a236bc0c68c0028497f80157c75750c2d150b3b5
[exim.git] / src / src / tls-openssl.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2019 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8 /* Portions Copyright (c) The OpenSSL Project 1999 */
9
10 /* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11 library. It is #included into the tls.c file when that library is used. The
12 code herein is based on a patch that was originally contributed by Steve
13 Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
14
15 No cryptographic code is included in Exim. All this module does is to call
16 functions from the OpenSSL library. */
17
18
19 /* Heading stuff */
20
21 #include <openssl/lhash.h>
22 #include <openssl/ssl.h>
23 #include <openssl/err.h>
24 #include <openssl/rand.h>
25 #ifndef OPENSSL_NO_ECDH
26 # include <openssl/ec.h>
27 #endif
28 #ifndef DISABLE_OCSP
29 # include <openssl/ocsp.h>
30 #endif
31 #ifdef SUPPORT_DANE
32 # include "danessl.h"
33 #endif
34
35
36 #ifndef DISABLE_OCSP
37 # define EXIM_OCSP_SKEW_SECONDS (300L)
38 # define EXIM_OCSP_MAX_AGE (-1L)
39 #endif
40
41 #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
42 # define EXIM_HAVE_OPENSSL_TLSEXT
43 #endif
44 #if OPENSSL_VERSION_NUMBER >= 0x00908000L
45 # define EXIM_HAVE_RSA_GENKEY_EX
46 #endif
47 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
48 # define EXIM_HAVE_OCSP_RESP_COUNT
49 # define OPENSSL_AUTO_SHA256
50 #else
51 # define EXIM_HAVE_EPHEM_RSA_KEX
52 # define EXIM_HAVE_RAND_PSEUDO
53 #endif
54 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
55 # define EXIM_HAVE_SHA256
56 #endif
57
58 /* X509_check_host provides sane certificate hostname checking, but was added
59 to OpenSSL late, after other projects forked off the code-base. So in
60 addition to guarding against the base version number, beware that LibreSSL
61 does not (at this time) support this function.
62
63 If LibreSSL gains a different API, perhaps via libtls, then we'll probably
64 opt to disentangle and ask a LibreSSL user to provide glue for a third
65 crypto provider for libtls instead of continuing to tie the OpenSSL glue
66 into even twistier knots. If LibreSSL gains the same API, we can just
67 change this guard and punt the issue for a while longer. */
68
69 #ifndef LIBRESSL_VERSION_NUMBER
70 # if OPENSSL_VERSION_NUMBER >= 0x010100000L
71 # define EXIM_HAVE_OPENSSL_CHECKHOST
72 # define EXIM_HAVE_OPENSSL_DH_BITS
73 # define EXIM_HAVE_OPENSSL_TLS_METHOD
74 # define EXIM_HAVE_OPENSSL_KEYLOG
75 # define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
76 # define EXIM_HAVE_SESSION_TICKET
77 # define EXIM_HAVE_OPESSL_TRACE
78 # define EXIM_HAVE_OPESSL_GET0_SERIAL
79 # ifndef DISABLE_OCSP
80 # define EXIM_HAVE_OCSP
81 # endif
82 # else
83 # define EXIM_NEED_OPENSSL_INIT
84 # endif
85 # if OPENSSL_VERSION_NUMBER >= 0x010000000L \
86 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
87 # define EXIM_HAVE_OPENSSL_CHECKHOST
88 # endif
89 #endif
90
91 #if !defined(LIBRESSL_VERSION_NUMBER) \
92 || LIBRESSL_VERSION_NUMBER >= 0x20010000L
93 # if !defined(OPENSSL_NO_ECDH)
94 # if OPENSSL_VERSION_NUMBER >= 0x0090800fL
95 # define EXIM_HAVE_ECDH
96 # endif
97 # if OPENSSL_VERSION_NUMBER >= 0x10002000L
98 # define EXIM_HAVE_OPENSSL_EC_NIST2NID
99 # endif
100 # endif
101 #endif
102
103 #ifndef LIBRESSL_VERSION_NUMBER
104 # if OPENSSL_VERSION_NUMBER >= 0x010101000L
105 # define OPENSSL_HAVE_KEYLOG_CB
106 # define OPENSSL_HAVE_NUM_TICKETS
107 # define EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
108 # else
109 # define OPENSSL_BAD_SRVR_OURCERT
110 # endif
111 #endif
112
113 #if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
114 # warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
115 # define DISABLE_OCSP
116 #endif
117
118 #ifdef EXPERIMENTAL_TLS_RESUME
119 # if OPENSSL_VERSION_NUMBER < 0x0101010L
120 # error OpenSSL version too old for session-resumption
121 # endif
122 #endif
123
124 #ifdef EXIM_HAVE_OPENSSL_CHECKHOST
125 # include <openssl/x509v3.h>
126 #endif
127
128 #ifndef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
129 # ifndef EXIM_HAVE_OPENSSL_CIPHER_GET_ID
130 # define SSL_CIPHER_get_id(c) (c->id)
131 # endif
132 # ifndef MACRO_PREDEF
133 # include "tls-cipher-stdname.c"
134 # endif
135 #endif
136
137 /*************************************************
138 * OpenSSL option parse *
139 *************************************************/
140
141 typedef struct exim_openssl_option {
142 uschar *name;
143 long value;
144 } exim_openssl_option;
145 /* We could use a macro to expand, but we need the ifdef and not all the
146 options document which version they were introduced in. Policylet: include
147 all options unless explicitly for DTLS, let the administrator choose which
148 to apply.
149
150 This list is current as of:
151 ==> 1.0.1b <==
152 Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
153 Plus SSL_OP_NO_TLSv1_3 for 1.1.2-dev
154 Plus SSL_OP_NO_RENEGOTIATION for 1.1.1
155
156 XXX could we autobuild this list, as with predefined-macros?
157 Seems just parsing ssl.h for SSL_OP_.* would be enough.
158 Also allow a numeric literal?
159 */
160 static exim_openssl_option exim_openssl_options[] = {
161 /* KEEP SORTED ALPHABETICALLY! */
162 #ifdef SSL_OP_ALL
163 { US"all", (long) SSL_OP_ALL },
164 #endif
165 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
166 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
167 #endif
168 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
169 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
170 #endif
171 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
172 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
173 #endif
174 #ifdef SSL_OP_EPHEMERAL_RSA
175 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
176 #endif
177 #ifdef SSL_OP_LEGACY_SERVER_CONNECT
178 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
179 #endif
180 #ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
181 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
182 #endif
183 #ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
184 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
185 #endif
186 #ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
187 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
188 #endif
189 #ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
190 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
191 #endif
192 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
193 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
194 #endif
195 #ifdef SSL_OP_NO_COMPRESSION
196 { US"no_compression", SSL_OP_NO_COMPRESSION },
197 #endif
198 #ifdef SSL_OP_NO_RENEGOTIATION
199 { US"no_renegotiation", SSL_OP_NO_RENEGOTIATION },
200 #endif
201 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
202 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
203 #endif
204 #ifdef SSL_OP_NO_SSLv2
205 { US"no_sslv2", SSL_OP_NO_SSLv2 },
206 #endif
207 #ifdef SSL_OP_NO_SSLv3
208 { US"no_sslv3", SSL_OP_NO_SSLv3 },
209 #endif
210 #ifdef SSL_OP_NO_TICKET
211 { US"no_ticket", SSL_OP_NO_TICKET },
212 #endif
213 #ifdef SSL_OP_NO_TLSv1
214 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
215 #endif
216 #ifdef SSL_OP_NO_TLSv1_1
217 #if SSL_OP_NO_TLSv1_1 == 0x00000400L
218 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
219 #warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
220 #else
221 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
222 #endif
223 #endif
224 #ifdef SSL_OP_NO_TLSv1_2
225 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
226 #endif
227 #ifdef SSL_OP_NO_TLSv1_3
228 { US"no_tlsv1_3", SSL_OP_NO_TLSv1_3 },
229 #endif
230 #ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
231 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
232 #endif
233 #ifdef SSL_OP_SINGLE_DH_USE
234 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
235 #endif
236 #ifdef SSL_OP_SINGLE_ECDH_USE
237 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
238 #endif
239 #ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
240 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
241 #endif
242 #ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
243 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
244 #endif
245 #ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
246 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
247 #endif
248 #ifdef SSL_OP_TLS_D5_BUG
249 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
250 #endif
251 #ifdef SSL_OP_TLS_ROLLBACK_BUG
252 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
253 #endif
254 };
255
256 #ifndef MACRO_PREDEF
257 static int exim_openssl_options_size = nelem(exim_openssl_options);
258 #endif
259
260 #ifdef MACRO_PREDEF
261 void
262 options_tls(void)
263 {
264 uschar buf[64];
265
266 for (struct exim_openssl_option * o = exim_openssl_options;
267 o < exim_openssl_options + nelem(exim_openssl_options); o++)
268 {
269 /* Trailing X is workaround for problem with _OPT_OPENSSL_NO_TLSV1
270 being a ".ifdef _OPT_OPENSSL_NO_TLSV1_3" match */
271
272 spf(buf, sizeof(buf), US"_OPT_OPENSSL_%T_X", o->name);
273 builtin_macro_create(buf);
274 }
275
276 # ifdef EXPERIMENTAL_TLS_RESUME
277 builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
278 # endif
279 # ifdef SSL_OP_NO_TLSv1_3
280 builtin_macro_create(US"_HAVE_TLS1_3");
281 # endif
282 # ifdef OPENSSL_BAD_SRVR_OURCERT
283 builtin_macro_create(US"_TLS_BAD_MULTICERT_IN_OURCERT");
284 # endif
285 # ifdef EXIM_HAVE_OCSP
286 builtin_macro_create(US"_HAVE_TLS_OCSP");
287 builtin_macro_create(US"_HAVE_TLS_OCSP_LIST");
288 # endif
289 }
290 #else
291
292 /******************************************************************************/
293
294 /* Structure for collecting random data for seeding. */
295
296 typedef struct randstuff {
297 struct timeval tv;
298 pid_t p;
299 } randstuff;
300
301 /* Local static variables */
302
303 static BOOL client_verify_callback_called = FALSE;
304 static BOOL server_verify_callback_called = FALSE;
305 static const uschar *sid_ctx = US"exim";
306
307 /* We have three different contexts to care about.
308
309 Simple case: client, `client_ctx`
310 As a client, we can be doing a callout or cut-through delivery while receiving
311 a message. So we have a client context, which should have options initialised
312 from the SMTP Transport. We may also concurrently want to make TLS connections
313 to utility daemons, so client-contexts are allocated and passed around in call
314 args rather than using a gobal.
315
316 Server:
317 There are two cases: with and without ServerNameIndication from the client.
318 Given TLS SNI, we can be using different keys, certs and various other
319 configuration settings, because they're re-expanded with $tls_sni set. This
320 allows vhosting with TLS. This SNI is sent in the handshake.
321 A client might not send SNI, so we need a fallback, and an initial setup too.
322 So as a server, we start out using `server_ctx`.
323 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
324 `server_sni` from `server_ctx` and then initialise settings by re-expanding
325 configuration.
326 */
327
328 typedef struct {
329 SSL_CTX * ctx;
330 SSL * ssl;
331 gstring * corked;
332 } exim_openssl_client_tls_ctx;
333
334 static SSL_CTX *server_ctx = NULL;
335 static SSL *server_ssl = NULL;
336
337 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
338 static SSL_CTX *server_sni = NULL;
339 #endif
340
341 static char ssl_errstring[256];
342
343 static int ssl_session_timeout = 7200; /* Two hours */
344 static BOOL client_verify_optional = FALSE;
345 static BOOL server_verify_optional = FALSE;
346
347 static BOOL reexpand_tls_files_for_sni = FALSE;
348
349
350 typedef struct ocsp_resp {
351 struct ocsp_resp * next;
352 OCSP_RESPONSE * resp;
353 } ocsp_resplist;
354
355 typedef struct tls_ext_ctx_cb {
356 tls_support * tlsp;
357 uschar *certificate;
358 uschar *privatekey;
359 BOOL is_server;
360 #ifndef DISABLE_OCSP
361 STACK_OF(X509) *verify_stack; /* chain for verifying the proof */
362 union {
363 struct {
364 uschar *file;
365 const uschar *file_expanded;
366 ocsp_resplist *olist;
367 } server;
368 struct {
369 X509_STORE *verify_store; /* non-null if status requested */
370 BOOL verify_required;
371 } client;
372 } u_ocsp;
373 #endif
374 uschar *dhparam;
375 /* these are cached from first expand */
376 uschar *server_cipher_list;
377 /* only passed down to tls_error: */
378 host_item *host;
379 const uschar * verify_cert_hostnames;
380 #ifndef DISABLE_EVENT
381 uschar * event_action;
382 #endif
383 } tls_ext_ctx_cb;
384
385 /* should figure out a cleanup of API to handle state preserved per
386 implementation, for various reasons, which can be void * in the APIs.
387 For now, we hack around it. */
388 tls_ext_ctx_cb *client_static_cbinfo = NULL; /*XXX should not use static; multiple concurrent clients! */
389 tls_ext_ctx_cb *server_static_cbinfo = NULL;
390
391 static int
392 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
393 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr );
394
395 /* Callbacks */
396 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
397 static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
398 #endif
399 #ifndef DISABLE_OCSP
400 static int tls_server_stapling_cb(SSL *s, void *arg);
401 #endif
402
403
404
405 /* Daemon-called, before every connection, key create/rotate */
406 #ifdef EXPERIMENTAL_TLS_RESUME
407 static void tk_init(void);
408 static int tls_exdata_idx = -1;
409 #endif
410
411 void
412 tls_daemon_init(void)
413 {
414 #ifdef EXPERIMENTAL_TLS_RESUME
415 tk_init();
416 #endif
417 return;
418 }
419
420
421 /*************************************************
422 * Handle TLS error *
423 *************************************************/
424
425 /* Called from lots of places when errors occur before actually starting to do
426 the TLS handshake, that is, while the session is still in clear. Always returns
427 DEFER for a server and FAIL for a client so that most calls can use "return
428 tls_error(...)" to do this processing and then give an appropriate return. A
429 single function is used for both server and client, because it is called from
430 some shared functions.
431
432 Argument:
433 prefix text to include in the logged error
434 host NULL if setting up a server;
435 the connected host if setting up a client
436 msg error message or NULL if we should ask OpenSSL
437 errstr pointer to output error message
438
439 Returns: OK/DEFER/FAIL
440 */
441
442 static int
443 tls_error(uschar * prefix, const host_item * host, uschar * msg, uschar ** errstr)
444 {
445 if (!msg)
446 {
447 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
448 msg = US ssl_errstring;
449 }
450
451 msg = string_sprintf("(%s): %s", prefix, msg);
452 DEBUG(D_tls) debug_printf("TLS error '%s'\n", msg);
453 if (errstr) *errstr = msg;
454 return host ? FAIL : DEFER;
455 }
456
457
458
459 /*************************************************
460 * Callback to generate RSA key *
461 *************************************************/
462
463 /*
464 Arguments:
465 s SSL connection (not used)
466 export not used
467 keylength keylength
468
469 Returns: pointer to generated key
470 */
471
472 static RSA *
473 rsa_callback(SSL *s, int export, int keylength)
474 {
475 RSA *rsa_key;
476 #ifdef EXIM_HAVE_RSA_GENKEY_EX
477 BIGNUM *bn = BN_new();
478 #endif
479
480 export = export; /* Shut picky compilers up */
481 DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
482
483 #ifdef EXIM_HAVE_RSA_GENKEY_EX
484 if ( !BN_set_word(bn, (unsigned long)RSA_F4)
485 || !(rsa_key = RSA_new())
486 || !RSA_generate_key_ex(rsa_key, keylength, bn, NULL)
487 )
488 #else
489 if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL)))
490 #endif
491
492 {
493 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
494 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
495 ssl_errstring);
496 return NULL;
497 }
498 return rsa_key;
499 }
500
501
502
503 /* Extreme debug
504 #ifndef DISABLE_OCSP
505 void
506 x509_store_dump_cert_s_names(X509_STORE * store)
507 {
508 STACK_OF(X509_OBJECT) * roots= store->objs;
509 static uschar name[256];
510
511 for (int i= 0; i < sk_X509_OBJECT_num(roots); i++)
512 {
513 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
514 if(tmp_obj->type == X509_LU_X509)
515 {
516 X509_NAME * sn = X509_get_subject_name(tmp_obj->data.x509);
517 if (X509_NAME_oneline(sn, CS name, sizeof(name)))
518 {
519 name[sizeof(name)-1] = '\0';
520 debug_printf(" %s\n", name);
521 }
522 }
523 }
524 }
525 #endif
526 */
527
528
529 #ifndef DISABLE_EVENT
530 static int
531 verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
532 BOOL *calledp, const BOOL *optionalp, const uschar * what)
533 {
534 uschar * ev;
535 uschar * yield;
536 X509 * old_cert;
537
538 ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
539 if (ev)
540 {
541 DEBUG(D_tls) debug_printf("verify_event: %s %d\n", what, depth);
542 old_cert = tlsp->peercert;
543 tlsp->peercert = X509_dup(cert);
544 /* NB we do not bother setting peerdn */
545 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
546 {
547 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
548 "depth=%d cert=%s: %s",
549 tlsp == &tls_out ? deliver_host_address : sender_host_address,
550 what, depth, dn, yield);
551 *calledp = TRUE;
552 if (!*optionalp)
553 {
554 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
555 return 1; /* reject (leaving peercert set) */
556 }
557 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
558 "(host in tls_try_verify_hosts)\n");
559 tlsp->verify_override = TRUE;
560 }
561 X509_free(tlsp->peercert);
562 tlsp->peercert = old_cert;
563 }
564 return 0;
565 }
566 #endif
567
568 /*************************************************
569 * Callback for verification *
570 *************************************************/
571
572 /* The SSL library does certificate verification if set up to do so. This
573 callback has the current yes/no state is in "state". If verification succeeded,
574 we set the certificate-verified flag. If verification failed, what happens
575 depends on whether the client is required to present a verifiable certificate
576 or not.
