projects / exim.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
Testsuite: make it compatible with ancient Perl versions.
[exim.git] / src / src / tls-openssl.c
... / ...
CommitLineData
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
5/* Copyright (c) University of Cambridge 1995 - 2019 */
6/* See the file NOTICE for conditions of use and distribution. */
7
8/* Portions Copyright (c) The OpenSSL Project 1999 */
9
10/* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11library. It is #included into the tls.c file when that library is used. The
12code herein is based on a patch that was originally contributed by Steve
13Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
14
15No cryptographic code is included in Exim. All this module does is to call
16functions from the OpenSSL library. */
17
18
19/* Heading stuff */
20
21#include <openssl/lhash.h>
22#include <openssl/ssl.h>
23#include <openssl/err.h>
24#include <openssl/rand.h>
25#ifndef OPENSSL_NO_ECDH
26# include <openssl/ec.h>
27#endif
28#ifndef DISABLE_OCSP
29# include <openssl/ocsp.h>
30#endif
31#ifdef SUPPORT_DANE
32# include "danessl.h"
33#endif
34
35
36#ifndef DISABLE_OCSP
37# define EXIM_OCSP_SKEW_SECONDS (300L)
38# define EXIM_OCSP_MAX_AGE (-1L)
39#endif
40
41#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
42# define EXIM_HAVE_OPENSSL_TLSEXT
43#endif
44#if OPENSSL_VERSION_NUMBER >= 0x00908000L
45# define EXIM_HAVE_RSA_GENKEY_EX
46#endif
47#if OPENSSL_VERSION_NUMBER >= 0x10100000L
48# define EXIM_HAVE_OCSP_RESP_COUNT
49# define OPENSSL_AUTO_SHA256
50#else
51# define EXIM_HAVE_EPHEM_RSA_KEX
52# define EXIM_HAVE_RAND_PSEUDO
53#endif
54#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
55# define EXIM_HAVE_SHA256
56#endif
57
58/* X509_check_host provides sane certificate hostname checking, but was added
59to OpenSSL late, after other projects forked off the code-base. So in
60addition to guarding against the base version number, beware that LibreSSL
61does not (at this time) support this function.
62
63If LibreSSL gains a different API, perhaps via libtls, then we'll probably
64opt to disentangle and ask a LibreSSL user to provide glue for a third
65crypto provider for libtls instead of continuing to tie the OpenSSL glue
66into even twistier knots. If LibreSSL gains the same API, we can just
67change this guard and punt the issue for a while longer. */
68
69#ifndef LIBRESSL_VERSION_NUMBER
70# if OPENSSL_VERSION_NUMBER >= 0x010100000L
71# define EXIM_HAVE_OPENSSL_CHECKHOST
72# define EXIM_HAVE_OPENSSL_DH_BITS
73# define EXIM_HAVE_OPENSSL_TLS_METHOD
74# define EXIM_HAVE_OPENSSL_KEYLOG
75# define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
76# define EXIM_HAVE_SESSION_TICKET
77# define EXIM_HAVE_OPESSL_TRACE
78# define EXIM_HAVE_OPESSL_GET0_SERIAL
79# ifndef DISABLE_OCSP
80# define EXIM_HAVE_OCSP
81# endif
82# else
83# define EXIM_NEED_OPENSSL_INIT
84# endif
85# if OPENSSL_VERSION_NUMBER >= 0x010000000L \
86 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
87# define EXIM_HAVE_OPENSSL_CHECKHOST
88# endif
89#endif
90
91#if !defined(LIBRESSL_VERSION_NUMBER) \
92 || LIBRESSL_VERSION_NUMBER >= 0x20010000L
93# if !defined(OPENSSL_NO_ECDH)
94# if OPENSSL_VERSION_NUMBER >= 0x0090800fL
95# define EXIM_HAVE_ECDH
96# endif
97# if OPENSSL_VERSION_NUMBER >= 0x10002000L
98# define EXIM_HAVE_OPENSSL_EC_NIST2NID
99# endif
100# endif
101#endif
102
103#ifndef LIBRESSL_VERSION_NUMBER
104# if OPENSSL_VERSION_NUMBER >= 0x010101000L
105# define OPENSSL_HAVE_KEYLOG_CB
106# define OPENSSL_HAVE_NUM_TICKETS
107# define EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
108# else
109# define OPENSSL_BAD_SRVR_OURCERT
110# endif
111#endif
112
113#if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
114# warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
115# define DISABLE_OCSP
116#endif
117
118#ifdef EXPERIMENTAL_TLS_RESUME
119# if OPENSSL_VERSION_NUMBER < 0x0101010L
120# error OpenSSL version too old for session-resumption
121# endif
122#endif
123
124#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
125# include <openssl/x509v3.h>
126#endif
127
128#ifndef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
129# ifndef EXIM_HAVE_OPENSSL_CIPHER_GET_ID
130# define SSL_CIPHER_get_id(c) (c->id)
131# endif
132# ifndef MACRO_PREDEF
133# include "tls-cipher-stdname.c"
134# endif
135#endif
136
137/*************************************************
138* OpenSSL option parse *
139*************************************************/
140
141typedef struct exim_openssl_option {
142 uschar *name;
143 long value;
144} exim_openssl_option;
145/* We could use a macro to expand, but we need the ifdef and not all the
146options document which version they were introduced in. Policylet: include
147all options unless explicitly for DTLS, let the administrator choose which
148to apply.
149
150This list is current as of:
151 ==> 1.0.1b <==
152Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
153Plus SSL_OP_NO_TLSv1_3 for 1.1.2-dev
154Plus SSL_OP_NO_RENEGOTIATION for 1.1.1
155
156XXX could we autobuild this list, as with predefined-macros?
157Seems just parsing ssl.h for SSL_OP_.* would be enough.
158Also allow a numeric literal?
159*/
160static exim_openssl_option exim_openssl_options[] = {
161/* KEEP SORTED ALPHABETICALLY! */
162#ifdef SSL_OP_ALL
163 { US"all", (long) SSL_OP_ALL },
164#endif
165#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
166 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
167#endif
168#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
169 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
170#endif
171#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
172 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
173#endif
174#ifdef SSL_OP_EPHEMERAL_RSA
175 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
176#endif
177#ifdef SSL_OP_LEGACY_SERVER_CONNECT
178 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
179#endif
180#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
181 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
182#endif
183#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
184 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
185#endif
186#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
187 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
188#endif
189#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
190 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
191#endif
192#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
193 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
194#endif
195#ifdef SSL_OP_NO_COMPRESSION
196 { US"no_compression", SSL_OP_NO_COMPRESSION },
197#endif
198#ifdef SSL_OP_NO_RENEGOTIATION
199 { US"no_renegotiation", SSL_OP_NO_RENEGOTIATION },
200#endif
201#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
202 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
203#endif
204#ifdef SSL_OP_NO_SSLv2
205 { US"no_sslv2", SSL_OP_NO_SSLv2 },
206#endif
207#ifdef SSL_OP_NO_SSLv3
208 { US"no_sslv3", SSL_OP_NO_SSLv3 },
209#endif
210#ifdef SSL_OP_NO_TICKET
211 { US"no_ticket", SSL_OP_NO_TICKET },
212#endif
213#ifdef SSL_OP_NO_TLSv1
214 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
215#endif
216#ifdef SSL_OP_NO_TLSv1_1
217#if SSL_OP_NO_TLSv1_1 == 0x00000400L
218 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
219#warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
220#else
221 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
222#endif
223#endif
224#ifdef SSL_OP_NO_TLSv1_2
225 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
226#endif
227#ifdef SSL_OP_NO_TLSv1_3
228 { US"no_tlsv1_3", SSL_OP_NO_TLSv1_3 },
229#endif
230#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
231 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
232#endif
233#ifdef SSL_OP_SINGLE_DH_USE
234 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
235#endif
236#ifdef SSL_OP_SINGLE_ECDH_USE
237 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
238#endif
239#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
240 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
241#endif
242#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
243 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
244#endif
245#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
246 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
247#endif
248#ifdef SSL_OP_TLS_D5_BUG
249 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
250#endif
251#ifdef SSL_OP_TLS_ROLLBACK_BUG
252 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
253#endif
254};
255
256#ifndef MACRO_PREDEF
257static int exim_openssl_options_size = nelem(exim_openssl_options);
258#endif
259
260#ifdef MACRO_PREDEF
261void
262options_tls(void)
263{
264uschar buf[64];
265
266for (struct exim_openssl_option * o = exim_openssl_options;
267 o < exim_openssl_options + nelem(exim_openssl_options); o++)
268 {
269 /* Trailing X is workaround for problem with _OPT_OPENSSL_NO_TLSV1
270 being a ".ifdef _OPT_OPENSSL_NO_TLSV1_3" match */
271
272 spf(buf, sizeof(buf), US"_OPT_OPENSSL_%T_X", o->name);
273 builtin_macro_create(buf);
274 }
275
276# ifdef EXPERIMENTAL_TLS_RESUME
277builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
278# endif
279# ifdef SSL_OP_NO_TLSv1_3
280builtin_macro_create(US"_HAVE_TLS1_3");
281# endif
282# ifdef OPENSSL_BAD_SRVR_OURCERT
283builtin_macro_create(US"_TLS_BAD_MULTICERT_IN_OURCERT");
284# endif
285# ifdef EXIM_HAVE_OCSP
286builtin_macro_create(US"_HAVE_TLS_OCSP");
287builtin_macro_create(US"_HAVE_TLS_OCSP_LIST");
288# endif
289}
290#else
291
292/******************************************************************************/
293
294/* Structure for collecting random data for seeding. */
295
296typedef struct randstuff {
297 struct timeval tv;
298 pid_t p;
299} randstuff;
300
301/* Local static variables */
302
303static BOOL client_verify_callback_called = FALSE;
304static BOOL server_verify_callback_called = FALSE;
305static const uschar *sid_ctx = US"exim";
306
307/* We have three different contexts to care about.
308
309Simple case: client, `client_ctx`
310 As a client, we can be doing a callout or cut-through delivery while receiving
311 a message. So we have a client context, which should have options initialised
312 from the SMTP Transport. We may also concurrently want to make TLS connections
313 to utility daemons, so client-contexts are allocated and passed around in call
314 args rather than using a gobal.
315
316Server:
317 There are two cases: with and without ServerNameIndication from the client.
318 Given TLS SNI, we can be using different keys, certs and various other
319 configuration settings, because they're re-expanded with $tls_sni set. This
320 allows vhosting with TLS. This SNI is sent in the handshake.
321 A client might not send SNI, so we need a fallback, and an initial setup too.
322 So as a server, we start out using `server_ctx`.
323 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
324 `server_sni` from `server_ctx` and then initialise settings by re-expanding
325 configuration.
326*/
327
328typedef struct {
329 SSL_CTX * ctx;
330 SSL * ssl;
331 gstring * corked;
332} exim_openssl_client_tls_ctx;
333
334static SSL_CTX *server_ctx = NULL;
335static SSL *server_ssl = NULL;
336
337#ifdef EXIM_HAVE_OPENSSL_TLSEXT
338static SSL_CTX *server_sni = NULL;
339#endif
340
341static char ssl_errstring[256];
342
343static int ssl_session_timeout = 7200; /* Two hours */
344static BOOL client_verify_optional = FALSE;
345static BOOL server_verify_optional = FALSE;
346
347static BOOL reexpand_tls_files_for_sni = FALSE;
348
349
350typedef struct ocsp_resp {
351 struct ocsp_resp * next;
352 OCSP_RESPONSE * resp;
353} ocsp_resplist;
354
355typedef struct tls_ext_ctx_cb {
356 tls_support * tlsp;
357 uschar *certificate;
358 uschar *privatekey;
359 BOOL is_server;
360#ifndef DISABLE_OCSP
361 STACK_OF(X509) *verify_stack; /* chain for verifying the proof */
362 union {
363 struct {
364 uschar *file;
365 const uschar *file_expanded;
366 ocsp_resplist *olist;
367 } server;
368 struct {
369 X509_STORE *verify_store; /* non-null if status requested */
370 BOOL verify_required;
371 } client;
372 } u_ocsp;
373#endif
374 uschar *dhparam;
375 /* these are cached from first expand */
376 uschar *server_cipher_list;
377 /* only passed down to tls_error: */
378 host_item *host;
379 const uschar * verify_cert_hostnames;
380#ifndef DISABLE_EVENT
381 uschar * event_action;
382#endif
383} tls_ext_ctx_cb;
384
385/* should figure out a cleanup of API to handle state preserved per
386implementation, for various reasons, which can be void * in the APIs.
387For now, we hack around it. */
388tls_ext_ctx_cb *client_static_cbinfo = NULL; /*XXX should not use static; multiple concurrent clients! */
389tls_ext_ctx_cb *server_static_cbinfo = NULL;
390
391static int
392setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
393 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr );
394
395/* Callbacks */
396#ifdef EXIM_HAVE_OPENSSL_TLSEXT
397static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
398#endif
399#ifndef DISABLE_OCSP
400static int tls_server_stapling_cb(SSL *s, void *arg);
401#endif
402
403
404
405/* Daemon-called, before every connection, key create/rotate */
406#ifdef EXPERIMENTAL_TLS_RESUME
407static void tk_init(void);
408static int tls_exdata_idx = -1;
409#endif
410
411void
412tls_daemon_init(void)
413{
414#ifdef EXPERIMENTAL_TLS_RESUME
415tk_init();
416#endif
417return;
418}
419
420
421/*************************************************
422* Handle TLS error *
423*************************************************/
424
425/* Called from lots of places when errors occur before actually starting to do
426the TLS handshake, that is, while the session is still in clear. Always returns
427DEFER for a server and FAIL for a client so that most calls can use "return
428tls_error(...)" to do this processing and then give an appropriate return. A
429single function is used for both server and client, because it is called from
430some shared functions.
431
432Argument:
433 prefix text to include in the logged error
434 host NULL if setting up a server;
435 the connected host if setting up a client
436 msg error message or NULL if we should ask OpenSSL
437 errstr pointer to output error message
438
439Returns: OK/DEFER/FAIL
440*/
441
442static int
443tls_error(uschar * prefix, const host_item * host, uschar * msg, uschar ** errstr)
444{
445if (!msg)
446 {
447 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
448 msg = US ssl_errstring;
449 }
450
451msg = string_sprintf("(%s): %s", prefix, msg);
452DEBUG(D_tls) debug_printf("TLS error '%s'\n", msg);
453if (errstr) *errstr = msg;
454return host ? FAIL : DEFER;
455}
456
457
458
459/*************************************************
460* Callback to generate RSA key *
461*************************************************/
462
463/*
464Arguments:
465 s SSL connection (not used)
466 export not used
467 keylength keylength
468
469Returns: pointer to generated key
470*/
471
472static RSA *
473rsa_callback(SSL *s, int export, int keylength)
474{
475RSA *rsa_key;
476#ifdef EXIM_HAVE_RSA_GENKEY_EX
477BIGNUM *bn = BN_new();
478#endif
479
480export = export; /* Shut picky compilers up */
481DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
482
483#ifdef EXIM_HAVE_RSA_GENKEY_EX
484if ( !BN_set_word(bn, (unsigned long)RSA_F4)
485 || !(rsa_key = RSA_new())
486 || !RSA_generate_key_ex(rsa_key, keylength, bn, NULL)
487 )
488#else
489if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL)))
490#endif
491
492 {
493 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
494 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
495 ssl_errstring);
496 return NULL;
497 }
498return rsa_key;
499}
500
501
502
503/* Extreme debug
504#ifndef DISABLE_OCSP
505void
506x509_store_dump_cert_s_names(X509_STORE * store)
507{
508STACK_OF(X509_OBJECT) * roots= store->objs;
509static uschar name[256];
510
511for (int i= 0; i < sk_X509_OBJECT_num(roots); i++)
512 {
513 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
514 if(tmp_obj->type == X509_LU_X509)
515 {
516 X509_NAME * sn = X509_get_subject_name(tmp_obj->data.x509);
517 if (X509_NAME_oneline(sn, CS name, sizeof(name)))
518 {
519 name[sizeof(name)-1] = '\0';
520 debug_printf(" %s\n", name);
521 }
522 }
523 }
524}
525#endif
526*/
527
528
529#ifndef DISABLE_EVENT
530static int
531verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
532 BOOL *calledp, const BOOL *optionalp, const uschar * what)
533{
534uschar * ev;
535uschar * yield;
536X509 * old_cert;
537
538ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
539if (ev)
540 {
541 DEBUG(D_tls) debug_printf("verify_event: %s %d\n", what, depth);
542 old_cert = tlsp->peercert;
543 tlsp->peercert = X509_dup(cert);
544 /* NB we do not bother setting peerdn */
545 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
546 {
547 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
548 "depth=%d cert=%s: %s",
549 tlsp == &tls_out ? deliver_host_address : sender_host_address,
550 what, depth, dn, yield);
551 *calledp = TRUE;
552 if (!*optionalp)
553 {
554 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
555 return 1; /* reject (leaving peercert set) */
556 }
557 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
558 "(host in tls_try_verify_hosts)\n");
559 tlsp->verify_override = TRUE;
560 }
561 X509_free(tlsp->peercert);
562 tlsp->peercert = old_cert;
563 }
564return 0;
565}
566#endif
567
568/*************************************************
569* Callback for verification *
570*************************************************/
571
572/* The SSL library does certificate verification if set up to do so. This
573callback has the current yes/no state is in "state". If verification succeeded,
574we set the certificate-verified flag. If verification failed, what happens
575depends on whether the client is required to present a verifiable certificate
576or not.
