projects / exim.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge openssl_disable_ssl2 branch
[exim.git] / src / src / tls-openssl.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2012 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8 /* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
9 library. It is #included into the tls.c file when that library is used. The
10 code herein is based on a patch that was originally contributed by Steve
11 Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
12
13 No cryptographic code is included in Exim. All this module does is to call
14 functions from the OpenSSL library. */
15
16
17 /* Heading stuff */
18
19 #include <openssl/lhash.h>
20 #include <openssl/ssl.h>
21 #include <openssl/err.h>
22 #include <openssl/rand.h>
23 #ifdef EXPERIMENTAL_OCSP
24 #include <openssl/ocsp.h>
25 #endif
26
27 #ifdef EXPERIMENTAL_OCSP
28 #define EXIM_OCSP_SKEW_SECONDS (300L)
29 #define EXIM_OCSP_MAX_AGE (-1L)
30 #endif
31
32 #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
33 #define EXIM_HAVE_OPENSSL_TLSEXT
34 #endif
35
36 /* Structure for collecting random data for seeding. */
37
38 typedef struct randstuff {
39 struct timeval tv;
40 pid_t p;
41 } randstuff;
42
43 /* Local static variables */
44
45 static BOOL verify_callback_called = FALSE;
46 static const uschar *sid_ctx = US"exim";
47
48 static SSL_CTX *ctx = NULL;
49 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
50 static SSL_CTX *ctx_sni = NULL;
51 #endif
52 static SSL *ssl = NULL;
53
54 static char ssl_errstring[256];
55
56 static int ssl_session_timeout = 200;
57 static BOOL verify_optional = FALSE;
58
59 static BOOL reexpand_tls_files_for_sni = FALSE;
60
61
62 typedef struct tls_ext_ctx_cb {
63 uschar *certificate;
64 uschar *privatekey;
65 #ifdef EXPERIMENTAL_OCSP
66 uschar *ocsp_file;
67 uschar *ocsp_file_expanded;
68 OCSP_RESPONSE *ocsp_response;
69 #endif
70 uschar *dhparam;
71 /* these are cached from first expand */
72 uschar *server_cipher_list;
73 /* only passed down to tls_error: */
74 host_item *host;
75 } tls_ext_ctx_cb;
76
77 /* should figure out a cleanup of API to handle state preserved per
78 implementation, for various reasons, which can be void * in the APIs.
79 For now, we hack around it. */
80 tls_ext_ctx_cb *static_cbinfo = NULL;
81
82 static int
83 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional);
84
85 /* Callbacks */
86 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
87 static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
88 #endif
89 #ifdef EXPERIMENTAL_OCSP
90 static int tls_stapling_cb(SSL *s, void *arg);
91 #endif
92
93
94 /*************************************************
95 * Handle TLS error *
96 *************************************************/
97
98 /* Called from lots of places when errors occur before actually starting to do
99 the TLS handshake, that is, while the session is still in clear. Always returns
100 DEFER for a server and FAIL for a client so that most calls can use "return
101 tls_error(...)" to do this processing and then give an appropriate return. A
102 single function is used for both server and client, because it is called from
103 some shared functions.
104
105 Argument:
106 prefix text to include in the logged error
107 host NULL if setting up a server;
108 the connected host if setting up a client
109 msg error message or NULL if we should ask OpenSSL
110
111 Returns: OK/DEFER/FAIL
112 */
113
114 static int
115 tls_error(uschar *prefix, host_item *host, uschar *msg)
116 {
117 if (msg == NULL)
118 {
119 ERR_error_string(ERR_get_error(), ssl_errstring);
120 msg = (uschar *)ssl_errstring;
121 }
122
123 if (host == NULL)
124 {
125 uschar *conn_info = smtp_get_connection_info();
126 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0)
127 conn_info += 5;
128 log_write(0, LOG_MAIN, "TLS error on %s (%s): %s",
129 conn_info, prefix, msg);
130 return DEFER;
131 }
132 else
133 {
134 log_write(0, LOG_MAIN, "TLS error on connection to %s [%s] (%s): %s",
135 host->name, host->address, prefix, msg);
136 return FAIL;
137 }
138 }
139
140
141
142 /*************************************************
143 * Callback to generate RSA key *
144 *************************************************/
145
146 /*
147 Arguments:
148 s SSL connection
149 export not used
150 keylength keylength
151
152 Returns: pointer to generated key
153 */
154
155 static RSA *
156 rsa_callback(SSL *s, int export, int keylength)
157 {
158 RSA *rsa_key;
159 export = export; /* Shut picky compilers up */
160 DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
161 rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL);
162 if (rsa_key == NULL)
163 {
164 ERR_error_string(ERR_get_error(), ssl_errstring);
165 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
166 ssl_errstring);
167 return NULL;
168 }
169 return rsa_key;
170 }
171
172
173
174
175 /*************************************************
176 * Callback for verification *
177 *************************************************/
178
179 /* The SSL library does certificate verification if set up to do so. This
180 callback has the current yes/no state is in "state". If verification succeeded,
181 we set up the tls_peerdn string. If verification failed, what happens depends
182 on whether the client is required to present a verifiable certificate or not.
183
184 If verification is optional, we change the state to yes, but still log the
185 verification error. For some reason (it really would help to have proper
186 documentation of OpenSSL), this callback function then gets called again, this
187 time with state = 1. In fact, that's useful, because we can set up the peerdn
188 value, but we must take care not to set the private verified flag on the second
189 time through.
190
191 Note: this function is not called if the client fails to present a certificate
192 when asked. We get here only if a certificate has been received. Handling of
193 optional verification for this case is done when requesting SSL to verify, by
194 setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
195
196 Arguments:
197 state current yes/no state as 1/0
198 x509ctx certificate information.
199
200 Returns: 1 if verified, 0 if not
201 */
202
203 static int
204 verify_callback(int state, X509_STORE_CTX *x509ctx)
205 {
206 static uschar txt[256];
207
208 X509_NAME_oneline(X509_get_subject_name(x509ctx->current_cert),
209 CS txt, sizeof(txt));
210
211 if (state == 0)
212 {
213 log_write(0, LOG_MAIN, "SSL verify error: depth=%d error=%s cert=%s",
214 x509ctx->error_depth,
215 X509_verify_cert_error_string(x509ctx->error),
216 txt);
217 tls_certificate_verified = FALSE;
218 verify_callback_called = TRUE;
219 if (!verify_optional) return 0; /* reject */
220 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
221 "tls_try_verify_hosts)\n");
222 return 1; /* accept */
223 }
224
225 if (x509ctx->error_depth != 0)
226 {
227 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d cert=%s\n",
228 x509ctx->error_depth, txt);
229 }
230 else
231 {
232 DEBUG(D_tls) debug_printf("SSL%s peer: %s\n",
233 verify_callback_called? "" : " authenticated", txt);
234 tls_peerdn = txt;
235 }
236
237 if (!verify_callback_called) tls_certificate_verified = TRUE;
238 verify_callback_called = TRUE;
239
240 return 1; /* accept */
241 }
242
243
244
245 /*************************************************
246 * Information callback *
247 *************************************************/
248
249 /* The SSL library functions call this from time to time to indicate what they
250 are doing. We copy the string to the debugging output when TLS debugging has
251 been requested.
