projects / exim.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
">" -> ">=" for EXIM_CLIENT_DH_MIN_BITS+10
[exim.git] / src / src / tls-openssl.c
... / ...
CommitLineData
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
5/* Copyright (c) University of Cambridge 1995 - 2012 */
6/* See the file NOTICE for conditions of use and distribution. */
7
8/* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
9library. It is #included into the tls.c file when that library is used. The
10code herein is based on a patch that was originally contributed by Steve
11Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
12
13No cryptographic code is included in Exim. All this module does is to call
14functions from the OpenSSL library. */
15
16
17/* Heading stuff */
18
19#include <openssl/lhash.h>
20#include <openssl/ssl.h>
21#include <openssl/err.h>
22#include <openssl/rand.h>
23#ifdef EXPERIMENTAL_OCSP
24#include <openssl/ocsp.h>
25#endif
26
27#ifdef EXPERIMENTAL_OCSP
28#define EXIM_OCSP_SKEW_SECONDS (300L)
29#define EXIM_OCSP_MAX_AGE (-1L)
30#endif
31
32#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
33#define EXIM_HAVE_OPENSSL_TLSEXT
34#endif
35
36/* Structure for collecting random data for seeding. */
37
38typedef struct randstuff {
39 struct timeval tv;
40 pid_t p;
41} randstuff;
42
43/* Local static variables */
44
45static BOOL verify_callback_called = FALSE;
46static const uschar *sid_ctx = US"exim";
47
48static SSL_CTX *ctx = NULL;
49#ifdef EXIM_HAVE_OPENSSL_TLSEXT
50static SSL_CTX *ctx_sni = NULL;
51#endif
52static SSL *ssl = NULL;
53
54static char ssl_errstring[256];
55
56static int ssl_session_timeout = 200;
57static BOOL verify_optional = FALSE;
58
59static BOOL reexpand_tls_files_for_sni = FALSE;
60
61
62typedef struct tls_ext_ctx_cb {
63 uschar *certificate;
64 uschar *privatekey;
65#ifdef EXPERIMENTAL_OCSP
66 uschar *ocsp_file;
67 uschar *ocsp_file_expanded;
68 OCSP_RESPONSE *ocsp_response;
69#endif
70 uschar *dhparam;
71 /* these are cached from first expand */
72 uschar *server_cipher_list;
73 /* only passed down to tls_error: */
74 host_item *host;
75} tls_ext_ctx_cb;
76
77/* should figure out a cleanup of API to handle state preserved per
78implementation, for various reasons, which can be void * in the APIs.
79For now, we hack around it. */
80tls_ext_ctx_cb *static_cbinfo = NULL;
81
82static int
83setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional);
84
85/* Callbacks */
86#ifdef EXIM_HAVE_OPENSSL_TLSEXT
87static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
88#endif
89#ifdef EXPERIMENTAL_OCSP
90static int tls_stapling_cb(SSL *s, void *arg);
91#endif
92
93
94/*************************************************
95* Handle TLS error *
96*************************************************/
97
98/* Called from lots of places when errors occur before actually starting to do
99the TLS handshake, that is, while the session is still in clear. Always returns
100DEFER for a server and FAIL for a client so that most calls can use "return
101tls_error(...)" to do this processing and then give an appropriate return. A
102single function is used for both server and client, because it is called from
103some shared functions.
104
105Argument:
106 prefix text to include in the logged error
107 host NULL if setting up a server;
108 the connected host if setting up a client
109 msg error message or NULL if we should ask OpenSSL
110
111Returns: OK/DEFER/FAIL
112*/
113
114static int
115tls_error(uschar *prefix, host_item *host, uschar *msg)
116{
117if (msg == NULL)
118 {
119 ERR_error_string(ERR_get_error(), ssl_errstring);
120 msg = (uschar *)ssl_errstring;
121 }
122
123if (host == NULL)
124 {
125 uschar *conn_info = smtp_get_connection_info();
126 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0)
127 conn_info += 5;
128 log_write(0, LOG_MAIN, "TLS error on %s (%s): %s",
129 conn_info, prefix, msg);
130 return DEFER;
131 }
132else
133 {
134 log_write(0, LOG_MAIN, "TLS error on connection to %s [%s] (%s): %s",
135 host->name, host->address, prefix, msg);
136 return FAIL;
137 }
138}
139
140
141
142/*************************************************
143* Callback to generate RSA key *
144*************************************************/
145
146/*
147Arguments:
148 s SSL connection
149 export not used
150 keylength keylength
151
152Returns: pointer to generated key
153*/
154
155static RSA *
156rsa_callback(SSL *s, int export, int keylength)
157{
158RSA *rsa_key;
159export = export; /* Shut picky compilers up */
160DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
161rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL);
162if (rsa_key == NULL)
163 {
164 ERR_error_string(ERR_get_error(), ssl_errstring);
165 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
166 ssl_errstring);
167 return NULL;
168 }
169return rsa_key;
170}
171
172
173
174
175/*************************************************
176* Callback for verification *
177*************************************************/
178
179/* The SSL library does certificate verification if set up to do so. This
180callback has the current yes/no state is in "state". If verification succeeded,
181we set up the tls_peerdn string. If verification failed, what happens depends
182on whether the client is required to present a verifiable certificate or not.
183
184If verification is optional, we change the state to yes, but still log the
185verification error. For some reason (it really would help to have proper
186documentation of OpenSSL), this callback function then gets called again, this
187time with state = 1. In fact, that's useful, because we can set up the peerdn
188value, but we must take care not to set the private verified flag on the second
189time through.
190
191Note: this function is not called if the client fails to present a certificate
192when asked. We get here only if a certificate has been received. Handling of
193optional verification for this case is done when requesting SSL to verify, by
194setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
195
196Arguments:
197 state current yes/no state as 1/0
198 x509ctx certificate information.
199
200Returns: 1 if verified, 0 if not
201*/
202
203static int
204verify_callback(int state, X509_STORE_CTX *x509ctx)
205{
206static uschar txt[256];
207
208X509_NAME_oneline(X509_get_subject_name(x509ctx->current_cert),
209 CS txt, sizeof(txt));
210
211if (state == 0)
212 {
213 log_write(0, LOG_MAIN, "SSL verify error: depth=%d error=%s cert=%s",
214 x509ctx->error_depth,
215 X509_verify_cert_error_string(x509ctx->error),
216 txt);
217 tls_certificate_verified = FALSE;
218 verify_callback_called = TRUE;
219 if (!verify_optional) return 0; /* reject */
220 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
221 "tls_try_verify_hosts)\n");
222 return 1; /* accept */
223 }
224
225if (x509ctx->error_depth != 0)
226 {
227 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d cert=%s\n",
228 x509ctx->error_depth, txt);
229 }
230else
231 {
232 DEBUG(D_tls) debug_printf("SSL%s peer: %s\n",
233 verify_callback_called? "" : " authenticated", txt);
234 tls_peerdn = txt;
235 }
236
237if (!verify_callback_called) tls_certificate_verified = TRUE;
238verify_callback_called = TRUE;
239
240return 1; /* accept */
241}
242
243
244
245/*************************************************
246* Information callback *
247*************************************************/
248
249/* The SSL library functions call this from time to time to indicate what they
250are doing. We copy the string to the debugging output when TLS debugging has
251been requested.