577
578If verification is optional, we change the state to yes, but still log the
579verification error. For some reason (it really would help to have proper
580documentation of OpenSSL), this callback function then gets called again, this
581time with state = 1. We must take care not to set the private verified flag on
582the second time through.
583
584Note: this function is not called if the client fails to present a certificate
585when asked. We get here only if a certificate has been received. Handling of
586optional verification for this case is done when requesting SSL to verify, by
587setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
588
589May be called multiple times for different issues with a certificate, even
590for a given "depth" in the certificate chain.
591
592Arguments:
593 preverify_ok current yes/no state as 1/0
594 x509ctx certificate information.
595 tlsp per-direction (client vs. server) support data
596 calledp has-been-called flag
597 optionalp verification-is-optional flag
598
599Returns: 0 if verification should fail, otherwise 1
600*/
601
602static int
603verify_callback(int preverify_ok, X509_STORE_CTX * x509ctx,
604 tls_support * tlsp, BOOL * calledp, BOOL * optionalp)
605{
606X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
607int depth = X509_STORE_CTX_get_error_depth(x509ctx);
608uschar dn[256];
609
610if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
611 {
612 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
613 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
614 tlsp == &tls_out ? deliver_host_address : sender_host_address);
615 return 0;
616 }
617dn[sizeof(dn)-1] = '\0';
618
619tlsp->verify_override = FALSE;
620if (preverify_ok == 0)
621 {
622 uschar * extra = verify_mode ? string_sprintf(" (during %c-verify for [%s])",
623 *verify_mode, sender_host_address)
624 : US"";
625 log_write(0, LOG_MAIN, "[%s] SSL verify error%s: depth=%d error=%s cert=%s",
626 tlsp == &tls_out ? deliver_host_address : sender_host_address,
627 extra, depth,
628 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)), dn);
629 *calledp = TRUE;
630 if (!*optionalp)
631 {
632 if (!tlsp->peercert)
633 tlsp->peercert = X509_dup(cert); /* record failing cert */
634 return 0; /* reject */
635 }
636 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
637 "tls_try_verify_hosts)\n");
638 tlsp->verify_override = TRUE;
639 }
640
641else if (depth != 0)
642 {
643 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
644#ifndef DISABLE_OCSP
645 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
646 { /* client, wanting stapling */
647 /* Add the server cert's signing chain as the one
648 for the verification of the OCSP stapled information. */
649
650 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
651 cert))
652 ERR_clear_error();
653 sk_X509_push(client_static_cbinfo->verify_stack, cert);
654 }
655#endif
656#ifndef DISABLE_EVENT
657 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
658 return 0; /* reject, with peercert set */
659#endif
660 }
661else
662 {
663 const uschar * verify_cert_hostnames;
664
665 if ( tlsp == &tls_out
666 && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
667 /* client, wanting hostname check */
668 {
669
670#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
671# ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
672# define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
673# endif
674# ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
675# define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
676# endif
677 int sep = 0;
678 const uschar * list = verify_cert_hostnames;
679 uschar * name;
680 int rc;
681 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
682 if ((rc = X509_check_host(cert, CCS name, 0,
683 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
684 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
685 NULL)))
686 {
687 if (rc < 0)
688 {
689 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
690 tlsp == &tls_out ? deliver_host_address : sender_host_address);
691 name = NULL;
692 }
693 break;
694 }
695 if (!name)
696#else
697 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
698#endif
699 {
700 uschar * extra = verify_mode
701 ? string_sprintf(" (during %c-verify for [%s])",
702 *verify_mode, sender_host_address)
703 : US"";
704 log_write(0, LOG_MAIN,
705 "[%s] SSL verify error%s: certificate name mismatch: DN=\"%s\" H=\"%s\"",
706 tlsp == &tls_out ? deliver_host_address : sender_host_address,
707 extra, dn, verify_cert_hostnames);
708 *calledp = TRUE;
709 if (!*optionalp)
710 {
711 if (!tlsp->peercert)
712 tlsp->peercert = X509_dup(cert); /* record failing cert */
713 return 0; /* reject */
714 }
715 DEBUG(D_tls) debug_printf("SSL verify name failure overridden (host in "
716 "tls_try_verify_hosts)\n");
717 tlsp->verify_override = TRUE;
718 }
719 }
720
721#ifndef DISABLE_EVENT
722 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
723 return 0; /* reject, with peercert set */
724#endif
725
726 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
727 *calledp ? "" : " authenticated", dn);
728 *calledp = TRUE;
729 }
730
731return 1; /* accept, at least for this level */
732}
733
734static int
735verify_callback_client(int preverify_ok, X509_STORE_CTX *x509ctx)
736{
737return verify_callback(preverify_ok, x509ctx, &tls_out,
738 &client_verify_callback_called, &client_verify_optional);
739}
740
741static int
742verify_callback_server(int preverify_ok, X509_STORE_CTX *x509ctx)
743{
744return verify_callback(preverify_ok, x509ctx, &tls_in,
745 &server_verify_callback_called, &server_verify_optional);
746}
747
748
749#ifdef SUPPORT_DANE
750
751/* This gets called *by* the dane library verify callback, which interposes
752itself.
753*/
754static int
755verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
756{
757X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
758uschar dn[256];
759int depth = X509_STORE_CTX_get_error_depth(x509ctx);
760#ifndef DISABLE_EVENT
761BOOL dummy_called, optional = FALSE;
762#endif
763
764if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
765 {
766 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
767 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
768 deliver_host_address);
769 return 0;
770 }
771dn[sizeof(dn)-1] = '\0';
772
773DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
774 preverify_ok ? "ok":"BAD", depth, dn);
775
776#ifndef DISABLE_EVENT
777 if (verify_event(&tls_out, cert, depth, dn,
778 &dummy_called, &optional, US"DANE"))
779 return 0; /* reject, with peercert set */
780#endif
781
782if (preverify_ok == 1)
783 {
784 tls_out.dane_verified = TRUE;
785#ifndef DISABLE_OCSP
786 if (client_static_cbinfo->u_ocsp.client.verify_store)
787 { /* client, wanting stapling */
788 /* Add the server cert's signing chain as the one
789 for the verification of the OCSP stapled information. */
790
791 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
792 cert))
793 ERR_clear_error();
794 sk_X509_push(client_static_cbinfo->verify_stack, cert);
795 }
796#endif
797 }
798else
799 {
800 int err = X509_STORE_CTX_get_error(x509ctx);
801 DEBUG(D_tls)
802 debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
803 if (err == X509_V_ERR_APPLICATION_VERIFICATION)
804 preverify_ok = 1;
805 }
806return preverify_ok;
807}
808
809#endif /*SUPPORT_DANE*/
810
811
812/*************************************************
813* Information callback *
814*************************************************/
815
816/* The SSL library functions call this from time to time to indicate what they
817are doing. We copy the string to the debugging output when TLS debugging has
818been requested.
819
820Arguments:
821 s the SSL connection
822 where
823 ret
824
825Returns: nothing
826*/
827
828static void
829info_callback(SSL *s, int where, int ret)
830{
831DEBUG(D_tls)
832 {
833 const uschar * str;
834
835 if (where & SSL_ST_CONNECT)
836 str = US"SSL_connect";
837 else if (where & SSL_ST_ACCEPT)
838 str = US"SSL_accept";
839 else
840 str = US"SSL info (undefined)";
841
842 if (where & SSL_CB_LOOP)
843 debug_printf("%s: %s\n", str, SSL_state_string_long(s));
844 else if (where & SSL_CB_ALERT)
845 debug_printf("SSL3 alert %s:%s:%s\n",
846 str = where & SSL_CB_READ ? US"read" : US"write",
847 SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
848 else if (where & SSL_CB_EXIT)
849 if (ret == 0)
850 debug_printf("%s: failed in %s\n", str, SSL_state_string_long(s));
851 else if (ret < 0)
852 debug_printf("%s: error in %s\n", str, SSL_state_string_long(s));
853 else if (where & SSL_CB_HANDSHAKE_START)
854 debug_printf("%s: hshake start: %s\n", str, SSL_state_string_long(s));
855 else if (where & SSL_CB_HANDSHAKE_DONE)
856 debug_printf("%s: hshake done: %s\n", str, SSL_state_string_long(s));
857 }
858}
859
860#ifdef OPENSSL_HAVE_KEYLOG_CB
861static void
862keylog_callback(const SSL *ssl, const char *line)
863{
864char * filename;
865FILE * fp;
866DEBUG(D_tls) debug_printf("%.200s\n", line);
867if (!(filename = getenv("SSLKEYLOGFILE"))) return;
868if (!(fp = fopen(filename, "a"))) return;
869fprintf(fp, "%s\n", line);
870fclose(fp);
871}
872#endif
873
874
875#ifdef EXPERIMENTAL_TLS_RESUME
876/* Manage the keysets used for encrypting the session tickets, on the server. */
877
878typedef struct { /* Session ticket encryption key */
879 uschar name[16];
880
881 const EVP_CIPHER * aes_cipher;
882 uschar aes_key[32]; /* size needed depends on cipher. aes_128 implies 128/8 = 16? */
883 const EVP_MD * hmac_hash;
884 uschar hmac_key[16];
885 time_t renew;
886 time_t expire;
887} exim_stek;
888
889static exim_stek exim_tk; /* current key */
890static exim_stek exim_tk_old; /* previous key */
891
892static void
893tk_init(void)
894{
895time_t t = time(NULL);
896
897if (exim_tk.name[0])
898 {
899 if (exim_tk.renew >= t) return;
900 exim_tk_old = exim_tk;
901 }
902
903if (f.running_in_test_harness) ssl_session_timeout = 6;
904
905DEBUG(D_tls) debug_printf("OpenSSL: %s STEK\n", exim_tk.name[0] ? "rotating" : "creating");
906if (RAND_bytes(exim_tk.aes_key, sizeof(exim_tk.aes_key)) <= 0) return;
907if (RAND_bytes(exim_tk.hmac_key, sizeof(exim_tk.hmac_key)) <= 0) return;
908if (RAND_bytes(exim_tk.name+1, sizeof(exim_tk.name)-1) <= 0) return;
909
910exim_tk.name[0] = 'E';
911exim_tk.aes_cipher = EVP_aes_256_cbc();
912exim_tk.hmac_hash = EVP_sha256();
913exim_tk.expire = t + ssl_session_timeout;
914exim_tk.renew = t + ssl_session_timeout/2;
915}
916
917static exim_stek *
918tk_current(void)
919{
920if (!exim_tk.name[0]) return NULL;
921return &exim_tk;
922}
923
924static exim_stek *
925tk_find(const uschar * name)
926{
927return memcmp(name, exim_tk.name, sizeof(exim_tk.name)) == 0 ? &exim_tk
928 : memcmp(name, exim_tk_old.name, sizeof(exim_tk_old.name)) == 0 ? &exim_tk_old
929 : NULL;
930}
931
932/* Callback for session tickets, on server */
933static int
934ticket_key_callback(SSL * ssl, uschar key_name[16],
935 uschar * iv, EVP_CIPHER_CTX * ctx, HMAC_CTX * hctx, int enc)
936{
937tls_support * tlsp = server_static_cbinfo->tlsp;
938exim_stek * key;
939
940if (enc)
941 {
942 DEBUG(D_tls) debug_printf("ticket_key_callback: create new session\n");
943 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
944
945 if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) <= 0)
946 return -1; /* insufficient random */
947
948 if (!(key = tk_current())) /* current key doesn't exist or isn't valid */
949 return 0; /* key couldn't be created */
950 memcpy(key_name, key->name, 16);
951 DEBUG(D_tls) debug_printf("STEK expire " TIME_T_FMT "\n", key->expire - time(NULL));
952
953 /*XXX will want these dependent on the ssl session strength */
954 HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
955 key->hmac_hash, NULL);
956 EVP_EncryptInit_ex(ctx, key->aes_cipher, NULL, key->aes_key, iv);
957
958 DEBUG(D_tls) debug_printf("ticket created\n");
959 return 1;
960 }
961else
962 {
963 time_t now = time(NULL);
964
965 DEBUG(D_tls) debug_printf("ticket_key_callback: retrieve session\n");
966 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
967
968 if (!(key = tk_find(key_name)) || key->expire < now)
969 {
970 DEBUG(D_tls)
971 {
972 debug_printf("ticket not usable (%s)\n", key ? "expired" : "not found");
973 if (key) debug_printf("STEK expire " TIME_T_FMT "\n", key->expire - now);
974 }
975 return 0;
976 }
977
978 HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
979 key->hmac_hash, NULL);
980 EVP_DecryptInit_ex(ctx, key->aes_cipher, NULL, key->aes_key, iv);
981
982 DEBUG(D_tls) debug_printf("ticket usable, STEK expire " TIME_T_FMT "\n", key->expire - now);
983
984 /* The ticket lifetime and renewal are the same as the STEK lifetime and
985 renewal, which is overenthusiastic. A factor of, say, 3x longer STEK would
986 be better. To do that we'd have to encode ticket lifetime in the name as
987 we don't yet see the restored session. Could check posthandshake for TLS1.3
988 and trigger a new ticket then, but cannot do that for TLS1.2 */
989 return key->renew < now ? 2 : 1;
990 }
991}
992#endif
993
994
995
996/*************************************************
997* Initialize for DH *
998*************************************************/
999
1000/* If dhparam is set, expand it, and load up the parameters for DH encryption.
1001
1002Arguments:
1003 sctx The current SSL CTX (inbound or outbound)
1004 dhparam DH parameter file or fixed parameter identity string
1005 host connected host, if client; NULL if server
1006 errstr error string pointer
1007
1008Returns: TRUE if OK (nothing to set up, or setup worked)
1009*/
1010
1011static BOOL
1012init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host, uschar ** errstr)
1013{
1014BIO *bio;
1015DH *dh;
1016uschar *dhexpanded;
1017const char *pem;
1018int dh_bitsize;
1019
1020if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded, errstr))
1021 return FALSE;
1022
1023if (!dhexpanded || !*dhexpanded)
1024 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
1025else if (dhexpanded[0] == '/')
1026 {
1027 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
1028 {
1029 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
1030 host, US strerror(errno), errstr);
1031 return FALSE;
1032 }
1033 }
1034else
1035 {
1036 if (Ustrcmp(dhexpanded, "none") == 0)
1037 {
1038 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
1039 return TRUE;
1040 }
1041
1042 if (!(pem = std_dh_prime_named(dhexpanded)))
1043 {
1044 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
1045 host, US strerror(errno), errstr);
1046 return FALSE;
1047 }
1048 bio = BIO_new_mem_buf(CS pem, -1);
1049 }
1050
1051if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
1052 {
1053 BIO_free(bio);
1054 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
1055 host, NULL, errstr);
1056 return FALSE;
1057 }
1058
1059/* note: our default limit of 2236 is not a multiple of 8; the limit comes from
1060 * an NSS limit, and the GnuTLS APIs handle bit-sizes fine, so we went with
1061 * 2236. But older OpenSSL can only report in bytes (octets), not bits.
