64dcab600183b448e86a2a734f8fde38d3e89bc4
[exim.git] / src / src / tls-openssl.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2016 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8 /* Portions Copyright (c) The OpenSSL Project 1999 */
9
10 /* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11 library. It is #included into the tls.c file when that library is used. The
12 code herein is based on a patch that was originally contributed by Steve
13 Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
14
15 No cryptographic code is included in Exim. All this module does is to call
16 functions from the OpenSSL library. */
17
18
19 /* Heading stuff */
20
21 #include <openssl/lhash.h>
22 #include <openssl/ssl.h>
23 #include <openssl/err.h>
24 #include <openssl/rand.h>
25 #ifndef OPENSSL_NO_ECDH
26 # include <openssl/ec.h>
27 #endif
28 #ifndef DISABLE_OCSP
29 # include <openssl/ocsp.h>
30 #endif
31 #ifdef EXPERIMENTAL_DANE
32 # include <danessl.h>
33 #endif
34
35
36 #ifndef DISABLE_OCSP
37 # define EXIM_OCSP_SKEW_SECONDS (300L)
38 # define EXIM_OCSP_MAX_AGE (-1L)
39 #endif
40
41 #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
42 # define EXIM_HAVE_OPENSSL_TLSEXT
43 #endif
44 #if OPENSSL_VERSION_NUMBER >= 0x00908000L
45 # define EXIM_HAVE_RSA_GENKEY_EX
46 #endif
47 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
48 # define EXIM_HAVE_OCSP_RESP_COUNT
49 #else
50 # define EXIM_HAVE_EPHEM_RSA_KEX
51 # define EXIM_HAVE_RAND_PSEUDO
52 #endif
53 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
54 # define EXIM_HAVE_SHA256
55 #endif
56
57 /*
58 * X509_check_host provides sane certificate hostname checking, but was added
59 * to OpenSSL late, after other projects forked off the code-base. So in
60 * addition to guarding against the base version number, beware that LibreSSL
61 * does not (at this time) support this function.
62 *
63 * If LibreSSL gains a different API, perhaps via libtls, then we'll probably
64 * opt to disentangle and ask a LibreSSL user to provide glue for a third
65 * crypto provider for libtls instead of continuing to tie the OpenSSL glue
66 * into even twistier knots. If LibreSSL gains the same API, we can just
67 * change this guard and punt the issue for a while longer.
68 */
69 #ifndef LIBRESSL_VERSION_NUMBER
70 # if OPENSSL_VERSION_NUMBER >= 0x010100000L
71 # define EXIM_HAVE_OPENSSL_CHECKHOST
72 # endif
73 # if OPENSSL_VERSION_NUMBER >= 0x010000000L \
74 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
75 # define EXIM_HAVE_OPENSSL_CHECKHOST
76 # endif
77 #endif
78
79 #if !defined(LIBRESSL_VERSION_NUMBER) \
80 || LIBRESSL_VERSION_NUMBER >= 0x20010000L
81 # if !defined(OPENSSL_NO_ECDH)
82 # if OPENSSL_VERSION_NUMBER >= 0x0090800fL
83 # define EXIM_HAVE_ECDH
84 # endif
85 # if OPENSSL_VERSION_NUMBER >= 0x10002000L
86 # if OPENSSL_VERSION_NUMBER < 0x10100000L
87 # define EXIM_HAVE_OPENSSL_ECDH_AUTO
88 # endif
89 # define EXIM_HAVE_OPENSSL_EC_NIST2NID
90 # endif
91 # endif
92 #endif
93
94 #if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
95 # warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
96 # define DISABLE_OCSP
97 #endif
98
99 /* Structure for collecting random data for seeding. */
100
101 typedef struct randstuff {
102 struct timeval tv;
103 pid_t p;
104 } randstuff;
105
106 /* Local static variables */
107
108 static BOOL client_verify_callback_called = FALSE;
109 static BOOL server_verify_callback_called = FALSE;
110 static const uschar *sid_ctx = US"exim";
111
112 /* We have three different contexts to care about.
113
114 Simple case: client, `client_ctx`
115 As a client, we can be doing a callout or cut-through delivery while receiving
116 a message. So we have a client context, which should have options initialised
117 from the SMTP Transport.
118
119 Server:
120 There are two cases: with and without ServerNameIndication from the client.
121 Given TLS SNI, we can be using different keys, certs and various other
122 configuration settings, because they're re-expanded with $tls_sni set. This
123 allows vhosting with TLS. This SNI is sent in the handshake.
124 A client might not send SNI, so we need a fallback, and an initial setup too.
125 So as a server, we start out using `server_ctx`.
126 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
127 `server_sni` from `server_ctx` and then initialise settings by re-expanding
128 configuration.
129 */
130
131 static SSL_CTX *client_ctx = NULL;
132 static SSL_CTX *server_ctx = NULL;
133 static SSL *client_ssl = NULL;
134 static SSL *server_ssl = NULL;
135
136 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
137 static SSL_CTX *server_sni = NULL;
138 #endif
139
140 static char ssl_errstring[256];
141
142 static int ssl_session_timeout = 200;
143 static BOOL client_verify_optional = FALSE;
144 static BOOL server_verify_optional = FALSE;
145
146 static BOOL reexpand_tls_files_for_sni = FALSE;
147
148
149 typedef struct tls_ext_ctx_cb {
150 uschar *certificate;
151 uschar *privatekey;
152 #ifndef DISABLE_OCSP
153 BOOL is_server;
154 union {
155 struct {
156 uschar *file;
157 uschar *file_expanded;
158 OCSP_RESPONSE *response;
159 } server;
160 struct {
161 X509_STORE *verify_store; /* non-null if status requested */
162 BOOL verify_required;
163 } client;
164 } u_ocsp;
165 #endif
166 uschar *dhparam;
167 /* these are cached from first expand */
168 uschar *server_cipher_list;
169 /* only passed down to tls_error: */
170 host_item *host;
171 const uschar * verify_cert_hostnames;
172 #ifndef DISABLE_EVENT
173 uschar * event_action;
174 #endif
175 } tls_ext_ctx_cb;
176
177 /* should figure out a cleanup of API to handle state preserved per
178 implementation, for various reasons, which can be void * in the APIs.
179 For now, we hack around it. */
180 tls_ext_ctx_cb *client_static_cbinfo = NULL;
181 tls_ext_ctx_cb *server_static_cbinfo = NULL;
182
183 static int
184 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
185 int (*cert_vfy_cb)(int, X509_STORE_CTX *) );
186
187 /* Callbacks */
188 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
189 static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
190 #endif
191 #ifndef DISABLE_OCSP
192 static int tls_server_stapling_cb(SSL *s, void *arg);
193 #endif
194
195
196 /*************************************************
197 * Handle TLS error *
198 *************************************************/
199
200 /* Called from lots of places when errors occur before actually starting to do
201 the TLS handshake, that is, while the session is still in clear. Always returns
202 DEFER for a server and FAIL for a client so that most calls can use "return
203 tls_error(...)" to do this processing and then give an appropriate return. A
204 single function is used for both server and client, because it is called from
205 some shared functions.
206
207 Argument:
208 prefix text to include in the logged error
209 host NULL if setting up a server;
210 the connected host if setting up a client
211 msg error message or NULL if we should ask OpenSSL
212
213 Returns: OK/DEFER/FAIL
214 */
215
216 static int
217 tls_error(uschar * prefix, const host_item * host, uschar * msg)
218 {
219 if (!msg)
220 {
221 ERR_error_string(ERR_get_error(), ssl_errstring);
222 msg = (uschar *)ssl_errstring;
223 }
224
225 if (host)
226 {
227 log_write(0, LOG_MAIN, "H=%s [%s] TLS error on connection (%s): %s",
228 host->name, host->address, prefix, msg);
229 return FAIL;
230 }
231 else
232 {
233 uschar *conn_info = smtp_get_connection_info();
234 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0)
235 conn_info += 5;
236 /* I'd like to get separated H= here, but too hard for now */
237 log_write(0, LOG_MAIN, "TLS error on %s (%s): %s",
238 conn_info, prefix, msg);
239 return DEFER;
240 }
241 }
242
243
244
245 #ifdef EXIM_HAVE_EPHEM_RSA_KEX
246 /*************************************************
247 * Callback to generate RSA key *
248 *************************************************/
249
250 /*
251 Arguments:
252 s SSL connection
253 export not used
254 keylength keylength
255
256 Returns: pointer to generated key
257 */
258
259 static RSA *
260 rsa_callback(SSL *s, int export, int keylength)
261 {
262 RSA *rsa_key;
263 #ifdef EXIM_HAVE_RSA_GENKEY_EX
264 BIGNUM *bn = BN_new();
265 #endif
266
267 export = export; /* Shut picky compilers up */
268 DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
269
270 #ifdef EXIM_HAVE_RSA_GENKEY_EX
271 if ( !BN_set_word(bn, (unsigned long)RSA_F4)
272 || !(rsa_key = RSA_new())
273 || !RSA_generate_key_ex(rsa_key, keylength, bn, NULL)
274 )
275 #else
276 if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL)))
277 #endif
278
279 {
280 ERR_error_string(ERR_get_error(), ssl_errstring);
281 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
282 ssl_errstring);
283 return NULL;
284 }
285 return rsa_key;
286 }
287 #endif
288
289
290
291 /* Extreme debug
292 #ifndef DISABLE_OCSP
293 void
294 x509_store_dump_cert_s_names(X509_STORE * store)
295 {
296 STACK_OF(X509_OBJECT) * roots= store->objs;
297 int i;
298 static uschar name[256];
299
300 for(i= 0; i<sk_X509_OBJECT_num(roots); i++)
301 {
302 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
303 if(tmp_obj->type == X509_LU_X509)
304 {
305 X509 * current_cert= tmp_obj->data.x509;
306 X509_NAME_oneline(X509_get_subject_name(current_cert), CS name, sizeof(name));
307 name[sizeof(name)-1] = '\0';
308 debug_printf(" %s\n", name);
309 }
310 }
311 }
312 #endif
313 */
314
315
316 #ifndef DISABLE_EVENT
317 static int
318 verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
319 BOOL *calledp, const BOOL *optionalp, const uschar * what)
320 {
321 uschar * ev;
322 uschar * yield;
323 X509 * old_cert;
324
325 ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
326 if (ev)
327 {
328 DEBUG(D_tls) debug_printf("verify_event: %s %d\n", what, depth);
329 old_cert = tlsp->peercert;
330 tlsp->peercert = X509_dup(cert);
331 /* NB we do not bother setting peerdn */
332 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
333 {
334 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
335 "depth=%d cert=%s: %s",
336 tlsp == &tls_out ? deliver_host_address : sender_host_address,
337 what, depth, dn, yield);
338 *calledp = TRUE;
339 if (!*optionalp)
340 {
341 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
342 return 1; /* reject (leaving peercert set) */
343 }
344 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
345 "(host in tls_try_verify_hosts)\n");
346 }
347 X509_free(tlsp->peercert);
348 tlsp->peercert = old_cert;
349 }
350 return 0;
351 }
352 #endif
353
354 /*************************************************
355 * Callback for verification *
356 *************************************************/
357
358 /* The SSL library does certificate verification if set up to do so. This
359 callback has the current yes/no state is in "state". If verification succeeded,
360 we set the certificate-verified flag. If verification failed, what happens
361 depends on whether the client is required to present a verifiable certificate
362 or not.
