two more header order changes
[exim.git] / src / src / tls-openssl.c
1 /* $Cambridge: exim/src/src/tls-openssl.c,v 1.22 2009/11/16 19:50:37 nm4 Exp $ */
2
3 /*************************************************
4 * Exim - an Internet mail transport agent *
5 *************************************************/
6
7 /* Copyright (c) University of Cambridge 1995 - 2009 */
8 /* See the file NOTICE for conditions of use and distribution. */
9
10 /* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11 library. It is #included into the tls.c file when that library is used. The
12 code herein is based on a patch that was originally contributed by Steve
13 Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
14
15 No cryptographic code is included in Exim. All this module does is to call
16 functions from the OpenSSL library. */
17
18
19 /* Heading stuff */
20
21 #include <openssl/lhash.h>
22 #include <openssl/ssl.h>
23 #include <openssl/err.h>
24 #include <openssl/rand.h>
25
26 /* Structure for collecting random data for seeding. */
27
28 typedef struct randstuff {
29 struct timeval tv;
30 pid_t p;
31 } randstuff;
32
33 /* Local static variables */
34
35 static BOOL verify_callback_called = FALSE;
36 static const uschar *sid_ctx = US"exim";
37
38 static SSL_CTX *ctx = NULL;
39 static SSL *ssl = NULL;
40
41 static char ssl_errstring[256];
42
43 static int ssl_session_timeout = 200;
44 static BOOL verify_optional = FALSE;
45
46
47
48
49
50 /*************************************************
51 * Handle TLS error *
52 *************************************************/
53
54 /* Called from lots of places when errors occur before actually starting to do
55 the TLS handshake, that is, while the session is still in clear. Always returns
56 DEFER for a server and FAIL for a client so that most calls can use "return
57 tls_error(...)" to do this processing and then give an appropriate return. A
58 single function is used for both server and client, because it is called from
59 some shared functions.
60
61 Argument:
62 prefix text to include in the logged error
63 host NULL if setting up a server;
64 the connected host if setting up a client
65 msg error message or NULL if we should ask OpenSSL
66
67 Returns: OK/DEFER/FAIL
68 */
69
70 static int
71 tls_error(uschar *prefix, host_item *host, uschar *msg)
72 {
73 if (msg == NULL)
74 {
75 ERR_error_string(ERR_get_error(), ssl_errstring);
76 msg = (uschar *)ssl_errstring;
77 }
78
79 if (host == NULL)
80 {
81 uschar *conn_info = smtp_get_connection_info();
82 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0)
83 conn_info += 5;
84 log_write(0, LOG_MAIN, "TLS error on %s (%s): %s",
85 conn_info, prefix, msg);
86 return DEFER;
87 }
88 else
89 {
90 log_write(0, LOG_MAIN, "TLS error on connection to %s [%s] (%s): %s",
91 host->name, host->address, prefix, msg);
92 return FAIL;
93 }
94 }
95
96
97
98 /*************************************************
99 * Callback to generate RSA key *
100 *************************************************/
101
102 /*
103 Arguments:
104 s SSL connection
105 export not used
106 keylength keylength
107
108 Returns: pointer to generated key
109 */
110
111 static RSA *
112 rsa_callback(SSL *s, int export, int keylength)
113 {
114 RSA *rsa_key;
115 export = export; /* Shut picky compilers up */
116 DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
117 rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL);
118 if (rsa_key == NULL)
119 {
120 ERR_error_string(ERR_get_error(), ssl_errstring);
121 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
122 ssl_errstring);
123 return NULL;
124 }
125 return rsa_key;
126 }
127
128
129
130
131 /*************************************************
132 * Callback for verification *
133 *************************************************/
134
135 /* The SSL library does certificate verification if set up to do so. This
136 callback has the current yes/no state is in "state". If verification succeeded,
137 we set up the tls_peerdn string. If verification failed, what happens depends
138 on whether the client is required to present a verifiable certificate or not.