1062 * If someone wants to dance at the edge, then they can raise the limit or use
1063 * current libraries. */
1064#ifdef EXIM_HAVE_OPENSSL_DH_BITS
1065/* Added in commit 26c79d5641d; `git describe --contains` says OpenSSL_1_1_0-pre1~1022
1066 * This predates OpenSSL_1_1_0 (before a, b, ...) so is in all 1.1.0 */
1067dh_bitsize = DH_bits(dh);
1068#else
1069dh_bitsize = 8 * DH_size(dh);
1070#endif
1071
1072/* Even if it is larger, we silently return success rather than cause things
1073 * to fail out, so that a too-large DH will not knock out all TLS; it's a
1074 * debatable choice. */
1075if (dh_bitsize > tls_dh_max_bits)
1076 {
1077 DEBUG(D_tls)
1078 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d\n",
1079 dh_bitsize, tls_dh_max_bits);
1080 }
1081else
1082 {
1083 SSL_CTX_set_tmp_dh(sctx, dh);
1084 DEBUG(D_tls)
1085 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
1086 dhexpanded ? dhexpanded : US"default", dh_bitsize);
1087 }
1088
1089DH_free(dh);
1090BIO_free(bio);
1091
1092return TRUE;
1093}
1094
1095
1096
1097
1098/*************************************************
1099* Initialize for ECDH *
1100*************************************************/
1101
1102/* Load parameters for ECDH encryption.
1103
1104For now, we stick to NIST P-256 because: it's simple and easy to configure;
1105it avoids any patent issues that might bite redistributors; despite events in
1106the news and concerns over curve choices, we're not cryptographers, we're not
1107pretending to be, and this is "good enough" to be better than no support,
1108protecting against most adversaries. Given another year or two, there might
1109be sufficient clarity about a "right" way forward to let us make an informed
1110decision, instead of a knee-jerk reaction.
1111
1112Longer-term, we should look at supporting both various named curves and
1113external files generated with "openssl ecparam", much as we do for init_dh().
1114We should also support "none" as a value, to explicitly avoid initialisation.
1115
1116Patches welcome.
1117
1118Arguments:
1119 sctx The current SSL CTX (inbound or outbound)
1120 host connected host, if client; NULL if server
1121 errstr error string pointer
1122
1123Returns: TRUE if OK (nothing to set up, or setup worked)
1124*/
1125
1126static BOOL
1127init_ecdh(SSL_CTX * sctx, host_item * host, uschar ** errstr)
1128{
1129#ifdef OPENSSL_NO_ECDH
1130return TRUE;
1131#else
1132
1133EC_KEY * ecdh;
1134uschar * exp_curve;
1135int nid;
1136BOOL rv;
1137
1138if (host) /* No ECDH setup for clients, only for servers */
1139 return TRUE;
1140
1141# ifndef EXIM_HAVE_ECDH
1142DEBUG(D_tls)
1143 debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
1144return TRUE;
1145# else
1146
1147if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr))
1148 return FALSE;
1149if (!exp_curve || !*exp_curve)
1150 return TRUE;
1151
1152/* "auto" needs to be handled carefully.
1153 * OpenSSL < 1.0.2: we do not select anything, but fallback to prime256v1
1154 * OpenSSL < 1.1.0: we have to call SSL_CTX_set_ecdh_auto
1155 * (openssl/ssl.h defines SSL_CTRL_SET_ECDH_AUTO)
1156 * OpenSSL >= 1.1.0: we do not set anything, the libray does autoselection
1157 * https://github.com/openssl/openssl/commit/fe6ef2472db933f01b59cad82aa925736935984b
1158 */
1159if (Ustrcmp(exp_curve, "auto") == 0)
1160 {
1161#if OPENSSL_VERSION_NUMBER < 0x10002000L
1162 DEBUG(D_tls) debug_printf(
1163 "ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n");
1164 exp_curve = US"prime256v1";
1165#else
1166# if defined SSL_CTRL_SET_ECDH_AUTO
1167 DEBUG(D_tls) debug_printf(
1168 "ECDH OpenSSL 1.0.2+ temp key parameter settings: autoselection\n");
1169 SSL_CTX_set_ecdh_auto(sctx, 1);
1170 return TRUE;
1171# else
1172 DEBUG(D_tls) debug_printf(
1173 "ECDH OpenSSL 1.1.0+ temp key parameter settings: default selection\n");
1174 return TRUE;
1175# endif
1176#endif
1177 }
1178
1179DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve);
1180if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef
1181# ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
1182 && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef
1183# endif
1184 )
1185 {
1186 tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve),
1187 host, NULL, errstr);
1188 return FALSE;
1189 }
1190
1191if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
1192 {
1193 tls_error(US"Unable to create ec curve", host, NULL, errstr);
1194 return FALSE;
1195 }
1196
1197/* The "tmp" in the name here refers to setting a temporary key
1198not to the stability of the interface. */
1199
1200if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
1201 tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL, errstr);
1202else
1203 DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
1204
1205EC_KEY_free(ecdh);
1206return !rv;
1207
1208# endif /*EXIM_HAVE_ECDH*/
1209#endif /*OPENSSL_NO_ECDH*/
1210}
1211
1212
1213
1214
1215#ifndef DISABLE_OCSP
1216/*************************************************
1217* Load OCSP information into state *
1218*************************************************/
1219/* Called to load the server OCSP response from the given file into memory, once
1220caller has determined this is needed. Checks validity. Debugs a message
1221if invalid.
1222
1223ASSUMES: single response, for single cert.
1224
1225Arguments:
1226 sctx the SSL_CTX* to update
1227 cbinfo various parts of session state
1228 filename the filename putatively holding an OCSP response
1229 is_pem file is PEM format; otherwise is DER
1230
1231*/
1232
1233static void
1234ocsp_load_response(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo,
1235 const uschar * filename, BOOL is_pem)
1236{
1237BIO * bio;
1238OCSP_RESPONSE * resp;
1239OCSP_BASICRESP * basic_response;
1240OCSP_SINGLERESP * single_response;
1241ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
1242STACK_OF(X509) * sk;
1243unsigned long verify_flags;
1244int status, reason, i;
1245
1246DEBUG(D_tls)
1247 debug_printf("tls_ocsp_file (%s) '%s'\n", is_pem ? "PEM" : "DER", filename);
1248
1249if (!(bio = BIO_new_file(CS filename, "rb")))
1250 {
1251 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
1252 filename);
1253 return;
1254 }
1255
1256if (is_pem)
1257 {
1258 uschar * data, * freep;
1259 char * dummy;
1260 long len;
1261 if (!PEM_read_bio(bio, &dummy, &dummy, &data, &len))
1262 {
1263 DEBUG(D_tls) debug_printf("Failed to read PEM file \"%s\"\n",
1264 filename);
1265 return;
1266 }
1267debug_printf("read pem file\n");
1268 freep = data;
1269 resp = d2i_OCSP_RESPONSE(NULL, CUSS &data, len);
1270 OPENSSL_free(freep);
1271 }
1272else
1273 resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
1274BIO_free(bio);
1275
1276if (!resp)
1277 {
1278 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
1279 return;
1280 }
1281
1282if ((status = OCSP_response_status(resp)) != OCSP_RESPONSE_STATUS_SUCCESSFUL)
1283 {
1284 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
1285 OCSP_response_status_str(status), status);
1286 goto bad;
1287 }
1288
1289#ifdef notdef
1290 {
1291 BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
1292 OCSP_RESPONSE_print(bp, resp, 0); /* extreme debug: stapling content */
1293 BIO_free(bp);
1294 }
1295#endif
1296
1297if (!(basic_response = OCSP_response_get1_basic(resp)))
1298 {
1299 DEBUG(D_tls)
1300 debug_printf("OCSP response parse error: unable to extract basic response.\n");
1301 goto bad;
1302 }
1303
1304sk = cbinfo->verify_stack;
1305verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
1306
1307/* May need to expose ability to adjust those flags?
1308OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
1309OCSP_TRUSTOTHER OCSP_NOINTERN */
1310
1311/* This does a full verify on the OCSP proof before we load it for serving
1312up; possibly overkill - just date-checks might be nice enough.
1313
1314OCSP_basic_verify takes a "store" arg, but does not
1315use it for the chain verification, which is all we do
1316when OCSP_NOVERIFY is set. The content from the wire
1317"basic_response" and a cert-stack "sk" are all that is used.
1318
1319We have a stack, loaded in setup_certs() if tls_verify_certificates
1320was a file (not a directory, or "system"). It is unfortunate we
1321cannot used the connection context store, as that would neatly
1322handle the "system" case too, but there seems to be no library
1323function for getting a stack from a store.
1324[ In OpenSSL 1.1 - ? X509_STORE_CTX_get0_chain(ctx) ? ]
1325We do not free the stack since it could be needed a second time for
1326SNI handling.
1327
1328Separately we might try to replace using OCSP_basic_verify() - which seems to not
1329be a public interface into the OpenSSL library (there's no manual entry) -
1330But what with? We also use OCSP_basic_verify in the client stapling callback.
1331And there we NEED it; we must verify that status... unless the
1332library does it for us anyway? */
1333
1334if ((i = OCSP_basic_verify(basic_response, sk, NULL, verify_flags)) < 0)
1335 {
1336 DEBUG(D_tls)
1337 {
1338 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
1339 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
1340 }
1341 goto bad;
1342 }
1343
1344/* Here's the simplifying assumption: there's only one response, for the
1345one certificate we use, and nothing for anything else in a chain. If this
1346proves false, we need to extract a cert id from our issued cert
1347(tls_certificate) and use that for OCSP_resp_find_status() (which finds the
1348right cert in the stack and then calls OCSP_single_get0_status()).
1349
1350I'm hoping to avoid reworking a bunch more of how we handle state here.
1351
1352XXX that will change when we add support for (TLS1.3) whole-chain stapling
1353*/
1354
1355if (!(single_response = OCSP_resp_get0(basic_response, 0)))
1356 {
1357 DEBUG(D_tls)
1358 debug_printf("Unable to get first response from OCSP basic response.\n");
1359 goto bad;
1360 }
1361
1362status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
1363if (status != V_OCSP_CERTSTATUS_GOOD)
1364 {
1365 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
1366 OCSP_cert_status_str(status), status,
1367 OCSP_crl_reason_str(reason), reason);
1368 goto bad;
1369 }
1370
1371if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1372 {
1373 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
1374 goto bad;
1375 }
1376
1377supply_response:
1378 /* Add the resp to the list used by tls_server_stapling_cb() */
1379 {
1380 ocsp_resplist ** op = &cbinfo->u_ocsp.server.olist, * oentry;
1381 while (oentry = *op)
1382 op = &oentry->next;
1383 *op = oentry = store_get(sizeof(ocsp_resplist), FALSE);
1384 oentry->next = NULL;
1385 oentry->resp = resp;
1386 }
1387return;
1388
1389bad:
1390 if (f.running_in_test_harness)
1391 {
1392 extern char ** environ;
1393 if (environ) for (uschar ** p = USS environ; *p; p++)
1394 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
1395 {
1396 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
1397 goto supply_response;
1398 }
1399 }
1400return;
1401}
1402
1403
1404static void
1405ocsp_free_response_list(tls_ext_ctx_cb * cbinfo)
1406{
1407for (ocsp_resplist * olist = cbinfo->u_ocsp.server.olist; olist;
1408 olist = olist->next)
1409 OCSP_RESPONSE_free(olist->resp);
1410cbinfo->u_ocsp.server.olist = NULL;
1411}
1412#endif /*!DISABLE_OCSP*/
1413
1414
1415
1416
1417/* Create and install a selfsigned certificate, for use in server mode */
1418
1419static int
1420tls_install_selfsign(SSL_CTX * sctx, uschar ** errstr)
1421{
1422X509 * x509 = NULL;
1423EVP_PKEY * pkey;
1424RSA * rsa;
1425X509_NAME * name;
1426uschar * where;
1427
1428where = US"allocating pkey";
1429if (!(pkey = EVP_PKEY_new()))
1430 goto err;
1431
1432where = US"allocating cert";
1433if (!(x509 = X509_new()))
1434 goto err;
1435
1436where = US"generating pkey";
1437if (!(rsa = rsa_callback(NULL, 0, 2048)))
1438 goto err;
1439
1440where = US"assigning pkey";
1441if (!EVP_PKEY_assign_RSA(pkey, rsa))
1442 goto err;
1443
1444X509_set_version(x509, 2); /* N+1 - version 3 */
1445ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
1446X509_gmtime_adj(X509_get_notBefore(x509), 0);
1447X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60); /* 1 hour */
1448X509_set_pubkey(x509, pkey);
1449
1450name = X509_get_subject_name(x509);
1451X509_NAME_add_entry_by_txt(name, "C",
1452 MBSTRING_ASC, CUS "UK", -1, -1, 0);
1453X509_NAME_add_entry_by_txt(name, "O",
1454 MBSTRING_ASC, CUS "Exim Developers", -1, -1, 0);
1455X509_NAME_add_entry_by_txt(name, "CN",
1456 MBSTRING_ASC, CUS smtp_active_hostname, -1, -1, 0);
1457X509_set_issuer_name(x509, name);
1458
1459where = US"signing cert";
1460if (!X509_sign(x509, pkey, EVP_md5()))
1461 goto err;
1462
1463where = US"installing selfsign cert";
1464if (!SSL_CTX_use_certificate(sctx, x509))
1465 goto err;
1466
1467where = US"installing selfsign key";
1468if (!SSL_CTX_use_PrivateKey(sctx, pkey))
1469 goto err;
1470
1471return OK;
1472
1473err:
1474 (void) tls_error(where, NULL, NULL, errstr);
1475 if (x509) X509_free(x509);
1476 if (pkey) EVP_PKEY_free(pkey);
1477 return DEFER;
1478}
1479
1480
1481
1482
1483static int
1484tls_add_certfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1485 uschar ** errstr)
1486{
1487DEBUG(D_tls) debug_printf("tls_certificate file '%s'\n", file);
1488if (!SSL_CTX_use_certificate_chain_file(sctx, CS file))
1489 return tls_error(string_sprintf(
1490 "SSL_CTX_use_certificate_chain_file file=%s", file),
1491 cbinfo->host, NULL, errstr);
1492return 0;
1493}
1494
1495static int
1496tls_add_pkeyfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1497 uschar ** errstr)
1498{
1499DEBUG(D_tls) debug_printf("tls_privatekey file '%s'\n", file);
1500if (!SSL_CTX_use_PrivateKey_file(sctx, CS file, SSL_FILETYPE_PEM))
1501 return tls_error(string_sprintf(
1502 "SSL_CTX_use_PrivateKey_file file=%s", file), cbinfo->host, NULL, errstr);
1503return 0;
1504}
1505
1506
1507/*************************************************
1508* Expand key and cert file specs *
1509*************************************************/
1510
1511/* Called once during tls_init and possibly again during TLS setup, for a
1512new context, if Server Name Indication was used and tls_sni was seen in
1513the certificate string.