252
253Arguments:
254 s the SSL connection
255 where
256 ret
257
258Returns: nothing
259*/
260
261static void
262info_callback(SSL *s, int where, int ret)
263{
264where = where;
265ret = ret;
266DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
267}
268
269
270
271/*************************************************
272* Initialize for DH *
273*************************************************/
274
275/* If dhparam is set, expand it, and load up the parameters for DH encryption.
276
277Arguments:
278 dhparam DH parameter file
279 host connected host, if client; NULL if server
280
281Returns: TRUE if OK (nothing to set up, or setup worked)
282*/
283
284static BOOL
285init_dh(uschar *dhparam, host_item *host)
286{
287BOOL yield = TRUE;
288BIO *bio;
289DH *dh;
290uschar *dhexpanded;
291
292if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded))
293 return FALSE;
294
295if (dhexpanded == NULL) return TRUE;
296
297if ((bio = BIO_new_file(CS dhexpanded, "r")) == NULL)
298 {
299 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
300 host, (uschar *)strerror(errno));
301 yield = FALSE;
302 }
303else
304 {
305 if ((dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)) == NULL)
306 {
307 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
308 host, NULL);
309 yield = FALSE;
310 }
311 else
312 {
313 if ((8*DH_size(dh)) > tls_dh_max_bits)
314 {
315 DEBUG(D_tls)
316 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d",
317 8*DH_size(dh), tls_dh_max_bits);
318 }
319 else
320 {
321 SSL_CTX_set_tmp_dh(ctx, dh);
322 DEBUG(D_tls)
323 debug_printf("Diffie-Hellman initialized from %s with %d-bit key\n",
324 dhexpanded, 8*DH_size(dh));
325 }
326 DH_free(dh);
327 }
328 BIO_free(bio);
329 }
330
331return yield;
332}
333
334
335
336
337#ifdef EXPERIMENTAL_OCSP
338/*************************************************
339* Load OCSP information into state *
340*************************************************/
341
342/* Called to load the OCSP response from the given file into memory, once
343caller has determined this is needed. Checks validity. Debugs a message
344if invalid.
345
346ASSUMES: single response, for single cert.
347
348Arguments:
349 sctx the SSL_CTX* to update
350 cbinfo various parts of session state
351 expanded the filename putatively holding an OCSP response
352
353*/
354
355static void
356ocsp_load_response(SSL_CTX *sctx,
357 tls_ext_ctx_cb *cbinfo,
358 const uschar *expanded)
359{
360BIO *bio;
361OCSP_RESPONSE *resp;
362OCSP_BASICRESP *basic_response;
363OCSP_SINGLERESP *single_response;
364ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
365X509_STORE *store;
366unsigned long verify_flags;
367int status, reason, i;
368
369cbinfo->ocsp_file_expanded = string_copy(expanded);
370if (cbinfo->ocsp_response)
371 {
372 OCSP_RESPONSE_free(cbinfo->ocsp_response);
373 cbinfo->ocsp_response = NULL;
374 }
375
376bio = BIO_new_file(CS cbinfo->ocsp_file_expanded, "rb");
377if (!bio)
378 {
379 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
380 cbinfo->ocsp_file_expanded);
381 return;
382 }
383
384resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
385BIO_free(bio);
386if (!resp)
387 {
388 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
389 return;
390 }
391
392status = OCSP_response_status(resp);
393if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL)
394 {
395 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
396 OCSP_response_status_str(status), status);
397 return;
398 }
399
400basic_response = OCSP_response_get1_basic(resp);
401if (!basic_response)
402 {
403 DEBUG(D_tls)
404 debug_printf("OCSP response parse error: unable to extract basic response.\n");
405 return;
406 }
407
408store = SSL_CTX_get_cert_store(sctx);
409verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
410
411/* May need to expose ability to adjust those flags?
412OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
413OCSP_TRUSTOTHER OCSP_NOINTERN */
414
415i = OCSP_basic_verify(basic_response, NULL, store, verify_flags);
416if (i <= 0)
417 {
418 DEBUG(D_tls) {
419 ERR_error_string(ERR_get_error(), ssl_errstring);
420 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
421 }
422 return;
423 }
424
425/* Here's the simplifying assumption: there's only one response, for the
426one certificate we use, and nothing for anything else in a chain. If this
427proves false, we need to extract a cert id from our issued cert
428(tls_certificate) and use that for OCSP_resp_find_status() (which finds the
429right cert in the stack and then calls OCSP_single_get0_status()).
430
431I'm hoping to avoid reworking a bunch more of how we handle state here. */
432single_response = OCSP_resp_get0(basic_response, 0);
433if (!single_response)
434 {
435 DEBUG(D_tls)
436 debug_printf("Unable to get first response from OCSP basic response.\n");
437 return;
438 }
439
440status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
441/* how does this status differ from the one above? */
442if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL)
443 {
444 DEBUG(D_tls) debug_printf("OCSP response not valid (take 2): %s (%d)\n",
445 OCSP_response_status_str(status), status);
446 return;
447 }
448
449if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
450 {
451 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
452 return;
453 }
454
455cbinfo->ocsp_response = resp;
456}
457#endif
458
459
460
461
462/*************************************************
463* Expand key and cert file specs *
464*************************************************/
465
466/* Called once during tls_init and possibly againt during TLS setup, for a
467new context, if Server Name Indication was used and tls_sni was seen in
468the certificate string.