252
253 Arguments:
254 s the SSL connection
255 where
256 ret
257
258 Returns: nothing
259 */
260
261 static void
262 info_callback(SSL *s, int where, int ret)
263 {
264 where = where;
265 ret = ret;
266 DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
267 }
268
269
270
271 /*************************************************
272 * Initialize for DH *
273 *************************************************/
274
275 /* If dhparam is set, expand it, and load up the parameters for DH encryption.
276
277 Arguments:
278 dhparam DH parameter file or fixed parameter identity string
279 host connected host, if client; NULL if server
280
281 Returns: TRUE if OK (nothing to set up, or setup worked)
282 */
283
284 static BOOL
285 init_dh(SSL_CTX *sctx, uschar *dhparam, host_item *host)
286 {
287 BIO *bio;
288 DH *dh;
289 uschar *dhexpanded;
290 const char *pem;
291
292 if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded))
293 return FALSE;
294
295 if (dhexpanded == NULL || *dhexpanded == '\0')
296 {
297 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
298 }
299 else if (dhexpanded[0] == '/')
300 {
301 bio = BIO_new_file(CS dhexpanded, "r");
302 if (bio == NULL)
303 {
304 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
305 host, US strerror(errno));
306 return FALSE;
307 }
308 }
309 else
310 {
311 if (Ustrcmp(dhexpanded, "none") == 0)
312 {
313 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
314 return TRUE;
315 }
316
317 pem = std_dh_prime_named(dhexpanded);
318 if (!pem)
319 {
320 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
321 host, US strerror(errno));
322 return FALSE;
323 }
324 bio = BIO_new_mem_buf(CS pem, -1);
325 }
326
327 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
328 if (dh == NULL)
329 {
330 BIO_free(bio);
331 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
332 host, NULL);
333 return FALSE;
334 }
335
336 /* Even if it is larger, we silently return success rather than cause things
337 * to fail out, so that a too-large DH will not knock out all TLS; it's a
338 * debatable choice. */
339 if ((8*DH_size(dh)) > tls_dh_max_bits)
340 {
341 DEBUG(D_tls)
342 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d",
343 8*DH_size(dh), tls_dh_max_bits);
344 }
345 else
346 {
347 SSL_CTX_set_tmp_dh(sctx, dh);
348 DEBUG(D_tls)
349 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
350 dhexpanded ? dhexpanded : US"default", 8*DH_size(dh));
351 }
352
353 DH_free(dh);
354 BIO_free(bio);
355
356 return TRUE;
357 }
358
359
360
361
362 #ifdef EXPERIMENTAL_OCSP
363 /*************************************************
364 * Load OCSP information into state *
365 *************************************************/
366
367 /* Called to load the OCSP response from the given file into memory, once
368 caller has determined this is needed. Checks validity. Debugs a message
369 if invalid.
370
371 ASSUMES: single response, for single cert.
372
373 Arguments:
374 sctx the SSL_CTX* to update
375 cbinfo various parts of session state
376 expanded the filename putatively holding an OCSP response
377
378 */
379
380 static void
381 ocsp_load_response(SSL_CTX *sctx,
382 tls_ext_ctx_cb *cbinfo,
383 const uschar *expanded)
384 {
385 BIO *bio;
386 OCSP_RESPONSE *resp;
387 OCSP_BASICRESP *basic_response;
388 OCSP_SINGLERESP *single_response;
389 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
390 X509_STORE *store;
391 unsigned long verify_flags;
392 int status, reason, i;
393
394 cbinfo->ocsp_file_expanded = string_copy(expanded);
395 if (cbinfo->ocsp_response)
396 {
397 OCSP_RESPONSE_free(cbinfo->ocsp_response);
398 cbinfo->ocsp_response = NULL;
399 }
400
401 bio = BIO_new_file(CS cbinfo->ocsp_file_expanded, "rb");
402 if (!bio)
403 {
404 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
405 cbinfo->ocsp_file_expanded);
406 return;
407 }
408
409 resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
410 BIO_free(bio);
411 if (!resp)
412 {
413 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
414 return;
415 }
416
417 status = OCSP_response_status(resp);
418 if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL)
419 {
420 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
421 OCSP_response_status_str(status), status);
422 return;
423 }
424
425 basic_response = OCSP_response_get1_basic(resp);
426 if (!basic_response)
427 {
428 DEBUG(D_tls)
429 debug_printf("OCSP response parse error: unable to extract basic response.\n");
430 return;
431 }
432
433 store = SSL_CTX_get_cert_store(sctx);
434 verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
435
436 /* May need to expose ability to adjust those flags?
437 OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
438 OCSP_TRUSTOTHER OCSP_NOINTERN */
439
440 i = OCSP_basic_verify(basic_response, NULL, store, verify_flags);
441 if (i <= 0)
442 {
443 DEBUG(D_tls) {
444 ERR_error_string(ERR_get_error(), ssl_errstring);
445 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
446 }
447 return;
448 }
449
450 /* Here's the simplifying assumption: there's only one response, for the
451 one certificate we use, and nothing for anything else in a chain. If this
452 proves false, we need to extract a cert id from our issued cert
453 (tls_certificate) and use that for OCSP_resp_find_status() (which finds the
454 right cert in the stack and then calls OCSP_single_get0_status()).
455
456 I'm hoping to avoid reworking a bunch more of how we handle state here. */
457 single_response = OCSP_resp_get0(basic_response, 0);
458 if (!single_response)
459 {
460 DEBUG(D_tls)
461 debug_printf("Unable to get first response from OCSP basic response.\n");
462 return;
463 }
464
465 status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
466 /* how does this status differ from the one above? */
467 if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL)
468 {
469 DEBUG(D_tls) debug_printf("OCSP response not valid (take 2): %s (%d)\n",
470 OCSP_response_status_str(status), status);
471 return;
472 }
473
474 if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
475 {
476 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
477 return;
478 }
479
480 cbinfo->ocsp_response = resp;
481 }
482 #endif
483
484
485
486
487 /*************************************************
488 * Expand key and cert file specs *
489 *************************************************/
490
491 /* Called once during tls_init and possibly againt during TLS setup, for a
492 new context, if Server Name Indication was used and tls_sni was seen in
493 the certificate string.
