), ssl_errstring);
2796 debug_printf("SSL_shutdown: %s\n", ssl_errstring);
2797 }
2798 }
2799
2800#ifndef DISABLE_OCSP
2801if (is_server)
2802 {
2803 sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
2804 server_static_cbinfo->verify_stack = NULL;
2805 }
2806#endif
2807
2808SSL_CTX_free(*ctxp);
2809SSL_free(*sslp);
2810*ctxp = NULL;
2811*sslp = NULL;
2812*fdp = -1;
2813}
2814
2815
2816
2817
2818/*************************************************
2819* Let tls_require_ciphers be checked at startup *
2820*************************************************/
2821
2822/* The tls_require_ciphers option, if set, must be something which the
2823library can parse.
2824
2825Returns: NULL on success, or error message
2826*/
2827
2828uschar *
2829tls_validate_require_cipher(void)
2830{
2831SSL_CTX *ctx;
2832uschar *s, *expciphers, *err;
2833
2834/* this duplicates from tls_init(), we need a better "init just global
2835state, for no specific purpose" singleton function of our own */
2836
2837SSL_load_error_strings();
2838OpenSSL_add_ssl_algorithms();
2839#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
2840/* SHA256 is becoming ever more popular. This makes sure it gets added to the
2841list of available digests. */
2842EVP_add_digest(EVP_sha256());
2843#endif
2844
2845if (!(tls_require_ciphers && *tls_require_ciphers))
2846 return NULL;
2847
2848if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
2849 &err))
2850 return US"failed to expand tls_require_ciphers";
2851
2852if (!(expciphers && *expciphers))
2853 return NULL;
2854
2855/* normalisation ripped from above */
2856s = expciphers;
2857while (*s != 0) { if (*s == '_') *s = '-'; s++; }
2858
2859err = NULL;
2860
2861#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
2862if (!(ctx = SSL_CTX_new(TLS_server_method())))
2863#else
2864if (!(ctx = SSL_CTX_new(SSLv23_server_method())))
2865#endif
2866 {
2867 ERR_error_string(ERR_get_error(), ssl_errstring);
2868 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
2869 }
2870
2871DEBUG(D_tls)
2872 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
2873
2874if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
2875 {
2876 ERR_error_string(ERR_get_error(), ssl_errstring);
2877 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed: %s",
2878 expciphers, ssl_errstring);
2879 }
2880
2881SSL_CTX_free(ctx);
2882
2883return err;
2884}
2885
2886
2887
2888
2889/*************************************************
2890* Report the library versions. *
2891*************************************************/
2892
2893/* There have historically been some issues with binary compatibility in
2894OpenSSL libraries; if Exim (like many other applications) is built against
2895one version of OpenSSL but the run-time linker picks up another version,
2896it can result in serious failures, including crashing with a SIGSEGV. So
2897report the version found by the compiler and the run-time version.
2898
2899Note: some OS vendors backport security fixes without changing the version
2900number/string, and the version date remains unchanged. The _build_ date
2901will change, so we can more usefully assist with version diagnosis by also
2902reporting the build date.
2903
2904Arguments: a FILE* to print the results to
2905Returns: nothing
2906*/
2907
2908void
2909tls_version_report(FILE *f)
2910{
2911fprintf(f, "Library version: OpenSSL: Compile: %s\n"
2912 " Runtime: %s\n"
2913 " : %s\n",
2914 OPENSSL_VERSION_TEXT,
2915 SSLeay_version(SSLEAY_VERSION),
2916 SSLeay_version(SSLEAY_BUILT_ON));
2917/* third line is 38 characters for the %s and the line is 73 chars long;
2918the OpenSSL output includes a "built on: " prefix already. */
2919}
2920
2921
2922
2923
2924/*************************************************
2925* Random number generation *
2926*************************************************/
2927
2928/* Pseudo-random number generation. The result is not expected to be
2929cryptographically strong but not so weak that someone will shoot themselves
2930in the foot using it as a nonce in input in some email header scheme or
2931whatever weirdness they'll twist this into. The result should handle fork()
2932and avoid repeating sequences. OpenSSL handles that for us.
