e2e150c0a139c9ca4cec7f25c4ba3e16c03a8bf4
[exim.git] / src / src / tls-openssl.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2009 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8 /* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
9 library. It is #included into the tls.c file when that library is used. The
10 code herein is based on a patch that was originally contributed by Steve
11 Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
12
13 No cryptographic code is included in Exim. All this module does is to call
14 functions from the OpenSSL library. */
15
16
17 /* Heading stuff */
18
19 #include <openssl/lhash.h>
20 #include <openssl/ssl.h>
21 #include <openssl/err.h>
22 #include <openssl/rand.h>
23
24 /* Structure for collecting random data for seeding. */
25
26 typedef struct randstuff {
27 struct timeval tv;
28 pid_t p;
29 } randstuff;
30
31 /* Local static variables */
32
33 static BOOL verify_callback_called = FALSE;
34 static const uschar *sid_ctx = US"exim";
35
36 static SSL_CTX *ctx = NULL;
37 static SSL *ssl = NULL;
38
39 static char ssl_errstring[256];
40
41 static int ssl_session_timeout = 200;
42 static BOOL verify_optional = FALSE;
43
44
45
46
47
48 /*************************************************
49 * Handle TLS error *
50 *************************************************/
51
52 /* Called from lots of places when errors occur before actually starting to do
53 the TLS handshake, that is, while the session is still in clear. Always returns
54 DEFER for a server and FAIL for a client so that most calls can use "return
55 tls_error(...)" to do this processing and then give an appropriate return. A
56 single function is used for both server and client, because it is called from
57 some shared functions.
58
59 Argument:
60 prefix text to include in the logged error
61 host NULL if setting up a server;
62 the connected host if setting up a client
63 msg error message or NULL if we should ask OpenSSL
64
65 Returns: OK/DEFER/FAIL
66 */
67
68 static int
69 tls_error(uschar *prefix, host_item *host, uschar *msg)
70 {
71 if (msg == NULL)
72 {
73 ERR_error_string(ERR_get_error(), ssl_errstring);
74 msg = (uschar *)ssl_errstring;
75 }
76
77 if (host == NULL)
78 {
79 uschar *conn_info = smtp_get_connection_info();
80 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0)
81 conn_info += 5;
82 log_write(0, LOG_MAIN, "TLS error on %s (%s): %s",
83 conn_info, prefix, msg);
84 return DEFER;
85 }
86 else
87 {
88 log_write(0, LOG_MAIN, "TLS error on connection to %s [%s] (%s): %s",
89 host->name, host->address, prefix, msg);
90 return FAIL;
91 }
92 }
93
94
95
96 /*************************************************
97 * Callback to generate RSA key *
98 *************************************************/
99
100 /*
101 Arguments:
102 s SSL connection
103 export not used
104 keylength keylength
105
106 Returns: pointer to generated key
107 */
108
109 static RSA *
110 rsa_callback(SSL *s, int export, int keylength)
111 {
112 RSA *rsa_key;
113 export = export; /* Shut picky compilers up */
114 DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
115 rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL);
116 if (rsa_key == NULL)
117 {
118 ERR_error_string(ERR_get_error(), ssl_errstring);
119 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
120 ssl_errstring);
121 return NULL;
122 }
123 return rsa_key;
124 }
125
126
127
128
129 /*************************************************
130 * Callback for verification *
131 *************************************************/
132
133 /* The SSL library does certificate verification if set up to do so. This
134 callback has the current yes/no state is in "state". If verification succeeded,
135 we set up the tls_peerdn string. If verification failed, what happens depends
136 on whether the client is required to present a verifiable certificate or not.
137
138 If verification is optional, we change the state to yes, but still log the
139 verification error. For some reason (it really would help to have proper
140 documentation of OpenSSL), this callback function then gets called again, this
141 time with state = 1. In fact, that's useful, because we can set up the peerdn
142 value, but we must take care not to set the private verified flag on the second
143 time through.
144
145 Note: this function is not called if the client fails to present a certificate
146 when asked. We get here only if a certificate has been received. Handling of
147 optional verification for this case is done when requesting SSL to verify, by
148 setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
149
150 Arguments:
151 state current yes/no state as 1/0
152 x509ctx certificate information.