469
470Arguments:
471 sctx the SSL_CTX* to update
472 cbinfo various parts of session state
473
474Returns: OK/DEFER/FAIL
475*/
476
477static int
478tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo)
479{
480uschar *expanded;
481
482if (cbinfo->certificate == NULL)
483 return OK;
484
485if (Ustrstr(cbinfo->certificate, US"tls_sni"))
486 reexpand_tls_files_for_sni = TRUE;
487
488if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded))
489 return DEFER;
490
491if (expanded != NULL)
492 {
493 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded);
494 if (!SSL_CTX_use_certificate_chain_file(sctx, CS expanded))
495 return tls_error(string_sprintf(
496 "SSL_CTX_use_certificate_chain_file file=%s", expanded),
497 cbinfo->host, NULL);
498 }
499
500if (cbinfo->privatekey != NULL &&
501 !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded))
502 return DEFER;
503
504/* If expansion was forced to fail, key_expanded will be NULL. If the result
505of the expansion is an empty string, ignore it also, and assume the private
506key is in the same file as the certificate. */
507
508if (expanded != NULL && *expanded != 0)
509 {
510 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
511 if (!SSL_CTX_use_PrivateKey_file(sctx, CS expanded, SSL_FILETYPE_PEM))
512 return tls_error(string_sprintf(
513 "SSL_CTX_use_PrivateKey_file file=%s", expanded), cbinfo->host, NULL);
514 }
515
516#ifdef EXPERIMENTAL_OCSP
517if (cbinfo->ocsp_file != NULL)
518 {
519 if (!expand_check(cbinfo->ocsp_file, US"tls_ocsp_file", &expanded))
520 return DEFER;
521
522 if (expanded != NULL && *expanded != 0)
523 {
524 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
525 if (cbinfo->ocsp_file_expanded &&
526 (Ustrcmp(expanded, cbinfo->ocsp_file_expanded) == 0))
527 {
528 DEBUG(D_tls)
529 debug_printf("tls_ocsp_file value unchanged, using existing values.\n");
530 } else {
531 ocsp_load_response(sctx, cbinfo, expanded);
532 }
533 }
534 }
535#endif
536
537return OK;
538}
539
540
541
542
543/*************************************************
544* Callback to handle SNI *
545*************************************************/
546
547/* Called when acting as server during the TLS session setup if a Server Name
548Indication extension was sent by the client.
549
550API documentation is OpenSSL s_server.c implementation.
551
552Arguments:
553 s SSL* of the current session
554 ad unknown (part of OpenSSL API) (unused)
555 arg Callback of "our" registered data
556
557Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
558*/
559
560#ifdef EXIM_HAVE_OPENSSL_TLSEXT
561static int
562tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
563{
564const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
565tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
566int rc;
567int old_pool = store_pool;
568
569if (!servername)
570 return SSL_TLSEXT_ERR_OK;
571
572DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
573 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
574
575/* Make the extension value available for expansion */
576store_pool = POOL_PERM;
577tls_sni = string_copy(US servername);
578store_pool = old_pool;
579
580if (!reexpand_tls_files_for_sni)
581 return SSL_TLSEXT_ERR_OK;
582
583/* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
584not confident that memcpy wouldn't break some internal reference counting.
585Especially since there's a references struct member, which would be off. */
586
587ctx_sni = SSL_CTX_new(SSLv23_server_method());
588if (!ctx_sni)
589 {
590 ERR_error_string(ERR_get_error(), ssl_errstring);
591 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
592 return SSL_TLSEXT_ERR_NOACK;
593 }
594
595/* Not sure how many of these are actually needed, since SSL object
596already exists. Might even need this selfsame callback, for reneg? */
597
598SSL_CTX_set_info_callback(ctx_sni, SSL_CTX_get_info_callback(ctx));
599SSL_CTX_set_mode(ctx_sni, SSL_CTX_get_mode(ctx));
600SSL_CTX_set_options(ctx_sni, SSL_CTX_get_options(ctx));
601SSL_CTX_set_timeout(ctx_sni, SSL_CTX_get_timeout(ctx));
602SSL_CTX_set_tlsext_servername_callback(ctx_sni, tls_servername_cb);
603SSL_CTX_set_tlsext_servername_arg(ctx_sni, cbinfo);
604if (cbinfo->server_cipher_list)
605 SSL_CTX_set_cipher_list(ctx_sni, CS cbinfo->server_cipher_list);
606#ifdef EXPERIMENTAL_OCSP
607if (cbinfo->ocsp_file)
608 {
609 SSL_CTX_set_tlsext_status_cb(ctx_sni, tls_stapling_cb);
610 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
611 }
612#endif
613
614rc = setup_certs(ctx_sni, tls_verify_certificates, tls_crl, NULL, FALSE);
615if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
616
617/* do this after setup_certs, because this can require the certs for verifying
618OCSP information. */
619rc = tls_expand_session_files(ctx_sni, cbinfo);
620if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
621
622DEBUG(D_tls) debug_printf("Switching SSL context.\n");
623SSL_set_SSL_CTX(s, ctx_sni);
624
625return SSL_TLSEXT_ERR_OK;
626}
627#endif /* EXIM_HAVE_OPENSSL_TLSEXT */
628
629
630
631
632#ifdef EXPERIMENTAL_OCSP
633/*************************************************
634* Callback to handle OCSP Stapling *
635*************************************************/
636
637/* Called when acting as server during the TLS session setup if the client
638requests OCSP information with a Certificate Status Request.
639
640Documentation via openssl s_server.c and the Apache patch from the OpenSSL
641project.
642
643*/
644
645static int
646tls_stapling_cb(SSL *s, void *arg)
647{
648const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
649uschar *response_der;
650int response_der_len;
651
652DEBUG(D_tls) debug_printf("Received TLS status request (OCSP stapling); %s response.\n",
653 cbinfo->ocsp_response ? "have" : "lack");
654if (!cbinfo->ocsp_response)
655 return SSL_TLSEXT_ERR_NOACK;
656
657response_der = NULL;
658response_der_len = i2d_OCSP_RESPONSE(cbinfo->ocsp_response, &response_der);
659if (response_der_len <= 0)
660 return SSL_TLSEXT_ERR_NOACK;
661
662SSL_set_tlsext_status_ocsp_resp(ssl, response_der, response_der_len);
663return SSL_TLSEXT_ERR_OK;
664}
665
666#endif /* EXPERIMENTAL_OCSP */
667
668
669
670
671/*************************************************
672* Initialize for TLS *
673*************************************************/
674
675/* Called from both server and client code, to do preliminary initialization of
676the library.
677
678Arguments:
679 host connected host, if client; NULL if server
680 dhparam DH parameter file
681 certificate certificate file
682 privatekey private key
683 addr address if client; NULL if server (for some randomness)
684
685Returns: OK/DEFER/FAIL
686*/
687
688static int
689tls_init(host_item *host, uschar *dhparam, uschar *certificate,
690 uschar *privatekey,
691#ifdef EXPERIMENTAL_OCSP
692 uschar *ocsp_file,
693#endif
694 address_item *addr)
695{
696long init_options;
697int rc;
698BOOL okay;
699tls_ext_ctx_cb *cbinfo;
700
701cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
702cbinfo->certificate = certificate;
703cbinfo->privatekey = privatekey;
704#ifdef EXPERIMENTAL_OCSP
705cbinfo->ocsp_file = ocsp_file;
706#endif
707cbinfo->dhparam = dhparam;
708cbinfo->host = host;
709
710SSL_load_error_strings(); /* basic set up */
711OpenSSL_add_ssl_algorithms();
712
713#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
714/* SHA256 is becoming ever more popular. This makes sure it gets added to the
715list of available digests. */
716EVP_add_digest(EVP_sha256());
717#endif
718
719/* Create a context */
720
721ctx = SSL_CTX_new((host == NULL)?
