projects / exim.git / blob
? search:


de9c659a6ce8efdc67c682f38132b603efbf4afa
[exim.git] / src / src / tls-openssl.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2012 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8 /* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
9 library. It is #included into the tls.c file when that library is used. The
10 code herein is based on a patch that was originally contributed by Steve
11 Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
12
13 No cryptographic code is included in Exim. All this module does is to call
14 functions from the OpenSSL library. */
15
16
17 /* Heading stuff */
18
19 #include <openssl/lhash.h>
20 #include <openssl/ssl.h>
21 #include <openssl/err.h>
22 #include <openssl/rand.h>
23 #ifdef EXPERIMENTAL_OCSP
24 #include <openssl/ocsp.h>
25 #endif
26
27 #ifdef EXPERIMENTAL_OCSP
28 #define EXIM_OCSP_SKEW_SECONDS (300L)
29 #define EXIM_OCSP_MAX_AGE (-1L)
30 #endif
31
32 #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
33 #define EXIM_HAVE_OPENSSL_TLSEXT
34 #endif
35
36 /* Structure for collecting random data for seeding. */
37
38 typedef struct randstuff {
39 struct timeval tv;
40 pid_t p;
41 } randstuff;
42
43 /* Local static variables */
44
45 static BOOL verify_callback_called = FALSE;
46 static const uschar *sid_ctx = US"exim";
47
48 static SSL_CTX *ctx = NULL;
49 static SSL_CTX *ctx_sni = NULL;
50 static SSL *ssl = NULL;
51
52 static char ssl_errstring[256];
53
54 static int ssl_session_timeout = 200;
55 static BOOL verify_optional = FALSE;
56
57 static BOOL reexpand_tls_files_for_sni = FALSE;
58
59
60 typedef struct tls_ext_ctx_cb {
61 uschar *certificate;
62 uschar *privatekey;
63 #ifdef EXPERIMENTAL_OCSP
64 uschar *ocsp_file;
65 uschar *ocsp_file_expanded;
66 OCSP_RESPONSE *ocsp_response;
67 #endif
68 uschar *dhparam;
69 /* these are cached from first expand */
70 uschar *server_cipher_list;
71 /* only passed down to tls_error: */
72 host_item *host;
73 } tls_ext_ctx_cb;
74
75 /* should figure out a cleanup of API to handle state preserved per
76 implementation, for various reasons, which can be void * in the APIs.
77 For now, we hack around it. */
78 tls_ext_ctx_cb *static_cbinfo = NULL;
79
80 static int
81 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional);
82
83 /* Callbacks */
84 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
85 static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
86 #endif
87 #ifdef EXPERIMENTAL_OCSP
88 static int tls_stapling_cb(SSL *s, void *arg);
89 #endif
90
91
92 /*************************************************
93 * Handle TLS error *
94 *************************************************/
95
96 /* Called from lots of places when errors occur before actually starting to do
97 the TLS handshake, that is, while the session is still in clear. Always returns
98 DEFER for a server and FAIL for a client so that most calls can use "return
99 tls_error(...)" to do this processing and then give an appropriate return. A
100 single function is used for both server and client, because it is called from
101 some shared functions.
102
103 Argument:
104 prefix text to include in the logged error
105 host NULL if setting up a server;
106 the connected host if setting up a client
107 msg error message or NULL if we should ask OpenSSL
108
109 Returns: OK/DEFER/FAIL
110 */
111
112 static int
113 tls_error(uschar *prefix, host_item *host, uschar *msg)
114 {
115 if (msg == NULL)
116 {
117 ERR_error_string(ERR_get_error(), ssl_errstring);
118 msg = (uschar *)ssl_errstring;
119 }
120
121 if (host == NULL)
122 {
123 uschar *conn_info = smtp_get_connection_info();
124 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0)
125 conn_info += 5;
126 log_write(0, LOG_MAIN, "TLS error on %s (%s): %s",
127 conn_info, prefix, msg);
128 return DEFER;
129 }
130 else
131 {
132 log_write(0, LOG_MAIN, "TLS error on connection to %s [%s] (%s): %s",
133 host->name, host->address, prefix, msg);
134 return FAIL;
135 }
136 }
137
138
139
140 /*************************************************
141 * Callback to generate RSA key *
142 *************************************************/
143
144 /*
145 Arguments:
146 s SSL connection
147 export not used
148 keylength keylength
149
150 Returns: pointer to generated key
151 */
152
153 static RSA *
154 rsa_callback(SSL *s, int export, int keylength)
155 {
156 RSA *rsa_key;
157 export = export; /* Shut picky compilers up */
158 DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
159 rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL);
160 if (rsa_key == NULL)
161 {
162 ERR_error_string(ERR_get_error(), ssl_errstring);
163 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
164 ssl_errstring);
165 return NULL;
166 }
167 return rsa_key;
168 }
169
170
171
172
173 /*************************************************
174 * Callback for verification *
175 *************************************************/
176
177 /* The SSL library does certificate verification if set up to do so. This
178 callback has the current yes/no state is in "state". If verification succeeded,
179 we set up the tls_peerdn string. If verification failed, what happens depends
180 on whether the client is required to present a verifiable certificate or not.
181
182 If verification is optional, we change the state to yes, but still log the
183 verification error. For some reason (it really would help to have proper
184 documentation of OpenSSL), this callback function then gets called again, this
185 time with state = 1. In fact, that's useful, because we can set up the peerdn
186 value, but we must take care not to set the private verified flag on the second
187 time through.
188
189 Note: this function is not called if the client fails to present a certificate
190 when asked. We get here only if a certificate has been received. Handling of
191 optional verification for this case is done when requesting SSL to verify, by
192 setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
193
194 Arguments:
195 state current yes/no state as 1/0
196 x509ctx certificate information.
197
198 Returns: 1 if verified, 0 if not
199 */
200
201 static int
202 verify_callback(int state, X509_STORE_CTX *x509ctx)
203 {
204 static uschar txt[256];
205
206 X509_NAME_oneline(X509_get_subject_name(x509ctx->current_cert),
207 CS txt, sizeof(txt));
208
209 if (state == 0)
210 {
211 log_write(0, LOG_MAIN, "SSL verify error: depth=%d error=%s cert=%s",
212 x509ctx->error_depth,
213 X509_verify_cert_error_string(x509ctx->error),
214 txt);
215 tls_certificate_verified = FALSE;
216 verify_callback_called = TRUE;
217 if (!verify_optional) return 0; /* reject */
218 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
219 "tls_try_verify_hosts)\n");
220 return 1; /* accept */
221 }
222
223 if (x509ctx->error_depth != 0)
224 {
225 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d cert=%s\n",
226 x509ctx->error_depth, txt);
227 }
228 else
229 {
230 DEBUG(D_tls) debug_printf("SSL%s peer: %s\n",
231 verify_callback_called? "" : " authenticated", txt);
232 tls_peerdn = txt;
233 }
234
235 if (!verify_callback_called) tls_certificate_verified = TRUE;
236 verify_callback_called = TRUE;
237
238 return 1; /* accept */
239 }
240
241
242
243 /*************************************************
244 * Information callback *
245 *************************************************/
246
247 /* The SSL library functions call this from time to time to indicate what they
248 are doing. We copy the string to the debugging output when TLS debugging has
249 been requested.