153
154 Returns: 1 if verified, 0 if not
155 */
156
157 static int
158 verify_callback(int state, X509_STORE_CTX *x509ctx)
159 {
160 static uschar txt[256];
161
162 X509_NAME_oneline(X509_get_subject_name(x509ctx->current_cert),
163 CS txt, sizeof(txt));
164
165 if (state == 0)
166 {
167 log_write(0, LOG_MAIN, "SSL verify error: depth=%d error=%s cert=%s",
168 x509ctx->error_depth,
169 X509_verify_cert_error_string(x509ctx->error),
170 txt);
171 tls_certificate_verified = FALSE;
172 verify_callback_called = TRUE;
173 if (!verify_optional) return 0; /* reject */
174 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
175 "tls_try_verify_hosts)\n");
176 return 1; /* accept */
177 }
178
179 if (x509ctx->error_depth != 0)
180 {
181 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d cert=%s\n",
182 x509ctx->error_depth, txt);
183 }
184 else
185 {
186 DEBUG(D_tls) debug_printf("SSL%s peer: %s\n",
187 verify_callback_called? "" : " authenticated", txt);
188 tls_peerdn = txt;
189 }
190
191 if (!verify_callback_called) tls_certificate_verified = TRUE;
192 verify_callback_called = TRUE;
193
194 return 1; /* accept */
195 }
196
197
198
199 /*************************************************
200 * Information callback *
201 *************************************************/
202
203 /* The SSL library functions call this from time to time to indicate what they
204 are doing. We copy the string to the debugging output when the level is high
205 enough.
206
207 Arguments:
208 s the SSL connection
209 where
210 ret
211
212 Returns: nothing
213 */
214
215 static void
216 info_callback(SSL *s, int where, int ret)
217 {
218 where = where;
219 ret = ret;
220 DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
221 }
222
223
224
225 /*************************************************
226 * Initialize for DH *
227 *************************************************/
228
229 /* If dhparam is set, expand it, and load up the parameters for DH encryption.
230
231 Arguments:
232 dhparam DH parameter file
233 host connected host, if client; NULL if server
234
235 Returns: TRUE if OK (nothing to set up, or setup worked)
236 */
237
238 static BOOL
239 init_dh(uschar *dhparam, host_item *host)
240 {
241 BOOL yield = TRUE;
242 BIO *bio;
243 DH *dh;
244 uschar *dhexpanded;
245
246 if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded))
247 return FALSE;
248
249 if (dhexpanded == NULL) return TRUE;
250
251 if ((bio = BIO_new_file(CS dhexpanded, "r")) == NULL)
252 {
253 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
254 host, (uschar *)strerror(errno));
255 yield = FALSE;
256 }
257 else
258 {
259 if ((dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)) == NULL)
260 {
261 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
262 host, NULL);
263 yield = FALSE;
264 }
265 else
266 {
267 SSL_CTX_set_tmp_dh(ctx, dh);
268 DEBUG(D_tls)
269 debug_printf("Diffie-Hellman initialized from %s with %d-bit key\n",
270 dhexpanded, 8*DH_size(dh));
271 DH_free(dh);
272 }
273 BIO_free(bio);
274 }
275
276 return yield;
277 }
278
279
280
281
282 /*************************************************
283 * Initialize for TLS *
284 *************************************************/
285
286 /* Called from both server and client code, to do preliminary initialization of
287 the library.
288
289 Arguments:
290 host connected host, if client; NULL if server
291 dhparam DH parameter file
292 certificate certificate file
293 privatekey private key
294 addr address if client; NULL if server (for some randomness)
295
296 Returns: OK/DEFER/FAIL
297 */
298
299 static int
300 tls_init(host_item *host, uschar *dhparam, uschar *certificate,
301 uschar *privatekey, address_item *addr)
302 {
303 long init_options;
304 BOOL okay;
305
306 SSL_load_error_strings(); /* basic set up */
307 OpenSSL_add_ssl_algorithms();
308
309 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
310 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
311 list of available digests. */
312 EVP_add_digest(EVP_sha256());
313 #endif
314
315 /* Create a context */
316
317 ctx = SSL_CTX_new((host == NULL)?
318 SSLv23_server_method() : SSLv23_client_method());
319
320 if (ctx == NULL) return tls_error(US"SSL_CTX_new", host, NULL);
321
322 /* It turns out that we need to seed the random number generator this early in
323 order to get the full complement of ciphers to work. It took me roughly a day
324 of work to discover this by experiment.
325
326 On systems that have /dev/urandom, SSL may automatically seed itself from
327 there. Otherwise, we have to make something up as best we can. Double check
328 afterwards. */
329
330 if (!RAND_status())
331 {
332 randstuff r;
333 gettimeofday(&r.tv, NULL);
334 r.p = getpid();
335
336 RAND_seed((uschar *)(&r), sizeof(r));
337 RAND_seed((uschar *)big_buffer, big_buffer_size);
338 if (addr != NULL) RAND_seed((uschar *)addr, sizeof(addr));
339
340 if (!RAND_status())
341 return tls_error(US"RAND_status", host,
342 US"unable to seed random number generator");
343 }
344
345 /* Set up the information callback, which outputs if debugging is at a suitable
346 level. */
347
348 SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
349
350 /* Automatically re-try reads/writes after renegotiation. */
351 (void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
352
353 /* Apply administrator-supplied work-arounds.
354 Historically we applied just one requested option,
355 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
356 moved to an administrator-controlled list of options to specify and
357 grandfathered in the first one as the default value for "openssl_options".