577
578 If verification is optional, we change the state to yes, but still log the
579 verification error. For some reason (it really would help to have proper
580 documentation of OpenSSL), this callback function then gets called again, this
581 time with state = 1. We must take care not to set the private verified flag on
582 the second time through.
583
584 Note: this function is not called if the client fails to present a certificate
585 when asked. We get here only if a certificate has been received. Handling of
586 optional verification for this case is done when requesting SSL to verify, by
587 setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
588
589 May be called multiple times for different issues with a certificate, even
590 for a given "depth" in the certificate chain.
591
592 Arguments:
593 preverify_ok current yes/no state as 1/0
594 x509ctx certificate information.
595 tlsp per-direction (client vs. server) support data
596 calledp has-been-called flag
597 optionalp verification-is-optional flag
598
599 Returns: 0 if verification should fail, otherwise 1
600 */
601
602 static int
603 verify_callback(int preverify_ok, X509_STORE_CTX * x509ctx,
604 tls_support * tlsp, BOOL * calledp, BOOL * optionalp)
605 {
606 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
607 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
608 uschar dn[256];
609
610 if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
611 {
612 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
613 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
614 tlsp == &tls_out ? deliver_host_address : sender_host_address);
615 return 0;
616 }
617 dn[sizeof(dn)-1] = '\0';
618
619 tlsp->verify_override = FALSE;
620 if (preverify_ok == 0)
621 {
622 uschar * extra = verify_mode ? string_sprintf(" (during %c-verify for [%s])",
623 *verify_mode, sender_host_address)
624 : US"";
625 log_write(0, LOG_MAIN, "[%s] SSL verify error%s: depth=%d error=%s cert=%s",
626 tlsp == &tls_out ? deliver_host_address : sender_host_address,
627 extra, depth,
628 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)), dn);
629 *calledp = TRUE;
630 if (!*optionalp)
631 {
632 if (!tlsp->peercert)
633 tlsp->peercert = X509_dup(cert); /* record failing cert */
634 return 0; /* reject */
635 }
636 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
637 "tls_try_verify_hosts)\n");
638 tlsp->verify_override = TRUE;
639 }
640
641 else if (depth != 0)
642 {
643 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
644 #ifndef DISABLE_OCSP
645 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
646 { /* client, wanting stapling */
647 /* Add the server cert's signing chain as the one
648 for the verification of the OCSP stapled information. */
649
650 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
651 cert))
652 ERR_clear_error();
653 sk_X509_push(client_static_cbinfo->verify_stack, cert);
654 }
655 #endif
656 #ifndef DISABLE_EVENT
657 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
658 return 0; /* reject, with peercert set */
659 #endif
660 }
661 else
662 {
663 const uschar * verify_cert_hostnames;
664
665 if ( tlsp == &tls_out
666 && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
667 /* client, wanting hostname check */
668 {
669
670 #ifdef EXIM_HAVE_OPENSSL_CHECKHOST
671 # ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
672 # define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
673 # endif
674 # ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
675 # define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
676 # endif
677 int sep = 0;
678 const uschar * list = verify_cert_hostnames;
679 uschar * name;
680 int rc;
681 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
682 if ((rc = X509_check_host(cert, CCS name, 0,
683 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
684 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
685 NULL)))
686 {
687 if (rc < 0)
688 {
689 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
690 tlsp == &tls_out ? deliver_host_address : sender_host_address);
691 name = NULL;
692 }
693 break;
694 }
695 if (!name)
696 #else
697 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
698 #endif
699 {
700 uschar * extra = verify_mode
701 ? string_sprintf(" (during %c-verify for [%s])",
702 *verify_mode, sender_host_address)
703 : US"";
704 log_write(0, LOG_MAIN,
705 "[%s] SSL verify error%s: certificate name mismatch: DN=\"%s\" H=\"%s\"",
706 tlsp == &tls_out ? deliver_host_address : sender_host_address,
707 extra, dn, verify_cert_hostnames);
708 *calledp = TRUE;
709 if (!*optionalp)
710 {
711 if (!tlsp->peercert)
712 tlsp->peercert = X509_dup(cert); /* record failing cert */
713 return 0; /* reject */
714 }
715 DEBUG(D_tls) debug_printf("SSL verify name failure overridden (host in "
716 "tls_try_verify_hosts)\n");
717 tlsp->verify_override = TRUE;
718 }
719 }
720
721 #ifndef DISABLE_EVENT
722 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
723 return 0; /* reject, with peercert set */
724 #endif
725
726 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
727 *calledp ? "" : " authenticated", dn);
728 *calledp = TRUE;
729 }
730
731 return 1; /* accept, at least for this level */
732 }
733
734 static int
735 verify_callback_client(int preverify_ok, X509_STORE_CTX *x509ctx)
736 {
737 return verify_callback(preverify_ok, x509ctx, &tls_out,
738 &client_verify_callback_called, &client_verify_optional);
739 }
740
741 static int
742 verify_callback_server(int preverify_ok, X509_STORE_CTX *x509ctx)
743 {
744 return verify_callback(preverify_ok, x509ctx, &tls_in,
745 &server_verify_callback_called, &server_verify_optional);
746 }
747
748
749 #ifdef SUPPORT_DANE
750
751 /* This gets called *by* the dane library verify callback, which interposes
752 itself.
753 */
754 static int
755 verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
756 {
757 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
758 uschar dn[256];
759 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
760 #ifndef DISABLE_EVENT
761 BOOL dummy_called, optional = FALSE;
762 #endif
763
764 if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
765 {
766 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
767 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
768 deliver_host_address);
769 return 0;
770 }
771 dn[sizeof(dn)-1] = '\0';
772
773 DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
774 preverify_ok ? "ok":"BAD", depth, dn);
775
776 #ifndef DISABLE_EVENT
777 if (verify_event(&tls_out, cert, depth, dn,
778 &dummy_called, &optional, US"DANE"))
779 return 0; /* reject, with peercert set */
780 #endif
781
782 if (preverify_ok == 1)
783 {
784 tls_out.dane_verified = TRUE;
785 #ifndef DISABLE_OCSP
786 if (client_static_cbinfo->u_ocsp.client.verify_store)
787 { /* client, wanting stapling */
788 /* Add the server cert's signing chain as the one
789 for the verification of the OCSP stapled information. */
790
791 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
792 cert))
793 ERR_clear_error();
794 sk_X509_push(client_static_cbinfo->verify_stack, cert);
795 }
796 #endif
797 }
798 else
799 {
800 int err = X509_STORE_CTX_get_error(x509ctx);
801 DEBUG(D_tls)
802 debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
803 if (err == X509_V_ERR_APPLICATION_VERIFICATION)
804 preverify_ok = 1;
805 }
806 return preverify_ok;
807 }
808
809 #endif /*SUPPORT_DANE*/
810
811
812 /*************************************************
813 * Information callback *
814 *************************************************/
815
816 /* The SSL library functions call this from time to time to indicate what they
817 are doing. We copy the string to the debugging output when TLS debugging has
818 been requested.
819
820 Arguments:
821 s the SSL connection
822 where
823 ret
824
825 Returns: nothing
826 */
827
828 static void
829 info_callback(SSL *s, int where, int ret)
830 {
831 DEBUG(D_tls)
832 {
833 const uschar * str;
834
835 if (where & SSL_ST_CONNECT)
836 str = US"SSL_connect";
837 else if (where & SSL_ST_ACCEPT)
838 str = US"SSL_accept";
839 else
840 str = US"SSL info (undefined)";
841
842 if (where & SSL_CB_LOOP)
843 debug_printf("%s: %s\n", str, SSL_state_string_long(s));
844 else if (where & SSL_CB_ALERT)
845 debug_printf("SSL3 alert %s:%s:%s\n",
846 str = where & SSL_CB_READ ? US"read" : US"write",
847 SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
848 else if (where & SSL_CB_EXIT)
849 if (ret == 0)
850 debug_printf("%s: failed in %s\n", str, SSL_state_string_long(s));
851 else if (ret < 0)
852 debug_printf("%s: error in %s\n", str, SSL_state_string_long(s));
853 else if (where & SSL_CB_HANDSHAKE_START)
854 debug_printf("%s: hshake start: %s\n", str, SSL_state_string_long(s));
855 else if (where & SSL_CB_HANDSHAKE_DONE)
856 debug_printf("%s: hshake done: %s\n", str, SSL_state_string_long(s));
857 }
858 }
859
860 #ifdef OPENSSL_HAVE_KEYLOG_CB
861 static void
862 keylog_callback(const SSL *ssl, const char *line)
863 {
864 char * filename;
865 FILE * fp;
866 DEBUG(D_tls) debug_printf("%.200s\n", line);
867 if (!(filename = getenv("SSLKEYLOGFILE"))) return;
868 if (!(fp = fopen(filename, "a"))) return;
869 fprintf(fp, "%s\n", line);
870 fclose(fp);
871 }
872 #endif
873
874
875 #ifdef EXPERIMENTAL_TLS_RESUME
876 /* Manage the keysets used for encrypting the session tickets, on the server. */
877
878 typedef struct { /* Session ticket encryption key */
879 uschar name[16];
880
881 const EVP_CIPHER * aes_cipher;
882 uschar aes_key[32]; /* size needed depends on cipher. aes_128 implies 128/8 = 16? */
883 const EVP_MD * hmac_hash;
884 uschar hmac_key[16];
885 time_t renew;
886 time_t expire;
887 } exim_stek;
888
889 static exim_stek exim_tk; /* current key */
890 static exim_stek exim_tk_old; /* previous key */
891
892 static void
893 tk_init(void)
894 {
895 time_t t = time(NULL);
896
897 if (exim_tk.name[0])
898 {
899 if (exim_tk.renew >= t) return;
900 exim_tk_old = exim_tk;
901 }
902
903 if (f.running_in_test_harness) ssl_session_timeout = 6;
904
905 DEBUG(D_tls) debug_printf("OpenSSL: %s STEK\n", exim_tk.name[0] ? "rotating" : "creating");
906 if (RAND_bytes(exim_tk.aes_key, sizeof(exim_tk.aes_key)) <= 0) return;
907 if (RAND_bytes(exim_tk.hmac_key, sizeof(exim_tk.hmac_key)) <= 0) return;
908 if (RAND_bytes(exim_tk.name+1, sizeof(exim_tk.name)-1) <= 0) return;
909
910 exim_tk.name[0] = 'E';
911 exim_tk.aes_cipher = EVP_aes_256_cbc();
912 exim_tk.hmac_hash = EVP_sha256();
913 exim_tk.expire = t + ssl_session_timeout;
914 exim_tk.renew = t + ssl_session_timeout/2;
915 }
916
917 static exim_stek *
918 tk_current(void)
919 {
920 if (!exim_tk.name[0]) return NULL;
921 return &exim_tk;
922 }
923
924 static exim_stek *
925 tk_find(const uschar * name)
926 {
927 return memcmp(name, exim_tk.name, sizeof(exim_tk.name)) == 0 ? &exim_tk
928 : memcmp(name, exim_tk_old.name, sizeof(exim_tk_old.name)) == 0 ? &exim_tk_old
929 : NULL;
930 }
931
932 /* Callback for session tickets, on server */
933 static int
934 ticket_key_callback(SSL * ssl, uschar key_name[16],
935 uschar * iv, EVP_CIPHER_CTX * ctx, HMAC_CTX * hctx, int enc)
936 {
937 tls_support * tlsp = server_static_cbinfo->tlsp;
938 exim_stek * key;
939
940 if (enc)
941 {
942 DEBUG(D_tls) debug_printf("ticket_key_callback: create new session\n");
943 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
944
945 if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) <= 0)
946 return -1; /* insufficient random */
947
948 if (!(key = tk_current())) /* current key doesn't exist or isn't valid */
949 return 0; /* key couldn't be created */
950 memcpy(key_name, key->name, 16);
951 DEBUG(D_tls) debug_printf("STEK expire " TIME_T_FMT "\n", key->expire - time(NULL));
952
953 /*XXX will want these dependent on the ssl session strength */
954 HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
955 key->hmac_hash, NULL);
956 EVP_EncryptInit_ex(ctx, key->aes_cipher, NULL, key->aes_key, iv);
957
958 DEBUG(D_tls) debug_printf("ticket created\n");
959 return 1;
960 }
961 else
962 {
963 time_t now = time(NULL);
964
965 DEBUG(D_tls) debug_printf("ticket_key_callback: retrieve session\n");
966 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
967
968 if (!(key = tk_find(key_name)) || key->expire < now)
969 {
970 DEBUG(D_tls)
971 {
972 debug_printf("ticket not usable (%s)\n", key ? "expired" : "not found");
973 if (key) debug_printf("STEK expire " TIME_T_FMT "\n", key->expire - now);
974 }
975 return 0;
976 }
977
978 HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
979 key->hmac_hash, NULL);
980 EVP_DecryptInit_ex(ctx, key->aes_cipher, NULL, key->aes_key, iv);
981
982 DEBUG(D_tls) debug_printf("ticket usable, STEK expire " TIME_T_FMT "\n", key->expire - now);
983
984 /* The ticket lifetime and renewal are the same as the STEK lifetime and
985 renewal, which is overenthusiastic. A factor of, say, 3x longer STEK would
986 be better. To do that we'd have to encode ticket lifetime in the name as
987 we don't yet see the restored session. Could check posthandshake for TLS1.3
988 and trigger a new ticket then, but cannot do that for TLS1.2 */
989 return key->renew < now ? 2 : 1;
990 }
991 }
992 #endif
993
994
995
996 /*************************************************
997 * Initialize for DH *
998 *************************************************/
999
1000 /* If dhparam is set, expand it, and load up the parameters for DH encryption.
1001
1002 Arguments:
1003 sctx The current SSL CTX (inbound or outbound)
1004 dhparam DH parameter file or fixed parameter identity string
1005 host connected host, if client; NULL if server
1006 errstr error string pointer
1007
1008 Returns: TRUE if OK (nothing to set up, or setup worked)
1009 */
1010
1011 static BOOL
1012 init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host, uschar ** errstr)
1013 {
1014 BIO *bio;
1015 DH *dh;
1016 uschar *dhexpanded;
1017 const char *pem;
1018 int dh_bitsize;
1019
1020 if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded, errstr))
1021 return FALSE;
1022
1023 if (!dhexpanded || !*dhexpanded)
1024 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
1025 else if (dhexpanded[0] == '/')
1026 {
1027 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
1028 {
1029 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
1030 host, US strerror(errno), errstr);
1031 return FALSE;
1032 }
1033 }
1034 else
1035 {
1036 if (Ustrcmp(dhexpanded, "none") == 0)
1037 {
1038 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
1039 return TRUE;
1040 }
1041
1042 if (!(pem = std_dh_prime_named(dhexpanded)))
1043 {
1044 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
1045 host, US strerror(errno), errstr);
1046 return FALSE;
1047 }
1048 bio = BIO_new_mem_buf(CS pem, -1);
1049 }
1050
1051 if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
1052 {
1053 BIO_free(bio);
1054 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
1055 host, NULL, errstr);
1056 return FALSE;
1057 }
1058
1059 /* note: our default limit of 2236 is not a multiple of 8; the limit comes from
1060 * an NSS limit, and the GnuTLS APIs handle bit-sizes fine, so we went with
1061 * 2236. But older OpenSSL can only report in bytes (octets), not bits.
