projects / exim.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
For DH, use standard primes from RFCs
[exim.git] / src / src / tls-openssl.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2012 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8 /* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
9 library. It is #included into the tls.c file when that library is used. The
10 code herein is based on a patch that was originally contributed by Steve
11 Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
12
13 No cryptographic code is included in Exim. All this module does is to call
14 functions from the OpenSSL library. */
15
16
17 /* Heading stuff */
18
19 #include <openssl/lhash.h>
20 #include <openssl/ssl.h>
21 #include <openssl/err.h>
22 #include <openssl/rand.h>
23 #ifdef EXPERIMENTAL_OCSP
24 #include <openssl/ocsp.h>
25 #endif
26
27 #ifdef EXPERIMENTAL_OCSP
28 #define EXIM_OCSP_SKEW_SECONDS (300L)
29 #define EXIM_OCSP_MAX_AGE (-1L)
30 #endif
31
32 #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
33 #define EXIM_HAVE_OPENSSL_TLSEXT
34 #endif
35
36 /* Structure for collecting random data for seeding. */
37
38 typedef struct randstuff {
39 struct timeval tv;
40 pid_t p;
41 } randstuff;
42
43 /* Local static variables */
44
45 static BOOL verify_callback_called = FALSE;
46 static const uschar *sid_ctx = US"exim";
47
48 static SSL_CTX *ctx = NULL;
49 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
50 static SSL_CTX *ctx_sni = NULL;
51 #endif
52 static SSL *ssl = NULL;
53
54 static char ssl_errstring[256];
55
56 static int ssl_session_timeout = 200;
57 static BOOL verify_optional = FALSE;
58
59 static BOOL reexpand_tls_files_for_sni = FALSE;
60
61
62 typedef struct tls_ext_ctx_cb {
63 uschar *certificate;
64 uschar *privatekey;
65 #ifdef EXPERIMENTAL_OCSP
66 uschar *ocsp_file;
67 uschar *ocsp_file_expanded;
68 OCSP_RESPONSE *ocsp_response;
69 #endif
70 uschar *dhparam;
71 /* these are cached from first expand */
72 uschar *server_cipher_list;
73 /* only passed down to tls_error: */
74 host_item *host;
75 } tls_ext_ctx_cb;
76
77 /* should figure out a cleanup of API to handle state preserved per
78 implementation, for various reasons, which can be void * in the APIs.
79 For now, we hack around it. */
80 tls_ext_ctx_cb *static_cbinfo = NULL;
81
82 static int
83 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional);
84
85 /* Callbacks */
86 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
87 static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
88 #endif
89 #ifdef EXPERIMENTAL_OCSP
90 static int tls_stapling_cb(SSL *s, void *arg);
91 #endif
92
93
94 /*************************************************
95 * Handle TLS error *
96 *************************************************/
97
98 /* Called from lots of places when errors occur before actually starting to do
99 the TLS handshake, that is, while the session is still in clear. Always returns
100 DEFER for a server and FAIL for a client so that most calls can use "return
101 tls_error(...)" to do this processing and then give an appropriate return. A
102 single function is used for both server and client, because it is called from
103 some shared functions.
104
105 Argument:
106 prefix text to include in the logged error
107 host NULL if setting up a server;
108 the connected host if setting up a client
109 msg error message or NULL if we should ask OpenSSL
110
111 Returns: OK/DEFER/FAIL
112 */
113
114 static int
115 tls_error(uschar *prefix, host_item *host, uschar *msg)
116 {
117 if (msg == NULL)
118 {
119 ERR_error_string(ERR_get_error(), ssl_errstring);
120 msg = (uschar *)ssl_errstring;
121 }
122
123 if (host == NULL)
124 {
125 uschar *conn_info = smtp_get_connection_info();
126 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0)
127 conn_info += 5;
128 log_write(0, LOG_MAIN, "TLS error on %s (%s): %s",
129 conn_info, prefix, msg);
130 return DEFER;
131 }
132 else
133 {
134 log_write(0, LOG_MAIN, "TLS error on connection to %s [%s] (%s): %s",
135 host->name, host->address, prefix, msg);
136 return FAIL;
137 }
138 }
139
140
141
142 /*************************************************
143 * Callback to generate RSA key *
144 *************************************************/
145
146 /*
147 Arguments:
148 s SSL connection
149 export not used
150 keylength keylength
151
152 Returns: pointer to generated key
153 */
154
155 static RSA *
156 rsa_callback(SSL *s, int export, int keylength)
157 {
158 RSA *rsa_key;
159 export = export; /* Shut picky compilers up */
160 DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
161 rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL);
162 if (rsa_key == NULL)
163 {
164 ERR_error_string(ERR_get_error(), ssl_errstring);
165 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
166 ssl_errstring);
167 return NULL;
168 }
169 return rsa_key;
170 }
171
172
173
174
175 /*************************************************
176 * Callback for verification *
177 *************************************************/
178
179 /* The SSL library does certificate verification if set up to do so. This
180 callback has the current yes/no state is in "state". If verification succeeded,
181 we set up the tls_peerdn string. If verification failed, what happens depends
182 on whether the client is required to present a verifiable certificate or not.
183
184 If verification is optional, we change the state to yes, but still log the
185 verification error. For some reason (it really would help to have proper
186 documentation of OpenSSL), this callback function then gets called again, this
187 time with state = 1. In fact, that's useful, because we can set up the peerdn
188 value, but we must take care not to set the private verified flag on the second
189 time through.
190
191 Note: this function is not called if the client fails to present a certificate
192 when asked. We get here only if a certificate has been received. Handling of
193 optional verification for this case is done when requesting SSL to verify, by
194 setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
195
196 Arguments:
197 state current yes/no state as 1/0
198 x509ctx certificate information.
199
200 Returns: 1 if verified, 0 if not
201 */
202
203 static int
204 verify_callback(int state, X509_STORE_CTX *x509ctx)
205 {
206 static uschar txt[256];
207
208 X509_NAME_oneline(X509_get_subject_name(x509ctx->current_cert),
209 CS txt, sizeof(txt));
210
211 if (state == 0)
212 {
213 log_write(0, LOG_MAIN, "SSL verify error: depth=%d error=%s cert=%s",
214 x509ctx->error_depth,
215 X509_verify_cert_error_string(x509ctx->error),
216 txt);
217 tls_certificate_verified = FALSE;
218 verify_callback_called = TRUE;
219 if (!verify_optional) return 0; /* reject */
220 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
221 "tls_try_verify_hosts)\n");
222 return 1; /* accept */
223 }
224
225 if (x509ctx->error_depth != 0)
226 {
227 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d cert=%s\n",
228 x509ctx->error_depth, txt);
229 }
230 else
231 {
232 DEBUG(D_tls) debug_printf("SSL%s peer: %s\n",
233 verify_callback_called? "" : " authenticated", txt);
234 tls_peerdn = txt;
235 }
236
237 if (!verify_callback_called) tls_certificate_verified = TRUE;
238 verify_callback_called = TRUE;
239
240 return 1; /* accept */
241 }
242
243
244
245 /*************************************************
246 * Information callback *
247 *************************************************/
248
249 /* The SSL library functions call this from time to time to indicate what they
250 are doing. We copy the string to the debugging output when TLS debugging has
251 been requested.
