projects / exim.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
tidying
[exim.git] / src / src / tls-openssl.c
... / ...
CommitLineData
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
5/* Copyright (c) University of Cambridge 1995 - 2019 */
6/* See the file NOTICE for conditions of use and distribution. */
7
8/* Portions Copyright (c) The OpenSSL Project 1999 */
9
10/* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11library. It is #included into the tls.c file when that library is used. The
12code herein is based on a patch that was originally contributed by Steve
13Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
14
15No cryptographic code is included in Exim. All this module does is to call
16functions from the OpenSSL library. */
17
18
19/* Heading stuff */
20
21#include <openssl/lhash.h>
22#include <openssl/ssl.h>
23#include <openssl/err.h>
24#include <openssl/rand.h>
25#ifndef OPENSSL_NO_ECDH
26# include <openssl/ec.h>
27#endif
28#ifndef DISABLE_OCSP
29# include <openssl/ocsp.h>
30#endif
31#ifdef SUPPORT_DANE
32# include "danessl.h"
33#endif
34
35
36#ifndef DISABLE_OCSP
37# define EXIM_OCSP_SKEW_SECONDS (300L)
38# define EXIM_OCSP_MAX_AGE (-1L)
39#endif
40
41#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
42# define EXIM_HAVE_OPENSSL_TLSEXT
43#endif
44#if OPENSSL_VERSION_NUMBER >= 0x00908000L
45# define EXIM_HAVE_RSA_GENKEY_EX
46#endif
47#if OPENSSL_VERSION_NUMBER >= 0x10100000L
48# define EXIM_HAVE_OCSP_RESP_COUNT
49#else
50# define EXIM_HAVE_EPHEM_RSA_KEX
51# define EXIM_HAVE_RAND_PSEUDO
52#endif
53#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
54# define EXIM_HAVE_SHA256
55#endif
56
57/* X509_check_host provides sane certificate hostname checking, but was added
58to OpenSSL late, after other projects forked off the code-base. So in
59addition to guarding against the base version number, beware that LibreSSL
60does not (at this time) support this function.
61
62If LibreSSL gains a different API, perhaps via libtls, then we'll probably
63opt to disentangle and ask a LibreSSL user to provide glue for a third
64crypto provider for libtls instead of continuing to tie the OpenSSL glue
65into even twistier knots. If LibreSSL gains the same API, we can just
66change this guard and punt the issue for a while longer. */
67
68#ifndef LIBRESSL_VERSION_NUMBER
69# if OPENSSL_VERSION_NUMBER >= 0x010100000L
70# define EXIM_HAVE_OPENSSL_CHECKHOST
71# define EXIM_HAVE_OPENSSL_DH_BITS
72# define EXIM_HAVE_OPENSSL_TLS_METHOD
73# define EXIM_HAVE_OPENSSL_KEYLOG
74# define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
75# define EXIM_HAVE_SESSION_TICKET
76# define EXIM_HAVE_OPESSL_TRACE
77# else
78# define EXIM_NEED_OPENSSL_INIT
79# endif
80# if OPENSSL_VERSION_NUMBER >= 0x010000000L \
81 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
82# define EXIM_HAVE_OPENSSL_CHECKHOST
83# endif
84#endif
85
86#if !defined(LIBRESSL_VERSION_NUMBER) \
87 || LIBRESSL_VERSION_NUMBER >= 0x20010000L
88# if !defined(OPENSSL_NO_ECDH)
89# if OPENSSL_VERSION_NUMBER >= 0x0090800fL
90# define EXIM_HAVE_ECDH
91# endif
92# if OPENSSL_VERSION_NUMBER >= 0x10002000L
93# define EXIM_HAVE_OPENSSL_EC_NIST2NID
94# endif
95# endif
96#endif
97
98#ifndef LIBRESSL_VERSION_NUMBER
99# if OPENSSL_VERSION_NUMBER >= 0x010101000L
100# define OPENSSL_HAVE_KEYLOG_CB
101# define OPENSSL_HAVE_NUM_TICKETS
102# define EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
103# endif
104#endif
105
106#if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
107# warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
108# define DISABLE_OCSP
109#endif
110
111#ifdef EXPERIMENTAL_TLS_RESUME
112# if OPENSSL_VERSION_NUMBER < 0x0101010L
113# error OpenSSL version too old for session-resumption
114# endif
115#endif
116
117#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
118# include <openssl/x509v3.h>
119#endif
120
121#ifndef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
122# ifndef EXIM_HAVE_OPENSSL_CIPHER_GET_ID
123# define SSL_CIPHER_get_id(c) (c->id)
124# endif
125# ifndef MACRO_PREDEF
126# include "tls-cipher-stdname.c"
127# endif
128#endif
129
130/*************************************************
131* OpenSSL option parse *
132*************************************************/
133
134typedef struct exim_openssl_option {
135 uschar *name;
136 long value;
137} exim_openssl_option;
138/* We could use a macro to expand, but we need the ifdef and not all the
139options document which version they were introduced in. Policylet: include
140all options unless explicitly for DTLS, let the administrator choose which
141to apply.
142
143This list is current as of:
144 ==> 1.0.1b <==
145Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
146Plus SSL_OP_NO_TLSv1_3 for 1.1.2-dev
147*/
148static exim_openssl_option exim_openssl_options[] = {
149/* KEEP SORTED ALPHABETICALLY! */
150#ifdef SSL_OP_ALL
151 { US"all", (long) SSL_OP_ALL },
152#endif
153#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
154 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
155#endif
156#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
157 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
158#endif
159#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
160 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
161#endif
162#ifdef SSL_OP_EPHEMERAL_RSA
163 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
164#endif
165#ifdef SSL_OP_LEGACY_SERVER_CONNECT
166 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
167#endif
168#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
169 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
170#endif
171#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
172 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
173#endif
174#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
175 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
176#endif
177#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
178 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
179#endif
180#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
181 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
182#endif
183#ifdef SSL_OP_NO_COMPRESSION
184 { US"no_compression", SSL_OP_NO_COMPRESSION },
185#endif
186#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
187 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
188#endif
189#ifdef SSL_OP_NO_SSLv2
190 { US"no_sslv2", SSL_OP_NO_SSLv2 },
191#endif
192#ifdef SSL_OP_NO_SSLv3
193 { US"no_sslv3", SSL_OP_NO_SSLv3 },
194#endif
195#ifdef SSL_OP_NO_TICKET
196 { US"no_ticket", SSL_OP_NO_TICKET },
197#endif
198#ifdef SSL_OP_NO_TLSv1
199 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
200#endif
201#ifdef SSL_OP_NO_TLSv1_1
202#if SSL_OP_NO_TLSv1_1 == 0x00000400L
203 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
204#warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
205#else
206 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
207#endif
208#endif
209#ifdef SSL_OP_NO_TLSv1_2
210 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
211#endif
212#ifdef SSL_OP_NO_TLSv1_3
213 { US"no_tlsv1_3", SSL_OP_NO_TLSv1_3 },
214#endif
215#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
216 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
217#endif
218#ifdef SSL_OP_SINGLE_DH_USE
219 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
220#endif
221#ifdef SSL_OP_SINGLE_ECDH_USE
222 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
223#endif
224#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
225 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
226#endif
227#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
228 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
229#endif
230#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
231 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
232#endif
233#ifdef SSL_OP_TLS_D5_BUG
234 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
235#endif
236#ifdef SSL_OP_TLS_ROLLBACK_BUG
237 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
238#endif
239};
240
241#ifndef MACRO_PREDEF
242static int exim_openssl_options_size = nelem(exim_openssl_options);
243#endif
244
245#ifdef MACRO_PREDEF
246void
247options_tls(void)
248{
249uschar buf[64];
250
251for (struct exim_openssl_option * o = exim_openssl_options;
252 o < exim_openssl_options + nelem(exim_openssl_options); o++)
253 {
254 /* Trailing X is workaround for problem with _OPT_OPENSSL_NO_TLSV1
255 being a ".ifdef _OPT_OPENSSL_NO_TLSV1_3" match */
256
257 spf(buf, sizeof(buf), US"_OPT_OPENSSL_%T_X", o->name);
258 builtin_macro_create(buf);
259 }
260
261# ifdef EXPERIMENTAL_TLS_RESUME
262builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
263# endif
264# ifdef SSL_OP_NO_TLSv1_3
265builtin_macro_create(US"_HAVE_TLS1_3");
266# endif
267}
268#else
269
270/******************************************************************************/
271
272/* Structure for collecting random data for seeding. */
273
274typedef struct randstuff {
275 struct timeval tv;
276 pid_t p;
277} randstuff;
278
279/* Local static variables */
280
281static BOOL client_verify_callback_called = FALSE;
282static BOOL server_verify_callback_called = FALSE;
283static const uschar *sid_ctx = US"exim";
284
285/* We have three different contexts to care about.
286
287Simple case: client, `client_ctx`
288 As a client, we can be doing a callout or cut-through delivery while receiving
289 a message. So we have a client context, which should have options initialised
290 from the SMTP Transport. We may also concurrently want to make TLS connections
291 to utility daemons, so client-contexts are allocated and passed around in call
292 args rather than using a gobal.
293
294Server:
295 There are two cases: with and without ServerNameIndication from the client.
296 Given TLS SNI, we can be using different keys, certs and various other
297 configuration settings, because they're re-expanded with $tls_sni set. This
298 allows vhosting with TLS. This SNI is sent in the handshake.
299 A client might not send SNI, so we need a fallback, and an initial setup too.
300 So as a server, we start out using `server_ctx`.
301 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
302 `server_sni` from `server_ctx` and then initialise settings by re-expanding
303 configuration.
304*/
305
306typedef struct {
307 SSL_CTX * ctx;
308 SSL * ssl;
309 gstring * corked;
310} exim_openssl_client_tls_ctx;
311
312static SSL_CTX *server_ctx = NULL;
313static SSL *server_ssl = NULL;
314
315#ifdef EXIM_HAVE_OPENSSL_TLSEXT
316static SSL_CTX *server_sni = NULL;
317#endif
318
319static char ssl_errstring[256];
320
321static int ssl_session_timeout = 7200; /* Two hours */
322static BOOL client_verify_optional = FALSE;
323static BOOL server_verify_optional = FALSE;
324
325static BOOL reexpand_tls_files_for_sni = FALSE;
326
327
328typedef struct tls_ext_ctx_cb {
329 tls_support * tlsp;
330 uschar *certificate;
331 uschar *privatekey;
332 BOOL is_server;
333#ifndef DISABLE_OCSP
334 STACK_OF(X509) *verify_stack; /* chain for verifying the proof */
335 union {
336 struct {
337 uschar *file;
338 uschar *file_expanded;
339 OCSP_RESPONSE *response;
340 } server;
341 struct {
342 X509_STORE *verify_store; /* non-null if status requested */
343 BOOL verify_required;
344 } client;
345 } u_ocsp;
346#endif
347 uschar *dhparam;
348 /* these are cached from first expand */
349 uschar *server_cipher_list;
350 /* only passed down to tls_error: */
351 host_item *host;
352 const uschar * verify_cert_hostnames;
353#ifndef DISABLE_EVENT
354 uschar * event_action;
355#endif
356} tls_ext_ctx_cb;
357
358/* should figure out a cleanup of API to handle state preserved per
359implementation, for various reasons, which can be void * in the APIs.
360For now, we hack around it. */
361tls_ext_ctx_cb *client_static_cbinfo = NULL; /*XXX should not use static; multiple concurrent clients! */
362tls_ext_ctx_cb *server_static_cbinfo = NULL;
363
364static int
365setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
366 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr );
367
368/* Callbacks */
369#ifdef EXIM_HAVE_OPENSSL_TLSEXT
370static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
371#endif
372#ifndef DISABLE_OCSP
373static int tls_server_stapling_cb(SSL *s, void *arg);
374#endif
375
376
377
378/* Daemon-called, before every connection, key create/rotate */
379#ifdef EXPERIMENTAL_TLS_RESUME
380static void tk_init(void);
381static int tls_exdata_idx = -1;
382#endif
383
384void
385tls_daemon_init(void)
386{
387#ifdef EXPERIMENTAL_TLS_RESUME
388tk_init();
389#endif
390return;
391}
392
393
394/*************************************************
395* Handle TLS error *
396*************************************************/
397
398/* Called from lots of places when errors occur before actually starting to do
399the TLS handshake, that is, while the session is still in clear. Always returns
400DEFER for a server and FAIL for a client so that most calls can use "return
401tls_error(...)" to do this processing and then give an appropriate return. A
402single function is used for both server and client, because it is called from
403some shared functions.
404
405Argument:
406 prefix text to include in the logged error
407 host NULL if setting up a server;
408 the connected host if setting up a client
409 msg error message or NULL if we should ask OpenSSL
410 errstr pointer to output error message
411
412Returns: OK/DEFER/FAIL
413*/
414
415static int
416tls_error(uschar * prefix, const host_item * host, uschar * msg, uschar ** errstr)
417{
418if (!msg)
419 {
420 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
421 msg = US ssl_errstring;
422 }
423
424msg = string_sprintf("(%s): %s", prefix, msg);
425DEBUG(D_tls) debug_printf("TLS error '%s'\n", msg);
426if (errstr) *errstr = msg;
427return host ? FAIL : DEFER;
428}
429
430
431
432/*************************************************
433* Callback to generate RSA key *
434*************************************************/
435
436/*
437Arguments:
438 s SSL connection (not used)
439 export not used
440 keylength keylength
441
442Returns: pointer to generated key
443*/
444
445static RSA *
446rsa_callback(SSL *s, int export, int keylength)
447{
448RSA *rsa_key;
449#ifdef EXIM_HAVE_RSA_GENKEY_EX
450BIGNUM *bn = BN_new();
451#endif
452
453export = export; /* Shut picky compilers up */
454DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
455
456#ifdef EXIM_HAVE_RSA_GENKEY_EX
457if ( !BN_set_word(bn, (unsigned long)RSA_F4)
458 || !(rsa_key = RSA_new())
459 || !RSA_generate_key_ex(rsa_key, keylength, bn, NULL)
460 )
461#else
462if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL)))
463#endif
464
465 {
466 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
467 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
468 ssl_errstring);
469 return NULL;
470 }
471return rsa_key;
472}
473
474
475
476/* Extreme debug
477#ifndef DISABLE_OCSP
478void
479x509_store_dump_cert_s_names(X509_STORE * store)
480{
481STACK_OF(X509_OBJECT) * roots= store->objs;
482static uschar name[256];
483
484for (int i= 0; i < sk_X509_OBJECT_num(roots); i++)
485 {
486 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
487 if(tmp_obj->type == X509_LU_X509)
488 {
489 X509_NAME * sn = X509_get_subject_name(tmp_obj->data.x509);
490 if (X509_NAME_oneline(sn, CS name, sizeof(name)))
491 {
492 name[sizeof(name)-1] = '\0';
493 debug_printf(" %s\n", name);
494 }
495 }
496 }
497}
498#endif
499*/
500
501
502#ifndef DISABLE_EVENT
503static int
504verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
505 BOOL *calledp, const BOOL *optionalp, const uschar * what)
506{
507uschar * ev;
508uschar * yield;
509X509 * old_cert;
510
511ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
512if (ev)
513 {
514 DEBUG(D_tls) debug_printf("verify_event: %s %d\n", what, depth);
515 old_cert = tlsp->peercert;
516 tlsp->peercert = X509_dup(cert);
517 /* NB we do not bother setting peerdn */
518 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
519 {
520 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
521 "depth=%d cert=%s: %s",
522 tlsp == &tls_out ? deliver_host_address : sender_host_address,
523 what, depth, dn, yield);
524 *calledp = TRUE;
525 if (!*optionalp)
526 {
527 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
528 return 1; /* reject (leaving peercert set) */
529 }
530 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
531 "(host in tls_try_verify_hosts)\n");
532 tlsp->verify_override = TRUE;
533 }
534 X509_free(tlsp->peercert);
535 tlsp->peercert = old_cert;
536 }
537return 0;
538}
539#endif
540
541/*************************************************
542* Callback for verification *
543*************************************************/
544
545/* The SSL library does certificate verification if set up to do so. This
546callback has the current yes/no state is in "state". If verification succeeded,
547we set the certificate-verified flag. If verification failed, what happens
548depends on whether the client is required to present a verifiable certificate
549or not.