1062 * If someone wants to dance at the edge, then they can raise the limit or use
1063 * current libraries. */
1064 #ifdef EXIM_HAVE_OPENSSL_DH_BITS
1065 /* Added in commit 26c79d5641d; `git describe --contains` says OpenSSL_1_1_0-pre1~1022
1066 * This predates OpenSSL_1_1_0 (before a, b, ...) so is in all 1.1.0 */
1067 dh_bitsize = DH_bits(dh);
1068 #else
1069 dh_bitsize = 8 * DH_size(dh);
1070 #endif
1071
1072 /* Even if it is larger, we silently return success rather than cause things
1073 * to fail out, so that a too-large DH will not knock out all TLS; it's a
1074 * debatable choice. */
1075 if (dh_bitsize > tls_dh_max_bits)
1076 {
1077 DEBUG(D_tls)
1078 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d\n",
1079 dh_bitsize, tls_dh_max_bits);
1080 }
1081 else
1082 {
1083 SSL_CTX_set_tmp_dh(sctx, dh);
1084 DEBUG(D_tls)
1085 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
1086 dhexpanded ? dhexpanded : US"default", dh_bitsize);
1087 }
1088
1089 DH_free(dh);
1090 BIO_free(bio);
1091
1092 return TRUE;
1093 }
1094
1095
1096
1097
1098 /*************************************************
1099 * Initialize for ECDH *
1100 *************************************************/
1101
1102 /* Load parameters for ECDH encryption.
1103
1104 For now, we stick to NIST P-256 because: it's simple and easy to configure;
1105 it avoids any patent issues that might bite redistributors; despite events in
1106 the news and concerns over curve choices, we're not cryptographers, we're not
1107 pretending to be, and this is "good enough" to be better than no support,
1108 protecting against most adversaries. Given another year or two, there might
1109 be sufficient clarity about a "right" way forward to let us make an informed
1110 decision, instead of a knee-jerk reaction.
1111
1112 Longer-term, we should look at supporting both various named curves and
1113 external files generated with "openssl ecparam", much as we do for init_dh().
1114 We should also support "none" as a value, to explicitly avoid initialisation.
1115
1116 Patches welcome.
1117
1118 Arguments:
1119 sctx The current SSL CTX (inbound or outbound)
1120 host connected host, if client; NULL if server
1121 errstr error string pointer
1122
1123 Returns: TRUE if OK (nothing to set up, or setup worked)
1124 */
1125
1126 static BOOL
1127 init_ecdh(SSL_CTX * sctx, host_item * host, uschar ** errstr)
1128 {
1129 #ifdef OPENSSL_NO_ECDH
1130 return TRUE;
1131 #else
1132
1133 EC_KEY * ecdh;
1134 uschar * exp_curve;
1135 int nid;
1136 BOOL rv;
1137
1138 if (host) /* No ECDH setup for clients, only for servers */
1139 return TRUE;
1140
1141 # ifndef EXIM_HAVE_ECDH
1142 DEBUG(D_tls)
1143 debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
1144 return TRUE;
1145 # else
1146
1147 if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr))
1148 return FALSE;
1149 if (!exp_curve || !*exp_curve)
1150 return TRUE;
1151
1152 /* "auto" needs to be handled carefully.
1153 * OpenSSL < 1.0.2: we do not select anything, but fallback to prime256v1
1154 * OpenSSL < 1.1.0: we have to call SSL_CTX_set_ecdh_auto
1155 * (openssl/ssl.h defines SSL_CTRL_SET_ECDH_AUTO)
1156 * OpenSSL >= 1.1.0: we do not set anything, the libray does autoselection
1157 * https://github.com/openssl/openssl/commit/fe6ef2472db933f01b59cad82aa925736935984b
1158 */
1159 if (Ustrcmp(exp_curve, "auto") == 0)
1160 {
1161 #if OPENSSL_VERSION_NUMBER < 0x10002000L
1162 DEBUG(D_tls) debug_printf(
1163 "ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n");
1164 exp_curve = US"prime256v1";
1165 #else
1166 # if defined SSL_CTRL_SET_ECDH_AUTO
1167 DEBUG(D_tls) debug_printf(
1168 "ECDH OpenSSL 1.0.2+ temp key parameter settings: autoselection\n");
1169 SSL_CTX_set_ecdh_auto(sctx, 1);
1170 return TRUE;
1171 # else
1172 DEBUG(D_tls) debug_printf(
1173 "ECDH OpenSSL 1.1.0+ temp key parameter settings: default selection\n");
1174 return TRUE;
1175 # endif
1176 #endif
1177 }
1178
1179 DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve);
1180 if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef
1181 # ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
1182 && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef
1183 # endif
1184 )
1185 {
1186 tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve),
1187 host, NULL, errstr);
1188 return FALSE;
1189 }
1190
1191 if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
1192 {
1193 tls_error(US"Unable to create ec curve", host, NULL, errstr);
1194 return FALSE;
1195 }
1196
1197 /* The "tmp" in the name here refers to setting a temporary key
1198 not to the stability of the interface. */
1199
1200 if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
1201 tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL, errstr);
1202 else
1203 DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
1204
1205 EC_KEY_free(ecdh);
1206 return !rv;
1207
1208 # endif /*EXIM_HAVE_ECDH*/
1209 #endif /*OPENSSL_NO_ECDH*/
1210 }
1211
1212
1213
1214
1215 #ifndef DISABLE_OCSP
1216 /*************************************************
1217 * Load OCSP information into state *
1218 *************************************************/
1219 /* Called to load the server OCSP response from the given file into memory, once
1220 caller has determined this is needed. Checks validity. Debugs a message
1221 if invalid.
1222
1223 ASSUMES: single response, for single cert.
1224
1225 Arguments:
1226 sctx the SSL_CTX* to update
1227 cbinfo various parts of session state
1228 filename the filename putatively holding an OCSP response
1229 is_pem file is PEM format; otherwise is DER
1230
1231 */
1232
1233 static void
1234 ocsp_load_response(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo,
1235 const uschar * filename, BOOL is_pem)
1236 {
1237 BIO * bio;
1238 OCSP_RESPONSE * resp;
1239 OCSP_BASICRESP * basic_response;
1240 OCSP_SINGLERESP * single_response;
1241 ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
1242 STACK_OF(X509) * sk;
1243 unsigned long verify_flags;
1244 int status, reason, i;
1245
1246 DEBUG(D_tls)
1247 debug_printf("tls_ocsp_file (%s) '%s'\n", is_pem ? "PEM" : "DER", filename);
1248
1249 if (!(bio = BIO_new_file(CS filename, "rb")))
1250 {
1251 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
1252 filename);
1253 return;
1254 }
1255
1256 if (is_pem)
1257 {
1258 uschar * data, * freep;
1259 char * dummy;
1260 long len;
1261 if (!PEM_read_bio(bio, &dummy, &dummy, &data, &len))
1262 {
1263 DEBUG(D_tls) debug_printf("Failed to read PEM file \"%s\"\n",
1264 filename);
1265 return;
1266 }
1267 debug_printf("read pem file\n");
1268 freep = data;
1269 resp = d2i_OCSP_RESPONSE(NULL, CUSS &data, len);
1270 OPENSSL_free(freep);
1271 }
1272 else
1273 resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
1274 BIO_free(bio);
1275
1276 if (!resp)
1277 {
1278 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
1279 return;
1280 }
1281
1282 if ((status = OCSP_response_status(resp)) != OCSP_RESPONSE_STATUS_SUCCESSFUL)
1283 {
1284 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
1285 OCSP_response_status_str(status), status);
1286 goto bad;
1287 }
1288
1289 #ifdef notdef
1290 {
1291 BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
1292 OCSP_RESPONSE_print(bp, resp, 0); /* extreme debug: stapling content */
1293 BIO_free(bp);
1294 }
1295 #endif
1296
1297 if (!(basic_response = OCSP_response_get1_basic(resp)))
1298 {
1299 DEBUG(D_tls)
1300 debug_printf("OCSP response parse error: unable to extract basic response.\n");
1301 goto bad;
1302 }
1303
1304 sk = cbinfo->verify_stack;
1305 verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
1306
1307 /* May need to expose ability to adjust those flags?
1308 OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
1309 OCSP_TRUSTOTHER OCSP_NOINTERN */
1310
1311 /* This does a full verify on the OCSP proof before we load it for serving
1312 up; possibly overkill - just date-checks might be nice enough.
1313
1314 OCSP_basic_verify takes a "store" arg, but does not
1315 use it for the chain verification, which is all we do
1316 when OCSP_NOVERIFY is set. The content from the wire
1317 "basic_response" and a cert-stack "sk" are all that is used.
1318
1319 We have a stack, loaded in setup_certs() if tls_verify_certificates
1320 was a file (not a directory, or "system"). It is unfortunate we
1321 cannot used the connection context store, as that would neatly
1322 handle the "system" case too, but there seems to be no library
1323 function for getting a stack from a store.
1324 [ In OpenSSL 1.1 - ? X509_STORE_CTX_get0_chain(ctx) ? ]
1325 We do not free the stack since it could be needed a second time for
1326 SNI handling.
1327
1328 Separately we might try to replace using OCSP_basic_verify() - which seems to not
1329 be a public interface into the OpenSSL library (there's no manual entry) -
1330 But what with? We also use OCSP_basic_verify in the client stapling callback.
1331 And there we NEED it; we must verify that status... unless the
1332 library does it for us anyway? */
1333
1334 if ((i = OCSP_basic_verify(basic_response, sk, NULL, verify_flags)) < 0)
1335 {
1336 DEBUG(D_tls)
1337 {
1338 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
1339 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
1340 }
1341 goto bad;
1342 }
1343
1344 /* Here's the simplifying assumption: there's only one response, for the
1345 one certificate we use, and nothing for anything else in a chain. If this
1346 proves false, we need to extract a cert id from our issued cert
1347 (tls_certificate) and use that for OCSP_resp_find_status() (which finds the
1348 right cert in the stack and then calls OCSP_single_get0_status()).
1349
1350 I'm hoping to avoid reworking a bunch more of how we handle state here.
1351
1352 XXX that will change when we add support for (TLS1.3) whole-chain stapling
1353 */
1354
1355 if (!(single_response = OCSP_resp_get0(basic_response, 0)))
1356 {
1357 DEBUG(D_tls)
1358 debug_printf("Unable to get first response from OCSP basic response.\n");
1359 goto bad;
1360 }
1361
1362 status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
1363 if (status != V_OCSP_CERTSTATUS_GOOD)
1364 {
1365 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
1366 OCSP_cert_status_str(status), status,
1367 OCSP_crl_reason_str(reason), reason);
1368 goto bad;
1369 }
1370
1371 if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1372 {
1373 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
1374 goto bad;
1375 }
1376
1377 supply_response:
1378 /* Add the resp to the list used by tls_server_stapling_cb() */
1379 {
1380 ocsp_resplist ** op = &cbinfo->u_ocsp.server.olist, * oentry;
1381 while (oentry = *op)
1382 op = &oentry->next;
1383 *op = oentry = store_get(sizeof(ocsp_resplist), FALSE);
1384 oentry->next = NULL;
1385 oentry->resp = resp;
1386 }
1387 return;
1388
1389 bad:
1390 if (f.running_in_test_harness)
1391 {
1392 extern char ** environ;
1393 if (environ) for (uschar ** p = USS environ; *p; p++)
1394 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
1395 {
1396 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
1397 goto supply_response;
1398 }
1399 }
1400 return;
1401 }
1402
1403
1404 static void
1405 ocsp_free_response_list(tls_ext_ctx_cb * cbinfo)
1406 {
1407 for (ocsp_resplist * olist = cbinfo->u_ocsp.server.olist; olist;
1408 olist = olist->next)
1409 OCSP_RESPONSE_free(olist->resp);
1410 cbinfo->u_ocsp.server.olist = NULL;
1411 }
1412 #endif /*!DISABLE_OCSP*/
1413
1414
1415
1416
1417 /* Create and install a selfsigned certificate, for use in server mode */
1418
1419 static int
1420 tls_install_selfsign(SSL_CTX * sctx, uschar ** errstr)
1421 {
1422 X509 * x509 = NULL;
1423 EVP_PKEY * pkey;
1424 RSA * rsa;
1425 X509_NAME * name;
1426 uschar * where;
1427
1428 where = US"allocating pkey";
1429 if (!(pkey = EVP_PKEY_new()))
1430 goto err;
1431
1432 where = US"allocating cert";
1433 if (!(x509 = X509_new()))
1434 goto err;
1435
1436 where = US"generating pkey";
1437 if (!(rsa = rsa_callback(NULL, 0, 2048)))
1438 goto err;
1439
1440 where = US"assigning pkey";
1441 if (!EVP_PKEY_assign_RSA(pkey, rsa))
1442 goto err;
1443
1444 X509_set_version(x509, 2); /* N+1 - version 3 */
1445 ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
1446 X509_gmtime_adj(X509_get_notBefore(x509), 0);
1447 X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60); /* 1 hour */
1448 X509_set_pubkey(x509, pkey);
1449
1450 name = X509_get_subject_name(x509);
1451 X509_NAME_add_entry_by_txt(name, "C",
1452 MBSTRING_ASC, CUS "UK", -1, -1, 0);
1453 X509_NAME_add_entry_by_txt(name, "O",
1454 MBSTRING_ASC, CUS "Exim Developers", -1, -1, 0);
1455 X509_NAME_add_entry_by_txt(name, "CN",
1456 MBSTRING_ASC, CUS smtp_active_hostname, -1, -1, 0);
1457 X509_set_issuer_name(x509, name);
1458
1459 where = US"signing cert";
1460 if (!X509_sign(x509, pkey, EVP_md5()))
1461 goto err;
1462
1463 where = US"installing selfsign cert";
1464 if (!SSL_CTX_use_certificate(sctx, x509))
1465 goto err;
1466
1467 where = US"installing selfsign key";
1468 if (!SSL_CTX_use_PrivateKey(sctx, pkey))
1469 goto err;
1470
1471 return OK;
1472
1473 err:
1474 (void) tls_error(where, NULL, NULL, errstr);
1475 if (x509) X509_free(x509);
1476 if (pkey) EVP_PKEY_free(pkey);
1477 return DEFER;
1478 }
1479
1480
1481
1482
1483 static int
1484 tls_add_certfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1485 uschar ** errstr)
1486 {
1487 DEBUG(D_tls) debug_printf("tls_certificate file '%s'\n", file);
1488 if (!SSL_CTX_use_certificate_chain_file(sctx, CS file))
1489 return tls_error(string_sprintf(
1490 "SSL_CTX_use_certificate_chain_file file=%s", file),
1491 cbinfo->host, NULL, errstr);
1492 return 0;
1493 }
1494
1495 static int
1496 tls_add_pkeyfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1497 uschar ** errstr)
1498 {
1499 DEBUG(D_tls) debug_printf("tls_privatekey file '%s'\n", file);
1500 if (!SSL_CTX_use_PrivateKey_file(sctx, CS file, SSL_FILETYPE_PEM))
1501 return tls_error(string_sprintf(
1502 "SSL_CTX_use_PrivateKey_file file=%s", file), cbinfo->host, NULL, errstr);
1503 return 0;
1504 }
1505
1506
1507 /*************************************************
1508 * Expand key and cert file specs *
1509 *************************************************/
1510
1511 /* Called once during tls_init and possibly again during TLS setup, for a
1512 new context, if Server Name Indication was used and tls_sni was seen in
1513 the certificate string.