250
251 Arguments:
252 s the SSL connection
253 where
254 ret
255
256 Returns: nothing
257 */
258
259 static void
260 info_callback(SSL *s, int where, int ret)
261 {
262 where = where;
263 ret = ret;
264 DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
265 }
266
267
268
269 /*************************************************
270 * Initialize for DH *
271 *************************************************/
272
273 /* If dhparam is set, expand it, and load up the parameters for DH encryption.
274
275 Arguments:
276 dhparam DH parameter file
277 host connected host, if client; NULL if server
278
279 Returns: TRUE if OK (nothing to set up, or setup worked)
280 */
281
282 static BOOL
283 init_dh(uschar *dhparam, host_item *host)
284 {
285 BOOL yield = TRUE;
286 BIO *bio;
287 DH *dh;
288 uschar *dhexpanded;
289
290 if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded))
291 return FALSE;
292
293 if (dhexpanded == NULL) return TRUE;
294
295 if ((bio = BIO_new_file(CS dhexpanded, "r")) == NULL)
296 {
297 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
298 host, (uschar *)strerror(errno));
299 yield = FALSE;
300 }
301 else
302 {
303 if ((dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)) == NULL)
304 {
305 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
306 host, NULL);
307 yield = FALSE;
308 }
309 else
310 {
311 SSL_CTX_set_tmp_dh(ctx, dh);
312 DEBUG(D_tls)
313 debug_printf("Diffie-Hellman initialized from %s with %d-bit key\n",
314 dhexpanded, 8*DH_size(dh));
315 DH_free(dh);
316 }
317 BIO_free(bio);
318 }
319
320 return yield;
321 }
322
323
324
325
326 #ifdef EXPERIMENTAL_OCSP
327 /*************************************************
328 * Load OCSP information into state *
329 *************************************************/
330
331 /* Called to load the OCSP response from the given file into memory, once
332 caller has determined this is needed. Checks validity. Debugs a message
333 if invalid.
334
335 ASSUMES: single response, for single cert.
336
337 Arguments:
338 sctx the SSL_CTX* to update
339 cbinfo various parts of session state
340 expanded the filename putatively holding an OCSP response
341
342 */
343
344 static void
345 ocsp_load_response(SSL_CTX *sctx,
346 tls_ext_ctx_cb *cbinfo,
347 const uschar *expanded)
348 {
349 BIO *bio;
350 OCSP_RESPONSE *resp;
351 OCSP_BASICRESP *basic_response;
352 OCSP_SINGLERESP *single_response;
353 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
354 X509_STORE *store;
355 unsigned long verify_flags;
356 int status, reason, i;
357
358 cbinfo->ocsp_file_expanded = string_copy(expanded);
359 if (cbinfo->ocsp_response)
360 {
361 OCSP_RESPONSE_free(cbinfo->ocsp_response);
362 cbinfo->ocsp_response = NULL;
363 }
364
365 bio = BIO_new_file(CS cbinfo->ocsp_file_expanded, "rb");
366 if (!bio)
367 {
368 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
369 cbinfo->ocsp_file_expanded);
370 return;
371 }
372
373 resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
374 BIO_free(bio);
375 if (!resp)
376 {
377 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
378 return;
379 }
380
381 status = OCSP_response_status(resp);
382 if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL)
383 {
384 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
385 OCSP_response_status_str(status), status);
386 return;
387 }
388
389 basic_response = OCSP_response_get1_basic(resp);
390 if (!basic_response)
391 {
392 DEBUG(D_tls)
393 debug_printf("OCSP response parse error: unable to extract basic response.\n");
394 return;
395 }
396
397 store = SSL_CTX_get_cert_store(sctx);
398 verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
399
400 /* May need to expose ability to adjust those flags?
401 OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
402 OCSP_TRUSTOTHER OCSP_NOINTERN */
403
404 i = OCSP_basic_verify(basic_response, NULL, store, verify_flags);
405 if (i <= 0)
406 {
407 DEBUG(D_tls) {
408 ERR_error_string(ERR_get_error(), ssl_errstring);
409 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
410 }
411 return;
412 }
413
414 /* Here's the simplifying assumption: there's only one response, for the
415 one certificate we use, and nothing for anything else in a chain. If this
416 proves false, we need to extract a cert id from our issued cert
417 (tls_certificate) and use that for OCSP_resp_find_status() (which finds the
418 right cert in the stack and then calls OCSP_single_get0_status()).
419
420 I'm hoping to avoid reworking a bunch more of how we handle state here. */
421 single_response = OCSP_resp_get0(basic_response, 0);
422 if (!single_response)
423 {
424 DEBUG(D_tls)
425 debug_printf("Unable to get first response from OCSP basic response.\n");
426 return;
427 }
428
429 status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
430 /* how does this status differ from the one above? */
431 if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL)
432 {
433 DEBUG(D_tls) debug_printf("OCSP response not valid (take 2): %s (%d)\n",
434 OCSP_response_status_str(status), status);
435 return;
436 }
437
438 if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
439 {
440 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
441 return;
442 }
443
444 cbinfo->ocsp_response = resp;
445 }
446 #endif
447
448
449
450
451 /*************************************************
452 * Expand key and cert file specs *
453 *************************************************/
454
455 /* Called once during tls_init and possibly againt during TLS setup, for a
456 new context, if Server Name Indication was used and tls_sni was seen in
457 the certificate string.