252
253 Arguments:
254 s the SSL connection
255 where
256 ret
257
258 Returns: nothing
259 */
260
261 static void
262 info_callback(SSL *s, int where, int ret)
263 {
264 where = where;
265 ret = ret;
266 DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
267 }
268
269
270
271 /*************************************************
272 * Initialize for DH *
273 *************************************************/
274
275 /* If dhparam is set, expand it, and load up the parameters for DH encryption.
276
277 Arguments:
278 dhparam DH parameter file or fixed parameter identity string
279 host connected host, if client; NULL if server
280
281 Returns: TRUE if OK (nothing to set up, or setup worked)
282 */
283
284 static BOOL
285 init_dh(SSL_CTX *sctx, uschar *dhparam, host_item *host)
286 {
287 BIO *bio;
288 DH *dh;
289 uschar *dhexpanded;
290 const char *pem;
291
292 if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded))
293 return FALSE;
294
295 if (dhexpanded == NULL || *dhexpanded == '\0')
296 {
297 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
298 }
299 else if (dhexpanded[0] == '/')
300 {
301 bio = BIO_new_file(CS dhexpanded, "r");
302 if (bio == NULL)
303 {
304 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
305 host, US strerror(errno));
306 return FALSE;
307 }
308 }
309 else
310 {
311 if (Ustrcmp(dhexpanded, "none") == 0)
312 {
313 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
314 return TRUE;
315 }
316
317 pem = std_dh_prime_named(dhexpanded);
318 if (!pem)
319 {
320 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
321 host, US strerror(errno));
322 return FALSE;
323 }
324 bio = BIO_new_mem_buf(CS pem, -1);
325 }
326
327 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
328 if (dh == NULL)
329 {
330 BIO_free(bio);
331 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
332 host, NULL);
333 return FALSE;
334 }
335
336 /* Even if it is larger, we silently return success rather than cause things
337 * to fail out, so that a too-large DH will not knock out all TLS; it's a
338 * debatable choice. */
339 if ((8*DH_size(dh)) > tls_dh_max_bits)
340 {
341 DEBUG(D_tls)
342 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d",
343 8*DH_size(dh), tls_dh_max_bits);
344 }
345 else
346 {
347 SSL_CTX_set_tmp_dh(sctx, dh);
348 DEBUG(D_tls)
349 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
350 dhexpanded ? dhexpanded : US"default", 8*DH_size(dh));
351 }
352
353 DH_free(dh);
354 BIO_free(bio);
355
356 return TRUE;
357 }
358
359
360
361
362 #ifdef EXPERIMENTAL_OCSP
363 /*************************************************
364 * Load OCSP information into state *
365 *************************************************/
366
367 /* Called to load the OCSP response from the given file into memory, once
368 caller has determined this is needed. Checks validity. Debugs a message
369 if invalid.
370
371 ASSUMES: single response, for single cert.
372
373 Arguments:
374 sctx the SSL_CTX* to update
375 cbinfo various parts of session state
376 expanded the filename putatively holding an OCSP response
377
378 */
379
380 static void
381 ocsp_load_response(SSL_CTX *sctx,
382 tls_ext_ctx_cb *cbinfo,
383 const uschar *expanded)
384 {
385 BIO *bio;
386 OCSP_RESPONSE *resp;
387 OCSP_BASICRESP *basic_response;
388 OCSP_SINGLERESP *single_response;
389 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
390 X509_STORE *store;
391 unsigned long verify_flags;
392 int status, reason, i;
393
394 cbinfo->ocsp_file_expanded = string_copy(expanded);
395 if (cbinfo->ocsp_response)
396 {
397 OCSP_RESPONSE_free(cbinfo->ocsp_response);
398 cbinfo->ocsp_response = NULL;
399 }
400
401 bio = BIO_new_file(CS cbinfo->ocsp_file_expanded, "rb");
402 if (!bio)
403 {
404 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
405 cbinfo->ocsp_file_expanded);
406 return;
407 }
408
409 resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
410 BIO_free(bio);
411 if (!resp)
412 {
413 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
414 return;
415 }
416
417 status = OCSP_response_status(resp);
418 if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL)
419 {
420 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
421 OCSP_response_status_str(status), status);
422 return;
423 }
424
425 basic_response = OCSP_response_get1_basic(resp);
426 if (!basic_response)
427 {
428 DEBUG(D_tls)
429 debug_printf("OCSP response parse error: unable to extract basic response.\n");
430 return;
431 }
432
433 store = SSL_CTX_get_cert_store(sctx);
434 verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
435
436 /* May need to expose ability to adjust those flags?
437 OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
438 OCSP_TRUSTOTHER OCSP_NOINTERN */
439
440 i = OCSP_basic_verify(basic_response, NULL, store, verify_flags);
441 if (i <= 0)
442 {
443 DEBUG(D_tls) {
444 ERR_error_string(ERR_get_error(), ssl_errstring);
445 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
446 }
447 return;
448 }
449
450 /* Here's the simplifying assumption: there's only one response, for the
451 one certificate we use, and nothing for anything else in a chain. If this
452 proves false, we need to extract a cert id from our issued cert
453 (tls_certificate) and use that for OCSP_resp_find_status() (which finds the
454 right cert in the stack and then calls OCSP_single_get0_status()).
455
456 I'm hoping to avoid reworking a bunch more of how we handle state here. */
457 single_response = OCSP_resp_get0(basic_response, 0);
458 if (!single_response)
459 {
460 DEBUG(D_tls)
461 debug_printf("Unable to get first response from OCSP basic response.\n");
462 return;
463 }
464
465 status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
466 /* how does this status differ from the one above? */
467 if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL)
468 {
469 DEBUG(D_tls) debug_printf("OCSP response not valid (take 2): %s (%d)\n",
470 OCSP_response_status_str(status), status);
471 return;
472 }
473
474 if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
475 {
476 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
477 return;
478 }
479
480 cbinfo->ocsp_response = resp;
481 }
482 #endif
483
484
485
486
487 /*************************************************
488 * Expand key and cert file specs *
489 *************************************************/
490
491 /* Called once during tls_init and possibly againt during TLS setup, for a
492 new context, if Server Name Indication was used and tls_sni was seen in
493 the certificate string.