363
364 If verification is optional, we change the state to yes, but still log the
365 verification error. For some reason (it really would help to have proper
366 documentation of OpenSSL), this callback function then gets called again, this
367 time with state = 1. We must take care not to set the private verified flag on
368 the second time through.
369
370 Note: this function is not called if the client fails to present a certificate
371 when asked. We get here only if a certificate has been received. Handling of
372 optional verification for this case is done when requesting SSL to verify, by
373 setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
374
375 May be called multiple times for different issues with a certificate, even
376 for a given "depth" in the certificate chain.
377
378 Arguments:
379 preverify_ok current yes/no state as 1/0
380 x509ctx certificate information.
381 tlsp per-direction (client vs. server) support data
382 calledp has-been-called flag
383 optionalp verification-is-optional flag
384
385 Returns: 0 if verification should fail, otherwise 1
386 */
387
388 static int
389 verify_callback(int preverify_ok, X509_STORE_CTX *x509ctx,
390 tls_support *tlsp, BOOL *calledp, BOOL *optionalp)
391 {
392 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
393 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
394 uschar dn[256];
395
396 X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn));
397 dn[sizeof(dn)-1] = '\0';
398
399 if (preverify_ok == 0)
400 {
401 log_write(0, LOG_MAIN, "[%s] SSL verify error: depth=%d error=%s cert=%s",
402 tlsp == &tls_out ? deliver_host_address : sender_host_address,
403 depth,
404 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)),
405 dn);
406 *calledp = TRUE;
407 if (!*optionalp)
408 {
409 if (!tlsp->peercert)
410 tlsp->peercert = X509_dup(cert); /* record failing cert */
411 return 0; /* reject */
412 }
413 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
414 "tls_try_verify_hosts)\n");
415 }
416
417 else if (depth != 0)
418 {
419 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
420 #ifndef DISABLE_OCSP
421 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
422 { /* client, wanting stapling */
423 /* Add the server cert's signing chain as the one
424 for the verification of the OCSP stapled information. */
425
426 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
427 cert))
428 ERR_clear_error();
429 }
430 #endif
431 #ifndef DISABLE_EVENT
432 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
433 return 0; /* reject, with peercert set */
434 #endif
435 }
436 else
437 {
438 const uschar * verify_cert_hostnames;
439
440 if ( tlsp == &tls_out
441 && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
442 /* client, wanting hostname check */
443 {
444
445 #ifdef EXIM_HAVE_OPENSSL_CHECKHOST
446 # ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
447 # define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
448 # endif
449 # ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
450 # define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
451 # endif
452 int sep = 0;
453 const uschar * list = verify_cert_hostnames;
454 uschar * name;
455 int rc;
456 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
457 if ((rc = X509_check_host(cert, CCS name, 0,
458 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
459 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
460 NULL)))
461 {
462 if (rc < 0)
463 {
464 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
465 tlsp == &tls_out ? deliver_host_address : sender_host_address);
466 name = NULL;
467 }
468 break;
469 }
470 if (!name)
471 #else
472 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
473 #endif
474 {
475 log_write(0, LOG_MAIN,
476 "[%s] SSL verify error: certificate name mismatch: \"%s\"",
477 tlsp == &tls_out ? deliver_host_address : sender_host_address,
478 dn);
479 *calledp = TRUE;
480 if (!*optionalp)
481 {
482 if (!tlsp->peercert)
483 tlsp->peercert = X509_dup(cert); /* record failing cert */
484 return 0; /* reject */
485 }
486 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
487 "tls_try_verify_hosts)\n");
488 }
489 }
490
491 #ifndef DISABLE_EVENT
492 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
493 return 0; /* reject, with peercert set */
494 #endif
495
496 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
497 *calledp ? "" : " authenticated", dn);
498 if (!*calledp) tlsp->certificate_verified = TRUE;
499 *calledp = TRUE;
500 }
501
502 return 1; /* accept, at least for this level */
503 }
504
505 static int
506 verify_callback_client(int preverify_ok, X509_STORE_CTX *x509ctx)
507 {
508 return verify_callback(preverify_ok, x509ctx, &tls_out,
509 &client_verify_callback_called, &client_verify_optional);
510 }
511
512 static int
513 verify_callback_server(int preverify_ok, X509_STORE_CTX *x509ctx)
514 {
515 return verify_callback(preverify_ok, x509ctx, &tls_in,
516 &server_verify_callback_called, &server_verify_optional);
517 }
518
519
520 #ifdef EXPERIMENTAL_DANE
521
522 /* This gets called *by* the dane library verify callback, which interposes
523 itself.
524 */
525 static int
526 verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
527 {
528 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
529 uschar dn[256];
530 #ifndef DISABLE_EVENT
531 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
532 BOOL dummy_called, optional = FALSE;
533 #endif
534
535 X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn));
536 dn[sizeof(dn)-1] = '\0';
537
538 DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
539 preverify_ok ? "ok":"BAD", depth, dn);
540
541 #ifndef DISABLE_EVENT
542 if (verify_event(&tls_out, cert, depth, dn,
543 &dummy_called, &optional, US"DANE"))
544 return 0; /* reject, with peercert set */
545 #endif
546
547 if (preverify_ok == 1)
548 tls_out.dane_verified =
549 tls_out.certificate_verified = TRUE;
550 else
551 {
552 int err = X509_STORE_CTX_get_error(x509ctx);
553 DEBUG(D_tls)
554 debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
555 if (err == X509_V_ERR_APPLICATION_VERIFICATION)
556 preverify_ok = 1;
557 }
558 return preverify_ok;
559 }
560
561 #endif /*EXPERIMENTAL_DANE*/
562
563
564 /*************************************************
565 * Information callback *
566 *************************************************/
567
568 /* The SSL library functions call this from time to time to indicate what they
569 are doing. We copy the string to the debugging output when TLS debugging has
570 been requested.
571
572 Arguments:
573 s the SSL connection
574 where
575 ret
576
577 Returns: nothing
578 */
579
580 static void
581 info_callback(SSL *s, int where, int ret)
582 {
583 where = where;
584 ret = ret;
585 DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
586 }
587
588
589
590 /*************************************************
591 * Initialize for DH *
592 *************************************************/
593
594 /* If dhparam is set, expand it, and load up the parameters for DH encryption.
595
596 Arguments:
597 sctx The current SSL CTX (inbound or outbound)
598 dhparam DH parameter file or fixed parameter identity string
599 host connected host, if client; NULL if server
600
601 Returns: TRUE if OK (nothing to set up, or setup worked)
602 */
603
604 static BOOL
605 init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host)
606 {
607 BIO *bio;
608 DH *dh;
609 uschar *dhexpanded;
610 const char *pem;
611
612 if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded))
613 return FALSE;
614
615 if (!dhexpanded || !*dhexpanded)
616 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
617 else if (dhexpanded[0] == '/')
618 {
619 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
620 {
621 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
622 host, US strerror(errno));
623 return FALSE;
624 }
625 }
626 else
627 {
628 if (Ustrcmp(dhexpanded, "none") == 0)
629 {
630 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
631 return TRUE;
632 }
633
634 if (!(pem = std_dh_prime_named(dhexpanded)))
635 {
636 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
637 host, US strerror(errno));
638 return FALSE;
639 }
640 bio = BIO_new_mem_buf(CS pem, -1);
641 }
642
643 if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
644 {
645 BIO_free(bio);
646 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
647 host, NULL);
648 return FALSE;
649 }
650
651 /* Even if it is larger, we silently return success rather than cause things
652 * to fail out, so that a too-large DH will not knock out all TLS; it's a
653 * debatable choice. */
654 if ((8*DH_size(dh)) > tls_dh_max_bits)
655 {
656 DEBUG(D_tls)
657 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d",
658 8*DH_size(dh), tls_dh_max_bits);
659 }
660 else
661 {
662 SSL_CTX_set_tmp_dh(sctx, dh);
663 DEBUG(D_tls)
664 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
665 dhexpanded ? dhexpanded : US"default", 8*DH_size(dh));
666 }
667
668 DH_free(dh);
669 BIO_free(bio);
670
671 return TRUE;
672 }
673
674
675
676
677 /*************************************************
678 * Initialize for ECDH *
679 *************************************************/
680
681 /* Load parameters for ECDH encryption.
682
683 For now, we stick to NIST P-256 because: it's simple and easy to configure;
684 it avoids any patent issues that might bite redistributors; despite events in
685 the news and concerns over curve choices, we're not cryptographers, we're not
686 pretending to be, and this is "good enough" to be better than no support,
687 protecting against most adversaries. Given another year or two, there might
688 be sufficient clarity about a "right" way forward to let us make an informed
689 decision, instead of a knee-jerk reaction.
690
691 Longer-term, we should look at supporting both various named curves and
692 external files generated with "openssl ecparam", much as we do for init_dh().
693 We should also support "none" as a value, to explicitly avoid initialisation.
694
695 Patches welcome.
696
697 Arguments:
698 sctx The current SSL CTX (inbound or outbound)
699 host connected host, if client; NULL if server
700
701 Returns: TRUE if OK (nothing to set up, or setup worked)
702 */
703
704 static BOOL
705 init_ecdh(SSL_CTX * sctx, host_item * host)
706 {
707 #ifdef OPENSSL_NO_ECDH
708 return TRUE;
709 #else
710
711 EC_KEY * ecdh;
712 uschar * exp_curve;
713 int nid;
714 BOOL rv;
715
716 if (host) /* No ECDH setup for clients, only for servers */
717 return TRUE;
718
719 # ifndef EXIM_HAVE_ECDH
720 DEBUG(D_tls)
721 debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
722 return TRUE;
723 # else
724
725 if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve))
726 return FALSE;
727 if (!exp_curve || !*exp_curve)
728 return TRUE;
729
730 # ifdef EXIM_HAVE_OPENSSL_ECDH_AUTO
731 /* check if new enough library to support auto ECDH temp key parameter selection */
732 if (Ustrcmp(exp_curve, "auto") == 0)
733 {
734 DEBUG(D_tls) debug_printf(
735 "ECDH temp key parameter settings: OpenSSL 1.2+ autoselection\n");
736 SSL_CTX_set_ecdh_auto(sctx, 1);
737 return TRUE;
738 }
739 # endif
740
741 DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve);
742 if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef
743 # ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
744 && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef
745 # endif
746 )
747 {
748 tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'",
749 exp_curve),
750 host, NULL);
751 return FALSE;
752 }
753
754 if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
755 {
756 tls_error(US"Unable to create ec curve", host, NULL);
757 return FALSE;
758 }
759
760 /* The "tmp" in the name here refers to setting a temporary key
761 not to the stability of the interface. */
762
763 if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
764 tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL);
765 else
766 DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
767
768 EC_KEY_free(ecdh);
769 return !rv;
770
771 # endif /*EXIM_HAVE_ECDH*/
772 #endif /*OPENSSL_NO_ECDH*/
773 }
774
775
776
777
778 #ifndef DISABLE_OCSP
779 /*************************************************
780 * Load OCSP information into state *
781 *************************************************/
782
783 /* Called to load the server OCSP response from the given file into memory, once
784 caller has determined this is needed. Checks validity. Debugs a message
785 if invalid.