458
459 Arguments:
460 sctx the SSL_CTX* to update
461 cbinfo various parts of session state
462
463 Returns: OK/DEFER/FAIL
464 */
465
466 static int
467 tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo)
468 {
469 uschar *expanded;
470
471 if (cbinfo->certificate == NULL)
472 return OK;
473
474 if (Ustrstr(cbinfo->certificate, US"tls_sni"))
475 reexpand_tls_files_for_sni = TRUE;
476
477 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded))
478 return DEFER;
479
480 if (expanded != NULL)
481 {
482 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded);
483 if (!SSL_CTX_use_certificate_chain_file(sctx, CS expanded))
484 return tls_error(string_sprintf(
485 "SSL_CTX_use_certificate_chain_file file=%s", expanded),
486 cbinfo->host, NULL);
487 }
488
489 if (cbinfo->privatekey != NULL &&
490 !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded))
491 return DEFER;
492
493 /* If expansion was forced to fail, key_expanded will be NULL. If the result
494 of the expansion is an empty string, ignore it also, and assume the private
495 key is in the same file as the certificate. */
496
497 if (expanded != NULL && *expanded != 0)
498 {
499 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
500 if (!SSL_CTX_use_PrivateKey_file(sctx, CS expanded, SSL_FILETYPE_PEM))
501 return tls_error(string_sprintf(
502 "SSL_CTX_use_PrivateKey_file file=%s", expanded), cbinfo->host, NULL);
503 }
504
505 #ifdef EXPERIMENTAL_OCSP
506 if (cbinfo->ocsp_file != NULL)
507 {
508 if (!expand_check(cbinfo->ocsp_file, US"tls_ocsp_file", &expanded))
509 return DEFER;
510
511 if (expanded != NULL && *expanded != 0)
512 {
513 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
514 if (cbinfo->ocsp_file_expanded &&
515 (Ustrcmp(expanded, cbinfo->ocsp_file_expanded) == 0))
516 {
517 DEBUG(D_tls)
518 debug_printf("tls_ocsp_file value unchanged, using existing values.\n");
519 } else {
520 ocsp_load_response(sctx, cbinfo, expanded);
521 }
522 }
523 }
524 #endif
525
526 return OK;
527 }
528
529
530
531
532 /*************************************************
533 * Callback to handle SNI *
534 *************************************************/
535
536 /* Called when acting as server during the TLS session setup if a Server Name
537 Indication extension was sent by the client.
538
539 API documentation is OpenSSL s_server.c implementation.
540
541 Arguments:
542 s SSL* of the current session
543 ad unknown (part of OpenSSL API) (unused)
544 arg Callback of "our" registered data
545
546 Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
547 */
548
549 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
550 static int
551 tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
552 {
553 const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
554 tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
555 int rc;
556 int old_pool = store_pool;
557
558 if (!servername)
559 return SSL_TLSEXT_ERR_OK;
560
561 DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
562 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
563
564 /* Make the extension value available for expansion */
565 store_pool = POOL_PERM;
566 tls_sni = string_copy(US servername);
567 store_pool = old_pool;
568
569 if (!reexpand_tls_files_for_sni)
570 return SSL_TLSEXT_ERR_OK;
571
572 /* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
573 not confident that memcpy wouldn't break some internal reference counting.
574 Especially since there's a references struct member, which would be off. */
575
576 ctx_sni = SSL_CTX_new(SSLv23_server_method());
577 if (!ctx_sni)
578 {
579 ERR_error_string(ERR_get_error(), ssl_errstring);
580 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
581 return SSL_TLSEXT_ERR_NOACK;
582 }
583
584 /* Not sure how many of these are actually needed, since SSL object
585 already exists. Might even need this selfsame callback, for reneg? */
586
587 SSL_CTX_set_info_callback(ctx_sni, SSL_CTX_get_info_callback(ctx));
588 SSL_CTX_set_mode(ctx_sni, SSL_CTX_get_mode(ctx));
589 SSL_CTX_set_options(ctx_sni, SSL_CTX_get_options(ctx));
590 SSL_CTX_set_timeout(ctx_sni, SSL_CTX_get_timeout(ctx));
591 SSL_CTX_set_tlsext_servername_callback(ctx_sni, tls_servername_cb);
592 SSL_CTX_set_tlsext_servername_arg(ctx_sni, cbinfo);
593 if (cbinfo->server_cipher_list)
594 SSL_CTX_set_cipher_list(ctx_sni, CS cbinfo->server_cipher_list);
595 #ifdef EXPERIMENTAL_OCSP
596 if (cbinfo->ocsp_file)
597 {
598 SSL_CTX_set_tlsext_status_cb(ctx_sni, tls_stapling_cb);
599 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
600 }
601 #endif
602
603 rc = setup_certs(ctx_sni, tls_verify_certificates, tls_crl, NULL, FALSE);
604 if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
605
606 /* do this after setup_certs, because this can require the certs for verifying
607 OCSP information. */
608 rc = tls_expand_session_files(ctx_sni, cbinfo);
609 if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
610
611 DEBUG(D_tls) debug_printf("Switching SSL context.\n");
612 SSL_set_SSL_CTX(s, ctx_sni);
613
614 return SSL_TLSEXT_ERR_OK;
615 }
616 #endif /* EXIM_HAVE_OPENSSL_TLSEXT */
617
618
619
620
621 #ifdef EXPERIMENTAL_OCSP
622 /*************************************************
623 * Callback to handle OCSP Stapling *
624 *************************************************/
625
626 /* Called when acting as server during the TLS session setup if the client
627 requests OCSP information with a Certificate Status Request.
628
629 Documentation via openssl s_server.c and the Apache patch from the OpenSSL
630 project.
631
632 */
633
634 static int
635 tls_stapling_cb(SSL *s, void *arg)
636 {
637 const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
638 uschar *response_der;
639 int response_der_len;
640
641 DEBUG(D_tls) debug_printf("Received TLS status request (OCSP stapling); %s response.\n",
642 cbinfo->ocsp_response ? "have" : "lack");
643 if (!cbinfo->ocsp_response)
644 return SSL_TLSEXT_ERR_NOACK;
645
646 response_der = NULL;
647 response_der_len = i2d_OCSP_RESPONSE(cbinfo->ocsp_response, &response_der);
648 if (response_der_len <= 0)
649 return SSL_TLSEXT_ERR_NOACK;
650
651 SSL_set_tlsext_status_ocsp_resp(ssl, response_der, response_der_len);
652 return SSL_TLSEXT_ERR_OK;
653 }
654
655 #endif /* EXPERIMENTAL_OCSP */
656
657
658
659
660 /*************************************************
661 * Initialize for TLS *
662 *************************************************/
663
664 /* Called from both server and client code, to do preliminary initialization of
665 the library.