494
495 Arguments:
496 sctx the SSL_CTX* to update
497 cbinfo various parts of session state
498
499 Returns: OK/DEFER/FAIL
500 */
501
502 static int
503 tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo)
504 {
505 uschar *expanded;
506
507 if (cbinfo->certificate == NULL)
508 return OK;
509
510 if (Ustrstr(cbinfo->certificate, US"tls_sni"))
511 reexpand_tls_files_for_sni = TRUE;
512
513 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded))
514 return DEFER;
515
516 if (expanded != NULL)
517 {
518 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded);
519 if (!SSL_CTX_use_certificate_chain_file(sctx, CS expanded))
520 return tls_error(string_sprintf(
521 "SSL_CTX_use_certificate_chain_file file=%s", expanded),
522 cbinfo->host, NULL);
523 }
524
525 if (cbinfo->privatekey != NULL &&
526 !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded))
527 return DEFER;
528
529 /* If expansion was forced to fail, key_expanded will be NULL. If the result
530 of the expansion is an empty string, ignore it also, and assume the private
531 key is in the same file as the certificate. */
532
533 if (expanded != NULL && *expanded != 0)
534 {
535 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
536 if (!SSL_CTX_use_PrivateKey_file(sctx, CS expanded, SSL_FILETYPE_PEM))
537 return tls_error(string_sprintf(
538 "SSL_CTX_use_PrivateKey_file file=%s", expanded), cbinfo->host, NULL);
539 }
540
541 #ifdef EXPERIMENTAL_OCSP
542 if (cbinfo->ocsp_file != NULL)
543 {
544 if (!expand_check(cbinfo->ocsp_file, US"tls_ocsp_file", &expanded))
545 return DEFER;
546
547 if (expanded != NULL && *expanded != 0)
548 {
549 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
550 if (cbinfo->ocsp_file_expanded &&
551 (Ustrcmp(expanded, cbinfo->ocsp_file_expanded) == 0))
552 {
553 DEBUG(D_tls)
554 debug_printf("tls_ocsp_file value unchanged, using existing values.\n");
555 } else {
556 ocsp_load_response(sctx, cbinfo, expanded);
557 }
558 }
559 }
560 #endif
561
562 return OK;
563 }
564
565
566
567
568 /*************************************************
569 * Callback to handle SNI *
570 *************************************************/
571
572 /* Called when acting as server during the TLS session setup if a Server Name
573 Indication extension was sent by the client.
574
575 API documentation is OpenSSL s_server.c implementation.
576
577 Arguments:
578 s SSL* of the current session
579 ad unknown (part of OpenSSL API) (unused)
580 arg Callback of "our" registered data
581
582 Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
583 */
584
585 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
586 static int
587 tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
588 {
589 const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
590 tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
591 int rc;
592 int old_pool = store_pool;
593
594 if (!servername)
595 return SSL_TLSEXT_ERR_OK;
596
597 DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
598 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
599
600 /* Make the extension value available for expansion */
601 store_pool = POOL_PERM;
602 tls_sni = string_copy(US servername);
603 store_pool = old_pool;
604
605 if (!reexpand_tls_files_for_sni)
606 return SSL_TLSEXT_ERR_OK;
607
608 /* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
609 not confident that memcpy wouldn't break some internal reference counting.
610 Especially since there's a references struct member, which would be off. */
611
612 ctx_sni = SSL_CTX_new(SSLv23_server_method());
613 if (!ctx_sni)
614 {
615 ERR_error_string(ERR_get_error(), ssl_errstring);
616 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
617 return SSL_TLSEXT_ERR_NOACK;
618 }
619
620 /* Not sure how many of these are actually needed, since SSL object
621 already exists. Might even need this selfsame callback, for reneg? */
622
623 SSL_CTX_set_info_callback(ctx_sni, SSL_CTX_get_info_callback(ctx));
624 SSL_CTX_set_mode(ctx_sni, SSL_CTX_get_mode(ctx));
625 SSL_CTX_set_options(ctx_sni, SSL_CTX_get_options(ctx));
626 SSL_CTX_set_timeout(ctx_sni, SSL_CTX_get_timeout(ctx));
627 SSL_CTX_set_tlsext_servername_callback(ctx_sni, tls_servername_cb);
628 SSL_CTX_set_tlsext_servername_arg(ctx_sni, cbinfo);
629 if (cbinfo->server_cipher_list)
630 SSL_CTX_set_cipher_list(ctx_sni, CS cbinfo->server_cipher_list);
631 #ifdef EXPERIMENTAL_OCSP
632 if (cbinfo->ocsp_file)
633 {
634 SSL_CTX_set_tlsext_status_cb(ctx_sni, tls_stapling_cb);
635 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
636 }
637 #endif
638
639 rc = setup_certs(ctx_sni, tls_verify_certificates, tls_crl, NULL, FALSE);
640 if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
641
642 /* do this after setup_certs, because this can require the certs for verifying
643 OCSP information. */
644 rc = tls_expand_session_files(ctx_sni, cbinfo);
645 if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
646
647 rc = init_dh(ctx_sni, cbinfo->dhparam, NULL);
648 if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
649
650 DEBUG(D_tls) debug_printf("Switching SSL context.\n");
651 SSL_set_SSL_CTX(s, ctx_sni);
652
653 return SSL_TLSEXT_ERR_OK;
654 }
655 #endif /* EXIM_HAVE_OPENSSL_TLSEXT */
656
657
658
659
660 #ifdef EXPERIMENTAL_OCSP
661 /*************************************************
662 * Callback to handle OCSP Stapling *
663 *************************************************/
664
665 /* Called when acting as server during the TLS session setup if the client
666 requests OCSP information with a Certificate Status Request.
667
668 Documentation via openssl s_server.c and the Apache patch from the OpenSSL
669 project.
670
671 */
672
673 static int
674 tls_stapling_cb(SSL *s, void *arg)
675 {
676 const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
677 uschar *response_der;
678 int response_der_len;
679
680 DEBUG(D_tls) debug_printf("Received TLS status request (OCSP stapling); %s response.\n",
681 cbinfo->ocsp_response ? "have" : "lack");
682 if (!cbinfo->ocsp_response)
683 return SSL_TLSEXT_ERR_NOACK;
684
685 response_der = NULL;
686 response_der_len = i2d_OCSP_RESPONSE(cbinfo->ocsp_response, &response_der);
687 if (response_der_len <= 0)
688 return SSL_TLSEXT_ERR_NOACK;
689
690 SSL_set_tlsext_status_ocsp_resp(ssl, response_der, response_der_len);
691 return SSL_TLSEXT_ERR_OK;
692 }
693
694 #endif /* EXPERIMENTAL_OCSP */
695
696
697
698
699 /*************************************************
700 * Initialize for TLS *
701 *************************************************/
702
703 /* Called from both server and client code, to do preliminary initialization of
704 the library.