1514
1515Arguments:
1516 sctx the SSL_CTX* to update
1517 cbinfo various parts of session state
1518 errstr error string pointer
1519
1520Returns: OK/DEFER/FAIL
1521*/
1522
1523static int
1524tls_expand_session_files(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo,
1525 uschar ** errstr)
1526{
1527uschar * expanded;
1528
1529if (!cbinfo->certificate)
1530 {
1531 if (!cbinfo->is_server) /* client */
1532 return OK;
1533 /* server */
1534 if (tls_install_selfsign(sctx, errstr) != OK)
1535 return DEFER;
1536 }
1537else
1538 {
1539 int err;
1540
1541 if ( !reexpand_tls_files_for_sni
1542 && ( Ustrstr(cbinfo->certificate, US"tls_sni")
1543 || Ustrstr(cbinfo->certificate, US"tls_in_sni")
1544 || Ustrstr(cbinfo->certificate, US"tls_out_sni")
1545 ) )
1546 reexpand_tls_files_for_sni = TRUE;
1547
1548 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded, errstr))
1549 return DEFER;
1550
1551 if (expanded)
1552 if (cbinfo->is_server)
1553 {
1554 const uschar * file_list = expanded;
1555 int sep = 0;
1556 uschar * file;
1557#ifndef DISABLE_OCSP
1558 const uschar * olist = cbinfo->u_ocsp.server.file;
1559 int osep = 0;
1560 uschar * ofile;
1561 BOOL fmt_pem = FALSE;
1562
1563 if (olist)
1564 if (!expand_check(olist, US"tls_ocsp_file", USS &olist, errstr))
1565 return DEFER;
1566 if (olist && !*olist)
1567 olist = NULL;
1568
1569 if ( cbinfo->u_ocsp.server.file_expanded && olist
1570 && (Ustrcmp(olist, cbinfo->u_ocsp.server.file_expanded) == 0))
1571 {
1572 DEBUG(D_tls) debug_printf(" - value unchanged, using existing values\n");
1573 olist = NULL;
1574 }
1575 else
1576 {
1577 ocsp_free_response_list(cbinfo);
1578 cbinfo->u_ocsp.server.file_expanded = olist;
1579 }
1580#endif
1581
1582 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1583 {
1584 if ((err = tls_add_certfile(sctx, cbinfo, file, errstr)))
1585 return err;
1586
1587#ifndef DISABLE_OCSP
1588 if (olist)
1589 if ((ofile = string_nextinlist(&olist, &osep, NULL, 0)))
1590 {
1591 if (Ustrncmp(ofile, US"PEM ", 4) == 0)
1592 {
1593 fmt_pem = TRUE;
1594 ofile += 4;
1595 }
1596 else if (Ustrncmp(ofile, US"DER ", 4) == 0)
1597 {
1598 fmt_pem = FALSE;
1599 ofile += 4;
1600 }
1601 ocsp_load_response(sctx, cbinfo, ofile, fmt_pem);
1602 }
1603 else
1604 DEBUG(D_tls) debug_printf("ran out of ocsp file list\n");
1605#endif
1606 }
1607 }
1608 else /* would there ever be a need for multiple client certs? */
1609 if ((err = tls_add_certfile(sctx, cbinfo, expanded, errstr)))
1610 return err;
1611
1612 if ( cbinfo->privatekey
1613 && !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded, errstr))
1614 return DEFER;
1615
1616 /* If expansion was forced to fail, key_expanded will be NULL. If the result
1617 of the expansion is an empty string, ignore it also, and assume the private
1618 key is in the same file as the certificate. */
1619
1620 if (expanded && *expanded)
1621 if (cbinfo->is_server)
1622 {
1623 const uschar * file_list = expanded;
1624 int sep = 0;
1625 uschar * file;
1626
1627 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1628 if ((err = tls_add_pkeyfile(sctx, cbinfo, file, errstr)))
1629 return err;
1630 }
1631 else /* would there ever be a need for multiple client certs? */
1632 if ((err = tls_add_pkeyfile(sctx, cbinfo, expanded, errstr)))
1633 return err;
1634 }
1635
1636return OK;
1637}
1638
1639
1640
1641
1642/*************************************************
1643* Callback to handle SNI *
1644*************************************************/
1645
1646/* Called when acting as server during the TLS session setup if a Server Name
1647Indication extension was sent by the client.
1648
1649API documentation is OpenSSL s_server.c implementation.
1650
1651Arguments:
1652 s SSL* of the current session
1653 ad unknown (part of OpenSSL API) (unused)
1654 arg Callback of "our" registered data
1655
1656Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
1657
1658XXX might need to change to using ClientHello callback,
1659per https://www.openssl.org/docs/manmaster/man3/SSL_client_hello_cb_fn.html
1660*/
1661
1662#ifdef EXIM_HAVE_OPENSSL_TLSEXT
1663static int
1664tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
1665{
1666const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
1667tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
1668int rc;
1669int old_pool = store_pool;
1670uschar * dummy_errstr;
1671
1672if (!servername)
1673 return SSL_TLSEXT_ERR_OK;
1674
1675DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
1676 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
1677
1678/* Make the extension value available for expansion */
1679store_pool = POOL_PERM;
1680tls_in.sni = string_copy_taint(US servername, TRUE);
1681store_pool = old_pool;
1682
1683if (!reexpand_tls_files_for_sni)
1684 return SSL_TLSEXT_ERR_OK;
1685
1686/* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
1687not confident that memcpy wouldn't break some internal reference counting.
1688Especially since there's a references struct member, which would be off. */
1689
1690#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1691if (!(server_sni = SSL_CTX_new(TLS_server_method())))
1692#else
1693if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
1694#endif
1695 {
1696 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
1697 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
1698 goto bad;
1699 }
1700
1701/* Not sure how many of these are actually needed, since SSL object
1702already exists. Might even need this selfsame callback, for reneg? */
1703
1704SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
1705SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
1706SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
1707SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
1708SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
1709SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
1710
1711if ( !init_dh(server_sni, cbinfo->dhparam, NULL, &dummy_errstr)
1712 || !init_ecdh(server_sni, NULL, &dummy_errstr)
1713 )
1714 goto bad;
1715
1716if ( cbinfo->server_cipher_list
1717 && !SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list))
1718 goto bad;
1719
1720#ifndef DISABLE_OCSP
1721if (cbinfo->u_ocsp.server.file)
1722 {
1723 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
1724 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
1725 }
1726#endif
1727
1728if ((rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE,
1729 verify_callback_server, &dummy_errstr)) != OK)
1730 goto bad;
1731
1732/* do this after setup_certs, because this can require the certs for verifying
1733OCSP information. */
1734if ((rc = tls_expand_session_files(server_sni, cbinfo, &dummy_errstr)) != OK)
1735 goto bad;
1736
1737DEBUG(D_tls) debug_printf("Switching SSL context.\n");
1738SSL_set_SSL_CTX(s, server_sni);
1739return SSL_TLSEXT_ERR_OK;
1740
1741bad: return SSL_TLSEXT_ERR_ALERT_FATAL;
1742}
1743#endif /* EXIM_HAVE_OPENSSL_TLSEXT */
1744
1745
1746
1747
1748#ifndef DISABLE_OCSP
1749
1750/*************************************************
1751* Callback to handle OCSP Stapling *
1752*************************************************/
1753
1754/* Called when acting as server during the TLS session setup if the client
1755requests OCSP information with a Certificate Status Request.
1756
1757Documentation via openssl s_server.c and the Apache patch from the OpenSSL
1758project.
1759
1760*/
1761
1762static int
1763tls_server_stapling_cb(SSL *s, void *arg)
1764{
1765const tls_ext_ctx_cb * cbinfo = (tls_ext_ctx_cb *) arg;
1766ocsp_resplist * olist = cbinfo->u_ocsp.server.olist;
1767uschar * response_der; /*XXX blob */
1768int response_der_len;
1769
1770DEBUG(D_tls)
1771 debug_printf("Received TLS status request (OCSP stapling); %s response list\n",
1772 olist ? "have" : "lack");
1773
1774tls_in.ocsp = OCSP_NOT_RESP;
1775if (!olist)
1776 return SSL_TLSEXT_ERR_NOACK;
1777
1778#ifdef EXIM_HAVE_OPESSL_GET0_SERIAL
1779 {
1780 const X509 * cert_sent = SSL_get_certificate(s);
1781 const ASN1_INTEGER * cert_serial = X509_get0_serialNumber(cert_sent);
1782 const BIGNUM * cert_bn = ASN1_INTEGER_to_BN(cert_serial, NULL);
1783 const X509_NAME * cert_issuer = X509_get_issuer_name(cert_sent);
1784 uschar * chash;
1785 uint chash_len;
1786
1787 for (; olist; olist = olist->next)
1788 {
1789 OCSP_BASICRESP * bs = OCSP_response_get1_basic(olist->resp);
1790 const OCSP_SINGLERESP * single = OCSP_resp_get0(bs, 0);
1791 const OCSP_CERTID * cid = OCSP_SINGLERESP_get0_id(single);
1792 ASN1_INTEGER * res_cert_serial;
1793 const BIGNUM * resp_bn;
1794 ASN1_OCTET_STRING * res_cert_iNameHash;
1795
1796
1797 (void) OCSP_id_get0_info(&res_cert_iNameHash, NULL, NULL, &res_cert_serial,
1798 (OCSP_CERTID *) cid);
1799 resp_bn = ASN1_INTEGER_to_BN(res_cert_serial, NULL);
1800
1801 DEBUG(D_tls)
1802 {
1803 debug_printf("cert serial: %s\n", BN_bn2hex(cert_bn));
1804 debug_printf("resp serial: %s\n", BN_bn2hex(resp_bn));
1805 }
1806
1807 if (BN_cmp(cert_bn, resp_bn) == 0)
1808 {
1809 DEBUG(D_tls) debug_printf("matched serial for ocsp\n");
1810
1811 /*XXX TODO: check the rest of the list for duplicate matches.
1812 If any, need to also check the Issuer Name hash.
1813 Without this, we will provide the wrong status in the case of
1814 duplicate id. */
1815
1816 break;
1817 }
1818 DEBUG(D_tls) debug_printf("not match serial for ocsp\n");
1819 }
1820 if (!olist)
1821 {
1822 DEBUG(D_tls) debug_printf("failed to find match for ocsp\n");
1823 return SSL_TLSEXT_ERR_NOACK;
1824 }
1825 }
1826#else
1827if (olist->next)
1828 {
1829 DEBUG(D_tls) debug_printf("OpenSSL version too early to support multi-leaf OCSP\n");
1830 return SSL_TLSEXT_ERR_NOACK;
1831 }
1832#endif
1833
1834/*XXX could we do the i2d earlier, rather than during the callback? */
1835response_der = NULL;
1836response_der_len = i2d_OCSP_RESPONSE(olist->resp, &response_der);
1837if (response_der_len <= 0)
1838 return SSL_TLSEXT_ERR_NOACK;
1839
1840SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
1841tls_in.ocsp = OCSP_VFIED;
1842return SSL_TLSEXT_ERR_OK;
1843}
1844
1845
1846static void
1847time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
1848{
1849BIO_printf(bp, "\t%s: ", str);
1850ASN1_GENERALIZEDTIME_print(bp, time);
1851BIO_puts(bp, "\n");
1852}
1853
1854static int
1855tls_client_stapling_cb(SSL *s, void *arg)
1856{
1857tls_ext_ctx_cb * cbinfo = arg;
1858const unsigned char * p;
1859int len;
1860OCSP_RESPONSE * rsp;
1861OCSP_BASICRESP * bs;
1862int i;
1863
1864DEBUG(D_tls) debug_printf("Received TLS status callback (OCSP stapling):\n");
1865len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1866if(!p)
1867 {
1868 /* Expect this when we requested ocsp but got none */
1869 if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
1870 log_write(0, LOG_MAIN, "Required TLS certificate status not received");
1871 else
1872 DEBUG(D_tls) debug_printf(" null\n");
1873 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1874 }
1875
1876if (!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
1877 {
1878 tls_out.ocsp = OCSP_FAILED; /*XXX should use tlsp-> to permit concurrent outbound */
1879 if (LOGGING(tls_cipher))
1880 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
1881 else
1882 DEBUG(D_tls) debug_printf(" parse error\n");
1883 return 0;
1884 }
1885
1886if (!(bs = OCSP_response_get1_basic(rsp)))
1887 {
1888 tls_out.ocsp = OCSP_FAILED;
1889 if (LOGGING(tls_cipher))
1890 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
1891 else
1892 DEBUG(D_tls) debug_printf(" error parsing response\n");
1893 OCSP_RESPONSE_free(rsp);
1894 return 0;
1895 }
1896
1897/* We'd check the nonce here if we'd put one in the request. */
1898/* However that would defeat cacheability on the server so we don't. */
1899
1900/* This section of code reworked from OpenSSL apps source;
1901 The OpenSSL Project retains copyright:
1902 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
1903*/
1904 {
1905 BIO * bp = NULL;
1906#ifndef EXIM_HAVE_OCSP_RESP_COUNT
1907 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
1908#endif
1909
1910 DEBUG(D_tls) bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
1911
1912 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
1913
1914 /* Use the chain that verified the server cert to verify the stapled info */
1915 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
1916
1917 if ((i = OCSP_basic_verify(bs, cbinfo->verify_stack,
1918 cbinfo->u_ocsp.client.verify_store, OCSP_NOEXPLICIT)) <= 0)
1919 if (ERR_peek_error())
1920 {
1921 tls_out.ocsp = OCSP_FAILED;
1922 if (LOGGING(tls_cipher)) log_write(0, LOG_MAIN,
1923 "Received TLS cert status response, itself unverifiable: %s",
1924 ERR_reason_error_string(ERR_peek_error()));
1925 BIO_printf(bp, "OCSP response verify failure\n");
1926 ERR_print_errors(bp);
1927 OCSP_RESPONSE_print(bp, rsp, 0);
1928 goto failed;
1929 }
1930 else
1931 DEBUG(D_tls) debug_printf("no explicit trust for OCSP signing"
1932 " in the root CA certificate; ignoring\n");
1933
1934 DEBUG(D_tls) debug_printf("OCSP response well-formed and signed OK\n");
1935
1936 /*XXX So we have a good stapled OCSP status. How do we know
1937 it is for the cert of interest? OpenSSL 1.1.0 has a routine
1938 OCSP_resp_find_status() which matches on a cert id, which presumably
1939 we should use. Making an id needs OCSP_cert_id_new(), which takes
1940 issuerName, issuerKey, serialNumber. Are they all in the cert?
1941
1942 For now, carry on blindly accepting the resp. */
1943
1944 for (int idx =
1945#ifdef EXIM_HAVE_OCSP_RESP_COUNT
1946 OCSP_resp_count(bs) - 1;
1947#else
1948 sk_OCSP_SINGLERESP_num(sresp) - 1;
1949#endif
1950 idx >= 0; idx--)
1951 {
1952 OCSP_SINGLERESP * single = OCSP_resp_get0(bs, idx);
1953 int status, reason;
1954 ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
1955
1956 /*XXX so I can see putting a loop in here to handle a rsp with >1 singleresp
1957 - but what happens with a GnuTLS-style input?
1958
1959 we could do with a debug label for each singleresp
1960 - it has a certID with a serialNumber, but I see no API to get that
1961 */
1962 status = OCSP_single_get0_status(single, &reason, &rev,
1963 &thisupd, &nextupd);
1964
1965 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
1966 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
1967 if (!OCSP_check_validity(thisupd, nextupd,
1968 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1969 {
1970 tls_out.ocsp = OCSP_FAILED;
1971 DEBUG(D_tls) ERR_print_errors(bp);
1972 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
1973 goto failed;
1974 }
1975
1976 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
1977 OCSP_cert_status_str(status));
1978 switch(status)
1979 {
1980 case V_OCSP_CERTSTATUS_GOOD:
1981 continue; /* the idx loop */
1982 case V_OCSP_CERTSTATUS_REVOKED:
1983 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
1984 reason != -1 ? "; reason: " : "",
1985 reason != -1 ? OCSP_crl_reason_str(reason) : "");
1986 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
1987 break;
1988 default:
1989 log_write(0, LOG_MAIN,
1990 "Server certificate status unknown, in OCSP stapling");
1991 break;
1992 }
1993
1994 goto failed;
1995 }
1996
1997 i = 1;
1998 tls_out.ocsp = OCSP_VFIED;
1999 goto good;
2000
2001 failed:
2002 tls_out.ocsp = OCSP_FAILED;
2003 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
2004 good:
2005 BIO_free(bp);
2006 }
2007
2008OCSP_RESPONSE_free(rsp);
2009return i;
2010}
2011#endif /*!DISABLE_OCSP*/
2012
2013
2014/*************************************************
2015* Initialize for TLS *
2016*************************************************/
2017
2018static void
2019tls_openssl_init(void)
2020{
2021#ifdef EXIM_NEED_OPENSSL_INIT
2022SSL_load_error_strings(); /* basic set up */
2023OpenSSL_add_ssl_algorithms();
2024#endif
2025
2026#if defined(EXIM_HAVE_SHA256) && !defined(OPENSSL_AUTO_SHA256)
2027/* SHA256 is becoming ever more popular. This makes sure it gets added to the
2028list of available digests. */
2029EVP_add_digest(EVP_sha256());
2030#endif
2031}
2032
2033
2034
2035/* Called from both server and client code, to do preliminary initialization
2036of the library. We allocate and return a context structure.