139
140 If verification is optional, we change the state to yes, but still log the
141 verification error. For some reason (it really would help to have proper
142 documentation of OpenSSL), this callback function then gets called again, this
143 time with state = 1. In fact, that's useful, because we can set up the peerdn
144 value, but we must take care not to set the private verified flag on the second
145 time through.
146
147 Note: this function is not called if the client fails to present a certificate
148 when asked. We get here only if a certificate has been received. Handling of
149 optional verification for this case is done when requesting SSL to verify, by
150 setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
151
152 Arguments:
153 state current yes/no state as 1/0
154 x509ctx certificate information.
155
156 Returns: 1 if verified, 0 if not
157 */
158
159 static int
160 verify_callback(int state, X509_STORE_CTX *x509ctx)
161 {
162 static uschar txt[256];
163
164 X509_NAME_oneline(X509_get_subject_name(x509ctx->current_cert),
165 CS txt, sizeof(txt));
166
167 if (state == 0)
168 {
169 log_write(0, LOG_MAIN, "SSL verify error: depth=%d error=%s cert=%s",
170 x509ctx->error_depth,
171 X509_verify_cert_error_string(x509ctx->error),
172 txt);
173 tls_certificate_verified = FALSE;
174 verify_callback_called = TRUE;
175 if (!verify_optional) return 0; /* reject */
176 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
177 "tls_try_verify_hosts)\n");
178 return 1; /* accept */
179 }
180
181 if (x509ctx->error_depth != 0)
182 {
183 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d cert=%s\n",
184 x509ctx->error_depth, txt);
185 }
186 else
187 {
188 DEBUG(D_tls) debug_printf("SSL%s peer: %s\n",
189 verify_callback_called? "" : " authenticated", txt);
190 tls_peerdn = txt;
191 }
192
193 if (!verify_callback_called) tls_certificate_verified = TRUE;
194 verify_callback_called = TRUE;
195
196 return 1; /* accept */
197 }
198
199
200
201 /*************************************************
202 * Information callback *
203 *************************************************/
204
205 /* The SSL library functions call this from time to time to indicate what they
206 are doing. We copy the string to the debugging output when the level is high
207 enough.
208
209 Arguments:
210 s the SSL connection
211 where
212 ret
213
214 Returns: nothing
215 */
216
217 static void
218 info_callback(SSL *s, int where, int ret)
219 {
220 where = where;
221 ret = ret;
222 DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
223 }
224
225
226
227 /*************************************************
228 * Initialize for DH *
229 *************************************************/
230
231 /* If dhparam is set, expand it, and load up the parameters for DH encryption.
232
233 Arguments:
234 dhparam DH parameter file
235 host connected host, if client; NULL if server
236
237 Returns: TRUE if OK (nothing to set up, or setup worked)
238 */
239
240 static BOOL
241 init_dh(uschar *dhparam, host_item *host)
242 {
243 BOOL yield = TRUE;
244 BIO *bio;
245 DH *dh;
246 uschar *dhexpanded;
247
248 if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded))
249 return FALSE;
250
251 if (dhexpanded == NULL) return TRUE;
252
253 if ((bio = BIO_new_file(CS dhexpanded, "r")) == NULL)
254 {
255 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
256 host, (uschar *)strerror(errno));
257 yield = FALSE;
258 }
259 else
260 {
261 if ((dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)) == NULL)
262 {
263 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
264 host, NULL);
265 yield = FALSE;
266 }
267 else
268 {
269 SSL_CTX_set_tmp_dh(ctx, dh);
270 DEBUG(D_tls)
271 debug_printf("Diffie-Hellman initialized from %s with %d-bit key\n",
272 dhexpanded, 8*DH_size(dh));
273 DH_free(dh);
274 }
275 BIO_free(bio);
276 }
277
278 return yield;
279 }
280
281
282
283
284 /*************************************************
285 * Initialize for TLS *
286 *************************************************/
287
288 /* Called from both server and client code, to do preliminary initialization of
289 the library.