786
787 ASSUMES: single response, for single cert.
788
789 Arguments:
790 sctx the SSL_CTX* to update
791 cbinfo various parts of session state
792 expanded the filename putatively holding an OCSP response
793
794 */
795
796 static void
797 ocsp_load_response(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo, const uschar *expanded)
798 {
799 BIO *bio;
800 OCSP_RESPONSE *resp;
801 OCSP_BASICRESP *basic_response;
802 OCSP_SINGLERESP *single_response;
803 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
804 X509_STORE *store;
805 unsigned long verify_flags;
806 int status, reason, i;
807
808 cbinfo->u_ocsp.server.file_expanded = string_copy(expanded);
809 if (cbinfo->u_ocsp.server.response)
810 {
811 OCSP_RESPONSE_free(cbinfo->u_ocsp.server.response);
812 cbinfo->u_ocsp.server.response = NULL;
813 }
814
815 bio = BIO_new_file(CS cbinfo->u_ocsp.server.file_expanded, "rb");
816 if (!bio)
817 {
818 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
819 cbinfo->u_ocsp.server.file_expanded);
820 return;
821 }
822
823 resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
824 BIO_free(bio);
825 if (!resp)
826 {
827 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
828 return;
829 }
830
831 status = OCSP_response_status(resp);
832 if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL)
833 {
834 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
835 OCSP_response_status_str(status), status);
836 goto bad;
837 }
838
839 basic_response = OCSP_response_get1_basic(resp);
840 if (!basic_response)
841 {
842 DEBUG(D_tls)
843 debug_printf("OCSP response parse error: unable to extract basic response.\n");
844 goto bad;
845 }
846
847 store = SSL_CTX_get_cert_store(sctx);
848 verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
849
850 /* May need to expose ability to adjust those flags?
851 OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
852 OCSP_TRUSTOTHER OCSP_NOINTERN */
853
854 i = OCSP_basic_verify(basic_response, NULL, store, verify_flags);
855 if (i <= 0)
856 {
857 DEBUG(D_tls) {
858 ERR_error_string(ERR_get_error(), ssl_errstring);
859 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
860 }
861 goto bad;
862 }
863
864 /* Here's the simplifying assumption: there's only one response, for the
865 one certificate we use, and nothing for anything else in a chain. If this
866 proves false, we need to extract a cert id from our issued cert
867 (tls_certificate) and use that for OCSP_resp_find_status() (which finds the
868 right cert in the stack and then calls OCSP_single_get0_status()).
869
870 I'm hoping to avoid reworking a bunch more of how we handle state here. */
871 single_response = OCSP_resp_get0(basic_response, 0);
872 if (!single_response)
873 {
874 DEBUG(D_tls)
875 debug_printf("Unable to get first response from OCSP basic response.\n");
876 goto bad;
877 }
878
879 status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
880 if (status != V_OCSP_CERTSTATUS_GOOD)
881 {
882 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
883 OCSP_cert_status_str(status), status,
884 OCSP_crl_reason_str(reason), reason);
885 goto bad;
886 }
887
888 if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
889 {
890 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
891 goto bad;
892 }
893
894 supply_response:
895 cbinfo->u_ocsp.server.response = resp;
896 return;
897
898 bad:
899 if (running_in_test_harness)
900 {
901 extern char ** environ;
902 uschar ** p;
903 if (environ) for (p = USS environ; *p != NULL; p++)
904 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
905 {
906 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
907 goto supply_response;
908 }
909 }
910 return;
911 }
912 #endif /*!DISABLE_OCSP*/
913
914
915
916
917 /* Create and install a selfsigned certificate, for use in server mode */
918
919 static int
920 tls_install_selfsign(SSL_CTX * sctx)
921 {
922 X509 * x509 = NULL;
923 EVP_PKEY * pkey;
924 RSA * rsa;
925 X509_NAME * name;
926 uschar * where;
927
928 where = US"allocating pkey";
929 if (!(pkey = EVP_PKEY_new()))
930 goto err;
931
932 where = US"allocating cert";
933 if (!(x509 = X509_new()))
934 goto err;
935
936 where = US"generating pkey";
937 /* deprecated, use RSA_generate_key_ex() */
938 if (!(rsa = RSA_generate_key(1024, RSA_F4, NULL, NULL)))
939 goto err;
940
941 where = US"assiging pkey";
942 if (!EVP_PKEY_assign_RSA(pkey, rsa))
943 goto err;
944
945 X509_set_version(x509, 2); /* N+1 - version 3 */
946 ASN1_INTEGER_set(X509_get_serialNumber(x509), 0);
947 X509_gmtime_adj(X509_get_notBefore(x509), 0);
948 X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60); /* 1 hour */
949 X509_set_pubkey(x509, pkey);
950
951 name = X509_get_subject_name(x509);
952 X509_NAME_add_entry_by_txt(name, "C",
953 MBSTRING_ASC, CUS "UK", -1, -1, 0);
954 X509_NAME_add_entry_by_txt(name, "O",
955 MBSTRING_ASC, CUS "Exim Developers", -1, -1, 0);
956 X509_NAME_add_entry_by_txt(name, "CN",
957 MBSTRING_ASC, CUS smtp_active_hostname, -1, -1, 0);
958 X509_set_issuer_name(x509, name);
959
960 where = US"signing cert";
961 if (!X509_sign(x509, pkey, EVP_md5()))
962 goto err;
963
964 where = US"installing selfsign cert";
965 if (!SSL_CTX_use_certificate(sctx, x509))
966 goto err;
967
968 where = US"installing selfsign key";
969 if (!SSL_CTX_use_PrivateKey(sctx, pkey))
970 goto err;
971
972 return OK;
973
974 err:
975 (void) tls_error(where, NULL, NULL);
976 if (x509) X509_free(x509);
977 if (pkey) EVP_PKEY_free(pkey);
978 return DEFER;
979 }
980
981
982
983
984 /*************************************************
985 * Expand key and cert file specs *
986 *************************************************/
987
988 /* Called once during tls_init and possibly again during TLS setup, for a
989 new context, if Server Name Indication was used and tls_sni was seen in
990 the certificate string.
991
992 Arguments:
993 sctx the SSL_CTX* to update
994 cbinfo various parts of session state
995
996 Returns: OK/DEFER/FAIL
997 */
998
999 static int
1000 tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo)
1001 {
1002 uschar *expanded;
1003
1004 if (!cbinfo->certificate)
1005 {
1006 if (cbinfo->host) /* client */
1007 return OK;
1008 /* server */
1009 if (tls_install_selfsign(sctx) != OK)
1010 return DEFER;
1011 }
1012 else
1013 {
1014 if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
1015 Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
1016 Ustrstr(cbinfo->certificate, US"tls_out_sni")
1017 )
1018 reexpand_tls_files_for_sni = TRUE;
1019
1020 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded))
1021 return DEFER;
1022
1023 if (expanded != NULL)
1024 {
1025 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded);
1026 if (!SSL_CTX_use_certificate_chain_file(sctx, CS expanded))
1027 return tls_error(string_sprintf(
1028 "SSL_CTX_use_certificate_chain_file file=%s", expanded),
1029 cbinfo->host, NULL);
1030 }
1031
1032 if (cbinfo->privatekey != NULL &&
1033 !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded))
1034 return DEFER;
1035
1036 /* If expansion was forced to fail, key_expanded will be NULL. If the result
1037 of the expansion is an empty string, ignore it also, and assume the private
1038 key is in the same file as the certificate. */
1039
1040 if (expanded && *expanded)
1041 {
1042 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
1043 if (!SSL_CTX_use_PrivateKey_file(sctx, CS expanded, SSL_FILETYPE_PEM))
1044 return tls_error(string_sprintf(
1045 "SSL_CTX_use_PrivateKey_file file=%s", expanded), cbinfo->host, NULL);
1046 }
1047 }
1048
1049 #ifndef DISABLE_OCSP
1050 if (cbinfo->is_server && cbinfo->u_ocsp.server.file)
1051 {
1052 if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded))
1053 return DEFER;
1054
1055 if (expanded && *expanded)
1056 {
1057 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
1058 if ( cbinfo->u_ocsp.server.file_expanded
1059 && (Ustrcmp(expanded, cbinfo->u_ocsp.server.file_expanded) == 0))
1060 {
1061 DEBUG(D_tls) debug_printf(" - value unchanged, using existing values\n");
1062 }
1063 else
1064 {
1065 ocsp_load_response(sctx, cbinfo, expanded);
1066 }
1067 }
1068 }
1069 #endif
1070
1071 return OK;
1072 }
1073
1074
1075
1076
1077 /*************************************************
1078 * Callback to handle SNI *
1079 *************************************************/
1080
1081 /* Called when acting as server during the TLS session setup if a Server Name
1082 Indication extension was sent by the client.
1083
1084 API documentation is OpenSSL s_server.c implementation.
1085
1086 Arguments:
1087 s SSL* of the current session
1088 ad unknown (part of OpenSSL API) (unused)
1089 arg Callback of "our" registered data
1090
1091 Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
1092 */
1093
1094 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
1095 static int
1096 tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
1097 {
1098 const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
1099 tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
1100 int rc;
1101 int old_pool = store_pool;
1102
1103 if (!servername)
1104 return SSL_TLSEXT_ERR_OK;
1105
1106 DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
1107 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
1108
1109 /* Make the extension value available for expansion */
1110 store_pool = POOL_PERM;
1111 tls_in.sni = string_copy(US servername);
1112 store_pool = old_pool;
1113
1114 if (!reexpand_tls_files_for_sni)
1115 return SSL_TLSEXT_ERR_OK;
1116
1117 /* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
1118 not confident that memcpy wouldn't break some internal reference counting.