1514
1515 Arguments:
1516 sctx the SSL_CTX* to update
1517 cbinfo various parts of session state
1518 errstr error string pointer
1519
1520 Returns: OK/DEFER/FAIL
1521 */
1522
1523 static int
1524 tls_expand_session_files(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo,
1525 uschar ** errstr)
1526 {
1527 uschar * expanded;
1528
1529 if (!cbinfo->certificate)
1530 {
1531 if (!cbinfo->is_server) /* client */
1532 return OK;
1533 /* server */
1534 if (tls_install_selfsign(sctx, errstr) != OK)
1535 return DEFER;
1536 }
1537 else
1538 {
1539 int err;
1540
1541 if ( !reexpand_tls_files_for_sni
1542 && ( Ustrstr(cbinfo->certificate, US"tls_sni")
1543 || Ustrstr(cbinfo->certificate, US"tls_in_sni")
1544 || Ustrstr(cbinfo->certificate, US"tls_out_sni")
1545 ) )
1546 reexpand_tls_files_for_sni = TRUE;
1547
1548 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded, errstr))
1549 return DEFER;
1550
1551 if (expanded)
1552 if (cbinfo->is_server)
1553 {
1554 const uschar * file_list = expanded;
1555 int sep = 0;
1556 uschar * file;
1557 #ifndef DISABLE_OCSP
1558 const uschar * olist = cbinfo->u_ocsp.server.file;
1559 int osep = 0;
1560 uschar * ofile;
1561 BOOL fmt_pem = FALSE;
1562
1563 if (olist)
1564 if (!expand_check(olist, US"tls_ocsp_file", USS &olist, errstr))
1565 return DEFER;
1566 if (olist && !*olist)
1567 olist = NULL;
1568
1569 if ( cbinfo->u_ocsp.server.file_expanded && olist
1570 && (Ustrcmp(olist, cbinfo->u_ocsp.server.file_expanded) == 0))
1571 {
1572 DEBUG(D_tls) debug_printf(" - value unchanged, using existing values\n");
1573 olist = NULL;
1574 }
1575 else
1576 {
1577 ocsp_free_response_list(cbinfo);
1578 cbinfo->u_ocsp.server.file_expanded = olist;
1579 }
1580 #endif
1581
1582 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1583 {
1584 if ((err = tls_add_certfile(sctx, cbinfo, file, errstr)))
1585 return err;
1586
1587 #ifndef DISABLE_OCSP
1588 if (olist)
1589 if ((ofile = string_nextinlist(&olist, &osep, NULL, 0)))
1590 {
1591 if (Ustrncmp(ofile, US"PEM ", 4) == 0)
1592 {
1593 fmt_pem = TRUE;
1594 ofile += 4;
1595 }
1596 else if (Ustrncmp(ofile, US"DER ", 4) == 0)
1597 {
1598 fmt_pem = FALSE;
1599 ofile += 4;
1600 }
1601 ocsp_load_response(sctx, cbinfo, ofile, fmt_pem);
1602 }
1603 else
1604 DEBUG(D_tls) debug_printf("ran out of ocsp file list\n");
1605 #endif
1606 }
1607 }
1608 else /* would there ever be a need for multiple client certs? */
1609 if ((err = tls_add_certfile(sctx, cbinfo, expanded, errstr)))
1610 return err;
1611
1612 if ( cbinfo->privatekey
1613 && !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded, errstr))
1614 return DEFER;
1615
1616 /* If expansion was forced to fail, key_expanded will be NULL. If the result
1617 of the expansion is an empty string, ignore it also, and assume the private
1618 key is in the same file as the certificate. */
1619
1620 if (expanded && *expanded)
1621 if (cbinfo->is_server)
1622 {
1623 const uschar * file_list = expanded;
1624 int sep = 0;
1625 uschar * file;
1626
1627 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1628 if ((err = tls_add_pkeyfile(sctx, cbinfo, file, errstr)))
1629 return err;
1630 }
1631 else /* would there ever be a need for multiple client certs? */
1632 if ((err = tls_add_pkeyfile(sctx, cbinfo, expanded, errstr)))
1633 return err;
1634 }
1635
1636 return OK;
1637 }
1638
1639
1640
1641
1642 /*************************************************
1643 * Callback to handle SNI *
1644 *************************************************/
1645
1646 /* Called when acting as server during the TLS session setup if a Server Name
1647 Indication extension was sent by the client.
1648
1649 API documentation is OpenSSL s_server.c implementation.
1650
1651 Arguments:
1652 s SSL* of the current session
1653 ad unknown (part of OpenSSL API) (unused)
1654 arg Callback of "our" registered data
1655
1656 Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
1657
1658 XXX might need to change to using ClientHello callback,
1659 per https://www.openssl.org/docs/manmaster/man3/SSL_client_hello_cb_fn.html
1660 */
1661
1662 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
1663 static int
1664 tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
1665 {
1666 const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
1667 tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
1668 int rc;
1669 int old_pool = store_pool;
1670 uschar * dummy_errstr;
1671
1672 if (!servername)
1673 return SSL_TLSEXT_ERR_OK;
1674
1675 DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
1676 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
1677
1678 /* Make the extension value available for expansion */
1679 store_pool = POOL_PERM;
1680 tls_in.sni = string_copy_taint(US servername, TRUE);
1681 store_pool = old_pool;
1682
1683 if (!reexpand_tls_files_for_sni)
1684 return SSL_TLSEXT_ERR_OK;
1685
1686 /* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
1687 not confident that memcpy wouldn't break some internal reference counting.
1688 Especially since there's a references struct member, which would be off. */
1689
1690 #ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1691 if (!(server_sni = SSL_CTX_new(TLS_server_method())))
1692 #else
1693 if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
1694 #endif
1695 {
1696 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
1697 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
1698 goto bad;
1699 }
1700
1701 /* Not sure how many of these are actually needed, since SSL object
1702 already exists. Might even need this selfsame callback, for reneg? */
1703
1704 SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
1705 SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
1706 SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
1707 SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
1708 SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
1709 SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
1710
1711 if ( !init_dh(server_sni, cbinfo->dhparam, NULL, &dummy_errstr)
1712 || !init_ecdh(server_sni, NULL, &dummy_errstr)
1713 )
1714 goto bad;
1715
1716 if ( cbinfo->server_cipher_list
1717 && !SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list))
1718 goto bad;
1719
1720 #ifndef DISABLE_OCSP
1721 if (cbinfo->u_ocsp.server.file)
1722 {
1723 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
1724 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
1725 }
1726 #endif
1727
1728 if ((rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE,
1729 verify_callback_server, &dummy_errstr)) != OK)
1730 goto bad;
1731
1732 /* do this after setup_certs, because this can require the certs for verifying
1733 OCSP information. */
1734 if ((rc = tls_expand_session_files(server_sni, cbinfo, &dummy_errstr)) != OK)
1735 goto bad;
1736
1737 DEBUG(D_tls) debug_printf("Switching SSL context.\n");
1738 SSL_set_SSL_CTX(s, server_sni);
1739 return SSL_TLSEXT_ERR_OK;
1740
1741 bad: return SSL_TLSEXT_ERR_ALERT_FATAL;
1742 }
1743 #endif /* EXIM_HAVE_OPENSSL_TLSEXT */
1744
1745
1746
1747
1748 #ifndef DISABLE_OCSP
1749
1750 /*************************************************
1751 * Callback to handle OCSP Stapling *
1752 *************************************************/
1753
1754 /* Called when acting as server during the TLS session setup if the client
1755 requests OCSP information with a Certificate Status Request.
1756
1757 Documentation via openssl s_server.c and the Apache patch from the OpenSSL
1758 project.
1759
1760 */
1761
1762 static int
1763 tls_server_stapling_cb(SSL *s, void *arg)
1764 {
1765 const tls_ext_ctx_cb * cbinfo = (tls_ext_ctx_cb *) arg;
1766 ocsp_resplist * olist = cbinfo->u_ocsp.server.olist;
1767 uschar * response_der; /*XXX blob */
1768 int response_der_len;
1769
1770 DEBUG(D_tls)
1771 debug_printf("Received TLS status request (OCSP stapling); %s response list\n",
1772 olist ? "have" : "lack");
1773
1774 tls_in.ocsp = OCSP_NOT_RESP;
1775 if (!olist)
1776 return SSL_TLSEXT_ERR_NOACK;
1777
1778 #ifdef EXIM_HAVE_OPESSL_GET0_SERIAL
1779 {
1780 const X509 * cert_sent = SSL_get_certificate(s);
1781 const ASN1_INTEGER * cert_serial = X509_get0_serialNumber(cert_sent);
1782 const BIGNUM * cert_bn = ASN1_INTEGER_to_BN(cert_serial, NULL);
1783 const X509_NAME * cert_issuer = X509_get_issuer_name(cert_sent);
1784 uschar * chash;
1785 uint chash_len;
1786
1787 for (; olist; olist = olist->next)
1788 {
1789 OCSP_BASICRESP * bs = OCSP_response_get1_basic(olist->resp);
1790 const OCSP_SINGLERESP * single = OCSP_resp_get0(bs, 0);
1791 const OCSP_CERTID * cid = OCSP_SINGLERESP_get0_id(single);
1792 ASN1_INTEGER * res_cert_serial;
1793 const BIGNUM * resp_bn;
1794 ASN1_OCTET_STRING * res_cert_iNameHash;
1795
1796
1797 (void) OCSP_id_get0_info(&res_cert_iNameHash, NULL, NULL, &res_cert_serial,
1798 (OCSP_CERTID *) cid);
1799 resp_bn = ASN1_INTEGER_to_BN(res_cert_serial, NULL);
1800
1801 DEBUG(D_tls)
1802 {
1803 debug_printf("cert serial: %s\n", BN_bn2hex(cert_bn));
1804 debug_printf("resp serial: %s\n", BN_bn2hex(resp_bn));
1805 }
1806
1807 if (BN_cmp(cert_bn, resp_bn) == 0)
1808 {
1809 DEBUG(D_tls) debug_printf("matched serial for ocsp\n");
1810
1811 /*XXX TODO: check the rest of the list for duplicate matches.
1812 If any, need to also check the Issuer Name hash.
1813 Without this, we will provide the wrong status in the case of
1814 duplicate id. */
1815
1816 break;
1817 }
1818 DEBUG(D_tls) debug_printf("not match serial for ocsp\n");
1819 }
1820 if (!olist)
1821 {
1822 DEBUG(D_tls) debug_printf("failed to find match for ocsp\n");
1823 return SSL_TLSEXT_ERR_NOACK;
1824 }
1825 }
1826 #else
1827 if (olist->next)
1828 {
1829 DEBUG(D_tls) debug_printf("OpenSSL version too early to support multi-leaf OCSP\n");
1830 return SSL_TLSEXT_ERR_NOACK;
1831 }
1832 #endif
1833
1834 /*XXX could we do the i2d earlier, rather than during the callback? */
1835 response_der = NULL;
1836 response_der_len = i2d_OCSP_RESPONSE(olist->resp, &response_der);
1837 if (response_der_len <= 0)
1838 return SSL_TLSEXT_ERR_NOACK;
1839
1840 SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
1841 tls_in.ocsp = OCSP_VFIED;
1842 return SSL_TLSEXT_ERR_OK;
1843 }
1844
1845
1846 static void
1847 time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
1848 {
1849 BIO_printf(bp, "\t%s: ", str);
1850 ASN1_GENERALIZEDTIME_print(bp, time);
1851 BIO_puts(bp, "\n");
1852 }
1853
1854 static int
1855 tls_client_stapling_cb(SSL *s, void *arg)
1856 {
1857 tls_ext_ctx_cb * cbinfo = arg;
1858 const unsigned char * p;
1859 int len;
1860 OCSP_RESPONSE * rsp;
1861 OCSP_BASICRESP * bs;
1862 int i;
1863
1864 DEBUG(D_tls) debug_printf("Received TLS status callback (OCSP stapling):\n");
1865 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1866 if(!p)
1867 {
1868 /* Expect this when we requested ocsp but got none */
1869 if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
1870 log_write(0, LOG_MAIN, "Required TLS certificate status not received");
1871 else
1872 DEBUG(D_tls) debug_printf(" null\n");
1873 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1874 }
1875
1876 if (!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
1877 {
1878 tls_out.ocsp = OCSP_FAILED; /*XXX should use tlsp-> to permit concurrent outbound */
1879 if (LOGGING(tls_cipher))
1880 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
1881 else
1882 DEBUG(D_tls) debug_printf(" parse error\n");
1883 return 0;
1884 }
1885
1886 if (!(bs = OCSP_response_get1_basic(rsp)))
1887 {
1888 tls_out.ocsp = OCSP_FAILED;
1889 if (LOGGING(tls_cipher))
1890 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
1891 else
1892 DEBUG(D_tls) debug_printf(" error parsing response\n");
1893 OCSP_RESPONSE_free(rsp);
1894 return 0;
1895 }
1896
1897 /* We'd check the nonce here if we'd put one in the request. */
1898 /* However that would defeat cacheability on the server so we don't. */
1899
1900 /* This section of code reworked from OpenSSL apps source;
1901 The OpenSSL Project retains copyright:
1902 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
1903 */
1904 {
1905 BIO * bp = NULL;
1906 #ifndef EXIM_HAVE_OCSP_RESP_COUNT
1907 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
1908 #endif
1909
1910 DEBUG(D_tls) bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
1911
1912 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
1913
1914 /* Use the chain that verified the server cert to verify the stapled info */
1915 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
1916
1917 if ((i = OCSP_basic_verify(bs, cbinfo->verify_stack,
1918 cbinfo->u_ocsp.client.verify_store, OCSP_NOEXPLICIT)) <= 0)
1919 if (ERR_peek_error())
1920 {
1921 tls_out.ocsp = OCSP_FAILED;
1922 if (LOGGING(tls_cipher)) log_write(0, LOG_MAIN,
1923 "Received TLS cert status response, itself unverifiable: %s",
1924 ERR_reason_error_string(ERR_peek_error()));
1925 BIO_printf(bp, "OCSP response verify failure\n");
1926 ERR_print_errors(bp);
1927 OCSP_RESPONSE_print(bp, rsp, 0);
1928 goto failed;
1929 }
1930 else
1931 DEBUG(D_tls) debug_printf("no explicit trust for OCSP signing"
1932 " in the root CA certificate; ignoring\n");
1933
1934 DEBUG(D_tls) debug_printf("OCSP response well-formed and signed OK\n");
1935
1936 /*XXX So we have a good stapled OCSP status. How do we know
1937 it is for the cert of interest? OpenSSL 1.1.0 has a routine
1938 OCSP_resp_find_status() which matches on a cert id, which presumably
1939 we should use. Making an id needs OCSP_cert_id_new(), which takes
1940 issuerName, issuerKey, serialNumber. Are they all in the cert?
1941
1942 For now, carry on blindly accepting the resp. */
1943
1944 for (int idx =
1945 #ifdef EXIM_HAVE_OCSP_RESP_COUNT
1946 OCSP_resp_count(bs) - 1;
1947 #else
1948 sk_OCSP_SINGLERESP_num(sresp) - 1;
1949 #endif
1950 idx >= 0; idx--)
1951 {
1952 OCSP_SINGLERESP * single = OCSP_resp_get0(bs, idx);
1953 int status, reason;
1954 ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
1955
1956 /*XXX so I can see putting a loop in here to handle a rsp with >1 singleresp
1957 - but what happens with a GnuTLS-style input?
1958
1959 we could do with a debug label for each singleresp
1960 - it has a certID with a serialNumber, but I see no API to get that
1961 */
1962 status = OCSP_single_get0_status(single, &reason, &rev,
1963 &thisupd, &nextupd);
1964
1965 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
1966 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
1967 if (!OCSP_check_validity(thisupd, nextupd,
1968 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1969 {
1970 tls_out.ocsp = OCSP_FAILED;
1971 DEBUG(D_tls) ERR_print_errors(bp);
1972 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
1973 goto failed;
1974 }
1975
1976 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
1977 OCSP_cert_status_str(status));
1978 switch(status)
1979 {
1980 case V_OCSP_CERTSTATUS_GOOD:
1981 continue; /* the idx loop */
1982 case V_OCSP_CERTSTATUS_REVOKED:
1983 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
1984 reason != -1 ? "; reason: " : "",
1985 reason != -1 ? OCSP_crl_reason_str(reason) : "");
1986 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
1987 break;
1988 default:
1989 log_write(0, LOG_MAIN,
1990 "Server certificate status unknown, in OCSP stapling");
1991 break;
1992 }
1993
1994 goto failed;
1995 }
1996
1997 i = 1;
1998 tls_out.ocsp = OCSP_VFIED;
1999 goto good;
2000
2001 failed:
2002 tls_out.ocsp = OCSP_FAILED;
2003 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
2004 good:
2005 BIO_free(bp);
2006 }
2007
2008 OCSP_RESPONSE_free(rsp);
2009 return i;
2010 }
2011 #endif /*!DISABLE_OCSP*/
2012
2013
2014 /*************************************************
2015 * Initialize for TLS *
2016 *************************************************/
2017
2018 static void
2019 tls_openssl_init(void)
2020 {
2021 #ifdef EXIM_NEED_OPENSSL_INIT
2022 SSL_load_error_strings(); /* basic set up */
2023 OpenSSL_add_ssl_algorithms();
2024 #endif
2025
2026 #if defined(EXIM_HAVE_SHA256) && !defined(OPENSSL_AUTO_SHA256)
2027 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
2028 list of available digests. */
2029 EVP_add_digest(EVP_sha256());
2030 #endif
2031 }
2032
2033
2034
2035 /* Called from both server and client code, to do preliminary initialization
2036 of the library. We allocate and return a context structure.