494
495 Arguments:
496 sctx the SSL_CTX* to update
497 cbinfo various parts of session state
498
499 Returns: OK/DEFER/FAIL
500 */
501
502 static int
503 tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo)
504 {
505 uschar *expanded;
506
507 if (cbinfo->certificate == NULL)
508 return OK;
509
510 if (Ustrstr(cbinfo->certificate, US"tls_sni"))
511 reexpand_tls_files_for_sni = TRUE;
512
513 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded))
514 return DEFER;
515
516 if (expanded != NULL)
517 {
518 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded);
519 if (!SSL_CTX_use_certificate_chain_file(sctx, CS expanded))
520 return tls_error(string_sprintf(
521 "SSL_CTX_use_certificate_chain_file file=%s", expanded),
522 cbinfo->host, NULL);
523 }
524
525 if (cbinfo->privatekey != NULL &&
526 !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded))
527 return DEFER;
528
529 /* If expansion was forced to fail, key_expanded will be NULL. If the result
530 of the expansion is an empty string, ignore it also, and assume the private
531 key is in the same file as the certificate. */
532
533 if (expanded != NULL && *expanded != 0)
534 {
535 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
536 if (!SSL_CTX_use_PrivateKey_file(sctx, CS expanded, SSL_FILETYPE_PEM))
537 return tls_error(string_sprintf(
538 "SSL_CTX_use_PrivateKey_file file=%s", expanded), cbinfo->host, NULL);
539 }
540
541 #ifdef EXPERIMENTAL_OCSP
542 if (cbinfo->ocsp_file != NULL)
543 {
544 if (!expand_check(cbinfo->ocsp_file, US"tls_ocsp_file", &expanded))
545 return DEFER;
546
547 if (expanded != NULL && *expanded != 0)
548 {
549 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
550 if (cbinfo->ocsp_file_expanded &&
551 (Ustrcmp(expanded, cbinfo->ocsp_file_expanded) == 0))
552 {
553 DEBUG(D_tls)
554 debug_printf("tls_ocsp_file value unchanged, using existing values.\n");
555 } else {
556 ocsp_load_response(sctx, cbinfo, expanded);
557 }
558 }
559 }
560 #endif
561
562 return OK;
563 }
564
565
566
567
568 /*************************************************
569 * Callback to handle SNI *
570 *************************************************/
571
572 /* Called when acting as server during the TLS session setup if a Server Name
573 Indication extension was sent by the client.
574
575 API documentation is OpenSSL s_server.c implementation.
576
577 Arguments:
578 s SSL* of the current session
579 ad unknown (part of OpenSSL API) (unused)
580 arg Callback of "our" registered data
581
582 Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
583 */
584
585 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
586 static int
587 tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
588 {
589 const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
590 tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
591 int rc;
592 int old_pool = store_pool;
593
594 if (!servername)
595 return SSL_TLSEXT_ERR_OK;
596
597 DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
598 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
599
600 /* Make the extension value available for expansion */
601 store_pool = POOL_PERM;
602 tls_sni = string_copy(US servername);
603 store_pool = old_pool;
604
605 if (!reexpand_tls_files_for_sni)
606 return SSL_TLSEXT_ERR_OK;
607
608 /* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
609 not confident that memcpy wouldn't break some internal reference counting.
610 Especially since there's a references struct member, which would be off. */
611
612 ctx_sni = SSL_CTX_new(SSLv23_server_method());
613 if (!ctx_sni)
614 {
615 ERR_error_string(ERR_get_error(), ssl_errstring);
616 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
617 return SSL_TLSEXT_ERR_NOACK;
618 }
619
620 /* Not sure how many of these are actually needed, since SSL object
621 already exists. Might even need this selfsame callback, for reneg? */
622
623 SSL_CTX_set_info_callback(ctx_sni, SSL_CTX_get_info_callback(ctx));
624 SSL_CTX_set_mode(ctx_sni, SSL_CTX_get_mode(ctx));
625 SSL_CTX_set_options(ctx_sni, SSL_CTX_get_options(ctx));
626 SSL_CTX_set_timeout(ctx_sni, SSL_CTX_get_timeout(ctx));
627 SSL_CTX_set_tlsext_servername_callback(ctx_sni, tls_servername_cb);
628 SSL_CTX_set_tlsext_servername_arg(ctx_sni, cbinfo);
629 if (cbinfo->server_cipher_list)
630 SSL_CTX_set_cipher_list(ctx_sni, CS cbinfo->server_cipher_list);
631 #ifdef EXPERIMENTAL_OCSP
632 if (cbinfo->ocsp_file)
633 {
634 SSL_CTX_set_tlsext_status_cb(ctx_sni, tls_stapling_cb);
635 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
636 }
637 #endif
638
639 rc = setup_certs(ctx_sni, tls_verify_certificates, tls_crl, NULL, FALSE);
640 if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
641
642 /* do this after setup_certs, because this can require the certs for verifying
643 OCSP information. */
644 rc = tls_expand_session_files(ctx_sni, cbinfo);
645 if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
646
647 rc = init_dh(ctx_sni, cbinfo->dhparam, NULL);
648 if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
649
650 DEBUG(D_tls) debug_printf("Switching SSL context.\n");
651 SSL_set_SSL_CTX(s, ctx_sni);
652
653 return SSL_TLSEXT_ERR_OK;
654 }
655 #endif /* EXIM_HAVE_OPENSSL_TLSEXT */
656
657
658
659
660 #ifdef EXPERIMENTAL_OCSP
661 /*************************************************
662 * Callback to handle OCSP Stapling *
663 *************************************************/
664
665 /* Called when acting as server during the TLS session setup if the client
666 requests OCSP information with a Certificate Status Request.
667
668 Documentation via openssl s_server.c and the Apache patch from the OpenSSL
669 project.
670
671 */
672
673 static int
674 tls_stapling_cb(SSL *s, void *arg)
675 {
676 const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
677 uschar *response_der;
678 int response_der_len;
679
680 DEBUG(D_tls) debug_printf("Received TLS status request (OCSP stapling); %s response.\n",
681 cbinfo->ocsp_response ? "have" : "lack");
682 if (!cbinfo->ocsp_response)
683 return SSL_TLSEXT_ERR_NOACK;
684
685 response_der = NULL;
686 response_der_len = i2d_OCSP_RESPONSE(cbinfo->ocsp_response, &response_der);
687 if (response_der_len <= 0)
688 return SSL_TLSEXT_ERR_NOACK;
689
690 SSL_set_tlsext_status_ocsp_resp(ssl, response_der, response_der_len);
691 return SSL_TLSEXT_ERR_OK;
692 }
693
694 #endif /* EXPERIMENTAL_OCSP */
695
696
697
698
699 /*************************************************
700 * Initialize for TLS *
701 *************************************************/
702
703 /* Called from both server and client code, to do preliminary initialization of
704 the library.