1119 Especially since there's a references struct member, which would be off. */
1120
1121 if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
1122 {
1123 ERR_error_string(ERR_get_error(), ssl_errstring);
1124 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
1125 return SSL_TLSEXT_ERR_NOACK;
1126 }
1127
1128 /* Not sure how many of these are actually needed, since SSL object
1129 already exists. Might even need this selfsame callback, for reneg? */
1130
1131 SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
1132 SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
1133 SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
1134 SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
1135 SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
1136 SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
1137
1138 if ( !init_dh(server_sni, cbinfo->dhparam, NULL)
1139 || !init_ecdh(server_sni, NULL)
1140 )
1141 return SSL_TLSEXT_ERR_NOACK;
1142
1143 if (cbinfo->server_cipher_list)
1144 SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list);
1145 #ifndef DISABLE_OCSP
1146 if (cbinfo->u_ocsp.server.file)
1147 {
1148 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
1149 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
1150 }
1151 #endif
1152
1153 rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE, verify_callback_server);
1154 if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
1155
1156 /* do this after setup_certs, because this can require the certs for verifying
1157 OCSP information. */
1158 if ((rc = tls_expand_session_files(server_sni, cbinfo)) != OK)
1159 return SSL_TLSEXT_ERR_NOACK;
1160
1161 DEBUG(D_tls) debug_printf("Switching SSL context.\n");
1162 SSL_set_SSL_CTX(s, server_sni);
1163
1164 return SSL_TLSEXT_ERR_OK;
1165 }
1166 #endif /* EXIM_HAVE_OPENSSL_TLSEXT */
1167
1168
1169
1170
1171 #ifndef DISABLE_OCSP
1172
1173 /*************************************************
1174 * Callback to handle OCSP Stapling *
1175 *************************************************/
1176
1177 /* Called when acting as server during the TLS session setup if the client
1178 requests OCSP information with a Certificate Status Request.
1179
1180 Documentation via openssl s_server.c and the Apache patch from the OpenSSL
1181 project.
1182
1183 */
1184
1185 static int
1186 tls_server_stapling_cb(SSL *s, void *arg)
1187 {
1188 const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
1189 uschar *response_der;
1190 int response_der_len;
1191
1192 DEBUG(D_tls)
1193 debug_printf("Received TLS status request (OCSP stapling); %s response\n",
1194 cbinfo->u_ocsp.server.response ? "have" : "lack");
1195
1196 tls_in.ocsp = OCSP_NOT_RESP;
1197 if (!cbinfo->u_ocsp.server.response)
1198 return SSL_TLSEXT_ERR_NOACK;
1199
1200 response_der = NULL;
1201 response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response,
1202 &response_der);
1203 if (response_der_len <= 0)
1204 return SSL_TLSEXT_ERR_NOACK;
1205
1206 SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
1207 tls_in.ocsp = OCSP_VFIED;
1208 return SSL_TLSEXT_ERR_OK;
1209 }
1210
1211
1212 static void
1213 time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
1214 {
1215 BIO_printf(bp, "\t%s: ", str);
1216 ASN1_GENERALIZEDTIME_print(bp, time);
1217 BIO_puts(bp, "\n");
1218 }
1219
1220 static int
1221 tls_client_stapling_cb(SSL *s, void *arg)
1222 {
1223 tls_ext_ctx_cb * cbinfo = arg;
1224 const unsigned char * p;
1225 int len;
1226 OCSP_RESPONSE * rsp;
1227 OCSP_BASICRESP * bs;
1228 int i;
1229
1230 DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
1231 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1232 if(!p)
1233 {
1234 /* Expect this when we requested ocsp but got none */
1235 if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
1236 log_write(0, LOG_MAIN, "Received TLS status callback, null content");
1237 else
1238 DEBUG(D_tls) debug_printf(" null\n");
1239 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1240 }
1241
1242 if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
1243 {
1244 tls_out.ocsp = OCSP_FAILED;
1245 if (LOGGING(tls_cipher))
1246 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
1247 else
1248 DEBUG(D_tls) debug_printf(" parse error\n");
1249 return 0;
1250 }
1251
1252 if(!(bs = OCSP_response_get1_basic(rsp)))
1253 {
1254 tls_out.ocsp = OCSP_FAILED;
1255 if (LOGGING(tls_cipher))
1256 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
1257 else
1258 DEBUG(D_tls) debug_printf(" error parsing response\n");
1259 OCSP_RESPONSE_free(rsp);
1260 return 0;
1261 }
1262
1263 /* We'd check the nonce here if we'd put one in the request. */
1264 /* However that would defeat cacheability on the server so we don't. */
1265
1266 /* This section of code reworked from OpenSSL apps source;
1267 The OpenSSL Project retains copyright:
1268 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
1269 */
1270 {
1271 BIO * bp = NULL;
1272 int status, reason;
1273 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1274
1275 DEBUG(D_tls) bp = BIO_new_fp(stderr, BIO_NOCLOSE);
1276
1277 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
1278
1279 /* Use the chain that verified the server cert to verify the stapled info */
1280 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
1281
1282 if ((i = OCSP_basic_verify(bs, NULL,
1283 cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
1284 {
1285 tls_out.ocsp = OCSP_FAILED;
1286 if (LOGGING(tls_cipher))
1287 log_write(0, LOG_MAIN, "Received TLS cert status response, itself unverifiable");
1288 BIO_printf(bp, "OCSP response verify failure\n");
1289 ERR_print_errors(bp);
1290 goto failed;
1291 }
1292
1293 BIO_printf(bp, "OCSP response well-formed and signed OK\n");
1294
1295 /*XXX So we have a good stapled OCSP status. How do we know
1296 it is for the cert of interest? OpenSSL 1.1.0 has a routine
1297 OCSP_resp_find_status() which matches on a cert id, which presumably
1298 we should use. Making an id needs OCSP_cert_id_new(), which takes
1299 issuerName, issuerKey, serialNumber. Are they all in the cert?
1300
1301 For now, carry on blindly accepting the resp. */
1302
1303 {
1304 OCSP_SINGLERESP * single;
1305
1306 #ifdef EXIM_HAVE_OCSP_RESP_COUNT
1307 if (OCSP_resp_count(bs) != 1)
1308 #else
1309 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
1310 if (sk_OCSP_SINGLERESP_num(sresp) != 1)
1311 #endif
1312 {
1313 tls_out.ocsp = OCSP_FAILED;
1314 log_write(0, LOG_MAIN, "OCSP stapling "
1315 "with multiple responses not handled");
1316 goto failed;
1317 }
1318 single = OCSP_resp_get0(bs, 0);
1319 status = OCSP_single_get0_status(single, &reason, &rev,
1320 &thisupd, &nextupd);
1321 }
1322
1323 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
1324 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
1325 if (!OCSP_check_validity(thisupd, nextupd,
1326 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1327 {
1328 tls_out.ocsp = OCSP_FAILED;
1329 DEBUG(D_tls) ERR_print_errors(bp);
1330 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
1331 }
1332 else
1333 {
1334 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
1335 OCSP_cert_status_str(status));
1336 switch(status)
1337 {
1338 case V_OCSP_CERTSTATUS_GOOD:
1339 tls_out.ocsp = OCSP_VFIED;
1340 i = 1;
1341 goto good;
1342 case V_OCSP_CERTSTATUS_REVOKED:
1343 tls_out.ocsp = OCSP_FAILED;
1344 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
1345 reason != -1 ? "; reason: " : "",
1346 reason != -1 ? OCSP_crl_reason_str(reason) : "");
1347 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
1348 break;
1349 default:
1350 tls_out.ocsp = OCSP_FAILED;
1351 log_write(0, LOG_MAIN,
1352 "Server certificate status unknown, in OCSP stapling");
1353 break;
1354 }
1355 }
1356 failed:
1357 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1358 good:
1359 BIO_free(bp);
1360 }
1361
1362 OCSP_RESPONSE_free(rsp);
1363 return i;
1364 }
1365 #endif /*!DISABLE_OCSP*/
1366
1367
1368 /*************************************************
1369 * Initialize for TLS *
1370 *************************************************/
1371
1372 /* Called from both server and client code, to do preliminary initialization
1373 of the library. We allocate and return a context structure.
1374
1375 Arguments:
1376 ctxp returned SSL context
1377 host connected host, if client; NULL if server
1378 dhparam DH parameter file
1379 certificate certificate file
1380 privatekey private key
1381 ocsp_file file of stapling info (server); flag for require ocsp (client)
1382 addr address if client; NULL if server (for some randomness)
1383 cbp place to put allocated callback context
1384
1385 Returns: OK/DEFER/FAIL
1386 */
1387
1388 static int
1389 tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
1390 uschar *privatekey,
1391 #ifndef DISABLE_OCSP
1392 uschar *ocsp_file,
1393 #endif
1394 address_item *addr, tls_ext_ctx_cb ** cbp)
1395 {
1396 long init_options;
1397 int rc;
1398 BOOL okay;
1399 tls_ext_ctx_cb * cbinfo;
1400
1401 cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
1402 cbinfo->certificate = certificate;
1403 cbinfo->privatekey = privatekey;
1404 #ifndef DISABLE_OCSP
1405 if ((cbinfo->is_server = host==NULL))
1406 {
1407 cbinfo->u_ocsp.server.file = ocsp_file;
1408 cbinfo->u_ocsp.server.file_expanded = NULL;
1409 cbinfo->u_ocsp.server.response = NULL;
1410 }
1411 else
1412 cbinfo->u_ocsp.client.verify_store = NULL;
1413 #endif
1414 cbinfo->dhparam = dhparam;
1415 cbinfo->server_cipher_list = NULL;
1416 cbinfo->host = host;
1417 #ifndef DISABLE_EVENT
1418 cbinfo->event_action = NULL;
1419 #endif
1420
1421 SSL_load_error_strings(); /* basic set up */
1422 OpenSSL_add_ssl_algorithms();
1423
1424 #ifdef EXIM_HAVE_SHA256
1425 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
1426 list of available digests. */
1427 EVP_add_digest(EVP_sha256());
1428 #endif
1429
1430 /* Create a context.
1431 The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
1432 negotiation in the different methods; as far as I can tell, the only
1433 *_{server,client}_method which allows negotiation is SSLv23, which exists even
1434 when OpenSSL is built without SSLv2 support.
1435 By disabling with openssl_options, we can let admins re-enable with the
1436 existing knob. */
1437
1438 *ctxp = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method());
1439
1440 if (!*ctxp) return tls_error(US"SSL_CTX_new", host, NULL);
1441
1442 /* It turns out that we need to seed the random number generator this early in
1443 order to get the full complement of ciphers to work. It took me roughly a day
1444 of work to discover this by experiment.
1445
1446 On systems that have /dev/urandom, SSL may automatically seed itself from
1447 there. Otherwise, we have to make something up as best we can. Double check
1448 afterwards. */
1449
1450 if (!RAND_status())
1451 {
1452 randstuff r;
1453 gettimeofday(&r.tv, NULL);
1454 r.p = getpid();
1455
1456 RAND_seed((uschar *)(&r), sizeof(r));
1457 RAND_seed((uschar *)big_buffer, big_buffer_size);
1458 if (addr != NULL) RAND_seed((uschar *)addr, sizeof(addr));
1459
1460 if (!RAND_status())
1461 return tls_error(US"RAND_status", host,
1462 US"unable to seed random number generator");
1463 }
1464
1465 /* Set up the information callback, which outputs if debugging is at a suitable
1466 level. */
1467
1468 DEBUG(D_tls) SSL_CTX_set_info_callback(*ctxp, (void (*)())info_callback);
1469
1470 /* Automatically re-try reads/writes after renegotiation. */
1471 (void) SSL_CTX_set_mode(*ctxp, SSL_MODE_AUTO_RETRY);
1472
1473 /* Apply administrator-supplied work-arounds.
1474 Historically we applied just one requested option,
1475 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
1476 moved to an administrator-controlled list of options to specify and
1477 grandfathered in the first one as the default value for "openssl_options".