2037
2038 Arguments:
2039 ctxp returned SSL context
2040 host connected host, if client; NULL if server
2041 dhparam DH parameter file
2042 certificate certificate file
2043 privatekey private key
2044 ocsp_file file of stapling info (server); flag for require ocsp (client)
2045 addr address if client; NULL if server (for some randomness)
2046 cbp place to put allocated callback context
2047 errstr error string pointer
2048
2049 Returns: OK/DEFER/FAIL
2050 */
2051
2052 static int
2053 tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
2054 uschar *privatekey,
2055 #ifndef DISABLE_OCSP
2056 uschar *ocsp_file,
2057 #endif
2058 address_item *addr, tls_ext_ctx_cb ** cbp,
2059 tls_support * tlsp,
2060 uschar ** errstr)
2061 {
2062 SSL_CTX * ctx;
2063 long init_options;
2064 int rc;
2065 tls_ext_ctx_cb * cbinfo;
2066
2067 cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
2068 cbinfo->tlsp = tlsp;
2069 cbinfo->certificate = certificate;
2070 cbinfo->privatekey = privatekey;
2071 cbinfo->is_server = host==NULL;
2072 #ifndef DISABLE_OCSP
2073 cbinfo->verify_stack = NULL;
2074 if (!host)
2075 {
2076 cbinfo->u_ocsp.server.file = ocsp_file;
2077 cbinfo->u_ocsp.server.file_expanded = NULL;
2078 cbinfo->u_ocsp.server.olist = NULL;
2079 }
2080 else
2081 cbinfo->u_ocsp.client.verify_store = NULL;
2082 #endif
2083 cbinfo->dhparam = dhparam;
2084 cbinfo->server_cipher_list = NULL;
2085 cbinfo->host = host;
2086 #ifndef DISABLE_EVENT
2087 cbinfo->event_action = NULL;
2088 #endif
2089
2090 tls_openssl_init();
2091
2092 /* Create a context.
2093 The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
2094 negotiation in the different methods; as far as I can tell, the only
2095 *_{server,client}_method which allows negotiation is SSLv23, which exists even
2096 when OpenSSL is built without SSLv2 support.
2097 By disabling with openssl_options, we can let admins re-enable with the
2098 existing knob. */
2099
2100 #ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
2101 if (!(ctx = SSL_CTX_new(host ? TLS_client_method() : TLS_server_method())))
2102 #else
2103 if (!(ctx = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method())))
2104 #endif
2105 return tls_error(US"SSL_CTX_new", host, NULL, errstr);
2106
2107 /* It turns out that we need to seed the random number generator this early in
2108 order to get the full complement of ciphers to work. It took me roughly a day
2109 of work to discover this by experiment.
2110
2111 On systems that have /dev/urandom, SSL may automatically seed itself from
2112 there. Otherwise, we have to make something up as best we can. Double check
2113 afterwards. */
2114
2115 if (!RAND_status())
2116 {
2117 randstuff r;
2118 gettimeofday(&r.tv, NULL);
2119 r.p = getpid();
2120
2121 RAND_seed(US (&r), sizeof(r));
2122 RAND_seed(US big_buffer, big_buffer_size);
2123 if (addr != NULL) RAND_seed(US addr, sizeof(addr));
2124
2125 if (!RAND_status())
2126 return tls_error(US"RAND_status", host,
2127 US"unable to seed random number generator", errstr);
2128 }
2129
2130 /* Set up the information callback, which outputs if debugging is at a suitable
2131 level. */
2132
2133 DEBUG(D_tls)
2134 {
2135 SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
2136 #if defined(EXIM_HAVE_OPESSL_TRACE) && !defined(OPENSSL_NO_SSL_TRACE)
2137 /* this needs a debug build of OpenSSL */
2138 SSL_CTX_set_msg_callback(ctx, (void (*)())SSL_trace);
2139 #endif
2140 #ifdef OPENSSL_HAVE_KEYLOG_CB
2141 SSL_CTX_set_keylog_callback(ctx, (void (*)())keylog_callback);
2142 #endif
2143 }
2144
2145 /* Automatically re-try reads/writes after renegotiation. */
2146 (void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
2147
2148 /* Apply administrator-supplied work-arounds.
2149 Historically we applied just one requested option,
2150 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
2151 moved to an administrator-controlled list of options to specify and
2152 grandfathered in the first one as the default value for "openssl_options".
2153
2154 No OpenSSL version number checks: the options we accept depend upon the
2155 availability of the option value macros from OpenSSL. */
2156
2157 if (!tls_openssl_options_parse(openssl_options, &init_options))
2158 return tls_error(US"openssl_options parsing failed", host, NULL, errstr);
2159
2160 #ifdef EXPERIMENTAL_TLS_RESUME
2161 tlsp->resumption = RESUME_SUPPORTED;
2162 #endif
2163 if (init_options)
2164 {
2165 #ifdef EXPERIMENTAL_TLS_RESUME
2166 /* Should the server offer session resumption? */
2167 if (!host && verify_check_host(&tls_resumption_hosts) == OK)
2168 {
2169 DEBUG(D_tls) debug_printf("tls_resumption_hosts overrides openssl_options\n");
2170 init_options &= ~SSL_OP_NO_TICKET;
2171 tlsp->resumption |= RESUME_SERVER_TICKET; /* server will give ticket on request */
2172 tlsp->host_resumable = TRUE;
2173 }
2174 #endif
2175
2176 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
2177 if (!(SSL_CTX_set_options(ctx, init_options)))
2178 return tls_error(string_sprintf(
2179 "SSL_CTX_set_option(%#lx)", init_options), host, NULL, errstr);
2180 }
2181 else
2182 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
2183
2184 /* We'd like to disable session cache unconditionally, but foolish Outlook
2185 Express clients then give up the first TLS connection and make a second one
2186 (which works). Only when there is an IMAP service on the same machine.
2187 Presumably OE is trying to use the cache for A on B. Leave it enabled for
2188 now, until we work out a decent way of presenting control to the config. It
2189 will never be used because we use a new context every time. */
2190 #ifdef notdef
2191 (void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
2192 #endif
2193
2194 /* Initialize with DH parameters if supplied */
2195 /* Initialize ECDH temp key parameter selection */
2196
2197 if ( !init_dh(ctx, dhparam, host, errstr)
2198 || !init_ecdh(ctx, host, errstr)
2199 )
2200 return DEFER;
2201
2202 /* Set up certificate and key (and perhaps OCSP info) */
2203
2204 if ((rc = tls_expand_session_files(ctx, cbinfo, errstr)) != OK)
2205 return rc;
2206
2207 /* If we need to handle SNI or OCSP, do so */
2208
2209 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
2210 # ifndef DISABLE_OCSP
2211 if (!(cbinfo->verify_stack = sk_X509_new_null()))
2212 {
2213 DEBUG(D_tls) debug_printf("failed to create stack for stapling verify\n");
2214 return FAIL;
2215 }
2216 # endif
2217
2218 if (!host) /* server */
2219 {
2220 # ifndef DISABLE_OCSP
2221 /* We check u_ocsp.server.file, not server.olist, because we care about if
2222 the option exists, not what the current expansion might be, as SNI might
2223 change the certificate and OCSP file in use between now and the time the
2224 callback is invoked. */
2225 if (cbinfo->u_ocsp.server.file)
2226 {
2227 SSL_CTX_set_tlsext_status_cb(ctx, tls_server_stapling_cb);
2228 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
2229 }
2230 # endif
2231 /* We always do this, so that $tls_sni is available even if not used in
2232 tls_certificate */
2233 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
2234 SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
2235 }
2236 # ifndef DISABLE_OCSP
2237 else /* client */
2238 if(ocsp_file) /* wanting stapling */
2239 {
2240 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
2241 {
2242 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
2243 return FAIL;
2244 }
2245 SSL_CTX_set_tlsext_status_cb(ctx, tls_client_stapling_cb);
2246 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
2247 }
2248 # endif
2249 #endif
2250
2251 cbinfo->verify_cert_hostnames = NULL;
2252
2253 #ifdef EXIM_HAVE_EPHEM_RSA_KEX
2254 /* Set up the RSA callback */
2255 SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
2256 #endif
2257
2258 /* Finally, set the session cache timeout, and we are done.
2259 The period appears to be also used for (server-generated) session tickets */
2260
2261 SSL_CTX_set_timeout(ctx, ssl_session_timeout);
2262 DEBUG(D_tls) debug_printf("Initialized TLS\n");
2263
2264 *cbp = cbinfo;
2265 *ctxp = ctx;
2266
2267 return OK;
2268 }
2269
2270
2271
2272
2273 /*************************************************
2274 * Get name of cipher in use *
2275 *************************************************/
2276
2277 /*
2278 Argument: pointer to an SSL structure for the connection
2279 pointer to number of bits for cipher
2280 Returns: pointer to allocated string in perm-pool
2281 */
2282
2283 static uschar *
2284 construct_cipher_name(SSL * ssl, const uschar * ver, int * bits)
2285 {
2286 int pool = store_pool;
2287 /* With OpenSSL 1.0.0a, 'c' needs to be const but the documentation doesn't
2288 yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
2289 the accessor functions use const in the prototype. */
2290
2291 const SSL_CIPHER * c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
2292 uschar * s;
2293
2294 SSL_CIPHER_get_bits(c, bits);
2295
2296 store_pool = POOL_PERM;
2297 s = string_sprintf("%s:%s:%u", ver, SSL_CIPHER_get_name(c), *bits);
2298 store_pool = pool;
2299 DEBUG(D_tls) debug_printf("Cipher: %s\n", s);
2300 return s;
2301 }
2302
2303
2304 /* Get IETF-standard name for ciphersuite.
2305 Argument: pointer to an SSL structure for the connection
2306 Returns: pointer to string
2307 */
2308
2309 static const uschar *
2310 cipher_stdname_ssl(SSL * ssl)
2311 {
2312 #ifdef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
2313 return CUS SSL_CIPHER_standard_name(SSL_get_current_cipher(ssl));
2314 #else
2315 ushort id = 0xffff & SSL_CIPHER_get_id(SSL_get_current_cipher(ssl));
2316 return cipher_stdname(id >> 8, id & 0xff);
2317 #endif
2318 }
2319
2320
2321 static const uschar *
2322 tlsver_name(SSL * ssl)
2323 {
2324 uschar * s, * p;
2325 int pool = store_pool;
2326
2327 store_pool = POOL_PERM;
2328 s = string_copy(US SSL_get_version(ssl));
2329 store_pool = pool;
2330 if ((p = Ustrchr(s, 'v'))) /* TLSv1.2 -> TLS1.2 */
2331 for (;; p++) if (!(*p = p[1])) break;
2332 return CUS s;
2333 }
2334
2335
2336 static void
2337 peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned siz)
2338 {
2339 /*XXX we might consider a list-of-certs variable for the cert chain.
2340 SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
2341 in list-handling functions, also consider the difference between the entire
2342 chain and the elements sent by the peer. */
2343
2344 tlsp->peerdn = NULL;
2345
2346 /* Will have already noted peercert on a verify fail; possibly not the leaf */
2347 if (!tlsp->peercert)
2348 tlsp->peercert = SSL_get_peer_certificate(ssl);
2349 /* Beware anonymous ciphers which lead to server_cert being NULL */
2350 if (tlsp->peercert)
2351 if (!X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, siz))
2352 { DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n"); }
2353 else
2354 {
2355 int oldpool = store_pool;
2356
2357 peerdn[siz-1] = '\0'; /* paranoia */
2358 store_pool = POOL_PERM;
2359 tlsp->peerdn = string_copy(peerdn);
2360 store_pool = oldpool;
2361
2362 /* We used to set CV in the cert-verify callbacks (either plain or dane)
2363 but they don't get called on session-resumption. So use the official
2364 interface, which uses the resumed value. Unfortunately this claims verified
2365 when it actually failed but we're in try-verify mode, due to us wanting the
2366 knowlege that it failed so needing to have the callback and forcing a
2367 permissive return. If we don't force it, the TLS startup is failed.
2368 The extra bit of information is set in verify_override in the cb, stashed
2369 for resumption next to the TLS session, and used here. */
2370
2371 if (!tlsp->verify_override)
2372 tlsp->certificate_verified =
2373 #ifdef SUPPORT_DANE
2374 tlsp->dane_verified ||
2375 #endif
2376 SSL_get_verify_result(ssl) == X509_V_OK;
2377 }
2378 }
2379
2380
2381
2382
2383
2384 /*************************************************
2385 * Set up for verifying certificates *
2386 *************************************************/
2387
2388 #ifndef DISABLE_OCSP
2389 /* Load certs from file, return TRUE on success */
2390
2391 static BOOL
2392 chain_from_pem_file(const uschar * file, STACK_OF(X509) * verify_stack)
2393 {
2394 BIO * bp;
2395 X509 * x;
2396
2397 while (sk_X509_num(verify_stack) > 0)
2398 X509_free(sk_X509_pop(verify_stack));
2399
2400 if (!(bp = BIO_new_file(CS file, "r"))) return FALSE;
2401 while ((x = PEM_read_bio_X509(bp, NULL, 0, NULL)))
2402 sk_X509_push(verify_stack, x);
2403 BIO_free(bp);
2404 return TRUE;
2405 }
2406 #endif
2407
2408
2409
2410 /* Called by both client and server startup; on the server possibly
2411 repeated after a Server Name Indication.
2412
2413 Arguments:
2414 sctx SSL_CTX* to initialise
2415 certs certs file or NULL
2416 crl CRL file or NULL
2417 host NULL in a server; the remote host in a client
2418 optional TRUE if called from a server for a host in tls_try_verify_hosts;
2419 otherwise passed as FALSE
2420 cert_vfy_cb Callback function for certificate verification
2421 errstr error string pointer
2422
2423 Returns: OK/DEFER/FAIL
2424 */
2425
2426 static int
2427 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
2428 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr)
2429 {
2430 uschar *expcerts, *expcrl;
2431
2432 if (!expand_check(certs, US"tls_verify_certificates", &expcerts, errstr))
2433 return DEFER;
2434 DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
2435
2436 if (expcerts && *expcerts)
2437 {
2438 /* Tell the library to use its compiled-in location for the system default
2439 CA bundle. Then add the ones specified in the config, if any. */
2440
2441 if (!SSL_CTX_set_default_verify_paths(sctx))
2442 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL, errstr);
2443
2444 if (Ustrcmp(expcerts, "system") != 0)
2445 {
2446 struct stat statbuf;
2447
2448 if (Ustat(expcerts, &statbuf) < 0)
2449 {
2450 log_write(0, LOG_MAIN|LOG_PANIC,
2451 "failed to stat %s for certificates", expcerts);
2452 return DEFER;
2453 }
2454 else
2455 {
2456 uschar *file, *dir;
2457 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
2458 { file = NULL; dir = expcerts; }
2459 else
2460 {
2461 file = expcerts; dir = NULL;
2462 #ifndef DISABLE_OCSP
2463 /* In the server if we will be offering an OCSP proof, load chain from
2464 file for verifying the OCSP proof at load time. */
2465
2466 /*XXX Glitch! The file here is tls_verify_certs: the chain for verifying the client cert.
2467 This is inconsistent with the need to verify the OCSP proof of the server cert.
2468 */
2469
2470 if ( !host
2471 && statbuf.st_size > 0
2472 && server_static_cbinfo->u_ocsp.server.file
2473 && !chain_from_pem_file(file, server_static_cbinfo->verify_stack)
2474 )
2475 {
2476 log_write(0, LOG_MAIN|LOG_PANIC,
2477 "failed to load cert chain from %s", file);
2478 return DEFER;
2479 }
2480 #endif
2481 }
2482
2483 /* If a certificate file is empty, the next function fails with an
2484 unhelpful error message. If we skip it, we get the correct behaviour (no
2485 certificates are recognized, but the error message is still misleading (it
2486 says no certificate was supplied). But this is better. */
2487
2488 if ( (!file || statbuf.st_size > 0)
2489 && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
2490 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL, errstr);
2491
2492 /* Load the list of CAs for which we will accept certs, for sending
2493 to the client. This is only for the one-file tls_verify_certificates
2494 variant.
2495 If a list isn't loaded into the server, but some verify locations are set,
2496 the server end appears to make a wildcard request for client certs.
2497 Meanwhile, the client library as default behaviour *ignores* the list
2498 we send over the wire - see man SSL_CTX_set_client_cert_cb.
2499 Because of this, and that the dir variant is likely only used for
2500 the public-CA bundle (not for a private CA), not worth fixing. */
2501
2502 if (file)
2503 {
2504 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
2505
2506 SSL_CTX_set_client_CA_list(sctx, names);
2507 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
2508 sk_X509_NAME_num(names));
2509 }
2510 }
2511 }
2512
2513 /* Handle a certificate revocation list. */
2514
2515 #if OPENSSL_VERSION_NUMBER > 0x00907000L
2516
2517 /* This bit of code is now the version supplied by Lars Mainka. (I have
2518 merely reformatted it into the Exim code style.)
