projects / exim.git / blob
? search:


3000b8fcb1f8db8d7e52970023eba3ea500f8eec
[exim.git] / src / src / tls-openssl.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2014 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8 /* Portions Copyright (c) The OpenSSL Project 1999 */
9
10 /* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11 library. It is #included into the tls.c file when that library is used. The
12 code herein is based on a patch that was originally contributed by Steve
13 Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
14
15 No cryptographic code is included in Exim. All this module does is to call
16 functions from the OpenSSL library. */
17
18
19 /* Heading stuff */
20
21 #include <openssl/lhash.h>
22 #include <openssl/ssl.h>
23 #include <openssl/err.h>
24 #include <openssl/rand.h>
25 #ifdef EXPERIMENTAL_OCSP
26 #include <openssl/ocsp.h>
27 #endif
28
29 #ifdef EXPERIMENTAL_OCSP
30 #define EXIM_OCSP_SKEW_SECONDS (300L)
31 #define EXIM_OCSP_MAX_AGE (-1L)
32 #endif
33
34 #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
35 #define EXIM_HAVE_OPENSSL_TLSEXT
36 #endif
37
38 /* Structure for collecting random data for seeding. */
39
40 typedef struct randstuff {
41 struct timeval tv;
42 pid_t p;
43 } randstuff;
44
45 /* Local static variables */
46
47 static BOOL client_verify_callback_called = FALSE;
48 static BOOL server_verify_callback_called = FALSE;
49 static const uschar *sid_ctx = US"exim";
50
51 /* We have three different contexts to care about.
52
53 Simple case: client, `client_ctx`
54 As a client, we can be doing a callout or cut-through delivery while receiving
55 a message. So we have a client context, which should have options initialised
56 from the SMTP Transport.
57
58 Server:
59 There are two cases: with and without ServerNameIndication from the client.
60 Given TLS SNI, we can be using different keys, certs and various other
61 configuration settings, because they're re-expanded with $tls_sni set. This
62 allows vhosting with TLS. This SNI is sent in the handshake.
63 A client might not send SNI, so we need a fallback, and an initial setup too.
64 So as a server, we start out using `server_ctx`.
65 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
66 `server_sni` from `server_ctx` and then initialise settings by re-expanding
67 configuration.
68 */
69
70 static SSL_CTX *client_ctx = NULL;
71 static SSL_CTX *server_ctx = NULL;
72 static SSL *client_ssl = NULL;
73 static SSL *server_ssl = NULL;
74
75 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
76 static SSL_CTX *server_sni = NULL;
77 #endif
78
79 static char ssl_errstring[256];
80
81 static int ssl_session_timeout = 200;
82 static BOOL client_verify_optional = FALSE;
83 static BOOL server_verify_optional = FALSE;
84
85 static BOOL reexpand_tls_files_for_sni = FALSE;
86
87
88 typedef struct tls_ext_ctx_cb {
89 uschar *certificate;
90 uschar *privatekey;
91 #ifdef EXPERIMENTAL_OCSP
92 BOOL is_server;
93 union {
94 struct {
95 uschar *file;
96 uschar *file_expanded;
97 OCSP_RESPONSE *response;
98 } server;
99 struct {
100 X509_STORE *verify_store; /* non-null if status requested */
101 BOOL verify_required;
102 } client;
103 } u_ocsp;
104 #endif
105 uschar *dhparam;
106 /* these are cached from first expand */
107 uschar *server_cipher_list;
108 /* only passed down to tls_error: */
109 host_item *host;
110 } tls_ext_ctx_cb;
111
112 /* should figure out a cleanup of API to handle state preserved per
113 implementation, for various reasons, which can be void * in the APIs.
114 For now, we hack around it. */
115 tls_ext_ctx_cb *client_static_cbinfo = NULL;
116 tls_ext_ctx_cb *server_static_cbinfo = NULL;
117
118 static int
119 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
120 int (*cert_vfy_cb)(int, X509_STORE_CTX *) );
121
122 /* Callbacks */
123 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
124 static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
125 #endif
126 #ifdef EXPERIMENTAL_OCSP
127 static int tls_server_stapling_cb(SSL *s, void *arg);
128 #endif
129
130
131 /*************************************************
132 * Handle TLS error *
133 *************************************************/
134
135 /* Called from lots of places when errors occur before actually starting to do
136 the TLS handshake, that is, while the session is still in clear. Always returns
137 DEFER for a server and FAIL for a client so that most calls can use "return
138 tls_error(...)" to do this processing and then give an appropriate return. A
139 single function is used for both server and client, because it is called from
140 some shared functions.
141
142 Argument:
143 prefix text to include in the logged error
144 host NULL if setting up a server;
145 the connected host if setting up a client
146 msg error message or NULL if we should ask OpenSSL
147
148 Returns: OK/DEFER/FAIL
149 */
150
151 static int
152 tls_error(uschar *prefix, host_item *host, uschar *msg)
153 {
154 if (msg == NULL)
155 {
156 ERR_error_string(ERR_get_error(), ssl_errstring);
157 msg = (uschar *)ssl_errstring;
158 }
159
160 if (host == NULL)
161 {
162 uschar *conn_info = smtp_get_connection_info();
163 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0)
164 conn_info += 5;
165 log_write(0, LOG_MAIN, "TLS error on %s (%s): %s",
166 conn_info, prefix, msg);
167 return DEFER;
168 }
169 else
170 {
171 log_write(0, LOG_MAIN, "TLS error on connection to %s [%s] (%s): %s",
172 host->name, host->address, prefix, msg);
173 return FAIL;
174 }
175 }
176
177
178
179 /*************************************************
180 * Callback to generate RSA key *
181 *************************************************/
182
183 /*
184 Arguments:
185 s SSL connection
186 export not used
187 keylength keylength
188
189 Returns: pointer to generated key
190 */
191
192 static RSA *
193 rsa_callback(SSL *s, int export, int keylength)
194 {
195 RSA *rsa_key;
196 export = export; /* Shut picky compilers up */
197 DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
198 rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL);
199 if (rsa_key == NULL)
200 {
201 ERR_error_string(ERR_get_error(), ssl_errstring);
202 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
203 ssl_errstring);
204 return NULL;
205 }
206 return rsa_key;
207 }
208
209
210
211 /* Extreme debug
212 #if defined(EXPERIMENTAL_OCSP)
213 void
214 x509_store_dump_cert_s_names(X509_STORE * store)
215 {
216 STACK_OF(X509_OBJECT) * roots= store->objs;
217 int i;
218 static uschar name[256];
219
220 for(i= 0; i<sk_X509_OBJECT_num(roots); i++)
221 {
222 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
223 if(tmp_obj->type == X509_LU_X509)
224 {
225 X509 * current_cert= tmp_obj->data.x509;
226 X509_NAME_oneline(X509_get_subject_name(current_cert), CS name, sizeof(name));
227 debug_printf(" %s\n", name);
228 }
229 }
230 }
231 #endif
232 */
233
234
235 /*************************************************
236 * Callback for verification *
237 *************************************************/
238
239 /* The SSL library does certificate verification if set up to do so. This
240 callback has the current yes/no state is in "state". If verification succeeded,
241 we set up the tls_peerdn string. If verification failed, what happens depends
242 on whether the client is required to present a verifiable certificate or not.
243
244 If verification is optional, we change the state to yes, but still log the
245 verification error. For some reason (it really would help to have proper
246 documentation of OpenSSL), this callback function then gets called again, this
247 time with state = 1. In fact, that's useful, because we can set up the peerdn
248 value, but we must take care not to set the private verified flag on the second
249 time through.
250
251 Note: this function is not called if the client fails to present a certificate
252 when asked. We get here only if a certificate has been received. Handling of
253 optional verification for this case is done when requesting SSL to verify, by
254 setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
255
256 Arguments:
257 state current yes/no state as 1/0
258 x509ctx certificate information.