722 SSLv23_server_method() : SSLv23_client_method());
723
724if (ctx == NULL) return tls_error(US"SSL_CTX_new", host, NULL);
725
726/* It turns out that we need to seed the random number generator this early in
727order to get the full complement of ciphers to work. It took me roughly a day
728of work to discover this by experiment.
729
730On systems that have /dev/urandom, SSL may automatically seed itself from
731there. Otherwise, we have to make something up as best we can. Double check
732afterwards. */
733
734if (!RAND_status())
735 {
736 randstuff r;
737 gettimeofday(&r.tv, NULL);
738 r.p = getpid();
739
740 RAND_seed((uschar *)(&r), sizeof(r));
741 RAND_seed((uschar *)big_buffer, big_buffer_size);
742 if (addr != NULL) RAND_seed((uschar *)addr, sizeof(addr));
743
744 if (!RAND_status())
745 return tls_error(US"RAND_status", host,
746 US"unable to seed random number generator");
747 }
748
749/* Set up the information callback, which outputs if debugging is at a suitable
750level. */
751
752SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
753
754/* Automatically re-try reads/writes after renegotiation. */
755(void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
756
757/* Apply administrator-supplied work-arounds.
758Historically we applied just one requested option,
759SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
760moved to an administrator-controlled list of options to specify and
761grandfathered in the first one as the default value for "openssl_options".
762
763No OpenSSL version number checks: the options we accept depend upon the
764availability of the option value macros from OpenSSL. */
765
766okay = tls_openssl_options_parse(openssl_options, &init_options);
767if (!okay)
768 return tls_error(US"openssl_options parsing failed", host, NULL);
769
770if (init_options)
771 {
772 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
773 if (!(SSL_CTX_set_options(ctx, init_options)))
774 return tls_error(string_sprintf(
775 "SSL_CTX_set_option(%#lx)", init_options), host, NULL);
776 }
777else
778 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
779
780/* Initialize with DH parameters if supplied */
781
782if (!init_dh(dhparam, host)) return DEFER;
783
784/* Set up certificate and key (and perhaps OCSP info) */
785
786rc = tls_expand_session_files(ctx, cbinfo);
787if (rc != OK) return rc;
788
789/* If we need to handle SNI, do so */
790#ifdef EXIM_HAVE_OPENSSL_TLSEXT
791if (host == NULL)
792 {
793#ifdef EXPERIMENTAL_OCSP
794 /* We check ocsp_file, not ocsp_response, because we care about if
795 the option exists, not what the current expansion might be, as SNI might
796 change the certificate and OCSP file in use between now and the time the
797 callback is invoked. */
798 if (cbinfo->ocsp_file)
799 {
800 SSL_CTX_set_tlsext_status_cb(ctx, tls_stapling_cb);
801 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
802 }
803#endif
804 /* We always do this, so that $tls_sni is available even if not used in
805 tls_certificate */
806 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
807 SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
808 }
809#endif
810
811/* Set up the RSA callback */
812
813SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
814
815/* Finally, set the timeout, and we are done */
816
817SSL_CTX_set_timeout(ctx, ssl_session_timeout);
818DEBUG(D_tls) debug_printf("Initialized TLS\n");
819
820static_cbinfo = cbinfo;
821
822return OK;
823}
824
825
826
827
828/*************************************************
829* Get name of cipher in use *
830*************************************************/
831
832/* The answer is left in a static buffer, and tls_cipher is set to point
833to it.
834
835Argument: pointer to an SSL structure for the connection
836Returns: nothing
837*/
838
839static void
840construct_cipher_name(SSL *ssl)
841{
842static uschar cipherbuf[256];
843/* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't
844yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
845the accessor functions use const in the prototype. */
846const SSL_CIPHER *c;
847uschar *ver;
848
849switch (ssl->session->ssl_version)
850 {
851 case SSL2_VERSION:
852 ver = US"SSLv2";
853 break;
854
855 case SSL3_VERSION:
856 ver = US"SSLv3";
857 break;
858
859 case TLS1_VERSION:
860 ver = US"TLSv1";
861 break;
862
863#ifdef TLS1_1_VERSION
864 case TLS1_1_VERSION:
865 ver = US"TLSv1.1";
866 break;
867#endif
868
869#ifdef TLS1_2_VERSION
870 case TLS1_2_VERSION:
871 ver = US"TLSv1.2";
872 break;
873#endif
874
875 default:
876 ver = US"UNKNOWN";
877 }
878
879c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
880SSL_CIPHER_get_bits(c, &tls_bits);
881
882string_format(cipherbuf, sizeof(cipherbuf), "%s:%s:%u", ver,
883 SSL_CIPHER_get_name(c), tls_bits);
884tls_cipher = cipherbuf;
885
886DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
887}
888
889
890
891
892
893/*************************************************
894* Set up for verifying certificates *
895*************************************************/
896
897/* Called by both client and server startup
898
899Arguments:
900 sctx SSL_CTX* to initialise
901 certs certs file or NULL
902 crl CRL file or NULL
903 host NULL in a server; the remote host in a client
904 optional TRUE if called from a server for a host in tls_try_verify_hosts;
905 otherwise passed as FALSE
906
907Returns: OK/DEFER/FAIL
908*/
909
910static int
911setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional)
912{
913uschar *expcerts, *expcrl;
914
915if (!expand_check(certs, US"tls_verify_certificates", &expcerts))
916 return DEFER;
917
918if (expcerts != NULL)
919 {
920 struct stat statbuf;
921 if (!SSL_CTX_set_default_verify_paths(sctx))
922 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
923
924 if (Ustat(expcerts, &statbuf) < 0)
925 {
926 log_write(0, LOG_MAIN|LOG_PANIC,
927 "failed to stat %s for certificates", expcerts);
928 return DEFER;
929 }
930 else
931 {
932 uschar *file, *dir;
933 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
934 { file = NULL; dir = expcerts; }
935 else
936 { file = expcerts; dir = NULL; }
937
938 /* If a certificate file is empty, the next function fails with an
939 unhelpful error message. If we skip it, we get the correct behaviour (no
940 certificates are recognized, but the error message is still misleading (it
941 says no certificate was supplied.) But this is better. */
942
943 if ((file == NULL || statbuf.st_size > 0) &&
944 !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
945 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL);
946
947 if (file != NULL)
948 {
949 SSL_CTX_set_client_CA_list(sctx, SSL_load_client_CA_file(CS file));
950 }
951 }
952
953 /* Handle a certificate revocation list. */
954
955 #if OPENSSL_VERSION_NUMBER > 0x00907000L
956
957 /* This bit of code is now the version supplied by Lars Mainka. (I have
958 * merely reformatted it into the Exim code style.)