705
706 Arguments:
707 host connected host, if client; NULL if server
708 dhparam DH parameter file
709 certificate certificate file
710 privatekey private key
711 addr address if client; NULL if server (for some randomness)
712
713 Returns: OK/DEFER/FAIL
714 */
715
716 static int
717 tls_init(host_item *host, uschar *dhparam, uschar *certificate,
718 uschar *privatekey,
719 #ifdef EXPERIMENTAL_OCSP
720 uschar *ocsp_file,
721 #endif
722 address_item *addr)
723 {
724 long init_options;
725 int rc;
726 BOOL okay;
727 tls_ext_ctx_cb *cbinfo;
728
729 cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
730 cbinfo->certificate = certificate;
731 cbinfo->privatekey = privatekey;
732 #ifdef EXPERIMENTAL_OCSP
733 cbinfo->ocsp_file = ocsp_file;
734 #endif
735 cbinfo->dhparam = dhparam;
736 cbinfo->host = host;
737
738 SSL_load_error_strings(); /* basic set up */
739 OpenSSL_add_ssl_algorithms();
740
741 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
742 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
743 list of available digests. */
744 EVP_add_digest(EVP_sha256());
745 #endif
746
747 /* Create a context.
748 The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
749 negotiation in the different methods; as far as I can tell, the only
750 *_{server,client}_method which allows negotiation is SSLv23, which exists even
751 when OpenSSL is built without SSLv2 support.
752 By disabling with openssl_options, we can let admins re-enable with the
753 existing knob. */
754
755 ctx = SSL_CTX_new((host == NULL)?
756 SSLv23_server_method() : SSLv23_client_method());
757
758 if (ctx == NULL) return tls_error(US"SSL_CTX_new", host, NULL);
759
760 /* It turns out that we need to seed the random number generator this early in
761 order to get the full complement of ciphers to work. It took me roughly a day
762 of work to discover this by experiment.
763
764 On systems that have /dev/urandom, SSL may automatically seed itself from
765 there. Otherwise, we have to make something up as best we can. Double check
766 afterwards. */
767
768 if (!RAND_status())
769 {
770 randstuff r;
771 gettimeofday(&r.tv, NULL);
772 r.p = getpid();
773
774 RAND_seed((uschar *)(&r), sizeof(r));
775 RAND_seed((uschar *)big_buffer, big_buffer_size);
776 if (addr != NULL) RAND_seed((uschar *)addr, sizeof(addr));
777
778 if (!RAND_status())
779 return tls_error(US"RAND_status", host,
780 US"unable to seed random number generator");
781 }
782
783 /* Set up the information callback, which outputs if debugging is at a suitable
784 level. */
785
786 SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
787
788 /* Automatically re-try reads/writes after renegotiation. */
789 (void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
790
791 /* Apply administrator-supplied work-arounds.
792 Historically we applied just one requested option,
793 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
794 moved to an administrator-controlled list of options to specify and
795 grandfathered in the first one as the default value for "openssl_options".
796
797 No OpenSSL version number checks: the options we accept depend upon the
798 availability of the option value macros from OpenSSL. */
799
800 okay = tls_openssl_options_parse(openssl_options, &init_options);
801 if (!okay)
802 return tls_error(US"openssl_options parsing failed", host, NULL);
803
804 if (init_options)
805 {
806 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
807 if (!(SSL_CTX_set_options(ctx, init_options)))
808 return tls_error(string_sprintf(
809 "SSL_CTX_set_option(%#lx)", init_options), host, NULL);
810 }
811 else
812 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
813
814 /* Initialize with DH parameters if supplied */
815
816 if (!init_dh(ctx, dhparam, host)) return DEFER;
817
818 /* Set up certificate and key (and perhaps OCSP info) */
819
820 rc = tls_expand_session_files(ctx, cbinfo);
821 if (rc != OK) return rc;
822
823 /* If we need to handle SNI, do so */
824 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
825 if (host == NULL)
826 {
827 #ifdef EXPERIMENTAL_OCSP
828 /* We check ocsp_file, not ocsp_response, because we care about if
829 the option exists, not what the current expansion might be, as SNI might
830 change the certificate and OCSP file in use between now and the time the
831 callback is invoked. */
832 if (cbinfo->ocsp_file)
833 {
834 SSL_CTX_set_tlsext_status_cb(ctx, tls_stapling_cb);
835 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
836 }
837 #endif
838 /* We always do this, so that $tls_sni is available even if not used in
839 tls_certificate */
840 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
841 SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
842 }
843 #endif
844
845 /* Set up the RSA callback */
846
847 SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
848
849 /* Finally, set the timeout, and we are done */
850
851 SSL_CTX_set_timeout(ctx, ssl_session_timeout);
852 DEBUG(D_tls) debug_printf("Initialized TLS\n");
853
854 static_cbinfo = cbinfo;
855
856 return OK;
857 }
858
859
860
861
862 /*************************************************
863 * Get name of cipher in use *
864 *************************************************/
865
866 /* The answer is left in a static buffer, and tls_cipher is set to point
867 to it.
868
869 Argument: pointer to an SSL structure for the connection
870 Returns: nothing
871 */
872
873 static void
874 construct_cipher_name(SSL *ssl)
875 {
876 static uschar cipherbuf[256];
877 /* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't
878 yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
879 the accessor functions use const in the prototype. */
880 const SSL_CIPHER *c;
881 uschar *ver;
882
883 switch (ssl->session->ssl_version)
884 {
885 case SSL2_VERSION:
886 ver = US"SSLv2";
887 break;
888
889 case SSL3_VERSION:
890 ver = US"SSLv3";
891 break;
892
893 case TLS1_VERSION:
894 ver = US"TLSv1";
895 break;
896
897 #ifdef TLS1_1_VERSION
898 case TLS1_1_VERSION:
899 ver = US"TLSv1.1";
900 break;
901 #endif
902
903 #ifdef TLS1_2_VERSION
904 case TLS1_2_VERSION:
905 ver = US"TLSv1.2";
906 break;
907 #endif
908
909 default:
910 ver = US"UNKNOWN";
911 }
912
913 c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
914 SSL_CIPHER_get_bits(c, &tls_bits);
915
916 string_format(cipherbuf, sizeof(cipherbuf), "%s:%s:%u", ver,
917 SSL_CIPHER_get_name(c), tls_bits);
918 tls_cipher = cipherbuf;
919
920 DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
921 }
922
923
924
925
926
927 /*************************************************
928 * Set up for verifying certificates *
929 *************************************************/
930
931 /* Called by both client and server startup
932
933 Arguments:
934 sctx SSL_CTX* to initialise
935 certs certs file or NULL
936 crl CRL file or NULL
937 host NULL in a server; the remote host in a client
938 optional TRUE if called from a server for a host in tls_try_verify_hosts;
939 otherwise passed as FALSE
940
941 Returns: OK/DEFER/FAIL
942 */
943
944 static int
945 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional)
946 {
947 uschar *expcerts, *expcrl;
948
949 if (!expand_check(certs, US"tls_verify_certificates", &expcerts))
950 return DEFER;
951
952 if (expcerts != NULL)
953 {
954 struct stat statbuf;
955 if (!SSL_CTX_set_default_verify_paths(sctx))
956 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
957
958 if (Ustat(expcerts, &statbuf) < 0)
959 {
960 log_write(0, LOG_MAIN|LOG_PANIC,
961 "failed to stat %s for certificates", expcerts);
962 return DEFER;
963 }
964 else
965 {
966 uschar *file, *dir;
967 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
968 { file = NULL; dir = expcerts; }
969 else
970 { file = expcerts; dir = NULL; }
971
972 /* If a certificate file is empty, the next function fails with an
973 unhelpful error message. If we skip it, we get the correct behaviour (no
974 certificates are recognized, but the error message is still misleading (it
975 says no certificate was supplied.) But this is better. */
976
977 if ((file == NULL || statbuf.st_size > 0) &&
978 !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
979 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL);
980
981 if (file != NULL)
982 {
983 SSL_CTX_set_client_CA_list(sctx, SSL_load_client_CA_file(CS file));
984 }
985 }
986
987 /* Handle a certificate revocation list. */
988
989 #if OPENSSL_VERSION_NUMBER > 0x00907000L
990
991 /* This bit of code is now the version supplied by Lars Mainka. (I have
992 * merely reformatted it into the Exim code style.)