259 client TRUE for client startup, FALSE for server startup
260
261 Returns: 1 if verified, 0 if not
262 */
263
264 static int
265 verify_callback(int state, X509_STORE_CTX *x509ctx,
266 tls_support *tlsp, BOOL *calledp, BOOL *optionalp)
267 {
268 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
269 static uschar txt[256];
270
271 X509_NAME_oneline(X509_get_subject_name(cert),
272 CS txt, sizeof(txt));
273
274 if (state == 0)
275 {
276 log_write(0, LOG_MAIN, "SSL verify error: depth=%d error=%s cert=%s",
277 X509_STORE_CTX_get_error_depth(x509ctx),
278 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)),
279 txt);
280 tlsp->certificate_verified = FALSE;
281 *calledp = TRUE;
282 if (!*optionalp)
283 {
284 tlsp->peercert = X509_dup(cert);
285 return 0; /* reject */
286 }
287 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
288 "tls_try_verify_hosts)\n");
289 }
290
291 else if (X509_STORE_CTX_get_error_depth(x509ctx) != 0)
292 {
293 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n",
294 X509_STORE_CTX_get_error_depth(x509ctx), txt);
295 #ifdef EXPERIMENTAL_OCSP
296 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
297 { /* client, wanting stapling */
298 /* Add the server cert's signing chain as the one
299 for the verification of the OCSP stapled information. */
300
301 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
302 cert))
303 ERR_clear_error();
304 }
305 #endif
306 }
307 else
308 {
309 tlsp->peerdn = txt;
310 tlsp->peercert = X509_dup(cert);
311 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
312 *calledp ? "" : " authenticated", txt);
313 if (!*calledp) tlsp->certificate_verified = TRUE;
314 *calledp = TRUE;
315 }
316
317 return 1; /* accept */
318 }
319
320 static int
321 verify_callback_client(int state, X509_STORE_CTX *x509ctx)
322 {
323 return verify_callback(state, x509ctx, &tls_out, &client_verify_callback_called, &client_verify_optional);
324 }
325
326 static int
327 verify_callback_server(int state, X509_STORE_CTX *x509ctx)
328 {
329 return verify_callback(state, x509ctx, &tls_in, &server_verify_callback_called, &server_verify_optional);
330 }
331
332
333
334 /*************************************************
335 * Information callback *
336 *************************************************/
337
338 /* The SSL library functions call this from time to time to indicate what they
339 are doing. We copy the string to the debugging output when TLS debugging has
340 been requested.
341
342 Arguments:
343 s the SSL connection
344 where
345 ret
346
347 Returns: nothing
348 */
349
350 static void
351 info_callback(SSL *s, int where, int ret)
352 {
353 where = where;
354 ret = ret;
355 DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
356 }
357
358
359
360 /*************************************************
361 * Initialize for DH *
362 *************************************************/
363
364 /* If dhparam is set, expand it, and load up the parameters for DH encryption.
365
366 Arguments:
367 dhparam DH parameter file or fixed parameter identity string
368 host connected host, if client; NULL if server
369
370 Returns: TRUE if OK (nothing to set up, or setup worked)
371 */
372
373 static BOOL
374 init_dh(SSL_CTX *sctx, uschar *dhparam, host_item *host)
375 {
376 BIO *bio;
377 DH *dh;
378 uschar *dhexpanded;
379 const char *pem;
380
381 if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded))
382 return FALSE;
383
384 if (dhexpanded == NULL || *dhexpanded == '\0')
385 {
386 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
387 }
388 else if (dhexpanded[0] == '/')
389 {
390 bio = BIO_new_file(CS dhexpanded, "r");
391 if (bio == NULL)
392 {
393 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
394 host, US strerror(errno));
395 return FALSE;
396 }
397 }
398 else
399 {
400 if (Ustrcmp(dhexpanded, "none") == 0)
401 {
402 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
403 return TRUE;
404 }
405
406 pem = std_dh_prime_named(dhexpanded);
407 if (!pem)
408 {
409 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
410 host, US strerror(errno));
411 return FALSE;
412 }
413 bio = BIO_new_mem_buf(CS pem, -1);
414 }
415
416 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
417 if (dh == NULL)
418 {
419 BIO_free(bio);
420 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
421 host, NULL);
422 return FALSE;
423 }
424
425 /* Even if it is larger, we silently return success rather than cause things
426 * to fail out, so that a too-large DH will not knock out all TLS; it's a
427 * debatable choice. */
428 if ((8*DH_size(dh)) > tls_dh_max_bits)
429 {
430 DEBUG(D_tls)
431 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d",
432 8*DH_size(dh), tls_dh_max_bits);
433 }
434 else
435 {
436 SSL_CTX_set_tmp_dh(sctx, dh);
437 DEBUG(D_tls)
438 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
439 dhexpanded ? dhexpanded : US"default", 8*DH_size(dh));
440 }
441
442 DH_free(dh);
443 BIO_free(bio);
444
445 return TRUE;
446 }
447
448
449
450
451 #ifdef EXPERIMENTAL_OCSP
452 /*************************************************
453 * Load OCSP information into state *
454 *************************************************/
455
456 /* Called to load the server OCSP response from the given file into memory, once
457 caller has determined this is needed. Checks validity. Debugs a message
458 if invalid.
459
460 ASSUMES: single response, for single cert.
461
462 Arguments:
463 sctx the SSL_CTX* to update
464 cbinfo various parts of session state
465 expanded the filename putatively holding an OCSP response
466
467 */
468
469 static void
470 ocsp_load_response(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo, const uschar *expanded)
471 {
472 BIO *bio;
473 OCSP_RESPONSE *resp;
474 OCSP_BASICRESP *basic_response;
475 OCSP_SINGLERESP *single_response;
476 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
477 X509_STORE *store;
478 unsigned long verify_flags;
479 int status, reason, i;
480
481 cbinfo->u_ocsp.server.file_expanded = string_copy(expanded);
482 if (cbinfo->u_ocsp.server.response)
483 {
484 OCSP_RESPONSE_free(cbinfo->u_ocsp.server.response);
485 cbinfo->u_ocsp.server.response = NULL;
486 }
487
488 bio = BIO_new_file(CS cbinfo->u_ocsp.server.file_expanded, "rb");
489 if (!bio)
490 {
491 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
492 cbinfo->u_ocsp.server.file_expanded);
493 return;
494 }
495
496 resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
497 BIO_free(bio);
498 if (!resp)
499 {
500 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
501 return;
502 }
503
504 status = OCSP_response_status(resp);
505 if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL)
506 {
507 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
508 OCSP_response_status_str(status), status);
509 goto bad;
510 }
511
512 basic_response = OCSP_response_get1_basic(resp);
513 if (!basic_response)
514 {
515 DEBUG(D_tls)
516 debug_printf("OCSP response parse error: unable to extract basic response.\n");
517 goto bad;
518 }
519
520 store = SSL_CTX_get_cert_store(sctx);
521 verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
522
523 /* May need to expose ability to adjust those flags?
524 OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
525 OCSP_TRUSTOTHER OCSP_NOINTERN */
526
527 i = OCSP_basic_verify(basic_response, NULL, store, verify_flags);
528 if (i <= 0)
529 {
530 DEBUG(D_tls) {
531 ERR_error_string(ERR_get_error(), ssl_errstring);
532 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
533 }
534 goto bad;
535 }
536
537 /* Here's the simplifying assumption: there's only one response, for the
538 one certificate we use, and nothing for anything else in a chain. If this
539 proves false, we need to extract a cert id from our issued cert
540 (tls_certificate) and use that for OCSP_resp_find_status() (which finds the
541 right cert in the stack and then calls OCSP_single_get0_status()).
542
543 I'm hoping to avoid reworking a bunch more of how we handle state here. */
544 single_response = OCSP_resp_get0(basic_response, 0);
545 if (!single_response)
546 {
547 DEBUG(D_tls)
548 debug_printf("Unable to get first response from OCSP basic response.\n");
549 goto bad;
550 }
551
552 status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
553 if (status != V_OCSP_CERTSTATUS_GOOD)
554 {
555 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
556 OCSP_cert_status_str(status), status,
557 OCSP_crl_reason_str(reason), reason);
558 goto bad;
559 }
560
561 if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
562 {
563 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
564 goto bad;
565 }
566
567 supply_response:
568 cbinfo->u_ocsp.server.response = resp;
569 return;
570
571 bad:
572 if (running_in_test_harness)
573 {
574 extern char ** environ;
575 uschar ** p;
576 for (p = USS environ; *p != NULL; p++)
577 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
578 {
579 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
580 goto supply_response;
581 }
582 }
583 return;
584 }
585 #endif /*EXPERIMENTAL_OCSP*/
586
587
588
589
590 /*************************************************
591 * Expand key and cert file specs *
592 *************************************************/
593
594 /* Called once during tls_init and possibly again during TLS setup, for a
595 new context, if Server Name Indication was used and tls_sni was seen in
596 the certificate string.