2933
2934Arguments:
2935 max range maximum
2936Returns a random number in range [0, max-1]
2937*/
2938
2939int
2940vaguely_random_number(int max)
2941{
2942unsigned int r;
2943int i, needed_len;
2944static pid_t pidlast = 0;
2945pid_t pidnow;
2946uschar *p;
2947uschar smallbuf[sizeof(r)];
2948
2949if (max <= 1)
2950 return 0;
2951
2952pidnow = getpid();
2953if (pidnow != pidlast)
2954 {
2955 /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
2956 is unique for each thread", this doesn't apparently apply across processes,
2957 so our own warning from vaguely_random_number_fallback() applies here too.
2958 Fix per PostgreSQL. */
2959 if (pidlast != 0)
2960 RAND_cleanup();
2961 pidlast = pidnow;
2962 }
2963
2964/* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
2965if (!RAND_status())
2966 {
2967 randstuff r;
2968 gettimeofday(&r.tv, NULL);
2969 r.p = getpid();
2970
2971 RAND_seed(US (&r), sizeof(r));
2972 }
2973/* We're after pseudo-random, not random; if we still don't have enough data
2974in the internal PRNG then our options are limited. We could sleep and hope
2975for entropy to come along (prayer technique) but if the system is so depleted
2976in the first place then something is likely to just keep taking it. Instead,
2977we'll just take whatever little bit of pseudo-random we can still manage to
2978get. */
2979
2980needed_len = sizeof(r);
2981/* Don't take 8 times more entropy than needed if int is 8 octets and we were
2982asked for a number less than 10. */
2983for (r = max, i = 0; r; ++i)
2984 r >>= 1;
2985i = (i + 7) / 8;
2986if (i < needed_len)
2987 needed_len = i;
2988
2989#ifdef EXIM_HAVE_RAND_PSEUDO
2990/* We do not care if crypto-strong */
2991i = RAND_pseudo_bytes(smallbuf, needed_len);
2992#else
2993i = RAND_bytes(smallbuf, needed_len);
2994#endif
2995
2996if (i < 0)
2997 {
2998 DEBUG(D_all)
2999 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
3000 return vaguely_random_number_fallback(max);
3001 }
3002
3003r = 0;
3004for (p = smallbuf; needed_len; --needed_len, ++p)
3005 {
3006 r *= 256;
3007 r += *p;
3008 }
3009
3010/* We don't particularly care about weighted results; if someone wants
3011smooth distribution and cares enough then they should submit a patch then. */
3012return r % max;
3013}
3014
3015
3016
3017
3018/*************************************************
3019* OpenSSL option parse *
3020*************************************************/
3021
3022/* Parse one option for tls_openssl_options_parse below
3023
3024Arguments:
3025 name one option name
3026 value place to store a value for it
3027Returns success or failure in parsing
3028*/
3029
3030struct exim_openssl_option {
3031 uschar *name;
3032 long value;
3033};
3034/* We could use a macro to expand, but we need the ifdef and not all the
3035options document which version they were introduced in. Policylet: include
3036all options unless explicitly for DTLS, let the administrator choose which
3037to apply.