290
291 Arguments:
292 host connected host, if client; NULL if server
293 dhparam DH parameter file
294 certificate certificate file
295 privatekey private key
296 addr address if client; NULL if server (for some randomness)
297
298 Returns: OK/DEFER/FAIL
299 */
300
301 static int
302 tls_init(host_item *host, uschar *dhparam, uschar *certificate,
303 uschar *privatekey, address_item *addr)
304 {
305 SSL_load_error_strings(); /* basic set up */
306 OpenSSL_add_ssl_algorithms();
307
308 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
309 /* SHA256 is becoming ever moar popular. This makes sure it gets added to the
310 list of available digests. */
311 EVP_add_digest(EVP_sha256());
312 #endif
313
314 /* Create a context */
315
316 ctx = SSL_CTX_new((host == NULL)?
317 SSLv23_server_method() : SSLv23_client_method());
318
319 if (ctx == NULL) return tls_error(US"SSL_CTX_new", host, NULL);
320
321 /* It turns out that we need to seed the random number generator this early in
322 order to get the full complement of ciphers to work. It took me roughly a day
323 of work to discover this by experiment.
324
325 On systems that have /dev/urandom, SSL may automatically seed itself from
326 there. Otherwise, we have to make something up as best we can. Double check
327 afterwards. */
328
329 if (!RAND_status())
330 {
331 randstuff r;
332 gettimeofday(&r.tv, NULL);
333 r.p = getpid();
334
335 RAND_seed((uschar *)(&r), sizeof(r));
336 RAND_seed((uschar *)big_buffer, big_buffer_size);
337 if (addr != NULL) RAND_seed((uschar *)addr, sizeof(addr));
338
339 if (!RAND_status())
340 return tls_error(US"RAND_status", host,
341 US"unable to seed random number generator");
342 }
343
344 /* Set up the information callback, which outputs if debugging is at a suitable
345 level. */
346
347 SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
348
349 /* The following patch was supplied by Robert Roselius */
350
351 #if OPENSSL_VERSION_NUMBER > 0x00906040L
352 /* Enable client-bug workaround.
353 Versions of OpenSSL as of 0.9.6d include a "CBC countermeasure" feature,
354 which causes problems with some clients (such as the Certicom SSL Plus
355 library used by Eudora). This option, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS,
356 disables the coutermeasure allowing Eudora to connect.
357 Some poppers and MTAs use SSL_OP_ALL, which enables all such bug
358 workarounds. */
359 /* XXX (Silently?) ignore failure here? XXX*/
360
361 if (!(SSL_CTX_set_options(ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)))
362 return tls_error(US"SSL_CTX_set_option", host, NULL);
363 #endif
364
365 /* Initialize with DH parameters if supplied */
366
367 if (!init_dh(dhparam, host)) return DEFER;
368
369 /* Set up certificate and key */
370
371 if (certificate != NULL)
372 {
373 uschar *expanded;
374 if (!expand_check(certificate, US"tls_certificate", &expanded))
375 return DEFER;
376
377 if (expanded != NULL)
378 {
379 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded);
380 if (!SSL_CTX_use_certificate_chain_file(ctx, CS expanded))
381 return tls_error(string_sprintf(
382 "SSL_CTX_use_certificate_chain_file file=%s", expanded), host, NULL);
383 }
384
385 if (privatekey != NULL &&
386 !expand_check(privatekey, US"tls_privatekey", &expanded))
387 return DEFER;
388
389 /* If expansion was forced to fail, key_expanded will be NULL. If the result
390 of the expansion is an empty string, ignore it also, and assume the private
391 key is in the same file as the certificate. */
392
393 if (expanded != NULL && *expanded != 0)
394 {
395 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
396 if (!SSL_CTX_use_PrivateKey_file(ctx, CS expanded, SSL_FILETYPE_PEM))
397 return tls_error(string_sprintf(
398 "SSL_CTX_use_PrivateKey_file file=%s", expanded), host, NULL);
399 }
400 }
401
402 /* Set up the RSA callback */
403
404 SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
405
406 /* Finally, set the timeout, and we are done */
407
408 SSL_CTX_set_timeout(ctx, ssl_session_timeout);
409 DEBUG(D_tls) debug_printf("Initialized TLS\n");
410 return OK;
411 }
412
413
414
415
416 /*************************************************
417 * Get name of cipher in use *
418 *************************************************/
419
420 /* The answer is left in a static buffer, and tls_cipher is set to point
421 to it.