666
667 Arguments:
668 host connected host, if client; NULL if server
669 dhparam DH parameter file
670 certificate certificate file
671 privatekey private key
672 addr address if client; NULL if server (for some randomness)
673
674 Returns: OK/DEFER/FAIL
675 */
676
677 static int
678 tls_init(host_item *host, uschar *dhparam, uschar *certificate,
679 uschar *privatekey,
680 #ifdef EXPERIMENTAL_OCSP
681 uschar *ocsp_file,
682 #endif
683 address_item *addr)
684 {
685 long init_options;
686 int rc;
687 BOOL okay;
688 tls_ext_ctx_cb *cbinfo;
689
690 cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
691 cbinfo->certificate = certificate;
692 cbinfo->privatekey = privatekey;
693 #ifdef EXPERIMENTAL_OCSP
694 cbinfo->ocsp_file = ocsp_file;
695 #endif
696 cbinfo->dhparam = dhparam;
697 cbinfo->host = host;
698
699 SSL_load_error_strings(); /* basic set up */
700 OpenSSL_add_ssl_algorithms();
701
702 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
703 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
704 list of available digests. */
705 EVP_add_digest(EVP_sha256());
706 #endif
707
708 /* Create a context */
709
710 ctx = SSL_CTX_new((host == NULL)?
711 SSLv23_server_method() : SSLv23_client_method());
712
713 if (ctx == NULL) return tls_error(US"SSL_CTX_new", host, NULL);
714
715 /* It turns out that we need to seed the random number generator this early in
716 order to get the full complement of ciphers to work. It took me roughly a day
717 of work to discover this by experiment.
718
719 On systems that have /dev/urandom, SSL may automatically seed itself from
720 there. Otherwise, we have to make something up as best we can. Double check
721 afterwards. */
722
723 if (!RAND_status())
724 {
725 randstuff r;
726 gettimeofday(&r.tv, NULL);
727 r.p = getpid();
728
729 RAND_seed((uschar *)(&r), sizeof(r));
730 RAND_seed((uschar *)big_buffer, big_buffer_size);
731 if (addr != NULL) RAND_seed((uschar *)addr, sizeof(addr));
732
733 if (!RAND_status())
734 return tls_error(US"RAND_status", host,
735 US"unable to seed random number generator");
736 }
737
738 /* Set up the information callback, which outputs if debugging is at a suitable
739 level. */
740
741 SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
742
743 /* Automatically re-try reads/writes after renegotiation. */
744 (void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
745
746 /* Apply administrator-supplied work-arounds.
747 Historically we applied just one requested option,
748 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
749 moved to an administrator-controlled list of options to specify and
750 grandfathered in the first one as the default value for "openssl_options".
751
752 No OpenSSL version number checks: the options we accept depend upon the
753 availability of the option value macros from OpenSSL. */
754
755 okay = tls_openssl_options_parse(openssl_options, &init_options);
756 if (!okay)
757 return tls_error(US"openssl_options parsing failed", host, NULL);
758
759 if (init_options)
760 {
761 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
762 if (!(SSL_CTX_set_options(ctx, init_options)))
763 return tls_error(string_sprintf(
764 "SSL_CTX_set_option(%#lx)", init_options), host, NULL);
765 }
766 else
767 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
768
769 /* Initialize with DH parameters if supplied */
770
771 if (!init_dh(dhparam, host)) return DEFER;
772
773 /* Set up certificate and key (and perhaps OCSP info) */
774
775 rc = tls_expand_session_files(ctx, cbinfo);
776 if (rc != OK) return rc;
777
778 /* If we need to handle SNI, do so */
779 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
780 if (host == NULL)
781 {
782 #ifdef EXPERIMENTAL_OCSP
783 /* We check ocsp_file, not ocsp_response, because we care about if
784 the option exists, not what the current expansion might be, as SNI might
785 change the certificate and OCSP file in use between now and the time the
786 callback is invoked. */
787 if (cbinfo->ocsp_file)
788 {
789 SSL_CTX_set_tlsext_status_cb(ctx, tls_stapling_cb);
790 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
791 }
792 #endif
793 /* We always do this, so that $tls_sni is available even if not used in
794 tls_certificate */
795 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
796 SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
797 }
798 #endif
799
800 /* Set up the RSA callback */
801
802 SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
803
804 /* Finally, set the timeout, and we are done */
805
806 SSL_CTX_set_timeout(ctx, ssl_session_timeout);
807 DEBUG(D_tls) debug_printf("Initialized TLS\n");
808
809 static_cbinfo = cbinfo;
810
811 return OK;
812 }
813
814
815
816
817 /*************************************************
818 * Get name of cipher in use *
819 *************************************************/
820
821 /* The answer is left in a static buffer, and tls_cipher is set to point
822 to it.
823
824 Argument: pointer to an SSL structure for the connection
825 Returns: nothing
826 */
827
828 static void
829 construct_cipher_name(SSL *ssl)
830 {
831 static uschar cipherbuf[256];
832 /* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't
833 yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
834 the accessor functions use const in the prototype. */
835 const SSL_CIPHER *c;
836 uschar *ver;
837
838 switch (ssl->session->ssl_version)
839 {
840 case SSL2_VERSION:
841 ver = US"SSLv2";
842 break;
843
844 case SSL3_VERSION:
845 ver = US"SSLv3";
846 break;
847
848 case TLS1_VERSION:
849 ver = US"TLSv1";
850 break;
851
852 #ifdef TLS1_1_VERSION
853 case TLS1_1_VERSION:
854 ver = US"TLSv1.1";
855 break;
856 #endif
857
858 #ifdef TLS1_2_VERSION
859 case TLS1_2_VERSION:
860 ver = US"TLSv1.2";
861 break;
862 #endif
863
864 default:
865 ver = US"UNKNOWN";
866 }
867
868 c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
869 SSL_CIPHER_get_bits(c, &tls_bits);
870
871 string_format(cipherbuf, sizeof(cipherbuf), "%s:%s:%u", ver,
872 SSL_CIPHER_get_name(c), tls_bits);
873 tls_cipher = cipherbuf;
874
875 DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
876 }
877
878
879
880
881
882 /*************************************************
883 * Set up for verifying certificates *
884 *************************************************/
885
886 /* Called by both client and server startup
887
888 Arguments:
889 sctx SSL_CTX* to initialise
890 certs certs file or NULL
891 crl CRL file or NULL
892 host NULL in a server; the remote host in a client
893 optional TRUE if called from a server for a host in tls_try_verify_hosts;
894 otherwise passed as FALSE
895
896 Returns: OK/DEFER/FAIL
897 */
898
899 static int
900 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional)
901 {
902 uschar *expcerts, *expcrl;
903
904 if (!expand_check(certs, US"tls_verify_certificates", &expcerts))
905 return DEFER;
906
907 if (expcerts != NULL)
908 {
909 struct stat statbuf;
910 if (!SSL_CTX_set_default_verify_paths(sctx))
911 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
912
913 if (Ustat(expcerts, &statbuf) < 0)
914 {
915 log_write(0, LOG_MAIN|LOG_PANIC,
916 "failed to stat %s for certificates", expcerts);
917 return DEFER;
918 }
919 else
920 {
921 uschar *file, *dir;
922 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
923 { file = NULL; dir = expcerts; }
924 else
925 { file = expcerts; dir = NULL; }
926
927 /* If a certificate file is empty, the next function fails with an
928 unhelpful error message. If we skip it, we get the correct behaviour (no
929 certificates are recognized, but the error message is still misleading (it
930 says no certificate was supplied.) But this is better. */
931
932 if ((file == NULL || statbuf.st_size > 0) &&
933 !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
934 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL);
935
936 if (file != NULL)
937 {
938 SSL_CTX_set_client_CA_list(sctx, SSL_load_client_CA_file(CS file));
939 }
940 }
941
942 /* Handle a certificate revocation list. */
943
944 #if OPENSSL_VERSION_NUMBER > 0x00907000L
945
946 /* This bit of code is now the version supplied by Lars Mainka. (I have
947 * merely reformatted it into the Exim code style.)