2037
2038Arguments:
2039 ctxp returned SSL context
2040 host connected host, if client; NULL if server
2041 dhparam DH parameter file
2042 certificate certificate file
2043 privatekey private key
2044 ocsp_file file of stapling info (server); flag for require ocsp (client)
2045 addr address if client; NULL if server (for some randomness)
2046 cbp place to put allocated callback context
2047 errstr error string pointer
2048
2049Returns: OK/DEFER/FAIL
2050*/
2051
2052static int
2053tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
2054 uschar *privatekey,
2055#ifndef DISABLE_OCSP
2056 uschar *ocsp_file,
2057#endif
2058 address_item *addr, tls_ext_ctx_cb ** cbp,
2059 tls_support * tlsp,
2060 uschar ** errstr)
2061{
2062SSL_CTX * ctx;
2063long init_options;
2064int rc;
2065tls_ext_ctx_cb * cbinfo;
2066
2067cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
2068cbinfo->tlsp = tlsp;
2069cbinfo->certificate = certificate;
2070cbinfo->privatekey = privatekey;
2071cbinfo->is_server = host==NULL;
2072#ifndef DISABLE_OCSP
2073cbinfo->verify_stack = NULL;
2074if (!host)
2075 {
2076 cbinfo->u_ocsp.server.file = ocsp_file;
2077 cbinfo->u_ocsp.server.file_expanded = NULL;
2078 cbinfo->u_ocsp.server.olist = NULL;
2079 }
2080else
2081 cbinfo->u_ocsp.client.verify_store = NULL;
2082#endif
2083cbinfo->dhparam = dhparam;
2084cbinfo->server_cipher_list = NULL;
2085cbinfo->host = host;
2086#ifndef DISABLE_EVENT
2087cbinfo->event_action = NULL;
2088#endif
2089
2090tls_openssl_init();
2091
2092/* Create a context.
2093The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
2094negotiation in the different methods; as far as I can tell, the only
2095*_{server,client}_method which allows negotiation is SSLv23, which exists even
2096when OpenSSL is built without SSLv2 support.
2097By disabling with openssl_options, we can let admins re-enable with the
2098existing knob. */
2099
2100#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
2101if (!(ctx = SSL_CTX_new(host ? TLS_client_method() : TLS_server_method())))
2102#else
2103if (!(ctx = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method())))
2104#endif
2105 return tls_error(US"SSL_CTX_new", host, NULL, errstr);
2106
2107/* It turns out that we need to seed the random number generator this early in
2108order to get the full complement of ciphers to work. It took me roughly a day
2109of work to discover this by experiment.
2110
2111On systems that have /dev/urandom, SSL may automatically seed itself from
2112there. Otherwise, we have to make something up as best we can. Double check
2113afterwards. */
2114
2115if (!RAND_status())
2116 {
2117 randstuff r;
2118 gettimeofday(&r.tv, NULL);
2119 r.p = getpid();
2120
2121 RAND_seed(US (&r), sizeof(r));
2122 RAND_seed(US big_buffer, big_buffer_size);
2123 if (addr != NULL) RAND_seed(US addr, sizeof(addr));
2124
2125 if (!RAND_status())
2126 return tls_error(US"RAND_status", host,
2127 US"unable to seed random number generator", errstr);
2128 }
2129
2130/* Set up the information callback, which outputs if debugging is at a suitable
2131level. */
2132
2133DEBUG(D_tls)
2134 {
2135 SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
2136#if defined(EXIM_HAVE_OPESSL_TRACE) && !defined(OPENSSL_NO_SSL_TRACE)
2137 /* this needs a debug build of OpenSSL */
2138 SSL_CTX_set_msg_callback(ctx, (void (*)())SSL_trace);
2139#endif
2140#ifdef OPENSSL_HAVE_KEYLOG_CB
2141 SSL_CTX_set_keylog_callback(ctx, (void (*)())keylog_callback);
2142#endif
2143 }
2144
2145/* Automatically re-try reads/writes after renegotiation. */
2146(void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
2147
2148/* Apply administrator-supplied work-arounds.
2149Historically we applied just one requested option,
2150SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
2151moved to an administrator-controlled list of options to specify and
2152grandfathered in the first one as the default value for "openssl_options".
2153
2154No OpenSSL version number checks: the options we accept depend upon the
2155availability of the option value macros from OpenSSL. */
2156
2157if (!tls_openssl_options_parse(openssl_options, &init_options))
2158 return tls_error(US"openssl_options parsing failed", host, NULL, errstr);
2159
2160#ifdef EXPERIMENTAL_TLS_RESUME
2161tlsp->resumption = RESUME_SUPPORTED;
2162#endif
2163if (init_options)
2164 {
2165#ifdef EXPERIMENTAL_TLS_RESUME
2166 /* Should the server offer session resumption? */
2167 if (!host && verify_check_host(&tls_resumption_hosts) == OK)
2168 {
2169 DEBUG(D_tls) debug_printf("tls_resumption_hosts overrides openssl_options\n");
2170 init_options &= ~SSL_OP_NO_TICKET;
2171 tlsp->resumption |= RESUME_SERVER_TICKET; /* server will give ticket on request */
2172 tlsp->host_resumable = TRUE;
2173 }
2174#endif
2175
2176 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
2177 if (!(SSL_CTX_set_options(ctx, init_options)))
2178 return tls_error(string_sprintf(
2179 "SSL_CTX_set_option(%#lx)", init_options), host, NULL, errstr);
2180 }
2181else
2182 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
2183
2184/* We'd like to disable session cache unconditionally, but foolish Outlook
2185Express clients then give up the first TLS connection and make a second one
2186(which works). Only when there is an IMAP service on the same machine.
2187Presumably OE is trying to use the cache for A on B. Leave it enabled for
2188now, until we work out a decent way of presenting control to the config. It
2189will never be used because we use a new context every time. */
2190#ifdef notdef
2191(void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
2192#endif
2193
2194/* Initialize with DH parameters if supplied */
2195/* Initialize ECDH temp key parameter selection */
2196
2197if ( !init_dh(ctx, dhparam, host, errstr)
2198 || !init_ecdh(ctx, host, errstr)
2199 )
2200 return DEFER;
2201
2202/* Set up certificate and key (and perhaps OCSP info) */
2203
2204if ((rc = tls_expand_session_files(ctx, cbinfo, errstr)) != OK)
2205 return rc;
2206
2207/* If we need to handle SNI or OCSP, do so */
2208
2209#ifdef EXIM_HAVE_OPENSSL_TLSEXT
2210# ifndef DISABLE_OCSP
2211 if (!(cbinfo->verify_stack = sk_X509_new_null()))
2212 {
2213 DEBUG(D_tls) debug_printf("failed to create stack for stapling verify\n");
2214 return FAIL;
2215 }
2216# endif
2217
2218if (!host) /* server */
2219 {
2220# ifndef DISABLE_OCSP
2221 /* We check u_ocsp.server.file, not server.olist, because we care about if
2222 the option exists, not what the current expansion might be, as SNI might
2223 change the certificate and OCSP file in use between now and the time the
2224 callback is invoked. */
2225 if (cbinfo->u_ocsp.server.file)
2226 {
2227 SSL_CTX_set_tlsext_status_cb(ctx, tls_server_stapling_cb);
2228 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
2229 }
2230# endif
2231 /* We always do this, so that $tls_sni is available even if not used in
2232 tls_certificate */
2233 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
2234 SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
2235 }
2236# ifndef DISABLE_OCSP
2237else /* client */
2238 if(ocsp_file) /* wanting stapling */
2239 {
2240 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
2241 {
2242 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
2243 return FAIL;
2244 }
2245 SSL_CTX_set_tlsext_status_cb(ctx, tls_client_stapling_cb);
2246 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
2247 }
2248# endif
2249#endif
2250
2251cbinfo->verify_cert_hostnames = NULL;
2252
2253#ifdef EXIM_HAVE_EPHEM_RSA_KEX
2254/* Set up the RSA callback */
2255SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
2256#endif
2257
2258/* Finally, set the session cache timeout, and we are done.
2259The period appears to be also used for (server-generated) session tickets */
2260
2261SSL_CTX_set_timeout(ctx, ssl_session_timeout);
2262DEBUG(D_tls) debug_printf("Initialized TLS\n");
2263
2264*cbp = cbinfo;
2265*ctxp = ctx;
2266
2267return OK;
2268}
2269
2270
2271
2272
2273/*************************************************
2274* Get name of cipher in use *
2275*************************************************/
2276
2277/*
2278Argument: pointer to an SSL structure for the connection
2279 pointer to number of bits for cipher
2280Returns: pointer to allocated string in perm-pool
2281*/
2282
2283static uschar *
2284construct_cipher_name(SSL * ssl, int * bits)
2285{
2286int pool = store_pool;
2287/* With OpenSSL 1.0.0a, 'c' needs to be const but the documentation doesn't
2288yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
2289the accessor functions use const in the prototype. */
2290
2291const uschar * ver = CUS SSL_get_version(ssl);
2292const SSL_CIPHER * c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
2293uschar * s;
2294
2295SSL_CIPHER_get_bits(c, bits);
2296
2297store_pool = POOL_PERM;
2298s = string_sprintf("%s:%s:%u", ver, SSL_CIPHER_get_name(c), *bits);
2299store_pool = pool;
2300DEBUG(D_tls) debug_printf("Cipher: %s\n", s);
2301return s;
2302}
2303
2304
2305/* Get IETF-standard name for ciphersuite.
2306Argument: pointer to an SSL structure for the connection
2307Returns: pointer to string
2308*/
2309
2310static const uschar *
2311cipher_stdname_ssl(SSL * ssl)
2312{
2313#ifdef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
2314return CUS SSL_CIPHER_standard_name(SSL_get_current_cipher(ssl));
2315#else
2316ushort id = 0xffff & SSL_CIPHER_get_id(SSL_get_current_cipher(ssl));
2317return cipher_stdname(id >> 8, id & 0xff);
2318#endif
2319}
2320
2321
2322static void
2323peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned siz)
2324{
2325/*XXX we might consider a list-of-certs variable for the cert chain.
2326SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
2327in list-handling functions, also consider the difference between the entire
2328chain and the elements sent by the peer. */
2329
2330tlsp->peerdn = NULL;
2331
2332/* Will have already noted peercert on a verify fail; possibly not the leaf */
2333if (!tlsp->peercert)
2334 tlsp->peercert = SSL_get_peer_certificate(ssl);
2335/* Beware anonymous ciphers which lead to server_cert being NULL */
2336if (tlsp->peercert)
2337 if (!X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, siz))
2338 { DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n"); }
2339 else
2340 {
2341 int oldpool = store_pool;
2342
2343 peerdn[siz-1] = '\0'; /* paranoia */
2344 store_pool = POOL_PERM;
2345 tlsp->peerdn = string_copy(peerdn);
2346 store_pool = oldpool;
2347
2348 /* We used to set CV in the cert-verify callbacks (either plain or dane)
2349 but they don't get called on session-resumption. So use the official
2350 interface, which uses the resumed value. Unfortunately this claims verified
2351 when it actually failed but we're in try-verify mode, due to us wanting the
2352 knowlege that it failed so needing to have the callback and forcing a
2353 permissive return. If we don't force it, the TLS startup is failed.
2354 The extra bit of information is set in verify_override in the cb, stashed
2355 for resumption next to the TLS session, and used here. */
2356
2357 if (!tlsp->verify_override)
2358 tlsp->certificate_verified =
2359#ifdef SUPPORT_DANE
2360 tlsp->dane_verified ||
2361#endif
2362 SSL_get_verify_result(ssl) == X509_V_OK;
2363 }
2364}
2365
2366
2367
2368
2369
2370/*************************************************
2371* Set up for verifying certificates *
2372*************************************************/
2373
2374#ifndef DISABLE_OCSP
2375/* Load certs from file, return TRUE on success */
2376
2377static BOOL
2378chain_from_pem_file(const uschar * file, STACK_OF(X509) * verify_stack)
2379{
2380BIO * bp;
2381X509 * x;
2382
2383while (sk_X509_num(verify_stack) > 0)
2384 X509_free(sk_X509_pop(verify_stack));
2385
2386if (!(bp = BIO_new_file(CS file, "r"))) return FALSE;
2387while ((x = PEM_read_bio_X509(bp, NULL, 0, NULL)))
2388 sk_X509_push(verify_stack, x);
2389BIO_free(bp);
2390return TRUE;
2391}
2392#endif
2393
2394
2395
2396/* Called by both client and server startup; on the server possibly
2397repeated after a Server Name Indication.
2398
2399Arguments:
2400 sctx SSL_CTX* to initialise
2401 certs certs file or NULL
2402 crl CRL file or NULL
2403 host NULL in a server; the remote host in a client
2404 optional TRUE if called from a server for a host in tls_try_verify_hosts;
2405 otherwise passed as FALSE
2406 cert_vfy_cb Callback function for certificate verification
2407 errstr error string pointer
2408
2409Returns: OK/DEFER/FAIL
2410*/
2411
2412static int
2413setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
2414 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr)
2415{
2416uschar *expcerts, *expcrl;
2417
2418if (!expand_check(certs, US"tls_verify_certificates", &expcerts, errstr))
2419 return DEFER;
2420DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
2421
2422if (expcerts && *expcerts)
2423 {
2424 /* Tell the library to use its compiled-in location for the system default
2425 CA bundle. Then add the ones specified in the config, if any. */
2426
2427 if (!SSL_CTX_set_default_verify_paths(sctx))
2428 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL, errstr);
2429
2430 if (Ustrcmp(expcerts, "system") != 0)
2431 {
2432 struct stat statbuf;
2433
2434 if (Ustat(expcerts, &statbuf) < 0)
2435 {
2436 log_write(0, LOG_MAIN|LOG_PANIC,
2437 "failed to stat %s for certificates", expcerts);
2438 return DEFER;
2439 }
2440 else
2441 {
2442 uschar *file, *dir;
2443 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
2444 { file = NULL; dir = expcerts; }
2445 else
2446 {
2447 file = expcerts; dir = NULL;
2448#ifndef DISABLE_OCSP
2449 /* In the server if we will be offering an OCSP proof, load chain from
2450 file for verifying the OCSP proof at load time. */
2451
2452/*XXX Glitch! The file here is tls_verify_certs: the chain for verifying the client cert.
2453This is inconsistent with the need to verify the OCSP proof of the server cert.
2454*/
2455
2456 if ( !host
2457 && statbuf.st_size > 0
2458 && server_static_cbinfo->u_ocsp.server.file
2459 && !chain_from_pem_file(file, server_static_cbinfo->verify_stack)
2460 )
2461 {
2462 log_write(0, LOG_MAIN|LOG_PANIC,
2463 "failed to load cert chain from %s", file);
2464 return DEFER;
2465 }
2466#endif
2467 }
2468
2469 /* If a certificate file is empty, the next function fails with an
2470 unhelpful error message. If we skip it, we get the correct behaviour (no
2471 certificates are recognized, but the error message is still misleading (it
2472 says no certificate was supplied). But this is better. */
2473
2474 if ( (!file || statbuf.st_size > 0)
2475 && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
2476 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL, errstr);
2477
2478 /* Load the list of CAs for which we will accept certs, for sending
2479 to the client. This is only for the one-file tls_verify_certificates
2480 variant.
2481 If a list isn't loaded into the server, but some verify locations are set,
2482 the server end appears to make a wildcard request for client certs.
2483 Meanwhile, the client library as default behaviour *ignores* the list
2484 we send over the wire - see man SSL_CTX_set_client_cert_cb.
2485 Because of this, and that the dir variant is likely only used for
2486 the public-CA bundle (not for a private CA), not worth fixing. */
2487
2488 if (file)
2489 {
2490 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
2491
2492 SSL_CTX_set_client_CA_list(sctx, names);
2493 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
2494 sk_X509_NAME_num(names));
2495 }
2496 }
2497 }
2498
2499 /* Handle a certificate revocation list. */
2500
2501#if OPENSSL_VERSION_NUMBER > 0x00907000L
2502
2503 /* This bit of code is now the version supplied by Lars Mainka. (I have
2504 merely reformatted it into the Exim code style.)