2519
2520 "From here I changed the code to add support for multiple crl's
2521 in pem format in one file or to support hashed directory entries in
2522 pem format instead of a file. This method now uses the library function
2523 X509_STORE_load_locations to add the CRL location to the SSL context.
2524 OpenSSL will then handle the verify against CA certs and CRLs by
2525 itself in the verify callback." */
2526
2527 if (!expand_check(crl, US"tls_crl", &expcrl, errstr)) return DEFER;
2528 if (expcrl && *expcrl)
2529 {
2530 struct stat statbufcrl;
2531 if (Ustat(expcrl, &statbufcrl) < 0)
2532 {
2533 log_write(0, LOG_MAIN|LOG_PANIC,
2534 "failed to stat %s for certificates revocation lists", expcrl);
2535 return DEFER;
2536 }
2537 else
2538 {
2539 /* is it a file or directory? */
2540 uschar *file, *dir;
2541 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
2542 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
2543 {
2544 file = NULL;
2545 dir = expcrl;
2546 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
2547 }
2548 else
2549 {
2550 file = expcrl;
2551 dir = NULL;
2552 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
2553 }
2554 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
2555 return tls_error(US"X509_STORE_load_locations", host, NULL, errstr);
2556
2557 /* setting the flags to check against the complete crl chain */
2558
2559 X509_STORE_set_flags(cvstore,
2560 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
2561 }
2562 }
2563
2564 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
2565
2566 /* If verification is optional, don't fail if no certificate */
2567
2568 SSL_CTX_set_verify(sctx,
2569 SSL_VERIFY_PEER | (optional ? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
2570 cert_vfy_cb);
2571 }
2572
2573 return OK;
2574 }
2575
2576
2577
2578 /*************************************************
2579 * Start a TLS session in a server *
2580 *************************************************/
2581
2582 /* This is called when Exim is running as a server, after having received
2583 the STARTTLS command. It must respond to that command, and then negotiate
2584 a TLS session.
2585
2586 Arguments:
2587 require_ciphers allowed ciphers
2588 errstr pointer to error message
2589
2590 Returns: OK on success
2591 DEFER for errors before the start of the negotiation
2592 FAIL for errors during the negotiation; the server can't
2593 continue running.
2594 */
2595
2596 int
2597 tls_server_start(const uschar * require_ciphers, uschar ** errstr)
2598 {
2599 int rc;
2600 uschar * expciphers;
2601 tls_ext_ctx_cb * cbinfo;
2602 static uschar peerdn[256];
2603
2604 /* Check for previous activation */
2605
2606 if (tls_in.active.sock >= 0)
2607 {
2608 tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
2609 smtp_printf("554 Already in TLS\r\n", FALSE);
2610 return FAIL;
2611 }
2612
2613 /* Initialize the SSL library. If it fails, it will already have logged
2614 the error. */
2615
2616 rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
2617 #ifndef DISABLE_OCSP
2618 tls_ocsp_file,
2619 #endif
2620 NULL, &server_static_cbinfo, &tls_in, errstr);
2621 if (rc != OK) return rc;
2622 cbinfo = server_static_cbinfo;
2623
2624 if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers, errstr))
2625 return FAIL;
2626
2627 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
2628 were historically separated by underscores. So that I can use either form in my
2629 tests, and also for general convenience, we turn underscores into hyphens here.
2630
2631 XXX SSL_CTX_set_cipher_list() is replaced by SSL_CTX_set_ciphersuites()
2632 for TLS 1.3 . Since we do not call it at present we get the default list:
2633 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
2634 */
2635
2636 if (expciphers)
2637 {
2638 for (uschar * s = expciphers; *s; s++ ) if (*s == '_') *s = '-';
2639 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
2640 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
2641 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL, errstr);
2642 cbinfo->server_cipher_list = expciphers;
2643 }
2644
2645 /* If this is a host for which certificate verification is mandatory or
2646 optional, set up appropriately. */
2647
2648 tls_in.certificate_verified = FALSE;
2649 #ifdef SUPPORT_DANE
2650 tls_in.dane_verified = FALSE;
2651 #endif
2652 server_verify_callback_called = FALSE;
2653
2654 if (verify_check_host(&tls_verify_hosts) == OK)
2655 {
2656 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
2657 FALSE, verify_callback_server, errstr);
2658 if (rc != OK) return rc;
2659 server_verify_optional = FALSE;
2660 }
2661 else if (verify_check_host(&tls_try_verify_hosts) == OK)
2662 {
2663 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
2664 TRUE, verify_callback_server, errstr);
2665 if (rc != OK) return rc;
2666 server_verify_optional = TRUE;
2667 }
2668
2669 #ifdef EXPERIMENTAL_TLS_RESUME
2670 SSL_CTX_set_tlsext_ticket_key_cb(server_ctx, ticket_key_callback);
2671 /* despite working, appears to always return failure, so ignoring */
2672 #endif
2673 #ifdef OPENSSL_HAVE_NUM_TICKETS
2674 # ifdef EXPERIMENTAL_TLS_RESUME
2675 SSL_CTX_set_num_tickets(server_ctx, tls_in.host_resumable ? 1 : 0);
2676 # else
2677 SSL_CTX_set_num_tickets(server_ctx, 0); /* send no TLS1.3 stateful-tickets */
2678 # endif
2679 #endif
2680
2681
2682 /* Prepare for new connection */
2683
2684 if (!(server_ssl = SSL_new(server_ctx)))
2685 return tls_error(US"SSL_new", NULL, NULL, errstr);
2686
2687 /* Warning: we used to SSL_clear(ssl) here, it was removed.
2688 *
2689 * With the SSL_clear(), we get strange interoperability bugs with
2690 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
2691 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
2692 *
2693 * The SSL_clear() call is to let an existing SSL* be reused, typically after
2694 * session shutdown. In this case, we have a brand new object and there's no
2695 * obvious reason to immediately clear it. I'm guessing that this was
2696 * originally added because of incomplete initialisation which the clear fixed,
2697 * in some historic release.
2698 */
2699
2700 /* Set context and tell client to go ahead, except in the case of TLS startup
2701 on connection, where outputting anything now upsets the clients and tends to
2702 make them disconnect. We need to have an explicit fflush() here, to force out
2703 the response. Other smtp_printf() calls do not need it, because in non-TLS
2704 mode, the fflush() happens when smtp_getc() is called. */
2705
2706 SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
2707 if (!tls_in.on_connect)
2708 {
2709 smtp_printf("220 TLS go ahead\r\n", FALSE);
2710 fflush(smtp_out);
2711 }
2712
2713 /* Now negotiate the TLS session. We put our own timer on it, since it seems
2714 that the OpenSSL library doesn't. */
2715
2716 SSL_set_wfd(server_ssl, fileno(smtp_out));
2717 SSL_set_rfd(server_ssl, fileno(smtp_in));
2718 SSL_set_accept_state(server_ssl);
2719
2720 DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
2721
2722 sigalrm_seen = FALSE;
2723 if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
2724 rc = SSL_accept(server_ssl);
2725 ALARM_CLR(0);
2726
2727 if (rc <= 0)
2728 {
2729 int error = SSL_get_error(server_ssl, rc);
2730 switch(error)
2731 {
2732 case SSL_ERROR_NONE:
2733 break;
2734
2735 case SSL_ERROR_ZERO_RETURN:
2736 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2737 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
2738
2739 if (SSL_get_shutdown(server_ssl) == SSL_RECEIVED_SHUTDOWN)
2740 SSL_shutdown(server_ssl);
2741
2742 tls_close(NULL, TLS_NO_SHUTDOWN);
2743 return FAIL;
2744
2745 /* Handle genuine errors */
2746 case SSL_ERROR_SSL:
2747 {
2748 uschar * s = US"SSL_accept";
2749 unsigned long e = ERR_peek_error();
2750 if (ERR_GET_REASON(e) == SSL_R_WRONG_VERSION_NUMBER)
2751 s = string_sprintf("%s (%s)", s, SSL_get_version(server_ssl));
2752 (void) tls_error(s, NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
2753 return FAIL;
2754 }
2755
2756 default:
2757 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
2758 if (error == SSL_ERROR_SYSCALL)
2759 {
2760 if (!errno)
2761 {
2762 *errstr = US"SSL_accept: TCP connection closed by peer";
2763 return FAIL;
2764 }
2765 DEBUG(D_tls) debug_printf(" - syscall %s\n", strerror(errno));
2766 }
2767 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
2768 return FAIL;
2769 }
2770 }
2771
2772 DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
2773 ERR_clear_error(); /* Even success can leave errors in the stack. Seen with
2774 anon-authentication ciphersuite negotiated. */
2775
2776 #ifdef EXPERIMENTAL_TLS_RESUME
2777 if (SSL_session_reused(server_ssl))
2778 {
2779 tls_in.resumption |= RESUME_USED;
2780 DEBUG(D_tls) debug_printf("Session reused\n");
2781 }
2782 #endif
2783
2784 /* TLS has been set up. Record data for the connection,
2785 adjust the input functions to read via TLS, and initialize things. */
2786
2787 peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
2788
2789 tls_in.ver = tlsver_name(server_ssl);
2790 tls_in.cipher = construct_cipher_name(server_ssl, tls_in.ver, &tls_in.bits);
2791 tls_in.cipher_stdname = cipher_stdname_ssl(server_ssl);
2792
2793 DEBUG(D_tls)
2794 {
2795 uschar buf[2048];
2796 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)))
2797 debug_printf("Shared ciphers: %s\n", buf);
2798
2799 #ifdef EXIM_HAVE_OPENSSL_KEYLOG
2800 {
2801 BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
2802 SSL_SESSION_print_keylog(bp, SSL_get_session(server_ssl));
2803 BIO_free(bp);
2804 }
2805 #endif
2806
2807 #ifdef EXIM_HAVE_SESSION_TICKET
2808 {
2809 SSL_SESSION * ss = SSL_get_session(server_ssl);
2810 if (SSL_SESSION_has_ticket(ss)) /* 1.1.0 */
2811 debug_printf("The session has a ticket, life %lu seconds\n",
2812 SSL_SESSION_get_ticket_lifetime_hint(ss));
2813 }
2814 #endif
2815 }
2816
2817 /* Record the certificate we presented */
2818 {
2819 X509 * crt = SSL_get_certificate(server_ssl);
2820 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
2821 }
2822
2823 /* Channel-binding info for authenticators
2824 See description in https://paquier.xyz/postgresql-2/channel-binding-openssl/ */
2825 {
2826 uschar c, * s;
2827 size_t len = SSL_get_peer_finished(server_ssl, &c, 0);
2828 int old_pool = store_pool;
2829
2830 SSL_get_peer_finished(server_ssl, s = store_get((int)len, FALSE), len);
2831 store_pool = POOL_PERM;
2832 tls_in.channelbinding = b64encode_taint(CUS s, (int)len, FALSE);
2833 store_pool = old_pool;
2834 DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage\n");
2835 }
2836
2837 /* Only used by the server-side tls (tls_in), including tls_getc.
2838 Client-side (tls_out) reads (seem to?) go via
2839 smtp_read_response()/ip_recv().
2840 Hence no need to duplicate for _in and _out.
2841 */
2842 if (!ssl_xfer_buffer) ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
2843 ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
2844 ssl_xfer_eof = ssl_xfer_error = FALSE;
2845
2846 receive_getc = tls_getc;
2847 receive_getbuf = tls_getbuf;
2848 receive_get_cache = tls_get_cache;
2849 receive_ungetc = tls_ungetc;
2850 receive_feof = tls_feof;
2851 receive_ferror = tls_ferror;
2852 receive_smtp_buffered = tls_smtp_buffered;
2853
2854 tls_in.active.sock = fileno(smtp_out);
2855 tls_in.active.tls_ctx = NULL; /* not using explicit ctx for server-side */
2856 return OK;
2857 }
2858
2859
2860
2861
2862 static int
2863 tls_client_basic_ctx_init(SSL_CTX * ctx,
2864 host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo,
2865 uschar ** errstr)
2866 {
2867 int rc;
2868 /* stick to the old behaviour for compatibility if tls_verify_certificates is
2869 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
2870 the specified host patterns if one of them is defined */
2871
2872 if ( ( !ob->tls_verify_hosts
2873 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2874 )
2875 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
2876 )
2877 client_verify_optional = FALSE;
2878 else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
2879 client_verify_optional = TRUE;
2880 else
2881 return OK;
2882
2883 if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
2884 ob->tls_crl, host, client_verify_optional, verify_callback_client,
2885 errstr)) != OK)
2886 return rc;
2887
2888 if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
2889 {
2890 cbinfo->verify_cert_hostnames =
2891 #ifdef SUPPORT_I18N
2892 string_domain_utf8_to_alabel(host->name, NULL);
2893 #else
2894 host->name;
2895 #endif
2896 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
2897 cbinfo->verify_cert_hostnames);
2898 }
2899 return OK;
2900 }
2901
2902
2903 #ifdef SUPPORT_DANE
2904 static int
2905 dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa, uschar ** errstr)
2906 {
2907 dns_scan dnss;
2908 const char * hostnames[2] = { CS host->name, NULL };
2909 int found = 0;
2910
2911 if (DANESSL_init(ssl, NULL, hostnames) != 1)
2912 return tls_error(US"hostnames load", host, NULL, errstr);
2913
2914 for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
2915 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
2916 ) if (rr->type == T_TLSA && rr->size > 3)
2917 {
2918 const uschar * p = rr->data;
2919 uint8_t usage, selector, mtype;
2920 const char * mdname;
2921
2922 usage = *p++;
2923
2924 /* Only DANE-TA(2) and DANE-EE(3) are supported */
2925 if (usage != 2 && usage != 3) continue;
2926
2927 selector = *p++;
2928 mtype = *p++;
2929
2930 switch (mtype)
2931 {
2932 default: continue; /* Only match-types 0, 1, 2 are supported */
2933 case 0: mdname = NULL; break;
2934 case 1: mdname = "sha256"; break;
2935 case 2: mdname = "sha512"; break;
2936 }
2937
2938 found++;
2939 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
2940 {
2941 default:
2942 return tls_error(US"tlsa load", host, NULL, errstr);
2943 case 0: /* action not taken */
2944 case 1: break;
2945 }
2946
2947 tls_out.tlsa_usage |= 1<<usage;
2948 }
2949
2950 if (found)
2951 return OK;
2952
2953 log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
2954 return DEFER;
2955 }
2956 #endif /*SUPPORT_DANE*/
2957
2958
2959
2960 #ifdef EXPERIMENTAL_TLS_RESUME
2961 /* On the client, get any stashed session for the given IP from hints db
2962 and apply it to the ssl-connection for attempted resumption. */
2963
2964 static void
2965 tls_retrieve_session(tls_support * tlsp, SSL * ssl, const uschar * key)
2966 {
2967 tlsp->resumption |= RESUME_SUPPORTED;
2968 if (tlsp->host_resumable)
2969 {
2970 dbdata_tls_session * dt;
2971 int len;
2972 open_db dbblock, * dbm_file;
2973
2974 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
2975 DEBUG(D_tls) debug_printf("checking for resumable session for %s\n", key);
2976 if ((dbm_file = dbfn_open(US"tls", O_RDONLY, &dbblock, FALSE, FALSE)))
2977 {
2978 /* key for the db is the IP */
2979 if ((dt = dbfn_read_with_length(dbm_file, key, &len)))
2980 {
2981 SSL_SESSION * ss = NULL;
2982 const uschar * sess_asn1 = dt->session;
2983
2984 len -= sizeof(dbdata_tls_session);
2985 if (!(d2i_SSL_SESSION(&ss, &sess_asn1, (long)len)))
2986 {
2987 DEBUG(D_tls)
2988 {
2989 ERR_error_string_n(ERR_get_error(),
2990 ssl_errstring, sizeof(ssl_errstring));
2991 debug_printf("decoding session: %s\n", ssl_errstring);
2992 }
2993 }
2994 #ifdef EXIM_HAVE_SESSION_TICKET
2995 else if ( SSL_SESSION_get_ticket_lifetime_hint(ss) + dt->time_stamp
2996 < time(NULL))
2997 {
2998 DEBUG(D_tls) debug_printf("session expired\n");
2999 dbfn_delete(dbm_file, key);
3000 }
3001 #endif
3002 else if (!SSL_set_session(ssl, ss))
3003 {
3004 DEBUG(D_tls)
3005 {
3006 ERR_error_string_n(ERR_get_error(),
3007 ssl_errstring, sizeof(ssl_errstring));
3008 debug_printf("applying session to ssl: %s\n", ssl_errstring);
3009 }
3010 }
3011 else
3012 {
3013 DEBUG(D_tls) debug_printf("good session\n");
3014 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
3015 tlsp->verify_override = dt->verify_override;
3016 tlsp->ocsp = dt->ocsp;
3017 }
3018 }
3019 else
3020 DEBUG(D_tls) debug_printf("no session record\n");
3021 dbfn_close(dbm_file);
3022 }
3023 }
3024 }
3025
3026
3027 /* On the client, save the session for later resumption */
3028
3029 static int
3030 tls_save_session_cb(SSL * ssl, SSL_SESSION * ss)
3031 {
3032 tls_ext_ctx_cb * cbinfo = SSL_get_ex_data(ssl, tls_exdata_idx);
3033 tls_support * tlsp;
3034
3035 DEBUG(D_tls) debug_printf("tls_save_session_cb\n");
3036
3037 if (!cbinfo || !(tlsp = cbinfo->tlsp)->host_resumable) return 0;
3038
3039 # ifdef OPENSSL_HAVE_NUM_TICKETS
3040 if (SSL_SESSION_is_resumable(ss)) /* 1.1.1 */
3041 # endif
3042 {
3043 int len = i2d_SSL_SESSION(ss, NULL);
3044 int dlen = sizeof(dbdata_tls_session) + len;
3045 dbdata_tls_session * dt = store_get(dlen, TRUE);
3046 uschar * s = dt->session;
3047 open_db dbblock, * dbm_file;
3048
3049 DEBUG(D_tls) debug_printf("session is resumable\n");
3050 tlsp->resumption |= RESUME_SERVER_TICKET; /* server gave us a ticket */
3051
3052 dt->verify_override = tlsp->verify_override;
3053 dt->ocsp = tlsp->ocsp;
3054 (void) i2d_SSL_SESSION(ss, &s); /* s gets bumped to end */
3055
3056 if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
3057 {
3058 const uschar * key = cbinfo->host->address;
3059 dbfn_delete(dbm_file, key);
3060 dbfn_write(dbm_file, key, dt, dlen);
3061 dbfn_close(dbm_file);
3062 DEBUG(D_tls) debug_printf("wrote session (len %u) to db\n",
3063 (unsigned)dlen);
3064 }
3065 }
3066 return 1;
3067 }
3068
3069
3070 static void
3071 tls_client_ctx_resume_prehandshake(
3072 exim_openssl_client_tls_ctx * exim_client_ctx, tls_support * tlsp,
3073 smtp_transport_options_block * ob, host_item * host)
3074 {
3075 /* Should the client request a session resumption ticket? */
3076 if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, host) == OK)
3077 {
3078 tlsp->host_resumable = TRUE;
3079
3080 SSL_CTX_set_session_cache_mode(exim_client_ctx->ctx,
3081 SSL_SESS_CACHE_CLIENT
3082 | SSL_SESS_CACHE_NO_INTERNAL | SSL_SESS_CACHE_NO_AUTO_CLEAR);
3083 SSL_CTX_sess_set_new_cb(exim_client_ctx->ctx, tls_save_session_cb);
3084 }
3085 }
3086
3087 static BOOL
3088 tls_client_ssl_resume_prehandshake(SSL * ssl, tls_support * tlsp,
3089 host_item * host, uschar ** errstr)
3090 {
3091 if (tlsp->host_resumable)
3092 {
3093 DEBUG(D_tls)
3094 debug_printf("tls_resumption_hosts overrides openssl_options, enabling tickets\n");
3095 SSL_clear_options(ssl, SSL_OP_NO_TICKET);
3096
3097 tls_exdata_idx = SSL_get_ex_new_index(0, 0, 0, 0, 0);
3098 if (!SSL_set_ex_data(ssl, tls_exdata_idx, client_static_cbinfo))
3099 {
3100 tls_error(US"set ex_data", host, NULL, errstr);
3101 return FALSE;
3102 }
3103 debug_printf("tls_exdata_idx %d cbinfo %p\n", tls_exdata_idx, client_static_cbinfo);
3104 }
3105
3106 tlsp->resumption = RESUME_SUPPORTED;
3107 /* Pick up a previous session, saved on an old ticket */
3108 tls_retrieve_session(tlsp, ssl, host->address);
3109 return TRUE;
3110 }
3111
3112 static void
3113 tls_client_resume_posthandshake(exim_openssl_client_tls_ctx * exim_client_ctx,
3114 tls_support * tlsp)
3115 {
3116 if (SSL_session_reused(exim_client_ctx->ssl))
3117 {
3118 DEBUG(D_tls) debug_printf("The session was reused\n");
3119 tlsp->resumption |= RESUME_USED;
3120 }
3121 }
3122 #endif /* EXPERIMENTAL_TLS_RESUME */
3123
3124
3125 /*************************************************
3126 * Start a TLS session in a client *
3127 *************************************************/
3128
3129 /* Called from the smtp transport after STARTTLS has been accepted.