948
949 * "From here I changed the code to add support for multiple crl's
950 * in pem format in one file or to support hashed directory entries in
951 * pem format instead of a file. This method now uses the library function
952 * X509_STORE_load_locations to add the CRL location to the SSL context.
953 * OpenSSL will then handle the verify against CA certs and CRLs by
954 * itself in the verify callback." */
955
956 if (!expand_check(crl, US"tls_crl", &expcrl)) return DEFER;
957 if (expcrl != NULL && *expcrl != 0)
958 {
959 struct stat statbufcrl;
960 if (Ustat(expcrl, &statbufcrl) < 0)
961 {
962 log_write(0, LOG_MAIN|LOG_PANIC,
963 "failed to stat %s for certificates revocation lists", expcrl);
964 return DEFER;
965 }
966 else
967 {
968 /* is it a file or directory? */
969 uschar *file, *dir;
970 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
971 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
972 {
973 file = NULL;
974 dir = expcrl;
975 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
976 }
977 else
978 {
979 file = expcrl;
980 dir = NULL;
981 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
982 }
983 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
984 return tls_error(US"X509_STORE_load_locations", host, NULL);
985
986 /* setting the flags to check against the complete crl chain */
987
988 X509_STORE_set_flags(cvstore,
989 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
990 }
991 }
992
993 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
994
995 /* If verification is optional, don't fail if no certificate */
996
997 SSL_CTX_set_verify(sctx,
998 SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
999 verify_callback);
1000 }
1001
1002 return OK;
1003 }
1004
1005
1006
1007 /*************************************************
1008 * Start a TLS session in a server *
1009 *************************************************/
1010
1011 /* This is called when Exim is running as a server, after having received
1012 the STARTTLS command. It must respond to that command, and then negotiate
1013 a TLS session.
1014
1015 Arguments:
1016 require_ciphers allowed ciphers
1017
1018 Returns: OK on success
1019 DEFER for errors before the start of the negotiation
1020 FAIL for errors during the negotation; the server can't
1021 continue running.
1022 */
1023
1024 int
1025 tls_server_start(const uschar *require_ciphers)
1026 {
1027 int rc;
1028 uschar *expciphers;
1029 tls_ext_ctx_cb *cbinfo;
1030
1031 /* Check for previous activation */
1032
1033 if (tls_active >= 0)
1034 {
1035 tls_error(US"STARTTLS received after TLS started", NULL, US"");
1036 smtp_printf("554 Already in TLS\r\n");
1037 return FAIL;
1038 }
1039
1040 /* Initialize the SSL library. If it fails, it will already have logged
1041 the error. */
1042
1043 rc = tls_init(NULL, tls_dhparam, tls_certificate, tls_privatekey,
1044 #ifdef EXPERIMENTAL_OCSP
1045 tls_ocsp_file,
1046 #endif
1047 NULL);
1048 if (rc != OK) return rc;
1049 cbinfo = static_cbinfo;
1050
1051 if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
1052 return FAIL;
1053
1054 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
1055 were historically separated by underscores. So that I can use either form in my
1056 tests, and also for general convenience, we turn underscores into hyphens here.
1057 */
1058
1059 if (expciphers != NULL)
1060 {
1061 uschar *s = expciphers;
1062 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1063 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
1064 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
1065 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL);
1066 cbinfo->server_cipher_list = expciphers;
1067 }
1068
1069 /* If this is a host for which certificate verification is mandatory or
1070 optional, set up appropriately. */
1071
1072 tls_certificate_verified = FALSE;
1073 verify_callback_called = FALSE;
1074
1075 if (verify_check_host(&tls_verify_hosts) == OK)
1076 {
1077 rc = setup_certs(ctx, tls_verify_certificates, tls_crl, NULL, FALSE);
1078 if (rc != OK) return rc;
1079 verify_optional = FALSE;
1080 }
1081 else if (verify_check_host(&tls_try_verify_hosts) == OK)
1082 {
1083 rc = setup_certs(ctx, tls_verify_certificates, tls_crl, NULL, TRUE);
1084 if (rc != OK) return rc;
1085 verify_optional = TRUE;
1086 }
1087
1088 /* Prepare for new connection */
1089
1090 if ((ssl = SSL_new(ctx)) == NULL) return tls_error(US"SSL_new", NULL, NULL);
1091
1092 /* Warning: we used to SSL_clear(ssl) here, it was removed.
1093 *
1094 * With the SSL_clear(), we get strange interoperability bugs with
1095 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
1096 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
1097 *
1098 * The SSL_clear() call is to let an existing SSL* be reused, typically after
1099 * session shutdown. In this case, we have a brand new object and there's no
1100 * obvious reason to immediately clear it. I'm guessing that this was
1101 * originally added because of incomplete initialisation which the clear fixed,
1102 * in some historic release.