959
960 * "From here I changed the code to add support for multiple crl's
961 * in pem format in one file or to support hashed directory entries in
962 * pem format instead of a file. This method now uses the library function
963 * X509_STORE_load_locations to add the CRL location to the SSL context.
964 * OpenSSL will then handle the verify against CA certs and CRLs by
965 * itself in the verify callback." */
966
967 if (!expand_check(crl, US"tls_crl", &expcrl)) return DEFER;
968 if (expcrl != NULL && *expcrl != 0)
969 {
970 struct stat statbufcrl;
971 if (Ustat(expcrl, &statbufcrl) < 0)
972 {
973 log_write(0, LOG_MAIN|LOG_PANIC,
974 "failed to stat %s for certificates revocation lists", expcrl);
975 return DEFER;
976 }
977 else
978 {
979 /* is it a file or directory? */
980 uschar *file, *dir;
981 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
982 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
983 {
984 file = NULL;
985 dir = expcrl;
986 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
987 }
988 else
989 {
990 file = expcrl;
991 dir = NULL;
992 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
993 }
994 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
995 return tls_error(US"X509_STORE_load_locations", host, NULL);
996
997 /* setting the flags to check against the complete crl chain */
998
999 X509_STORE_set_flags(cvstore,
1000 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
1001 }
1002 }
1003
1004 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
1005
1006 /* If verification is optional, don't fail if no certificate */
1007
1008 SSL_CTX_set_verify(sctx,
1009 SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
1010 verify_callback);
1011 }
1012
1013return OK;
1014}
1015
1016
1017
1018/*************************************************
1019* Start a TLS session in a server *
1020*************************************************/
1021
1022/* This is called when Exim is running as a server, after having received
1023the STARTTLS command. It must respond to that command, and then negotiate
1024a TLS session.
1025
1026Arguments:
1027 require_ciphers allowed ciphers
1028
1029Returns: OK on success
1030 DEFER for errors before the start of the negotiation
1031 FAIL for errors during the negotation; the server can't
1032 continue running.
1033*/
1034
1035int
1036tls_server_start(const uschar *require_ciphers)
1037{
1038int rc;
1039uschar *expciphers;
1040tls_ext_ctx_cb *cbinfo;
1041
1042/* Check for previous activation */
1043
1044if (tls_active >= 0)
1045 {
1046 tls_error(US"STARTTLS received after TLS started", NULL, US"");
1047 smtp_printf("554 Already in TLS\r\n");
1048 return FAIL;
1049 }
1050
1051/* Initialize the SSL library. If it fails, it will already have logged
1052the error. */
1053
1054rc = tls_init(NULL, tls_dhparam, tls_certificate, tls_privatekey,
1055#ifdef EXPERIMENTAL_OCSP
1056 tls_ocsp_file,
1057#endif
1058 NULL);
1059if (rc != OK) return rc;
1060cbinfo = static_cbinfo;
1061
1062if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
1063 return FAIL;
1064
1065/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
1066were historically separated by underscores. So that I can use either form in my
1067tests, and also for general convenience, we turn underscores into hyphens here.
1068*/
1069
1070if (expciphers != NULL)
1071 {
1072 uschar *s = expciphers;
1073 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1074 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
1075 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
1076 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL);
1077 cbinfo->server_cipher_list = expciphers;
1078 }
1079
1080/* If this is a host for which certificate verification is mandatory or
1081optional, set up appropriately. */
1082
1083tls_certificate_verified = FALSE;
1084verify_callback_called = FALSE;
1085
1086if (verify_check_host(&tls_verify_hosts) == OK)
1087 {
1088 rc = setup_certs(ctx, tls_verify_certificates, tls_crl, NULL, FALSE);
1089 if (rc != OK) return rc;
1090 verify_optional = FALSE;
1091 }
1092else if (verify_check_host(&tls_try_verify_hosts) == OK)
1093 {
1094 rc = setup_certs(ctx, tls_verify_certificates, tls_crl, NULL, TRUE);
1095 if (rc != OK) return rc;
1096 verify_optional = TRUE;
1097 }
1098
1099/* Prepare for new connection */
1100
1101if ((ssl = SSL_new(ctx)) == NULL) return tls_error(US"SSL_new", NULL, NULL);
1102
1103/* Warning: we used to SSL_clear(ssl) here, it was removed.
1104 *
1105 * With the SSL_clear(), we get strange interoperability bugs with
1106 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
1107 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
1108 *
1109 * The SSL_clear() call is to let an existing SSL* be reused, typically after
1110 * session shutdown. In this case, we have a brand new object and there's no
1111 * obvious reason to immediately clear it. I'm guessing that this was
1112 * originally added because of incomplete initialisation which the clear fixed,
1113 * in some historic release.
1114 */
1115
1116/* Set context and tell client to go ahead, except in the case of TLS startup
1117on connection, where outputting anything now upsets the clients and tends to
1118make them disconnect. We need to have an explicit fflush() here, to force out
1119the response. Other smtp_printf() calls do not need it, because in non-TLS
1120mode, the fflush() happens when smtp_getc() is called. */
1121
1122SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
1123if (!tls_on_connect)
1124 {
1125 smtp_printf("220 TLS go ahead\r\n");
1126 fflush(smtp_out);
1127 }
1128
1129/* Now negotiate the TLS session. We put our own timer on it, since it seems
1130that the OpenSSL library doesn't. */
1131
1132SSL_set_wfd(ssl, fileno(smtp_out));
1133SSL_set_rfd(ssl, fileno(smtp_in));
1134SSL_set_accept_state(ssl);
1135
1136DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
1137
1138sigalrm_seen = FALSE;
1139if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
1140rc = SSL_accept(ssl);
1141alarm(0);
1142
1143if (rc <= 0)
1144 {
1145 tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL);
1146 if (ERR_get_error() == 0)
1147 log_write(0, LOG_MAIN,
1148 "TLS client disconnected cleanly (rejected our certificate?)");
1149 return FAIL;
1150 }
1151
1152DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
1153
1154/* TLS has been set up. Adjust the input functions to read via TLS,
1155and initialize things. */
1156
1157construct_cipher_name(ssl);
1158
1159DEBUG(D_tls)
1160 {
1161 uschar buf[2048];
1162 if (SSL_get_shared_ciphers(ssl, CS buf, sizeof(buf)) != NULL)
1163 debug_printf("Shared ciphers: %s\n", buf);
1164 }
1165
1166
1167ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
1168ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
1169ssl_xfer_eof = ssl_xfer_error = 0;
1170
1171receive_getc = tls_getc;
1172receive_ungetc = tls_ungetc;
1173receive_feof = tls_feof;
1174receive_ferror = tls_ferror;
1175receive_smtp_buffered = tls_smtp_buffered;
1176
1177tls_active = fileno(smtp_out);
1178return OK;
1179}
1180
1181
1182
1183
1184
1185/*************************************************
1186* Start a TLS session in a client *
1187*************************************************/
1188
1189/* Called from the smtp transport after STARTTLS has been accepted.