358
359 No OpenSSL version number checks: the options we accept depend upon the
360 availability of the option value macros from OpenSSL. */
361
362 okay = tls_openssl_options_parse(openssl_options, &init_options);
363 if (!okay)
364 return tls_error(US"openssl_options parsing failed", host, NULL);
365
366 if (init_options)
367 {
368 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
369 if (!(SSL_CTX_set_options(ctx, init_options)))
370 return tls_error(string_sprintf(
371 "SSL_CTX_set_option(%#lx)", init_options), host, NULL);
372 }
373 else
374 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
375
376 /* Initialize with DH parameters if supplied */
377
378 if (!init_dh(dhparam, host)) return DEFER;
379
380 /* Set up certificate and key */
381
382 if (certificate != NULL)
383 {
384 uschar *expanded;
385 if (!expand_check(certificate, US"tls_certificate", &expanded))
386 return DEFER;
387
388 if (expanded != NULL)
389 {
390 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded);
391 if (!SSL_CTX_use_certificate_chain_file(ctx, CS expanded))
392 return tls_error(string_sprintf(
393 "SSL_CTX_use_certificate_chain_file file=%s", expanded), host, NULL);
394 }
395
396 if (privatekey != NULL &&
397 !expand_check(privatekey, US"tls_privatekey", &expanded))
398 return DEFER;
399
400 /* If expansion was forced to fail, key_expanded will be NULL. If the result
401 of the expansion is an empty string, ignore it also, and assume the private
402 key is in the same file as the certificate. */
403
404 if (expanded != NULL && *expanded != 0)
405 {
406 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
407 if (!SSL_CTX_use_PrivateKey_file(ctx, CS expanded, SSL_FILETYPE_PEM))
408 return tls_error(string_sprintf(
409 "SSL_CTX_use_PrivateKey_file file=%s", expanded), host, NULL);
410 }
411 }
412
413 /* Set up the RSA callback */
414
415 SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
416
417 /* Finally, set the timeout, and we are done */
418
419 SSL_CTX_set_timeout(ctx, ssl_session_timeout);
420 DEBUG(D_tls) debug_printf("Initialized TLS\n");
421 return OK;
422 }
423
424
425
426
427 /*************************************************
428 * Get name of cipher in use *
429 *************************************************/
430
431 /* The answer is left in a static buffer, and tls_cipher is set to point
432 to it.
433
434 Argument: pointer to an SSL structure for the connection
435 Returns: nothing
436 */
437
438 static void
439 construct_cipher_name(SSL *ssl)
440 {
441 static uschar cipherbuf[256];
442 /* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't
443 yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
444 the accessor functions use const in the prototype. */
445 const SSL_CIPHER *c;
446 uschar *ver;
447
448 switch (ssl->session->ssl_version)
449 {
450 case SSL2_VERSION:
451 ver = US"SSLv2";
452 break;
453
454 case SSL3_VERSION:
455 ver = US"SSLv3";
456 break;
457
458 case TLS1_VERSION:
459 ver = US"TLSv1";
460 break;
461
462 #ifdef TLS1_1_VERSION
463 case TLS1_1_VERSION:
464 ver = US"TLSv1.1";
465 break;
466 #endif
467
468 #ifdef TLS1_2_VERSION
469 case TLS1_2_VERSION:
470 ver = US"TLSv1.2";
471 break;
472 #endif
473
474 default:
475 ver = US"UNKNOWN";
476 }
477
478 c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
479 SSL_CIPHER_get_bits(c, &tls_bits);
480
481 string_format(cipherbuf, sizeof(cipherbuf), "%s:%s:%u", ver,
482 SSL_CIPHER_get_name(c), tls_bits);
483 tls_cipher = cipherbuf;
484
485 DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
486 }
487
488
489
490
491
492 /*************************************************
493 * Set up for verifying certificates *
494 *************************************************/
495
496 /* Called by both client and server startup
497
498 Arguments:
499 certs certs file or NULL
500 crl CRL file or NULL
501 host NULL in a server; the remote host in a client
502 optional TRUE if called from a server for a host in tls_try_verify_hosts;
503 otherwise passed as FALSE
504
505 Returns: OK/DEFER/FAIL
506 */
507
508 static int
509 setup_certs(uschar *certs, uschar *crl, host_item *host, BOOL optional)
510 {
511 uschar *expcerts, *expcrl;
512
513 if (!expand_check(certs, US"tls_verify_certificates", &expcerts))
514 return DEFER;
515
516 if (expcerts != NULL)
517 {
518 struct stat statbuf;
519 if (!SSL_CTX_set_default_verify_paths(ctx))
520 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
521
522 if (Ustat(expcerts, &statbuf) < 0)
523 {
524 log_write(0, LOG_MAIN|LOG_PANIC,
525 "failed to stat %s for certificates", expcerts);
526 return DEFER;
527 }
528 else
529 {
530 uschar *file, *dir;
531 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
532 { file = NULL; dir = expcerts; }
533 else
534 { file = expcerts; dir = NULL; }
535
536 /* If a certificate file is empty, the next function fails with an
537 unhelpful error message. If we skip it, we get the correct behaviour (no
538 certificates are recognized, but the error message is still misleading (it
539 says no certificate was supplied.) But this is better. */
540
541 if ((file == NULL || statbuf.st_size > 0) &&
542 !SSL_CTX_load_verify_locations(ctx, CS file, CS dir))
543 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL);
544
545 if (file != NULL)
546 {
547 SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CS file));
548 }
549 }
550
551 /* Handle a certificate revocation list. */
552
553 #if OPENSSL_VERSION_NUMBER > 0x00907000L
554
555 /* This bit of code is now the version supplied by Lars Mainka. (I have
556 * merely reformatted it into the Exim code style.)