705
706 Arguments:
707 host connected host, if client; NULL if server
708 dhparam DH parameter file
709 certificate certificate file
710 privatekey private key
711 addr address if client; NULL if server (for some randomness)
712
713 Returns: OK/DEFER/FAIL
714 */
715
716 static int
717 tls_init(host_item *host, uschar *dhparam, uschar *certificate,
718 uschar *privatekey,
719 #ifdef EXPERIMENTAL_OCSP
720 uschar *ocsp_file,
721 #endif
722 address_item *addr)
723 {
724 long init_options;
725 int rc;
726 BOOL okay;
727 tls_ext_ctx_cb *cbinfo;
728
729 cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
730 cbinfo->certificate = certificate;
731 cbinfo->privatekey = privatekey;
732 #ifdef EXPERIMENTAL_OCSP
733 cbinfo->ocsp_file = ocsp_file;
734 #endif
735 cbinfo->dhparam = dhparam;
736 cbinfo->host = host;
737
738 SSL_load_error_strings(); /* basic set up */
739 OpenSSL_add_ssl_algorithms();
740
741 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
742 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
743 list of available digests. */
744 EVP_add_digest(EVP_sha256());
745 #endif
746
747 /* Create a context */
748
749 ctx = SSL_CTX_new((host == NULL)?
750 SSLv23_server_method() : SSLv23_client_method());
751
752 if (ctx == NULL) return tls_error(US"SSL_CTX_new", host, NULL);
753
754 /* It turns out that we need to seed the random number generator this early in
755 order to get the full complement of ciphers to work. It took me roughly a day
756 of work to discover this by experiment.
757
758 On systems that have /dev/urandom, SSL may automatically seed itself from
759 there. Otherwise, we have to make something up as best we can. Double check
760 afterwards. */
761
762 if (!RAND_status())
763 {
764 randstuff r;
765 gettimeofday(&r.tv, NULL);
766 r.p = getpid();
767
768 RAND_seed((uschar *)(&r), sizeof(r));
769 RAND_seed((uschar *)big_buffer, big_buffer_size);
770 if (addr != NULL) RAND_seed((uschar *)addr, sizeof(addr));
771
772 if (!RAND_status())
773 return tls_error(US"RAND_status", host,
774 US"unable to seed random number generator");
775 }
776
777 /* Set up the information callback, which outputs if debugging is at a suitable
778 level. */
779
780 SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
781
782 /* Automatically re-try reads/writes after renegotiation. */
783 (void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
784
785 /* Apply administrator-supplied work-arounds.
786 Historically we applied just one requested option,
787 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
788 moved to an administrator-controlled list of options to specify and
789 grandfathered in the first one as the default value for "openssl_options".
790
791 No OpenSSL version number checks: the options we accept depend upon the
792 availability of the option value macros from OpenSSL. */
793
794 okay = tls_openssl_options_parse(openssl_options, &init_options);
795 if (!okay)
796 return tls_error(US"openssl_options parsing failed", host, NULL);
797
798 if (init_options)
799 {
800 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
801 if (!(SSL_CTX_set_options(ctx, init_options)))
802 return tls_error(string_sprintf(
803 "SSL_CTX_set_option(%#lx)", init_options), host, NULL);
804 }
805 else
806 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
807
808 /* Initialize with DH parameters if supplied */
809
810 if (!init_dh(ctx, dhparam, host)) return DEFER;
811
812 /* Set up certificate and key (and perhaps OCSP info) */
813
814 rc = tls_expand_session_files(ctx, cbinfo);
815 if (rc != OK) return rc;
816
817 /* If we need to handle SNI, do so */
818 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
819 if (host == NULL)
820 {
821 #ifdef EXPERIMENTAL_OCSP
822 /* We check ocsp_file, not ocsp_response, because we care about if
823 the option exists, not what the current expansion might be, as SNI might
824 change the certificate and OCSP file in use between now and the time the
825 callback is invoked. */
826 if (cbinfo->ocsp_file)
827 {
828 SSL_CTX_set_tlsext_status_cb(ctx, tls_stapling_cb);
829 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
830 }
831 #endif
832 /* We always do this, so that $tls_sni is available even if not used in
833 tls_certificate */
834 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
835 SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
836 }
837 #endif
838
839 /* Set up the RSA callback */
840
841 SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
842
843 /* Finally, set the timeout, and we are done */
844
845 SSL_CTX_set_timeout(ctx, ssl_session_timeout);
846 DEBUG(D_tls) debug_printf("Initialized TLS\n");
847
848 static_cbinfo = cbinfo;
849
850 return OK;
851 }
852
853
854
855
856 /*************************************************
857 * Get name of cipher in use *
858 *************************************************/
859
860 /* The answer is left in a static buffer, and tls_cipher is set to point
861 to it.
862
863 Argument: pointer to an SSL structure for the connection
864 Returns: nothing
865 */
866
867 static void
868 construct_cipher_name(SSL *ssl)
869 {
870 static uschar cipherbuf[256];
871 /* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't
872 yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
873 the accessor functions use const in the prototype. */
874 const SSL_CIPHER *c;
875 uschar *ver;
876
877 switch (ssl->session->ssl_version)
878 {
879 case SSL2_VERSION:
880 ver = US"SSLv2";
881 break;
882
883 case SSL3_VERSION:
884 ver = US"SSLv3";
885 break;
886
887 case TLS1_VERSION:
888 ver = US"TLSv1";
889 break;
890
891 #ifdef TLS1_1_VERSION
892 case TLS1_1_VERSION:
893 ver = US"TLSv1.1";
894 break;
895 #endif
896
897 #ifdef TLS1_2_VERSION
898 case TLS1_2_VERSION:
899 ver = US"TLSv1.2";
900 break;
901 #endif
902
903 default:
904 ver = US"UNKNOWN";
905 }
906
907 c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
908 SSL_CIPHER_get_bits(c, &tls_bits);
909
910 string_format(cipherbuf, sizeof(cipherbuf), "%s:%s:%u", ver,
911 SSL_CIPHER_get_name(c), tls_bits);
912 tls_cipher = cipherbuf;
913
914 DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
915 }
916
917
918
919
920
921 /*************************************************
922 * Set up for verifying certificates *
923 *************************************************/
924
925 /* Called by both client and server startup
926
927 Arguments:
928 sctx SSL_CTX* to initialise
929 certs certs file or NULL
930 crl CRL file or NULL
931 host NULL in a server; the remote host in a client
932 optional TRUE if called from a server for a host in tls_try_verify_hosts;
933 otherwise passed as FALSE
934
935 Returns: OK/DEFER/FAIL
936 */
937
938 static int
939 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional)
940 {
941 uschar *expcerts, *expcrl;
942
943 if (!expand_check(certs, US"tls_verify_certificates", &expcerts))
944 return DEFER;
945
946 if (expcerts != NULL)
947 {
948 struct stat statbuf;
949 if (!SSL_CTX_set_default_verify_paths(sctx))
950 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
951
952 if (Ustat(expcerts, &statbuf) < 0)
953 {
954 log_write(0, LOG_MAIN|LOG_PANIC,
955 "failed to stat %s for certificates", expcerts);
956 return DEFER;
957 }
958 else
959 {
960 uschar *file, *dir;
961 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
962 { file = NULL; dir = expcerts; }
963 else
964 { file = expcerts; dir = NULL; }
965
966 /* If a certificate file is empty, the next function fails with an
967 unhelpful error message. If we skip it, we get the correct behaviour (no
968 certificates are recognized, but the error message is still misleading (it
969 says no certificate was supplied.) But this is better. */
970
971 if ((file == NULL || statbuf.st_size > 0) &&
972 !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
973 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL);
974
975 if (file != NULL)
976 {
977 SSL_CTX_set_client_CA_list(sctx, SSL_load_client_CA_file(CS file));
978 }
979 }
980
981 /* Handle a certificate revocation list. */
982
983 #if OPENSSL_VERSION_NUMBER > 0x00907000L
984
985 /* This bit of code is now the version supplied by Lars Mainka. (I have
986 * merely reformatted it into the Exim code style.)