597
598 Arguments:
599 sctx the SSL_CTX* to update
600 cbinfo various parts of session state
601
602 Returns: OK/DEFER/FAIL
603 */
604
605 static int
606 tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo)
607 {
608 uschar *expanded;
609
610 if (cbinfo->certificate == NULL)
611 return OK;
612
613 if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
614 Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
615 Ustrstr(cbinfo->certificate, US"tls_out_sni")
616 )
617 reexpand_tls_files_for_sni = TRUE;
618
619 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded))
620 return DEFER;
621
622 if (expanded != NULL)
623 {
624 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded);
625 if (!SSL_CTX_use_certificate_chain_file(sctx, CS expanded))
626 return tls_error(string_sprintf(
627 "SSL_CTX_use_certificate_chain_file file=%s", expanded),
628 cbinfo->host, NULL);
629 }
630
631 if (cbinfo->privatekey != NULL &&
632 !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded))
633 return DEFER;
634
635 /* If expansion was forced to fail, key_expanded will be NULL. If the result
636 of the expansion is an empty string, ignore it also, and assume the private
637 key is in the same file as the certificate. */
638
639 if (expanded != NULL && *expanded != 0)
640 {
641 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
642 if (!SSL_CTX_use_PrivateKey_file(sctx, CS expanded, SSL_FILETYPE_PEM))
643 return tls_error(string_sprintf(
644 "SSL_CTX_use_PrivateKey_file file=%s", expanded), cbinfo->host, NULL);
645 }
646
647 #ifdef EXPERIMENTAL_OCSP
648 if (cbinfo->is_server && cbinfo->u_ocsp.server.file != NULL)
649 {
650 if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded))
651 return DEFER;
652
653 if (expanded != NULL && *expanded != 0)
654 {
655 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
656 if (cbinfo->u_ocsp.server.file_expanded &&
657 (Ustrcmp(expanded, cbinfo->u_ocsp.server.file_expanded) == 0))
658 {
659 DEBUG(D_tls)
660 debug_printf("tls_ocsp_file value unchanged, using existing values.\n");
661 } else {
662 ocsp_load_response(sctx, cbinfo, expanded);
663 }
664 }
665 }
666 #endif
667
668 return OK;
669 }
670
671
672
673
674 /*************************************************
675 * Callback to handle SNI *
676 *************************************************/
677
678 /* Called when acting as server during the TLS session setup if a Server Name
679 Indication extension was sent by the client.
680
681 API documentation is OpenSSL s_server.c implementation.
682
683 Arguments:
684 s SSL* of the current session
685 ad unknown (part of OpenSSL API) (unused)
686 arg Callback of "our" registered data
687
688 Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
689 */
690
691 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
692 static int
693 tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
694 {
695 const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
696 tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
697 int rc;
698 int old_pool = store_pool;
699
700 if (!servername)
701 return SSL_TLSEXT_ERR_OK;
702
703 DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
704 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
705
706 /* Make the extension value available for expansion */
707 store_pool = POOL_PERM;
708 tls_in.sni = string_copy(US servername);
709 store_pool = old_pool;
710
711 if (!reexpand_tls_files_for_sni)
712 return SSL_TLSEXT_ERR_OK;
713
714 /* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
715 not confident that memcpy wouldn't break some internal reference counting.
716 Especially since there's a references struct member, which would be off. */
717
718 server_sni = SSL_CTX_new(SSLv23_server_method());
719 if (!server_sni)
720 {
721 ERR_error_string(ERR_get_error(), ssl_errstring);
722 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
723 return SSL_TLSEXT_ERR_NOACK;
724 }
725
726 /* Not sure how many of these are actually needed, since SSL object
727 already exists. Might even need this selfsame callback, for reneg? */
728
729 SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
730 SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
731 SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
732 SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
733 SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
734 SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
735 if (cbinfo->server_cipher_list)
736 SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list);
737 #ifdef EXPERIMENTAL_OCSP
738 if (cbinfo->u_ocsp.server.file)
739 {
740 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
741 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
742 }
743 #endif
744
745 rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE, verify_callback_server);
746 if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
747
748 /* do this after setup_certs, because this can require the certs for verifying
749 OCSP information. */
750 rc = tls_expand_session_files(server_sni, cbinfo);
751 if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
752
753 rc = init_dh(server_sni, cbinfo->dhparam, NULL);
754 if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
755
756 DEBUG(D_tls) debug_printf("Switching SSL context.\n");
757 SSL_set_SSL_CTX(s, server_sni);
758
759 return SSL_TLSEXT_ERR_OK;
760 }
761 #endif /* EXIM_HAVE_OPENSSL_TLSEXT */
762
763
764
765
766 #ifdef EXPERIMENTAL_OCSP
767
768 /*************************************************
769 * Callback to handle OCSP Stapling *
770 *************************************************/
771
772 /* Called when acting as server during the TLS session setup if the client
773 requests OCSP information with a Certificate Status Request.
774
775 Documentation via openssl s_server.c and the Apache patch from the OpenSSL
776 project.
777
778 */
779
780 static int
781 tls_server_stapling_cb(SSL *s, void *arg)
782 {
783 const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
784 uschar *response_der;
785 int response_der_len;
786
787 DEBUG(D_tls)
788 debug_printf("Received TLS status request (OCSP stapling); %s response.",
789 cbinfo->u_ocsp.server.response ? "have" : "lack");
790
791 tls_in.ocsp = OCSP_NOT_RESP;
792 if (!cbinfo->u_ocsp.server.response)
793 return SSL_TLSEXT_ERR_NOACK;
794
795 response_der = NULL;
796 response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response,
797 &response_der);
798 if (response_der_len <= 0)
799 return SSL_TLSEXT_ERR_NOACK;
800
801 SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
802 tls_in.ocsp = OCSP_VFIED;
803 return SSL_TLSEXT_ERR_OK;
804 }
805
806
807 static void
808 time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
809 {
810 BIO_printf(bp, "\t%s: ", str);
811 ASN1_GENERALIZEDTIME_print(bp, time);
812 BIO_puts(bp, "\n");
813 }
814
815 static int
816 tls_client_stapling_cb(SSL *s, void *arg)
817 {
818 tls_ext_ctx_cb * cbinfo = arg;
819 const unsigned char * p;
820 int len;
821 OCSP_RESPONSE * rsp;
822 OCSP_BASICRESP * bs;
823 int i;
824
825 DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
826 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
827 if(!p)
828 {
829 /* Expect this when we requested ocsp but got none */
830 if ( cbinfo->u_ocsp.client.verify_required
831 && log_extra_selector & LX_tls_cipher)
832 log_write(0, LOG_MAIN, "Received TLS status callback, null content");
833 else
834 DEBUG(D_tls) debug_printf(" null\n");
835 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
836 }
837
838 if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
839 {
840 tls_out.ocsp = OCSP_FAILED;
841 if (log_extra_selector & LX_tls_cipher)
842 log_write(0, LOG_MAIN, "Received TLS status response, parse error");
843 else
844 DEBUG(D_tls) debug_printf(" parse error\n");
845 return 0;
846 }
847
848 if(!(bs = OCSP_response_get1_basic(rsp)))
849 {
850 tls_out.ocsp = OCSP_FAILED;
851 if (log_extra_selector & LX_tls_cipher)
852 log_write(0, LOG_MAIN, "Received TLS status response, error parsing response");
853 else
854 DEBUG(D_tls) debug_printf(" error parsing response\n");
855 OCSP_RESPONSE_free(rsp);
856 return 0;
857 }
858
859 /* We'd check the nonce here if we'd put one in the request. */
860 /* However that would defeat cacheability on the server so we don't. */
861
862 /* This section of code reworked from OpenSSL apps source;
863 The OpenSSL Project retains copyright:
864 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
865 */
866 {
867 BIO * bp = NULL;
868 int status, reason;
869 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
870
871 DEBUG(D_tls) bp = BIO_new_fp(stderr, BIO_NOCLOSE);
872
873 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
874
875 /* Use the chain that verified the server cert to verify the stapled info */
876 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
877
878 if ((i = OCSP_basic_verify(bs, NULL,
879 cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
880 {
881 tls_out.ocsp = OCSP_FAILED;
882 BIO_printf(bp, "OCSP response verify failure\n");
883 ERR_print_errors(bp);
884 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
885 goto out;
886 }
887
888 BIO_printf(bp, "OCSP response well-formed and signed OK\n");
889
890 {
891 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
892 OCSP_SINGLERESP * single;
893
894 if (sk_OCSP_SINGLERESP_num(sresp) != 1)
895 {
896 tls_out.ocsp = OCSP_FAILED;
897 log_write(0, LOG_MAIN, "OCSP stapling "
898 "with multiple responses not handled");
899 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
900 goto out;
901 }
902 single = OCSP_resp_get0(bs, 0);
903 status = OCSP_single_get0_status(single, &reason, &rev,
904 &thisupd, &nextupd);
905 }
906
907 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
908 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
909 if (!OCSP_check_validity(thisupd, nextupd,
910 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
911 {
912 tls_out.ocsp = OCSP_FAILED;
913 DEBUG(D_tls) ERR_print_errors(bp);
914 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
915 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
916 }
917 else
918 {
919 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
920 OCSP_cert_status_str(status));
921 switch(status)
922 {
923 case V_OCSP_CERTSTATUS_GOOD:
924 tls_out.ocsp = OCSP_VFIED;
925 i = 1;
926 break;
927 case V_OCSP_CERTSTATUS_REVOKED:
928 tls_out.ocsp = OCSP_FAILED;
929 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
930 reason != -1 ? "; reason: " : "",
931 reason != -1 ? OCSP_crl_reason_str(reason) : "");
932 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
933 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
934 break;
935 default:
936 tls_out.ocsp = OCSP_FAILED;
937 log_write(0, LOG_MAIN,
938 "Server certificate status unknown, in OCSP stapling");
939 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
940 break;
941 }
942 }
943 out:
944 BIO_free(bp);
945 }
946
947 OCSP_RESPONSE_free(rsp);
948 return i;
949 }
950 #endif /*EXPERIMENTAL_OCSP*/
951
952
953
954 /*************************************************
955 * Initialize for TLS *
956 *************************************************/
957
958 /* Called from both server and client code, to do preliminary initialization of
959 the library.