3130
3131 Arguments:
3132 cctx connection context
3133 conn_args connection details
3134 cookie datum for randomness; can be NULL
3135 tlsp record details of TLS channel configuration here; must be non-NULL
3136 errstr error string pointer
3137
3138 Returns: TRUE for success with TLS session context set in connection context,
3139 FALSE on error
3140 */
3141
3142 BOOL
3143 tls_client_start(client_conn_ctx * cctx, smtp_connect_args * conn_args,
3144 void * cookie, tls_support * tlsp, uschar ** errstr)
3145 {
3146 host_item * host = conn_args->host; /* for msgs and option-tests */
3147 transport_instance * tb = conn_args->tblock; /* always smtp or NULL */
3148 smtp_transport_options_block * ob = tb
3149 ? (smtp_transport_options_block *)tb->options_block
3150 : &smtp_transport_option_defaults;
3151 exim_openssl_client_tls_ctx * exim_client_ctx;
3152 uschar * expciphers;
3153 int rc;
3154 static uschar peerdn[256];
3155
3156 #ifndef DISABLE_OCSP
3157 BOOL request_ocsp = FALSE;
3158 BOOL require_ocsp = FALSE;
3159 #endif
3160
3161 rc = store_pool;
3162 store_pool = POOL_PERM;
3163 exim_client_ctx = store_get(sizeof(exim_openssl_client_tls_ctx), FALSE);
3164 exim_client_ctx->corked = NULL;
3165 store_pool = rc;
3166
3167 #ifdef SUPPORT_DANE
3168 tlsp->tlsa_usage = 0;
3169 #endif
3170
3171 #ifndef DISABLE_OCSP
3172 {
3173 # ifdef SUPPORT_DANE
3174 if ( conn_args->dane
3175 && ob->hosts_request_ocsp[0] == '*'
3176 && ob->hosts_request_ocsp[1] == '\0'
3177 )
3178 {
3179 /* Unchanged from default. Use a safer one under DANE */
3180 request_ocsp = TRUE;
3181 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
3182 " {= {4}{$tls_out_tlsa_usage}} } "
3183 " {*}{}}";
3184 }
3185 # endif
3186
3187 if ((require_ocsp =
3188 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK))
3189 request_ocsp = TRUE;
3190 else
3191 # ifdef SUPPORT_DANE
3192 if (!request_ocsp)
3193 # endif
3194 request_ocsp =
3195 verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
3196 }
3197 #endif
3198
3199 rc = tls_init(&exim_client_ctx->ctx, host, NULL,
3200 ob->tls_certificate, ob->tls_privatekey,
3201 #ifndef DISABLE_OCSP
3202 (void *)(long)request_ocsp,
3203 #endif
3204 cookie, &client_static_cbinfo, tlsp, errstr);
3205 if (rc != OK) return FALSE;
3206
3207 tlsp->certificate_verified = FALSE;
3208 client_verify_callback_called = FALSE;
3209
3210 expciphers = NULL;
3211 #ifdef SUPPORT_DANE
3212 if (conn_args->dane)
3213 {
3214 /* We fall back to tls_require_ciphers if unset, empty or forced failure, but
3215 other failures should be treated as problems. */
3216 if (ob->dane_require_tls_ciphers &&
3217 !expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
3218 &expciphers, errstr))
3219 return FALSE;
3220 if (expciphers && *expciphers == '\0')
3221 expciphers = NULL;
3222 }
3223 #endif
3224 if (!expciphers &&
3225 !expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
3226 &expciphers, errstr))
3227 return FALSE;
3228
3229 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
3230 are separated by underscores. So that I can use either form in my tests, and
3231 also for general convenience, we turn underscores into hyphens here. */
3232
3233 if (expciphers)
3234 {
3235 uschar *s = expciphers;
3236 while (*s) { if (*s == '_') *s = '-'; s++; }
3237 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
3238 if (!SSL_CTX_set_cipher_list(exim_client_ctx->ctx, CS expciphers))
3239 {
3240 tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr);
3241 return FALSE;
3242 }
3243 }
3244
3245 #ifdef SUPPORT_DANE
3246 if (conn_args->dane)
3247 {
3248 SSL_CTX_set_verify(exim_client_ctx->ctx,
3249 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
3250 verify_callback_client_dane);
3251
3252 if (!DANESSL_library_init())
3253 {
3254 tls_error(US"library init", host, NULL, errstr);
3255 return FALSE;
3256 }
3257 if (DANESSL_CTX_init(exim_client_ctx->ctx) <= 0)
3258 {
3259 tls_error(US"context init", host, NULL, errstr);
3260 return FALSE;
3261 }
3262 }
3263 else
3264
3265 #endif
3266
3267 if (tls_client_basic_ctx_init(exim_client_ctx->ctx, host, ob,
3268 client_static_cbinfo, errstr) != OK)
3269 return FALSE;
3270
3271 #ifdef EXPERIMENTAL_TLS_RESUME
3272 tls_client_ctx_resume_prehandshake(exim_client_ctx, tlsp, ob, host);
3273 #endif
3274
3275
3276 if (!(exim_client_ctx->ssl = SSL_new(exim_client_ctx->ctx)))
3277 {
3278 tls_error(US"SSL_new", host, NULL, errstr);
3279 return FALSE;
3280 }
3281 SSL_set_session_id_context(exim_client_ctx->ssl, sid_ctx, Ustrlen(sid_ctx));
3282
3283 SSL_set_fd(exim_client_ctx->ssl, cctx->sock);
3284 SSL_set_connect_state(exim_client_ctx->ssl);
3285
3286 if (ob->tls_sni)
3287 {
3288 if (!expand_check(ob->tls_sni, US"tls_sni", &tlsp->sni, errstr))
3289 return FALSE;
3290 if (!tlsp->sni)
3291 {
3292 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
3293 }
3294 else if (!Ustrlen(tlsp->sni))
3295 tlsp->sni = NULL;
3296 else
3297 {
3298 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
3299 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tlsp->sni);
3300 SSL_set_tlsext_host_name(exim_client_ctx->ssl, tlsp->sni);
3301 #else
3302 log_write(0, LOG_MAIN, "SNI unusable with this OpenSSL library version; ignoring \"%s\"\n",
3303 tlsp->sni);
3304 #endif
3305 }
3306 }
3307
3308 #ifdef SUPPORT_DANE
3309 if (conn_args->dane)
3310 if (dane_tlsa_load(exim_client_ctx->ssl, host, &conn_args->tlsa_dnsa, errstr) != OK)
3311 return FALSE;
3312 #endif
3313
3314 #ifndef DISABLE_OCSP
3315 /* Request certificate status at connection-time. If the server
3316 does OCSP stapling we will get the callback (set in tls_init()) */
3317 # ifdef SUPPORT_DANE
3318 if (request_ocsp)
3319 {
3320 const uschar * s;
3321 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
3322 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
3323 )
3324 { /* Re-eval now $tls_out_tlsa_usage is populated. If
3325 this means we avoid the OCSP request, we wasted the setup
3326 cost in tls_init(). */
3327 require_ocsp = verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
3328 request_ocsp = require_ocsp
3329 || verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
3330 }
3331 }
3332 # endif
3333
3334 if (request_ocsp)
3335 {
3336 SSL_set_tlsext_status_type(exim_client_ctx->ssl, TLSEXT_STATUSTYPE_ocsp);
3337 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
3338 tlsp->ocsp = OCSP_NOT_RESP;
3339 }
3340 #endif
3341
3342 #ifdef EXPERIMENTAL_TLS_RESUME
3343 if (!tls_client_ssl_resume_prehandshake(exim_client_ctx->ssl, tlsp, host,
3344 errstr))
3345 return FALSE;
3346 #endif
3347
3348 #ifndef DISABLE_EVENT
3349 client_static_cbinfo->event_action = tb ? tb->event_action : NULL;
3350 #endif
3351
3352 /* There doesn't seem to be a built-in timeout on connection. */
3353
3354 DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
3355 sigalrm_seen = FALSE;
3356 ALARM(ob->command_timeout);
3357 rc = SSL_connect(exim_client_ctx->ssl);
3358 ALARM_CLR(0);
3359
3360 #ifdef SUPPORT_DANE
3361 if (conn_args->dane)
3362 DANESSL_cleanup(exim_client_ctx->ssl);
3363 #endif
3364
3365 if (rc <= 0)
3366 {
3367 tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL, errstr);
3368 return FALSE;
3369 }
3370
3371 DEBUG(D_tls)
3372 {
3373 debug_printf("SSL_connect succeeded\n");
3374 #ifdef EXIM_HAVE_OPENSSL_KEYLOG
3375 {
3376 BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
3377 SSL_SESSION_print_keylog(bp, SSL_get_session(exim_client_ctx->ssl));
3378 BIO_free(bp);
3379 }
3380 #endif
3381 }
3382
3383 #ifdef EXPERIMENTAL_TLS_RESUME
3384 tls_client_resume_posthandshake(exim_client_ctx, tlsp);
3385 #endif
3386
3387 peer_cert(exim_client_ctx->ssl, tlsp, peerdn, sizeof(peerdn));
3388
3389 tlsp->ver = tlsver_name(exim_client_ctx->ssl);
3390 tlsp->cipher = construct_cipher_name(exim_client_ctx->ssl, tlsp->ver, &tlsp->bits);
3391 tlsp->cipher_stdname = cipher_stdname_ssl(exim_client_ctx->ssl);
3392
3393 /* Record the certificate we presented */
3394 {
3395 X509 * crt = SSL_get_certificate(exim_client_ctx->ssl);
3396 tlsp->ourcert = crt ? X509_dup(crt) : NULL;
3397 }
3398
3399 /*XXX will this work with continued-TLS? */
3400 /* Channel-binding info for authenticators */
3401 {
3402 uschar c, * s;
3403 size_t len = SSL_get_finished(exim_client_ctx->ssl, &c, 0);
3404 int old_pool = store_pool;
3405
3406 SSL_get_finished(exim_client_ctx->ssl, s = store_get((int)len, TRUE), len);
3407 store_pool = POOL_PERM;
3408 tlsp->channelbinding = b64encode_taint(CUS s, (int)len, TRUE);
3409 store_pool = old_pool;
3410 DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage\n");
3411 }
3412
3413 tlsp->active.sock = cctx->sock;
3414 tlsp->active.tls_ctx = exim_client_ctx;
3415 cctx->tls_ctx = exim_client_ctx;
3416 return TRUE;
3417 }
3418
3419
3420
3421
3422
3423 static BOOL
3424 tls_refill(unsigned lim)
3425 {
3426 int error;
3427 int inbytes;
3428
3429 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
3430 ssl_xfer_buffer, ssl_xfer_buffer_size);
3431
3432 if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
3433 inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer,
3434 MIN(ssl_xfer_buffer_size, lim));
3435 error = SSL_get_error(server_ssl, inbytes);
3436 if (smtp_receive_timeout > 0) ALARM_CLR(0);
3437
3438 if (had_command_timeout) /* set by signal handler */
3439 smtp_command_timeout_exit(); /* does not return */
3440 if (had_command_sigterm)
3441 smtp_command_sigterm_exit();
3442 if (had_data_timeout)
3443 smtp_data_timeout_exit();
3444 if (had_data_sigint)
3445 smtp_data_sigint_exit();
3446
3447 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
3448 closed down, not that the socket itself has been closed down. Revert to
3449 non-SSL handling. */
3450
3451 switch(error)
3452 {
3453 case SSL_ERROR_NONE:
3454 break;
3455
3456 case SSL_ERROR_ZERO_RETURN:
3457 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
3458
3459 if (SSL_get_shutdown(server_ssl) == SSL_RECEIVED_SHUTDOWN)
3460 SSL_shutdown(server_ssl);
3461
3462 tls_close(NULL, TLS_NO_SHUTDOWN);
3463 return FALSE;
3464
3465 /* Handle genuine errors */
3466 case SSL_ERROR_SSL:
3467 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3468 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
3469 ssl_xfer_error = TRUE;
3470 return FALSE;
3471
3472 default:
3473 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
3474 DEBUG(D_tls) if (error == SSL_ERROR_SYSCALL)
3475 debug_printf(" - syscall %s\n", strerror(errno));
3476 ssl_xfer_error = TRUE;
3477 return FALSE;
3478 }
3479
3480 #ifndef DISABLE_DKIM
3481 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
3482 #endif
3483 ssl_xfer_buffer_hwm = inbytes;
3484 ssl_xfer_buffer_lwm = 0;
3485 return TRUE;
3486 }
3487
3488
3489 /*************************************************
3490 * TLS version of getc *
3491 *************************************************/
3492
3493 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
3494 it refills the buffer via the SSL reading function.