1478
1479 No OpenSSL version number checks: the options we accept depend upon the
1480 availability of the option value macros from OpenSSL. */
1481
1482 okay = tls_openssl_options_parse(openssl_options, &init_options);
1483 if (!okay)
1484 return tls_error(US"openssl_options parsing failed", host, NULL);
1485
1486 if (init_options)
1487 {
1488 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
1489 if (!(SSL_CTX_set_options(*ctxp, init_options)))
1490 return tls_error(string_sprintf(
1491 "SSL_CTX_set_option(%#lx)", init_options), host, NULL);
1492 }
1493 else
1494 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
1495
1496 /* Initialize with DH parameters if supplied */
1497 /* Initialize ECDH temp key parameter selection */
1498
1499 if ( !init_dh(*ctxp, dhparam, host)
1500 || !init_ecdh(*ctxp, host)
1501 )
1502 return DEFER;
1503
1504 /* Set up certificate and key (and perhaps OCSP info) */
1505
1506 if ((rc = tls_expand_session_files(*ctxp, cbinfo)) != OK)
1507 return rc;
1508
1509 /* If we need to handle SNI, do so */
1510 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
1511 if (host == NULL) /* server */
1512 {
1513 # ifndef DISABLE_OCSP
1514 /* We check u_ocsp.server.file, not server.response, because we care about if
1515 the option exists, not what the current expansion might be, as SNI might
1516 change the certificate and OCSP file in use between now and the time the
1517 callback is invoked. */
1518 if (cbinfo->u_ocsp.server.file)
1519 {
1520 SSL_CTX_set_tlsext_status_cb(server_ctx, tls_server_stapling_cb);
1521 SSL_CTX_set_tlsext_status_arg(server_ctx, cbinfo);
1522 }
1523 # endif
1524 /* We always do this, so that $tls_sni is available even if not used in
1525 tls_certificate */
1526 SSL_CTX_set_tlsext_servername_callback(*ctxp, tls_servername_cb);
1527 SSL_CTX_set_tlsext_servername_arg(*ctxp, cbinfo);
1528 }
1529 # ifndef DISABLE_OCSP
1530 else /* client */
1531 if(ocsp_file) /* wanting stapling */
1532 {
1533 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
1534 {
1535 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
1536 return FAIL;
1537 }
1538 SSL_CTX_set_tlsext_status_cb(*ctxp, tls_client_stapling_cb);
1539 SSL_CTX_set_tlsext_status_arg(*ctxp, cbinfo);
1540 }
1541 # endif
1542 #endif
1543
1544 cbinfo->verify_cert_hostnames = NULL;
1545
1546 #ifdef EXIM_HAVE_EPHEM_RSA_KEX
1547 /* Set up the RSA callback */
1548 SSL_CTX_set_tmp_rsa_callback(*ctxp, rsa_callback);
1549 #endif
1550
1551 /* Finally, set the timeout, and we are done */
1552
1553 SSL_CTX_set_timeout(*ctxp, ssl_session_timeout);
1554 DEBUG(D_tls) debug_printf("Initialized TLS\n");
1555
1556 *cbp = cbinfo;
1557
1558 return OK;
1559 }
1560
1561
1562
1563
1564 /*************************************************
1565 * Get name of cipher in use *
1566 *************************************************/
1567
1568 /*
1569 Argument: pointer to an SSL structure for the connection
1570 buffer to use for answer
1571 size of buffer
1572 pointer to number of bits for cipher
1573 Returns: nothing
1574 */
1575
1576 static void
1577 construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits)
1578 {
1579 /* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't
1580 yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
1581 the accessor functions use const in the prototype. */
1582 const SSL_CIPHER *c;
1583 const uschar *ver;
1584
1585 ver = (const uschar *)SSL_get_version(ssl);
1586
1587 c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
1588 SSL_CIPHER_get_bits(c, bits);
1589
1590 string_format(cipherbuf, bsize, "%s:%s:%u", ver,
1591 SSL_CIPHER_get_name(c), *bits);
1592
1593 DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
1594 }
1595
1596
1597 static void
1598 peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned bsize)
1599 {
1600 /*XXX we might consider a list-of-certs variable for the cert chain.
1601 SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
1602 in list-handling functions, also consider the difference between the entire
1603 chain and the elements sent by the peer. */
1604
1605 /* Will have already noted peercert on a verify fail; possibly not the leaf */
1606 if (!tlsp->peercert)
1607 tlsp->peercert = SSL_get_peer_certificate(ssl);
1608 /* Beware anonymous ciphers which lead to server_cert being NULL */
1609 if (tlsp->peercert)
1610 {
1611 X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, bsize);
1612 peerdn[bsize-1] = '\0';
1613 tlsp->peerdn = peerdn; /*XXX a static buffer... */
1614 }
1615 else
1616 tlsp->peerdn = NULL;
1617 }
1618
1619
1620
1621
1622
1623 /*************************************************
1624 * Set up for verifying certificates *
1625 *************************************************/
1626
1627 /* Called by both client and server startup
1628
1629 Arguments:
1630 sctx SSL_CTX* to initialise
1631 certs certs file or NULL
1632 crl CRL file or NULL
1633 host NULL in a server; the remote host in a client
1634 optional TRUE if called from a server for a host in tls_try_verify_hosts;
1635 otherwise passed as FALSE
1636 cert_vfy_cb Callback function for certificate verification
1637
1638 Returns: OK/DEFER/FAIL
1639 */
1640
1641 static int
1642 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
1643 int (*cert_vfy_cb)(int, X509_STORE_CTX *) )
1644 {
1645 uschar *expcerts, *expcrl;
1646
1647 if (!expand_check(certs, US"tls_verify_certificates", &expcerts))
1648 return DEFER;
1649
1650 if (expcerts && *expcerts)
1651 {
1652 /* Tell the library to use its compiled-in location for the system default
1653 CA bundle. Then add the ones specified in the config, if any. */
1654
1655 if (!SSL_CTX_set_default_verify_paths(sctx))
1656 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
1657
1658 if (Ustrcmp(expcerts, "system") != 0)
1659 {
1660 struct stat statbuf;
1661
1662 if (Ustat(expcerts, &statbuf) < 0)
1663 {
1664 log_write(0, LOG_MAIN|LOG_PANIC,
1665 "failed to stat %s for certificates", expcerts);
1666 return DEFER;
1667 }
1668 else
1669 {
1670 uschar *file, *dir;
1671 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
1672 { file = NULL; dir = expcerts; }
1673 else
1674 { file = expcerts; dir = NULL; }
1675
1676 /* If a certificate file is empty, the next function fails with an
1677 unhelpful error message. If we skip it, we get the correct behaviour (no
1678 certificates are recognized, but the error message is still misleading (it
1679 says no certificate was supplied.) But this is better. */
1680
1681 if ( (!file || statbuf.st_size > 0)
1682 && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
1683 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL);
1684
1685 /* Load the list of CAs for which we will accept certs, for sending
1686 to the client. This is only for the one-file tls_verify_certificates
1687 variant.
1688 If a list isn't loaded into the server, but
1689 some verify locations are set, the server end appears to make
1690 a wildcard reqest for client certs.
1691 Meanwhile, the client library as default behaviour *ignores* the list
1692 we send over the wire - see man SSL_CTX_set_client_cert_cb.
1693 Because of this, and that the dir variant is likely only used for
1694 the public-CA bundle (not for a private CA), not worth fixing.
1695 */
1696 if (file)
1697 {
1698 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
1699
1700 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
1701 sk_X509_NAME_num(names));
1702 SSL_CTX_set_client_CA_list(sctx, names);
1703 }
1704 }
1705 }
1706
1707 /* Handle a certificate revocation list. */
1708
1709 #if OPENSSL_VERSION_NUMBER > 0x00907000L
1710
1711 /* This bit of code is now the version supplied by Lars Mainka. (I have
1712 merely reformatted it into the Exim code style.)
1713
1714 "From here I changed the code to add support for multiple crl's
1715 in pem format in one file or to support hashed directory entries in
1716 pem format instead of a file. This method now uses the library function
1717 X509_STORE_load_locations to add the CRL location to the SSL context.
1718 OpenSSL will then handle the verify against CA certs and CRLs by
1719 itself in the verify callback." */
1720
1721 if (!expand_check(crl, US"tls_crl", &expcrl)) return DEFER;
1722 if (expcrl && *expcrl)
1723 {
1724 struct stat statbufcrl;
1725 if (Ustat(expcrl, &statbufcrl) < 0)
1726 {
1727 log_write(0, LOG_MAIN|LOG_PANIC,
1728 "failed to stat %s for certificates revocation lists", expcrl);
1729 return DEFER;
1730 }
1731 else
1732 {
1733 /* is it a file or directory? */
1734 uschar *file, *dir;
1735 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
1736 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
1737 {
1738 file = NULL;
1739 dir = expcrl;
1740 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
1741 }
1742 else
1743 {
1744 file = expcrl;
1745 dir = NULL;
1746 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
1747 }
1748 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
1749 return tls_error(US"X509_STORE_load_locations", host, NULL);
1750
1751 /* setting the flags to check against the complete crl chain */
1752
1753 X509_STORE_set_flags(cvstore,
1754 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
1755 }
1756 }
1757
1758 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
1759
1760 /* If verification is optional, don't fail if no certificate */
1761
1762 SSL_CTX_set_verify(sctx,
1763 SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
1764 cert_vfy_cb);
1765 }
1766
1767 return OK;
1768 }
1769
1770
1771
1772 /*************************************************
1773 * Start a TLS session in a server *
1774 *************************************************/
1775
1776 /* This is called when Exim is running as a server, after having received
1777 the STARTTLS command. It must respond to that command, and then negotiate
1778 a TLS session.
1779
1780 Arguments:
1781 require_ciphers allowed ciphers
1782
1783 Returns: OK on success
1784 DEFER for errors before the start of the negotiation
1785 FAIL for errors during the negotation; the server can't
1786 continue running.
1787 */
1788
1789 int
1790 tls_server_start(const uschar *require_ciphers)
1791 {
1792 int rc;
1793 uschar *expciphers;
1794 tls_ext_ctx_cb *cbinfo;
1795 static uschar peerdn[256];
1796 static uschar cipherbuf[256];
1797
1798 /* Check for previous activation */
1799
1800 if (tls_in.active >= 0)
1801 {
1802 tls_error(US"STARTTLS received after TLS started", NULL, US"");
1803 smtp_printf("554 Already in TLS\r\n");
1804 return FAIL;
1805 }
1806
1807 /* Initialize the SSL library. If it fails, it will already have logged
1808 the error. */
1809
1810 rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
1811 #ifndef DISABLE_OCSP
1812 tls_ocsp_file,
1813 #endif
1814 NULL, &server_static_cbinfo);
1815 if (rc != OK) return rc;
1816 cbinfo = server_static_cbinfo;
1817
1818 if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
1819 return FAIL;
1820
1821 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
1822 were historically separated by underscores. So that I can use either form in my
1823 tests, and also for general convenience, we turn underscores into hyphens here.