557
558 * "From here I changed the code to add support for multiple crl's
559 * in pem format in one file or to support hashed directory entries in
560 * pem format instead of a file. This method now uses the library function
561 * X509_STORE_load_locations to add the CRL location to the SSL context.
562 * OpenSSL will then handle the verify against CA certs and CRLs by
563 * itself in the verify callback." */
564
565 if (!expand_check(crl, US"tls_crl", &expcrl)) return DEFER;
566 if (expcrl != NULL && *expcrl != 0)
567 {
568 struct stat statbufcrl;
569 if (Ustat(expcrl, &statbufcrl) < 0)
570 {
571 log_write(0, LOG_MAIN|LOG_PANIC,
572 "failed to stat %s for certificates revocation lists", expcrl);
573 return DEFER;
574 }
575 else
576 {
577 /* is it a file or directory? */
578 uschar *file, *dir;
579 X509_STORE *cvstore = SSL_CTX_get_cert_store(ctx);
580 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
581 {
582 file = NULL;
583 dir = expcrl;
584 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
585 }
586 else
587 {
588 file = expcrl;
589 dir = NULL;
590 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
591 }
592 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
593 return tls_error(US"X509_STORE_load_locations", host, NULL);
594
595 /* setting the flags to check against the complete crl chain */
596
597 X509_STORE_set_flags(cvstore,
598 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
599 }
600 }
601
602 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
603
604 /* If verification is optional, don't fail if no certificate */
605
606 SSL_CTX_set_verify(ctx,
607 SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
608 verify_callback);
609 }
610
611 return OK;
612 }
613
614
615
616 /*************************************************
617 * Start a TLS session in a server *
618 *************************************************/
619
620 /* This is called when Exim is running as a server, after having received
621 the STARTTLS command. It must respond to that command, and then negotiate
622 a TLS session.
623
624 Arguments:
625 require_ciphers allowed ciphers
626 ------------------------------------------------------
627 require_mac list of allowed MACs ) Not used
628 require_kx list of allowed key_exchange methods ) for
629 require_proto list of allowed protocols ) OpenSSL
630 ------------------------------------------------------
631
632 Returns: OK on success
633 DEFER for errors before the start of the negotiation
634 FAIL for errors during the negotation; the server can't
635 continue running.
636 */
637
638 int
639 tls_server_start(uschar *require_ciphers, uschar *require_mac,
640 uschar *require_kx, uschar *require_proto)
641 {
642 int rc;
643 uschar *expciphers;
644
645 /* Check for previous activation */
646
647 if (tls_active >= 0)
648 {
649 tls_error(US"STARTTLS received after TLS started", NULL, US"");
650 smtp_printf("554 Already in TLS\r\n");
651 return FAIL;
652 }
653
654 /* Initialize the SSL library. If it fails, it will already have logged
655 the error. */
656
657 rc = tls_init(NULL, tls_dhparam, tls_certificate, tls_privatekey, NULL);
658 if (rc != OK) return rc;
659
660 if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
661 return FAIL;
662
663 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
664 are separated by underscores. So that I can use either form in my tests, and
665 also for general convenience, we turn underscores into hyphens here. */
666
667 if (expciphers != NULL)
668 {
669 uschar *s = expciphers;
670 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
671 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
672 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
673 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL);
674 }
675
676 /* If this is a host for which certificate verification is mandatory or
677 optional, set up appropriately. */
678
679 tls_certificate_verified = FALSE;
680 verify_callback_called = FALSE;
681
682 if (verify_check_host(&tls_verify_hosts) == OK)
683 {
684 rc = setup_certs(tls_verify_certificates, tls_crl, NULL, FALSE);
685 if (rc != OK) return rc;
686 verify_optional = FALSE;
687 }
688 else if (verify_check_host(&tls_try_verify_hosts) == OK)
689 {
690 rc = setup_certs(tls_verify_certificates, tls_crl, NULL, TRUE);
691 if (rc != OK) return rc;
692 verify_optional = TRUE;
693 }
694
695 /* Prepare for new connection */
696
697 if ((ssl = SSL_new(ctx)) == NULL) return tls_error(US"SSL_new", NULL, NULL);
698 SSL_clear(ssl);
699
700 /* Set context and tell client to go ahead, except in the case of TLS startup
701 on connection, where outputting anything now upsets the clients and tends to
702 make them disconnect. We need to have an explicit fflush() here, to force out
703 the response. Other smtp_printf() calls do not need it, because in non-TLS
704 mode, the fflush() happens when smtp_getc() is called. */
705
706 SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
707 if (!tls_on_connect)
708 {
709 smtp_printf("220 TLS go ahead\r\n");