550
551If verification is optional, we change the state to yes, but still log the
552verification error. For some reason (it really would help to have proper
553documentation of OpenSSL), this callback function then gets called again, this
554time with state = 1. We must take care not to set the private verified flag on
555the second time through.
556
557Note: this function is not called if the client fails to present a certificate
558when asked. We get here only if a certificate has been received. Handling of
559optional verification for this case is done when requesting SSL to verify, by
560setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
561
562May be called multiple times for different issues with a certificate, even
563for a given "depth" in the certificate chain.
564
565Arguments:
566 preverify_ok current yes/no state as 1/0
567 x509ctx certificate information.
568 tlsp per-direction (client vs. server) support data
569 calledp has-been-called flag
570 optionalp verification-is-optional flag
571
572Returns: 0 if verification should fail, otherwise 1
573*/
574
575static int
576verify_callback(int preverify_ok, X509_STORE_CTX * x509ctx,
577 tls_support * tlsp, BOOL * calledp, BOOL * optionalp)
578{
579X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
580int depth = X509_STORE_CTX_get_error_depth(x509ctx);
581uschar dn[256];
582
583if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
584 {
585 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
586 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
587 tlsp == &tls_out ? deliver_host_address : sender_host_address);
588 return 0;
589 }
590dn[sizeof(dn)-1] = '\0';
591
592tlsp->verify_override = FALSE;
593if (preverify_ok == 0)
594 {
595 uschar * extra = verify_mode ? string_sprintf(" (during %c-verify for [%s])",
596 *verify_mode, sender_host_address)
597 : US"";
598 log_write(0, LOG_MAIN, "[%s] SSL verify error%s: depth=%d error=%s cert=%s",
599 tlsp == &tls_out ? deliver_host_address : sender_host_address,
600 extra, depth,
601 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)), dn);
602 *calledp = TRUE;
603 if (!*optionalp)
604 {
605 if (!tlsp->peercert)
606 tlsp->peercert = X509_dup(cert); /* record failing cert */
607 return 0; /* reject */
608 }
609 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
610 "tls_try_verify_hosts)\n");
611 tlsp->verify_override = TRUE;
612 }
613
614else if (depth != 0)
615 {
616 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
617#ifndef DISABLE_OCSP
618 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
619 { /* client, wanting stapling */
620 /* Add the server cert's signing chain as the one
621 for the verification of the OCSP stapled information. */
622
623 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
624 cert))
625 ERR_clear_error();
626 sk_X509_push(client_static_cbinfo->verify_stack, cert);
627 }
628#endif
629#ifndef DISABLE_EVENT
630 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
631 return 0; /* reject, with peercert set */
632#endif
633 }
634else
635 {
636 const uschar * verify_cert_hostnames;
637
638 if ( tlsp == &tls_out
639 && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
640 /* client, wanting hostname check */
641 {
642
643#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
644# ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
645# define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
646# endif
647# ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
648# define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
649# endif
650 int sep = 0;
651 const uschar * list = verify_cert_hostnames;
652 uschar * name;
653 int rc;
654 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
655 if ((rc = X509_check_host(cert, CCS name, 0,
656 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
657 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
658 NULL)))
659 {
660 if (rc < 0)
661 {
662 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
663 tlsp == &tls_out ? deliver_host_address : sender_host_address);
664 name = NULL;
665 }
666 break;
667 }
668 if (!name)
669#else
670 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
671#endif
672 {
673 uschar * extra = verify_mode
674 ? string_sprintf(" (during %c-verify for [%s])",
675 *verify_mode, sender_host_address)
676 : US"";
677 log_write(0, LOG_MAIN,
678 "[%s] SSL verify error%s: certificate name mismatch: DN=\"%s\" H=\"%s\"",
679 tlsp == &tls_out ? deliver_host_address : sender_host_address,
680 extra, dn, verify_cert_hostnames);
681 *calledp = TRUE;
682 if (!*optionalp)
683 {
684 if (!tlsp->peercert)
685 tlsp->peercert = X509_dup(cert); /* record failing cert */
686 return 0; /* reject */
687 }
688 DEBUG(D_tls) debug_printf("SSL verify name failure overridden (host in "
689 "tls_try_verify_hosts)\n");
690 tlsp->verify_override = TRUE;
691 }
692 }
693
694#ifndef DISABLE_EVENT
695 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
696 return 0; /* reject, with peercert set */
697#endif
698
699 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
700 *calledp ? "" : " authenticated", dn);
701 *calledp = TRUE;
702 }
703
704return 1; /* accept, at least for this level */
705}
706
707static int
708verify_callback_client(int preverify_ok, X509_STORE_CTX *x509ctx)
709{
710return verify_callback(preverify_ok, x509ctx, &tls_out,
711 &client_verify_callback_called, &client_verify_optional);
712}
713
714static int
715verify_callback_server(int preverify_ok, X509_STORE_CTX *x509ctx)
716{
717return verify_callback(preverify_ok, x509ctx, &tls_in,
718 &server_verify_callback_called, &server_verify_optional);
719}
720
721
722#ifdef SUPPORT_DANE
723
724/* This gets called *by* the dane library verify callback, which interposes
725itself.
726*/
727static int
728verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
729{
730X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
731uschar dn[256];
732int depth = X509_STORE_CTX_get_error_depth(x509ctx);
733#ifndef DISABLE_EVENT
734BOOL dummy_called, optional = FALSE;
735#endif
736
737if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
738 {
739 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
740 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
741 deliver_host_address);
742 return 0;
743 }
744dn[sizeof(dn)-1] = '\0';
745
746DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
747 preverify_ok ? "ok":"BAD", depth, dn);
748
749#ifndef DISABLE_EVENT
750 if (verify_event(&tls_out, cert, depth, dn,
751 &dummy_called, &optional, US"DANE"))
752 return 0; /* reject, with peercert set */
753#endif
754
755if (preverify_ok == 1)
756 {
757 tls_out.dane_verified = TRUE;
758#ifndef DISABLE_OCSP
759 if (client_static_cbinfo->u_ocsp.client.verify_store)
760 { /* client, wanting stapling */
761 /* Add the server cert's signing chain as the one
762 for the verification of the OCSP stapled information. */
763
764 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
765 cert))
766 ERR_clear_error();
767 sk_X509_push(client_static_cbinfo->verify_stack, cert);
768 }
769#endif
770 }
771else
772 {
773 int err = X509_STORE_CTX_get_error(x509ctx);
774 DEBUG(D_tls)
775 debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
776 if (err == X509_V_ERR_APPLICATION_VERIFICATION)
777 preverify_ok = 1;
778 }
779return preverify_ok;
780}
781
782#endif /*SUPPORT_DANE*/
783
784
785/*************************************************
786* Information callback *
787*************************************************/
788
789/* The SSL library functions call this from time to time to indicate what they
790are doing. We copy the string to the debugging output when TLS debugging has
791been requested.
792
793Arguments:
794 s the SSL connection
795 where
796 ret
797
798Returns: nothing
799*/
800
801static void
802info_callback(SSL *s, int where, int ret)
803{
804DEBUG(D_tls)
805 {
806 const uschar * str;
807
808 if (where & SSL_ST_CONNECT)
809 str = US"SSL_connect";
810 else if (where & SSL_ST_ACCEPT)
811 str = US"SSL_accept";
812 else
813 str = US"SSL info (undefined)";
814
815 if (where & SSL_CB_LOOP)
816 debug_printf("%s: %s\n", str, SSL_state_string_long(s));
817 else if (where & SSL_CB_ALERT)
818 debug_printf("SSL3 alert %s:%s:%s\n",
819 str = where & SSL_CB_READ ? US"read" : US"write",
820 SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
821 else if (where & SSL_CB_EXIT)
822 if (ret == 0)
823 debug_printf("%s: failed in %s\n", str, SSL_state_string_long(s));
824 else if (ret < 0)
825 debug_printf("%s: error in %s\n", str, SSL_state_string_long(s));
826 else if (where & SSL_CB_HANDSHAKE_START)
827 debug_printf("%s: hshake start: %s\n", str, SSL_state_string_long(s));
828 else if (where & SSL_CB_HANDSHAKE_DONE)
829 debug_printf("%s: hshake done: %s\n", str, SSL_state_string_long(s));
830 }
831}
832
833#ifdef OPENSSL_HAVE_KEYLOG_CB
834static void
835keylog_callback(const SSL *ssl, const char *line)
836{
837DEBUG(D_tls) debug_printf("%.200s\n", line);
838}
839#endif
840
841
842#ifdef EXPERIMENTAL_TLS_RESUME
843/* Manage the keysets used for encrypting the session tickets, on the server. */
844
845typedef struct { /* Session ticket encryption key */
846 uschar name[16];
847
848 const EVP_CIPHER * aes_cipher;
849 uschar aes_key[32]; /* size needed depends on cipher. aes_128 implies 128/8 = 16? */
850 const EVP_MD * hmac_hash;
851 uschar hmac_key[16];
852 time_t renew;
853 time_t expire;
854} exim_stek;
855
856static exim_stek exim_tk; /* current key */
857static exim_stek exim_tk_old; /* previous key */
858
859static void
860tk_init(void)
861{
862time_t t = time(NULL);
863
864if (exim_tk.name[0])
865 {
866 if (exim_tk.renew >= t) return;
867 exim_tk_old = exim_tk;
868 }
869
870if (f.running_in_test_harness) ssl_session_timeout = 6;
871
872DEBUG(D_tls) debug_printf("OpenSSL: %s STEK\n", exim_tk.name[0] ? "rotating" : "creating");
873if (RAND_bytes(exim_tk.aes_key, sizeof(exim_tk.aes_key)) <= 0) return;
874if (RAND_bytes(exim_tk.hmac_key, sizeof(exim_tk.hmac_key)) <= 0) return;
875if (RAND_bytes(exim_tk.name+1, sizeof(exim_tk.name)-1) <= 0) return;
876
877exim_tk.name[0] = 'E';
878exim_tk.aes_cipher = EVP_aes_256_cbc();
879exim_tk.hmac_hash = EVP_sha256();
880exim_tk.expire = t + ssl_session_timeout;
881exim_tk.renew = t + ssl_session_timeout/2;
882}
883
884static exim_stek *
885tk_current(void)
886{
887if (!exim_tk.name[0]) return NULL;
888return &exim_tk;
889}
890
891static exim_stek *
892tk_find(const uschar * name)
893{
894return memcmp(name, exim_tk.name, sizeof(exim_tk.name)) == 0 ? &exim_tk
895 : memcmp(name, exim_tk_old.name, sizeof(exim_tk_old.name)) == 0 ? &exim_tk_old
896 : NULL;
897}
898
899/* Callback for session tickets, on server */
900static int
901ticket_key_callback(SSL * ssl, uschar key_name[16],
902 uschar * iv, EVP_CIPHER_CTX * ctx, HMAC_CTX * hctx, int enc)
903{
904tls_support * tlsp = server_static_cbinfo->tlsp;
905exim_stek * key;
906
907if (enc)
908 {
909 DEBUG(D_tls) debug_printf("ticket_key_callback: create new session\n");
910 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
911
912 if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) <= 0)
913 return -1; /* insufficient random */
914
915 if (!(key = tk_current())) /* current key doesn't exist or isn't valid */
916 return 0; /* key couldn't be created */
917 memcpy(key_name, key->name, 16);
918 DEBUG(D_tls) debug_printf("STEK expire " TIME_T_FMT "\n", key->expire - time(NULL));
919
920 /*XXX will want these dependent on the ssl session strength */
921 HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
922 key->hmac_hash, NULL);
923 EVP_EncryptInit_ex(ctx, key->aes_cipher, NULL, key->aes_key, iv);
924
925 DEBUG(D_tls) debug_printf("ticket created\n");
926 return 1;
927 }
928else
929 {
930 time_t now = time(NULL);
931
932 DEBUG(D_tls) debug_printf("ticket_key_callback: retrieve session\n");
933 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
934
935 if (!(key = tk_find(key_name)) || key->expire < now)
936 {
937 DEBUG(D_tls)
938 {
939 debug_printf("ticket not usable (%s)\n", key ? "expired" : "not found");
940 if (key) debug_printf("STEK expire " TIME_T_FMT "\n", key->expire - now);
941 }
942 return 0;
943 }
944
945 HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
946 key->hmac_hash, NULL);
947 EVP_DecryptInit_ex(ctx, key->aes_cipher, NULL, key->aes_key, iv);
948
949 DEBUG(D_tls) debug_printf("ticket usable, STEK expire " TIME_T_FMT "\n", key->expire - now);
950
951 /* The ticket lifetime and renewal are the same as the STEK lifetime and
952 renewal, which is overenthusiastic. A factor of, say, 3x longer STEK would
953 be better. To do that we'd have to encode ticket lifetime in the name as
954 we don't yet see the restored session. Could check posthandshake for TLS1.3
955 and trigger a new ticket then, but cannot do that for TLS1.2 */
956 return key->renew < now ? 2 : 1;
957 }
958}
959#endif
960
961
962
963/*************************************************
964* Initialize for DH *
965*************************************************/
966
967/* If dhparam is set, expand it, and load up the parameters for DH encryption.
968
969Arguments:
970 sctx The current SSL CTX (inbound or outbound)
971 dhparam DH parameter file or fixed parameter identity string
972 host connected host, if client; NULL if server
973 errstr error string pointer
974
975Returns: TRUE if OK (nothing to set up, or setup worked)
976*/
977
978static BOOL
979init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host, uschar ** errstr)
980{
981BIO *bio;
982DH *dh;
983uschar *dhexpanded;
984const char *pem;
985int dh_bitsize;
986
987if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded, errstr))
988 return FALSE;
989
990if (!dhexpanded || !*dhexpanded)
991 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
992else if (dhexpanded[0] == '/')
993 {
994 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
995 {
996 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
997 host, US strerror(errno), errstr);
998 return FALSE;
999 }
1000 }
1001else
1002 {
1003 if (Ustrcmp(dhexpanded, "none") == 0)
1004 {
1005 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
1006 return TRUE;
1007 }
1008
1009 if (!(pem = std_dh_prime_named(dhexpanded)))
1010 {
1011 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
1012 host, US strerror(errno), errstr);
1013 return FALSE;
1014 }
1015 bio = BIO_new_mem_buf(CS pem, -1);
1016 }
1017
1018if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
1019 {
1020 BIO_free(bio);
1021 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
1022 host, NULL, errstr);
1023 return FALSE;
1024 }
1025
1026/* note: our default limit of 2236 is not a multiple of 8; the limit comes from
1027 * an NSS limit, and the GnuTLS APIs handle bit-sizes fine, so we went with
1028 * 2236. But older OpenSSL can only report in bytes (octets), not bits.