993
994 * "From here I changed the code to add support for multiple crl's
995 * in pem format in one file or to support hashed directory entries in
996 * pem format instead of a file. This method now uses the library function
997 * X509_STORE_load_locations to add the CRL location to the SSL context.
998 * OpenSSL will then handle the verify against CA certs and CRLs by
999 * itself in the verify callback." */
1000
1001 if (!expand_check(crl, US"tls_crl", &expcrl)) return DEFER;
1002 if (expcrl != NULL && *expcrl != 0)
1003 {
1004 struct stat statbufcrl;
1005 if (Ustat(expcrl, &statbufcrl) < 0)
1006 {
1007 log_write(0, LOG_MAIN|LOG_PANIC,
1008 "failed to stat %s for certificates revocation lists", expcrl);
1009 return DEFER;
1010 }
1011 else
1012 {
1013 /* is it a file or directory? */
1014 uschar *file, *dir;
1015 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
1016 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
1017 {
1018 file = NULL;
1019 dir = expcrl;
1020 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
1021 }
1022 else
1023 {
1024 file = expcrl;
1025 dir = NULL;
1026 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
1027 }
1028 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
1029 return tls_error(US"X509_STORE_load_locations", host, NULL);
1030
1031 /* setting the flags to check against the complete crl chain */
1032
1033 X509_STORE_set_flags(cvstore,
1034 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
1035 }
1036 }
1037
1038 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
1039
1040 /* If verification is optional, don't fail if no certificate */
1041
1042 SSL_CTX_set_verify(sctx,
1043 SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
1044 verify_callback);
1045 }
1046
1047 return OK;
1048 }
1049
1050
1051
1052 /*************************************************
1053 * Start a TLS session in a server *
1054 *************************************************/
1055
1056 /* This is called when Exim is running as a server, after having received
1057 the STARTTLS command. It must respond to that command, and then negotiate
1058 a TLS session.
1059
1060 Arguments:
1061 require_ciphers allowed ciphers
1062
1063 Returns: OK on success
1064 DEFER for errors before the start of the negotiation
1065 FAIL for errors during the negotation; the server can't
1066 continue running.
1067 */
1068
1069 int
1070 tls_server_start(const uschar *require_ciphers)
1071 {
1072 int rc;
1073 uschar *expciphers;
1074 tls_ext_ctx_cb *cbinfo;
1075
1076 /* Check for previous activation */
1077
1078 if (tls_active >= 0)
1079 {
1080 tls_error(US"STARTTLS received after TLS started", NULL, US"");
1081 smtp_printf("554 Already in TLS\r\n");
1082 return FAIL;
1083 }
1084
1085 /* Initialize the SSL library. If it fails, it will already have logged
1086 the error. */
1087
1088 rc = tls_init(NULL, tls_dhparam, tls_certificate, tls_privatekey,
1089 #ifdef EXPERIMENTAL_OCSP
1090 tls_ocsp_file,
1091 #endif
1092 NULL);
1093 if (rc != OK) return rc;
1094 cbinfo = static_cbinfo;
1095
1096 if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
1097 return FAIL;
1098
1099 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
1100 were historically separated by underscores. So that I can use either form in my
1101 tests, and also for general convenience, we turn underscores into hyphens here.
1102 */
1103
1104 if (expciphers != NULL)
1105 {
1106 uschar *s = expciphers;
1107 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1108 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
1109 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
1110 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL);
1111 cbinfo->server_cipher_list = expciphers;
1112 }
1113
1114 /* If this is a host for which certificate verification is mandatory or
1115 optional, set up appropriately. */
1116
1117 tls_certificate_verified = FALSE;
1118 verify_callback_called = FALSE;
1119
1120 if (verify_check_host(&tls_verify_hosts) == OK)
1121 {
1122 rc = setup_certs(ctx, tls_verify_certificates, tls_crl, NULL, FALSE);
1123 if (rc != OK) return rc;
1124 verify_optional = FALSE;
1125 }
1126 else if (verify_check_host(&tls_try_verify_hosts) == OK)
1127 {
1128 rc = setup_certs(ctx, tls_verify_certificates, tls_crl, NULL, TRUE);
1129 if (rc != OK) return rc;
1130 verify_optional = TRUE;
1131 }
1132
1133 /* Prepare for new connection */
1134
1135 if ((ssl = SSL_new(ctx)) == NULL) return tls_error(US"SSL_new", NULL, NULL);
1136
1137 /* Warning: we used to SSL_clear(ssl) here, it was removed.
1138 *
1139 * With the SSL_clear(), we get strange interoperability bugs with
1140 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
1141 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
1142 *
1143 * The SSL_clear() call is to let an existing SSL* be reused, typically after
1144 * session shutdown. In this case, we have a brand new object and there's no
1145 * obvious reason to immediately clear it. I'm guessing that this was
1146 * originally added because of incomplete initialisation which the clear fixed,
1147 * in some historic release.
1148 */
1149
1150 /* Set context and tell client to go ahead, except in the case of TLS startup
1151 on connection, where outputting anything now upsets the clients and tends to
1152 make them disconnect. We need to have an explicit fflush() here, to force out
1153 the response. Other smtp_printf() calls do not need it, because in non-TLS
1154 mode, the fflush() happens when smtp_getc() is called. */
1155
1156 SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
1157 if (!tls_on_connect)
1158 {
1159 smtp_printf("220 TLS go ahead\r\n");
1160 fflush(smtp_out);
1161 }
1162
1163 /* Now negotiate the TLS session. We put our own timer on it, since it seems
1164 that the OpenSSL library doesn't. */
1165
1166 SSL_set_wfd(ssl, fileno(smtp_out));
1167 SSL_set_rfd(ssl, fileno(smtp_in));
1168 SSL_set_accept_state(ssl);
1169
1170 DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
1171
1172 sigalrm_seen = FALSE;
1173 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
1174 rc = SSL_accept(ssl);
1175 alarm(0);
1176
1177 if (rc <= 0)
1178 {
1179 tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL);
1180 if (ERR_get_error() == 0)
1181 log_write(0, LOG_MAIN,
1182 "TLS client disconnected cleanly (rejected our certificate?)");
1183 return FAIL;
1184 }
1185
1186 DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
1187
1188 /* TLS has been set up. Adjust the input functions to read via TLS,
1189 and initialize things. */
1190
1191 construct_cipher_name(ssl);
1192
1193 DEBUG(D_tls)
1194 {
1195 uschar buf[2048];
1196 if (SSL_get_shared_ciphers(ssl, CS buf, sizeof(buf)) != NULL)
1197 debug_printf("Shared ciphers: %s\n", buf);
1198 }
1199
1200
1201 ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
1202 ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
1203 ssl_xfer_eof = ssl_xfer_error = 0;
1204
1205 receive_getc = tls_getc;
1206 receive_ungetc = tls_ungetc;
1207 receive_feof = tls_feof;
1208 receive_ferror = tls_ferror;
1209 receive_smtp_buffered = tls_smtp_buffered;
1210
1211 tls_active = fileno(smtp_out);
1212 return OK;
1213 }
1214
1215
1216
1217
1218
1219 /*************************************************
1220 * Start a TLS session in a client *
1221 *************************************************/
1222
1223 /* Called from the smtp transport after STARTTLS has been accepted.