422
423 Argument: pointer to an SSL structure for the connection
424 Returns: nothing
425 */
426
427 static void
428 construct_cipher_name(SSL *ssl)
429 {
430 static uschar cipherbuf[256];
431 SSL_CIPHER *c;
432 uschar *ver;
433 int bits;
434
435 switch (ssl->session->ssl_version)
436 {
437 case SSL2_VERSION:
438 ver = US"SSLv2";
439 break;
440
441 case SSL3_VERSION:
442 ver = US"SSLv3";
443 break;
444
445 case TLS1_VERSION:
446 ver = US"TLSv1";
447 break;
448
449 default:
450 ver = US"UNKNOWN";
451 }
452
453 c = SSL_get_current_cipher(ssl);
454 SSL_CIPHER_get_bits(c, &bits);
455
456 string_format(cipherbuf, sizeof(cipherbuf), "%s:%s:%u", ver,
457 SSL_CIPHER_get_name(c), bits);
458 tls_cipher = cipherbuf;
459
460 DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
461 }
462
463
464
465
466
467 /*************************************************
468 * Set up for verifying certificates *
469 *************************************************/
470
471 /* Called by both client and server startup
472
473 Arguments:
474 certs certs file or NULL
475 crl CRL file or NULL
476 host NULL in a server; the remote host in a client
477 optional TRUE if called from a server for a host in tls_try_verify_hosts;
478 otherwise passed as FALSE
479
480 Returns: OK/DEFER/FAIL
481 */
482
483 static int
484 setup_certs(uschar *certs, uschar *crl, host_item *host, BOOL optional)
485 {
486 uschar *expcerts, *expcrl;
487
488 if (!expand_check(certs, US"tls_verify_certificates", &expcerts))
489 return DEFER;
490
491 if (expcerts != NULL)
492 {
493 struct stat statbuf;
494 if (!SSL_CTX_set_default_verify_paths(ctx))
495 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
496
497 if (Ustat(expcerts, &statbuf) < 0)
498 {
499 log_write(0, LOG_MAIN|LOG_PANIC,
500 "failed to stat %s for certificates", expcerts);
501 return DEFER;
502 }
503 else
504 {
505 uschar *file, *dir;
506 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
507 { file = NULL; dir = expcerts; }
508 else
509 { file = expcerts; dir = NULL; }
510
511 /* If a certificate file is empty, the next function fails with an
512 unhelpful error message. If we skip it, we get the correct behaviour (no
513 certificates are recognized, but the error message is still misleading (it
514 says no certificate was supplied.) But this is better. */
515
516 if ((file == NULL || statbuf.st_size > 0) &&
517 !SSL_CTX_load_verify_locations(ctx, CS file, CS dir))
518 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL);
519
520 if (file != NULL)
521 {
522 SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CS file));
523 }
524 }
525
526 /* Handle a certificate revocation list. */
527
528 #if OPENSSL_VERSION_NUMBER > 0x00907000L
529
530 /* This bit of code is now the version supplied by Lars Mainka. (I have
531 * merely reformatted it into the Exim code style.)
532
533 * "From here I changed the code to add support for multiple crl's
534 * in pem format in one file or to support hashed directory entries in
535 * pem format instead of a file. This method now uses the library function
536 * X509_STORE_load_locations to add the CRL location to the SSL context.