1029 * If someone wants to dance at the edge, then they can raise the limit or use
1030 * current libraries. */
1031#ifdef EXIM_HAVE_OPENSSL_DH_BITS
1032/* Added in commit 26c79d5641d; `git describe --contains` says OpenSSL_1_1_0-pre1~1022
1033 * This predates OpenSSL_1_1_0 (before a, b, ...) so is in all 1.1.0 */
1034dh_bitsize = DH_bits(dh);
1035#else
1036dh_bitsize = 8 * DH_size(dh);
1037#endif
1038
1039/* Even if it is larger, we silently return success rather than cause things
1040 * to fail out, so that a too-large DH will not knock out all TLS; it's a
1041 * debatable choice. */
1042if (dh_bitsize > tls_dh_max_bits)
1043 {
1044 DEBUG(D_tls)
1045 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d\n",
1046 dh_bitsize, tls_dh_max_bits);
1047 }
1048else
1049 {
1050 SSL_CTX_set_tmp_dh(sctx, dh);
1051 DEBUG(D_tls)
1052 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
1053 dhexpanded ? dhexpanded : US"default", dh_bitsize);
1054 }
1055
1056DH_free(dh);
1057BIO_free(bio);
1058
1059return TRUE;
1060}
1061
1062
1063
1064
1065/*************************************************
1066* Initialize for ECDH *
1067*************************************************/
1068
1069/* Load parameters for ECDH encryption.
1070
1071For now, we stick to NIST P-256 because: it's simple and easy to configure;
1072it avoids any patent issues that might bite redistributors; despite events in
1073the news and concerns over curve choices, we're not cryptographers, we're not
1074pretending to be, and this is "good enough" to be better than no support,
1075protecting against most adversaries. Given another year or two, there might
1076be sufficient clarity about a "right" way forward to let us make an informed
1077decision, instead of a knee-jerk reaction.
1078
1079Longer-term, we should look at supporting both various named curves and
1080external files generated with "openssl ecparam", much as we do for init_dh().
1081We should also support "none" as a value, to explicitly avoid initialisation.
1082
1083Patches welcome.
1084
1085Arguments:
1086 sctx The current SSL CTX (inbound or outbound)
1087 host connected host, if client; NULL if server
1088 errstr error string pointer
1089
1090Returns: TRUE if OK (nothing to set up, or setup worked)
1091*/
1092
1093static BOOL
1094init_ecdh(SSL_CTX * sctx, host_item * host, uschar ** errstr)
1095{
1096#ifdef OPENSSL_NO_ECDH
1097return TRUE;
1098#else
1099
1100EC_KEY * ecdh;
1101uschar * exp_curve;
1102int nid;
1103BOOL rv;
1104
1105if (host) /* No ECDH setup for clients, only for servers */
1106 return TRUE;
1107
1108# ifndef EXIM_HAVE_ECDH
1109DEBUG(D_tls)
1110 debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
1111return TRUE;
1112# else
1113
1114if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr))
1115 return FALSE;
1116if (!exp_curve || !*exp_curve)
1117 return TRUE;
1118
1119/* "auto" needs to be handled carefully.
1120 * OpenSSL < 1.0.2: we do not select anything, but fallback to prime256v1
1121 * OpenSSL < 1.1.0: we have to call SSL_CTX_set_ecdh_auto
1122 * (openssl/ssl.h defines SSL_CTRL_SET_ECDH_AUTO)
1123 * OpenSSL >= 1.1.0: we do not set anything, the libray does autoselection
1124 * https://github.com/openssl/openssl/commit/fe6ef2472db933f01b59cad82aa925736935984b
1125 */
1126if (Ustrcmp(exp_curve, "auto") == 0)
1127 {
1128#if OPENSSL_VERSION_NUMBER < 0x10002000L
1129 DEBUG(D_tls) debug_printf(
1130 "ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n");
1131 exp_curve = US"prime256v1";
1132#else
1133# if defined SSL_CTRL_SET_ECDH_AUTO
1134 DEBUG(D_tls) debug_printf(
1135 "ECDH OpenSSL 1.0.2+ temp key parameter settings: autoselection\n");
1136 SSL_CTX_set_ecdh_auto(sctx, 1);
1137 return TRUE;
1138# else
1139 DEBUG(D_tls) debug_printf(
1140 "ECDH OpenSSL 1.1.0+ temp key parameter settings: default selection\n");
1141 return TRUE;
1142# endif
1143#endif
1144 }
1145
1146DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve);
1147if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef
1148# ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
1149 && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef
1150# endif
1151 )
1152 {
1153 tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve),
1154 host, NULL, errstr);
1155 return FALSE;
1156 }
1157
1158if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
1159 {
1160 tls_error(US"Unable to create ec curve", host, NULL, errstr);
1161 return FALSE;
1162 }
1163
1164/* The "tmp" in the name here refers to setting a temporary key
1165not to the stability of the interface. */
1166
1167if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
1168 tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL, errstr);
1169else
1170 DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
1171
1172EC_KEY_free(ecdh);
1173return !rv;
1174
1175# endif /*EXIM_HAVE_ECDH*/
1176#endif /*OPENSSL_NO_ECDH*/
1177}
1178
1179
1180
1181
1182#ifndef DISABLE_OCSP
1183/*************************************************
1184* Load OCSP information into state *
1185*************************************************/
1186/* Called to load the server OCSP response from the given file into memory, once
1187caller has determined this is needed. Checks validity. Debugs a message
1188if invalid.
1189
1190ASSUMES: single response, for single cert.
1191
1192Arguments:
1193 sctx the SSL_CTX* to update
1194 cbinfo various parts of session state
1195 expanded the filename putatively holding an OCSP response
1196
1197*/
1198
1199static void
1200ocsp_load_response(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo, const uschar *expanded)
1201{
1202BIO * bio;
1203OCSP_RESPONSE * resp;
1204OCSP_BASICRESP * basic_response;
1205OCSP_SINGLERESP * single_response;
1206ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
1207STACK_OF(X509) * sk;
1208unsigned long verify_flags;
1209int status, reason, i;
1210
1211cbinfo->u_ocsp.server.file_expanded = string_copy(expanded);
1212if (cbinfo->u_ocsp.server.response)
1213 {
1214 OCSP_RESPONSE_free(cbinfo->u_ocsp.server.response);
1215 cbinfo->u_ocsp.server.response = NULL;
1216 }
1217
1218if (!(bio = BIO_new_file(CS cbinfo->u_ocsp.server.file_expanded, "rb")))
1219 {
1220 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
1221 cbinfo->u_ocsp.server.file_expanded);
1222 return;
1223 }
1224
1225resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
1226BIO_free(bio);
1227if (!resp)
1228 {
1229 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
1230 return;
1231 }
1232
1233if ((status = OCSP_response_status(resp)) != OCSP_RESPONSE_STATUS_SUCCESSFUL)
1234 {
1235 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
1236 OCSP_response_status_str(status), status);
1237 goto bad;
1238 }
1239
1240if (!(basic_response = OCSP_response_get1_basic(resp)))
1241 {
1242 DEBUG(D_tls)
1243 debug_printf("OCSP response parse error: unable to extract basic response.\n");
1244 goto bad;
1245 }
1246
1247sk = cbinfo->verify_stack;
1248verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
1249
1250/* May need to expose ability to adjust those flags?
1251OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
1252OCSP_TRUSTOTHER OCSP_NOINTERN */
1253
1254/* This does a full verify on the OCSP proof before we load it for serving
1255up; possibly overkill - just date-checks might be nice enough.
1256
1257OCSP_basic_verify takes a "store" arg, but does not
1258use it for the chain verification, which is all we do
1259when OCSP_NOVERIFY is set. The content from the wire
1260"basic_response" and a cert-stack "sk" are all that is used.
1261
1262We have a stack, loaded in setup_certs() if tls_verify_certificates
1263was a file (not a directory, or "system"). It is unfortunate we
1264cannot used the connection context store, as that would neatly
1265handle the "system" case too, but there seems to be no library
1266function for getting a stack from a store.
1267[ In OpenSSL 1.1 - ? X509_STORE_CTX_get0_chain(ctx) ? ]
1268We do not free the stack since it could be needed a second time for
1269SNI handling.
1270
1271Separately we might try to replace using OCSP_basic_verify() - which seems to not
1272be a public interface into the OpenSSL library (there's no manual entry) -
1273But what with? We also use OCSP_basic_verify in the client stapling callback.
1274And there we NEED it; we must verify that status... unless the
1275library does it for us anyway? */
1276
1277if ((i = OCSP_basic_verify(basic_response, sk, NULL, verify_flags)) < 0)
1278 {
1279 DEBUG(D_tls)
1280 {
1281 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
1282 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
1283 }
1284 goto bad;
1285 }
1286
1287/* Here's the simplifying assumption: there's only one response, for the
1288one certificate we use, and nothing for anything else in a chain. If this
1289proves false, we need to extract a cert id from our issued cert
1290(tls_certificate) and use that for OCSP_resp_find_status() (which finds the
1291right cert in the stack and then calls OCSP_single_get0_status()).
1292
1293I'm hoping to avoid reworking a bunch more of how we handle state here. */
1294
1295if (!(single_response = OCSP_resp_get0(basic_response, 0)))
1296 {
1297 DEBUG(D_tls)
1298 debug_printf("Unable to get first response from OCSP basic response.\n");
1299 goto bad;
1300 }
1301
1302status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
1303if (status != V_OCSP_CERTSTATUS_GOOD)
1304 {
1305 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
1306 OCSP_cert_status_str(status), status,
1307 OCSP_crl_reason_str(reason), reason);
1308 goto bad;
1309 }
1310
1311if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1312 {
1313 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
1314 goto bad;
1315 }
1316
1317supply_response:
1318 /*XXX stack? (these tag points are for multiple leaf-cert support for ocsp */
1319 cbinfo->u_ocsp.server.response = resp;
1320return;
1321
1322bad:
1323 if (f.running_in_test_harness)
1324 {
1325 extern char ** environ;
1326 if (environ) for (uschar ** p = USS environ; *p; p++)
1327 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
1328 {
1329 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
1330 goto supply_response;
1331 }
1332 }
1333return;
1334}
1335#endif /*!DISABLE_OCSP*/
1336
1337
1338
1339
1340/* Create and install a selfsigned certificate, for use in server mode */
1341
1342static int
1343tls_install_selfsign(SSL_CTX * sctx, uschar ** errstr)
1344{
1345X509 * x509 = NULL;
1346EVP_PKEY * pkey;
1347RSA * rsa;
1348X509_NAME * name;
1349uschar * where;
1350
1351where = US"allocating pkey";
1352if (!(pkey = EVP_PKEY_new()))
1353 goto err;
1354
1355where = US"allocating cert";
1356if (!(x509 = X509_new()))
1357 goto err;
1358
1359where = US"generating pkey";
1360if (!(rsa = rsa_callback(NULL, 0, 2048)))
1361 goto err;
1362
1363where = US"assigning pkey";
1364if (!EVP_PKEY_assign_RSA(pkey, rsa))
1365 goto err;
1366
1367X509_set_version(x509, 2); /* N+1 - version 3 */
1368ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
1369X509_gmtime_adj(X509_get_notBefore(x509), 0);
1370X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60); /* 1 hour */
1371X509_set_pubkey(x509, pkey);
1372
1373name = X509_get_subject_name(x509);
1374X509_NAME_add_entry_by_txt(name, "C",
1375 MBSTRING_ASC, CUS "UK", -1, -1, 0);
1376X509_NAME_add_entry_by_txt(name, "O",
1377 MBSTRING_ASC, CUS "Exim Developers", -1, -1, 0);
1378X509_NAME_add_entry_by_txt(name, "CN",
1379 MBSTRING_ASC, CUS smtp_active_hostname, -1, -1, 0);
1380X509_set_issuer_name(x509, name);
1381
1382where = US"signing cert";
1383if (!X509_sign(x509, pkey, EVP_md5()))
1384 goto err;
1385
1386where = US"installing selfsign cert";
1387if (!SSL_CTX_use_certificate(sctx, x509))
1388 goto err;
1389
1390where = US"installing selfsign key";
1391if (!SSL_CTX_use_PrivateKey(sctx, pkey))
1392 goto err;
1393
1394return OK;
1395
1396err:
1397 (void) tls_error(where, NULL, NULL, errstr);
1398 if (x509) X509_free(x509);
1399 if (pkey) EVP_PKEY_free(pkey);
1400 return DEFER;
1401}
1402
1403
1404
1405
1406static int
1407tls_add_certfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1408 uschar ** errstr)
1409{
1410DEBUG(D_tls) debug_printf("tls_certificate file %s\n", file);
1411if (!SSL_CTX_use_certificate_chain_file(sctx, CS file))
1412 return tls_error(string_sprintf(
1413 "SSL_CTX_use_certificate_chain_file file=%s", file),
1414 cbinfo->host, NULL, errstr);
1415return 0;
1416}
1417
1418static int
1419tls_add_pkeyfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1420 uschar ** errstr)
1421{
1422DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", file);
1423if (!SSL_CTX_use_PrivateKey_file(sctx, CS file, SSL_FILETYPE_PEM))
1424 return tls_error(string_sprintf(
1425 "SSL_CTX_use_PrivateKey_file file=%s", file), cbinfo->host, NULL, errstr);
1426return 0;
1427}
1428
1429
1430/*************************************************
1431* Expand key and cert file specs *
1432*************************************************/
1433
1434/* Called once during tls_init and possibly again during TLS setup, for a
1435new context, if Server Name Indication was used and tls_sni was seen in
1436the certificate string.