710 fflush(smtp_out);
711 }
712
713 /* Now negotiate the TLS session. We put our own timer on it, since it seems
714 that the OpenSSL library doesn't. */
715
716 SSL_set_wfd(ssl, fileno(smtp_out));
717 SSL_set_rfd(ssl, fileno(smtp_in));
718 SSL_set_accept_state(ssl);
719
720 DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
721
722 sigalrm_seen = FALSE;
723 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
724 rc = SSL_accept(ssl);
725 alarm(0);
726
727 if (rc <= 0)
728 {
729 tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL);
730 if (ERR_get_error() == 0)
731 log_write(0, LOG_MAIN,
732 "TLS client disconnected cleanly (rejected our certificate?)");
733 return FAIL;
734 }
735
736 DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
737
738 /* TLS has been set up. Adjust the input functions to read via TLS,
739 and initialize things. */
740
741 construct_cipher_name(ssl);
742
743 DEBUG(D_tls)
744 {
745 uschar buf[2048];
746 if (SSL_get_shared_ciphers(ssl, CS buf, sizeof(buf)) != NULL)
747 debug_printf("Shared ciphers: %s\n", buf);
748 }
749
750
751 ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
752 ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
753 ssl_xfer_eof = ssl_xfer_error = 0;
754
755 receive_getc = tls_getc;
756 receive_ungetc = tls_ungetc;
757 receive_feof = tls_feof;
758 receive_ferror = tls_ferror;
759 receive_smtp_buffered = tls_smtp_buffered;
760
761 tls_active = fileno(smtp_out);
762 return OK;
763 }
764
765
766
767
768
769 /*************************************************
770 * Start a TLS session in a client *
771 *************************************************/
772
773 /* Called from the smtp transport after STARTTLS has been accepted.
774
775 Argument:
776 fd the fd of the connection
777 host connected host (for messages)
778 addr the first address
779 dhparam DH parameter file
780 certificate certificate file
781 privatekey private key file
782 verify_certs file for certificate verify
783 crl file containing CRL
784 require_ciphers list of allowed ciphers
785 ------------------------------------------------------
786 require_mac list of allowed MACs ) Not used
787 require_kx list of allowed key_exchange methods ) for
788 require_proto list of allowed protocols ) OpenSSL
789 ------------------------------------------------------
790 timeout startup timeout
791
792 Returns: OK on success
793 FAIL otherwise - note that tls_error() will not give DEFER
794 because this is not a server
795 */
796
797 int
798 tls_client_start(int fd, host_item *host, address_item *addr, uschar *dhparam,
799 uschar *certificate, uschar *privatekey, uschar *verify_certs, uschar *crl,
800 uschar *require_ciphers, uschar *require_mac, uschar *require_kx,
801 uschar *require_proto, int timeout)
802 {
803 static uschar txt[256];
804 uschar *expciphers;
805 X509* server_cert;
806 int rc;
807
808 rc = tls_init(host, dhparam, certificate, privatekey, addr);
809 if (rc != OK) return rc;
810
811 tls_certificate_verified = FALSE;
812 verify_callback_called = FALSE;
813
814 if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
815 return FAIL;
816
817 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
818 are separated by underscores. So that I can use either form in my tests, and
819 also for general convenience, we turn underscores into hyphens here. */
820
821 if (expciphers != NULL)
822 {
823 uschar *s = expciphers;
824 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
825 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
826 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
827 return tls_error(US"SSL_CTX_set_cipher_list", host, NULL);
828 }
829
830 rc = setup_certs(verify_certs, crl, host, FALSE);
831 if (rc != OK) return rc;
832
833 if ((ssl = SSL_new(ctx)) == NULL) return tls_error(US"SSL_new", host, NULL);
834 SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
835 SSL_set_fd(ssl, fd);
836 SSL_set_connect_state(ssl);
837
838 /* There doesn't seem to be a built-in timeout on connection. */
839
840 DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
841 sigalrm_seen = FALSE;
842 alarm(timeout);
843 rc = SSL_connect(ssl);
844 alarm(0);
845
846 if (rc <= 0)
847 return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL);
848
849 DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
850
851 /* Beware anonymous ciphers which lead to server_cert being NULL */
852 server_cert = SSL_get_peer_certificate (ssl);
853 if (server_cert)
854 {
855 tls_peerdn = US X509_NAME_oneline(X509_get_subject_name(server_cert),
856 CS txt, sizeof(txt));
857 tls_peerdn = txt;
858 }
859 else
860 tls_peerdn = NULL;
861
862 construct_cipher_name(ssl); /* Sets tls_cipher */
863
864 tls_active = fd;
865 return OK;
866 }
867
868
869
870
871
872 /*************************************************
873 * TLS version of getc *
874 *************************************************/
875
876 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
877 it refills the buffer via the SSL reading function.