960
961 Arguments:
962 host connected host, if client; NULL if server
963 dhparam DH parameter file
964 certificate certificate file
965 privatekey private key
966 ocsp_file file of stapling info (server); flag for require ocsp (client)
967 addr address if client; NULL if server (for some randomness)
968
969 Returns: OK/DEFER/FAIL
970 */
971
972 static int
973 tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
974 uschar *privatekey,
975 #ifdef EXPERIMENTAL_OCSP
976 uschar *ocsp_file,
977 #endif
978 address_item *addr, tls_ext_ctx_cb ** cbp)
979 {
980 long init_options;
981 int rc;
982 BOOL okay;
983 tls_ext_ctx_cb *cbinfo;
984
985 cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
986 cbinfo->certificate = certificate;
987 cbinfo->privatekey = privatekey;
988 #ifdef EXPERIMENTAL_OCSP
989 if ((cbinfo->is_server = host==NULL))
990 {
991 cbinfo->u_ocsp.server.file = ocsp_file;
992 cbinfo->u_ocsp.server.file_expanded = NULL;
993 cbinfo->u_ocsp.server.response = NULL;
994 }
995 else
996 cbinfo->u_ocsp.client.verify_store = NULL;
997 #endif
998 cbinfo->dhparam = dhparam;
999 cbinfo->host = host;
1000
1001 SSL_load_error_strings(); /* basic set up */
1002 OpenSSL_add_ssl_algorithms();
1003
1004 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
1005 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
1006 list of available digests. */
1007 EVP_add_digest(EVP_sha256());
1008 #endif
1009
1010 /* Create a context.
1011 The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
1012 negotiation in the different methods; as far as I can tell, the only
1013 *_{server,client}_method which allows negotiation is SSLv23, which exists even
1014 when OpenSSL is built without SSLv2 support.
1015 By disabling with openssl_options, we can let admins re-enable with the
1016 existing knob. */
1017
1018 *ctxp = SSL_CTX_new((host == NULL)?
1019 SSLv23_server_method() : SSLv23_client_method());
1020
1021 if (*ctxp == NULL) return tls_error(US"SSL_CTX_new", host, NULL);
1022
1023 /* It turns out that we need to seed the random number generator this early in
1024 order to get the full complement of ciphers to work. It took me roughly a day
1025 of work to discover this by experiment.
1026
1027 On systems that have /dev/urandom, SSL may automatically seed itself from
1028 there. Otherwise, we have to make something up as best we can. Double check
1029 afterwards. */
1030
1031 if (!RAND_status())
1032 {
1033 randstuff r;
1034 gettimeofday(&r.tv, NULL);
1035 r.p = getpid();
1036
1037 RAND_seed((uschar *)(&r), sizeof(r));
1038 RAND_seed((uschar *)big_buffer, big_buffer_size);
1039 if (addr != NULL) RAND_seed((uschar *)addr, sizeof(addr));
1040
1041 if (!RAND_status())
1042 return tls_error(US"RAND_status", host,
1043 US"unable to seed random number generator");
1044 }
1045
1046 /* Set up the information callback, which outputs if debugging is at a suitable
1047 level. */
1048
1049 SSL_CTX_set_info_callback(*ctxp, (void (*)())info_callback);
1050
1051 /* Automatically re-try reads/writes after renegotiation. */
1052 (void) SSL_CTX_set_mode(*ctxp, SSL_MODE_AUTO_RETRY);
1053
1054 /* Apply administrator-supplied work-arounds.
1055 Historically we applied just one requested option,
1056 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
1057 moved to an administrator-controlled list of options to specify and
1058 grandfathered in the first one as the default value for "openssl_options".
1059
1060 No OpenSSL version number checks: the options we accept depend upon the
1061 availability of the option value macros from OpenSSL. */
1062
1063 okay = tls_openssl_options_parse(openssl_options, &init_options);
1064 if (!okay)
1065 return tls_error(US"openssl_options parsing failed", host, NULL);
1066
1067 if (init_options)
1068 {
1069 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
1070 if (!(SSL_CTX_set_options(*ctxp, init_options)))
1071 return tls_error(string_sprintf(
1072 "SSL_CTX_set_option(%#lx)", init_options), host, NULL);
1073 }
1074 else
1075 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
1076
1077 /* Initialize with DH parameters if supplied */
1078
1079 if (!init_dh(*ctxp, dhparam, host)) return DEFER;
1080
1081 /* Set up certificate and key (and perhaps OCSP info) */
1082
1083 rc = tls_expand_session_files(*ctxp, cbinfo);
1084 if (rc != OK) return rc;
1085
1086 /* If we need to handle SNI, do so */
1087 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
1088 if (host == NULL) /* server */
1089 {
1090 # ifdef EXPERIMENTAL_OCSP
1091 /* We check u_ocsp.server.file, not server.response, because we care about if
1092 the option exists, not what the current expansion might be, as SNI might
1093 change the certificate and OCSP file in use between now and the time the
1094 callback is invoked. */
1095 if (cbinfo->u_ocsp.server.file)
1096 {
1097 SSL_CTX_set_tlsext_status_cb(server_ctx, tls_server_stapling_cb);
1098 SSL_CTX_set_tlsext_status_arg(server_ctx, cbinfo);
1099 }
1100 # endif
1101 /* We always do this, so that $tls_sni is available even if not used in
1102 tls_certificate */
1103 SSL_CTX_set_tlsext_servername_callback(*ctxp, tls_servername_cb);
1104 SSL_CTX_set_tlsext_servername_arg(*ctxp, cbinfo);
1105 }
1106 # ifdef EXPERIMENTAL_OCSP
1107 else /* client */
1108 if(ocsp_file) /* wanting stapling */
1109 {
1110 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
1111 {
1112 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
1113 return FAIL;
1114 }
1115 SSL_CTX_set_tlsext_status_cb(*ctxp, tls_client_stapling_cb);
1116 SSL_CTX_set_tlsext_status_arg(*ctxp, cbinfo);
1117 }
1118 # endif
1119 #endif
1120
1121 /* Set up the RSA callback */
1122
1123 SSL_CTX_set_tmp_rsa_callback(*ctxp, rsa_callback);
1124
1125 /* Finally, set the timeout, and we are done */
1126
1127 SSL_CTX_set_timeout(*ctxp, ssl_session_timeout);
1128 DEBUG(D_tls) debug_printf("Initialized TLS\n");
1129
1130 *cbp = cbinfo;
1131
1132 return OK;
1133 }
1134
1135
1136
1137
1138 /*************************************************
1139 * Get name of cipher in use *
1140 *************************************************/
1141
1142 /*
1143 Argument: pointer to an SSL structure for the connection
1144 buffer to use for answer
1145 size of buffer
1146 pointer to number of bits for cipher
1147 Returns: nothing
1148 */
1149
1150 static void
1151 construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits)
1152 {
1153 /* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't
1154 yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
1155 the accessor functions use const in the prototype. */
1156 const SSL_CIPHER *c;
1157 const uschar *ver;
1158
1159 ver = (const uschar *)SSL_get_version(ssl);
1160
1161 c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
1162 SSL_CIPHER_get_bits(c, bits);
1163
1164 string_format(cipherbuf, bsize, "%s:%s:%u", ver,
1165 SSL_CIPHER_get_name(c), *bits);
1166
1167 DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
1168 }
1169
1170
1171
1172
1173
1174 /*************************************************
1175 * Set up for verifying certificates *
1176 *************************************************/
1177
1178 /* Called by both client and server startup
1179
1180 Arguments:
1181 sctx SSL_CTX* to initialise
1182 certs certs file or NULL
1183 crl CRL file or NULL
1184 host NULL in a server; the remote host in a client
1185 optional TRUE if called from a server for a host in tls_try_verify_hosts;
1186 otherwise passed as FALSE
1187 cert_vfy_cb Callback function for certificate verification
1188
1189 Returns: OK/DEFER/FAIL
1190 */
1191
1192 static int
1193 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
1194 int (*cert_vfy_cb)(int, X509_STORE_CTX *) )
1195 {
1196 uschar *expcerts, *expcrl;
1197
1198 if (!expand_check(certs, US"tls_verify_certificates", &expcerts))
1199 return DEFER;
1200
1201 if (expcerts != NULL && *expcerts != '\0')
1202 {
1203 struct stat statbuf;
1204 if (!SSL_CTX_set_default_verify_paths(sctx))
1205 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
1206
1207 if (Ustat(expcerts, &statbuf) < 0)
1208 {
1209 log_write(0, LOG_MAIN|LOG_PANIC,
1210 "failed to stat %s for certificates", expcerts);
1211 return DEFER;
1212 }
1213 else
1214 {
1215 uschar *file, *dir;