1437
1438Arguments:
1439 sctx the SSL_CTX* to update
1440 cbinfo various parts of session state
1441 errstr error string pointer
1442
1443Returns: OK/DEFER/FAIL
1444*/
1445
1446static int
1447tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo,
1448 uschar ** errstr)
1449{
1450uschar *expanded;
1451
1452if (!cbinfo->certificate)
1453 {
1454 if (!cbinfo->is_server) /* client */
1455 return OK;
1456 /* server */
1457 if (tls_install_selfsign(sctx, errstr) != OK)
1458 return DEFER;
1459 }
1460else
1461 {
1462 int err;
1463
1464 if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
1465 Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
1466 Ustrstr(cbinfo->certificate, US"tls_out_sni")
1467 )
1468 reexpand_tls_files_for_sni = TRUE;
1469
1470 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded, errstr))
1471 return DEFER;
1472
1473 if (expanded)
1474 if (cbinfo->is_server)
1475 {
1476 const uschar * file_list = expanded;
1477 int sep = 0;
1478 uschar * file;
1479
1480 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1481 if ((err = tls_add_certfile(sctx, cbinfo, file, errstr)))
1482 return err;
1483 }
1484 else /* would there ever be a need for multiple client certs? */
1485 if ((err = tls_add_certfile(sctx, cbinfo, expanded, errstr)))
1486 return err;
1487
1488 if ( cbinfo->privatekey
1489 && !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded, errstr))
1490 return DEFER;
1491
1492 /* If expansion was forced to fail, key_expanded will be NULL. If the result
1493 of the expansion is an empty string, ignore it also, and assume the private
1494 key is in the same file as the certificate. */
1495
1496 if (expanded && *expanded)
1497 if (cbinfo->is_server)
1498 {
1499 const uschar * file_list = expanded;
1500 int sep = 0;
1501 uschar * file;
1502
1503 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1504 if ((err = tls_add_pkeyfile(sctx, cbinfo, file, errstr)))
1505 return err;
1506 }
1507 else /* would there ever be a need for multiple client certs? */
1508 if ((err = tls_add_pkeyfile(sctx, cbinfo, expanded, errstr)))
1509 return err;
1510 }
1511
1512#ifndef DISABLE_OCSP
1513if (cbinfo->is_server && cbinfo->u_ocsp.server.file)
1514 {
1515 /*XXX stack*/
1516 if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded, errstr))
1517 return DEFER;
1518
1519 if (expanded && *expanded)
1520 {
1521 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
1522 if ( cbinfo->u_ocsp.server.file_expanded
1523 && (Ustrcmp(expanded, cbinfo->u_ocsp.server.file_expanded) == 0))
1524 {
1525 DEBUG(D_tls) debug_printf(" - value unchanged, using existing values\n");
1526 }
1527 else
1528 ocsp_load_response(sctx, cbinfo, expanded);
1529 }
1530 }
1531#endif
1532
1533return OK;
1534}
1535
1536
1537
1538
1539/*************************************************
1540* Callback to handle SNI *
1541*************************************************/
1542
1543/* Called when acting as server during the TLS session setup if a Server Name
1544Indication extension was sent by the client.
1545
1546API documentation is OpenSSL s_server.c implementation.
1547
1548Arguments:
1549 s SSL* of the current session
1550 ad unknown (part of OpenSSL API) (unused)
1551 arg Callback of "our" registered data
1552
1553Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
1554
1555XXX might need to change to using ClientHello callback,
1556per https://www.openssl.org/docs/manmaster/man3/SSL_client_hello_cb_fn.html
1557*/
1558
1559#ifdef EXIM_HAVE_OPENSSL_TLSEXT
1560static int
1561tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
1562{
1563const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
1564tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
1565int rc;
1566int old_pool = store_pool;
1567uschar * dummy_errstr;
1568
1569if (!servername)
1570 return SSL_TLSEXT_ERR_OK;
1571
1572DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
1573 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
1574
1575/* Make the extension value available for expansion */
1576store_pool = POOL_PERM;
1577tls_in.sni = string_copy_taint(US servername, TRUE);
1578store_pool = old_pool;
1579
1580if (!reexpand_tls_files_for_sni)
1581 return SSL_TLSEXT_ERR_OK;
1582
1583/* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
1584not confident that memcpy wouldn't break some internal reference counting.
1585Especially since there's a references struct member, which would be off. */
1586
1587#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1588if (!(server_sni = SSL_CTX_new(TLS_server_method())))
1589#else
1590if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
1591#endif
1592 {
1593 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
1594 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
1595 goto bad;
1596 }
1597
1598/* Not sure how many of these are actually needed, since SSL object
1599already exists. Might even need this selfsame callback, for reneg? */
1600
1601SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
1602SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
1603SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
1604SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
1605SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
1606SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
1607
1608if ( !init_dh(server_sni, cbinfo->dhparam, NULL, &dummy_errstr)
1609 || !init_ecdh(server_sni, NULL, &dummy_errstr)
1610 )
1611 goto bad;
1612
1613if ( cbinfo->server_cipher_list
1614 && !SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list))
1615 goto bad;
1616
1617#ifndef DISABLE_OCSP
1618if (cbinfo->u_ocsp.server.file)
1619 {
1620 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
1621 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
1622 }
1623#endif
1624
1625if ((rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE,
1626 verify_callback_server, &dummy_errstr)) != OK)
1627 goto bad;
1628
1629/* do this after setup_certs, because this can require the certs for verifying
1630OCSP information. */
1631if ((rc = tls_expand_session_files(server_sni, cbinfo, &dummy_errstr)) != OK)
1632 goto bad;
1633
1634DEBUG(D_tls) debug_printf("Switching SSL context.\n");
1635SSL_set_SSL_CTX(s, server_sni);
1636return SSL_TLSEXT_ERR_OK;
1637
1638bad: return SSL_TLSEXT_ERR_ALERT_FATAL;
1639}
1640#endif /* EXIM_HAVE_OPENSSL_TLSEXT */
1641
1642
1643
1644
1645#ifndef DISABLE_OCSP
1646
1647/*************************************************
1648* Callback to handle OCSP Stapling *
1649*************************************************/
1650
1651/* Called when acting as server during the TLS session setup if the client
1652requests OCSP information with a Certificate Status Request.
1653
1654Documentation via openssl s_server.c and the Apache patch from the OpenSSL
1655project.
1656
1657*/
1658
1659static int
1660tls_server_stapling_cb(SSL *s, void *arg)
1661{
1662const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
1663uschar *response_der; /*XXX blob */
1664int response_der_len;
1665
1666/*XXX stack: use SSL_get_certificate() to see which cert; from that work
1667out which ocsp blob to send. Unfortunately, SSL_get_certificate is known
1668buggy in current OpenSSL; it returns the last cert loaded always rather than
1669the one actually presented. So we can't support a stack of OCSP proofs at
1670this time. */
1671
1672DEBUG(D_tls)
1673 debug_printf("Received TLS status request (OCSP stapling); %s response\n",
1674 cbinfo->u_ocsp.server.response ? "have" : "lack");
1675
1676tls_in.ocsp = OCSP_NOT_RESP;
1677if (!cbinfo->u_ocsp.server.response)
1678 return SSL_TLSEXT_ERR_NOACK;
1679
1680response_der = NULL;
1681response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response, /*XXX stack*/
1682 &response_der);
1683if (response_der_len <= 0)
1684 return SSL_TLSEXT_ERR_NOACK;
1685
1686SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
1687tls_in.ocsp = OCSP_VFIED;
1688return SSL_TLSEXT_ERR_OK;
1689}
1690
1691
1692static void
1693time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
1694{
1695BIO_printf(bp, "\t%s: ", str);
1696ASN1_GENERALIZEDTIME_print(bp, time);
1697BIO_puts(bp, "\n");
1698}
1699
1700static int
1701tls_client_stapling_cb(SSL *s, void *arg)
1702{
1703tls_ext_ctx_cb * cbinfo = arg;
1704const unsigned char * p;
1705int len;
1706OCSP_RESPONSE * rsp;
1707OCSP_BASICRESP * bs;
1708int i;
1709
1710DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
1711len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1712if(!p)
1713 {
1714 /* Expect this when we requested ocsp but got none */
1715 if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
1716 log_write(0, LOG_MAIN, "Received TLS status callback, null content");
1717 else
1718 DEBUG(D_tls) debug_printf(" null\n");
1719 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1720 }
1721
1722if (!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
1723 {
1724 tls_out.ocsp = OCSP_FAILED; /*XXX should use tlsp-> to permit concurrent outbound */
1725 if (LOGGING(tls_cipher))
1726 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
1727 else
1728 DEBUG(D_tls) debug_printf(" parse error\n");
1729 return 0;
1730 }
1731
1732if (!(bs = OCSP_response_get1_basic(rsp)))
1733 {
1734 tls_out.ocsp = OCSP_FAILED;
1735 if (LOGGING(tls_cipher))
1736 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
1737 else
1738 DEBUG(D_tls) debug_printf(" error parsing response\n");
1739 OCSP_RESPONSE_free(rsp);
1740 return 0;
1741 }
1742
1743/* We'd check the nonce here if we'd put one in the request. */
1744/* However that would defeat cacheability on the server so we don't. */
1745
1746/* This section of code reworked from OpenSSL apps source;
1747 The OpenSSL Project retains copyright:
1748 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
1749*/
1750 {
1751 BIO * bp = NULL;
1752 int status, reason;
1753 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1754
1755 DEBUG(D_tls) bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
1756
1757 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
1758
1759 /* Use the chain that verified the server cert to verify the stapled info */
1760 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
1761
1762 if ((i = OCSP_basic_verify(bs, cbinfo->verify_stack,
1763 cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
1764 {
1765 tls_out.ocsp = OCSP_FAILED;
1766 if (LOGGING(tls_cipher)) log_write(0, LOG_MAIN,
1767 "Received TLS cert status response, itself unverifiable: %s",
1768 ERR_reason_error_string(ERR_peek_error()));
1769 BIO_printf(bp, "OCSP response verify failure\n");
1770 ERR_print_errors(bp);
1771 OCSP_RESPONSE_print(bp, rsp, 0);
1772 goto failed;
1773 }
1774
1775 BIO_printf(bp, "OCSP response well-formed and signed OK\n");
1776
1777 /*XXX So we have a good stapled OCSP status. How do we know
1778 it is for the cert of interest? OpenSSL 1.1.0 has a routine
1779 OCSP_resp_find_status() which matches on a cert id, which presumably
1780 we should use. Making an id needs OCSP_cert_id_new(), which takes
1781 issuerName, issuerKey, serialNumber. Are they all in the cert?
1782
1783 For now, carry on blindly accepting the resp. */
1784
1785 {
1786 OCSP_SINGLERESP * single;
1787
1788#ifdef EXIM_HAVE_OCSP_RESP_COUNT
1789 if (OCSP_resp_count(bs) != 1)
1790#else
1791 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
1792 if (sk_OCSP_SINGLERESP_num(sresp) != 1)
1793#endif
1794 {
1795 tls_out.ocsp = OCSP_FAILED;
1796 log_write(0, LOG_MAIN, "OCSP stapling "
1797 "with multiple responses not handled");
1798 goto failed;
1799 }
1800 single = OCSP_resp_get0(bs, 0);
1801 status = OCSP_single_get0_status(single, &reason, &rev,
1802 &thisupd, &nextupd);
1803 }
1804
1805 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
1806 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
1807 if (!OCSP_check_validity(thisupd, nextupd,
1808 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1809 {
1810 tls_out.ocsp = OCSP_FAILED;
1811 DEBUG(D_tls) ERR_print_errors(bp);
1812 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
1813 }
1814 else
1815 {
1816 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
1817 OCSP_cert_status_str(status));
1818 switch(status)
1819 {
1820 case V_OCSP_CERTSTATUS_GOOD:
1821 tls_out.ocsp = OCSP_VFIED;
1822 i = 1;
1823 goto good;
1824 case V_OCSP_CERTSTATUS_REVOKED:
1825 tls_out.ocsp = OCSP_FAILED;
1826 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
1827 reason != -1 ? "; reason: " : "",
1828 reason != -1 ? OCSP_crl_reason_str(reason) : "");
1829 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
1830 break;
1831 default:
1832 tls_out.ocsp = OCSP_FAILED;
1833 log_write(0, LOG_MAIN,
1834 "Server certificate status unknown, in OCSP stapling");
1835 break;
1836 }
1837 }
1838 failed:
1839 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1840 good:
1841 BIO_free(bp);
1842 }
1843
1844OCSP_RESPONSE_free(rsp);
1845return i;
1846}
1847#endif /*!DISABLE_OCSP*/
1848
1849
1850/*************************************************
1851* Initialize for TLS *
1852*************************************************/
1853
1854/* Called from both server and client code, to do preliminary initialization
1855of the library. We allocate and return a context structure.
1856
1857Arguments:
1858 ctxp returned SSL context
1859 host connected host, if client; NULL if server
1860 dhparam DH parameter file
1861 certificate certificate file
1862 privatekey private key
1863 ocsp_file file of stapling info (server); flag for require ocsp (client)
1864 addr address if client; NULL if server (for some randomness)
1865 cbp place to put allocated callback context
1866 errstr error string pointer
1867
1868Returns: OK/DEFER/FAIL
1869*/
1870
1871static int
1872tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
1873 uschar *privatekey,
1874#ifndef DISABLE_OCSP
1875 uschar *ocsp_file, /*XXX stack, in server*/
1876#endif
1877 address_item *addr, tls_ext_ctx_cb ** cbp,
1878 tls_support * tlsp,
1879 uschar ** errstr)
1880{
1881SSL_CTX * ctx;
1882long init_options;
1883int rc;
1884tls_ext_ctx_cb * cbinfo;
1885
1886cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
1887cbinfo->tlsp = tlsp;
1888cbinfo->certificate = certificate;
1889cbinfo->privatekey = privatekey;
1890cbinfo->is_server = host==NULL;
1891#ifndef DISABLE_OCSP
1892cbinfo->verify_stack = NULL;
1893if (!host)
1894 {
1895 cbinfo->u_ocsp.server.file = ocsp_file;
1896 cbinfo->u_ocsp.server.file_expanded = NULL;
1897 cbinfo->u_ocsp.server.response = NULL;
1898 }
1899else
1900 cbinfo->u_ocsp.client.verify_store = NULL;
1901#endif
1902cbinfo->dhparam = dhparam;
1903cbinfo->server_cipher_list = NULL;
1904cbinfo->host = host;
1905#ifndef DISABLE_EVENT
1906cbinfo->event_action = NULL;
1907#endif
1908
1909#ifdef EXIM_NEED_OPENSSL_INIT
1910SSL_load_error_strings(); /* basic set up */
1911OpenSSL_add_ssl_algorithms();
1912#endif
1913
1914#ifdef EXIM_HAVE_SHA256
1915/* SHA256 is becoming ever more popular. This makes sure it gets added to the
1916list of available digests. */
1917EVP_add_digest(EVP_sha256());
1918#endif
1919
1920/* Create a context.
1921The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
1922negotiation in the different methods; as far as I can tell, the only
1923*_{server,client}_method which allows negotiation is SSLv23, which exists even
1924when OpenSSL is built without SSLv2 support.
1925By disabling with openssl_options, we can let admins re-enable with the
1926existing knob. */
1927
1928#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1929if (!(ctx = SSL_CTX_new(host ? TLS_client_method() : TLS_server_method())))
1930#else
1931if (!(ctx = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method())))
1932#endif
1933 return tls_error(US"SSL_CTX_new", host, NULL, errstr);
1934
1935/* It turns out that we need to seed the random number generator this early in
1936order to get the full complement of ciphers to work. It took me roughly a day
1937of work to discover this by experiment.
1938
1939On systems that have /dev/urandom, SSL may automatically seed itself from
1940there. Otherwise, we have to make something up as best we can. Double check
1941afterwards. */
1942
1943if (!RAND_status())
1944 {
1945 randstuff r;
1946 gettimeofday(&r.tv, NULL);
1947 r.p = getpid();
1948
1949 RAND_seed(US (&r), sizeof(r));
1950 RAND_seed(US big_buffer, big_buffer_size);
1951 if (addr != NULL) RAND_seed(US addr, sizeof(addr));
1952
1953 if (!RAND_status())
1954 return tls_error(US"RAND_status", host,
1955 US"unable to seed random number generator", errstr);
1956 }
1957
1958/* Set up the information callback, which outputs if debugging is at a suitable
1959level. */
1960
1961DEBUG(D_tls)
1962 {
1963 SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
1964#if defined(EXIM_HAVE_OPESSL_TRACE) && !defined(OPENSSL_NO_SSL_TRACE)
1965 /* this needs a debug build of OpenSSL */
1966 SSL_CTX_set_msg_callback(ctx, (void (*)())SSL_trace);
1967#endif
1968#ifdef OPENSSL_HAVE_KEYLOG_CB
1969 SSL_CTX_set_keylog_callback(ctx, (void (*)())keylog_callback);
1970#endif
1971 }
1972
1973/* Automatically re-try reads/writes after renegotiation. */
1974(void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
1975
1976/* Apply administrator-supplied work-arounds.