1190
1191Argument:
1192 fd the fd of the connection
1193 host connected host (for messages)
1194 addr the first address
1195 dhparam DH parameter file
1196 certificate certificate file
1197 privatekey private key file
1198 sni TLS SNI to send to remote host
1199 verify_certs file for certificate verify
1200 crl file containing CRL
1201 require_ciphers list of allowed ciphers
1202 timeout startup timeout
1203
1204Returns: OK on success
1205 FAIL otherwise - note that tls_error() will not give DEFER
1206 because this is not a server
1207*/
1208
1209int
1210tls_client_start(int fd, host_item *host, address_item *addr, uschar *dhparam,
1211 uschar *certificate, uschar *privatekey, uschar *sni,
1212 uschar *verify_certs, uschar *crl,
1213 uschar *require_ciphers, int timeout)
1214{
1215static uschar txt[256];
1216uschar *expciphers;
1217X509* server_cert;
1218int rc;
1219
1220rc = tls_init(host, dhparam, certificate, privatekey,
1221#ifdef EXPERIMENTAL_OCSP
1222 NULL,
1223#endif
1224 addr);
1225if (rc != OK) return rc;
1226
1227tls_certificate_verified = FALSE;
1228verify_callback_called = FALSE;
1229
1230if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
1231 return FAIL;
1232
1233/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
1234are separated by underscores. So that I can use either form in my tests, and
1235also for general convenience, we turn underscores into hyphens here. */
1236
1237if (expciphers != NULL)
1238 {
1239 uschar *s = expciphers;
1240 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1241 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
1242 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
1243 return tls_error(US"SSL_CTX_set_cipher_list", host, NULL);
1244 }
1245
1246rc = setup_certs(ctx, verify_certs, crl, host, FALSE);
1247if (rc != OK) return rc;
1248
1249if ((ssl = SSL_new(ctx)) == NULL) return tls_error(US"SSL_new", host, NULL);
1250SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
1251SSL_set_fd(ssl, fd);
1252SSL_set_connect_state(ssl);
1253
1254if (sni)
1255 {
1256 if (!expand_check(sni, US"tls_sni", &tls_sni))
1257 return FAIL;
1258 if (!Ustrlen(tls_sni))
1259 tls_sni = NULL;
1260 else
1261 {
1262#ifdef EXIM_HAVE_OPENSSL_TLSEXT
1263 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tls_sni);
1264 SSL_set_tlsext_host_name(ssl, tls_sni);
1265#else
1266 DEBUG(D_tls)
1267 debug_printf("OpenSSL at build-time lacked SNI support, ignoring \"%s\"\n",
1268 tls_sni);
1269#endif
1270 }
1271 }
1272
1273/* There doesn't seem to be a built-in timeout on connection. */
1274
1275DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
1276sigalrm_seen = FALSE;
1277alarm(timeout);
1278rc = SSL_connect(ssl);
1279alarm(0);
1280
1281if (rc <= 0)
1282 return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL);
1283
1284DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
1285
1286/* Beware anonymous ciphers which lead to server_cert being NULL */
1287server_cert = SSL_get_peer_certificate (ssl);
1288if (server_cert)
1289 {
1290 tls_peerdn = US X509_NAME_oneline(X509_get_subject_name(server_cert),
1291 CS txt, sizeof(txt));
1292 tls_peerdn = txt;
1293 }
1294else
1295 tls_peerdn = NULL;
1296
1297construct_cipher_name(ssl); /* Sets tls_cipher */
1298
1299tls_active = fd;
1300return OK;
1301}
1302
1303
1304
1305
1306
1307/*************************************************
1308* TLS version of getc *
1309*************************************************/
1310
1311/* This gets the next byte from the TLS input buffer. If the buffer is empty,
1312it refills the buffer via the SSL reading function.
1313
1314Arguments: none
1315Returns: the next character or EOF
1316*/
1317
1318int
1319tls_getc(void)
1320{
1321if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
1322 {
1323 int error;
1324 int inbytes;
1325
1326 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
1327 ssl_xfer_buffer, ssl_xfer_buffer_size);
1328
1329 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
1330 inbytes = SSL_read(ssl, CS ssl_xfer_buffer, ssl_xfer_buffer_size);
1331 error = SSL_get_error(ssl, inbytes);
1332 alarm(0);
1333
1334 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
1335 closed down, not that the socket itself has been closed down. Revert to
1336 non-SSL handling. */
1337
1338 if (error == SSL_ERROR_ZERO_RETURN)
1339 {
1340 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
1341
1342 receive_getc = smtp_getc;
1343 receive_ungetc = smtp_ungetc;
1344 receive_feof = smtp_feof;
1345 receive_ferror = smtp_ferror;
1346 receive_smtp_buffered = smtp_buffered;
1347
1348 SSL_free(ssl);
1349 ssl = NULL;
1350 tls_active = -1;
1351 tls_bits = 0;
1352 tls_cipher = NULL;
1353 tls_peerdn = NULL;
1354 tls_sni = NULL;
1355
1356 return smtp_getc();
1357 }
1358
1359 /* Handle genuine errors */
1360
1361 else if (error == SSL_ERROR_SSL)
1362 {
1363 ERR_error_string(ERR_get_error(), ssl_errstring);
1364 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
1365 ssl_xfer_error = 1;
1366 return EOF;
1367 }
1368
1369 else if (error != SSL_ERROR_NONE)
1370 {
1371 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
1372 ssl_xfer_error = 1;
1373 return EOF;
1374 }
1375
1376#ifndef DISABLE_DKIM
1377 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
1378#endif
1379 ssl_xfer_buffer_hwm = inbytes;
1380 ssl_xfer_buffer_lwm = 0;
1381 }
1382
1383/* Something in the buffer; return next uschar */
1384
1385return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
1386}
1387
1388
1389
1390/*************************************************
1391* Read bytes from TLS channel *
1392*************************************************/
1393
1394/*
1395Arguments:
1396 buff buffer of data
1397 len size of buffer
1398
1399Returns: the number of bytes read
1400 -1 after a failed read
1401*/
1402
1403int