987
988 * "From here I changed the code to add support for multiple crl's
989 * in pem format in one file or to support hashed directory entries in
990 * pem format instead of a file. This method now uses the library function
991 * X509_STORE_load_locations to add the CRL location to the SSL context.
992 * OpenSSL will then handle the verify against CA certs and CRLs by
993 * itself in the verify callback." */
994
995 if (!expand_check(crl, US"tls_crl", &expcrl)) return DEFER;
996 if (expcrl != NULL && *expcrl != 0)
997 {
998 struct stat statbufcrl;
999 if (Ustat(expcrl, &statbufcrl) < 0)
1000 {
1001 log_write(0, LOG_MAIN|LOG_PANIC,
1002 "failed to stat %s for certificates revocation lists", expcrl);
1003 return DEFER;
1004 }
1005 else
1006 {
1007 /* is it a file or directory? */
1008 uschar *file, *dir;
1009 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
1010 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
1011 {
1012 file = NULL;
1013 dir = expcrl;
1014 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
1015 }
1016 else
1017 {
1018 file = expcrl;
1019 dir = NULL;
1020 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
1021 }
1022 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
1023 return tls_error(US"X509_STORE_load_locations", host, NULL);
1024
1025 /* setting the flags to check against the complete crl chain */
1026
1027 X509_STORE_set_flags(cvstore,
1028 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
1029 }
1030 }
1031
1032 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
1033
1034 /* If verification is optional, don't fail if no certificate */
1035
1036 SSL_CTX_set_verify(sctx,
1037 SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
1038 verify_callback);
1039 }
1040
1041 return OK;
1042 }
1043
1044
1045
1046 /*************************************************
1047 * Start a TLS session in a server *
1048 *************************************************/
1049
1050 /* This is called when Exim is running as a server, after having received
1051 the STARTTLS command. It must respond to that command, and then negotiate
1052 a TLS session.
1053
1054 Arguments:
1055 require_ciphers allowed ciphers
1056
1057 Returns: OK on success
1058 DEFER for errors before the start of the negotiation
1059 FAIL for errors during the negotation; the server can't
1060 continue running.
1061 */
1062
1063 int
1064 tls_server_start(const uschar *require_ciphers)
1065 {
1066 int rc;
1067 uschar *expciphers;
1068 tls_ext_ctx_cb *cbinfo;
1069
1070 /* Check for previous activation */
1071
1072 if (tls_active >= 0)
1073 {
1074 tls_error(US"STARTTLS received after TLS started", NULL, US"");
1075 smtp_printf("554 Already in TLS\r\n");
1076 return FAIL;
1077 }
1078
1079 /* Initialize the SSL library. If it fails, it will already have logged
1080 the error. */
1081
1082 rc = tls_init(NULL, tls_dhparam, tls_certificate, tls_privatekey,
1083 #ifdef EXPERIMENTAL_OCSP
1084 tls_ocsp_file,
1085 #endif
1086 NULL);
1087 if (rc != OK) return rc;
1088 cbinfo = static_cbinfo;
1089
1090 if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
1091 return FAIL;
1092
1093 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
1094 were historically separated by underscores. So that I can use either form in my
1095 tests, and also for general convenience, we turn underscores into hyphens here.
1096 */
1097
1098 if (expciphers != NULL)
1099 {
1100 uschar *s = expciphers;
1101 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1102 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
1103 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
1104 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL);
1105 cbinfo->server_cipher_list = expciphers;
1106 }
1107
1108 /* If this is a host for which certificate verification is mandatory or
1109 optional, set up appropriately. */
1110
1111 tls_certificate_verified = FALSE;
1112 verify_callback_called = FALSE;
1113
1114 if (verify_check_host(&tls_verify_hosts) == OK)
1115 {
1116 rc = setup_certs(ctx, tls_verify_certificates, tls_crl, NULL, FALSE);
1117 if (rc != OK) return rc;
1118 verify_optional = FALSE;
1119 }
1120 else if (verify_check_host(&tls_try_verify_hosts) == OK)
1121 {
1122 rc = setup_certs(ctx, tls_verify_certificates, tls_crl, NULL, TRUE);
1123 if (rc != OK) return rc;
1124 verify_optional = TRUE;
1125 }
1126
1127 /* Prepare for new connection */
1128
1129 if ((ssl = SSL_new(ctx)) == NULL) return tls_error(US"SSL_new", NULL, NULL);
1130
1131 /* Warning: we used to SSL_clear(ssl) here, it was removed.
1132 *
1133 * With the SSL_clear(), we get strange interoperability bugs with
1134 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
1135 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
1136 *
1137 * The SSL_clear() call is to let an existing SSL* be reused, typically after
1138 * session shutdown. In this case, we have a brand new object and there's no
1139 * obvious reason to immediately clear it. I'm guessing that this was
1140 * originally added because of incomplete initialisation which the clear fixed,
1141 * in some historic release.
1142 */
1143
1144 /* Set context and tell client to go ahead, except in the case of TLS startup
1145 on connection, where outputting anything now upsets the clients and tends to
1146 make them disconnect. We need to have an explicit fflush() here, to force out
1147 the response. Other smtp_printf() calls do not need it, because in non-TLS
1148 mode, the fflush() happens when smtp_getc() is called. */
1149
1150 SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
1151 if (!tls_on_connect)
1152 {
1153 smtp_printf("220 TLS go ahead\r\n");
1154 fflush(smtp_out);
1155 }
1156
1157 /* Now negotiate the TLS session. We put our own timer on it, since it seems
1158 that the OpenSSL library doesn't. */
1159
1160 SSL_set_wfd(ssl, fileno(smtp_out));
1161 SSL_set_rfd(ssl, fileno(smtp_in));
1162 SSL_set_accept_state(ssl);
1163
1164 DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
1165
1166 sigalrm_seen = FALSE;
1167 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
1168 rc = SSL_accept(ssl);
1169 alarm(0);
1170
1171 if (rc <= 0)
1172 {
1173 tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL);
1174 if (ERR_get_error() == 0)
1175 log_write(0, LOG_MAIN,
1176 "TLS client disconnected cleanly (rejected our certificate?)");
1177 return FAIL;
1178 }
1179
1180 DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
1181
1182 /* TLS has been set up. Adjust the input functions to read via TLS,
1183 and initialize things. */
1184
1185 construct_cipher_name(ssl);
1186
1187 DEBUG(D_tls)
1188 {
1189 uschar buf[2048];
1190 if (SSL_get_shared_ciphers(ssl, CS buf, sizeof(buf)) != NULL)
1191 debug_printf("Shared ciphers: %s\n", buf);
1192 }
1193
1194
1195 ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
1196 ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
1197 ssl_xfer_eof = ssl_xfer_error = 0;
1198
1199 receive_getc = tls_getc;
1200 receive_ungetc = tls_ungetc;
1201 receive_feof = tls_feof;
1202 receive_ferror = tls_ferror;
1203 receive_smtp_buffered = tls_smtp_buffered;
1204
1205 tls_active = fileno(smtp_out);
1206 return OK;
1207 }
1208
1209
1210
1211
1212
1213 /*************************************************
1214 * Start a TLS session in a client *
1215 *************************************************/
1216
1217 /* Called from the smtp transport after STARTTLS has been accepted.