1977Historically we applied just one requested option,
1978SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
1979moved to an administrator-controlled list of options to specify and
1980grandfathered in the first one as the default value for "openssl_options".
1981
1982No OpenSSL version number checks: the options we accept depend upon the
1983availability of the option value macros from OpenSSL. */
1984
1985if (!tls_openssl_options_parse(openssl_options, &init_options))
1986 return tls_error(US"openssl_options parsing failed", host, NULL, errstr);
1987
1988#ifdef EXPERIMENTAL_TLS_RESUME
1989tlsp->resumption = RESUME_SUPPORTED;
1990#endif
1991if (init_options)
1992 {
1993#ifdef EXPERIMENTAL_TLS_RESUME
1994 /* Should the server offer session resumption? */
1995 if (!host && verify_check_host(&tls_resumption_hosts) == OK)
1996 {
1997 DEBUG(D_tls) debug_printf("tls_resumption_hosts overrides openssl_options\n");
1998 init_options &= ~SSL_OP_NO_TICKET;
1999 tlsp->resumption |= RESUME_SERVER_TICKET; /* server will give ticket on request */
2000 tlsp->host_resumable = TRUE;
2001 }
2002#endif
2003
2004 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
2005 if (!(SSL_CTX_set_options(ctx, init_options)))
2006 return tls_error(string_sprintf(
2007 "SSL_CTX_set_option(%#lx)", init_options), host, NULL, errstr);
2008 }
2009else
2010 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
2011
2012/* We'd like to disable session cache unconditionally, but foolish Outlook
2013Express clients then give up the first TLS connection and make a second one
2014(which works). Only when there is an IMAP service on the same machine.
2015Presumably OE is trying to use the cache for A on B. Leave it enabled for
2016now, until we work out a decent way of presenting control to the config. It
2017will never be used because we use a new context every time. */
2018#ifdef notdef
2019(void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
2020#endif
2021
2022/* Initialize with DH parameters if supplied */
2023/* Initialize ECDH temp key parameter selection */
2024
2025if ( !init_dh(ctx, dhparam, host, errstr)
2026 || !init_ecdh(ctx, host, errstr)
2027 )
2028 return DEFER;
2029
2030/* Set up certificate and key (and perhaps OCSP info) */
2031
2032if ((rc = tls_expand_session_files(ctx, cbinfo, errstr)) != OK)
2033 return rc;
2034
2035/* If we need to handle SNI or OCSP, do so */
2036
2037#ifdef EXIM_HAVE_OPENSSL_TLSEXT
2038# ifndef DISABLE_OCSP
2039 if (!(cbinfo->verify_stack = sk_X509_new_null()))
2040 {
2041 DEBUG(D_tls) debug_printf("failed to create stack for stapling verify\n");
2042 return FAIL;
2043 }
2044# endif
2045
2046if (!host) /* server */
2047 {
2048# ifndef DISABLE_OCSP
2049 /* We check u_ocsp.server.file, not server.response, because we care about if
2050 the option exists, not what the current expansion might be, as SNI might
2051 change the certificate and OCSP file in use between now and the time the
2052 callback is invoked. */
2053 if (cbinfo->u_ocsp.server.file)
2054 {
2055 SSL_CTX_set_tlsext_status_cb(ctx, tls_server_stapling_cb);
2056 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
2057 }
2058# endif
2059 /* We always do this, so that $tls_sni is available even if not used in
2060 tls_certificate */
2061 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
2062 SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
2063 }
2064# ifndef DISABLE_OCSP
2065else /* client */
2066 if(ocsp_file) /* wanting stapling */
2067 {
2068 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
2069 {
2070 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
2071 return FAIL;
2072 }
2073 SSL_CTX_set_tlsext_status_cb(ctx, tls_client_stapling_cb);
2074 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
2075 }
2076# endif
2077#endif
2078
2079cbinfo->verify_cert_hostnames = NULL;
2080
2081#ifdef EXIM_HAVE_EPHEM_RSA_KEX
2082/* Set up the RSA callback */
2083SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
2084#endif
2085
2086/* Finally, set the session cache timeout, and we are done.
2087The period appears to be also used for (server-generated) session tickets */
2088
2089SSL_CTX_set_timeout(ctx, ssl_session_timeout);
2090DEBUG(D_tls) debug_printf("Initialized TLS\n");
2091
2092*cbp = cbinfo;
2093*ctxp = ctx;
2094
2095return OK;
2096}
2097
2098
2099
2100
2101/*************************************************
2102* Get name of cipher in use *
2103*************************************************/
2104
2105/*
2106Argument: pointer to an SSL structure for the connection
2107 pointer to number of bits for cipher
2108Returns: pointer to allocated string in perm-pool
2109*/
2110
2111static uschar *
2112construct_cipher_name(SSL * ssl, int * bits)
2113{
2114int pool = store_pool;
2115/* With OpenSSL 1.0.0a, 'c' needs to be const but the documentation doesn't
2116yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
2117the accessor functions use const in the prototype. */
2118
2119const uschar * ver = CUS SSL_get_version(ssl);
2120const SSL_CIPHER * c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
2121uschar * s;
2122
2123SSL_CIPHER_get_bits(c, bits);
2124
2125store_pool = POOL_PERM;
2126s = string_sprintf("%s:%s:%u", ver, SSL_CIPHER_get_name(c), *bits);
2127store_pool = pool;
2128DEBUG(D_tls) debug_printf("Cipher: %s\n", s);
2129return s;
2130}
2131
2132
2133/* Get IETF-standard name for ciphersuite.
2134Argument: pointer to an SSL structure for the connection
2135Returns: pointer to string
2136*/
2137
2138static const uschar *
2139cipher_stdname_ssl(SSL * ssl)
2140{
2141#ifdef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
2142return CUS SSL_CIPHER_standard_name(SSL_get_current_cipher(ssl));
2143#else
2144ushort id = 0xffff & SSL_CIPHER_get_id(SSL_get_current_cipher(ssl));
2145return cipher_stdname(id >> 8, id & 0xff);
2146#endif
2147}
2148
2149
2150static void
2151peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned siz)
2152{
2153/*XXX we might consider a list-of-certs variable for the cert chain.
2154SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
2155in list-handling functions, also consider the difference between the entire
2156chain and the elements sent by the peer. */
2157
2158tlsp->peerdn = NULL;
2159
2160/* Will have already noted peercert on a verify fail; possibly not the leaf */
2161if (!tlsp->peercert)
2162 tlsp->peercert = SSL_get_peer_certificate(ssl);
2163/* Beware anonymous ciphers which lead to server_cert being NULL */
2164if (tlsp->peercert)
2165 if (!X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, siz))
2166 { DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n"); }
2167 else
2168 {
2169 int oldpool = store_pool;
2170
2171 peerdn[siz-1] = '\0'; /* paranoia */
2172 store_pool = POOL_PERM;
2173 tlsp->peerdn = string_copy(peerdn);
2174 store_pool = oldpool;
2175
2176 /* We used to set CV in the cert-verify callbacks (either plain or dane)
2177 but they don't get called on session-resumption. So use the official
2178 interface, which uses the resumed value. Unfortunately this claims verified
2179 when it actually failed but we're in try-verify mode, due to us wanting the
2180 knowlege that it failed so needing to have the callback and forcing a
2181 permissive return. If we don't force it, the TLS startup is failed.
2182 The extra bit of information is set in verify_override in the cb, stashed
2183 for resumption next to the TLS session, and used here. */
2184
2185 if (!tlsp->verify_override)
2186 tlsp->certificate_verified = SSL_get_verify_result(ssl) == X509_V_OK;
2187 }
2188}
2189
2190
2191
2192
2193
2194/*************************************************
2195* Set up for verifying certificates *
2196*************************************************/
2197
2198#ifndef DISABLE_OCSP
2199/* Load certs from file, return TRUE on success */
2200
2201static BOOL
2202chain_from_pem_file(const uschar * file, STACK_OF(X509) * verify_stack)
2203{
2204BIO * bp;
2205X509 * x;
2206
2207while (sk_X509_num(verify_stack) > 0)
2208 X509_free(sk_X509_pop(verify_stack));
2209
2210if (!(bp = BIO_new_file(CS file, "r"))) return FALSE;
2211while ((x = PEM_read_bio_X509(bp, NULL, 0, NULL)))
2212 sk_X509_push(verify_stack, x);
2213BIO_free(bp);
2214return TRUE;
2215}
2216#endif
2217
2218
2219
2220/* Called by both client and server startup; on the server possibly
2221repeated after a Server Name Indication.
2222
2223Arguments:
2224 sctx SSL_CTX* to initialise
2225 certs certs file or NULL
2226 crl CRL file or NULL
2227 host NULL in a server; the remote host in a client
2228 optional TRUE if called from a server for a host in tls_try_verify_hosts;
2229 otherwise passed as FALSE
2230 cert_vfy_cb Callback function for certificate verification
2231 errstr error string pointer
2232
2233Returns: OK/DEFER/FAIL
2234*/
2235
2236static int
2237setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
2238 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr)
2239{
2240uschar *expcerts, *expcrl;
2241
2242if (!expand_check(certs, US"tls_verify_certificates", &expcerts, errstr))
2243 return DEFER;
2244DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
2245
2246if (expcerts && *expcerts)
2247 {
2248 /* Tell the library to use its compiled-in location for the system default
2249 CA bundle. Then add the ones specified in the config, if any. */
2250
2251 if (!SSL_CTX_set_default_verify_paths(sctx))
2252 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL, errstr);
2253
2254 if (Ustrcmp(expcerts, "system") != 0)
2255 {
2256 struct stat statbuf;
2257
2258 if (Ustat(expcerts, &statbuf) < 0)
2259 {
2260 log_write(0, LOG_MAIN|LOG_PANIC,
2261 "failed to stat %s for certificates", expcerts);
2262 return DEFER;
2263 }
2264 else
2265 {
2266 uschar *file, *dir;
2267 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
2268 { file = NULL; dir = expcerts; }
2269 else
2270 {
2271 file = expcerts; dir = NULL;
2272#ifndef DISABLE_OCSP
2273 /* In the server if we will be offering an OCSP proof, load chain from
2274 file for verifying the OCSP proof at load time. */
2275
2276 if ( !host
2277 && statbuf.st_size > 0
2278 && server_static_cbinfo->u_ocsp.server.file
2279 && !chain_from_pem_file(file, server_static_cbinfo->verify_stack)
2280 )
2281 {
2282 log_write(0, LOG_MAIN|LOG_PANIC,
2283 "failed to load cert chain from %s", file);
2284 return DEFER;
2285 }
2286#endif
2287 }
2288
2289 /* If a certificate file is empty, the next function fails with an
2290 unhelpful error message. If we skip it, we get the correct behaviour (no
2291 certificates are recognized, but the error message is still misleading (it
2292 says no certificate was supplied). But this is better. */
2293
2294 if ( (!file || statbuf.st_size > 0)
2295 && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
2296 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL, errstr);
2297
2298 /* Load the list of CAs for which we will accept certs, for sending
2299 to the client. This is only for the one-file tls_verify_certificates
2300 variant.
2301 If a list isn't loaded into the server, but some verify locations are set,
2302 the server end appears to make a wildcard request for client certs.
2303 Meanwhile, the client library as default behaviour *ignores* the list
2304 we send over the wire - see man SSL_CTX_set_client_cert_cb.
2305 Because of this, and that the dir variant is likely only used for
2306 the public-CA bundle (not for a private CA), not worth fixing. */
2307
2308 if (file)
2309 {
2310 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
2311
2312 SSL_CTX_set_client_CA_list(sctx, names);
2313 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
2314 sk_X509_NAME_num(names));
2315 }
2316 }
2317 }
2318
2319 /* Handle a certificate revocation list. */
2320
2321#if OPENSSL_VERSION_NUMBER > 0x00907000L
2322
2323 /* This bit of code is now the version supplied by Lars Mainka. (I have
2324 merely reformatted it into the Exim code style.)
2325
2326 "From here I changed the code to add support for multiple crl's
2327 in pem format in one file or to support hashed directory entries in
2328 pem format instead of a file. This method now uses the library function
2329 X509_STORE_load_locations to add the CRL location to the SSL context.
2330 OpenSSL will then handle the verify against CA certs and CRLs by
2331 itself in the verify callback." */
2332
2333 if (!expand_check(crl, US"tls_crl", &expcrl, errstr)) return DEFER;
2334 if (expcrl && *expcrl)
2335 {
2336 struct stat statbufcrl;
2337 if (Ustat(expcrl, &statbufcrl) < 0)
2338 {
2339 log_write(0, LOG_MAIN|LOG_PANIC,
2340 "failed to stat %s for certificates revocation lists", expcrl);
2341 return DEFER;
2342 }
2343 else
2344 {
2345 /* is it a file or directory? */
2346 uschar *file, *dir;
2347 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
2348 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
2349 {
2350 file = NULL;
2351 dir = expcrl;
2352 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
2353 }
2354 else
2355 {
2356 file = expcrl;
2357 dir = NULL;
2358 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
2359 }
2360 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
2361 return tls_error(US"X509_STORE_load_locations", host, NULL, errstr);
2362
2363 /* setting the flags to check against the complete crl chain */
2364
2365 X509_STORE_set_flags(cvstore,
2366 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
2367 }
2368 }
2369
2370#endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
2371
2372 /* If verification is optional, don't fail if no certificate */
2373
2374 SSL_CTX_set_verify(sctx,
2375 SSL_VERIFY_PEER | (optional ? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
2376 cert_vfy_cb);
2377 }
2378
2379return OK;
2380}
2381
2382
2383
2384/*************************************************
2385* Start a TLS session in a server *
2386*************************************************/
2387
2388/* This is called when Exim is running as a server, after having received
2389the STARTTLS command. It must respond to that command, and then negotiate
2390a TLS session.
2391
2392Arguments:
2393 require_ciphers allowed ciphers
2394 errstr pointer to error message
2395
2396Returns: OK on success
2397 DEFER for errors before the start of the negotiation
2398 FAIL for errors during the negotiation; the server can't
2399 continue running.