1224
1225 Argument:
1226 fd the fd of the connection
1227 host connected host (for messages)
1228 addr the first address
1229 dhparam DH parameter file
1230 certificate certificate file
1231 privatekey private key file
1232 sni TLS SNI to send to remote host
1233 verify_certs file for certificate verify
1234 crl file containing CRL
1235 require_ciphers list of allowed ciphers
1236 timeout startup timeout
1237
1238 Returns: OK on success
1239 FAIL otherwise - note that tls_error() will not give DEFER
1240 because this is not a server
1241 */
1242
1243 int
1244 tls_client_start(int fd, host_item *host, address_item *addr, uschar *dhparam,
1245 uschar *certificate, uschar *privatekey, uschar *sni,
1246 uschar *verify_certs, uschar *crl,
1247 uschar *require_ciphers, int timeout)
1248 {
1249 static uschar txt[256];
1250 uschar *expciphers;
1251 X509* server_cert;
1252 int rc;
1253
1254 rc = tls_init(host, dhparam, certificate, privatekey,
1255 #ifdef EXPERIMENTAL_OCSP
1256 NULL,
1257 #endif
1258 addr);
1259 if (rc != OK) return rc;
1260
1261 tls_certificate_verified = FALSE;
1262 verify_callback_called = FALSE;
1263
1264 if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
1265 return FAIL;
1266
1267 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
1268 are separated by underscores. So that I can use either form in my tests, and
1269 also for general convenience, we turn underscores into hyphens here. */
1270
1271 if (expciphers != NULL)
1272 {
1273 uschar *s = expciphers;
1274 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1275 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
1276 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
1277 return tls_error(US"SSL_CTX_set_cipher_list", host, NULL);
1278 }
1279
1280 rc = setup_certs(ctx, verify_certs, crl, host, FALSE);
1281 if (rc != OK) return rc;
1282
1283 if ((ssl = SSL_new(ctx)) == NULL) return tls_error(US"SSL_new", host, NULL);
1284 SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
1285 SSL_set_fd(ssl, fd);
1286 SSL_set_connect_state(ssl);
1287
1288 if (sni)
1289 {
1290 if (!expand_check(sni, US"tls_sni", &tls_sni))
1291 return FAIL;
1292 if (!Ustrlen(tls_sni))
1293 tls_sni = NULL;
1294 else
1295 {
1296 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
1297 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tls_sni);
1298 SSL_set_tlsext_host_name(ssl, tls_sni);
1299 #else
1300 DEBUG(D_tls)
1301 debug_printf("OpenSSL at build-time lacked SNI support, ignoring \"%s\"\n",
1302 tls_sni);
1303 #endif
1304 }
1305 }
1306
1307 /* There doesn't seem to be a built-in timeout on connection. */
1308
1309 DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
1310 sigalrm_seen = FALSE;
1311 alarm(timeout);
1312 rc = SSL_connect(ssl);
1313 alarm(0);
1314
1315 if (rc <= 0)
1316 return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL);
1317
1318 DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
1319
1320 /* Beware anonymous ciphers which lead to server_cert being NULL */
1321 server_cert = SSL_get_peer_certificate (ssl);
1322 if (server_cert)
1323 {
1324 tls_peerdn = US X509_NAME_oneline(X509_get_subject_name(server_cert),
1325 CS txt, sizeof(txt));
1326 tls_peerdn = txt;
1327 }
1328 else
1329 tls_peerdn = NULL;
1330
1331 construct_cipher_name(ssl); /* Sets tls_cipher */
1332
1333 tls_active = fd;
1334 return OK;
1335 }
1336
1337
1338
1339
1340
1341 /*************************************************
1342 * TLS version of getc *
1343 *************************************************/
1344
1345 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
1346 it refills the buffer via the SSL reading function.
1347
1348 Arguments: none
1349 Returns: the next character or EOF
1350 */
1351
1352 int
1353 tls_getc(void)
1354 {
1355 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
1356 {
1357 int error;
1358 int inbytes;
1359
1360 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
1361 ssl_xfer_buffer, ssl_xfer_buffer_size);
1362
1363 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
1364 inbytes = SSL_read(ssl, CS ssl_xfer_buffer, ssl_xfer_buffer_size);
1365 error = SSL_get_error(ssl, inbytes);
1366 alarm(0);
1367
1368 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
1369 closed down, not that the socket itself has been closed down. Revert to
1370 non-SSL handling. */
1371
1372 if (error == SSL_ERROR_ZERO_RETURN)
1373 {
1374 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
1375
1376 receive_getc = smtp_getc;
1377 receive_ungetc = smtp_ungetc;
1378 receive_feof = smtp_feof;
1379 receive_ferror = smtp_ferror;
1380 receive_smtp_buffered = smtp_buffered;
1381
1382 SSL_free(ssl);
1383 ssl = NULL;
1384 tls_active = -1;
1385 tls_bits = 0;
1386 tls_cipher = NULL;
1387 tls_peerdn = NULL;
1388 tls_sni = NULL;
1389
1390 return smtp_getc();
1391 }
1392
1393 /* Handle genuine errors */
1394
1395 else if (error == SSL_ERROR_SSL)
1396 {
1397 ERR_error_string(ERR_get_error(), ssl_errstring);
1398 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
1399 ssl_xfer_error = 1;
1400 return EOF;
1401 }
1402
1403 else if (error != SSL_ERROR_NONE)
1404 {
1405 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
1406 ssl_xfer_error = 1;
1407 return EOF;
1408 }
1409
1410 #ifndef DISABLE_DKIM
1411 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
1412 #endif
1413 ssl_xfer_buffer_hwm = inbytes;
1414 ssl_xfer_buffer_lwm = 0;
1415 }
1416
1417 /* Something in the buffer; return next uschar */
1418
1419 return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
1420 }
1421
1422
1423
1424 /*************************************************
1425 * Read bytes from TLS channel *
1426 *************************************************/
1427
1428 /*
1429 Arguments:
1430 buff buffer of data
1431 len size of buffer
1432
1433 Returns: the number of bytes read
1434 -1 after a failed read
1435 */
1436
1437 int