537 * OpenSSL will then handle the verify against CA certs and CRLs by
538 * itself in the verify callback." */
539
540 if (!expand_check(crl, US"tls_crl", &expcrl)) return DEFER;
541 if (expcrl != NULL && *expcrl != 0)
542 {
543 struct stat statbufcrl;
544 if (Ustat(expcrl, &statbufcrl) < 0)
545 {
546 log_write(0, LOG_MAIN|LOG_PANIC,
547 "failed to stat %s for certificates revocation lists", expcrl);
548 return DEFER;
549 }
550 else
551 {
552 /* is it a file or directory? */
553 uschar *file, *dir;
554 X509_STORE *cvstore = SSL_CTX_get_cert_store(ctx);
555 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
556 {
557 file = NULL;
558 dir = expcrl;
559 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
560 }
561 else
562 {
563 file = expcrl;
564 dir = NULL;
565 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
566 }
567 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
568 return tls_error(US"X509_STORE_load_locations", host, NULL);
569
570 /* setting the flags to check against the complete crl chain */
571
572 X509_STORE_set_flags(cvstore,
573 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
574 }
575 }
576
577 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
578
579 /* If verification is optional, don't fail if no certificate */
580
581 SSL_CTX_set_verify(ctx,
582 SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
583 verify_callback);
584 }
585
586 return OK;
587 }
588
589
590
591 /*************************************************
592 * Start a TLS session in a server *
593 *************************************************/
594
595 /* This is called when Exim is running as a server, after having received
596 the STARTTLS command. It must respond to that command, and then negotiate
597 a TLS session.
598
599 Arguments:
600 require_ciphers allowed ciphers
601 ------------------------------------------------------
602 require_mac list of allowed MACs ) Not used
603 require_kx list of allowed key_exchange methods ) for
604 require_proto list of allowed protocols ) OpenSSL
605 ------------------------------------------------------
606
607 Returns: OK on success
608 DEFER for errors before the start of the negotiation
609 FAIL for errors during the negotation; the server can't
610 continue running.
611 */
612
613 int
614 tls_server_start(uschar *require_ciphers, uschar *require_mac,
615 uschar *require_kx, uschar *require_proto)
616 {
617 int rc;
618 uschar *expciphers;
619
620 /* Check for previous activation */
621
622 if (tls_active >= 0)
623 {
624 tls_error(US"STARTTLS received after TLS started", NULL, US"");
625 smtp_printf("554 Already in TLS\r\n");
626 return FAIL;
627 }
628
629 /* Initialize the SSL library. If it fails, it will already have logged
630 the error. */
631
632 rc = tls_init(NULL, tls_dhparam, tls_certificate, tls_privatekey, NULL);
633 if (rc != OK) return rc;
634
635 if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
636 return FAIL;
637
638 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
639 are separated by underscores. So that I can use either form in my tests, and
640 also for general convenience, we turn underscores into hyphens here. */
641
642 if (expciphers != NULL)
643 {
644 uschar *s = expciphers;
645 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
646 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
647 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
648 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL);
649 }
650
651 /* If this is a host for which certificate verification is mandatory or
652 optional, set up appropriately. */
653
654 tls_certificate_verified = FALSE;
655 verify_callback_called = FALSE;
656
657 if (verify_check_host(&tls_verify_hosts) == OK)
658 {
659 rc = setup_certs(tls_verify_certificates, tls_crl, NULL, FALSE);
660 if (rc != OK) return rc;
661 verify_optional = FALSE;
662 }
663 else if (verify_check_host(&tls_try_verify_hosts) == OK)
664 {
665 rc = setup_certs(tls_verify_certificates, tls_crl, NULL, TRUE);
666 if (rc != OK) return rc;
667 verify_optional = TRUE;
668 }
669
670 /* Prepare for new connection */
671
672 if ((ssl = SSL_new(ctx)) == NULL) return tls_error(US"SSL_new", NULL, NULL);
673 SSL_clear(ssl);
674
675 /* Set context and tell client to go ahead, except in the case of TLS startup
676 on connection, where outputting anything now upsets the clients and tends to
677 make them disconnect. We need to have an explicit fflush() here, to force out
678 the response. Other smtp_printf() calls do not need it, because in non-TLS
679 mode, the fflush() happens when smtp_getc() is called. */
680
681 SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
682 if (!tls_on_connect)
683 {
684 smtp_printf("220 TLS go ahead\r\n");