2400*/
2401
2402int
2403tls_server_start(const uschar * require_ciphers, uschar ** errstr)
2404{
2405int rc;
2406uschar * expciphers;
2407tls_ext_ctx_cb * cbinfo;
2408static uschar peerdn[256];
2409
2410/* Check for previous activation */
2411
2412if (tls_in.active.sock >= 0)
2413 {
2414 tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
2415 smtp_printf("554 Already in TLS\r\n", FALSE);
2416 return FAIL;
2417 }
2418
2419/* Initialize the SSL library. If it fails, it will already have logged
2420the error. */
2421
2422rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
2423#ifndef DISABLE_OCSP
2424 tls_ocsp_file, /*XXX stack*/
2425#endif
2426 NULL, &server_static_cbinfo, &tls_in, errstr);
2427if (rc != OK) return rc;
2428cbinfo = server_static_cbinfo;
2429
2430if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers, errstr))
2431 return FAIL;
2432
2433/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
2434were historically separated by underscores. So that I can use either form in my
2435tests, and also for general convenience, we turn underscores into hyphens here.
2436
2437XXX SSL_CTX_set_cipher_list() is replaced by SSL_CTX_set_ciphersuites()
2438for TLS 1.3 . Since we do not call it at present we get the default list:
2439TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
2440*/
2441
2442if (expciphers)
2443 {
2444 for (uschar * s = expciphers; *s; s++ ) if (*s == '_') *s = '-';
2445 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
2446 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
2447 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL, errstr);
2448 cbinfo->server_cipher_list = expciphers;
2449 }
2450
2451/* If this is a host for which certificate verification is mandatory or
2452optional, set up appropriately. */
2453
2454tls_in.certificate_verified = FALSE;
2455#ifdef SUPPORT_DANE
2456tls_in.dane_verified = FALSE;
2457#endif
2458server_verify_callback_called = FALSE;
2459
2460if (verify_check_host(&tls_verify_hosts) == OK)
2461 {
2462 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
2463 FALSE, verify_callback_server, errstr);
2464 if (rc != OK) return rc;
2465 server_verify_optional = FALSE;
2466 }
2467else if (verify_check_host(&tls_try_verify_hosts) == OK)
2468 {
2469 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
2470 TRUE, verify_callback_server, errstr);
2471 if (rc != OK) return rc;
2472 server_verify_optional = TRUE;
2473 }
2474
2475#ifdef EXPERIMENTAL_TLS_RESUME
2476SSL_CTX_set_tlsext_ticket_key_cb(server_ctx, ticket_key_callback);
2477/* despite working, appears to always return failure, so ignoring */
2478#endif
2479#ifdef OPENSSL_HAVE_NUM_TICKETS
2480# ifdef EXPERIMENTAL_TLS_RESUME
2481SSL_CTX_set_num_tickets(server_ctx, tls_in.host_resumable ? 1 : 0);
2482# else
2483SSL_CTX_set_num_tickets(server_ctx, 0); /* send no TLS1.3 stateful-tickets */
2484# endif
2485#endif
2486
2487
2488/* Prepare for new connection */
2489
2490if (!(server_ssl = SSL_new(server_ctx)))
2491 return tls_error(US"SSL_new", NULL, NULL, errstr);
2492
2493/* Warning: we used to SSL_clear(ssl) here, it was removed.
2494 *
2495 * With the SSL_clear(), we get strange interoperability bugs with
2496 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
2497 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
2498 *
2499 * The SSL_clear() call is to let an existing SSL* be reused, typically after
2500 * session shutdown. In this case, we have a brand new object and there's no
2501 * obvious reason to immediately clear it. I'm guessing that this was
2502 * originally added because of incomplete initialisation which the clear fixed,
2503 * in some historic release.
2504 */
2505
2506/* Set context and tell client to go ahead, except in the case of TLS startup
2507on connection, where outputting anything now upsets the clients and tends to
2508make them disconnect. We need to have an explicit fflush() here, to force out
2509the response. Other smtp_printf() calls do not need it, because in non-TLS
2510mode, the fflush() happens when smtp_getc() is called. */
2511
2512SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
2513if (!tls_in.on_connect)
2514 {
2515 smtp_printf("220 TLS go ahead\r\n", FALSE);
2516 fflush(smtp_out);
2517 }
2518
2519/* Now negotiate the TLS session. We put our own timer on it, since it seems
2520that the OpenSSL library doesn't. */
2521
2522SSL_set_wfd(server_ssl, fileno(smtp_out));
2523SSL_set_rfd(server_ssl, fileno(smtp_in));
2524SSL_set_accept_state(server_ssl);
2525
2526DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
2527
2528sigalrm_seen = FALSE;
2529if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
2530rc = SSL_accept(server_ssl);
2531ALARM_CLR(0);
2532
2533if (rc <= 0)
2534 {
2535 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
2536 return FAIL;
2537 }
2538
2539DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
2540ERR_clear_error(); /* Even success can leave errors in the stack. Seen with
2541 anon-authentication ciphersuite negotiated. */
2542
2543#ifdef EXPERIMENTAL_TLS_RESUME
2544if (SSL_session_reused(server_ssl))
2545 {
2546 tls_in.resumption |= RESUME_USED;
2547 DEBUG(D_tls) debug_printf("Session reused\n");
2548 }
2549#endif
2550
2551/* TLS has been set up. Adjust the input functions to read via TLS,
2552and initialize things. */
2553
2554peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
2555
2556tls_in.cipher = construct_cipher_name(server_ssl, &tls_in.bits);
2557tls_in.cipher_stdname = cipher_stdname_ssl(server_ssl);
2558
2559DEBUG(D_tls)
2560 {
2561 uschar buf[2048];
2562 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)))
2563 debug_printf("Shared ciphers: %s\n", buf);
2564
2565#ifdef EXIM_HAVE_OPENSSL_KEYLOG
2566 {
2567 BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
2568 SSL_SESSION_print_keylog(bp, SSL_get_session(server_ssl));
2569 BIO_free(bp);
2570 }
2571#endif
2572
2573#ifdef EXIM_HAVE_SESSION_TICKET
2574 {
2575 SSL_SESSION * ss = SSL_get_session(server_ssl);
2576 if (SSL_SESSION_has_ticket(ss)) /* 1.1.0 */
2577 debug_printf("The session has a ticket, life %lu seconds\n",
2578 SSL_SESSION_get_ticket_lifetime_hint(ss));
2579 }
2580#endif
2581 }
2582
2583/* Record the certificate we presented */
2584 {
2585 X509 * crt = SSL_get_certificate(server_ssl);
2586 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
2587 }
2588
2589/* Only used by the server-side tls (tls_in), including tls_getc.
2590 Client-side (tls_out) reads (seem to?) go via
2591 smtp_read_response()/ip_recv().
2592 Hence no need to duplicate for _in and _out.
2593 */
2594if (!ssl_xfer_buffer) ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
2595ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
2596ssl_xfer_eof = ssl_xfer_error = FALSE;
2597
2598receive_getc = tls_getc;
2599receive_getbuf = tls_getbuf;
2600receive_get_cache = tls_get_cache;
2601receive_ungetc = tls_ungetc;
2602receive_feof = tls_feof;
2603receive_ferror = tls_ferror;
2604receive_smtp_buffered = tls_smtp_buffered;
2605
2606tls_in.active.sock = fileno(smtp_out);
2607tls_in.active.tls_ctx = NULL; /* not using explicit ctx for server-side */
2608return OK;
2609}
2610
2611
2612
2613
2614static int
2615tls_client_basic_ctx_init(SSL_CTX * ctx,
2616 host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo,
2617 uschar ** errstr)
2618{
2619int rc;
2620/* stick to the old behaviour for compatibility if tls_verify_certificates is
2621 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
2622 the specified host patterns if one of them is defined */
2623
2624if ( ( !ob->tls_verify_hosts
2625 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2626 )
2627 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
2628 )
2629 client_verify_optional = FALSE;
2630else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
2631 client_verify_optional = TRUE;
2632else
2633 return OK;
2634
2635if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
2636 ob->tls_crl, host, client_verify_optional, verify_callback_client,
2637 errstr)) != OK)
2638 return rc;
2639
2640if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
2641 {
2642 cbinfo->verify_cert_hostnames =
2643#ifdef SUPPORT_I18N
2644 string_domain_utf8_to_alabel(host->name, NULL);
2645#else
2646 host->name;
2647#endif
2648 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
2649 cbinfo->verify_cert_hostnames);
2650 }
2651return OK;
2652}
2653
2654
2655#ifdef SUPPORT_DANE
2656static int
2657dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa, uschar ** errstr)
2658{
2659dns_scan dnss;
2660const char * hostnames[2] = { CS host->name, NULL };
2661int found = 0;
2662
2663if (DANESSL_init(ssl, NULL, hostnames) != 1)
2664 return tls_error(US"hostnames load", host, NULL, errstr);
2665
2666for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
2667 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
2668 ) if (rr->type == T_TLSA && rr->size > 3)
2669 {
2670 const uschar * p = rr->data;
2671 uint8_t usage, selector, mtype;
2672 const char * mdname;
2673
2674 usage = *p++;
2675
2676 /* Only DANE-TA(2) and DANE-EE(3) are supported */
2677 if (usage != 2 && usage != 3) continue;
2678
2679 selector = *p++;
2680 mtype = *p++;
2681
2682 switch (mtype)
2683 {
2684 default: continue; /* Only match-types 0, 1, 2 are supported */
2685 case 0: mdname = NULL; break;
2686 case 1: mdname = "sha256"; break;
2687 case 2: mdname = "sha512"; break;
2688 }
2689
2690 found++;
2691 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
2692 {
2693 default:
2694 return tls_error(US"tlsa load", host, NULL, errstr);
2695 case 0: /* action not taken */
2696 case 1: break;
2697 }
2698
2699 tls_out.tlsa_usage |= 1<<usage;
2700 }
2701
2702if (found)
2703 return OK;
2704
2705log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
2706return DEFER;
2707}
2708#endif /*SUPPORT_DANE*/
2709
2710
2711
2712#ifdef EXPERIMENTAL_TLS_RESUME
2713/* On the client, get any stashed session for the given IP from hints db
2714and apply it to the ssl-connection for attempted resumption. */
2715
2716static void
2717tls_retrieve_session(tls_support * tlsp, SSL * ssl, const uschar * key)
2718{
2719tlsp->resumption |= RESUME_SUPPORTED;
2720if (tlsp->host_resumable)
2721 {
2722 dbdata_tls_session * dt;
2723 int len;
2724 open_db dbblock, * dbm_file;
2725
2726 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
2727 DEBUG(D_tls) debug_printf("checking for resumable session for %s\n", key);
2728 if ((dbm_file = dbfn_open(US"tls", O_RDONLY, &dbblock, FALSE, FALSE)))
2729 {
2730 /* key for the db is the IP */
2731 if ((dt = dbfn_read_with_length(dbm_file, key, &len)))
2732 {
2733 SSL_SESSION * ss = NULL;
2734 const uschar * sess_asn1 = dt->session;
2735
2736 len -= sizeof(dbdata_tls_session);
2737 if (!(d2i_SSL_SESSION(&ss, &sess_asn1, (long)len)))
2738 {
2739 DEBUG(D_tls)
2740 {
2741 ERR_error_string_n(ERR_get_error(),
2742 ssl_errstring, sizeof(ssl_errstring));
2743 debug_printf("decoding session: %s\n", ssl_errstring);
2744 }
2745 }
2746#ifdef EXIM_HAVE_SESSION_TICKET
2747 else if ( SSL_SESSION_get_ticket_lifetime_hint(ss) + dt->time_stamp
2748 < time(NULL))
2749 {
2750 DEBUG(D_tls) debug_printf("session expired\n");
2751 dbfn_delete(dbm_file, key);
2752 }
2753#endif
2754 else if (!SSL_set_session(ssl, ss))
2755 {
2756 DEBUG(D_tls)
2757 {
2758 ERR_error_string_n(ERR_get_error(),
2759 ssl_errstring, sizeof(ssl_errstring));
2760 debug_printf("applying session to ssl: %s\n", ssl_errstring);
2761 }
2762 }
2763 else
2764 {
2765 DEBUG(D_tls) debug_printf("good session\n");
2766 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
2767 tlsp->verify_override = dt->verify_override;
2768 tlsp->ocsp = dt->ocsp;
2769 }
2770 }
2771 else
2772 DEBUG(D_tls) debug_printf("no session record\n");
2773 dbfn_close(dbm_file);
2774 }
2775 }
2776}
2777
2778
2779/* On the client, save the session for later resumption */
2780
2781static int
2782tls_save_session_cb(SSL * ssl, SSL_SESSION * ss)
2783{
2784tls_ext_ctx_cb * cbinfo = SSL_get_ex_data(ssl, tls_exdata_idx);
2785tls_support * tlsp;
2786
2787DEBUG(D_tls) debug_printf("tls_save_session_cb\n");
2788
2789if (!cbinfo || !(tlsp = cbinfo->tlsp)->host_resumable) return 0;
2790
2791# ifdef OPENSSL_HAVE_NUM_TICKETS
2792if (SSL_SESSION_is_resumable(ss)) /* 1.1.1 */
2793# endif
2794 {
2795 int len = i2d_SSL_SESSION(ss, NULL);
2796 int dlen = sizeof(dbdata_tls_session) + len;
2797 dbdata_tls_session * dt = store_get(dlen, TRUE);
2798 uschar * s = dt->session;
2799 open_db dbblock, * dbm_file;
2800
2801 DEBUG(D_tls) debug_printf("session is resumable\n");
2802 tlsp->resumption |= RESUME_SERVER_TICKET; /* server gave us a ticket */
2803
2804 dt->verify_override = tlsp->verify_override;
2805 dt->ocsp = tlsp->ocsp;
2806 (void) i2d_SSL_SESSION(ss, &s); /* s gets bumped to end */
2807
2808 if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
2809 {
2810 const uschar * key = cbinfo->host->address;
2811 dbfn_delete(dbm_file, key);
2812 dbfn_write(dbm_file, key, dt, dlen);
2813 dbfn_close(dbm_file);
2814 DEBUG(D_tls) debug_printf("wrote session (len %u) to db\n",
2815 (unsigned)dlen);
2816 }
2817 }
2818return 1;
2819}
2820
2821
2822static void
2823tls_client_ctx_resume_prehandshake(
2824 exim_openssl_client_tls_ctx * exim_client_ctx, tls_support * tlsp,
2825 smtp_transport_options_block * ob, host_item * host)
2826{
2827/* Should the client request a session resumption ticket? */
2828if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, host) == OK)
2829 {
2830 tlsp->host_resumable = TRUE;
2831
2832 SSL_CTX_set_session_cache_mode(exim_client_ctx->ctx,
2833 SSL_SESS_CACHE_CLIENT
2834 | SSL_SESS_CACHE_NO_INTERNAL | SSL_SESS_CACHE_NO_AUTO_CLEAR);
2835 SSL_CTX_sess_set_new_cb(exim_client_ctx->ctx, tls_save_session_cb);
2836 }
2837}
2838
2839static BOOL
2840tls_client_ssl_resume_prehandshake(SSL * ssl, tls_support * tlsp,
2841 host_item * host, uschar ** errstr)
2842{
2843if (tlsp->host_resumable)
2844 {
2845 DEBUG(D_tls)
2846 debug_printf("tls_resumption_hosts overrides openssl_options, enabling tickets\n");
2847 SSL_clear_options(ssl, SSL_OP_NO_TICKET);
2848
2849 tls_exdata_idx = SSL_get_ex_new_index(0, 0, 0, 0, 0);
2850 if (!SSL_set_ex_data(ssl, tls_exdata_idx, client_static_cbinfo))
2851 {
2852 tls_error(US"set ex_data", host, NULL, errstr);
2853 return FALSE;
2854 }
2855 debug_printf("tls_exdata_idx %d cbinfo %p\n", tls_exdata_idx, client_static_cbinfo);
2856 }
2857
2858tlsp->resumption = RESUME_SUPPORTED;
2859/* Pick up a previous session, saved on an old ticket */
2860tls_retrieve_session(tlsp, ssl, host->address);
2861return TRUE;
2862}
2863
2864static void
2865tls_client_resume_posthandshake(exim_openssl_client_tls_ctx * exim_client_ctx,
2866 tls_support * tlsp)
2867{
2868if (SSL_session_reused(exim_client_ctx->ssl))
2869 {
2870 DEBUG(D_tls) debug_printf("The session was reused\n");
2871 tlsp->resumption |= RESUME_USED;
2872 }
2873}
2874#endif /* EXPERIMENTAL_TLS_RESUME */
2875
2876
2877/*************************************************
2878* Start a TLS session in a client *
2879*************************************************/
2880
2881/* Called from the smtp transport after STARTTLS has been accepted.