1103 */
1104
1105 /* Set context and tell client to go ahead, except in the case of TLS startup
1106 on connection, where outputting anything now upsets the clients and tends to
1107 make them disconnect. We need to have an explicit fflush() here, to force out
1108 the response. Other smtp_printf() calls do not need it, because in non-TLS
1109 mode, the fflush() happens when smtp_getc() is called. */
1110
1111 SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
1112 if (!tls_on_connect)
1113 {
1114 smtp_printf("220 TLS go ahead\r\n");
1115 fflush(smtp_out);
1116 }
1117
1118 /* Now negotiate the TLS session. We put our own timer on it, since it seems
1119 that the OpenSSL library doesn't. */
1120
1121 SSL_set_wfd(ssl, fileno(smtp_out));
1122 SSL_set_rfd(ssl, fileno(smtp_in));
1123 SSL_set_accept_state(ssl);
1124
1125 DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
1126
1127 sigalrm_seen = FALSE;
1128 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
1129 rc = SSL_accept(ssl);
1130 alarm(0);
1131
1132 if (rc <= 0)
1133 {
1134 tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL);
1135 if (ERR_get_error() == 0)
1136 log_write(0, LOG_MAIN,
1137 "TLS client disconnected cleanly (rejected our certificate?)");
1138 return FAIL;
1139 }
1140
1141 DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
1142
1143 /* TLS has been set up. Adjust the input functions to read via TLS,
1144 and initialize things. */
1145
1146 construct_cipher_name(ssl);
1147
1148 DEBUG(D_tls)
1149 {
1150 uschar buf[2048];
1151 if (SSL_get_shared_ciphers(ssl, CS buf, sizeof(buf)) != NULL)
1152 debug_printf("Shared ciphers: %s\n", buf);
1153 }
1154
1155
1156 ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
1157 ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
1158 ssl_xfer_eof = ssl_xfer_error = 0;
1159
1160 receive_getc = tls_getc;
1161 receive_ungetc = tls_ungetc;
1162 receive_feof = tls_feof;
1163 receive_ferror = tls_ferror;
1164 receive_smtp_buffered = tls_smtp_buffered;
1165
1166 tls_active = fileno(smtp_out);
1167 return OK;
1168 }
1169
1170
1171
1172
1173
1174 /*************************************************
1175 * Start a TLS session in a client *
1176 *************************************************/
1177
1178 /* Called from the smtp transport after STARTTLS has been accepted.
1179
1180 Argument:
1181 fd the fd of the connection
1182 host connected host (for messages)
1183 addr the first address
1184 dhparam DH parameter file
1185 certificate certificate file
1186 privatekey private key file
1187 sni TLS SNI to send to remote host
1188 verify_certs file for certificate verify
1189 crl file containing CRL
1190 require_ciphers list of allowed ciphers
1191 timeout startup timeout
1192
1193 Returns: OK on success
1194 FAIL otherwise - note that tls_error() will not give DEFER
1195 because this is not a server
1196 */
1197
1198 int
1199 tls_client_start(int fd, host_item *host, address_item *addr, uschar *dhparam,
1200 uschar *certificate, uschar *privatekey, uschar *sni,
1201 uschar *verify_certs, uschar *crl,
1202 uschar *require_ciphers, int timeout)
1203 {
1204 static uschar txt[256];
1205 uschar *expciphers;
1206 X509* server_cert;
1207 int rc;
1208
1209 rc = tls_init(host, dhparam, certificate, privatekey,
1210 #ifdef EXPERIMENTAL_OCSP
1211 NULL,
1212 #endif
1213 addr);
1214 if (rc != OK) return rc;
1215
1216 tls_certificate_verified = FALSE;
1217 verify_callback_called = FALSE;
1218
1219 if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
1220 return FAIL;
1221
1222 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
1223 are separated by underscores. So that I can use either form in my tests, and
1224 also for general convenience, we turn underscores into hyphens here. */
1225
1226 if (expciphers != NULL)
1227 {
1228 uschar *s = expciphers;
1229 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1230 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
1231 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
1232 return tls_error(US"SSL_CTX_set_cipher_list", host, NULL);
1233 }
1234
1235 rc = setup_certs(ctx, verify_certs, crl, host, FALSE);
1236 if (rc != OK) return rc;
1237
1238 if ((ssl = SSL_new(ctx)) == NULL) return tls_error(US"SSL_new", host, NULL);
1239 SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
1240 SSL_set_fd(ssl, fd);
1241 SSL_set_connect_state(ssl);
1242
1243 if (sni)
1244 {
1245 if (!expand_check(sni, US"tls_sni", &tls_sni))
1246 return FAIL;
1247 if (!Ustrlen(tls_sni))
1248 tls_sni = NULL;
1249 else
1250 {
1251 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tls_sni);
1252 SSL_set_tlsext_host_name(ssl, tls_sni);
1253 }
1254 }
1255
1256 /* There doesn't seem to be a built-in timeout on connection. */
1257
1258 DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
1259 sigalrm_seen = FALSE;
1260 alarm(timeout);
1261 rc = SSL_connect(ssl);
1262 alarm(0);
1263
1264 if (rc <= 0)
1265 return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL);
1266
1267 DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
1268
1269 /* Beware anonymous ciphers which lead to server_cert being NULL */
1270 server_cert = SSL_get_peer_certificate (ssl);
1271 if (server_cert)
1272 {
1273 tls_peerdn = US X509_NAME_oneline(X509_get_subject_name(server_cert),
1274 CS txt, sizeof(txt));
1275 tls_peerdn = txt;
1276 }
1277 else
1278 tls_peerdn = NULL;
1279
1280 construct_cipher_name(ssl); /* Sets tls_cipher */
1281
1282 tls_active = fd;
1283 return OK;
1284 }
1285
1286
1287
1288
1289
1290 /*************************************************
1291 * TLS version of getc *
1292 *************************************************/
1293
1294 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
1295 it refills the buffer via the SSL reading function.