1824 */
1825
1826 if (expciphers != NULL)
1827 {
1828 uschar *s = expciphers;
1829 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1830 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
1831 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
1832 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL);
1833 cbinfo->server_cipher_list = expciphers;
1834 }
1835
1836 /* If this is a host for which certificate verification is mandatory or
1837 optional, set up appropriately. */
1838
1839 tls_in.certificate_verified = FALSE;
1840 #ifdef EXPERIMENTAL_DANE
1841 tls_in.dane_verified = FALSE;
1842 #endif
1843 server_verify_callback_called = FALSE;
1844
1845 if (verify_check_host(&tls_verify_hosts) == OK)
1846 {
1847 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
1848 FALSE, verify_callback_server);
1849 if (rc != OK) return rc;
1850 server_verify_optional = FALSE;
1851 }
1852 else if (verify_check_host(&tls_try_verify_hosts) == OK)
1853 {
1854 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
1855 TRUE, verify_callback_server);
1856 if (rc != OK) return rc;
1857 server_verify_optional = TRUE;
1858 }
1859
1860 /* Prepare for new connection */
1861
1862 if ((server_ssl = SSL_new(server_ctx)) == NULL) return tls_error(US"SSL_new", NULL, NULL);
1863
1864 /* Warning: we used to SSL_clear(ssl) here, it was removed.
1865 *
1866 * With the SSL_clear(), we get strange interoperability bugs with
1867 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
1868 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
1869 *
1870 * The SSL_clear() call is to let an existing SSL* be reused, typically after
1871 * session shutdown. In this case, we have a brand new object and there's no
1872 * obvious reason to immediately clear it. I'm guessing that this was
1873 * originally added because of incomplete initialisation which the clear fixed,
1874 * in some historic release.
1875 */
1876
1877 /* Set context and tell client to go ahead, except in the case of TLS startup
1878 on connection, where outputting anything now upsets the clients and tends to
1879 make them disconnect. We need to have an explicit fflush() here, to force out
1880 the response. Other smtp_printf() calls do not need it, because in non-TLS
1881 mode, the fflush() happens when smtp_getc() is called. */
1882
1883 SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
1884 if (!tls_in.on_connect)
1885 {
1886 smtp_printf("220 TLS go ahead\r\n");
1887 fflush(smtp_out);
1888 }
1889
1890 /* Now negotiate the TLS session. We put our own timer on it, since it seems
1891 that the OpenSSL library doesn't. */
1892
1893 SSL_set_wfd(server_ssl, fileno(smtp_out));
1894 SSL_set_rfd(server_ssl, fileno(smtp_in));
1895 SSL_set_accept_state(server_ssl);
1896
1897 DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
1898
1899 sigalrm_seen = FALSE;
1900 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
1901 rc = SSL_accept(server_ssl);
1902 alarm(0);
1903
1904 if (rc <= 0)
1905 {
1906 tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL);
1907 if (ERR_get_error() == 0)
1908 log_write(0, LOG_MAIN,
1909 "TLS client disconnected cleanly (rejected our certificate?)");
1910 return FAIL;
1911 }
1912
1913 DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
1914
1915 /* TLS has been set up. Adjust the input functions to read via TLS,
1916 and initialize things. */
1917
1918 peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
1919
1920 construct_cipher_name(server_ssl, cipherbuf, sizeof(cipherbuf), &tls_in.bits);
1921 tls_in.cipher = cipherbuf;
1922
1923 DEBUG(D_tls)
1924 {
1925 uschar buf[2048];
1926 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)) != NULL)
1927 debug_printf("Shared ciphers: %s\n", buf);
1928 }
1929
1930 /* Record the certificate we presented */
1931 {
1932 X509 * crt = SSL_get_certificate(server_ssl);
1933 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
1934 }
1935
1936 /* Only used by the server-side tls (tls_in), including tls_getc.
1937 Client-side (tls_out) reads (seem to?) go via
1938 smtp_read_response()/ip_recv().
1939 Hence no need to duplicate for _in and _out.
1940 */
1941 ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
1942 ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
1943 ssl_xfer_eof = ssl_xfer_error = 0;
1944
1945 receive_getc = tls_getc;
1946 receive_get_cache = tls_get_cache;
1947 receive_ungetc = tls_ungetc;
1948 receive_feof = tls_feof;
1949 receive_ferror = tls_ferror;
1950 receive_smtp_buffered = tls_smtp_buffered;
1951
1952 tls_in.active = fileno(smtp_out);
1953 return OK;
1954 }
1955
1956
1957
1958
1959 static int
1960 tls_client_basic_ctx_init(SSL_CTX * ctx,
1961 host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo
1962 )
1963 {
1964 int rc;
1965 /* stick to the old behaviour for compatibility if tls_verify_certificates is
1966 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
1967 the specified host patterns if one of them is defined */
1968
1969 if ( ( !ob->tls_verify_hosts
1970 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
1971 )
1972 || (verify_check_given_host(&ob->tls_verify_hosts, host) == OK)
1973 )
1974 client_verify_optional = FALSE;
1975 else if (verify_check_given_host(&ob->tls_try_verify_hosts, host) == OK)
1976 client_verify_optional = TRUE;
1977 else
1978 return OK;
1979
1980 if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
1981 ob->tls_crl, host, client_verify_optional, verify_callback_client)) != OK)
1982 return rc;
1983
1984 if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK)
1985 {
1986 cbinfo->verify_cert_hostnames =
1987 #ifdef SUPPORT_I18N
1988 string_domain_utf8_to_alabel(host->name, NULL);
1989 #else
1990 host->name;
1991 #endif
1992 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
1993 cbinfo->verify_cert_hostnames);
1994 }
1995 return OK;
1996 }
1997
1998
1999 #ifdef EXPERIMENTAL_DANE
2000 static int
2001 dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa)
2002 {
2003 dns_record * rr;
2004 dns_scan dnss;
2005 const char * hostnames[2] = { CS host->name, NULL };
2006 int found = 0;
2007
2008 if (DANESSL_init(ssl, NULL, hostnames) != 1)
2009 return tls_error(US"hostnames load", host, NULL);
2010
2011 for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
2012 rr;
2013 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
2014 ) if (rr->type == T_TLSA)
2015 {
2016 uschar * p = rr->data;
2017 uint8_t usage, selector, mtype;
2018 const char * mdname;
2019
2020 usage = *p++;
2021
2022 /* Only DANE-TA(2) and DANE-EE(3) are supported */
2023 if (usage != 2 && usage != 3) continue;
2024
2025 selector = *p++;
2026 mtype = *p++;
2027
2028 switch (mtype)
2029 {
2030 default: continue; /* Only match-types 0, 1, 2 are supported */
2031 case 0: mdname = NULL; break;
2032 case 1: mdname = "sha256"; break;
2033 case 2: mdname = "sha512"; break;
2034 }
2035
2036 found++;
2037 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
2038 {
2039 default:
2040 return tls_error(US"tlsa load", host, NULL);
2041 case 0: /* action not taken */
2042 case 1: break;
2043 }
2044
2045 tls_out.tlsa_usage |= 1<<usage;
2046 }
2047
2048 if (found)
2049 return OK;
2050
2051 log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
2052 return DEFER;
2053 }
2054 #endif /*EXPERIMENTAL_DANE*/
2055
2056
2057
2058 /*************************************************
2059 * Start a TLS session in a client *
2060 *************************************************/
2061
2062 /* Called from the smtp transport after STARTTLS has been accepted.
2063
2064 Argument:
2065 fd the fd of the connection
2066 host connected host (for messages)
2067 addr the first address
2068 tb transport (always smtp)
2069 tlsa_dnsa tlsa lookup, if DANE, else null
2070
2071 Returns: OK on success
2072 FAIL otherwise - note that tls_error() will not give DEFER
2073 because this is not a server
2074 */
2075
2076 int
2077 tls_client_start(int fd, host_item *host, address_item *addr,
2078 transport_instance *tb
2079 #ifdef EXPERIMENTAL_DANE
2080 , dns_answer * tlsa_dnsa
2081 #endif
2082 )
2083 {
2084 smtp_transport_options_block * ob =
2085 (smtp_transport_options_block *)tb->options_block;
2086 static uschar peerdn[256];
2087 uschar * expciphers;
2088 int rc;
2089 static uschar cipherbuf[256];
2090
2091 #ifndef DISABLE_OCSP
2092 BOOL request_ocsp = FALSE;
2093 BOOL require_ocsp = FALSE;
2094 #endif
2095
2096 #ifdef EXPERIMENTAL_DANE
2097 tls_out.tlsa_usage = 0;
2098 #endif
2099
2100 #ifndef DISABLE_OCSP
2101 {
2102 # ifdef EXPERIMENTAL_DANE
2103 if ( tlsa_dnsa
2104 && ob->hosts_request_ocsp[0] == '*'
2105 && ob->hosts_request_ocsp[1] == '\0'
2106 )
2107 {
2108 /* Unchanged from default. Use a safer one under DANE */
2109 request_ocsp = TRUE;
2110 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
2111 " {= {4}{$tls_out_tlsa_usage}} } "
2112 " {*}{}}";
2113 }
2114 # endif
2115
2116 if ((require_ocsp =
2117 verify_check_given_host(&ob->hosts_require_ocsp, host) == OK))
2118 request_ocsp = TRUE;
2119 else
2120 # ifdef EXPERIMENTAL_DANE
2121 if (!request_ocsp)
2122 # endif
2123 request_ocsp =
2124 verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
2125 }
2126 #endif
2127
2128 rc = tls_init(&client_ctx, host, NULL,
2129 ob->tls_certificate, ob->tls_privatekey,
2130 #ifndef DISABLE_OCSP
2131 (void *)(long)request_ocsp,
2132 #endif
2133 addr, &client_static_cbinfo);
2134 if (rc != OK) return rc;
2135
2136 tls_out.certificate_verified = FALSE;
2137 client_verify_callback_called = FALSE;
2138
2139 if (!expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
2140 &expciphers))
2141 return FAIL;
2142
2143 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
2144 are separated by underscores. So that I can use either form in my tests, and
2145 also for general convenience, we turn underscores into hyphens here. */
2146
2147 if (expciphers != NULL)
2148 {
2149 uschar *s = expciphers;
2150 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
2151 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
2152 if (!SSL_CTX_set_cipher_list(client_ctx, CS expciphers))