2882
2883Arguments:
2884 cctx connection context
2885 conn_args connection details
2886 cookie datum for randomness; can be NULL
2887 tlsp record details of TLS channel configuration here; must be non-NULL
2888 errstr error string pointer
2889
2890Returns: TRUE for success with TLS session context set in connection context,
2891 FALSE on error
2892*/
2893
2894BOOL
2895tls_client_start(client_conn_ctx * cctx, smtp_connect_args * conn_args,
2896 void * cookie, tls_support * tlsp, uschar ** errstr)
2897{
2898host_item * host = conn_args->host; /* for msgs and option-tests */
2899transport_instance * tb = conn_args->tblock; /* always smtp or NULL */
2900smtp_transport_options_block * ob = tb
2901 ? (smtp_transport_options_block *)tb->options_block
2902 : &smtp_transport_option_defaults;
2903exim_openssl_client_tls_ctx * exim_client_ctx;
2904uschar * expciphers;
2905int rc;
2906static uschar peerdn[256];
2907
2908#ifndef DISABLE_OCSP
2909BOOL request_ocsp = FALSE;
2910BOOL require_ocsp = FALSE;
2911#endif
2912
2913rc = store_pool;
2914store_pool = POOL_PERM;
2915exim_client_ctx = store_get(sizeof(exim_openssl_client_tls_ctx), FALSE);
2916exim_client_ctx->corked = NULL;
2917store_pool = rc;
2918
2919#ifdef SUPPORT_DANE
2920tlsp->tlsa_usage = 0;
2921#endif
2922
2923#ifndef DISABLE_OCSP
2924 {
2925# ifdef SUPPORT_DANE
2926 if ( conn_args->dane
2927 && ob->hosts_request_ocsp[0] == '*'
2928 && ob->hosts_request_ocsp[1] == '\0'
2929 )
2930 {
2931 /* Unchanged from default. Use a safer one under DANE */
2932 request_ocsp = TRUE;
2933 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
2934 " {= {4}{$tls_out_tlsa_usage}} } "
2935 " {*}{}}";
2936 }
2937# endif
2938
2939 if ((require_ocsp =
2940 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK))
2941 request_ocsp = TRUE;
2942 else
2943# ifdef SUPPORT_DANE
2944 if (!request_ocsp)
2945# endif
2946 request_ocsp =
2947 verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
2948 }
2949#endif
2950
2951rc = tls_init(&exim_client_ctx->ctx, host, NULL,
2952 ob->tls_certificate, ob->tls_privatekey,
2953#ifndef DISABLE_OCSP
2954 (void *)(long)request_ocsp,
2955#endif
2956 cookie, &client_static_cbinfo, tlsp, errstr);
2957if (rc != OK) return FALSE;
2958
2959tlsp->certificate_verified = FALSE;
2960client_verify_callback_called = FALSE;
2961
2962expciphers = NULL;
2963#ifdef SUPPORT_DANE
2964if (conn_args->dane)
2965 {
2966 /* We fall back to tls_require_ciphers if unset, empty or forced failure, but
2967 other failures should be treated as problems. */
2968 if (ob->dane_require_tls_ciphers &&
2969 !expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
2970 &expciphers, errstr))
2971 return FALSE;
2972 if (expciphers && *expciphers == '\0')
2973 expciphers = NULL;
2974 }
2975#endif
2976if (!expciphers &&
2977 !expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
2978 &expciphers, errstr))
2979 return FALSE;
2980
2981/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
2982are separated by underscores. So that I can use either form in my tests, and
2983also for general convenience, we turn underscores into hyphens here. */
2984
2985if (expciphers)
2986 {
2987 uschar *s = expciphers;
2988 while (*s) { if (*s == '_') *s = '-'; s++; }
2989 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
2990 if (!SSL_CTX_set_cipher_list(exim_client_ctx->ctx, CS expciphers))
2991 {
2992 tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr);
2993 return FALSE;
2994 }
2995 }
2996
2997#ifdef SUPPORT_DANE
2998if (conn_args->dane)
2999 {
3000 SSL_CTX_set_verify(exim_client_ctx->ctx,
3001 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
3002 verify_callback_client_dane);
3003
3004 if (!DANESSL_library_init())
3005 {
3006 tls_error(US"library init", host, NULL, errstr);
3007 return FALSE;
3008 }
3009 if (DANESSL_CTX_init(exim_client_ctx->ctx) <= 0)
3010 {
3011 tls_error(US"context init", host, NULL, errstr);
3012 return FALSE;
3013 }
3014 }
3015else
3016
3017#endif
3018
3019 if (tls_client_basic_ctx_init(exim_client_ctx->ctx, host, ob,
3020 client_static_cbinfo, errstr) != OK)
3021 return FALSE;
3022
3023#ifdef EXPERIMENTAL_TLS_RESUME
3024tls_client_ctx_resume_prehandshake(exim_client_ctx, tlsp, ob, host);
3025#endif
3026
3027
3028if (!(exim_client_ctx->ssl = SSL_new(exim_client_ctx->ctx)))
3029 {
3030 tls_error(US"SSL_new", host, NULL, errstr);
3031 return FALSE;
3032 }
3033SSL_set_session_id_context(exim_client_ctx->ssl, sid_ctx, Ustrlen(sid_ctx));
3034
3035SSL_set_fd(exim_client_ctx->ssl, cctx->sock);
3036SSL_set_connect_state(exim_client_ctx->ssl);
3037
3038if (ob->tls_sni)
3039 {
3040 if (!expand_check(ob->tls_sni, US"tls_sni", &tlsp->sni, errstr))
3041 return FALSE;
3042 if (!tlsp->sni)
3043 {
3044 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
3045 }
3046 else if (!Ustrlen(tlsp->sni))
3047 tlsp->sni = NULL;
3048 else
3049 {
3050#ifdef EXIM_HAVE_OPENSSL_TLSEXT
3051 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tlsp->sni);
3052 SSL_set_tlsext_host_name(exim_client_ctx->ssl, tlsp->sni);
3053#else
3054 log_write(0, LOG_MAIN, "SNI unusable with this OpenSSL library version; ignoring \"%s\"\n",
3055 tlsp->sni);
3056#endif
3057 }
3058 }
3059
3060#ifdef SUPPORT_DANE
3061if (conn_args->dane)
3062 if (dane_tlsa_load(exim_client_ctx->ssl, host, &conn_args->tlsa_dnsa, errstr) != OK)
3063 return FALSE;
3064#endif
3065
3066#ifndef DISABLE_OCSP
3067/* Request certificate status at connection-time. If the server
3068does OCSP stapling we will get the callback (set in tls_init()) */
3069# ifdef SUPPORT_DANE
3070if (request_ocsp)
3071 {
3072 const uschar * s;
3073 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
3074 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
3075 )
3076 { /* Re-eval now $tls_out_tlsa_usage is populated. If
3077 this means we avoid the OCSP request, we wasted the setup
3078 cost in tls_init(). */
3079 require_ocsp = verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
3080 request_ocsp = require_ocsp
3081 || verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
3082 }
3083 }
3084# endif
3085
3086if (request_ocsp)
3087 {
3088 SSL_set_tlsext_status_type(exim_client_ctx->ssl, TLSEXT_STATUSTYPE_ocsp);
3089 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
3090 tlsp->ocsp = OCSP_NOT_RESP;
3091 }
3092#endif
3093
3094#ifdef EXPERIMENTAL_TLS_RESUME
3095if (!tls_client_ssl_resume_prehandshake(exim_client_ctx->ssl, tlsp, host,
3096 errstr))
3097 return FALSE;
3098#endif
3099
3100#ifndef DISABLE_EVENT
3101client_static_cbinfo->event_action = tb ? tb->event_action : NULL;
3102#endif
3103
3104/* There doesn't seem to be a built-in timeout on connection. */
3105
3106DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
3107sigalrm_seen = FALSE;
3108ALARM(ob->command_timeout);
3109rc = SSL_connect(exim_client_ctx->ssl);
3110ALARM_CLR(0);
3111
3112#ifdef SUPPORT_DANE
3113if (conn_args->dane)
3114 DANESSL_cleanup(exim_client_ctx->ssl);
3115#endif
3116
3117if (rc <= 0)
3118 {
3119 tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL, errstr);
3120 return FALSE;
3121 }
3122
3123DEBUG(D_tls)
3124 {
3125 debug_printf("SSL_connect succeeded\n");
3126#ifdef EXIM_HAVE_OPENSSL_KEYLOG
3127 {
3128 BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
3129 SSL_SESSION_print_keylog(bp, SSL_get_session(exim_client_ctx->ssl));
3130 BIO_free(bp);
3131 }
3132#endif
3133 }
3134
3135#ifdef EXPERIMENTAL_TLS_RESUME
3136tls_client_resume_posthandshake(exim_client_ctx, tlsp);
3137#endif
3138
3139peer_cert(exim_client_ctx->ssl, tlsp, peerdn, sizeof(peerdn));
3140
3141tlsp->cipher = construct_cipher_name(exim_client_ctx->ssl, &tlsp->bits);
3142tlsp->cipher_stdname = cipher_stdname_ssl(exim_client_ctx->ssl);
3143
3144/* Record the certificate we presented */
3145 {
3146 X509 * crt = SSL_get_certificate(exim_client_ctx->ssl);
3147 tlsp->ourcert = crt ? X509_dup(crt) : NULL;
3148 }
3149
3150tlsp->active.sock = cctx->sock;
3151tlsp->active.tls_ctx = exim_client_ctx;
3152cctx->tls_ctx = exim_client_ctx;
3153return TRUE;
3154}
3155
3156
3157
3158
3159
3160static BOOL
3161tls_refill(unsigned lim)
3162{
3163int error;
3164int inbytes;
3165
3166DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
3167 ssl_xfer_buffer, ssl_xfer_buffer_size);
3168
3169if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
3170inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer,
3171 MIN(ssl_xfer_buffer_size, lim));
3172error = SSL_get_error(server_ssl, inbytes);
3173if (smtp_receive_timeout > 0) ALARM_CLR(0);
3174
3175if (had_command_timeout) /* set by signal handler */
3176 smtp_command_timeout_exit(); /* does not return */
3177if (had_command_sigterm)
3178 smtp_command_sigterm_exit();
3179if (had_data_timeout)
3180 smtp_data_timeout_exit();
3181if (had_data_sigint)
3182 smtp_data_sigint_exit();
3183
3184/* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
3185closed down, not that the socket itself has been closed down. Revert to
3186non-SSL handling. */
3187
3188switch(error)
3189 {
3190 case SSL_ERROR_NONE:
3191 break;
3192
3193 case SSL_ERROR_ZERO_RETURN:
3194 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
3195
3196 if (SSL_get_shutdown(server_ssl) == SSL_RECEIVED_SHUTDOWN)
3197 SSL_shutdown(server_ssl);
3198
3199 tls_close(NULL, TLS_NO_SHUTDOWN);
3200 return FALSE;
3201
3202 /* Handle genuine errors */
3203 case SSL_ERROR_SSL:
3204 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3205 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
3206 ssl_xfer_error = TRUE;
3207 return FALSE;
3208
3209 default:
3210 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
3211 DEBUG(D_tls) if (error == SSL_ERROR_SYSCALL)
3212 debug_printf(" - syscall %s\n", strerror(errno));
3213 ssl_xfer_error = TRUE;
3214 return FALSE;
3215 }
3216
3217#ifndef DISABLE_DKIM
3218dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
3219#endif
3220ssl_xfer_buffer_hwm = inbytes;
3221ssl_xfer_buffer_lwm = 0;
3222return TRUE;
3223}
3224
3225
3226/*************************************************
3227* TLS version of getc *
3228*************************************************/
3229
3230/* This gets the next byte from the TLS input buffer. If the buffer is empty,
3231it refills the buffer via the SSL reading function.
3232
3233Arguments: lim Maximum amount to read/buffer
3234Returns: the next character or EOF
3235
3236Only used by the server-side TLS.
3237*/
3238
3239int
3240tls_getc(unsigned lim)
3241{
3242if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
3243 if (!tls_refill(lim))
3244 return ssl_xfer_error ? EOF : smtp_getc(lim);
3245
3246/* Something in the buffer; return next uschar */
3247
3248return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
3249}
3250
3251uschar *
3252tls_getbuf(unsigned * len)
3253{
3254unsigned size;
3255uschar * buf;
3256
3257if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
3258 if (!tls_refill(*len))
3259 {
3260 if (!ssl_xfer_error) return smtp_getbuf(len);
3261 *len = 0;
3262 return NULL;
3263 }
3264
3265if ((size = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm) > *len)
3266 size = *len;
3267buf = &ssl_xfer_buffer[ssl_xfer_buffer_lwm];
3268ssl_xfer_buffer_lwm += size;
3269*len = size;
3270return buf;
3271}
3272
3273
3274void
3275tls_get_cache()
3276{
3277#ifndef DISABLE_DKIM
3278int n = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm;
3279if (n > 0)
3280 dkim_exim_verify_feed(ssl_xfer_buffer+ssl_xfer_buffer_lwm, n);
3281#endif
3282}
3283
3284
3285BOOL
3286tls_could_read(void)
3287{
3288return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm || SSL_pending(server_ssl) > 0;
3289}
3290
3291
3292/*************************************************
3293* Read bytes from TLS channel *
3294*************************************************/
3295
3296/*
3297Arguments:
3298 ct_ctx client context pointer, or NULL for the one global server context
3299 buff buffer of data
3300 len size of buffer
3301
3302Returns: the number of bytes read
3303 -1 after a failed read, including EOF
3304
3305Only used by the client-side TLS.
3306*/
3307
3308int
3309tls_read(void * ct_ctx, uschar *buff, size_t len)
3310{
3311SSL * ssl = ct_ctx ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
3312int inbytes;
3313int error;
3314
3315DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
3316 buff, (unsigned int)len);
3317
3318inbytes = SSL_read(ssl, CS buff, len);
3319error = SSL_get_error(ssl, inbytes);
3320
3321if (error == SSL_ERROR_ZERO_RETURN)
3322 {
3323 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
3324 return -1;
3325 }
3326else if (error != SSL_ERROR_NONE)
3327 return -1;
3328
3329return inbytes;
3330}
3331
3332
3333
3334
3335
3336/*************************************************
3337* Write bytes down TLS channel *
3338*************************************************/
3339
3340/*
3341Arguments:
3342 ct_ctx client context pointer, or NULL for the one global server context
3343 buff buffer of data
3344 len number of bytes
3345 more further data expected soon
3346
3347Returns: the number of bytes after a successful write,
3348 -1 after a failed write
3349
3350Used by both server-side and client-side TLS.