878
879 Arguments: none
880 Returns: the next character or EOF
881 */
882
883 int
884 tls_getc(void)
885 {
886 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
887 {
888 int error;
889 int inbytes;
890
891 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
892 ssl_xfer_buffer, ssl_xfer_buffer_size);
893
894 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
895 inbytes = SSL_read(ssl, CS ssl_xfer_buffer, ssl_xfer_buffer_size);
896 error = SSL_get_error(ssl, inbytes);
897 alarm(0);
898
899 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
900 closed down, not that the socket itself has been closed down. Revert to
901 non-SSL handling. */
902
903 if (error == SSL_ERROR_ZERO_RETURN)
904 {
905 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
906
907 receive_getc = smtp_getc;
908 receive_ungetc = smtp_ungetc;
909 receive_feof = smtp_feof;
910 receive_ferror = smtp_ferror;
911 receive_smtp_buffered = smtp_buffered;
912
913 SSL_free(ssl);
914 ssl = NULL;
915 tls_active = -1;
916 tls_cipher = NULL;
917 tls_peerdn = NULL;
918
919 return smtp_getc();
920 }
921
922 /* Handle genuine errors */
923
924 else if (error == SSL_ERROR_SSL)
925 {
926 ERR_error_string(ERR_get_error(), ssl_errstring);
927 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
928 ssl_xfer_error = 1;
929 return EOF;
930 }
931
932 else if (error != SSL_ERROR_NONE)
933 {
934 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
935 ssl_xfer_error = 1;
936 return EOF;
937 }
938
939 #ifndef DISABLE_DKIM
940 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
941 #endif
942 ssl_xfer_buffer_hwm = inbytes;
943 ssl_xfer_buffer_lwm = 0;
944 }
945
946 /* Something in the buffer; return next uschar */
947
948 return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
949 }
950
951
952
953 /*************************************************
954 * Read bytes from TLS channel *
955 *************************************************/
956
957 /*
958 Arguments:
959 buff buffer of data
960 len size of buffer
961
962 Returns: the number of bytes read
963 -1 after a failed read
964 */
965
966 int
967 tls_read(uschar *buff, size_t len)
968 {
969 int inbytes;
970 int error;
971
972 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
973 buff, (unsigned int)len);
974
975 inbytes = SSL_read(ssl, CS buff, len);
976 error = SSL_get_error(ssl, inbytes);
977
978 if (error == SSL_ERROR_ZERO_RETURN)
979 {
980 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
981 return -1;
982 }
983 else if (error != SSL_ERROR_NONE)
984 {
985 return -1;
986 }
987
988 return inbytes;
989 }
990
991
992
993
994
995 /*************************************************
996 * Write bytes down TLS channel *
997 *************************************************/
998
999 /*
1000 Arguments:
1001 buff buffer of data
1002 len number of bytes
1003
1004 Returns: the number of bytes after a successful write,
1005 -1 after a failed write
1006 */
1007
1008 int
1009 tls_write(const uschar *buff, size_t len)
1010 {
1011 int outbytes;
1012 int error;
1013 int left = len;
1014
1015 DEBUG(D_tls) debug_printf("tls_do_write(%p, %d)\n", buff, left);
1016 while (left > 0)
1017 {
1018 DEBUG(D_tls) debug_printf("SSL_write(SSL, %p, %d)\n", buff, left);
1019 outbytes = SSL_write(ssl, CS buff, left);
1020 error = SSL_get_error(ssl, outbytes);
1021 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
1022 switch (error)
1023 {
1024 case SSL_ERROR_SSL:
1025 ERR_error_string(ERR_get_error(), ssl_errstring);
1026 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
1027 return -1;
1028
1029 case SSL_ERROR_NONE:
1030 left -= outbytes;
1031 buff += outbytes;
1032 break;
1033
1034 case SSL_ERROR_ZERO_RETURN:
1035 log_write(0, LOG_MAIN, "SSL channel closed on write");
1036 return -1;
1037
1038 default:
1039 log_write(0, LOG_MAIN, "SSL_write error %d", error);
1040 return -1;
1041 }
1042 }
1043 return len;
1044 }
1045
1046
1047
1048 /*************************************************
1049 * Close down a TLS session *
1050 *************************************************/
1051
1052 /* This is also called from within a delivery subprocess forked from the
1053 daemon, to shut down the TLS library, without actually doing a shutdown (which
1054 would tamper with the SSL session in the parent process).