1218
1219 Argument:
1220 fd the fd of the connection
1221 host connected host (for messages)
1222 addr the first address
1223 dhparam DH parameter file
1224 certificate certificate file
1225 privatekey private key file
1226 sni TLS SNI to send to remote host
1227 verify_certs file for certificate verify
1228 crl file containing CRL
1229 require_ciphers list of allowed ciphers
1230 timeout startup timeout
1231
1232 Returns: OK on success
1233 FAIL otherwise - note that tls_error() will not give DEFER
1234 because this is not a server
1235 */
1236
1237 int
1238 tls_client_start(int fd, host_item *host, address_item *addr, uschar *dhparam,
1239 uschar *certificate, uschar *privatekey, uschar *sni,
1240 uschar *verify_certs, uschar *crl,
1241 uschar *require_ciphers, int timeout)
1242 {
1243 static uschar txt[256];
1244 uschar *expciphers;
1245 X509* server_cert;
1246 int rc;
1247
1248 rc = tls_init(host, dhparam, certificate, privatekey,
1249 #ifdef EXPERIMENTAL_OCSP
1250 NULL,
1251 #endif
1252 addr);
1253 if (rc != OK) return rc;
1254
1255 tls_certificate_verified = FALSE;
1256 verify_callback_called = FALSE;
1257
1258 if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
1259 return FAIL;
1260
1261 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
1262 are separated by underscores. So that I can use either form in my tests, and
1263 also for general convenience, we turn underscores into hyphens here. */
1264
1265 if (expciphers != NULL)
1266 {
1267 uschar *s = expciphers;
1268 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1269 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
1270 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
1271 return tls_error(US"SSL_CTX_set_cipher_list", host, NULL);
1272 }
1273
1274 rc = setup_certs(ctx, verify_certs, crl, host, FALSE);
1275 if (rc != OK) return rc;
1276
1277 if ((ssl = SSL_new(ctx)) == NULL) return tls_error(US"SSL_new", host, NULL);
1278 SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
1279 SSL_set_fd(ssl, fd);
1280 SSL_set_connect_state(ssl);
1281
1282 if (sni)
1283 {
1284 if (!expand_check(sni, US"tls_sni", &tls_sni))
1285 return FAIL;
1286 if (!Ustrlen(tls_sni))
1287 tls_sni = NULL;
1288 else
1289 {
1290 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
1291 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tls_sni);
1292 SSL_set_tlsext_host_name(ssl, tls_sni);
1293 #else
1294 DEBUG(D_tls)
1295 debug_printf("OpenSSL at build-time lacked SNI support, ignoring \"%s\"\n",
1296 tls_sni);
1297 #endif
1298 }
1299 }
1300
1301 /* There doesn't seem to be a built-in timeout on connection. */
1302
1303 DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
1304 sigalrm_seen = FALSE;
1305 alarm(timeout);
1306 rc = SSL_connect(ssl);
1307 alarm(0);
1308
1309 if (rc <= 0)
1310 return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL);
1311
1312 DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
1313
1314 /* Beware anonymous ciphers which lead to server_cert being NULL */
1315 server_cert = SSL_get_peer_certificate (ssl);
1316 if (server_cert)
1317 {
1318 tls_peerdn = US X509_NAME_oneline(X509_get_subject_name(server_cert),
1319 CS txt, sizeof(txt));
1320 tls_peerdn = txt;
1321 }
1322 else
1323 tls_peerdn = NULL;
1324
1325 construct_cipher_name(ssl); /* Sets tls_cipher */
1326
1327 tls_active = fd;
1328 return OK;
1329 }
1330
1331
1332
1333
1334
1335 /*************************************************
1336 * TLS version of getc *
1337 *************************************************/
1338
1339 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
1340 it refills the buffer via the SSL reading function.
1341
1342 Arguments: none
1343 Returns: the next character or EOF
1344 */
1345
1346 int
1347 tls_getc(void)
1348 {
1349 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
1350 {
1351 int error;
1352 int inbytes;
1353
1354 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
1355 ssl_xfer_buffer, ssl_xfer_buffer_size);
1356
1357 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
1358 inbytes = SSL_read(ssl, CS ssl_xfer_buffer, ssl_xfer_buffer_size);
1359 error = SSL_get_error(ssl, inbytes);
1360 alarm(0);
1361
1362 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
1363 closed down, not that the socket itself has been closed down. Revert to
1364 non-SSL handling. */
1365
1366 if (error == SSL_ERROR_ZERO_RETURN)
1367 {
1368 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
1369
1370 receive_getc = smtp_getc;
1371 receive_ungetc = smtp_ungetc;
1372 receive_feof = smtp_feof;
1373 receive_ferror = smtp_ferror;
1374 receive_smtp_buffered = smtp_buffered;
1375
1376 SSL_free(ssl);
1377 ssl = NULL;
1378 tls_active = -1;
1379 tls_bits = 0;
1380 tls_cipher = NULL;
1381 tls_peerdn = NULL;
1382 tls_sni = NULL;
1383
1384 return smtp_getc();
1385 }
1386
1387 /* Handle genuine errors */
1388
1389 else if (error == SSL_ERROR_SSL)
1390 {
1391 ERR_error_string(ERR_get_error(), ssl_errstring);
1392 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
1393 ssl_xfer_error = 1;
1394 return EOF;
1395 }
1396
1397 else if (error != SSL_ERROR_NONE)
1398 {
1399 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
1400 ssl_xfer_error = 1;
1401 return EOF;
1402 }
1403
1404 #ifndef DISABLE_DKIM
1405 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
1406 #endif
1407 ssl_xfer_buffer_hwm = inbytes;
1408 ssl_xfer_buffer_lwm = 0;
1409 }
1410
1411 /* Something in the buffer; return next uschar */
1412
1413 return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
1414 }
1415
1416
1417
1418 /*************************************************
1419 * Read bytes from TLS channel *
1420 *************************************************/
1421
1422 /*
1423 Arguments:
1424 buff buffer of data
1425 len size of buffer
1426
1427 Returns: the number of bytes read
1428 -1 after a failed read
1429 */
1430
1431 int