1216 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
1217 { file = NULL; dir = expcerts; }
1218 else
1219 { file = expcerts; dir = NULL; }
1220
1221 /* If a certificate file is empty, the next function fails with an
1222 unhelpful error message. If we skip it, we get the correct behaviour (no
1223 certificates are recognized, but the error message is still misleading (it
1224 says no certificate was supplied.) But this is better. */
1225
1226 if ((file == NULL || statbuf.st_size > 0) &&
1227 !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
1228 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL);
1229
1230 if (file != NULL)
1231 {
1232 SSL_CTX_set_client_CA_list(sctx, SSL_load_client_CA_file(CS file));
1233 }
1234 }
1235
1236 /* Handle a certificate revocation list. */
1237
1238 #if OPENSSL_VERSION_NUMBER > 0x00907000L
1239
1240 /* This bit of code is now the version supplied by Lars Mainka. (I have
1241 * merely reformatted it into the Exim code style.)
1242
1243 * "From here I changed the code to add support for multiple crl's
1244 * in pem format in one file or to support hashed directory entries in
1245 * pem format instead of a file. This method now uses the library function
1246 * X509_STORE_load_locations to add the CRL location to the SSL context.
1247 * OpenSSL will then handle the verify against CA certs and CRLs by
1248 * itself in the verify callback." */
1249
1250 if (!expand_check(crl, US"tls_crl", &expcrl)) return DEFER;
1251 if (expcrl != NULL && *expcrl != 0)
1252 {
1253 struct stat statbufcrl;
1254 if (Ustat(expcrl, &statbufcrl) < 0)
1255 {
1256 log_write(0, LOG_MAIN|LOG_PANIC,
1257 "failed to stat %s for certificates revocation lists", expcrl);
1258 return DEFER;
1259 }
1260 else
1261 {
1262 /* is it a file or directory? */
1263 uschar *file, *dir;
1264 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
1265 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
1266 {
1267 file = NULL;
1268 dir = expcrl;
1269 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
1270 }
1271 else
1272 {
1273 file = expcrl;
1274 dir = NULL;
1275 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
1276 }
1277 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
1278 return tls_error(US"X509_STORE_load_locations", host, NULL);
1279
1280 /* setting the flags to check against the complete crl chain */
1281
1282 X509_STORE_set_flags(cvstore,
1283 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
1284 }
1285 }
1286
1287 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
1288
1289 /* If verification is optional, don't fail if no certificate */
1290
1291 SSL_CTX_set_verify(sctx,
1292 SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
1293 cert_vfy_cb);
1294 }
1295
1296 return OK;
1297 }
1298
1299
1300
1301 /*************************************************
1302 * Start a TLS session in a server *
1303 *************************************************/
1304
1305 /* This is called when Exim is running as a server, after having received
1306 the STARTTLS command. It must respond to that command, and then negotiate
1307 a TLS session.
1308
1309 Arguments:
1310 require_ciphers allowed ciphers
1311
1312 Returns: OK on success
1313 DEFER for errors before the start of the negotiation
1314 FAIL for errors during the negotation; the server can't
1315 continue running.
1316 */
1317
1318 int
1319 tls_server_start(const uschar *require_ciphers)
1320 {
1321 int rc;
1322 uschar *expciphers;
1323 tls_ext_ctx_cb *cbinfo;
1324 static uschar cipherbuf[256];
1325
1326 /* Check for previous activation */
1327
1328 if (tls_in.active >= 0)
1329 {
1330 tls_error(US"STARTTLS received after TLS started", NULL, US"");
1331 smtp_printf("554 Already in TLS\r\n");
1332 return FAIL;
1333 }
1334
1335 /* Initialize the SSL library. If it fails, it will already have logged
1336 the error. */
1337
1338 rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
1339 #ifdef EXPERIMENTAL_OCSP
1340 tls_ocsp_file,
1341 #endif
1342 NULL, &server_static_cbinfo);
1343 if (rc != OK) return rc;
1344 cbinfo = server_static_cbinfo;
1345
1346 if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
1347 return FAIL;
1348
1349 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
1350 were historically separated by underscores. So that I can use either form in my
1351 tests, and also for general convenience, we turn underscores into hyphens here.
1352 */
1353
1354 if (expciphers != NULL)
1355 {
1356 uschar *s = expciphers;
1357 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1358 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
1359 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
1360 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL);
1361 cbinfo->server_cipher_list = expciphers;
1362 }
1363
1364 /* If this is a host for which certificate verification is mandatory or
1365 optional, set up appropriately. */
1366
1367 tls_in.certificate_verified = FALSE;
1368 server_verify_callback_called = FALSE;
1369
1370 if (verify_check_host(&tls_verify_hosts) == OK)
1371 {
1372 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
1373 FALSE, verify_callback_server);
1374 if (rc != OK) return rc;
1375 server_verify_optional = FALSE;
1376 }
1377 else if (verify_check_host(&tls_try_verify_hosts) == OK)
1378 {
1379 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
1380 TRUE, verify_callback_server);
1381 if (rc != OK) return rc;
1382 server_verify_optional = TRUE;
1383 }
1384
1385 /* Prepare for new connection */
1386
1387 if ((server_ssl = SSL_new(server_ctx)) == NULL) return tls_error(US"SSL_new", NULL, NULL);
1388
1389 /* Warning: we used to SSL_clear(ssl) here, it was removed.
1390 *
1391 * With the SSL_clear(), we get strange interoperability bugs with
1392 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
1393 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
1394 *
1395 * The SSL_clear() call is to let an existing SSL* be reused, typically after
1396 * session shutdown. In this case, we have a brand new object and there's no
1397 * obvious reason to immediately clear it. I'm guessing that this was
1398 * originally added because of incomplete initialisation which the clear fixed,
1399 * in some historic release.
1400 */
1401
1402 /* Set context and tell client to go ahead, except in the case of TLS startup
1403 on connection, where outputting anything now upsets the clients and tends to
1404 make them disconnect. We need to have an explicit fflush() here, to force out
1405 the response. Other smtp_printf() calls do not need it, because in non-TLS
1406 mode, the fflush() happens when smtp_getc() is called. */
1407
1408 SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
1409 if (!tls_in.on_connect)
1410 {
1411 smtp_printf("220 TLS go ahead\r\n");
1412 fflush(smtp_out);
1413 }
1414
1415 /* Now negotiate the TLS session. We put our own timer on it, since it seems
1416 that the OpenSSL library doesn't. */
1417
1418 SSL_set_wfd(server_ssl, fileno(smtp_out));
1419 SSL_set_rfd(server_ssl, fileno(smtp_in));
1420 SSL_set_accept_state(server_ssl);
1421
1422 DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
1423
1424 sigalrm_seen = FALSE;
1425 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
1426 rc = SSL_accept(server_ssl);
1427 alarm(0);
1428
1429 if (rc <= 0)
1430 {
1431 tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL);
1432 if (ERR_get_error() == 0)
1433 log_write(0, LOG_MAIN,
1434 "TLS client disconnected cleanly (rejected our certificate?)");
1435 return FAIL;
1436 }
1437
1438 DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
1439
1440 /* TLS has been set up. Adjust the input functions to read via TLS,
1441 and initialize things. */
1442
1443 construct_cipher_name(server_ssl, cipherbuf, sizeof(cipherbuf), &tls_in.bits);
1444 tls_in.cipher = cipherbuf;
1445
1446 DEBUG(D_tls)
1447 {
1448 uschar buf[2048];
1449 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)) != NULL)
1450 debug_printf("Shared ciphers: %s\n", buf);
1451 }
1452
1453 /* Record the certificate we presented */
1454 {
1455 X509 * crt = SSL_get_certificate(server_ssl);
1456 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
1457 }
1458
1459 /* Only used by the server-side tls (tls_in), including tls_getc.