2505
2506 "From here I changed the code to add support for multiple crl's
2507 in pem format in one file or to support hashed directory entries in
2508 pem format instead of a file. This method now uses the library function
2509 X509_STORE_load_locations to add the CRL location to the SSL context.
2510 OpenSSL will then handle the verify against CA certs and CRLs by
2511 itself in the verify callback." */
2512
2513 if (!expand_check(crl, US"tls_crl", &expcrl, errstr)) return DEFER;
2514 if (expcrl && *expcrl)
2515 {
2516 struct stat statbufcrl;
2517 if (Ustat(expcrl, &statbufcrl) < 0)
2518 {
2519 log_write(0, LOG_MAIN|LOG_PANIC,
2520 "failed to stat %s for certificates revocation lists", expcrl);
2521 return DEFER;
2522 }
2523 else
2524 {
2525 /* is it a file or directory? */
2526 uschar *file, *dir;
2527 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
2528 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
2529 {
2530 file = NULL;
2531 dir = expcrl;
2532 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
2533 }
2534 else
2535 {
2536 file = expcrl;
2537 dir = NULL;
2538 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
2539 }
2540 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
2541 return tls_error(US"X509_STORE_load_locations", host, NULL, errstr);
2542
2543 /* setting the flags to check against the complete crl chain */
2544
2545 X509_STORE_set_flags(cvstore,
2546 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
2547 }
2548 }
2549
2550#endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
2551
2552 /* If verification is optional, don't fail if no certificate */
2553
2554 SSL_CTX_set_verify(sctx,
2555 SSL_VERIFY_PEER | (optional ? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
2556 cert_vfy_cb);
2557 }
2558
2559return OK;
2560}
2561
2562
2563
2564/*************************************************
2565* Start a TLS session in a server *
2566*************************************************/
2567
2568/* This is called when Exim is running as a server, after having received
2569the STARTTLS command. It must respond to that command, and then negotiate
2570a TLS session.
2571
2572Arguments:
2573 require_ciphers allowed ciphers
2574 errstr pointer to error message
2575
2576Returns: OK on success
2577 DEFER for errors before the start of the negotiation
2578 FAIL for errors during the negotiation; the server can't
2579 continue running.
2580*/
2581
2582int
2583tls_server_start(const uschar * require_ciphers, uschar ** errstr)
2584{
2585int rc;
2586uschar * expciphers;
2587tls_ext_ctx_cb * cbinfo;
2588static uschar peerdn[256];
2589
2590/* Check for previous activation */
2591
2592if (tls_in.active.sock >= 0)
2593 {
2594 tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
2595 smtp_printf("554 Already in TLS\r\n", FALSE);
2596 return FAIL;
2597 }
2598
2599/* Initialize the SSL library. If it fails, it will already have logged
2600the error. */
2601
2602rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
2603#ifndef DISABLE_OCSP
2604 tls_ocsp_file,
2605#endif
2606 NULL, &server_static_cbinfo, &tls_in, errstr);
2607if (rc != OK) return rc;
2608cbinfo = server_static_cbinfo;
2609
2610if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers, errstr))
2611 return FAIL;
2612
2613/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
2614were historically separated by underscores. So that I can use either form in my
2615tests, and also for general convenience, we turn underscores into hyphens here.
2616
2617XXX SSL_CTX_set_cipher_list() is replaced by SSL_CTX_set_ciphersuites()
2618for TLS 1.3 . Since we do not call it at present we get the default list:
2619TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
2620*/
2621
2622if (expciphers)
2623 {
2624 for (uschar * s = expciphers; *s; s++ ) if (*s == '_') *s = '-';
2625 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
2626 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
2627 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL, errstr);
2628 cbinfo->server_cipher_list = expciphers;
2629 }
2630
2631/* If this is a host for which certificate verification is mandatory or
2632optional, set up appropriately. */
2633
2634tls_in.certificate_verified = FALSE;
2635#ifdef SUPPORT_DANE
2636tls_in.dane_verified = FALSE;
2637#endif
2638server_verify_callback_called = FALSE;
2639
2640if (verify_check_host(&tls_verify_hosts) == OK)
2641 {
2642 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
2643 FALSE, verify_callback_server, errstr);
2644 if (rc != OK) return rc;
2645 server_verify_optional = FALSE;
2646 }
2647else if (verify_check_host(&tls_try_verify_hosts) == OK)
2648 {
2649 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
2650 TRUE, verify_callback_server, errstr);
2651 if (rc != OK) return rc;
2652 server_verify_optional = TRUE;
2653 }
2654
2655#ifdef EXPERIMENTAL_TLS_RESUME
2656SSL_CTX_set_tlsext_ticket_key_cb(server_ctx, ticket_key_callback);
2657/* despite working, appears to always return failure, so ignoring */
2658#endif
2659#ifdef OPENSSL_HAVE_NUM_TICKETS
2660# ifdef EXPERIMENTAL_TLS_RESUME
2661SSL_CTX_set_num_tickets(server_ctx, tls_in.host_resumable ? 1 : 0);
2662# else
2663SSL_CTX_set_num_tickets(server_ctx, 0); /* send no TLS1.3 stateful-tickets */
2664# endif
2665#endif
2666
2667
2668/* Prepare for new connection */
2669
2670if (!(server_ssl = SSL_new(server_ctx)))
2671 return tls_error(US"SSL_new", NULL, NULL, errstr);
2672
2673/* Warning: we used to SSL_clear(ssl) here, it was removed.
2674 *
2675 * With the SSL_clear(), we get strange interoperability bugs with
2676 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
2677 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
2678 *
2679 * The SSL_clear() call is to let an existing SSL* be reused, typically after
2680 * session shutdown. In this case, we have a brand new object and there's no
2681 * obvious reason to immediately clear it. I'm guessing that this was
2682 * originally added because of incomplete initialisation which the clear fixed,
2683 * in some historic release.
2684 */
2685
2686/* Set context and tell client to go ahead, except in the case of TLS startup
2687on connection, where outputting anything now upsets the clients and tends to
2688make them disconnect. We need to have an explicit fflush() here, to force out
2689the response. Other smtp_printf() calls do not need it, because in non-TLS
2690mode, the fflush() happens when smtp_getc() is called. */
2691
2692SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
2693if (!tls_in.on_connect)
2694 {
2695 smtp_printf("220 TLS go ahead\r\n", FALSE);
2696 fflush(smtp_out);
2697 }
2698
2699/* Now negotiate the TLS session. We put our own timer on it, since it seems
2700that the OpenSSL library doesn't. */
2701
2702SSL_set_wfd(server_ssl, fileno(smtp_out));
2703SSL_set_rfd(server_ssl, fileno(smtp_in));
2704SSL_set_accept_state(server_ssl);
2705
2706DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
2707
2708sigalrm_seen = FALSE;
2709if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
2710rc = SSL_accept(server_ssl);
2711ALARM_CLR(0);
2712
2713if (rc <= 0)
2714 {
2715 int error = SSL_get_error(server_ssl, rc);
2716 switch(error)
2717 {
2718 case SSL_ERROR_NONE:
2719 break;
2720
2721 case SSL_ERROR_ZERO_RETURN:
2722 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2723 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
2724
2725 if (SSL_get_shutdown(server_ssl) == SSL_RECEIVED_SHUTDOWN)
2726 SSL_shutdown(server_ssl);
2727
2728 tls_close(NULL, TLS_NO_SHUTDOWN);
2729 return FAIL;
2730
2731 /* Handle genuine errors */
2732 case SSL_ERROR_SSL:
2733 {
2734 uschar * s = US"SSL_accept";
2735 unsigned long e = ERR_peek_error();
2736 if (ERR_GET_REASON(e) == SSL_R_WRONG_VERSION_NUMBER)
2737 s = string_sprintf("%s (%s)", s, SSL_get_version(server_ssl));
2738 (void) tls_error(s, NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
2739 return FAIL;
2740 }
2741
2742 default:
2743 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
2744 if (error == SSL_ERROR_SYSCALL)
2745 {
2746 if (!errno)
2747 {
2748 *errstr = US"SSL_accept: TCP connection closed by peer";
2749 return FAIL;
2750 }
2751 DEBUG(D_tls) debug_printf(" - syscall %s\n", strerror(errno));
2752 }
2753 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
2754 return FAIL;
2755 }
2756 }
2757
2758DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
2759ERR_clear_error(); /* Even success can leave errors in the stack. Seen with
2760 anon-authentication ciphersuite negotiated. */
2761
2762#ifdef EXPERIMENTAL_TLS_RESUME
2763if (SSL_session_reused(server_ssl))
2764 {
2765 tls_in.resumption |= RESUME_USED;
2766 DEBUG(D_tls) debug_printf("Session reused\n");
2767 }
2768#endif
2769
2770/* TLS has been set up. Adjust the input functions to read via TLS,
2771and initialize things. */
2772
2773peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
2774
2775tls_in.cipher = construct_cipher_name(server_ssl, &tls_in.bits);
2776tls_in.cipher_stdname = cipher_stdname_ssl(server_ssl);
2777
2778DEBUG(D_tls)
2779 {
2780 uschar buf[2048];
2781 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)))
2782 debug_printf("Shared ciphers: %s\n", buf);
2783
2784#ifdef EXIM_HAVE_OPENSSL_KEYLOG
2785 {
2786 BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
2787 SSL_SESSION_print_keylog(bp, SSL_get_session(server_ssl));
2788 BIO_free(bp);
2789 }
2790#endif
2791
2792#ifdef EXIM_HAVE_SESSION_TICKET
2793 {
2794 SSL_SESSION * ss = SSL_get_session(server_ssl);
2795 if (SSL_SESSION_has_ticket(ss)) /* 1.1.0 */
2796 debug_printf("The session has a ticket, life %lu seconds\n",
2797 SSL_SESSION_get_ticket_lifetime_hint(ss));
2798 }
2799#endif
2800 }
2801
2802/* Record the certificate we presented */
2803 {
2804 X509 * crt = SSL_get_certificate(server_ssl);
2805 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
2806 }
2807
2808/* Only used by the server-side tls (tls_in), including tls_getc.
2809 Client-side (tls_out) reads (seem to?) go via
2810 smtp_read_response()/ip_recv().
2811 Hence no need to duplicate for _in and _out.
2812 */
2813if (!ssl_xfer_buffer) ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
2814ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
2815ssl_xfer_eof = ssl_xfer_error = FALSE;
2816
2817receive_getc = tls_getc;
2818receive_getbuf = tls_getbuf;
2819receive_get_cache = tls_get_cache;
2820receive_ungetc = tls_ungetc;
2821receive_feof = tls_feof;
2822receive_ferror = tls_ferror;
2823receive_smtp_buffered = tls_smtp_buffered;
2824
2825tls_in.active.sock = fileno(smtp_out);
2826tls_in.active.tls_ctx = NULL; /* not using explicit ctx for server-side */
2827return OK;
2828}
2829
2830
2831
2832
2833static int
2834tls_client_basic_ctx_init(SSL_CTX * ctx,
2835 host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo,
2836 uschar ** errstr)
2837{
2838int rc;
2839/* stick to the old behaviour for compatibility if tls_verify_certificates is
2840 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
2841 the specified host patterns if one of them is defined */
2842
2843if ( ( !ob->tls_verify_hosts
2844 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2845 )
2846 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
2847 )
2848 client_verify_optional = FALSE;
2849else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
2850 client_verify_optional = TRUE;
2851else
2852 return OK;
2853
2854if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
2855 ob->tls_crl, host, client_verify_optional, verify_callback_client,
2856 errstr)) != OK)
2857 return rc;
2858
2859if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
2860 {
2861 cbinfo->verify_cert_hostnames =
2862#ifdef SUPPORT_I18N
2863 string_domain_utf8_to_alabel(host->name, NULL);
2864#else
2865 host->name;
2866#endif
2867 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
2868 cbinfo->verify_cert_hostnames);
2869 }
2870return OK;
2871}
2872
2873
2874#ifdef SUPPORT_DANE
2875static int
2876dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa, uschar ** errstr)
2877{
2878dns_scan dnss;
2879const char * hostnames[2] = { CS host->name, NULL };
2880int found = 0;
2881
2882if (DANESSL_init(ssl, NULL, hostnames) != 1)
2883 return tls_error(US"hostnames load", host, NULL, errstr);
2884
2885for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
2886 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
2887 ) if (rr->type == T_TLSA && rr->size > 3)
2888 {
2889 const uschar * p = rr->data;
2890 uint8_t usage, selector, mtype;
2891 const char * mdname;
2892
2893 usage = *p++;
2894
2895 /* Only DANE-TA(2) and DANE-EE(3) are supported */
2896 if (usage != 2 && usage != 3) continue;
2897
2898 selector = *p++;
2899 mtype = *p++;
2900
2901 switch (mtype)
2902 {
2903 default: continue; /* Only match-types 0, 1, 2 are supported */
2904 case 0: mdname = NULL; break;
2905 case 1: mdname = "sha256"; break;
2906 case 2: mdname = "sha512"; break;
2907 }
2908
2909 found++;
2910 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
2911 {
2912 default:
2913 return tls_error(US"tlsa load", host, NULL, errstr);
2914 case 0: /* action not taken */
2915 case 1: break;
2916 }
2917
2918 tls_out.tlsa_usage |= 1<<usage;
2919 }
2920
2921if (found)
2922 return OK;
2923
2924log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
2925return DEFER;
2926}
2927#endif /*SUPPORT_DANE*/
2928
2929
2930
2931#ifdef EXPERIMENTAL_TLS_RESUME
2932/* On the client, get any stashed session for the given IP from hints db
2933and apply it to the ssl-connection for attempted resumption. */
2934
2935static void
2936tls_retrieve_session(tls_support * tlsp, SSL * ssl, const uschar * key)
2937{
2938tlsp->resumption |= RESUME_SUPPORTED;
2939if (tlsp->host_resumable)
2940 {
2941 dbdata_tls_session * dt;
2942 int len;
2943 open_db dbblock, * dbm_file;
2944
2945 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
2946 DEBUG(D_tls) debug_printf("checking for resumable session for %s\n", key);
2947 if ((dbm_file = dbfn_open(US"tls", O_RDONLY, &dbblock, FALSE, FALSE)))
2948 {
2949 /* key for the db is the IP */
2950 if ((dt = dbfn_read_with_length(dbm_file, key, &len)))
2951 {
2952 SSL_SESSION * ss = NULL;
2953 const uschar * sess_asn1 = dt->session;
2954
2955 len -= sizeof(dbdata_tls_session);
2956 if (!(d2i_SSL_SESSION(&ss, &sess_asn1, (long)len)))
2957 {
2958 DEBUG(D_tls)
2959 {
2960 ERR_error_string_n(ERR_get_error(),
2961 ssl_errstring, sizeof(ssl_errstring));
2962 debug_printf("decoding session: %s\n", ssl_errstring);
2963 }
2964 }
2965#ifdef EXIM_HAVE_SESSION_TICKET
2966 else if ( SSL_SESSION_get_ticket_lifetime_hint(ss) + dt->time_stamp
2967 < time(NULL))
2968 {
2969 DEBUG(D_tls) debug_printf("session expired\n");
2970 dbfn_delete(dbm_file, key);
2971 }
2972#endif
2973 else if (!SSL_set_session(ssl, ss))
2974 {
2975 DEBUG(D_tls)
2976 {
2977 ERR_error_string_n(ERR_get_error(),
2978 ssl_errstring, sizeof(ssl_errstring));
2979 debug_printf("applying session to ssl: %s\n", ssl_errstring);
2980 }
2981 }
2982 else
2983 {
2984 DEBUG(D_tls) debug_printf("good session\n");
2985 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
2986 tlsp->verify_override = dt->verify_override;
2987 tlsp->ocsp = dt->ocsp;
2988 }
2989 }
2990 else
2991 DEBUG(D_tls) debug_printf("no session record\n");
2992 dbfn_close(dbm_file);
2993 }
2994 }
2995}
2996
2997
2998/* On the client, save the session for later resumption */
2999
3000static int
3001tls_save_session_cb(SSL * ssl, SSL_SESSION * ss)
3002{
3003tls_ext_ctx_cb * cbinfo = SSL_get_ex_data(ssl, tls_exdata_idx);
3004tls_support * tlsp;
3005
3006DEBUG(D_tls) debug_printf("tls_save_session_cb\n");
3007
3008if (!cbinfo || !(tlsp = cbinfo->tlsp)->host_resumable) return 0;
3009
3010# ifdef OPENSSL_HAVE_NUM_TICKETS
3011if (SSL_SESSION_is_resumable(ss)) /* 1.1.1 */
3012# endif
3013 {
3014 int len = i2d_SSL_SESSION(ss, NULL);
3015 int dlen = sizeof(dbdata_tls_session) + len;
3016 dbdata_tls_session * dt = store_get(dlen, TRUE);
3017 uschar * s = dt->session;
3018 open_db dbblock, * dbm_file;
3019
3020 DEBUG(D_tls) debug_printf("session is resumable\n");
3021 tlsp->resumption |= RESUME_SERVER_TICKET; /* server gave us a ticket */
3022
3023 dt->verify_override = tlsp->verify_override;
3024 dt->ocsp = tlsp->ocsp;
3025 (void) i2d_SSL_SESSION(ss, &s); /* s gets bumped to end */
3026
3027 if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
3028 {
3029 const uschar * key = cbinfo->host->address;
3030 dbfn_delete(dbm_file, key);
3031 dbfn_write(dbm_file, key, dt, dlen);
3032 dbfn_close(dbm_file);
3033 DEBUG(D_tls) debug_printf("wrote session (len %u) to db\n",
3034 (unsigned)dlen);
3035 }
3036 }
3037return 1;
3038}
3039
3040
3041static void
3042tls_client_ctx_resume_prehandshake(
3043 exim_openssl_client_tls_ctx * exim_client_ctx, tls_support * tlsp,
3044 smtp_transport_options_block * ob, host_item * host)
3045{
3046/* Should the client request a session resumption ticket? */
3047if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, host) == OK)
3048 {
3049 tlsp->host_resumable = TRUE;
3050
3051 SSL_CTX_set_session_cache_mode(exim_client_ctx->ctx,
3052 SSL_SESS_CACHE_CLIENT
3053 | SSL_SESS_CACHE_NO_INTERNAL | SSL_SESS_CACHE_NO_AUTO_CLEAR);
3054 SSL_CTX_sess_set_new_cb(exim_client_ctx->ctx, tls_save_session_cb);
3055 }
3056}
3057
3058static BOOL
3059tls_client_ssl_resume_prehandshake(SSL * ssl, tls_support * tlsp,
3060 host_item * host, uschar ** errstr)
3061{
3062if (tlsp->host_resumable)
3063 {
3064 DEBUG(D_tls)
3065 debug_printf("tls_resumption_hosts overrides openssl_options, enabling tickets\n");
3066 SSL_clear_options(ssl, SSL_OP_NO_TICKET);
3067
3068 tls_exdata_idx = SSL_get_ex_new_index(0, 0, 0, 0, 0);
3069 if (!SSL_set_ex_data(ssl, tls_exdata_idx, client_static_cbinfo))
3070 {
3071 tls_error(US"set ex_data", host, NULL, errstr);
3072 return FALSE;
3073 }
3074 debug_printf("tls_exdata_idx %d cbinfo %p\n", tls_exdata_idx, client_static_cbinfo);
3075 }
3076
3077tlsp->resumption = RESUME_SUPPORTED;
3078/* Pick up a previous session, saved on an old ticket */
3079tls_retrieve_session(tlsp, ssl, host->address);
3080return TRUE;
3081}
3082
3083static void
3084tls_client_resume_posthandshake(exim_openssl_client_tls_ctx * exim_client_ctx,
3085 tls_support * tlsp)
3086{
3087if (SSL_session_reused(exim_client_ctx->ssl))
3088 {
3089 DEBUG(D_tls) debug_printf("The session was reused\n");
3090 tlsp->resumption |= RESUME_USED;
3091 }
3092}
3093#endif /* EXPERIMENTAL_TLS_RESUME */
3094
3095
3096/*************************************************
3097* Start a TLS session in a client *
3098*************************************************/
3099
3100/* Called from the smtp transport after STARTTLS has been accepted.