1432 tls_read(uschar *buff, size_t len)
1433 {
1434 int inbytes;
1435 int error;
1436
1437 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
1438 buff, (unsigned int)len);
1439
1440 inbytes = SSL_read(ssl, CS buff, len);
1441 error = SSL_get_error(ssl, inbytes);
1442
1443 if (error == SSL_ERROR_ZERO_RETURN)
1444 {
1445 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
1446 return -1;
1447 }
1448 else if (error != SSL_ERROR_NONE)
1449 {
1450 return -1;
1451 }
1452
1453 return inbytes;
1454 }
1455
1456
1457
1458
1459
1460 /*************************************************
1461 * Write bytes down TLS channel *
1462 *************************************************/
1463
1464 /*
1465 Arguments:
1466 buff buffer of data
1467 len number of bytes
1468
1469 Returns: the number of bytes after a successful write,
1470 -1 after a failed write
1471 */
1472
1473 int
1474 tls_write(const uschar *buff, size_t len)
1475 {
1476 int outbytes;
1477 int error;
1478 int left = len;
1479
1480 DEBUG(D_tls) debug_printf("tls_do_write(%p, %d)\n", buff, left);
1481 while (left > 0)
1482 {
1483 DEBUG(D_tls) debug_printf("SSL_write(SSL, %p, %d)\n", buff, left);
1484 outbytes = SSL_write(ssl, CS buff, left);
1485 error = SSL_get_error(ssl, outbytes);
1486 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
1487 switch (error)
1488 {
1489 case SSL_ERROR_SSL:
1490 ERR_error_string(ERR_get_error(), ssl_errstring);
1491 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
1492 return -1;
1493
1494 case SSL_ERROR_NONE:
1495 left -= outbytes;
1496 buff += outbytes;
1497 break;
1498
1499 case SSL_ERROR_ZERO_RETURN:
1500 log_write(0, LOG_MAIN, "SSL channel closed on write");
1501 return -1;
1502
1503 default:
1504 log_write(0, LOG_MAIN, "SSL_write error %d", error);
1505 return -1;
1506 }
1507 }
1508 return len;
1509 }
1510
1511
1512
1513 /*************************************************
1514 * Close down a TLS session *
1515 *************************************************/
1516
1517 /* This is also called from within a delivery subprocess forked from the
1518 daemon, to shut down the TLS library, without actually doing a shutdown (which
1519 would tamper with the SSL session in the parent process).
1520
1521 Arguments: TRUE if SSL_shutdown is to be called
1522 Returns: nothing
1523 */
1524
1525 void
1526 tls_close(BOOL shutdown)
1527 {
1528 if (tls_active < 0) return; /* TLS was not active */
1529
1530 if (shutdown)
1531 {
1532 DEBUG(D_tls) debug_printf("tls_close(): shutting down SSL\n");
1533 SSL_shutdown(ssl);
1534 }
1535
1536 SSL_free(ssl);
1537 ssl = NULL;
1538
1539 tls_active = -1;
1540 }
1541
1542
1543
1544
1545 /*************************************************
1546 * Let tls_require_ciphers be checked at startup *
1547 *************************************************/
1548
1549 /* The tls_require_ciphers option, if set, must be something which the
1550 library can parse.
1551
1552 Returns: NULL on success, or error message
1553 */
1554
1555 uschar *
1556 tls_validate_require_cipher(void)
1557 {
1558 SSL_CTX *ctx;
1559 uschar *s, *expciphers, *err;
1560
1561 /* this duplicates from tls_init(), we need a better "init just global
1562 state, for no specific purpose" singleton function of our own */
1563
1564 SSL_load_error_strings();
1565 OpenSSL_add_ssl_algorithms();
1566 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
1567 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
1568 list of available digests. */
1569 EVP_add_digest(EVP_sha256());
1570 #endif
1571
1572 if (!(tls_require_ciphers && *tls_require_ciphers))
1573 return NULL;
1574
1575 if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers))
1576 return US"failed to expand tls_require_ciphers";
1577
1578 if (!(expciphers && *expciphers))
1579 return NULL;
1580
1581 /* normalisation ripped from above */
1582 s = expciphers;
1583 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1584
1585 err = NULL;
1586
1587 ctx = SSL_CTX_new(SSLv23_server_method());
1588 if (!ctx)
1589 {
1590 ERR_error_string(ERR_get_error(), ssl_errstring);
1591 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
1592 }
1593
1594 DEBUG(D_tls)
1595 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
1596
1597 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
1598 {
1599 ERR_error_string(ERR_get_error(), ssl_errstring);
1600 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed", expciphers);
1601 }
1602
1603 SSL_CTX_free(ctx);
1604
1605 return err;
1606 }
1607
1608
1609
1610
1611 /*************************************************
1612 * Report the library versions. *
1613 *************************************************/
1614
1615 /* There have historically been some issues with binary compatibility in
1616 OpenSSL libraries; if Exim (like many other applications) is built against
1617 one version of OpenSSL but the run-time linker picks up another version,
1618 it can result in serious failures, including crashing with a SIGSEGV. So
1619 report the version found by the compiler and the run-time version.
1620
1621 Arguments: a FILE* to print the results to
1622 Returns: nothing
1623 */
1624
1625 void
1626 tls_version_report(FILE *f)
1627 {
1628 fprintf(f, "Library version: OpenSSL: Compile: %s\n"
1629 " Runtime: %s\n",
1630 OPENSSL_VERSION_TEXT,
1631 SSLeay_version(SSLEAY_VERSION));
1632 }
1633
1634
1635
1636
1637 /*************************************************
1638 * Random number generation *
1639 *************************************************/
1640
1641 /* Pseudo-random number generation. The result is not expected to be
1642 cryptographically strong but not so weak that someone will shoot themselves
1643 in the foot using it as a nonce in input in some email header scheme or
1644 whatever weirdness they'll twist this into. The result should handle fork()
1645 and avoid repeating sequences. OpenSSL handles that for us.