1460 Client-side (tls_out) reads (seem to?) go via
1461 smtp_read_response()/ip_recv().
1462 Hence no need to duplicate for _in and _out.
1463 */
1464 ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
1465 ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
1466 ssl_xfer_eof = ssl_xfer_error = 0;
1467
1468 receive_getc = tls_getc;
1469 receive_ungetc = tls_ungetc;
1470 receive_feof = tls_feof;
1471 receive_ferror = tls_ferror;
1472 receive_smtp_buffered = tls_smtp_buffered;
1473
1474 tls_in.active = fileno(smtp_out);
1475 return OK;
1476 }
1477
1478
1479
1480
1481
1482 /*************************************************
1483 * Start a TLS session in a client *
1484 *************************************************/
1485
1486 /* Called from the smtp transport after STARTTLS has been accepted.
1487
1488 Argument:
1489 fd the fd of the connection
1490 host connected host (for messages)
1491 addr the first address
1492 ob smtp transport options
1493
1494 Returns: OK on success
1495 FAIL otherwise - note that tls_error() will not give DEFER
1496 because this is not a server
1497 */
1498
1499 int
1500 tls_client_start(int fd, host_item *host, address_item *addr,
1501 void *v_ob)
1502 {
1503 smtp_transport_options_block * ob = v_ob;
1504 static uschar txt[256];
1505 uschar *expciphers;
1506 X509* server_cert;
1507 int rc;
1508 static uschar cipherbuf[256];
1509 #ifdef EXPERIMENTAL_OCSP
1510 BOOL require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp,
1511 NULL, host->name, host->address, NULL) == OK;
1512 BOOL request_ocsp = require_ocsp ? TRUE
1513 : verify_check_this_host(&ob->hosts_request_ocsp,
1514 NULL, host->name, host->address, NULL) == OK;
1515 #endif
1516
1517 rc = tls_init(&client_ctx, host, NULL,
1518 ob->tls_certificate, ob->tls_privatekey,
1519 #ifdef EXPERIMENTAL_OCSP
1520 (void *)(long)request_ocsp,
1521 #endif
1522 addr, &client_static_cbinfo);
1523 if (rc != OK) return rc;
1524
1525 tls_out.certificate_verified = FALSE;
1526 client_verify_callback_called = FALSE;
1527
1528 if (!expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
1529 &expciphers))
1530 return FAIL;
1531
1532 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
1533 are separated by underscores. So that I can use either form in my tests, and
1534 also for general convenience, we turn underscores into hyphens here. */
1535
1536 if (expciphers != NULL)
1537 {
1538 uschar *s = expciphers;
1539 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1540 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
1541 if (!SSL_CTX_set_cipher_list(client_ctx, CS expciphers))
1542 return tls_error(US"SSL_CTX_set_cipher_list", host, NULL);
1543 }
1544
1545 /* stick to the old behaviour for compatibility if tls_verify_certificates is
1546 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
1547 the specified host patterns if one of them is defined */
1548 if ((!ob->tls_verify_hosts && !ob->tls_try_verify_hosts) ||
1549 (verify_check_host(&ob->tls_verify_hosts) == OK))
1550 {
1551 if ((rc = setup_certs(client_ctx, ob->tls_verify_certificates,
1552 ob->tls_crl, host, FALSE, verify_callback_client)) != OK)
1553 return rc;
1554 client_verify_optional = FALSE;
1555 }
1556 else if (verify_check_host(&ob->tls_try_verify_hosts) == OK)
1557 {
1558 if ((rc = setup_certs(client_ctx, ob->tls_verify_certificates,
1559 ob->tls_crl, host, TRUE, verify_callback_client)) != OK)
1560 return rc;
1561 client_verify_optional = TRUE;
1562 }
1563
1564 if ((client_ssl = SSL_new(client_ctx)) == NULL)
1565 return tls_error(US"SSL_new", host, NULL);
1566 SSL_set_session_id_context(client_ssl, sid_ctx, Ustrlen(sid_ctx));
1567 SSL_set_fd(client_ssl, fd);
1568 SSL_set_connect_state(client_ssl);
1569
1570 if (ob->tls_sni)
1571 {
1572 if (!expand_check(ob->tls_sni, US"tls_sni", &tls_out.sni))
1573 return FAIL;
1574 if (tls_out.sni == NULL)
1575 {
1576 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
1577 }
1578 else if (!Ustrlen(tls_out.sni))
1579 tls_out.sni = NULL;
1580 else
1581 {
1582 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
1583 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tls_out.sni);
1584 SSL_set_tlsext_host_name(client_ssl, tls_out.sni);
1585 #else
1586 DEBUG(D_tls)
1587 debug_printf("OpenSSL at build-time lacked SNI support, ignoring \"%s\"\n",
1588 tls_out.sni);
1589 #endif
1590 }
1591 }
1592
1593 #ifdef EXPERIMENTAL_OCSP
1594 /* Request certificate status at connection-time. If the server
1595 does OCSP stapling we will get the callback (set in tls_init()) */
1596 if (request_ocsp)
1597 {
1598 SSL_set_tlsext_status_type(client_ssl, TLSEXT_STATUSTYPE_ocsp);
1599 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
1600 tls_out.ocsp = OCSP_NOT_RESP;
1601 }
1602 #endif
1603
1604 /* There doesn't seem to be a built-in timeout on connection. */
1605
1606 DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
1607 sigalrm_seen = FALSE;
1608 alarm(ob->command_timeout);
1609 rc = SSL_connect(client_ssl);
1610 alarm(0);
1611
1612 if (rc <= 0)
1613 return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL);
1614
1615 DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
1616
1617 /* Beware anonymous ciphers which lead to server_cert being NULL */
1618 /*XXX server_cert is never freed... use X509_free() */
1619 server_cert = SSL_get_peer_certificate (client_ssl);
1620 if (server_cert)
1621 {
1622 tls_out.peerdn = US X509_NAME_oneline(X509_get_subject_name(server_cert),
1623 CS txt, sizeof(txt));
1624 tls_out.peerdn = txt; /*XXX a static buffer... */
1625 }
1626 else
1627 tls_out.peerdn = NULL;
1628
1629 construct_cipher_name(client_ssl, cipherbuf, sizeof(cipherbuf), &tls_out.bits);
1630 tls_out.cipher = cipherbuf;
1631
1632 /* Record the certificate we presented */
1633 {
1634 X509 * crt = SSL_get_certificate(client_ssl);
1635 tls_out.ourcert = crt ? X509_dup(crt) : NULL;
1636 }
1637
1638 tls_out.active = fd;
1639 return OK;
1640 }
1641
1642
1643
1644
1645
1646 /*************************************************
1647 * TLS version of getc *
1648 *************************************************/
1649
1650 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
1651 it refills the buffer via the SSL reading function.