1404tls_read(uschar *buff, size_t len)
1405{
1406int inbytes;
1407int error;
1408
1409DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
1410 buff, (unsigned int)len);
1411
1412inbytes = SSL_read(ssl, CS buff, len);
1413error = SSL_get_error(ssl, inbytes);
1414
1415if (error == SSL_ERROR_ZERO_RETURN)
1416 {
1417 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
1418 return -1;
1419 }
1420else if (error != SSL_ERROR_NONE)
1421 {
1422 return -1;
1423 }
1424
1425return inbytes;
1426}
1427
1428
1429
1430
1431
1432/*************************************************
1433* Write bytes down TLS channel *
1434*************************************************/
1435
1436/*
1437Arguments:
1438 buff buffer of data
1439 len number of bytes
1440
1441Returns: the number of bytes after a successful write,
1442 -1 after a failed write
1443*/
1444
1445int
1446tls_write(const uschar *buff, size_t len)
1447{
1448int outbytes;
1449int error;
1450int left = len;
1451
1452DEBUG(D_tls) debug_printf("tls_do_write(%p, %d)\n", buff, left);
1453while (left > 0)
1454 {
1455 DEBUG(D_tls) debug_printf("SSL_write(SSL, %p, %d)\n", buff, left);
1456 outbytes = SSL_write(ssl, CS buff, left);
1457 error = SSL_get_error(ssl, outbytes);
1458 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
1459 switch (error)
1460 {
1461 case SSL_ERROR_SSL:
1462 ERR_error_string(ERR_get_error(), ssl_errstring);
1463 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
1464 return -1;
1465
1466 case SSL_ERROR_NONE:
1467 left -= outbytes;
1468 buff += outbytes;
1469 break;
1470
1471 case SSL_ERROR_ZERO_RETURN:
1472 log_write(0, LOG_MAIN, "SSL channel closed on write");
1473 return -1;
1474
1475 default:
1476 log_write(0, LOG_MAIN, "SSL_write error %d", error);
1477 return -1;
1478 }
1479 }
1480return len;
1481}
1482
1483
1484
1485/*************************************************
1486* Close down a TLS session *
1487*************************************************/
1488
1489/* This is also called from within a delivery subprocess forked from the
1490daemon, to shut down the TLS library, without actually doing a shutdown (which
1491would tamper with the SSL session in the parent process).
1492
1493Arguments: TRUE if SSL_shutdown is to be called
1494Returns: nothing
1495*/
1496
1497void
1498tls_close(BOOL shutdown)
1499{
1500if (tls_active < 0) return; /* TLS was not active */
1501
1502if (shutdown)
1503 {
1504 DEBUG(D_tls) debug_printf("tls_close(): shutting down SSL\n");
1505 SSL_shutdown(ssl);
1506 }
1507
1508SSL_free(ssl);
1509ssl = NULL;
1510
1511tls_active = -1;
1512}
1513
1514
1515
1516
1517/*************************************************
1518* Let tls_require_ciphers be checked at startup *
1519*************************************************/
1520
1521/* The tls_require_ciphers option, if set, must be something which the
1522library can parse.
1523
1524Returns: NULL on success, or error message
1525*/
1526
1527uschar *
1528tls_validate_require_cipher(void)
1529{
1530SSL_CTX *ctx;
1531uschar *s, *expciphers, *err;
1532
1533/* this duplicates from tls_init(), we need a better "init just global
1534state, for no specific purpose" singleton function of our own */
1535
1536SSL_load_error_strings();
1537OpenSSL_add_ssl_algorithms();
1538#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
1539/* SHA256 is becoming ever more popular. This makes sure it gets added to the
1540list of available digests. */
1541EVP_add_digest(EVP_sha256());
1542#endif
1543
1544if (!(tls_require_ciphers && *tls_require_ciphers))
1545 return NULL;
1546
1547if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers))
1548 return US"failed to expand tls_require_ciphers";
1549
1550if (!(expciphers && *expciphers))
1551 return NULL;
1552
1553/* normalisation ripped from above */
1554s = expciphers;
1555while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1556
1557err = NULL;
1558
1559ctx = SSL_CTX_new(SSLv23_server_method());
1560if (!ctx)
1561 {
1562 ERR_error_string(ERR_get_error(), ssl_errstring);
1563 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
1564 }
1565
1566DEBUG(D_tls)
1567 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
1568
1569if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
1570 {
1571 ERR_error_string(ERR_get_error(), ssl_errstring);
1572 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed", expciphers);
1573 }
1574
1575SSL_CTX_free(ctx);
1576
1577return err;
1578}
1579
1580
1581
1582
1583/*************************************************
1584* Report the library versions. *
1585*************************************************/
1586
1587/* There have historically been some issues with binary compatibility in
1588OpenSSL libraries; if Exim (like many other applications) is built against
1589one version of OpenSSL but the run-time linker picks up another version,
1590it can result in serious failures, including crashing with a SIGSEGV. So
1591report the version found by the compiler and the run-time version.
1592
1593Arguments: a FILE* to print the results to
1594Returns: nothing
1595*/
1596
1597void
1598tls_version_report(FILE *f)
1599{
1600fprintf(f, "Library version: OpenSSL: Compile: %s\n"
1601 " Runtime: %s\n",
1602 OPENSSL_VERSION_TEXT,
1603 SSLeay_version(SSLEAY_VERSION));
1604}
1605
1606
1607
1608
1609/*************************************************
1610* Random number generation *
1611*************************************************/
1612
1613/* Pseudo-random number generation. The result is not expected to be
1614cryptographically strong but not so weak that someone will shoot themselves
1615in the foot using it as a nonce in input in some email header scheme or
1616whatever weirdness they'll twist this into. The result should handle fork()
1617and avoid repeating sequences. OpenSSL handles that for us.