1296
1297 Arguments: none
1298 Returns: the next character or EOF
1299 */
1300
1301 int
1302 tls_getc(void)
1303 {
1304 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
1305 {
1306 int error;
1307 int inbytes;
1308
1309 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
1310 ssl_xfer_buffer, ssl_xfer_buffer_size);
1311
1312 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
1313 inbytes = SSL_read(ssl, CS ssl_xfer_buffer, ssl_xfer_buffer_size);
1314 error = SSL_get_error(ssl, inbytes);
1315 alarm(0);
1316
1317 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
1318 closed down, not that the socket itself has been closed down. Revert to
1319 non-SSL handling. */
1320
1321 if (error == SSL_ERROR_ZERO_RETURN)
1322 {
1323 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
1324
1325 receive_getc = smtp_getc;
1326 receive_ungetc = smtp_ungetc;
1327 receive_feof = smtp_feof;
1328 receive_ferror = smtp_ferror;
1329 receive_smtp_buffered = smtp_buffered;
1330
1331 SSL_free(ssl);
1332 ssl = NULL;
1333 tls_active = -1;
1334 tls_bits = 0;
1335 tls_cipher = NULL;
1336 tls_peerdn = NULL;
1337 tls_sni = NULL;
1338
1339 return smtp_getc();
1340 }
1341
1342 /* Handle genuine errors */
1343
1344 else if (error == SSL_ERROR_SSL)
1345 {
1346 ERR_error_string(ERR_get_error(), ssl_errstring);
1347 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
1348 ssl_xfer_error = 1;
1349 return EOF;
1350 }
1351
1352 else if (error != SSL_ERROR_NONE)
1353 {
1354 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
1355 ssl_xfer_error = 1;
1356 return EOF;
1357 }
1358
1359 #ifndef DISABLE_DKIM
1360 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
1361 #endif
1362 ssl_xfer_buffer_hwm = inbytes;
1363 ssl_xfer_buffer_lwm = 0;
1364 }
1365
1366 /* Something in the buffer; return next uschar */
1367
1368 return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
1369 }
1370
1371
1372
1373 /*************************************************
1374 * Read bytes from TLS channel *
1375 *************************************************/
1376
1377 /*
1378 Arguments:
1379 buff buffer of data
1380 len size of buffer
1381
1382 Returns: the number of bytes read
1383 -1 after a failed read
1384 */
1385
1386 int
1387 tls_read(uschar *buff, size_t len)
1388 {
1389 int inbytes;
1390 int error;
1391
1392 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
1393 buff, (unsigned int)len);
1394
1395 inbytes = SSL_read(ssl, CS buff, len);
1396 error = SSL_get_error(ssl, inbytes);
1397
1398 if (error == SSL_ERROR_ZERO_RETURN)
1399 {
1400 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
1401 return -1;
1402 }
1403 else if (error != SSL_ERROR_NONE)
1404 {
1405 return -1;
1406 }
1407
1408 return inbytes;
1409 }
1410
1411
1412
1413
1414
1415 /*************************************************
1416 * Write bytes down TLS channel *
1417 *************************************************/
1418
1419 /*
1420 Arguments:
1421 buff buffer of data
1422 len number of bytes
1423
1424 Returns: the number of bytes after a successful write,
1425 -1 after a failed write
1426 */
1427
1428 int
1429 tls_write(const uschar *buff, size_t len)
1430 {
1431 int outbytes;
1432 int error;
1433 int left = len;
1434
1435 DEBUG(D_tls) debug_printf("tls_do_write(%p, %d)\n", buff, left);
1436 while (left > 0)
1437 {
1438 DEBUG(D_tls) debug_printf("SSL_write(SSL, %p, %d)\n", buff, left);
1439 outbytes = SSL_write(ssl, CS buff, left);
1440 error = SSL_get_error(ssl, outbytes);
1441 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
1442 switch (error)
1443 {
1444 case SSL_ERROR_SSL:
1445 ERR_error_string(ERR_get_error(), ssl_errstring);
1446 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
1447 return -1;
1448
1449 case SSL_ERROR_NONE:
1450 left -= outbytes;
1451 buff += outbytes;
1452 break;
1453
1454 case SSL_ERROR_ZERO_RETURN:
1455 log_write(0, LOG_MAIN, "SSL channel closed on write");
1456 return -1;
1457
1458 default:
1459 log_write(0, LOG_MAIN, "SSL_write error %d", error);
1460 return -1;
1461 }
1462 }
1463 return len;
1464 }
1465
1466
1467
1468 /*************************************************
1469 * Close down a TLS session *
1470 *************************************************/
1471
1472 /* This is also called from within a delivery subprocess forked from the
1473 daemon, to shut down the TLS library, without actually doing a shutdown (which
1474 would tamper with the SSL session in the parent process).
1475
1476 Arguments: TRUE if SSL_shutdown is to be called
1477 Returns: nothing
1478 */
1479
1480 void
1481 tls_close(BOOL shutdown)
1482 {
1483 if (tls_active < 0) return; /* TLS was not active */
1484
1485 if (shutdown)
1486 {
1487 DEBUG(D_tls) debug_printf("tls_close(): shutting down SSL\n");
1488 SSL_shutdown(ssl);
1489 }
1490
1491 SSL_free(ssl);
1492 ssl = NULL;
1493
1494 tls_active = -1;
1495 }
1496
1497
1498
1499
1500 /*************************************************
1501 * Report the library versions. *
1502 *************************************************/
1503
1504 /* There have historically been some issues with binary compatibility in
1505 OpenSSL libraries; if Exim (like many other applications) is built against
1506 one version of OpenSSL but the run-time linker picks up another version,
1507 it can result in serious failures, including crashing with a SIGSEGV. So
1508 report the version found by the compiler and the run-time version.
1509
1510 Arguments: a FILE* to print the results to
1511 Returns: nothing
1512 */
1513
1514 void
1515 tls_version_report(FILE *f)
1516 {
1517 fprintf(f, "Library version: OpenSSL: Compile: %s\n"
1518 " Runtime: %s\n",
1519 OPENSSL_VERSION_TEXT,
1520 SSLeay_version(SSLEAY_VERSION));
1521 }
1522
1523
1524
1525
1526 /*************************************************
1527 * Random number generation *
1528 *************************************************/
1529
1530 /* Pseudo-random number generation. The result is not expected to be
1531 cryptographically strong but not so weak that someone will shoot themselves
1532 in the foot using it as a nonce in input in some email header scheme or
1533 whatever weirdness they'll twist this into. The result should handle fork()
1534 and avoid repeating sequences. OpenSSL handles that for us.