3101
3102Arguments:
3103 cctx connection context
3104 conn_args connection details
3105 cookie datum for randomness; can be NULL
3106 tlsp record details of TLS channel configuration here; must be non-NULL
3107 errstr error string pointer
3108
3109Returns: TRUE for success with TLS session context set in connection context,
3110 FALSE on error
3111*/
3112
3113BOOL
3114tls_client_start(client_conn_ctx * cctx, smtp_connect_args * conn_args,
3115 void * cookie, tls_support * tlsp, uschar ** errstr)
3116{
3117host_item * host = conn_args->host; /* for msgs and option-tests */
3118transport_instance * tb = conn_args->tblock; /* always smtp or NULL */
3119smtp_transport_options_block * ob = tb
3120 ? (smtp_transport_options_block *)tb->options_block
3121 : &smtp_transport_option_defaults;
3122exim_openssl_client_tls_ctx * exim_client_ctx;
3123uschar * expciphers;
3124int rc;
3125static uschar peerdn[256];
3126
3127#ifndef DISABLE_OCSP
3128BOOL request_ocsp = FALSE;
3129BOOL require_ocsp = FALSE;
3130#endif
3131
3132rc = store_pool;
3133store_pool = POOL_PERM;
3134exim_client_ctx = store_get(sizeof(exim_openssl_client_tls_ctx), FALSE);
3135exim_client_ctx->corked = NULL;
3136store_pool = rc;
3137
3138#ifdef SUPPORT_DANE
3139tlsp->tlsa_usage = 0;
3140#endif
3141
3142#ifndef DISABLE_OCSP
3143 {
3144# ifdef SUPPORT_DANE
3145 if ( conn_args->dane
3146 && ob->hosts_request_ocsp[0] == '*'
3147 && ob->hosts_request_ocsp[1] == '\0'
3148 )
3149 {
3150 /* Unchanged from default. Use a safer one under DANE */
3151 request_ocsp = TRUE;
3152 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
3153 " {= {4}{$tls_out_tlsa_usage}} } "
3154 " {*}{}}";
3155 }
3156# endif
3157
3158 if ((require_ocsp =
3159 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK))
3160 request_ocsp = TRUE;
3161 else
3162# ifdef SUPPORT_DANE
3163 if (!request_ocsp)
3164# endif
3165 request_ocsp =
3166 verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
3167 }
3168#endif
3169
3170rc = tls_init(&exim_client_ctx->ctx, host, NULL,
3171 ob->tls_certificate, ob->tls_privatekey,
3172#ifndef DISABLE_OCSP
3173 (void *)(long)request_ocsp,
3174#endif
3175 cookie, &client_static_cbinfo, tlsp, errstr);
3176if (rc != OK) return FALSE;
3177
3178tlsp->certificate_verified = FALSE;
3179client_verify_callback_called = FALSE;
3180
3181expciphers = NULL;
3182#ifdef SUPPORT_DANE
3183if (conn_args->dane)
3184 {
3185 /* We fall back to tls_require_ciphers if unset, empty or forced failure, but
3186 other failures should be treated as problems. */
3187 if (ob->dane_require_tls_ciphers &&
3188 !expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
3189 &expciphers, errstr))
3190 return FALSE;
3191 if (expciphers && *expciphers == '\0')
3192 expciphers = NULL;
3193 }
3194#endif
3195if (!expciphers &&
3196 !expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
3197 &expciphers, errstr))
3198 return FALSE;
3199
3200/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
3201are separated by underscores. So that I can use either form in my tests, and
3202also for general convenience, we turn underscores into hyphens here. */
3203
3204if (expciphers)
3205 {
3206 uschar *s = expciphers;
3207 while (*s) { if (*s == '_') *s = '-'; s++; }
3208 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
3209 if (!SSL_CTX_set_cipher_list(exim_client_ctx->ctx, CS expciphers))
3210 {
3211 tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr);
3212 return FALSE;
3213 }
3214 }
3215
3216#ifdef SUPPORT_DANE
3217if (conn_args->dane)
3218 {
3219 SSL_CTX_set_verify(exim_client_ctx->ctx,
3220 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
3221 verify_callback_client_dane);
3222
3223 if (!DANESSL_library_init())
3224 {
3225 tls_error(US"library init", host, NULL, errstr);
3226 return FALSE;
3227 }
3228 if (DANESSL_CTX_init(exim_client_ctx->ctx) <= 0)
3229 {
3230 tls_error(US"context init", host, NULL, errstr);
3231 return FALSE;
3232 }
3233 }
3234else
3235
3236#endif
3237
3238 if (tls_client_basic_ctx_init(exim_client_ctx->ctx, host, ob,
3239 client_static_cbinfo, errstr) != OK)
3240 return FALSE;
3241
3242#ifdef EXPERIMENTAL_TLS_RESUME
3243tls_client_ctx_resume_prehandshake(exim_client_ctx, tlsp, ob, host);
3244#endif
3245
3246
3247if (!(exim_client_ctx->ssl = SSL_new(exim_client_ctx->ctx)))
3248 {
3249 tls_error(US"SSL_new", host, NULL, errstr);
3250 return FALSE;
3251 }
3252SSL_set_session_id_context(exim_client_ctx->ssl, sid_ctx, Ustrlen(sid_ctx));
3253
3254SSL_set_fd(exim_client_ctx->ssl, cctx->sock);
3255SSL_set_connect_state(exim_client_ctx->ssl);
3256
3257if (ob->tls_sni)
3258 {
3259 if (!expand_check(ob->tls_sni, US"tls_sni", &tlsp->sni, errstr))
3260 return FALSE;
3261 if (!tlsp->sni)
3262 {
3263 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
3264 }
3265 else if (!Ustrlen(tlsp->sni))
3266 tlsp->sni = NULL;
3267 else
3268 {
3269#ifdef EXIM_HAVE_OPENSSL_TLSEXT
3270 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tlsp->sni);
3271 SSL_set_tlsext_host_name(exim_client_ctx->ssl, tlsp->sni);
3272#else
3273 log_write(0, LOG_MAIN, "SNI unusable with this OpenSSL library version; ignoring \"%s\"\n",
3274 tlsp->sni);
3275#endif
3276 }
3277 }
3278
3279#ifdef SUPPORT_DANE
3280if (conn_args->dane)
3281 if (dane_tlsa_load(exim_client_ctx->ssl, host, &conn_args->tlsa_dnsa, errstr) != OK)
3282 return FALSE;
3283#endif
3284
3285#ifndef DISABLE_OCSP
3286/* Request certificate status at connection-time. If the server
3287does OCSP stapling we will get the callback (set in tls_init()) */
3288# ifdef SUPPORT_DANE
3289if (request_ocsp)
3290 {
3291 const uschar * s;
3292 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
3293 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
3294 )
3295 { /* Re-eval now $tls_out_tlsa_usage is populated. If
3296 this means we avoid the OCSP request, we wasted the setup
3297 cost in tls_init(). */
3298 require_ocsp = verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
3299 request_ocsp = require_ocsp
3300 || verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
3301 }
3302 }
3303# endif
3304
3305if (request_ocsp)
3306 {
3307 SSL_set_tlsext_status_type(exim_client_ctx->ssl, TLSEXT_STATUSTYPE_ocsp);
3308 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
3309 tlsp->ocsp = OCSP_NOT_RESP;
3310 }
3311#endif
3312
3313#ifdef EXPERIMENTAL_TLS_RESUME
3314if (!tls_client_ssl_resume_prehandshake(exim_client_ctx->ssl, tlsp, host,
3315 errstr))
3316 return FALSE;
3317#endif
3318
3319#ifndef DISABLE_EVENT
3320client_static_cbinfo->event_action = tb ? tb->event_action : NULL;
3321#endif
3322
3323/* There doesn't seem to be a built-in timeout on connection. */
3324
3325DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
3326sigalrm_seen = FALSE;
3327ALARM(ob->command_timeout);
3328rc = SSL_connect(exim_client_ctx->ssl);
3329ALARM_CLR(0);
3330
3331#ifdef SUPPORT_DANE
3332if (conn_args->dane)
3333 DANESSL_cleanup(exim_client_ctx->ssl);
3334#endif
3335
3336if (rc <= 0)
3337 {
3338 tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL, errstr);
3339 return FALSE;
3340 }
3341
3342DEBUG(D_tls)
3343 {
3344 debug_printf("SSL_connect succeeded\n");
3345#ifdef EXIM_HAVE_OPENSSL_KEYLOG
3346 {
3347 BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
3348 SSL_SESSION_print_keylog(bp, SSL_get_session(exim_client_ctx->ssl));
3349 BIO_free(bp);
3350 }
3351#endif
3352 }
3353
3354#ifdef EXPERIMENTAL_TLS_RESUME
3355tls_client_resume_posthandshake(exim_client_ctx, tlsp);
3356#endif
3357
3358peer_cert(exim_client_ctx->ssl, tlsp, peerdn, sizeof(peerdn));
3359
3360tlsp->cipher = construct_cipher_name(exim_client_ctx->ssl, &tlsp->bits);
3361tlsp->cipher_stdname = cipher_stdname_ssl(exim_client_ctx->ssl);
3362
3363/* Record the certificate we presented */
3364 {
3365 X509 * crt = SSL_get_certificate(exim_client_ctx->ssl);
3366 tlsp->ourcert = crt ? X509_dup(crt) : NULL;
3367 }
3368
3369tlsp->active.sock = cctx->sock;
3370tlsp->active.tls_ctx = exim_client_ctx;
3371cctx->tls_ctx = exim_client_ctx;
3372return TRUE;
3373}
3374
3375
3376
3377
3378
3379static BOOL
3380tls_refill(unsigned lim)
3381{
3382int error;
3383int inbytes;
3384
3385DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
3386 ssl_xfer_buffer, ssl_xfer_buffer_size);
3387
3388if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
3389inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer,
3390 MIN(ssl_xfer_buffer_size, lim));
3391error = SSL_get_error(server_ssl, inbytes);
3392if (smtp_receive_timeout > 0) ALARM_CLR(0);
3393
3394if (had_command_timeout) /* set by signal handler */
3395 smtp_command_timeout_exit(); /* does not return */
3396if (had_command_sigterm)
3397 smtp_command_sigterm_exit();
3398if (had_data_timeout)
3399 smtp_data_timeout_exit();
3400if (had_data_sigint)
3401 smtp_data_sigint_exit();
3402
3403/* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
3404closed down, not that the socket itself has been closed down. Revert to
3405non-SSL handling. */
3406
3407switch(error)
3408 {
3409 case SSL_ERROR_NONE:
3410 break;
3411
3412 case SSL_ERROR_ZERO_RETURN:
3413 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
3414
3415 if (SSL_get_shutdown(server_ssl) == SSL_RECEIVED_SHUTDOWN)
3416 SSL_shutdown(server_ssl);
3417
3418 tls_close(NULL, TLS_NO_SHUTDOWN);
3419 return FALSE;
3420
3421 /* Handle genuine errors */
3422 case SSL_ERROR_SSL:
3423 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3424 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
3425 ssl_xfer_error = TRUE;
3426 return FALSE;
3427
3428 default:
3429 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
3430 DEBUG(D_tls) if (error == SSL_ERROR_SYSCALL)
3431 debug_printf(" - syscall %s\n", strerror(errno));
3432 ssl_xfer_error = TRUE;
3433 return FALSE;
3434 }
3435
3436#ifndef DISABLE_DKIM
3437dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
3438#endif
3439ssl_xfer_buffer_hwm = inbytes;
3440ssl_xfer_buffer_lwm = 0;
3441return TRUE;
3442}
3443
3444
3445/*************************************************
3446* TLS version of getc *
3447*************************************************/
3448
3449/* This gets the next byte from the TLS input buffer. If the buffer is empty,
3450it refills the buffer via the SSL reading function.
3451
3452Arguments: lim Maximum amount to read/buffer
3453Returns: the next character or EOF
3454
3455Only used by the server-side TLS.
3456*/
3457
3458int
3459tls_getc(unsigned lim)
3460{
3461if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
3462 if (!tls_refill(lim))
3463 return ssl_xfer_error ? EOF : smtp_getc(lim);
3464
3465/* Something in the buffer; return next uschar */
3466
3467return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
3468}
3469
3470uschar *
3471tls_getbuf(unsigned * len)
3472{
3473unsigned size;
3474uschar * buf;
3475
3476if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
3477 if (!tls_refill(*len))
3478 {
3479 if (!ssl_xfer_error) return smtp_getbuf(len);
3480 *len = 0;
3481 return NULL;
3482 }
3483
3484if ((size = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm) > *len)
3485 size = *len;
3486buf = &ssl_xfer_buffer[ssl_xfer_buffer_lwm];
3487ssl_xfer_buffer_lwm += size;
3488*len = size;
3489return buf;
3490}
3491
3492
3493void
3494tls_get_cache()
3495{
3496#ifndef DISABLE_DKIM
3497int n = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm;
3498if (n > 0)
3499 dkim_exim_verify_feed(ssl_xfer_buffer+ssl_xfer_buffer_lwm, n);
3500#endif
3501}
3502
3503
3504BOOL
3505tls_could_read(void)
3506{
3507return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm || SSL_pending(server_ssl) > 0;
3508}
3509
3510
3511/*************************************************
3512* Read bytes from TLS channel *
3513*************************************************/
3514
3515/*
3516Arguments:
3517 ct_ctx client context pointer, or NULL for the one global server context
3518 buff buffer of data
3519 len size of buffer
3520
3521Returns: the number of bytes read
3522 -1 after a failed read, including EOF
3523
3524Only used by the client-side TLS.