3038
3039This list is current as of:
3040 ==> 1.0.1b <==
3041Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
3042*/
3043static struct exim_openssl_option exim_openssl_options[] = {
3044/* KEEP SORTED ALPHABETICALLY! */
3045#ifdef SSL_OP_ALL
3046 { US"all", SSL_OP_ALL },
3047#endif
3048#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
3049 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
3050#endif
3051#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
3052 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
3053#endif
3054#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
3055 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
3056#endif
3057#ifdef SSL_OP_EPHEMERAL_RSA
3058 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
3059#endif
3060#ifdef SSL_OP_LEGACY_SERVER_CONNECT
3061 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
3062#endif
3063#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
3064 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
3065#endif
3066#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
3067 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
3068#endif
3069#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
3070 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
3071#endif
3072#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
3073 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
3074#endif
3075#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
3076 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
3077#endif
3078#ifdef SSL_OP_NO_COMPRESSION
3079 { US"no_compression", SSL_OP_NO_COMPRESSION },
3080#endif
3081#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
3082 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
3083#endif
3084#ifdef SSL_OP_NO_SSLv2
3085 { US"no_sslv2", SSL_OP_NO_SSLv2 },
3086#endif
3087#ifdef SSL_OP_NO_SSLv3
3088 { US"no_sslv3", SSL_OP_NO_SSLv3 },
3089#endif
3090#ifdef SSL_OP_NO_TICKET
3091 { US"no_ticket", SSL_OP_NO_TICKET },
3092#endif
3093#ifdef SSL_OP_NO_TLSv1
3094 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
3095#endif
3096#ifdef SSL_OP_NO_TLSv1_1
3097#if SSL_OP_NO_TLSv1_1 == 0x00000400L
3098 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
3099#warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
3100#else
3101 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
3102#endif
3103#endif
3104#ifdef SSL_OP_NO_TLSv1_2
3105 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
3106#endif
3107#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
3108 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
3109#endif
3110#ifdef SSL_OP_SINGLE_DH_USE
3111 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
3112#endif
3113#ifdef SSL_OP_SINGLE_ECDH_USE
3114 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
3115#endif
3116#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
3117 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
3118#endif
3119#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
3120 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
3121#endif
3122#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
3123 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
3124#endif
3125#ifdef SSL_OP_TLS_D5_BUG
3126 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
3127#endif
3128#ifdef SSL_OP_TLS_ROLLBACK_BUG
3129 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
3130#endif
3131};
3132static int exim_openssl_options_size =
3133 sizeof(exim_openssl_options)/sizeof(struct exim_openssl_option);
3134
3135
3136static BOOL
3137tls_openssl_one_option_parse(uschar *name, long *value)
3138{
3139int first = 0;
3140int last = exim_openssl_options_size;
3141while (last > first)
3142 {
3143 int middle = (first + last)/2;
3144 int c = Ustrcmp(name, exim_openssl_options[middle].name);
3145 if (c == 0)
3146 {
3147 *value = exim_openssl_options[middle].value;
3148 return TRUE;
3149 }
3150 else if (c > 0)
3151 first = middle + 1;
3152 else
3153 last = middle;
3154 }
3155return FALSE;
3156}
3157
3158
3159
3160
3161/*************************************************
3162* OpenSSL option parsing logic *
3163*************************************************/
3164
3165/* OpenSSL has a number of compatibility options which an administrator might
3166reasonably wish to set. Interpret a list similarly to decode_bits(), so that
3167we look like log_selector.
3168
3169Arguments:
3170 option_spec the administrator-supplied string of options
3171 results ptr to long storage for the options bitmap
3172Returns success or failure
3173*/
3174
3175BOOL
3176tls_openssl_options_parse(uschar *option_spec, long *results)
3177{
3178long result, item;
3179uschar *s, *end;
3180uschar keep_c;
3181BOOL adding, item_parsed;
3182
3183result = SSL_OP_NO_TICKET;
3184/* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
3185 * from default because it increases BEAST susceptibility. */
3186#ifdef SSL_OP_NO_SSLv2
3187result |= SSL_OP_NO_SSLv2;
3188#endif
3189#ifdef SSL_OP_SINGLE_DH_USE
3190result |= SSL_OP_SINGLE_DH_USE;
3191#endif
3192
3193if (!option_spec)
3194 {
3195 *results = result;
3196 return TRUE;
3197 }
3198
3199for (s=option_spec; *s != '\0'; /**/)
3200 {
3201 while (isspace(*s)) ++s;
3202 if (*s == '\0')
3203 break;
3204 if (*s != '+' && *s != '-')
3205 {
3206 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
3207 "+ or - expected but found \"%s\"\n", s);
3208 return FALSE;
3209 }
3210 adding = *s++ == '+';
3211 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
3212 keep_c = *end;
3213 *end = '\0';
3214 item_parsed = tls_openssl_one_option_parse(s, &item);
3215 *end = keep_c;
3216 if (!item_parsed)
3217 {
3218 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
3219 return FALSE;
3220 }
3221 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
3222 adding ? "adding" : "removing", result, item, s);
3223 if (adding)
3224 result |= item;
3225 else
3226 result &= ~item;
3227 s = end;
3228 }
3229
3230*results = result;
3231return TRUE;
3232}
3233
3234/* vi: aw ai sw=2
3235*/
3236/* End of tls-openssl.c */
Unnamed repository; edit this file 'description' to name the repository.