1438 tls_read(uschar *buff, size_t len)
1439 {
1440 int inbytes;
1441 int error;
1442
1443 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
1444 buff, (unsigned int)len);
1445
1446 inbytes = SSL_read(ssl, CS buff, len);
1447 error = SSL_get_error(ssl, inbytes);
1448
1449 if (error == SSL_ERROR_ZERO_RETURN)
1450 {
1451 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
1452 return -1;
1453 }
1454 else if (error != SSL_ERROR_NONE)
1455 {
1456 return -1;
1457 }
1458
1459 return inbytes;
1460 }
1461
1462
1463
1464
1465
1466 /*************************************************
1467 * Write bytes down TLS channel *
1468 *************************************************/
1469
1470 /*
1471 Arguments:
1472 buff buffer of data
1473 len number of bytes
1474
1475 Returns: the number of bytes after a successful write,
1476 -1 after a failed write
1477 */
1478
1479 int
1480 tls_write(const uschar *buff, size_t len)
1481 {
1482 int outbytes;
1483 int error;
1484 int left = len;
1485
1486 DEBUG(D_tls) debug_printf("tls_do_write(%p, %d)\n", buff, left);
1487 while (left > 0)
1488 {
1489 DEBUG(D_tls) debug_printf("SSL_write(SSL, %p, %d)\n", buff, left);
1490 outbytes = SSL_write(ssl, CS buff, left);
1491 error = SSL_get_error(ssl, outbytes);
1492 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
1493 switch (error)
1494 {
1495 case SSL_ERROR_SSL:
1496 ERR_error_string(ERR_get_error(), ssl_errstring);
1497 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
1498 return -1;
1499
1500 case SSL_ERROR_NONE:
1501 left -= outbytes;
1502 buff += outbytes;
1503 break;
1504
1505 case SSL_ERROR_ZERO_RETURN:
1506 log_write(0, LOG_MAIN, "SSL channel closed on write");
1507 return -1;
1508
1509 default:
1510 log_write(0, LOG_MAIN, "SSL_write error %d", error);
1511 return -1;
1512 }
1513 }
1514 return len;
1515 }
1516
1517
1518
1519 /*************************************************
1520 * Close down a TLS session *
1521 *************************************************/
1522
1523 /* This is also called from within a delivery subprocess forked from the
1524 daemon, to shut down the TLS library, without actually doing a shutdown (which
1525 would tamper with the SSL session in the parent process).
1526
1527 Arguments: TRUE if SSL_shutdown is to be called
1528 Returns: nothing
1529 */
1530
1531 void
1532 tls_close(BOOL shutdown)
1533 {
1534 if (tls_active < 0) return; /* TLS was not active */
1535
1536 if (shutdown)
1537 {
1538 DEBUG(D_tls) debug_printf("tls_close(): shutting down SSL\n");
1539 SSL_shutdown(ssl);
1540 }
1541
1542 SSL_free(ssl);
1543 ssl = NULL;
1544
1545 tls_active = -1;
1546 }
1547
1548
1549
1550
1551 /*************************************************
1552 * Let tls_require_ciphers be checked at startup *
1553 *************************************************/
1554
1555 /* The tls_require_ciphers option, if set, must be something which the
1556 library can parse.
1557
1558 Returns: NULL on success, or error message
1559 */
1560
1561 uschar *
1562 tls_validate_require_cipher(void)
1563 {
1564 SSL_CTX *ctx;
1565 uschar *s, *expciphers, *err;
1566
1567 /* this duplicates from tls_init(), we need a better "init just global
1568 state, for no specific purpose" singleton function of our own */
1569
1570 SSL_load_error_strings();
1571 OpenSSL_add_ssl_algorithms();
1572 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
1573 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
1574 list of available digests. */
1575 EVP_add_digest(EVP_sha256());
1576 #endif
1577
1578 if (!(tls_require_ciphers && *tls_require_ciphers))
1579 return NULL;
1580
1581 if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers))
1582 return US"failed to expand tls_require_ciphers";
1583
1584 if (!(expciphers && *expciphers))
1585 return NULL;
1586
1587 /* normalisation ripped from above */
1588 s = expciphers;
1589 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1590
1591 err = NULL;
1592
1593 ctx = SSL_CTX_new(SSLv23_server_method());
1594 if (!ctx)
1595 {
1596 ERR_error_string(ERR_get_error(), ssl_errstring);
1597 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
1598 }
1599
1600 DEBUG(D_tls)
1601 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
1602
1603 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
1604 {
1605 ERR_error_string(ERR_get_error(), ssl_errstring);
1606 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed", expciphers);
1607 }
1608
1609 SSL_CTX_free(ctx);
1610
1611 return err;
1612 }
1613
1614
1615
1616
1617 /*************************************************
1618 * Report the library versions. *
1619 *************************************************/
1620
1621 /* There have historically been some issues with binary compatibility in
1622 OpenSSL libraries; if Exim (like many other applications) is built against
1623 one version of OpenSSL but the run-time linker picks up another version,
1624 it can result in serious failures, including crashing with a SIGSEGV. So
1625 report the version found by the compiler and the run-time version.
1626
1627 Arguments: a FILE* to print the results to
1628 Returns: nothing
1629 */
1630
1631 void
1632 tls_version_report(FILE *f)
1633 {
1634 fprintf(f, "Library version: OpenSSL: Compile: %s\n"
1635 " Runtime: %s\n",
1636 OPENSSL_VERSION_TEXT,
1637 SSLeay_version(SSLEAY_VERSION));
1638 }
1639
1640
1641
1642
1643 /*************************************************
1644 * Random number generation *
1645 *************************************************/
1646
1647 /* Pseudo-random number generation. The result is not expected to be
1648 cryptographically strong but not so weak that someone will shoot themselves
1649 in the foot using it as a nonce in input in some email header scheme or
1650 whatever weirdness they'll twist this into. The result should handle fork()
1651 and avoid repeating sequences. OpenSSL handles that for us.