1618
1619Arguments:
1620 max range maximum
1621Returns a random number in range [0, max-1]
1622*/
1623
1624int
1625vaguely_random_number(int max)
1626{
1627unsigned int r;
1628int i, needed_len;
1629uschar *p;
1630uschar smallbuf[sizeof(r)];
1631
1632if (max <= 1)
1633 return 0;
1634
1635/* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
1636if (!RAND_status())
1637 {
1638 randstuff r;
1639 gettimeofday(&r.tv, NULL);
1640 r.p = getpid();
1641
1642 RAND_seed((uschar *)(&r), sizeof(r));
1643 }
1644/* We're after pseudo-random, not random; if we still don't have enough data
1645in the internal PRNG then our options are limited. We could sleep and hope
1646for entropy to come along (prayer technique) but if the system is so depleted
1647in the first place then something is likely to just keep taking it. Instead,
1648we'll just take whatever little bit of pseudo-random we can still manage to
1649get. */
1650
1651needed_len = sizeof(r);
1652/* Don't take 8 times more entropy than needed if int is 8 octets and we were
1653asked for a number less than 10. */
1654for (r = max, i = 0; r; ++i)
1655 r >>= 1;
1656i = (i + 7) / 8;
1657if (i < needed_len)
1658 needed_len = i;
1659
1660/* We do not care if crypto-strong */
1661i = RAND_pseudo_bytes(smallbuf, needed_len);
1662if (i < 0)
1663 {
1664 DEBUG(D_all)
1665 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
1666 return vaguely_random_number_fallback(max);
1667 }
1668
1669r = 0;
1670for (p = smallbuf; needed_len; --needed_len, ++p)
1671 {
1672 r *= 256;
1673 r += *p;
1674 }
1675
1676/* We don't particularly care about weighted results; if someone wants
1677smooth distribution and cares enough then they should submit a patch then. */
1678return r % max;
1679}
1680
1681
1682
1683
1684/*************************************************
1685* OpenSSL option parse *
1686*************************************************/
1687
1688/* Parse one option for tls_openssl_options_parse below
1689
1690Arguments:
1691 name one option name
1692 value place to store a value for it
1693Returns success or failure in parsing
1694*/
1695
1696struct exim_openssl_option {
1697 uschar *name;
1698 long value;
1699};
1700/* We could use a macro to expand, but we need the ifdef and not all the
1701options document which version they were introduced in. Policylet: include
1702all options unless explicitly for DTLS, let the administrator choose which
1703to apply.
1704
1705This list is current as of:
1706 ==> 1.0.1b <== */
1707static struct exim_openssl_option exim_openssl_options[] = {
1708/* KEEP SORTED ALPHABETICALLY! */
1709#ifdef SSL_OP_ALL
1710 { US"all", SSL_OP_ALL },
1711#endif
1712#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
1713 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
1714#endif
1715#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
1716 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
1717#endif
1718#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
1719 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
1720#endif
1721#ifdef SSL_OP_EPHEMERAL_RSA
1722 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
1723#endif
1724#ifdef SSL_OP_LEGACY_SERVER_CONNECT
1725 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
1726#endif
1727#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
1728 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
1729#endif
1730#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
1731 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
1732#endif
1733#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
1734 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
1735#endif
1736#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
1737 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
1738#endif
1739#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
1740 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
1741#endif
1742#ifdef SSL_OP_NO_COMPRESSION
1743 { US"no_compression", SSL_OP_NO_COMPRESSION },
1744#endif
1745#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1746 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
1747#endif
1748#ifdef SSL_OP_NO_SSLv2
1749 { US"no_sslv2", SSL_OP_NO_SSLv2 },
1750#endif
1751#ifdef SSL_OP_NO_SSLv3
1752 { US"no_sslv3", SSL_OP_NO_SSLv3 },
1753#endif
1754#ifdef SSL_OP_NO_TICKET
1755 { US"no_ticket", SSL_OP_NO_TICKET },
1756#endif
1757#ifdef SSL_OP_NO_TLSv1
1758 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
1759#endif
1760#ifdef SSL_OP_NO_TLSv1_1
1761#if SSL_OP_NO_TLSv1_1 == 0x00000400L
1762 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
1763#warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
1764#else
1765 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
1766#endif
1767#endif
1768#ifdef SSL_OP_NO_TLSv1_2
1769 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
1770#endif
1771#ifdef SSL_OP_SINGLE_DH_USE
1772 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
1773#endif
1774#ifdef SSL_OP_SINGLE_ECDH_USE
1775 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
1776#endif
1777#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
1778 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
1779#endif
1780#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
1781 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
1782#endif
1783#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
1784 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
1785#endif
1786#ifdef SSL_OP_TLS_D5_BUG
1787 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
1788#endif
1789#ifdef SSL_OP_TLS_ROLLBACK_BUG
1790 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
1791#endif
1792};
1793static int exim_openssl_options_size =
1794 sizeof(exim_openssl_options)/sizeof(struct exim_openssl_option);
1795
1796
1797static BOOL
1798tls_openssl_one_option_parse(uschar *name, long *value)
1799{
1800int first = 0;
1801int last = exim_openssl_options_size;
1802while (last > first)
1803 {
1804 int middle = (first + last)/2;
1805 int c = Ustrcmp(name, exim_openssl_options[middle].name);
1806 if (c == 0)
1807 {
1808 *value = exim_openssl_options[middle].value;
1809 return TRUE;
1810 }
1811 else if (c > 0)
1812 first = middle + 1;
1813 else
1814 last = middle;
1815 }
1816return FALSE;
1817}
1818
1819
1820
1821
1822/*************************************************
1823* OpenSSL option parsing logic *
1824*************************************************/
1825
1826/* OpenSSL has a number of compatibility options which an administrator might
1827reasonably wish to set. Interpret a list similarly to decode_bits(), so that
1828we look like log_selector.
1829
1830Arguments:
1831 option_spec the administrator-supplied string of options
1832 results ptr to long storage for the options bitmap
1833Returns success or failure
1834*/
1835
1836BOOL
1837tls_openssl_options_parse(uschar *option_spec, long *results)
1838{
1839long result, item;
1840uschar *s, *end;
1841uschar keep_c;
1842BOOL adding, item_parsed;
1843
1844result = 0L;
1845/* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
1846 * from default because it increases BEAST susceptibility. */
1847
1848if (option_spec == NULL)
1849 {
1850 *results = result;
1851 return TRUE;
1852 }
1853
1854for (s=option_spec; *s != '\0'; /**/)
1855 {
1856 while (isspace(*s)) ++s;
1857 if (*s == '\0')
1858 break;
1859 if (*s != '+' && *s != '-')
1860 {
1861 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
1862 "+ or - expected but found \"%s\"\n", s);
1863 return FALSE;
1864 }
1865 adding = *s++ == '+';
1866 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
1867 keep_c = *end;
1868 *end = '\0';
1869 item_parsed = tls_openssl_one_option_parse(s, &item);
1870 if (!item_parsed)
1871 {
1872 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
1873 return FALSE;
1874 }
1875 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
1876 adding ? "adding" : "removing", result, item, s);
1877 if (adding)
1878 result |= item;
1879 else
1880 result &= ~item;
1881 *end = keep_c;
1882 s = end;
1883 }
1884
1885*results = result;
1886return TRUE;
1887}
1888
1889/* End of tls-openssl.c */
Unnamed repository; edit this file 'description' to name the repository.