685 fflush(smtp_out);
686 }
687
688 /* Now negotiate the TLS session. We put our own timer on it, since it seems
689 that the OpenSSL library doesn't. */
690
691 SSL_set_wfd(ssl, fileno(smtp_out));
692 SSL_set_rfd(ssl, fileno(smtp_in));
693 SSL_set_accept_state(ssl);
694
695 DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
696
697 sigalrm_seen = FALSE;
698 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
699 rc = SSL_accept(ssl);
700 alarm(0);
701
702 if (rc <= 0)
703 {
704 tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL);
705 return FAIL;
706 }
707
708 DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
709
710 /* TLS has been set up. Adjust the input functions to read via TLS,
711 and initialize things. */
712
713 construct_cipher_name(ssl);
714
715 DEBUG(D_tls)
716 {
717 uschar buf[2048];
718 if (SSL_get_shared_ciphers(ssl, CS buf, sizeof(buf)) != NULL)
719 debug_printf("Shared ciphers: %s\n", buf);
720 }
721
722
723 ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
724 ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
725 ssl_xfer_eof = ssl_xfer_error = 0;
726
727 receive_getc = tls_getc;
728 receive_ungetc = tls_ungetc;
729 receive_feof = tls_feof;
730 receive_ferror = tls_ferror;
731 receive_smtp_buffered = tls_smtp_buffered;
732
733 tls_active = fileno(smtp_out);
734 return OK;
735 }
736
737
738
739
740
741 /*************************************************
742 * Start a TLS session in a client *
743 *************************************************/
744
745 /* Called from the smtp transport after STARTTLS has been accepted.
746
747 Argument:
748 fd the fd of the connection
749 host connected host (for messages)
750 addr the first address
751 dhparam DH parameter file
752 certificate certificate file
753 privatekey private key file
754 verify_certs file for certificate verify
755 crl file containing CRL
756 require_ciphers list of allowed ciphers
757 ------------------------------------------------------
758 require_mac list of allowed MACs ) Not used
759 require_kx list of allowed key_exchange methods ) for
760 require_proto list of allowed protocols ) OpenSSL
761 ------------------------------------------------------
762 timeout startup timeout
763
764 Returns: OK on success
765 FAIL otherwise - note that tls_error() will not give DEFER
766 because this is not a server
767 */
768
769 int
770 tls_client_start(int fd, host_item *host, address_item *addr, uschar *dhparam,
771 uschar *certificate, uschar *privatekey, uschar *verify_certs, uschar *crl,
772 uschar *require_ciphers, uschar *require_mac, uschar *require_kx,
773 uschar *require_proto, int timeout)
774 {
775 static uschar txt[256];
776 uschar *expciphers;
777 X509* server_cert;
778 int rc;
779
780 rc = tls_init(host, dhparam, certificate, privatekey, addr);
781 if (rc != OK) return rc;
782
783 tls_certificate_verified = FALSE;
784 verify_callback_called = FALSE;
785
786 if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
787 return FAIL;
788
789 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
790 are separated by underscores. So that I can use either form in my tests, and
791 also for general convenience, we turn underscores into hyphens here. */
792
793 if (expciphers != NULL)
794 {
795 uschar *s = expciphers;
796 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
797 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
798 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
799 return tls_error(US"SSL_CTX_set_cipher_list", host, NULL);
800 }
801
802 rc = setup_certs(verify_certs, crl, host, FALSE);
803 if (rc != OK) return rc;
804
805 if ((ssl = SSL_new(ctx)) == NULL) return tls_error(US"SSL_new", host, NULL);
806 SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
807 SSL_set_fd(ssl, fd);
808 SSL_set_connect_state(ssl);
809
810 /* There doesn't seem to be a built-in timeout on connection. */
811
812 DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
813 sigalrm_seen = FALSE;
814 alarm(timeout);
815 rc = SSL_connect(ssl);
816 alarm(0);
817
818 if (rc <= 0)
819 return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL);
820
821 DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
822
823 server_cert = SSL_get_peer_certificate (ssl);
824 tls_peerdn = US X509_NAME_oneline(X509_get_subject_name(server_cert),
825 CS txt, sizeof(txt));
826 tls_peerdn = txt;
827
828 construct_cipher_name(ssl); /* Sets tls_cipher */
829
830 tls_active = fd;
831 return OK;
832 }
833
834
835
836
837
838 /*************************************************
839 * TLS version of getc *
840 *************************************************/
841
842 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
843 it refills the buffer via the SSL reading function.