1652
1653 Arguments: none
1654 Returns: the next character or EOF
1655
1656 Only used by the server-side TLS.
1657 */
1658
1659 int
1660 tls_getc(void)
1661 {
1662 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
1663 {
1664 int error;
1665 int inbytes;
1666
1667 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
1668 ssl_xfer_buffer, ssl_xfer_buffer_size);
1669
1670 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
1671 inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer, ssl_xfer_buffer_size);
1672 error = SSL_get_error(server_ssl, inbytes);
1673 alarm(0);
1674
1675 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
1676 closed down, not that the socket itself has been closed down. Revert to
1677 non-SSL handling. */
1678
1679 if (error == SSL_ERROR_ZERO_RETURN)
1680 {
1681 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
1682
1683 receive_getc = smtp_getc;
1684 receive_ungetc = smtp_ungetc;
1685 receive_feof = smtp_feof;
1686 receive_ferror = smtp_ferror;
1687 receive_smtp_buffered = smtp_buffered;
1688
1689 SSL_free(server_ssl);
1690 server_ssl = NULL;
1691 tls_in.active = -1;
1692 tls_in.bits = 0;
1693 tls_in.cipher = NULL;
1694 tls_in.peerdn = NULL;
1695 tls_in.sni = NULL;
1696
1697 return smtp_getc();
1698 }
1699
1700 /* Handle genuine errors */
1701
1702 else if (error == SSL_ERROR_SSL)
1703 {
1704 ERR_error_string(ERR_get_error(), ssl_errstring);
1705 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
1706 ssl_xfer_error = 1;
1707 return EOF;
1708 }
1709
1710 else if (error != SSL_ERROR_NONE)
1711 {
1712 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
1713 ssl_xfer_error = 1;
1714 return EOF;
1715 }
1716
1717 #ifndef DISABLE_DKIM
1718 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
1719 #endif
1720 ssl_xfer_buffer_hwm = inbytes;
1721 ssl_xfer_buffer_lwm = 0;
1722 }
1723
1724 /* Something in the buffer; return next uschar */
1725
1726 return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
1727 }
1728
1729
1730
1731 /*************************************************
1732 * Read bytes from TLS channel *
1733 *************************************************/
1734
1735 /*
1736 Arguments:
1737 buff buffer of data
1738 len size of buffer
1739
1740 Returns: the number of bytes read
1741 -1 after a failed read
1742
1743 Only used by the client-side TLS.
1744 */
1745
1746 int
1747 tls_read(BOOL is_server, uschar *buff, size_t len)
1748 {
1749 SSL *ssl = is_server ? server_ssl : client_ssl;
1750 int inbytes;
1751 int error;
1752
1753 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
1754 buff, (unsigned int)len);
1755
1756 inbytes = SSL_read(ssl, CS buff, len);
1757 error = SSL_get_error(ssl, inbytes);
1758
1759 if (error == SSL_ERROR_ZERO_RETURN)
1760 {
1761 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
1762 return -1;
1763 }
1764 else if (error != SSL_ERROR_NONE)
1765 {
1766 return -1;
1767 }
1768
1769 return inbytes;
1770 }
1771
1772
1773
1774
1775
1776 /*************************************************
1777 * Write bytes down TLS channel *
1778 *************************************************/
1779
1780 /*
1781 Arguments:
1782 is_server channel specifier
1783 buff buffer of data
1784 len number of bytes
1785
1786 Returns: the number of bytes after a successful write,
1787 -1 after a failed write
1788
1789 Used by both server-side and client-side TLS.
1790 */
1791
1792 int
1793 tls_write(BOOL is_server, const uschar *buff, size_t len)
1794 {
1795 int outbytes;
1796 int error;
1797 int left = len;
1798 SSL *ssl = is_server ? server_ssl : client_ssl;
1799
1800 DEBUG(D_tls) debug_printf("tls_do_write(%p, %d)\n", buff, left);
1801 while (left > 0)
1802 {
1803 DEBUG(D_tls) debug_printf("SSL_write(SSL, %p, %d)\n", buff, left);
1804 outbytes = SSL_write(ssl, CS buff, left);
1805 error = SSL_get_error(ssl, outbytes);
1806 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
1807 switch (error)
1808 {
1809 case SSL_ERROR_SSL:
1810 ERR_error_string(ERR_get_error(), ssl_errstring);
1811 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
1812 return -1;
1813
1814 case SSL_ERROR_NONE:
1815 left -= outbytes;
1816 buff += outbytes;
1817 break;
1818
1819 case SSL_ERROR_ZERO_RETURN:
1820 log_write(0, LOG_MAIN, "SSL channel closed on write");
1821 return -1;
1822
1823 case SSL_ERROR_SYSCALL:
1824 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
1825 sender_fullhost ? sender_fullhost : US"<unknown>",
1826 strerror(errno));
1827
1828 default:
1829 log_write(0, LOG_MAIN, "SSL_write error %d", error);
1830 return -1;
1831 }
1832 }
1833 return len;
1834 }
1835
1836
1837
1838 /*************************************************
1839 * Close down a TLS session *
1840 *************************************************/
1841
1842 /* This is also called from within a delivery subprocess forked from the
1843 daemon, to shut down the TLS library, without actually doing a shutdown (which
1844 would tamper with the SSL session in the parent process).
1845
1846 Arguments: TRUE if SSL_shutdown is to be called
1847 Returns: nothing
1848
1849 Used by both server-side and client-side TLS.
1850 */
1851
1852 void
1853 tls_close(BOOL is_server, BOOL shutdown)
1854 {
1855 SSL **sslp = is_server ? &server_ssl : &client_ssl;
1856 int *fdp = is_server ? &tls_in.active : &tls_out.active;
1857
1858 if (*fdp < 0) return; /* TLS was not active */
1859
1860 if (shutdown)
1861 {
1862 DEBUG(D_tls) debug_printf("tls_close(): shutting down SSL\n");
1863 SSL_shutdown(*sslp);
1864 }
1865
1866 SSL_free(*sslp);
1867 *sslp = NULL;
1868
1869 *fdp = -1;
1870 }
1871
1872
1873
1874
1875 /*************************************************
1876 * Let tls_require_ciphers be checked at startup *
1877 *************************************************/
1878
1879 /* The tls_require_ciphers option, if set, must be something which the
1880 library can parse.
1881
1882 Returns: NULL on success, or error message
1883 */
1884
1885 uschar *
1886 tls_validate_require_cipher(void)
1887 {
1888 SSL_CTX *ctx;
1889 uschar *s, *expciphers, *err;
1890
1891 /* this duplicates from tls_init(), we need a better "init just global
1892 state, for no specific purpose" singleton function of our own */
1893
1894 SSL_load_error_strings();
1895 OpenSSL_add_ssl_algorithms();
1896 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
1897 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
1898 list of available digests. */
1899 EVP_add_digest(EVP_sha256());
1900 #endif
1901
1902 if (!(tls_require_ciphers && *tls_require_ciphers))
1903 return NULL;
1904
1905 if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers))
1906 return US"failed to expand tls_require_ciphers";
1907
1908 if (!(expciphers && *expciphers))
1909 return NULL;
1910
1911 /* normalisation ripped from above */
1912 s = expciphers;
1913 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1914
1915 err = NULL;
1916
1917 ctx = SSL_CTX_new(SSLv23_server_method());
1918 if (!ctx)
1919 {
1920 ERR_error_string(ERR_get_error(), ssl_errstring);
1921 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
1922 }
1923
1924 DEBUG(D_tls)
1925 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
1926
1927 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
1928 {
1929 ERR_error_string(ERR_get_error(), ssl_errstring);
1930 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed", expciphers);
1931 }
1932
1933 SSL_CTX_free(ctx);
1934
1935 return err;
1936 }
1937
1938
1939
1940
1941 /*************************************************
1942 * Report the library versions. *
1943 *************************************************/
1944
1945 /* There have historically been some issues with binary compatibility in
1946 OpenSSL libraries; if Exim (like many other applications) is built against
1947 one version of OpenSSL but the run-time linker picks up another version,
1948 it can result in serious failures, including crashing with a SIGSEGV. So
1949 report the version found by the compiler and the run-time version.
1950
1951 Note: some OS vendors backport security fixes without changing the version
1952 number/string, and the version date remains unchanged. The _build_ date
1953 will change, so we can more usefully assist with version diagnosis by also
1954 reporting the build date.
1955
1956 Arguments: a FILE* to print the results to
1957 Returns: nothing
1958 */
1959
1960 void
1961 tls_version_report(FILE *f)
1962 {
1963 fprintf(f, "Library version: OpenSSL: Compile: %s\n"
1964 " Runtime: %s\n"
1965 " : %s\n",
1966 OPENSSL_VERSION_TEXT,
1967 SSLeay_version(SSLEAY_VERSION),
1968 SSLeay_version(SSLEAY_BUILT_ON));
1969 /* third line is 38 characters for the %s and the line is 73 chars long;
1970 the OpenSSL output includes a "built on: " prefix already. */
1971 }
1972
1973
1974
1975
1976 /*************************************************
1977 * Random number generation *
1978 *************************************************/
1979
1980 /* Pseudo-random number generation. The result is not expected to be
1981 cryptographically strong but not so weak that someone will shoot themselves
1982 in the foot using it as a nonce in input in some email header scheme or
1983 whatever weirdness they'll twist this into. The result should handle fork()
1984 and avoid repeating sequences. OpenSSL handles that for us.