2153 return tls_error(US"SSL_CTX_set_cipher_list", host, NULL);
2154 }
2155
2156 #ifdef EXPERIMENTAL_DANE
2157 if (tlsa_dnsa)
2158 {
2159 SSL_CTX_set_verify(client_ctx,
2160 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2161 verify_callback_client_dane);
2162
2163 if (!DANESSL_library_init())
2164 return tls_error(US"library init", host, NULL);
2165 if (DANESSL_CTX_init(client_ctx) <= 0)
2166 return tls_error(US"context init", host, NULL);
2167 }
2168 else
2169
2170 #endif
2171
2172 if ((rc = tls_client_basic_ctx_init(client_ctx, host, ob, client_static_cbinfo))
2173 != OK)
2174 return rc;
2175
2176 if ((client_ssl = SSL_new(client_ctx)) == NULL)
2177 return tls_error(US"SSL_new", host, NULL);
2178 SSL_set_session_id_context(client_ssl, sid_ctx, Ustrlen(sid_ctx));
2179 SSL_set_fd(client_ssl, fd);
2180 SSL_set_connect_state(client_ssl);
2181
2182 if (ob->tls_sni)
2183 {
2184 if (!expand_check(ob->tls_sni, US"tls_sni", &tls_out.sni))
2185 return FAIL;
2186 if (tls_out.sni == NULL)
2187 {
2188 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
2189 }
2190 else if (!Ustrlen(tls_out.sni))
2191 tls_out.sni = NULL;
2192 else
2193 {
2194 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
2195 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tls_out.sni);
2196 SSL_set_tlsext_host_name(client_ssl, tls_out.sni);
2197 #else
2198 log_write(0, LOG_MAIN, "SNI unusable with this OpenSSL library version; ignoring \"%s\"\n",
2199 tls_out.sni);
2200 #endif
2201 }
2202 }
2203
2204 #ifdef EXPERIMENTAL_DANE
2205 if (tlsa_dnsa)
2206 if ((rc = dane_tlsa_load(client_ssl, host, tlsa_dnsa)) != OK)
2207 return rc;
2208 #endif
2209
2210 #ifndef DISABLE_OCSP
2211 /* Request certificate status at connection-time. If the server
2212 does OCSP stapling we will get the callback (set in tls_init()) */
2213 # ifdef EXPERIMENTAL_DANE
2214 if (request_ocsp)
2215 {
2216 const uschar * s;
2217 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
2218 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
2219 )
2220 { /* Re-eval now $tls_out_tlsa_usage is populated. If
2221 this means we avoid the OCSP request, we wasted the setup
2222 cost in tls_init(). */
2223 require_ocsp = verify_check_given_host(&ob->hosts_require_ocsp, host) == OK;
2224 request_ocsp = require_ocsp
2225 || verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
2226 }
2227 }
2228 # endif
2229
2230 if (request_ocsp)
2231 {
2232 SSL_set_tlsext_status_type(client_ssl, TLSEXT_STATUSTYPE_ocsp);
2233 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
2234 tls_out.ocsp = OCSP_NOT_RESP;
2235 }
2236 #endif
2237
2238 #ifndef DISABLE_EVENT
2239 client_static_cbinfo->event_action = tb->event_action;
2240 #endif
2241
2242 /* There doesn't seem to be a built-in timeout on connection. */
2243
2244 DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
2245 sigalrm_seen = FALSE;
2246 alarm(ob->command_timeout);
2247 rc = SSL_connect(client_ssl);
2248 alarm(0);
2249
2250 #ifdef EXPERIMENTAL_DANE
2251 if (tlsa_dnsa)
2252 DANESSL_cleanup(client_ssl);
2253 #endif
2254
2255 if (rc <= 0)
2256 return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL);
2257
2258 DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
2259
2260 peer_cert(client_ssl, &tls_out, peerdn, sizeof(peerdn));
2261
2262 construct_cipher_name(client_ssl, cipherbuf, sizeof(cipherbuf), &tls_out.bits);
2263 tls_out.cipher = cipherbuf;
2264
2265 /* Record the certificate we presented */
2266 {
2267 X509 * crt = SSL_get_certificate(client_ssl);
2268 tls_out.ourcert = crt ? X509_dup(crt) : NULL;
2269 }
2270
2271 tls_out.active = fd;
2272 return OK;
2273 }
2274
2275
2276
2277
2278
2279 /*************************************************
2280 * TLS version of getc *
2281 *************************************************/
2282
2283 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
2284 it refills the buffer via the SSL reading function.
2285
2286 Arguments: none
2287 Returns: the next character or EOF
2288
2289 Only used by the server-side TLS.
2290 */
2291
2292 int
2293 tls_getc(void)
2294 {
2295 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
2296 {
2297 int error;
2298 int inbytes;
2299
2300 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
2301 ssl_xfer_buffer, ssl_xfer_buffer_size);
2302
2303 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
2304 inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer, ssl_xfer_buffer_size);
2305 error = SSL_get_error(server_ssl, inbytes);
2306 alarm(0);
2307
2308 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
2309 closed down, not that the socket itself has been closed down. Revert to
2310 non-SSL handling. */
2311
2312 if (error == SSL_ERROR_ZERO_RETURN)
2313 {
2314 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2315
2316 receive_getc = smtp_getc;
2317 receive_get_cache = smtp_get_cache;
2318 receive_ungetc = smtp_ungetc;
2319 receive_feof = smtp_feof;
2320 receive_ferror = smtp_ferror;
2321 receive_smtp_buffered = smtp_buffered;
2322
2323 SSL_free(server_ssl);
2324 server_ssl = NULL;
2325 tls_in.active = -1;
2326 tls_in.bits = 0;
2327 tls_in.cipher = NULL;
2328 tls_in.peerdn = NULL;
2329 tls_in.sni = NULL;
2330
2331 return smtp_getc();
2332 }
2333
2334 /* Handle genuine errors */
2335
2336 else if (error == SSL_ERROR_SSL)
2337 {
2338 ERR_error_string(ERR_get_error(), ssl_errstring);
2339 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
2340 ssl_xfer_error = 1;
2341 return EOF;
2342 }
2343
2344 else if (error != SSL_ERROR_NONE)
2345 {
2346 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
2347 ssl_xfer_error = 1;
2348 return EOF;
2349 }
2350
2351 #ifndef DISABLE_DKIM
2352 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
2353 #endif
2354 ssl_xfer_buffer_hwm = inbytes;
2355 ssl_xfer_buffer_lwm = 0;
2356 }
2357
2358 /* Something in the buffer; return next uschar */
2359
2360 return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
2361 }
2362
2363 void
2364 tls_get_cache()
2365 {
2366 #ifndef DISABLE_DKIM
2367 int n = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm;
2368 if (n > 0)
2369 dkim_exim_verify_feed(ssl_xfer_buffer+ssl_xfer_buffer_lwm, n);
2370 #endif
2371 }
2372
2373
2374
2375 /*************************************************
2376 * Read bytes from TLS channel *
2377 *************************************************/
2378
2379 /*
2380 Arguments:
2381 buff buffer of data
2382 len size of buffer
2383
2384 Returns: the number of bytes read
2385 -1 after a failed read
2386
2387 Only used by the client-side TLS.
2388 */
2389
2390 int
2391 tls_read(BOOL is_server, uschar *buff, size_t len)
2392 {
2393 SSL *ssl = is_server ? server_ssl : client_ssl;
2394 int inbytes;
2395 int error;
2396
2397 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
2398 buff, (unsigned int)len);
2399
2400 inbytes = SSL_read(ssl, CS buff, len);
2401 error = SSL_get_error(ssl, inbytes);
2402
2403 if (error == SSL_ERROR_ZERO_RETURN)
2404 {
2405 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2406 return -1;
2407 }
2408 else if (error != SSL_ERROR_NONE)
2409 {
2410 return -1;
2411 }
2412
2413 return inbytes;
2414 }
2415
2416
2417
2418
2419
2420 /*************************************************
2421 * Write bytes down TLS channel *
2422 *************************************************/
2423
2424 /*
2425 Arguments:
2426 is_server channel specifier
2427 buff buffer of data
2428 len number of bytes
2429
2430 Returns: the number of bytes after a successful write,
2431 -1 after a failed write
2432
2433 Used by both server-side and client-side TLS.
2434 */
2435
2436 int
2437 tls_write(BOOL is_server, const uschar *buff, size_t len)
2438 {
2439 int outbytes;
2440 int error;
2441 int left = len;
2442 SSL *ssl = is_server ? server_ssl : client_ssl;
2443
2444 DEBUG(D_tls) debug_printf("tls_do_write(%p, %d)\n", buff, left);
2445 while (left > 0)
2446 {
2447 DEBUG(D_tls) debug_printf("SSL_write(SSL, %p, %d)\n", buff, left);
2448 outbytes = SSL_write(ssl, CS buff, left);
2449 error = SSL_get_error(ssl, outbytes);
2450 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
2451 switch (error)
2452 {
2453 case SSL_ERROR_SSL:
2454 ERR_error_string(ERR_get_error(), ssl_errstring);
2455 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
2456 return -1;
2457
2458 case SSL_ERROR_NONE:
2459 left -= outbytes;
2460 buff += outbytes;
2461 break;
2462
2463 case SSL_ERROR_ZERO_RETURN:
2464 log_write(0, LOG_MAIN, "SSL channel closed on write");
2465 return -1;
2466
2467 case SSL_ERROR_SYSCALL:
2468 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
2469 sender_fullhost ? sender_fullhost : US"<unknown>",
2470 strerror(errno));
2471 return -1;
2472
2473 default:
2474 log_write(0, LOG_MAIN, "SSL_write error %d", error);
2475 return -1;
2476 }
2477 }
2478 return len;
2479 }
2480
2481
2482
2483 /*************************************************
2484 * Close down a TLS session *
2485 *************************************************/
2486
2487 /* This is also called from within a delivery subprocess forked from the
2488 daemon, to shut down the TLS library, without actually doing a shutdown (which
2489 would tamper with the SSL session in the parent process).
2490
2491 Arguments: TRUE if SSL_shutdown is to be called
2492 Returns: nothing
2493
2494 Used by both server-side and client-side TLS.
2495 */
2496
2497 void
2498 tls_close(BOOL is_server, BOOL shutdown)
2499 {
2500 SSL **sslp = is_server ? &server_ssl : &client_ssl;
2501 int *fdp = is_server ? &tls_in.active : &tls_out.active;
2502
2503 if (*fdp < 0) return; /* TLS was not active */
2504
2505 if (shutdown)
2506 {
2507 DEBUG(D_tls) debug_printf("tls_close(): shutting down SSL\n");
2508 SSL_shutdown(*sslp);
2509 }
2510
2511 SSL_free(*sslp);
2512 *sslp = NULL;
2513
2514 *fdp = -1;
2515 }
2516
2517
2518
2519
2520 /*************************************************
2521 * Let tls_require_ciphers be checked at startup *
2522 *************************************************/
2523
2524 /* The tls_require_ciphers option, if set, must be something which the
2525 library can parse.