3351*/
3352
3353int
3354tls_write(void * ct_ctx, const uschar *buff, size_t len, BOOL more)
3355{
3356size_t olen = len;
3357int outbytes, error;
3358SSL * ssl = ct_ctx
3359 ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
3360static gstring * server_corked = NULL;
3361gstring ** corkedp = ct_ctx
3362 ? &((exim_openssl_client_tls_ctx *)ct_ctx)->corked : &server_corked;
3363gstring * corked = *corkedp;
3364
3365DEBUG(D_tls) debug_printf("%s(%p, %lu%s)\n", __FUNCTION__,
3366 buff, (unsigned long)len, more ? ", more" : "");
3367
3368/* Lacking a CORK or MSG_MORE facility (such as GnuTLS has) we copy data when
3369"more" is notified. This hack is only ok if small amounts are involved AND only
3370one stream does it, in one context (i.e. no store reset). Currently it is used
3371for the responses to the received SMTP MAIL , RCPT, DATA sequence, only.
3372We support callouts done by the server process by using a separate client
3373context for the stashed information. */
3374/* + if PIPE_COMMAND, banner & ehlo-resp for smmtp-on-connect. Suspect there's
3375a store reset there, so use POOL_PERM. */
3376/* + if CHUNKING, cmds EHLO,MAIL,RCPT(s),BDAT */
3377
3378if ((more || corked))
3379 {
3380#ifdef SUPPORT_PIPE_CONNECT
3381 int save_pool = store_pool;
3382 store_pool = POOL_PERM;
3383#endif
3384
3385 corked = string_catn(corked, buff, len);
3386
3387#ifdef SUPPORT_PIPE_CONNECT
3388 store_pool = save_pool;
3389#endif
3390
3391 if (more)
3392 {
3393 *corkedp = corked;
3394 return len;
3395 }
3396 buff = CUS corked->s;
3397 len = corked->ptr;
3398 *corkedp = NULL;
3399 }
3400
3401for (int left = len; left > 0;)
3402 {
3403 DEBUG(D_tls) debug_printf("SSL_write(%p, %p, %d)\n", ssl, buff, left);
3404 outbytes = SSL_write(ssl, CS buff, left);
3405 error = SSL_get_error(ssl, outbytes);
3406 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
3407 switch (error)
3408 {
3409 case SSL_ERROR_SSL:
3410 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3411 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
3412 return -1;
3413
3414 case SSL_ERROR_NONE:
3415 left -= outbytes;
3416 buff += outbytes;
3417 break;
3418
3419 case SSL_ERROR_ZERO_RETURN:
3420 log_write(0, LOG_MAIN, "SSL channel closed on write");
3421 return -1;
3422
3423 case SSL_ERROR_SYSCALL:
3424 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
3425 sender_fullhost ? sender_fullhost : US"<unknown>",
3426 strerror(errno));
3427 return -1;
3428
3429 default:
3430 log_write(0, LOG_MAIN, "SSL_write error %d", error);
3431 return -1;
3432 }
3433 }
3434return olen;
3435}
3436
3437
3438
3439/*************************************************
3440* Close down a TLS session *
3441*************************************************/
3442
3443/* This is also called from within a delivery subprocess forked from the
3444daemon, to shut down the TLS library, without actually doing a shutdown (which
3445would tamper with the SSL session in the parent process).
3446
3447Arguments:
3448 ct_ctx client TLS context pointer, or NULL for the one global server context
3449 shutdown 1 if TLS close-alert is to be sent,
3450 2 if also response to be waited for
3451
3452Returns: nothing
3453
3454Used by both server-side and client-side TLS.
3455*/
3456
3457void
3458tls_close(void * ct_ctx, int shutdown)
3459{
3460exim_openssl_client_tls_ctx * o_ctx = ct_ctx;
3461SSL_CTX **ctxp = o_ctx ? &o_ctx->ctx : &server_ctx;
3462SSL **sslp = o_ctx ? &o_ctx->ssl : &server_ssl;
3463int *fdp = o_ctx ? &tls_out.active.sock : &tls_in.active.sock;
3464
3465if (*fdp < 0) return; /* TLS was not active */
3466
3467if (shutdown)
3468 {
3469 int rc;
3470 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
3471 shutdown > 1 ? " (with response-wait)" : "");
3472
3473 if ( (rc = SSL_shutdown(*sslp)) == 0 /* send "close notify" alert */
3474 && shutdown > 1)
3475 {
3476 ALARM(2);
3477 rc = SSL_shutdown(*sslp); /* wait for response */
3478 ALARM_CLR(0);
3479 }
3480
3481 if (rc < 0) DEBUG(D_tls)
3482 {
3483 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3484 debug_printf("SSL_shutdown: %s\n", ssl_errstring);
3485 }
3486 }
3487
3488if (!o_ctx) /* server side */
3489 {
3490#ifndef DISABLE_OCSP
3491 sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
3492 server_static_cbinfo->verify_stack = NULL;
3493#endif
3494
3495 receive_getc = smtp_getc;
3496 receive_getbuf = smtp_getbuf;
3497 receive_get_cache = smtp_get_cache;
3498 receive_ungetc = smtp_ungetc;
3499 receive_feof = smtp_feof;
3500 receive_ferror = smtp_ferror;
3501 receive_smtp_buffered = smtp_buffered;
3502 tls_in.active.tls_ctx = NULL;
3503 tls_in.sni = NULL;
3504 /* Leave bits, peercert, cipher, peerdn, certificate_verified set, for logging */
3505 }
3506
3507SSL_CTX_free(*ctxp);
3508SSL_free(*sslp);
3509*ctxp = NULL;
3510*sslp = NULL;
3511*fdp = -1;
3512}
3513
3514
3515
3516
3517/*************************************************
3518* Let tls_require_ciphers be checked at startup *
3519*************************************************/
3520
3521/* The tls_require_ciphers option, if set, must be something which the
3522library can parse.
3523
3524Returns: NULL on success, or error message
3525*/
3526
3527uschar *
3528tls_validate_require_cipher(void)
3529{
3530SSL_CTX *ctx;
3531uschar *s, *expciphers, *err;
3532
3533/* this duplicates from tls_init(), we need a better "init just global
3534state, for no specific purpose" singleton function of our own */
3535
3536#ifdef EXIM_NEED_OPENSSL_INIT
3537SSL_load_error_strings();
3538OpenSSL_add_ssl_algorithms();
3539#endif
3540#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
3541/* SHA256 is becoming ever more popular. This makes sure it gets added to the
3542list of available digests. */
3543EVP_add_digest(EVP_sha256());
3544#endif
3545
3546if (!(tls_require_ciphers && *tls_require_ciphers))
3547 return NULL;
3548
3549if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
3550 &err))
3551 return US"failed to expand tls_require_ciphers";
3552
3553if (!(expciphers && *expciphers))
3554 return NULL;
3555
3556/* normalisation ripped from above */
3557s = expciphers;
3558while (*s != 0) { if (*s == '_') *s = '-'; s++; }
3559
3560err = NULL;
3561
3562#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
3563if (!(ctx = SSL_CTX_new(TLS_server_method())))
3564#else
3565if (!(ctx = SSL_CTX_new(SSLv23_server_method())))
3566#endif
3567 {
3568 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3569 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
3570 }
3571
3572DEBUG(D_tls)
3573 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
3574
3575if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
3576 {
3577 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3578 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed: %s",
3579 expciphers, ssl_errstring);
3580 }
3581
3582SSL_CTX_free(ctx);
3583
3584return err;
3585}
3586
3587
3588
3589
3590/*************************************************
3591* Report the library versions. *
3592*************************************************/
3593
3594/* There have historically been some issues with binary compatibility in
3595OpenSSL libraries; if Exim (like many other applications) is built against
3596one version of OpenSSL but the run-time linker picks up another version,
3597it can result in serious failures, including crashing with a SIGSEGV. So
3598report the version found by the compiler and the run-time version.
3599
3600Note: some OS vendors backport security fixes without changing the version
3601number/string, and the version date remains unchanged. The _build_ date
3602will change, so we can more usefully assist with version diagnosis by also
3603reporting the build date.
3604
3605Arguments: a FILE* to print the results to
3606Returns: nothing
3607*/
3608
3609void
3610tls_version_report(FILE *f)
3611{
3612fprintf(f, "Library version: OpenSSL: Compile: %s\n"
3613 " Runtime: %s\n"
3614 " : %s\n",
3615 OPENSSL_VERSION_TEXT,
3616 SSLeay_version(SSLEAY_VERSION),
3617 SSLeay_version(SSLEAY_BUILT_ON));
3618/* third line is 38 characters for the %s and the line is 73 chars long;
3619the OpenSSL output includes a "built on: " prefix already. */
3620}
3621
3622
3623
3624
3625/*************************************************
3626* Random number generation *
3627*************************************************/
3628
3629/* Pseudo-random number generation. The result is not expected to be
3630cryptographically strong but not so weak that someone will shoot themselves
3631in the foot using it as a nonce in input in some email header scheme or
3632whatever weirdness they'll twist this into. The result should handle fork()
3633and avoid repeating sequences. OpenSSL handles that for us.
3634
3635Arguments:
3636 max range maximum
3637Returns a random number in range [0, max-1]
3638*/
3639
3640int
3641vaguely_random_number(int max)
3642{
3643unsigned int r;
3644int i, needed_len;
3645static pid_t pidlast = 0;
3646pid_t pidnow;
3647uschar smallbuf[sizeof(r)];
3648
3649if (max <= 1)
3650 return 0;
3651
3652pidnow = getpid();
3653if (pidnow != pidlast)
3654 {
3655 /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
3656 is unique for each thread", this doesn't apparently apply across processes,
3657 so our own warning from vaguely_random_number_fallback() applies here too.
3658 Fix per PostgreSQL. */
3659 if (pidlast != 0)
3660 RAND_cleanup();
3661 pidlast = pidnow;
3662 }
3663
3664/* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
3665if (!RAND_status())
3666 {
3667 randstuff r;
3668 gettimeofday(&r.tv, NULL);
3669 r.p = getpid();
3670
3671 RAND_seed(US (&r), sizeof(r));
3672 }
3673/* We're after pseudo-random, not random; if we still don't have enough data
3674in the internal PRNG then our options are limited. We could sleep and hope
3675for entropy to come along (prayer technique) but if the system is so depleted
3676in the first place then something is likely to just keep taking it. Instead,
3677we'll just take whatever little bit of pseudo-random we can still manage to
3678get. */
3679
3680needed_len = sizeof(r);
3681/* Don't take 8 times more entropy than needed if int is 8 octets and we were
3682asked for a number less than 10. */
3683for (r = max, i = 0; r; ++i)
3684 r >>= 1;
3685i = (i + 7) / 8;
3686if (i < needed_len)
3687 needed_len = i;
3688
3689#ifdef EXIM_HAVE_RAND_PSEUDO
3690/* We do not care if crypto-strong */
3691i = RAND_pseudo_bytes(smallbuf, needed_len);
3692#else
3693i = RAND_bytes(smallbuf, needed_len);
3694#endif
3695
3696if (i < 0)
3697 {
3698 DEBUG(D_all)
3699 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
3700 return vaguely_random_number_fallback(max);
3701 }
3702
3703r = 0;
3704for (uschar * p = smallbuf; needed_len; --needed_len, ++p)
3705 r = 256 * r + *p;
3706
3707/* We don't particularly care about weighted results; if someone wants
3708smooth distribution and cares enough then they should submit a patch then. */
3709return r % max;
3710}
3711
3712
3713
3714
3715/*************************************************
3716* OpenSSL option parse *
3717*************************************************/
3718
3719/* Parse one option for tls_openssl_options_parse below
3720
3721Arguments:
3722 name one option name
3723 value place to store a value for it
3724Returns success or failure in parsing
3725*/
3726
3727
3728
3729static BOOL
3730tls_openssl_one_option_parse(uschar *name, long *value)
3731{
3732int first = 0;
3733int last = exim_openssl_options_size;
3734while (last > first)
3735 {
3736 int middle = (first + last)/2;
3737 int c = Ustrcmp(name, exim_openssl_options[middle].name);
3738 if (c == 0)
3739 {
3740 *value = exim_openssl_options[middle].value;
3741 return TRUE;
3742 }
3743 else if (c > 0)
3744 first = middle + 1;
3745 else
3746 last = middle;
3747 }
3748return FALSE;
3749}
3750
3751
3752
3753
3754/*************************************************
3755* OpenSSL option parsing logic *
3756*************************************************/
3757
3758/* OpenSSL has a number of compatibility options which an administrator might
3759reasonably wish to set. Interpret a list similarly to decode_bits(), so that
3760we look like log_selector.
3761
3762Arguments:
3763 option_spec the administrator-supplied string of options
3764 results ptr to long storage for the options bitmap
3765Returns success or failure
3766*/
3767
3768BOOL
3769tls_openssl_options_parse(uschar *option_spec, long *results)
3770{
3771long result, item;
3772uschar *end;
3773uschar keep_c;
3774BOOL adding, item_parsed;
3775
3776/* Server: send no (<= TLS1.2) session tickets */
3777result = SSL_OP_NO_TICKET;
3778
3779/* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
3780 * from default because it increases BEAST susceptibility. */
3781#ifdef SSL_OP_NO_SSLv2
3782result |= SSL_OP_NO_SSLv2;
3783#endif
3784#ifdef SSL_OP_NO_SSLv3
3785result |= SSL_OP_NO_SSLv3;
3786#endif
3787#ifdef SSL_OP_SINGLE_DH_USE
3788result |= SSL_OP_SINGLE_DH_USE;
3789#endif
3790
3791if (!option_spec)
3792 {
3793 *results = result;
3794 return TRUE;
3795 }
3796
3797for (uschar * s = option_spec; *s; /**/)
3798 {
3799 while (isspace(*s)) ++s;
3800 if (*s == '\0')
3801 break;
3802 if (*s != '+' && *s != '-')
3803 {
3804 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
3805 "+ or - expected but found \"%s\"\n", s);
3806 return FALSE;
3807 }
3808 adding = *s++ == '+';
3809 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
3810 keep_c = *end;
3811 *end = '\0';
3812 item_parsed = tls_openssl_one_option_parse(s, &item);
3813 *end = keep_c;
3814 if (!item_parsed)
3815 {
3816 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
3817 return FALSE;
3818 }
3819 DEBUG(D_tls) debug_printf("openssl option, %s %8lx: %lx (%s)\n",
3820 adding ? "adding to " : "removing from", result, item, s);
3821 if (adding)
3822 result |= item;
3823 else
3824 result &= ~item;
3825 s = end;
3826 }
3827
3828*results = result;
3829return TRUE;
3830}
3831
3832#endif /*!MACRO_PREDEF*/
3833/* vi: aw ai sw=2
3834*/
3835/* End of tls-openssl.c */
Unnamed repository; edit this file 'description' to name the repository.