3495
3496 Arguments: lim Maximum amount to read/buffer
3497 Returns: the next character or EOF
3498
3499 Only used by the server-side TLS.
3500 */
3501
3502 int
3503 tls_getc(unsigned lim)
3504 {
3505 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
3506 if (!tls_refill(lim))
3507 return ssl_xfer_error ? EOF : smtp_getc(lim);
3508
3509 /* Something in the buffer; return next uschar */
3510
3511 return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
3512 }
3513
3514 uschar *
3515 tls_getbuf(unsigned * len)
3516 {
3517 unsigned size;
3518 uschar * buf;
3519
3520 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
3521 if (!tls_refill(*len))
3522 {
3523 if (!ssl_xfer_error) return smtp_getbuf(len);
3524 *len = 0;
3525 return NULL;
3526 }
3527
3528 if ((size = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm) > *len)
3529 size = *len;
3530 buf = &ssl_xfer_buffer[ssl_xfer_buffer_lwm];
3531 ssl_xfer_buffer_lwm += size;
3532 *len = size;
3533 return buf;
3534 }
3535
3536
3537 void
3538 tls_get_cache()
3539 {
3540 #ifndef DISABLE_DKIM
3541 int n = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm;
3542 if (n > 0)
3543 dkim_exim_verify_feed(ssl_xfer_buffer+ssl_xfer_buffer_lwm, n);
3544 #endif
3545 }
3546
3547
3548 BOOL
3549 tls_could_read(void)
3550 {
3551 return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm || SSL_pending(server_ssl) > 0;
3552 }
3553
3554
3555 /*************************************************
3556 * Read bytes from TLS channel *
3557 *************************************************/
3558
3559 /*
3560 Arguments:
3561 ct_ctx client context pointer, or NULL for the one global server context
3562 buff buffer of data
3563 len size of buffer
3564
3565 Returns: the number of bytes read
3566 -1 after a failed read, including EOF
3567
3568 Only used by the client-side TLS.
3569 */
3570
3571 int
3572 tls_read(void * ct_ctx, uschar *buff, size_t len)
3573 {
3574 SSL * ssl = ct_ctx ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
3575 int inbytes;
3576 int error;
3577
3578 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
3579 buff, (unsigned int)len);
3580
3581 inbytes = SSL_read(ssl, CS buff, len);
3582 error = SSL_get_error(ssl, inbytes);
3583
3584 if (error == SSL_ERROR_ZERO_RETURN)
3585 {
3586 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
3587 return -1;
3588 }
3589 else if (error != SSL_ERROR_NONE)
3590 return -1;
3591
3592 return inbytes;
3593 }
3594
3595
3596
3597
3598
3599 /*************************************************
3600 * Write bytes down TLS channel *
3601 *************************************************/
3602
3603 /*
3604 Arguments:
3605 ct_ctx client context pointer, or NULL for the one global server context
3606 buff buffer of data
3607 len number of bytes
3608 more further data expected soon
3609
3610 Returns: the number of bytes after a successful write,
3611 -1 after a failed write
3612
3613 Used by both server-side and client-side TLS. Calling with len zero and more unset
3614 will flush buffered writes; buff can be null for this case.
3615 */
3616
3617 int
3618 tls_write(void * ct_ctx, const uschar * buff, size_t len, BOOL more)
3619 {
3620 size_t olen = len;
3621 int outbytes, error;
3622 SSL * ssl = ct_ctx
3623 ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
3624 static gstring * server_corked = NULL;
3625 gstring ** corkedp = ct_ctx
3626 ? &((exim_openssl_client_tls_ctx *)ct_ctx)->corked : &server_corked;
3627 gstring * corked = *corkedp;
3628
3629 DEBUG(D_tls) debug_printf("%s(%p, %lu%s)\n", __FUNCTION__,
3630 buff, (unsigned long)len, more ? ", more" : "");
3631
3632 /* Lacking a CORK or MSG_MORE facility (such as GnuTLS has) we copy data when
3633 "more" is notified. This hack is only ok if small amounts are involved AND only
3634 one stream does it, in one context (i.e. no store reset). Currently it is used
3635 for the responses to the received SMTP MAIL , RCPT, DATA sequence, only.
3636 We support callouts done by the server process by using a separate client
3637 context for the stashed information. */
3638 /* + if PIPE_COMMAND, banner & ehlo-resp for smmtp-on-connect. Suspect there's
3639 a store reset there, so use POOL_PERM. */
3640 /* + if CHUNKING, cmds EHLO,MAIL,RCPT(s),BDAT */
3641
3642 if ((more || corked))
3643 {
3644 if (!len) buff = US &error; /* dummy just so that string_catn is ok */
3645
3646 #ifndef DISABLE_PIPE_CONNECT
3647 int save_pool = store_pool;
3648 store_pool = POOL_PERM;
3649 #endif
3650
3651 corked = string_catn(corked, buff, len);
3652
3653 #ifndef DISABLE_PIPE_CONNECT
3654 store_pool = save_pool;
3655 #endif
3656
3657 if (more)
3658 {
3659 *corkedp = corked;
3660 return len;
3661 }
3662 buff = CUS corked->s;
3663 len = corked->ptr;
3664 *corkedp = NULL;
3665 }
3666
3667 for (int left = len; left > 0;)
3668 {
3669 DEBUG(D_tls) debug_printf("SSL_write(%p, %p, %d)\n", ssl, buff, left);
3670 outbytes = SSL_write(ssl, CS buff, left);
3671 error = SSL_get_error(ssl, outbytes);
3672 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
3673 switch (error)
3674 {
3675 case SSL_ERROR_NONE: /* the usual case */
3676 left -= outbytes;
3677 buff += outbytes;
3678 break;
3679
3680 case SSL_ERROR_SSL:
3681 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3682 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
3683 return -1;
3684
3685 case SSL_ERROR_ZERO_RETURN:
3686 log_write(0, LOG_MAIN, "SSL channel closed on write");
3687 return -1;
3688
3689 case SSL_ERROR_SYSCALL:
3690 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
3691 sender_fullhost ? sender_fullhost : US"<unknown>",
3692 strerror(errno));
3693 return -1;
3694
3695 default:
3696 log_write(0, LOG_MAIN, "SSL_write error %d", error);
3697 return -1;
3698 }
3699 }
3700 return olen;
3701 }
3702
3703
3704
3705 /*************************************************
3706 * Close down a TLS session *
3707 *************************************************/
3708
3709 /* This is also called from within a delivery subprocess forked from the
3710 daemon, to shut down the TLS library, without actually doing a shutdown (which
3711 would tamper with the SSL session in the parent process).
3712
3713 Arguments:
3714 ct_ctx client TLS context pointer, or NULL for the one global server context
3715 shutdown 1 if TLS close-alert is to be sent,
3716 2 if also response to be waited for
3717
3718 Returns: nothing
3719
3720 Used by both server-side and client-side TLS.
3721 */
3722
3723 void
3724 tls_close(void * ct_ctx, int shutdown)
3725 {
3726 exim_openssl_client_tls_ctx * o_ctx = ct_ctx;
3727 SSL_CTX **ctxp = o_ctx ? &o_ctx->ctx : &server_ctx;
3728 SSL **sslp = o_ctx ? &o_ctx->ssl : &server_ssl;
3729 int *fdp = o_ctx ? &tls_out.active.sock : &tls_in.active.sock;
3730
3731 if (*fdp < 0) return; /* TLS was not active */
3732
3733 if (shutdown)
3734 {
3735 int rc;
3736 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
3737 shutdown > 1 ? " (with response-wait)" : "");
3738
3739 if ( (rc = SSL_shutdown(*sslp)) == 0 /* send "close notify" alert */
3740 && shutdown > 1)
3741 {
3742 ALARM(2);
3743 rc = SSL_shutdown(*sslp); /* wait for response */
3744 ALARM_CLR(0);
3745 }
3746
3747 if (rc < 0) DEBUG(D_tls)
3748 {
3749 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3750 debug_printf("SSL_shutdown: %s\n", ssl_errstring);
3751 }
3752 }
3753
3754 if (!o_ctx) /* server side */
3755 {
3756 #ifndef DISABLE_OCSP
3757 sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
3758 server_static_cbinfo->verify_stack = NULL;
3759 #endif
3760
3761 receive_getc = smtp_getc;
3762 receive_getbuf = smtp_getbuf;
3763 receive_get_cache = smtp_get_cache;
3764 receive_ungetc = smtp_ungetc;
3765 receive_feof = smtp_feof;
3766 receive_ferror = smtp_ferror;
3767 receive_smtp_buffered = smtp_buffered;
3768 tls_in.active.tls_ctx = NULL;
3769 tls_in.sni = NULL;
3770 /* Leave bits, peercert, cipher, peerdn, certificate_verified set, for logging */
3771 }
3772
3773 SSL_CTX_free(*ctxp);
3774 SSL_free(*sslp);
3775 *ctxp = NULL;
3776 *sslp = NULL;
3777 *fdp = -1;
3778 }
3779
3780
3781
3782
3783 /*************************************************
3784 * Let tls_require_ciphers be checked at startup *
3785 *************************************************/
3786
3787 /* The tls_require_ciphers option, if set, must be something which the
3788 library can parse.
3789
3790 Returns: NULL on success, or error message
3791 */
3792
3793 uschar *
3794 tls_validate_require_cipher(void)
3795 {
3796 SSL_CTX *ctx;
3797 uschar *s, *expciphers, *err;
3798
3799 tls_openssl_init();
3800
3801 if (!(tls_require_ciphers && *tls_require_ciphers))
3802 return NULL;
3803
3804 if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
3805 &err))
3806 return US"failed to expand tls_require_ciphers";
3807
3808 if (!(expciphers && *expciphers))
3809 return NULL;
3810
3811 /* normalisation ripped from above */
3812 s = expciphers;
3813 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
3814
3815 err = NULL;
3816
3817 #ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
3818 if (!(ctx = SSL_CTX_new(TLS_server_method())))
3819 #else
3820 if (!(ctx = SSL_CTX_new(SSLv23_server_method())))
3821 #endif
3822 {
3823 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3824 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
3825 }
3826
3827 DEBUG(D_tls)
3828 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
3829
3830 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
3831 {
3832 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3833 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed: %s",
3834 expciphers, ssl_errstring);
3835 }
3836
3837 SSL_CTX_free(ctx);
3838
3839 return err;
3840 }
3841
3842
3843
3844
3845 /*************************************************
3846 * Report the library versions. *
3847 *************************************************/
3848
3849 /* There have historically been some issues with binary compatibility in
3850 OpenSSL libraries; if Exim (like many other applications) is built against
3851 one version of OpenSSL but the run-time linker picks up another version,
3852 it can result in serious failures, including crashing with a SIGSEGV. So
3853 report the version found by the compiler and the run-time version.
3854
3855 Note: some OS vendors backport security fixes without changing the version
3856 number/string, and the version date remains unchanged. The _build_ date
3857 will change, so we can more usefully assist with version diagnosis by also
3858 reporting the build date.
3859
3860 Arguments: a FILE* to print the results to
3861 Returns: nothing
3862 */
3863
3864 void
3865 tls_version_report(FILE *f)
3866 {
3867 fprintf(f, "Library version: OpenSSL: Compile: %s\n"
3868 " Runtime: %s\n"
3869 " : %s\n",
3870 OPENSSL_VERSION_TEXT,
3871 SSLeay_version(SSLEAY_VERSION),
3872 SSLeay_version(SSLEAY_BUILT_ON));
3873 /* third line is 38 characters for the %s and the line is 73 chars long;
3874 the OpenSSL output includes a "built on: " prefix already. */
3875 }
3876
3877
3878
3879
3880 /*************************************************
3881 * Random number generation *
3882 *************************************************/
3883
3884 /* Pseudo-random number generation. The result is not expected to be
3885 cryptographically strong but not so weak that someone will shoot themselves
3886 in the foot using it as a nonce in input in some email header scheme or
3887 whatever weirdness they'll twist this into. The result should handle fork()
3888 and avoid repeating sequences. OpenSSL handles that for us.
3889
3890 Arguments:
3891 max range maximum
3892 Returns a random number in range [0, max-1]
3893 */
3894
3895 int
3896 vaguely_random_number(int max)
3897 {
3898 unsigned int r;
3899 int i, needed_len;
3900 static pid_t pidlast = 0;
3901 pid_t pidnow;
3902 uschar smallbuf[sizeof(r)];
3903
3904 if (max <= 1)
3905 return 0;
3906
3907 pidnow = getpid();
3908 if (pidnow != pidlast)
3909 {
3910 /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
3911 is unique for each thread", this doesn't apparently apply across processes,
3912 so our own warning from vaguely_random_number_fallback() applies here too.
3913 Fix per PostgreSQL. */
3914 if (pidlast != 0)
3915 RAND_cleanup();
3916 pidlast = pidnow;
3917 }
3918
3919 /* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
3920 if (!RAND_status())
3921 {
3922 randstuff r;
3923 gettimeofday(&r.tv, NULL);
3924 r.p = getpid();
3925
3926 RAND_seed(US (&r), sizeof(r));
3927 }
3928 /* We're after pseudo-random, not random; if we still don't have enough data
3929 in the internal PRNG then our options are limited. We could sleep and hope
3930 for entropy to come along (prayer technique) but if the system is so depleted
3931 in the first place then something is likely to just keep taking it. Instead,
3932 we'll just take whatever little bit of pseudo-random we can still manage to
3933 get. */
3934
3935 needed_len = sizeof(r);
3936 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
3937 asked for a number less than 10. */
3938 for (r = max, i = 0; r; ++i)
3939 r >>= 1;
3940 i = (i + 7) / 8;
3941 if (i < needed_len)
3942 needed_len = i;
3943
3944 #ifdef EXIM_HAVE_RAND_PSEUDO
3945 /* We do not care if crypto-strong */
3946 i = RAND_pseudo_bytes(smallbuf, needed_len);
3947 #else
3948 i = RAND_bytes(smallbuf, needed_len);
3949 #endif
3950
3951 if (i < 0)
3952 {
3953 DEBUG(D_all)
3954 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
3955 return vaguely_random_number_fallback(max);
3956 }
3957
3958 r = 0;
3959 for (uschar * p = smallbuf; needed_len; --needed_len, ++p)
3960 r = 256 * r + *p;
3961
3962 /* We don't particularly care about weighted results; if someone wants
3963 smooth distribution and cares enough then they should submit a patch then. */
3964 return r % max;
3965 }
3966
3967
3968
3969
3970 /*************************************************
3971 * OpenSSL option parse *
3972 *************************************************/
3973
3974 /* Parse one option for tls_openssl_options_parse below
3975
3976 Arguments:
3977 name one option name
3978 value place to store a value for it
3979 Returns success or failure in parsing
3980 */
3981
3982
3983
3984 static BOOL
3985 tls_openssl_one_option_parse(uschar *name, long *value)
3986 {
3987 int first = 0;
3988 int last = exim_openssl_options_size;
3989 while (last > first)
3990 {
3991 int middle = (first + last)/2;
3992 int c = Ustrcmp(name, exim_openssl_options[middle].name);
3993 if (c == 0)
3994 {
3995 *value = exim_openssl_options[middle].value;
3996 return TRUE;
3997 }
3998 else if (c > 0)
3999 first = middle + 1;
4000 else
4001 last = middle;
4002 }
4003 return FALSE;
4004 }
4005
4006
4007
4008
4009 /*************************************************
4010 * OpenSSL option parsing logic *
4011 *************************************************/
4012
4013 /* OpenSSL has a number of compatibility options which an administrator might
4014 reasonably wish to set. Interpret a list similarly to decode_bits(), so that
4015 we look like log_selector.
4016
4017 Arguments:
4018 option_spec the administrator-supplied string of options
4019 results ptr to long storage for the options bitmap
4020 Returns success or failure
4021 */