844
845 Arguments: none
846 Returns: the next character or EOF
847 */
848
849 int
850 tls_getc(void)
851 {
852 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
853 {
854 int error;
855 int inbytes;
856
857 DEBUG(D_tls) debug_printf("Calling SSL_read(%lx, %lx, %u)\n", (long)ssl,
858 (long)ssl_xfer_buffer, ssl_xfer_buffer_size);
859
860 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
861 inbytes = SSL_read(ssl, CS ssl_xfer_buffer, ssl_xfer_buffer_size);
862 error = SSL_get_error(ssl, inbytes);
863 alarm(0);
864
865 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
866 closed down, not that the socket itself has been closed down. Revert to
867 non-SSL handling. */
868
869 if (error == SSL_ERROR_ZERO_RETURN)
870 {
871 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
872
873 receive_getc = smtp_getc;
874 receive_ungetc = smtp_ungetc;
875 receive_feof = smtp_feof;
876 receive_ferror = smtp_ferror;
877 receive_smtp_buffered = smtp_buffered;
878
879 SSL_free(ssl);
880 ssl = NULL;
881 tls_active = -1;
882 tls_cipher = NULL;
883 tls_peerdn = NULL;
884
885 return smtp_getc();
886 }
887
888 /* Handle genuine errors */
889
890 else if (error != SSL_ERROR_NONE)
891 {
892 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
893 ssl_xfer_error = 1;
894 return EOF;
895 }
896 #ifndef DISABLE_DKIM
897 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
898 #endif
899 ssl_xfer_buffer_hwm = inbytes;
900 ssl_xfer_buffer_lwm = 0;
901 }
902
903 /* Something in the buffer; return next uschar */
904
905 return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
906 }
907
908
909
910 /*************************************************
911 * Read bytes from TLS channel *
912 *************************************************/
913
914 /*
915 Arguments:
916 buff buffer of data
917 len size of buffer
918
919 Returns: the number of bytes read
920 -1 after a failed read
921 */
922
923 int
924 tls_read(uschar *buff, size_t len)
925 {
926 int inbytes;
927 int error;
928
929 DEBUG(D_tls) debug_printf("Calling SSL_read(%lx, %lx, %u)\n", (long)ssl,
930 (long)buff, (unsigned int)len);
931
932 inbytes = SSL_read(ssl, CS buff, len);
933 error = SSL_get_error(ssl, inbytes);
934
935 if (error == SSL_ERROR_ZERO_RETURN)
936 {
937 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
938 return -1;
939 }
940 else if (error != SSL_ERROR_NONE)
941 {
942 return -1;
943 }
944
945 return inbytes;
946 }
947
948
949
950
951
952 /*************************************************
953 * Write bytes down TLS channel *
954 *************************************************/
955
956 /*
957 Arguments:
958 buff buffer of data
959 len number of bytes
960
961 Returns: the number of bytes after a successful write,
962 -1 after a failed write
963 */
964
965 int
966 tls_write(const uschar *buff, size_t len)
967 {
968 int outbytes;
969 int error;
970 int left = len;
971
972 DEBUG(D_tls) debug_printf("tls_do_write(%lx, %d)\n", (long)buff, left);
973 while (left > 0)
974 {
975 DEBUG(D_tls) debug_printf("SSL_write(SSL, %lx, %d)\n", (long)buff, left);
976 outbytes = SSL_write(ssl, CS buff, left);
977 error = SSL_get_error(ssl, outbytes);
978 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
979 switch (error)
980 {
981 case SSL_ERROR_SSL:
982 ERR_error_string(ERR_get_error(), ssl_errstring);
983 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
984 return -1;
985
986 case SSL_ERROR_NONE:
987 left -= outbytes;
988 buff += outbytes;
989 break;
990
991 case SSL_ERROR_ZERO_RETURN:
992 log_write(0, LOG_MAIN, "SSL channel closed on write");
993 return -1;
994
995 default:
996 log_write(0, LOG_MAIN, "SSL_write error %d", error);
997 return -1;
998 }
999 }
1000 return len;
1001 }
1002
1003
1004
1005 /*************************************************
1006 * Close down a TLS session *
1007 *************************************************/
1008
1009 /* This is also called from within a delivery subprocess forked from the
1010 daemon, to shut down the TLS library, without actually doing a shutdown (which
1011 would tamper with the SSL session in the parent process).