1985
1986 Arguments:
1987 max range maximum
1988 Returns a random number in range [0, max-1]
1989 */
1990
1991 int
1992 vaguely_random_number(int max)
1993 {
1994 unsigned int r;
1995 int i, needed_len;
1996 static pid_t pidlast = 0;
1997 pid_t pidnow;
1998 uschar *p;
1999 uschar smallbuf[sizeof(r)];
2000
2001 if (max <= 1)
2002 return 0;
2003
2004 pidnow = getpid();
2005 if (pidnow != pidlast)
2006 {
2007 /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
2008 is unique for each thread", this doesn't apparently apply across processes,
2009 so our own warning from vaguely_random_number_fallback() applies here too.
2010 Fix per PostgreSQL. */
2011 if (pidlast != 0)
2012 RAND_cleanup();
2013 pidlast = pidnow;
2014 }
2015
2016 /* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
2017 if (!RAND_status())
2018 {
2019 randstuff r;
2020 gettimeofday(&r.tv, NULL);
2021 r.p = getpid();
2022
2023 RAND_seed((uschar *)(&r), sizeof(r));
2024 }
2025 /* We're after pseudo-random, not random; if we still don't have enough data
2026 in the internal PRNG then our options are limited. We could sleep and hope
2027 for entropy to come along (prayer technique) but if the system is so depleted
2028 in the first place then something is likely to just keep taking it. Instead,
2029 we'll just take whatever little bit of pseudo-random we can still manage to
2030 get. */
2031
2032 needed_len = sizeof(r);
2033 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
2034 asked for a number less than 10. */
2035 for (r = max, i = 0; r; ++i)
2036 r >>= 1;
2037 i = (i + 7) / 8;
2038 if (i < needed_len)
2039 needed_len = i;
2040
2041 /* We do not care if crypto-strong */
2042 i = RAND_pseudo_bytes(smallbuf, needed_len);
2043 if (i < 0)
2044 {
2045 DEBUG(D_all)
2046 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
2047 return vaguely_random_number_fallback(max);
2048 }
2049
2050 r = 0;
2051 for (p = smallbuf; needed_len; --needed_len, ++p)
2052 {
2053 r *= 256;
2054 r += *p;
2055 }
2056
2057 /* We don't particularly care about weighted results; if someone wants
2058 smooth distribution and cares enough then they should submit a patch then. */
2059 return r % max;
2060 }
2061
2062
2063
2064
2065 /*************************************************
2066 * OpenSSL option parse *
2067 *************************************************/
2068
2069 /* Parse one option for tls_openssl_options_parse below
2070
2071 Arguments:
2072 name one option name
2073 value place to store a value for it
2074 Returns success or failure in parsing
2075 */
2076
2077 struct exim_openssl_option {
2078 uschar *name;
2079 long value;
2080 };
2081 /* We could use a macro to expand, but we need the ifdef and not all the
2082 options document which version they were introduced in. Policylet: include
2083 all options unless explicitly for DTLS, let the administrator choose which
2084 to apply.
2085
2086 This list is current as of:
2087 ==> 1.0.1b <==
2088 Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
2089 */
2090 static struct exim_openssl_option exim_openssl_options[] = {
2091 /* KEEP SORTED ALPHABETICALLY! */
2092 #ifdef SSL_OP_ALL
2093 { US"all", SSL_OP_ALL },
2094 #endif
2095 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
2096 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
2097 #endif
2098 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
2099 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
2100 #endif
2101 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
2102 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
2103 #endif
2104 #ifdef SSL_OP_EPHEMERAL_RSA
2105 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
2106 #endif
2107 #ifdef SSL_OP_LEGACY_SERVER_CONNECT
2108 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
2109 #endif
2110 #ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
2111 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
2112 #endif
2113 #ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
2114 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
2115 #endif
2116 #ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
2117 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
2118 #endif
2119 #ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
2120 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
2121 #endif
2122 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
2123 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
2124 #endif
2125 #ifdef SSL_OP_NO_COMPRESSION
2126 { US"no_compression", SSL_OP_NO_COMPRESSION },
2127 #endif
2128 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
2129 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
2130 #endif
2131 #ifdef SSL_OP_NO_SSLv2
2132 { US"no_sslv2", SSL_OP_NO_SSLv2 },
2133 #endif
2134 #ifdef SSL_OP_NO_SSLv3
2135 { US"no_sslv3", SSL_OP_NO_SSLv3 },
2136 #endif
2137 #ifdef SSL_OP_NO_TICKET
2138 { US"no_ticket", SSL_OP_NO_TICKET },
2139 #endif
2140 #ifdef SSL_OP_NO_TLSv1
2141 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
2142 #endif
2143 #ifdef SSL_OP_NO_TLSv1_1
2144 #if SSL_OP_NO_TLSv1_1 == 0x00000400L
2145 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
2146 #warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
2147 #else
2148 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
2149 #endif
2150 #endif
2151 #ifdef SSL_OP_NO_TLSv1_2
2152 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
2153 #endif
2154 #ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
2155 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
2156 #endif
2157 #ifdef SSL_OP_SINGLE_DH_USE
2158 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
2159 #endif
2160 #ifdef SSL_OP_SINGLE_ECDH_USE
2161 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
2162 #endif
2163 #ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
2164 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
2165 #endif
2166 #ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
2167 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
2168 #endif
2169 #ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
2170 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
2171 #endif
2172 #ifdef SSL_OP_TLS_D5_BUG
2173 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
2174 #endif
2175 #ifdef SSL_OP_TLS_ROLLBACK_BUG
2176 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
2177 #endif
2178 };
2179 static int exim_openssl_options_size =
2180 sizeof(exim_openssl_options)/sizeof(struct exim_openssl_option);
2181
2182
2183 static BOOL
2184 tls_openssl_one_option_parse(uschar *name, long *value)
2185 {
2186 int first = 0;
2187 int last = exim_openssl_options_size;
2188 while (last > first)
2189 {
2190 int middle = (first + last)/2;
2191 int c = Ustrcmp(name, exim_openssl_options[middle].name);
2192 if (c == 0)
2193 {
2194 *value = exim_openssl_options[middle].value;
2195 return TRUE;
2196 }
2197 else if (c > 0)
2198 first = middle + 1;
2199 else
2200 last = middle;
2201 }
2202 return FALSE;
2203 }
2204
2205
2206
2207
2208 /*************************************************
2209 * OpenSSL option parsing logic *
2210 *************************************************/
2211
2212 /* OpenSSL has a number of compatibility options which an administrator might
2213 reasonably wish to set. Interpret a list similarly to decode_bits(), so that
2214 we look like log_selector.
2215
2216 Arguments:
2217 option_spec the administrator-supplied string of options
2218 results ptr to long storage for the options bitmap
2219 Returns success or failure
2220 */
2221
2222 BOOL
2223 tls_openssl_options_parse(uschar *option_spec, long *results)
2224 {
2225 long result, item;
2226 uschar *s, *end;
2227 uschar keep_c;
2228 BOOL adding, item_parsed;
2229
2230 result = 0L;
2231 /* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
2232 * from default because it increases BEAST susceptibility. */
2233 #ifdef SSL_OP_NO_SSLv2
2234 result |= SSL_OP_NO_SSLv2;
2235 #endif
2236
2237 if (option_spec == NULL)
2238 {
2239 *results = result;
2240 return TRUE;
2241 }
2242
2243 for (s=option_spec; *s != '\0'; /**/)
2244 {
2245 while (isspace(*s)) ++s;
2246 if (*s == '\0')
2247 break;
2248 if (*s != '+' && *s != '-')
2249 {
2250 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
2251 "+ or - expected but found \"%s\"\n", s);
2252 return FALSE;
2253 }
2254 adding = *s++ == '+';
2255 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
2256 keep_c = *end;
2257 *end = '\0';
2258 item_parsed = tls_openssl_one_option_parse(s, &item);
2259 if (!item_parsed)
2260 {
2261 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
2262 return FALSE;
2263 }
2264 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
2265 adding ? "adding" : "removing", result, item, s);
2266 if (adding)
2267 result |= item;
2268 else
2269 result &= ~item;
2270 *end = keep_c;
2271 s = end;
2272 }
2273
2274 *results = result;
2275 return TRUE;
2276 }
2277
2278 /* vi: aw ai sw=2
2279 */
2280 /* End of tls-openssl.c */
Unnamed repository; edit this file 'description' to name the repository.