1535
1536 Arguments:
1537 max range maximum
1538 Returns a random number in range [0, max-1]
1539 */
1540
1541 int
1542 vaguely_random_number(int max)
1543 {
1544 unsigned int r;
1545 int i, needed_len;
1546 uschar *p;
1547 uschar smallbuf[sizeof(r)];
1548
1549 if (max <= 1)
1550 return 0;
1551
1552 /* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
1553 if (!RAND_status())
1554 {
1555 randstuff r;
1556 gettimeofday(&r.tv, NULL);
1557 r.p = getpid();
1558
1559 RAND_seed((uschar *)(&r), sizeof(r));
1560 }
1561 /* We're after pseudo-random, not random; if we still don't have enough data
1562 in the internal PRNG then our options are limited. We could sleep and hope
1563 for entropy to come along (prayer technique) but if the system is so depleted
1564 in the first place then something is likely to just keep taking it. Instead,
1565 we'll just take whatever little bit of pseudo-random we can still manage to
1566 get. */
1567
1568 needed_len = sizeof(r);
1569 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
1570 asked for a number less than 10. */
1571 for (r = max, i = 0; r; ++i)
1572 r >>= 1;
1573 i = (i + 7) / 8;
1574 if (i < needed_len)
1575 needed_len = i;
1576
1577 /* We do not care if crypto-strong */
1578 i = RAND_pseudo_bytes(smallbuf, needed_len);
1579 if (i < 0)
1580 {
1581 DEBUG(D_all)
1582 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
1583 return vaguely_random_number_fallback(max);
1584 }
1585
1586 r = 0;
1587 for (p = smallbuf; needed_len; --needed_len, ++p)
1588 {
1589 r *= 256;
1590 r += *p;
1591 }
1592
1593 /* We don't particularly care about weighted results; if someone wants
1594 smooth distribution and cares enough then they should submit a patch then. */
1595 return r % max;
1596 }
1597
1598
1599
1600
1601 /*************************************************
1602 * OpenSSL option parse *
1603 *************************************************/
1604
1605 /* Parse one option for tls_openssl_options_parse below
1606
1607 Arguments:
1608 name one option name
1609 value place to store a value for it
1610 Returns success or failure in parsing
1611 */
1612
1613 struct exim_openssl_option {
1614 uschar *name;
1615 long value;
1616 };
1617 /* We could use a macro to expand, but we need the ifdef and not all the
1618 options document which version they were introduced in. Policylet: include
1619 all options unless explicitly for DTLS, let the administrator choose which
1620 to apply.
1621
1622 This list is current as of:
1623 ==> 1.0.1b <== */
1624 static struct exim_openssl_option exim_openssl_options[] = {
1625 /* KEEP SORTED ALPHABETICALLY! */
1626 #ifdef SSL_OP_ALL
1627 { US"all", SSL_OP_ALL },
1628 #endif
1629 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
1630 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
1631 #endif
1632 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
1633 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
1634 #endif
1635 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
1636 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
1637 #endif
1638 #ifdef SSL_OP_EPHEMERAL_RSA
1639 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
1640 #endif
1641 #ifdef SSL_OP_LEGACY_SERVER_CONNECT
1642 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
1643 #endif
1644 #ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
1645 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
1646 #endif
1647 #ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
1648 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
1649 #endif
1650 #ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
1651 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
1652 #endif
1653 #ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
1654 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
1655 #endif
1656 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
1657 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
1658 #endif
1659 #ifdef SSL_OP_NO_COMPRESSION
1660 { US"no_compression", SSL_OP_NO_COMPRESSION },
1661 #endif
1662 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1663 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
1664 #endif
1665 #ifdef SSL_OP_NO_SSLv2
1666 { US"no_sslv2", SSL_OP_NO_SSLv2 },
1667 #endif
1668 #ifdef SSL_OP_NO_SSLv3
1669 { US"no_sslv3", SSL_OP_NO_SSLv3 },
1670 #endif
1671 #ifdef SSL_OP_NO_TICKET
1672 { US"no_ticket", SSL_OP_NO_TICKET },
1673 #endif
1674 #ifdef SSL_OP_NO_TLSv1
1675 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
1676 #endif
1677 #ifdef SSL_OP_NO_TLSv1_1
1678 #if SSL_OP_NO_TLSv1_1 == 0x00000400L
1679 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
1680 #warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
1681 #else
1682 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
1683 #endif
1684 #endif
1685 #ifdef SSL_OP_NO_TLSv1_2
1686 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
1687 #endif
1688 #ifdef SSL_OP_SINGLE_DH_USE
1689 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
1690 #endif
1691 #ifdef SSL_OP_SINGLE_ECDH_USE
1692 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
1693 #endif
1694 #ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
1695 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
1696 #endif
1697 #ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
1698 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
1699 #endif
1700 #ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
1701 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
1702 #endif
1703 #ifdef SSL_OP_TLS_D5_BUG
1704 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
1705 #endif
1706 #ifdef SSL_OP_TLS_ROLLBACK_BUG
1707 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
1708 #endif
1709 };
1710 static int exim_openssl_options_size =
1711 sizeof(exim_openssl_options)/sizeof(struct exim_openssl_option);
1712
1713
1714 static BOOL
1715 tls_openssl_one_option_parse(uschar *name, long *value)
1716 {
1717 int first = 0;
1718 int last = exim_openssl_options_size;
1719 while (last > first)
1720 {
1721 int middle = (first + last)/2;
1722 int c = Ustrcmp(name, exim_openssl_options[middle].name);
1723 if (c == 0)
1724 {
1725 *value = exim_openssl_options[middle].value;
1726 return TRUE;
1727 }
1728 else if (c > 0)
1729 first = middle + 1;
1730 else
1731 last = middle;
1732 }
1733 return FALSE;
1734 }
1735
1736
1737
1738
1739 /*************************************************
1740 * OpenSSL option parsing logic *
1741 *************************************************/
1742
1743 /* OpenSSL has a number of compatibility options which an administrator might
1744 reasonably wish to set. Interpret a list similarly to decode_bits(), so that
1745 we look like log_selector.
1746
1747 Arguments:
1748 option_spec the administrator-supplied string of options
1749 results ptr to long storage for the options bitmap
1750 Returns success or failure
1751 */
1752
1753 BOOL
1754 tls_openssl_options_parse(uschar *option_spec, long *results)
1755 {
1756 long result, item;
1757 uschar *s, *end;
1758 uschar keep_c;
1759 BOOL adding, item_parsed;
1760
1761 result = 0L;
1762 /* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
1763 * from default because it increases BEAST susceptibility. */
1764
1765 if (option_spec == NULL)
1766 {
1767 *results = result;
1768 return TRUE;
1769 }
1770
1771 for (s=option_spec; *s != '\0'; /**/)
1772 {
1773 while (isspace(*s)) ++s;
1774 if (*s == '\0')
1775 break;
1776 if (*s != '+' && *s != '-')
1777 {
1778 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
1779 "+ or - expected but found \"%s\"\n", s);
1780 return FALSE;
1781 }
1782 adding = *s++ == '+';
1783 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
1784 keep_c = *end;
1785 *end = '\0';
1786 item_parsed = tls_openssl_one_option_parse(s, &item);
1787 if (!item_parsed)
1788 {
1789 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
1790 return FALSE;
1791 }
1792 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
1793 adding ? "adding" : "removing", result, item, s);
1794 if (adding)
1795 result |= item;
1796 else
1797 result &= ~item;
1798 *end = keep_c;
1799 s = end;
1800 }
1801
1802 *results = result;
1803 return TRUE;
1804 }
1805
1806 /* End of tls-openssl.c */
Unnamed repository; edit this file 'description' to name the repository.