3525*/
3526
3527int
3528tls_read(void * ct_ctx, uschar *buff, size_t len)
3529{
3530SSL * ssl = ct_ctx ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
3531int inbytes;
3532int error;
3533
3534DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
3535 buff, (unsigned int)len);
3536
3537inbytes = SSL_read(ssl, CS buff, len);
3538error = SSL_get_error(ssl, inbytes);
3539
3540if (error == SSL_ERROR_ZERO_RETURN)
3541 {
3542 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
3543 return -1;
3544 }
3545else if (error != SSL_ERROR_NONE)
3546 return -1;
3547
3548return inbytes;
3549}
3550
3551
3552
3553
3554
3555/*************************************************
3556* Write bytes down TLS channel *
3557*************************************************/
3558
3559/*
3560Arguments:
3561 ct_ctx client context pointer, or NULL for the one global server context
3562 buff buffer of data
3563 len number of bytes
3564 more further data expected soon
3565
3566Returns: the number of bytes after a successful write,
3567 -1 after a failed write
3568
3569Used by both server-side and client-side TLS.
3570*/
3571
3572int
3573tls_write(void * ct_ctx, const uschar *buff, size_t len, BOOL more)
3574{
3575size_t olen = len;
3576int outbytes, error;
3577SSL * ssl = ct_ctx
3578 ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
3579static gstring * server_corked = NULL;
3580gstring ** corkedp = ct_ctx
3581 ? &((exim_openssl_client_tls_ctx *)ct_ctx)->corked : &server_corked;
3582gstring * corked = *corkedp;
3583
3584DEBUG(D_tls) debug_printf("%s(%p, %lu%s)\n", __FUNCTION__,
3585 buff, (unsigned long)len, more ? ", more" : "");
3586
3587/* Lacking a CORK or MSG_MORE facility (such as GnuTLS has) we copy data when
3588"more" is notified. This hack is only ok if small amounts are involved AND only
3589one stream does it, in one context (i.e. no store reset). Currently it is used
3590for the responses to the received SMTP MAIL , RCPT, DATA sequence, only.
3591We support callouts done by the server process by using a separate client
3592context for the stashed information. */
3593/* + if PIPE_COMMAND, banner & ehlo-resp for smmtp-on-connect. Suspect there's
3594a store reset there, so use POOL_PERM. */
3595/* + if CHUNKING, cmds EHLO,MAIL,RCPT(s),BDAT */
3596
3597if ((more || corked))
3598 {
3599#ifdef SUPPORT_PIPE_CONNECT
3600 int save_pool = store_pool;
3601 store_pool = POOL_PERM;
3602#endif
3603
3604 corked = string_catn(corked, buff, len);
3605
3606#ifdef SUPPORT_PIPE_CONNECT
3607 store_pool = save_pool;
3608#endif
3609
3610 if (more)
3611 {
3612 *corkedp = corked;
3613 return len;
3614 }
3615 buff = CUS corked->s;
3616 len = corked->ptr;
3617 *corkedp = NULL;
3618 }
3619
3620for (int left = len; left > 0;)
3621 {
3622 DEBUG(D_tls) debug_printf("SSL_write(%p, %p, %d)\n", ssl, buff, left);
3623 outbytes = SSL_write(ssl, CS buff, left);
3624 error = SSL_get_error(ssl, outbytes);
3625 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
3626 switch (error)
3627 {
3628 case SSL_ERROR_SSL:
3629 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3630 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
3631 return -1;
3632
3633 case SSL_ERROR_NONE:
3634 left -= outbytes;
3635 buff += outbytes;
3636 break;
3637
3638 case SSL_ERROR_ZERO_RETURN:
3639 log_write(0, LOG_MAIN, "SSL channel closed on write");
3640 return -1;
3641
3642 case SSL_ERROR_SYSCALL:
3643 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
3644 sender_fullhost ? sender_fullhost : US"<unknown>",
3645 strerror(errno));
3646 return -1;
3647
3648 default:
3649 log_write(0, LOG_MAIN, "SSL_write error %d", error);
3650 return -1;
3651 }
3652 }
3653return olen;
3654}
3655
3656
3657
3658/*************************************************
3659* Close down a TLS session *
3660*************************************************/
3661
3662/* This is also called from within a delivery subprocess forked from the
3663daemon, to shut down the TLS library, without actually doing a shutdown (which
3664would tamper with the SSL session in the parent process).
3665
3666Arguments:
3667 ct_ctx client TLS context pointer, or NULL for the one global server context
3668 shutdown 1 if TLS close-alert is to be sent,
3669 2 if also response to be waited for
3670
3671Returns: nothing
3672
3673Used by both server-side and client-side TLS.
3674*/
3675
3676void
3677tls_close(void * ct_ctx, int shutdown)
3678{
3679exim_openssl_client_tls_ctx * o_ctx = ct_ctx;
3680SSL_CTX **ctxp = o_ctx ? &o_ctx->ctx : &server_ctx;
3681SSL **sslp = o_ctx ? &o_ctx->ssl : &server_ssl;
3682int *fdp = o_ctx ? &tls_out.active.sock : &tls_in.active.sock;
3683
3684if (*fdp < 0) return; /* TLS was not active */
3685
3686if (shutdown)
3687 {
3688 int rc;
3689 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
3690 shutdown > 1 ? " (with response-wait)" : "");
3691
3692 if ( (rc = SSL_shutdown(*sslp)) == 0 /* send "close notify" alert */
3693 && shutdown > 1)
3694 {
3695 ALARM(2);
3696 rc = SSL_shutdown(*sslp); /* wait for response */
3697 ALARM_CLR(0);
3698 }
3699
3700 if (rc < 0) DEBUG(D_tls)
3701 {
3702 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3703 debug_printf("SSL_shutdown: %s\n", ssl_errstring);
3704 }
3705 }
3706
3707if (!o_ctx) /* server side */
3708 {
3709#ifndef DISABLE_OCSP
3710 sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
3711 server_static_cbinfo->verify_stack = NULL;
3712#endif
3713
3714 receive_getc = smtp_getc;
3715 receive_getbuf = smtp_getbuf;
3716 receive_get_cache = smtp_get_cache;
3717 receive_ungetc = smtp_ungetc;
3718 receive_feof = smtp_feof;
3719 receive_ferror = smtp_ferror;
3720 receive_smtp_buffered = smtp_buffered;
3721 tls_in.active.tls_ctx = NULL;
3722 tls_in.sni = NULL;
3723 /* Leave bits, peercert, cipher, peerdn, certificate_verified set, for logging */
3724 }
3725
3726SSL_CTX_free(*ctxp);
3727SSL_free(*sslp);
3728*ctxp = NULL;
3729*sslp = NULL;
3730*fdp = -1;
3731}
3732
3733
3734
3735
3736/*************************************************
3737* Let tls_require_ciphers be checked at startup *
3738*************************************************/
3739
3740/* The tls_require_ciphers option, if set, must be something which the
3741library can parse.
3742
3743Returns: NULL on success, or error message
3744*/
3745
3746uschar *
3747tls_validate_require_cipher(void)
3748{
3749SSL_CTX *ctx;
3750uschar *s, *expciphers, *err;
3751
3752tls_openssl_init();
3753
3754if (!(tls_require_ciphers && *tls_require_ciphers))
3755 return NULL;
3756
3757if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
3758 &err))
3759 return US"failed to expand tls_require_ciphers";
3760
3761if (!(expciphers && *expciphers))
3762 return NULL;
3763
3764/* normalisation ripped from above */
3765s = expciphers;
3766while (*s != 0) { if (*s == '_') *s = '-'; s++; }
3767
3768err = NULL;
3769
3770#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
3771if (!(ctx = SSL_CTX_new(TLS_server_method())))
3772#else
3773if (!(ctx = SSL_CTX_new(SSLv23_server_method())))
3774#endif
3775 {
3776 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3777 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
3778 }
3779
3780DEBUG(D_tls)
3781 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
3782
3783if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
3784 {
3785 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3786 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed: %s",
3787 expciphers, ssl_errstring);
3788 }
3789
3790SSL_CTX_free(ctx);
3791
3792return err;
3793}
3794
3795
3796
3797
3798/*************************************************
3799* Report the library versions. *
3800*************************************************/
3801
3802/* There have historically been some issues with binary compatibility in
3803OpenSSL libraries; if Exim (like many other applications) is built against
3804one version of OpenSSL but the run-time linker picks up another version,
3805it can result in serious failures, including crashing with a SIGSEGV. So
3806report the version found by the compiler and the run-time version.
3807
3808Note: some OS vendors backport security fixes without changing the version
3809number/string, and the version date remains unchanged. The _build_ date
3810will change, so we can more usefully assist with version diagnosis by also
3811reporting the build date.
3812
3813Arguments: a FILE* to print the results to
3814Returns: nothing
3815*/
3816
3817void
3818tls_version_report(FILE *f)
3819{
3820fprintf(f, "Library version: OpenSSL: Compile: %s\n"
3821 " Runtime: %s\n"
3822 " : %s\n",
3823 OPENSSL_VERSION_TEXT,
3824 SSLeay_version(SSLEAY_VERSION),
3825 SSLeay_version(SSLEAY_BUILT_ON));
3826/* third line is 38 characters for the %s and the line is 73 chars long;
3827the OpenSSL output includes a "built on: " prefix already. */
3828}
3829
3830
3831
3832
3833/*************************************************
3834* Random number generation *
3835*************************************************/
3836
3837/* Pseudo-random number generation. The result is not expected to be
3838cryptographically strong but not so weak that someone will shoot themselves
3839in the foot using it as a nonce in input in some email header scheme or
3840whatever weirdness they'll twist this into. The result should handle fork()
3841and avoid repeating sequences. OpenSSL handles that for us.
3842
3843Arguments:
3844 max range maximum
3845Returns a random number in range [0, max-1]
3846*/
3847
3848int
3849vaguely_random_number(int max)
3850{
3851unsigned int r;
3852int i, needed_len;
3853static pid_t pidlast = 0;
3854pid_t pidnow;
3855uschar smallbuf[sizeof(r)];
3856
3857if (max <= 1)
3858 return 0;
3859
3860pidnow = getpid();
3861if (pidnow != pidlast)
3862 {
3863 /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
3864 is unique for each thread", this doesn't apparently apply across processes,
3865 so our own warning from vaguely_random_number_fallback() applies here too.
3866 Fix per PostgreSQL. */
3867 if (pidlast != 0)
3868 RAND_cleanup();
3869 pidlast = pidnow;
3870 }
3871
3872/* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
3873if (!RAND_status())
3874 {
3875 randstuff r;
3876 gettimeofday(&r.tv, NULL);
3877 r.p = getpid();
3878
3879 RAND_seed(US (&r), sizeof(r));
3880 }
3881/* We're after pseudo-random, not random; if we still don't have enough data
3882in the internal PRNG then our options are limited. We could sleep and hope
3883for entropy to come along (prayer technique) but if the system is so depleted
3884in the first place then something is likely to just keep taking it. Instead,
3885we'll just take whatever little bit of pseudo-random we can still manage to
3886get. */
3887
3888needed_len = sizeof(r);
3889/* Don't take 8 times more entropy than needed if int is 8 octets and we were
3890asked for a number less than 10. */
3891for (r = max, i = 0; r; ++i)
3892 r >>= 1;
3893i = (i + 7) / 8;
3894if (i < needed_len)
3895 needed_len = i;
3896
3897#ifdef EXIM_HAVE_RAND_PSEUDO
3898/* We do not care if crypto-strong */
3899i = RAND_pseudo_bytes(smallbuf, needed_len);
3900#else
3901i = RAND_bytes(smallbuf, needed_len);
3902#endif
3903
3904if (i < 0)
3905 {
3906 DEBUG(D_all)
3907 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
3908 return vaguely_random_number_fallback(max);
3909 }
3910
3911r = 0;
3912for (uschar * p = smallbuf; needed_len; --needed_len, ++p)
3913 r = 256 * r + *p;
3914
3915/* We don't particularly care about weighted results; if someone wants
3916smooth distribution and cares enough then they should submit a patch then. */
3917return r % max;
3918}
3919
3920
3921
3922
3923/*************************************************
3924* OpenSSL option parse *
3925*************************************************/
3926
3927/* Parse one option for tls_openssl_options_parse below
3928
3929Arguments:
3930 name one option name
3931 value place to store a value for it
3932Returns success or failure in parsing
3933*/
3934
3935
3936
3937static BOOL
3938tls_openssl_one_option_parse(uschar *name, long *value)
3939{
3940int first = 0;
3941int last = exim_openssl_options_size;
3942while (last > first)
3943 {
3944 int middle = (first + last)/2;
3945 int c = Ustrcmp(name, exim_openssl_options[middle].name);
3946 if (c == 0)
3947 {
3948 *value = exim_openssl_options[middle].value;
3949 return TRUE;
3950 }
3951 else if (c > 0)
3952 first = middle + 1;
3953 else
3954 last = middle;
3955 }
3956return FALSE;
3957}
3958
3959
3960
3961
3962/*************************************************
3963* OpenSSL option parsing logic *
3964*************************************************/
3965
3966/* OpenSSL has a number of compatibility options which an administrator might
3967reasonably wish to set. Interpret a list similarly to decode_bits(), so that
3968we look like log_selector.
3969
3970Arguments:
3971 option_spec the administrator-supplied string of options
3972 results ptr to long storage for the options bitmap
3973Returns success or failure
3974*/
3975
3976BOOL
3977tls_openssl_options_parse(uschar *option_spec, long *results)
3978{
3979long result, item;
3980uschar * exp, * end;
3981uschar keep_c;
3982BOOL adding, item_parsed;
3983
3984/* Server: send no (<= TLS1.2) session tickets */
3985result = SSL_OP_NO_TICKET;
3986
3987/* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
3988from default because it increases BEAST susceptibility. */
3989#ifdef SSL_OP_NO_SSLv2
3990result |= SSL_OP_NO_SSLv2;
3991#endif
3992#ifdef SSL_OP_NO_SSLv3
3993result |= SSL_OP_NO_SSLv3;
3994#endif
3995#ifdef SSL_OP_SINGLE_DH_USE
3996result |= SSL_OP_SINGLE_DH_USE;
3997#endif
3998#ifdef SSL_OP_NO_RENEGOTIATION
3999result |= SSL_OP_NO_RENEGOTIATION;
4000#endif
4001
4002if (!option_spec)
4003 {
4004 *results = result;
4005 return TRUE;
4006 }
4007
4008if (!expand_check(option_spec, US"openssl_options", &exp, &end))
4009 return FALSE;
4010
4011for (uschar * s = exp; *s; /**/)
4012 {
4013 while (isspace(*s)) ++s;
4014 if (*s == '\0')
4015 break;
4016 if (*s != '+' && *s != '-')
4017 {
4018 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
4019 "+ or - expected but found \"%s\"\n", s);
4020 return FALSE;
4021 }
4022 adding = *s++ == '+';
4023 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
4024 keep_c = *end;
4025 *end = '\0';
4026 item_parsed = tls_openssl_one_option_parse(s, &item);
4027 *end = keep_c;
4028 if (!item_parsed)
4029 {
4030 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
4031 return FALSE;
4032 }
4033 DEBUG(D_tls) debug_printf("openssl option, %s %08lx: %08lx (%s)\n",
4034 adding ? "adding to " : "removing from", result, item, s);
4035 if (adding)
4036 result |= item;
4037 else
4038 result &= ~item;
4039 s = end;
4040 }
4041
4042*results = result;
4043return TRUE;
4044}
4045
4046#endif /*!MACRO_PREDEF*/
4047/* vi: aw ai sw=2
4048*/
4049/* End of tls-openssl.c */
Unnamed repository; edit this file 'description' to name the repository.