1055
1056 Arguments: TRUE if SSL_shutdown is to be called
1057 Returns: nothing
1058 */
1059
1060 void
1061 tls_close(BOOL shutdown)
1062 {
1063 if (tls_active < 0) return; /* TLS was not active */
1064
1065 if (shutdown)
1066 {
1067 DEBUG(D_tls) debug_printf("tls_close(): shutting down SSL\n");
1068 SSL_shutdown(ssl);
1069 }
1070
1071 SSL_free(ssl);
1072 ssl = NULL;
1073
1074 tls_active = -1;
1075 }
1076
1077
1078
1079
1080 /*************************************************
1081 * Report the library versions. *
1082 *************************************************/
1083
1084 /* There have historically been some issues with binary compatibility in
1085 OpenSSL libraries; if Exim (like many other applications) is built against
1086 one version of OpenSSL but the run-time linker picks up another version,
1087 it can result in serious failures, including crashing with a SIGSEGV. So
1088 report the version found by the compiler and the run-time version.
1089
1090 Arguments: a FILE* to print the results to
1091 Returns: nothing
1092 */
1093
1094 void
1095 tls_version_report(FILE *f)
1096 {
1097 fprintf(f, "Library version: OpenSSL: Compile: %s\n"
1098 " Runtime: %s\n",
1099 OPENSSL_VERSION_TEXT,
1100 SSLeay_version(SSLEAY_VERSION));
1101 }
1102
1103
1104
1105
1106 /*************************************************
1107 * Pseudo-random number generation *
1108 *************************************************/
1109
1110 /* Pseudo-random number generation. The result is not expected to be
1111 cryptographically strong but not so weak that someone will shoot themselves
1112 in the foot using it as a nonce in input in some email header scheme or
1113 whatever weirdness they'll twist this into. The result should handle fork()
1114 and avoid repeating sequences. OpenSSL handles that for us.
1115
1116 Arguments:
1117 max range maximum
1118 Returns a random number in range [0, max-1]
1119 */
1120
1121 int
1122 pseudo_random_number(int max)
1123 {
1124 unsigned int r;
1125 int i, needed_len;
1126 uschar *p;
1127 uschar smallbuf[sizeof(r)];
1128
1129 if (max <= 1)
1130 return 0;
1131
1132 /* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
1133 if (!RAND_status())
1134 {
1135 randstuff r;
1136 gettimeofday(&r.tv, NULL);
1137 r.p = getpid();
1138
1139 RAND_seed((uschar *)(&r), sizeof(r));
1140 }
1141 /* We're after pseudo-random, not random; if we still don't have enough data
1142 in the internal PRNG then our options are limited. We could sleep and hope
1143 for entropy to come along (prayer technique) but if the system is so depleted
1144 in the first place then something is likely to just keep taking it. Instead,
1145 we'll just take whatever little bit of pseudo-random we can still manage to
1146 get. */
1147
1148 needed_len = sizeof(r);
1149 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
1150 asked for a number less than 10. */
1151 for (r = max, i = 0; r; ++i)
1152 r >>= 1;
1153 i = (i + 7) / 8;
1154 if (i < needed_len)
1155 needed_len = i;
1156
1157 /* We do not care if crypto-strong */
1158 (void) RAND_pseudo_bytes(smallbuf, needed_len);
1159 r = 0;
1160 for (p = smallbuf; needed_len; --needed_len, ++p)
1161 {
1162 r *= 256;
1163 r += *p;
1164 }
1165
1166 /* We don't particularly care about weighted results; if someone wants
1167 smooth distribution and cares enough then they should submit a patch then. */
1168 return r % max;
1169 }
1170
1171
1172
1173
1174 /*************************************************
1175 * OpenSSL option parse *
1176 *************************************************/
1177
1178 /* Parse one option for tls_openssl_options_parse below
1179
1180 Arguments:
1181 name one option name
1182 value place to store a value for it
1183 Returns success or failure in parsing
1184 */
1185
1186 struct exim_openssl_option {
1187 uschar *name;
1188 long value;
1189 };
1190 /* We could use a macro to expand, but we need the ifdef and not all the
1191 options document which version they were introduced in. Policylet: include
1192 all options unless explicitly for DTLS, let the administrator choose which
1193 to apply.