1652
1653 Arguments:
1654 max range maximum
1655 Returns a random number in range [0, max-1]
1656 */
1657
1658 int
1659 vaguely_random_number(int max)
1660 {
1661 unsigned int r;
1662 int i, needed_len;
1663 uschar *p;
1664 uschar smallbuf[sizeof(r)];
1665
1666 if (max <= 1)
1667 return 0;
1668
1669 /* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
1670 if (!RAND_status())
1671 {
1672 randstuff r;
1673 gettimeofday(&r.tv, NULL);
1674 r.p = getpid();
1675
1676 RAND_seed((uschar *)(&r), sizeof(r));
1677 }
1678 /* We're after pseudo-random, not random; if we still don't have enough data
1679 in the internal PRNG then our options are limited. We could sleep and hope
1680 for entropy to come along (prayer technique) but if the system is so depleted
1681 in the first place then something is likely to just keep taking it. Instead,
1682 we'll just take whatever little bit of pseudo-random we can still manage to
1683 get. */
1684
1685 needed_len = sizeof(r);
1686 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
1687 asked for a number less than 10. */
1688 for (r = max, i = 0; r; ++i)
1689 r >>= 1;
1690 i = (i + 7) / 8;
1691 if (i < needed_len)
1692 needed_len = i;
1693
1694 /* We do not care if crypto-strong */
1695 i = RAND_pseudo_bytes(smallbuf, needed_len);
1696 if (i < 0)
1697 {
1698 DEBUG(D_all)
1699 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
1700 return vaguely_random_number_fallback(max);
1701 }
1702
1703 r = 0;
1704 for (p = smallbuf; needed_len; --needed_len, ++p)
1705 {
1706 r *= 256;
1707 r += *p;
1708 }
1709
1710 /* We don't particularly care about weighted results; if someone wants
1711 smooth distribution and cares enough then they should submit a patch then. */
1712 return r % max;
1713 }
1714
1715
1716
1717
1718 /*************************************************
1719 * OpenSSL option parse *
1720 *************************************************/
1721
1722 /* Parse one option for tls_openssl_options_parse below
1723
1724 Arguments:
1725 name one option name
1726 value place to store a value for it
1727 Returns success or failure in parsing
1728 */
1729
1730 struct exim_openssl_option {
1731 uschar *name;
1732 long value;
1733 };
1734 /* We could use a macro to expand, but we need the ifdef and not all the
1735 options document which version they were introduced in. Policylet: include
1736 all options unless explicitly for DTLS, let the administrator choose which
1737 to apply.
1738
1739 This list is current as of:
1740 ==> 1.0.1b <== */
1741 static struct exim_openssl_option exim_openssl_options[] = {
1742 /* KEEP SORTED ALPHABETICALLY! */
1743 #ifdef SSL_OP_ALL
1744 { US"all", SSL_OP_ALL },
1745 #endif
1746 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
1747 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
1748 #endif
1749 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
1750 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
1751 #endif
1752 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
1753 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
1754 #endif
1755 #ifdef SSL_OP_EPHEMERAL_RSA
1756 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
1757 #endif
1758 #ifdef SSL_OP_LEGACY_SERVER_CONNECT
1759 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
1760 #endif
1761 #ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
1762 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
1763 #endif
1764 #ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
1765 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
1766 #endif
1767 #ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
1768 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
1769 #endif
1770 #ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
1771 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
1772 #endif
1773 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
1774 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
1775 #endif
1776 #ifdef SSL_OP_NO_COMPRESSION
1777 { US"no_compression", SSL_OP_NO_COMPRESSION },
1778 #endif
1779 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1780 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
1781 #endif
1782 #ifdef SSL_OP_NO_SSLv2
1783 { US"no_sslv2", SSL_OP_NO_SSLv2 },
1784 #endif
1785 #ifdef SSL_OP_NO_SSLv3
1786 { US"no_sslv3", SSL_OP_NO_SSLv3 },
1787 #endif
1788 #ifdef SSL_OP_NO_TICKET
1789 { US"no_ticket", SSL_OP_NO_TICKET },
1790 #endif
1791 #ifdef SSL_OP_NO_TLSv1
1792 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
1793 #endif
1794 #ifdef SSL_OP_NO_TLSv1_1
1795 #if SSL_OP_NO_TLSv1_1 == 0x00000400L
1796 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
1797 #warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
1798 #else
1799 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
1800 #endif
1801 #endif
1802 #ifdef SSL_OP_NO_TLSv1_2
1803 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
1804 #endif
1805 #ifdef SSL_OP_SINGLE_DH_USE
1806 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
1807 #endif
1808 #ifdef SSL_OP_SINGLE_ECDH_USE
1809 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
1810 #endif
1811 #ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
1812 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
1813 #endif
1814 #ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
1815 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
1816 #endif
1817 #ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
1818 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
1819 #endif
1820 #ifdef SSL_OP_TLS_D5_BUG
1821 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
1822 #endif
1823 #ifdef SSL_OP_TLS_ROLLBACK_BUG
1824 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
1825 #endif
1826 };
1827 static int exim_openssl_options_size =
1828 sizeof(exim_openssl_options)/sizeof(struct exim_openssl_option);
1829
1830
1831 static BOOL
1832 tls_openssl_one_option_parse(uschar *name, long *value)
1833 {
1834 int first = 0;
1835 int last = exim_openssl_options_size;
1836 while (last > first)
1837 {
1838 int middle = (first + last)/2;
1839 int c = Ustrcmp(name, exim_openssl_options[middle].name);
1840 if (c == 0)
1841 {
1842 *value = exim_openssl_options[middle].value;
1843 return TRUE;
1844 }
1845 else if (c > 0)
1846 first = middle + 1;
1847 else
1848 last = middle;
1849 }
1850 return FALSE;
1851 }
1852
1853
1854
1855
1856 /*************************************************
1857 * OpenSSL option parsing logic *
1858 *************************************************/
1859
1860 /* OpenSSL has a number of compatibility options which an administrator might
1861 reasonably wish to set. Interpret a list similarly to decode_bits(), so that
1862 we look like log_selector.
1863
1864 Arguments:
1865 option_spec the administrator-supplied string of options
1866 results ptr to long storage for the options bitmap
1867 Returns success or failure
1868 */
1869
1870 BOOL
1871 tls_openssl_options_parse(uschar *option_spec, long *results)
1872 {
1873 long result, item;
1874 uschar *s, *end;
1875 uschar keep_c;
1876 BOOL adding, item_parsed;
1877
1878 result = 0L;
1879 /* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
1880 * from default because it increases BEAST susceptibility. */
1881 #ifdef SSL_OP_NO_SSLv2
1882 result |= SSL_OP_NO_SSLv2;
1883 #endif
1884
1885 if (option_spec == NULL)
1886 {
1887 *results = result;
1888 return TRUE;
1889 }
1890
1891 for (s=option_spec; *s != '\0'; /**/)
1892 {
1893 while (isspace(*s)) ++s;
1894 if (*s == '\0')
1895 break;
1896 if (*s != '+' && *s != '-')
1897 {
1898 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
1899 "+ or - expected but found \"%s\"\n", s);
1900 return FALSE;
1901 }
1902 adding = *s++ == '+';
1903 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
1904 keep_c = *end;
1905 *end = '\0';
1906 item_parsed = tls_openssl_one_option_parse(s, &item);
1907 if (!item_parsed)
1908 {
1909 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
1910 return FALSE;
1911 }
1912 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
1913 adding ? "adding" : "removing", result, item, s);
1914 if (adding)
1915 result |= item;
1916 else
1917 result &= ~item;
1918 *end = keep_c;
1919 s = end;
1920 }
1921
1922 *results = result;
1923 return TRUE;
1924 }
1925
1926 /* End of tls-openssl.c */
Unnamed repository; edit this file 'description' to name the repository.