1012
1013 Arguments: TRUE if SSL_shutdown is to be called
1014 Returns: nothing
1015 */
1016
1017 void
1018 tls_close(BOOL shutdown)
1019 {
1020 if (tls_active < 0) return; /* TLS was not active */
1021
1022 if (shutdown)
1023 {
1024 DEBUG(D_tls) debug_printf("tls_close(): shutting down SSL\n");
1025 SSL_shutdown(ssl);
1026 }
1027
1028 SSL_free(ssl);
1029 ssl = NULL;
1030
1031 tls_active = -1;
1032 }
1033
1034
1035
1036
1037 /*************************************************
1038 * Report the library versions. *
1039 *************************************************/
1040
1041 /* There have historically been some issues with binary compatibility in
1042 OpenSSL libraries; if Exim (like many other applications) is built against
1043 one version of OpenSSL but the run-time linker picks up another version,
1044 it can result in serious failures, including crashing with a SIGSEGV. So
1045 report the version found by the compiler and the run-time version.
1046
1047 Arguments: a FILE* to print the results to
1048 Returns: nothing
1049 */
1050
1051 void
1052 tls_version_report(FILE *f)
1053 {
1054 fprintf(f, "OpenSSL compile-time version: %s\n", OPENSSL_VERSION_TEXT);
1055 fprintf(f, "OpenSSL runtime version: %s\n", SSLeay_version(SSLEAY_VERSION));
1056 }
1057
1058
1059
1060
1061 /*************************************************
1062 * Pseudo-random number generation *
1063 *************************************************/
1064
1065 /* Pseudo-random number generation. The result is not expected to be
1066 cryptographically strong but not so weak that someone will shoot themselves
1067 in the foot using it as a nonce in input in some email header scheme or
1068 whatever weirdness they'll twist this into. The result should handle fork()
1069 and avoid repeating sequences. OpenSSL handles that for us.
1070
1071 Arguments:
1072 max range maximum
1073 Returns a random number in range [0, max-1]
1074 */
1075
1076 int
1077 pseudo_random_number(int max)
1078 {
1079 unsigned int r;
1080 int i, needed_len;
1081 uschar *p;
1082 uschar smallbuf[sizeof(r)];
1083
1084 if (max <= 1)
1085 return 0;
1086
1087 /* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
1088 if (!RAND_status())
1089 {
1090 randstuff r;
1091 gettimeofday(&r.tv, NULL);
1092 r.p = getpid();
1093
1094 RAND_seed((uschar *)(&r), sizeof(r));
1095 }
1096 /* We're after pseudo-random, not random; if we still don't have enough data
1097 in the internal PRNG then our options are limited. We could sleep and hope
1098 for entropy to come along (prayer technique) but if the system is so depleted
1099 in the first place then something is likely to just keep taking it. Instead,
1100 we'll just take whatever little bit of pseudo-random we can still manage to
1101 get. */
1102
1103 needed_len = sizeof(r);
1104 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
1105 asked for a number less than 10. */
1106 for (r = max, i = 0; r; ++i)
1107 r >>= 1;
1108 i = (i + 7) / 8;
1109 if (i < needed_len)
1110 needed_len = i;
1111
1112 /* We do not care if crypto-strong */
1113 (void) RAND_pseudo_bytes(smallbuf, needed_len);
1114 r = 0;
1115 for (p = smallbuf; needed_len; --needed_len, ++p)
1116 {
1117 r *= 256;
1118 r += *p;
1119 }
1120
1121 /* We don't particularly care about weighted results; if someone wants
1122 smooth distribution and cares enough then they should submit a patch then. */
1123 return r % max;
1124 }
1125
1126 /* End of tls-openssl.c */