1194
1195 This list is current as of:
1196 ==> 1.0.1b <== */
1197 static struct exim_openssl_option exim_openssl_options[] = {
1198 /* KEEP SORTED ALPHABETICALLY! */
1199 #ifdef SSL_OP_ALL
1200 { US"all", SSL_OP_ALL },
1201 #endif
1202 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
1203 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
1204 #endif
1205 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
1206 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
1207 #endif
1208 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
1209 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
1210 #endif
1211 #ifdef SSL_OP_EPHEMERAL_RSA
1212 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
1213 #endif
1214 #ifdef SSL_OP_LEGACY_SERVER_CONNECT
1215 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
1216 #endif
1217 #ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
1218 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
1219 #endif
1220 #ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
1221 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
1222 #endif
1223 #ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
1224 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
1225 #endif
1226 #ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
1227 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
1228 #endif
1229 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
1230 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
1231 #endif
1232 #ifdef SSL_OP_NO_COMPRESSION
1233 { US"no_compression", SSL_OP_NO_COMPRESSION },
1234 #endif
1235 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1236 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
1237 #endif
1238 #ifdef SSL_OP_NO_SSLv2
1239 { US"no_sslv2", SSL_OP_NO_SSLv2 },
1240 #endif
1241 #ifdef SSL_OP_NO_SSLv3
1242 { US"no_sslv3", SSL_OP_NO_SSLv3 },
1243 #endif
1244 #ifdef SSL_OP_NO_TICKET
1245 { US"no_ticket", SSL_OP_NO_TICKET },
1246 #endif
1247 #ifdef SSL_OP_NO_TLSv1
1248 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
1249 #endif
1250 #ifdef SSL_OP_NO_TLSv1_1
1251 #if SSL_OP_NO_TLSv1_1 == 0x00000400L
1252 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
1253 #warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
1254 #else
1255 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
1256 #endif
1257 #endif
1258 #ifdef SSL_OP_NO_TLSv1_2
1259 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
1260 #endif
1261 #ifdef SSL_OP_SINGLE_DH_USE
1262 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
1263 #endif
1264 #ifdef SSL_OP_SINGLE_ECDH_USE
1265 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
1266 #endif
1267 #ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
1268 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
1269 #endif
1270 #ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
1271 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
1272 #endif
1273 #ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
1274 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
1275 #endif
1276 #ifdef SSL_OP_TLS_D5_BUG
1277 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
1278 #endif
1279 #ifdef SSL_OP_TLS_ROLLBACK_BUG
1280 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
1281 #endif
1282 };
1283 static int exim_openssl_options_size =
1284 sizeof(exim_openssl_options)/sizeof(struct exim_openssl_option);
1285
1286
1287 static BOOL
1288 tls_openssl_one_option_parse(uschar *name, long *value)
1289 {
1290 int first = 0;
1291 int last = exim_openssl_options_size;
1292 while (last > first)
1293 {
1294 int middle = (first + last)/2;
1295 int c = Ustrcmp(name, exim_openssl_options[middle].name);
1296 if (c == 0)
1297 {
1298 *value = exim_openssl_options[middle].value;
1299 return TRUE;
1300 }
1301 else if (c > 0)
1302 first = middle + 1;
1303 else
1304 last = middle;
1305 }
1306 return FALSE;
1307 }
1308
1309
1310
1311
1312 /*************************************************
1313 * OpenSSL option parsing logic *
1314 *************************************************/
1315
1316 /* OpenSSL has a number of compatibility options which an administrator might
1317 reasonably wish to set. Interpret a list similarly to decode_bits(), so that
1318 we look like log_selector.
1319
1320 Arguments:
1321 option_spec the administrator-supplied string of options
1322 results ptr to long storage for the options bitmap
1323 Returns success or failure
1324 */
1325
1326 BOOL
1327 tls_openssl_options_parse(uschar *option_spec, long *results)
1328 {
1329 long result, item;
1330 uschar *s, *end;
1331 uschar keep_c;
1332 BOOL adding, item_parsed;
1333
1334 result = 0L;
1335 /* We grandfather in as default the one option which we used to set always. */
1336 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
1337 result |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
1338 #endif
1339
1340 if (option_spec == NULL)
1341 {
1342 *results = result;
1343 return TRUE;
1344 }
1345
1346 for (s=option_spec; *s != '\0'; /**/)
1347 {
1348 while (isspace(*s)) ++s;
1349 if (*s == '\0')
1350 break;
1351 if (*s != '+' && *s != '-')
1352 {
1353 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
1354 "+ or - expected but found \"%s\"\n", s);
1355 return FALSE;
1356 }
1357 adding = *s++ == '+';
1358 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
1359 keep_c = *end;
1360 *end = '\0';
1361 item_parsed = tls_openssl_one_option_parse(s, &item);
1362 if (!item_parsed)
1363 {
1364 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
1365 return FALSE;
1366 }
1367 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
1368 adding ? "adding" : "removing", result, item, s);
1369 if (adding)
1370 result |= item;
1371 else
1372 result &= ~item;
1373 *end = keep_c;
1374 s = end;
1375 }
1376
1377 *results = result;
1378 return TRUE;
1379 }
1380
1381 /* End of tls-openssl.c */