2526
2527 Returns: NULL on success, or error message
2528 */
2529
2530 uschar *
2531 tls_validate_require_cipher(void)
2532 {
2533 SSL_CTX *ctx;
2534 uschar *s, *expciphers, *err;
2535
2536 /* this duplicates from tls_init(), we need a better "init just global
2537 state, for no specific purpose" singleton function of our own */
2538
2539 SSL_load_error_strings();
2540 OpenSSL_add_ssl_algorithms();
2541 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
2542 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
2543 list of available digests. */
2544 EVP_add_digest(EVP_sha256());
2545 #endif
2546
2547 if (!(tls_require_ciphers && *tls_require_ciphers))
2548 return NULL;
2549
2550 if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers))
2551 return US"failed to expand tls_require_ciphers";
2552
2553 if (!(expciphers && *expciphers))
2554 return NULL;
2555
2556 /* normalisation ripped from above */
2557 s = expciphers;
2558 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
2559
2560 err = NULL;
2561
2562 ctx = SSL_CTX_new(SSLv23_server_method());
2563 if (!ctx)
2564 {
2565 ERR_error_string(ERR_get_error(), ssl_errstring);
2566 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
2567 }
2568
2569 DEBUG(D_tls)
2570 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
2571
2572 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
2573 {
2574 ERR_error_string(ERR_get_error(), ssl_errstring);
2575 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed", expciphers);
2576 }
2577
2578 SSL_CTX_free(ctx);
2579
2580 return err;
2581 }
2582
2583
2584
2585
2586 /*************************************************
2587 * Report the library versions. *
2588 *************************************************/
2589
2590 /* There have historically been some issues with binary compatibility in
2591 OpenSSL libraries; if Exim (like many other applications) is built against
2592 one version of OpenSSL but the run-time linker picks up another version,
2593 it can result in serious failures, including crashing with a SIGSEGV. So
2594 report the version found by the compiler and the run-time version.
2595
2596 Note: some OS vendors backport security fixes without changing the version
2597 number/string, and the version date remains unchanged. The _build_ date
2598 will change, so we can more usefully assist with version diagnosis by also
2599 reporting the build date.
2600
2601 Arguments: a FILE* to print the results to
2602 Returns: nothing
2603 */
2604
2605 void
2606 tls_version_report(FILE *f)
2607 {
2608 fprintf(f, "Library version: OpenSSL: Compile: %s\n"
2609 " Runtime: %s\n"
2610 " : %s\n",
2611 OPENSSL_VERSION_TEXT,
2612 SSLeay_version(SSLEAY_VERSION),
2613 SSLeay_version(SSLEAY_BUILT_ON));
2614 /* third line is 38 characters for the %s and the line is 73 chars long;
2615 the OpenSSL output includes a "built on: " prefix already. */
2616 }
2617
2618
2619
2620
2621 /*************************************************
2622 * Random number generation *
2623 *************************************************/
2624
2625 /* Pseudo-random number generation. The result is not expected to be
2626 cryptographically strong but not so weak that someone will shoot themselves
2627 in the foot using it as a nonce in input in some email header scheme or
2628 whatever weirdness they'll twist this into. The result should handle fork()
2629 and avoid repeating sequences. OpenSSL handles that for us.
2630
2631 Arguments:
2632 max range maximum
2633 Returns a random number in range [0, max-1]
2634 */
2635
2636 int
2637 vaguely_random_number(int max)
2638 {
2639 unsigned int r;
2640 int i, needed_len;
2641 static pid_t pidlast = 0;
2642 pid_t pidnow;
2643 uschar *p;
2644 uschar smallbuf[sizeof(r)];
2645
2646 if (max <= 1)
2647 return 0;
2648
2649 pidnow = getpid();
2650 if (pidnow != pidlast)
2651 {
2652 /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
2653 is unique for each thread", this doesn't apparently apply across processes,
2654 so our own warning from vaguely_random_number_fallback() applies here too.
2655 Fix per PostgreSQL. */
2656 if (pidlast != 0)
2657 RAND_cleanup();
2658 pidlast = pidnow;
2659 }
2660
2661 /* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
2662 if (!RAND_status())
2663 {
2664 randstuff r;
2665 gettimeofday(&r.tv, NULL);
2666 r.p = getpid();
2667
2668 RAND_seed((uschar *)(&r), sizeof(r));
2669 }
2670 /* We're after pseudo-random, not random; if we still don't have enough data
2671 in the internal PRNG then our options are limited. We could sleep and hope
2672 for entropy to come along (prayer technique) but if the system is so depleted
2673 in the first place then something is likely to just keep taking it. Instead,
2674 we'll just take whatever little bit of pseudo-random we can still manage to
2675 get. */
2676
2677 needed_len = sizeof(r);
2678 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
2679 asked for a number less than 10. */
2680 for (r = max, i = 0; r; ++i)
2681 r >>= 1;
2682 i = (i + 7) / 8;
2683 if (i < needed_len)
2684 needed_len = i;
2685
2686 #ifdef EXIM_HAVE_RAND_PSEUDO
2687 /* We do not care if crypto-strong */
2688 i = RAND_pseudo_bytes(smallbuf, needed_len);
2689 #else
2690 i = RAND_bytes(smallbuf, needed_len);
2691 #endif
2692
2693 if (i < 0)
2694 {
2695 DEBUG(D_all)
2696 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
2697 return vaguely_random_number_fallback(max);
2698 }
2699
2700 r = 0;
2701 for (p = smallbuf; needed_len; --needed_len, ++p)
2702 {
2703 r *= 256;
2704 r += *p;
2705 }
2706
2707 /* We don't particularly care about weighted results; if someone wants
2708 smooth distribution and cares enough then they should submit a patch then. */
2709 return r % max;
2710 }
2711
2712
2713
2714
2715 /*************************************************
2716 * OpenSSL option parse *
2717 *************************************************/
2718
2719 /* Parse one option for tls_openssl_options_parse below
2720
2721 Arguments:
2722 name one option name
2723 value place to store a value for it
2724 Returns success or failure in parsing
2725 */
2726
2727 struct exim_openssl_option {
2728 uschar *name;
2729 long value;
2730 };
2731 /* We could use a macro to expand, but we need the ifdef and not all the
2732 options document which version they were introduced in. Policylet: include
2733 all options unless explicitly for DTLS, let the administrator choose which
2734 to apply.
2735
2736 This list is current as of:
2737 ==> 1.0.1b <==
2738 Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
2739 */
2740 static struct exim_openssl_option exim_openssl_options[] = {
2741 /* KEEP SORTED ALPHABETICALLY! */
2742 #ifdef SSL_OP_ALL
2743 { US"all", SSL_OP_ALL },
2744 #endif
2745 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
2746 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
2747 #endif
2748 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
2749 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
2750 #endif
2751 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
2752 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
2753 #endif
2754 #ifdef SSL_OP_EPHEMERAL_RSA
2755 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
2756 #endif
2757 #ifdef SSL_OP_LEGACY_SERVER_CONNECT
2758 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
2759 #endif
2760 #ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
2761 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
2762 #endif
2763 #ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
2764 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
2765 #endif
2766 #ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
2767 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
2768 #endif
2769 #ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
2770 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
2771 #endif
2772 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
2773 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
2774 #endif
2775 #ifdef SSL_OP_NO_COMPRESSION
2776 { US"no_compression", SSL_OP_NO_COMPRESSION },
2777 #endif
2778 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
2779 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
2780 #endif
2781 #ifdef SSL_OP_NO_SSLv2
2782 { US"no_sslv2", SSL_OP_NO_SSLv2 },
2783 #endif
2784 #ifdef SSL_OP_NO_SSLv3
2785 { US"no_sslv3", SSL_OP_NO_SSLv3 },
2786 #endif
2787 #ifdef SSL_OP_NO_TICKET
2788 { US"no_ticket", SSL_OP_NO_TICKET },
2789 #endif
2790 #ifdef SSL_OP_NO_TLSv1
2791 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
2792 #endif
2793 #ifdef SSL_OP_NO_TLSv1_1
2794 #if SSL_OP_NO_TLSv1_1 == 0x00000400L
2795 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
2796 #warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
2797 #else
2798 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
2799 #endif
2800 #endif
2801 #ifdef SSL_OP_NO_TLSv1_2
2802 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
2803 #endif
2804 #ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
2805 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
2806 #endif
2807 #ifdef SSL_OP_SINGLE_DH_USE
2808 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
2809 #endif
2810 #ifdef SSL_OP_SINGLE_ECDH_USE
2811 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
2812 #endif
2813 #ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
2814 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
2815 #endif
2816 #ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
2817 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
2818 #endif
2819 #ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
2820 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
2821 #endif
2822 #ifdef SSL_OP_TLS_D5_BUG
2823 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
2824 #endif
2825 #ifdef SSL_OP_TLS_ROLLBACK_BUG
2826 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
2827 #endif
2828 };
2829 static int exim_openssl_options_size =
2830 sizeof(exim_openssl_options)/sizeof(struct exim_openssl_option);
2831
2832
2833 static BOOL
2834 tls_openssl_one_option_parse(uschar *name, long *value)
2835 {
2836 int first = 0;
2837 int last = exim_openssl_options_size;
2838 while (last > first)
2839 {
2840 int middle = (first + last)/2;
2841 int c = Ustrcmp(name, exim_openssl_options[middle].name);
2842 if (c == 0)
2843 {
2844 *value = exim_openssl_options[middle].value;
2845 return TRUE;
2846 }
2847 else if (c > 0)
2848 first = middle + 1;
2849 else
2850 last = middle;
2851 }
2852 return FALSE;
2853 }
2854
2855
2856
2857
2858 /*************************************************
2859 * OpenSSL option parsing logic *
2860 *************************************************/
2861
2862 /* OpenSSL has a number of compatibility options which an administrator might
2863 reasonably wish to set. Interpret a list similarly to decode_bits(), so that
2864 we look like log_selector.
2865
2866 Arguments:
2867 option_spec the administrator-supplied string of options
2868 results ptr to long storage for the options bitmap
2869 Returns success or failure
2870 */
2871
2872 BOOL
2873 tls_openssl_options_parse(uschar *option_spec, long *results)
2874 {
2875 long result, item;
2876 uschar *s, *end;
2877 uschar keep_c;
2878 BOOL adding, item_parsed;
2879
2880 result = 0L;
2881 /* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
2882 * from default because it increases BEAST susceptibility. */
2883 #ifdef SSL_OP_NO_SSLv2
2884 result |= SSL_OP_NO_SSLv2;
2885 #endif
2886 #ifdef SSL_OP_SINGLE_DH_USE
2887 result |= SSL_OP_SINGLE_DH_USE;
2888 #endif
2889
2890 if (option_spec == NULL)
2891 {
2892 *results = result;
2893 return TRUE;
2894 }
2895
2896 for (s=option_spec; *s != '\0'; /**/)
2897 {
2898 while (isspace(*s)) ++s;
2899 if (*s == '\0')
2900 break;
2901 if (*s != '+' && *s != '-')
2902 {
2903 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
2904 "+ or - expected but found \"%s\"\n", s);
2905 return FALSE;
2906 }
2907 adding = *s++ == '+';
2908 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
2909 keep_c = *end;
2910 *end = '\0';
2911 item_parsed = tls_openssl_one_option_parse(s, &item);
2912 *end = keep_c;
2913 if (!item_parsed)
2914 {
2915 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
2916 return FALSE;
2917 }
2918 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
2919 adding ? "adding" : "removing", result, item, s);
2920 if (adding)
2921 result |= item;
2922 else
2923 result &= ~item;
2924 s = end;
2925 }
2926
2927 *results = result;
2928 return TRUE;
2929 }
2930
2931 /* vi: aw ai sw=2
2932 */
2933 /* End of tls-openssl.c */