1646
1647 Arguments:
1648 max range maximum
1649 Returns a random number in range [0, max-1]
1650 */
1651
1652 int
1653 vaguely_random_number(int max)
1654 {
1655 unsigned int r;
1656 int i, needed_len;
1657 uschar *p;
1658 uschar smallbuf[sizeof(r)];
1659
1660 if (max <= 1)
1661 return 0;
1662
1663 /* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
1664 if (!RAND_status())
1665 {
1666 randstuff r;
1667 gettimeofday(&r.tv, NULL);
1668 r.p = getpid();
1669
1670 RAND_seed((uschar *)(&r), sizeof(r));
1671 }
1672 /* We're after pseudo-random, not random; if we still don't have enough data
1673 in the internal PRNG then our options are limited. We could sleep and hope
1674 for entropy to come along (prayer technique) but if the system is so depleted
1675 in the first place then something is likely to just keep taking it. Instead,
1676 we'll just take whatever little bit of pseudo-random we can still manage to
1677 get. */
1678
1679 needed_len = sizeof(r);
1680 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
1681 asked for a number less than 10. */
1682 for (r = max, i = 0; r; ++i)
1683 r >>= 1;
1684 i = (i + 7) / 8;
1685 if (i < needed_len)
1686 needed_len = i;
1687
1688 /* We do not care if crypto-strong */
1689 i = RAND_pseudo_bytes(smallbuf, needed_len);
1690 if (i < 0)
1691 {
1692 DEBUG(D_all)
1693 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
1694 return vaguely_random_number_fallback(max);
1695 }
1696
1697 r = 0;
1698 for (p = smallbuf; needed_len; --needed_len, ++p)
1699 {
1700 r *= 256;
1701 r += *p;
1702 }
1703
1704 /* We don't particularly care about weighted results; if someone wants
1705 smooth distribution and cares enough then they should submit a patch then. */
1706 return r % max;
1707 }
1708
1709
1710
1711
1712 /*************************************************
1713 * OpenSSL option parse *
1714 *************************************************/
1715
1716 /* Parse one option for tls_openssl_options_parse below
1717
1718 Arguments:
1719 name one option name
1720 value place to store a value for it
1721 Returns success or failure in parsing
1722 */
1723
1724 struct exim_openssl_option {
1725 uschar *name;
1726 long value;
1727 };
1728 /* We could use a macro to expand, but we need the ifdef and not all the
1729 options document which version they were introduced in. Policylet: include
1730 all options unless explicitly for DTLS, let the administrator choose which
1731 to apply.
1732
1733 This list is current as of:
1734 ==> 1.0.1b <== */
1735 static struct exim_openssl_option exim_openssl_options[] = {
1736 /* KEEP SORTED ALPHABETICALLY! */
1737 #ifdef SSL_OP_ALL
1738 { US"all", SSL_OP_ALL },
1739 #endif
1740 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
1741 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
1742 #endif
1743 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
1744 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
1745 #endif
1746 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
1747 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
1748 #endif
1749 #ifdef SSL_OP_EPHEMERAL_RSA
1750 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
1751 #endif
1752 #ifdef SSL_OP_LEGACY_SERVER_CONNECT
1753 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
1754 #endif
1755 #ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
1756 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
1757 #endif
1758 #ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
1759 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
1760 #endif
1761 #ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
1762 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
1763 #endif
1764 #ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
1765 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
1766 #endif
1767 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
1768 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
1769 #endif
1770 #ifdef SSL_OP_NO_COMPRESSION
1771 { US"no_compression", SSL_OP_NO_COMPRESSION },
1772 #endif
1773 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1774 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
1775 #endif
1776 #ifdef SSL_OP_NO_SSLv2
1777 { US"no_sslv2", SSL_OP_NO_SSLv2 },
1778 #endif
1779 #ifdef SSL_OP_NO_SSLv3
1780 { US"no_sslv3", SSL_OP_NO_SSLv3 },
1781 #endif
1782 #ifdef SSL_OP_NO_TICKET
1783 { US"no_ticket", SSL_OP_NO_TICKET },
1784 #endif
1785 #ifdef SSL_OP_NO_TLSv1
1786 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
1787 #endif
1788 #ifdef SSL_OP_NO_TLSv1_1
1789 #if SSL_OP_NO_TLSv1_1 == 0x00000400L
1790 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
1791 #warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
1792 #else
1793 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
1794 #endif
1795 #endif
1796 #ifdef SSL_OP_NO_TLSv1_2
1797 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
1798 #endif
1799 #ifdef SSL_OP_SINGLE_DH_USE
1800 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
1801 #endif
1802 #ifdef SSL_OP_SINGLE_ECDH_USE
1803 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
1804 #endif
1805 #ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
1806 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
1807 #endif
1808 #ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
1809 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
1810 #endif
1811 #ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
1812 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
1813 #endif
1814 #ifdef SSL_OP_TLS_D5_BUG
1815 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
1816 #endif
1817 #ifdef SSL_OP_TLS_ROLLBACK_BUG
1818 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
1819 #endif
1820 };
1821 static int exim_openssl_options_size =
1822 sizeof(exim_openssl_options)/sizeof(struct exim_openssl_option);
1823
1824
1825 static BOOL
1826 tls_openssl_one_option_parse(uschar *name, long *value)
1827 {
1828 int first = 0;
1829 int last = exim_openssl_options_size;
1830 while (last > first)
1831 {
1832 int middle = (first + last)/2;
1833 int c = Ustrcmp(name, exim_openssl_options[middle].name);
1834 if (c == 0)
1835 {
1836 *value = exim_openssl_options[middle].value;
1837 return TRUE;
1838 }
1839 else if (c > 0)
1840 first = middle + 1;
1841 else
1842 last = middle;
1843 }
1844 return FALSE;
1845 }
1846
1847
1848
1849
1850 /*************************************************
1851 * OpenSSL option parsing logic *
1852 *************************************************/
1853
1854 /* OpenSSL has a number of compatibility options which an administrator might
1855 reasonably wish to set. Interpret a list similarly to decode_bits(), so that
1856 we look like log_selector.
1857
1858 Arguments:
1859 option_spec the administrator-supplied string of options
1860 results ptr to long storage for the options bitmap
1861 Returns success or failure
1862 */
1863
1864 BOOL
1865 tls_openssl_options_parse(uschar *option_spec, long *results)
1866 {
1867 long result, item;
1868 uschar *s, *end;
1869 uschar keep_c;
1870 BOOL adding, item_parsed;
1871
1872 result = 0L;
1873 /* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
1874 * from default because it increases BEAST susceptibility. */
1875
1876 if (option_spec == NULL)
1877 {
1878 *results = result;
1879 return TRUE;
1880 }
1881
1882 for (s=option_spec; *s != '\0'; /**/)
1883 {
1884 while (isspace(*s)) ++s;
1885 if (*s == '\0')
1886 break;
1887 if (*s != '+' && *s != '-')
1888 {
1889 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
1890 "+ or - expected but found \"%s\"\n", s);
1891 return FALSE;
1892 }
1893 adding = *s++ == '+';
1894 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
1895 keep_c = *end;
1896 *end = '\0';
1897 item_parsed = tls_openssl_one_option_parse(s, &item);
1898 if (!item_parsed)
1899 {
1900 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
1901 return FALSE;
1902 }
1903 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
1904 adding ? "adding" : "removing", result, item, s);
1905 if (adding)
1906 result |= item;
1907 else
1908 result &= ~item;
1909 *end = keep_c;
1910 s = end;
1911 }
1912
1913 *results = result;
1914 return TRUE;
1915 }
1916
1917 /* End of tls-openssl.c */
Unnamed repository; edit this file 'description' to name the repository.