projects / exim.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Make sure rc is initialised
[exim.git] / src / src / tls-openssl.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2009 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8 /* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
9 library. It is #included into the tls.c file when that library is used. The
10 code herein is based on a patch that was originally contributed by Steve
11 Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
12
13 No cryptographic code is included in Exim. All this module does is to call
14 functions from the OpenSSL library. */
15
16
17 /* Heading stuff */
18
19 #include <openssl/lhash.h>
20 #include <openssl/ssl.h>
21 #include <openssl/err.h>
22 #include <openssl/rand.h>
23
24 /* Structure for collecting random data for seeding. */
25
26 typedef struct randstuff {
27 struct timeval tv;
28 pid_t p;
29 } randstuff;
30
31 /* Local static variables */
32
33 static BOOL verify_callback_called = FALSE;
34 static const uschar *sid_ctx = US"exim";
35
36 static SSL_CTX *ctx = NULL;
37 static SSL *ssl = NULL;
38
39 static char ssl_errstring[256];
40
41 static int ssl_session_timeout = 200;
42 static BOOL verify_optional = FALSE;
43
44
45
46
47
48 /*************************************************
49 * Handle TLS error *
50 *************************************************/
51
52 /* Called from lots of places when errors occur before actually starting to do
53 the TLS handshake, that is, while the session is still in clear. Always returns
54 DEFER for a server and FAIL for a client so that most calls can use "return
55 tls_error(...)" to do this processing and then give an appropriate return. A
56 single function is used for both server and client, because it is called from
57 some shared functions.
58
59 Argument:
60 prefix text to include in the logged error
61 host NULL if setting up a server;
62 the connected host if setting up a client
63 msg error message or NULL if we should ask OpenSSL
64
65 Returns: OK/DEFER/FAIL
66 */
67
68 static int
69 tls_error(uschar *prefix, host_item *host, uschar *msg)
70 {
71 if (msg == NULL)
72 {
73 ERR_error_string(ERR_get_error(), ssl_errstring);
74 msg = (uschar *)ssl_errstring;
75 }
76
77 if (host == NULL)
78 {
79 uschar *conn_info = smtp_get_connection_info();
80 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0)
81 conn_info += 5;
82 log_write(0, LOG_MAIN, "TLS error on %s (%s): %s",
83 conn_info, prefix, msg);
84 return DEFER;
85 }
86 else
87 {
88 log_write(0, LOG_MAIN, "TLS error on connection to %s [%s] (%s): %s",
89 host->name, host->address, prefix, msg);
90 return FAIL;
91 }
92 }
93
94
95
96 /*************************************************
97 * Callback to generate RSA key *
98 *************************************************/
99
100 /*
101 Arguments:
102 s SSL connection
103 export not used
104 keylength keylength
105
106 Returns: pointer to generated key
107 */
108
109 static RSA *
110 rsa_callback(SSL *s, int export, int keylength)
111 {
112 RSA *rsa_key;
113 export = export; /* Shut picky compilers up */
114 DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
115 rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL);
116 if (rsa_key == NULL)
117 {
118 ERR_error_string(ERR_get_error(), ssl_errstring);
119 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
120 ssl_errstring);
121 return NULL;
122 }
123 return rsa_key;
124 }
125
126
127
128
129 /*************************************************
130 * Callback for verification *
131 *************************************************/
132
133 /* The SSL library does certificate verification if set up to do so. This
134 callback has the current yes/no state is in "state". If verification succeeded,
135 we set up the tls_peerdn string. If verification failed, what happens depends
136 on whether the client is required to present a verifiable certificate or not.
137
138 If verification is optional, we change the state to yes, but still log the
139 verification error. For some reason (it really would help to have proper
140 documentation of OpenSSL), this callback function then gets called again, this
141 time with state = 1. In fact, that's useful, because we can set up the peerdn
142 value, but we must take care not to set the private verified flag on the second
143 time through.
144
145 Note: this function is not called if the client fails to present a certificate
146 when asked. We get here only if a certificate has been received. Handling of
147 optional verification for this case is done when requesting SSL to verify, by
148 setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
149
150 Arguments:
151 state current yes/no state as 1/0
152 x509ctx certificate information.
153
154 Returns: 1 if verified, 0 if not
155 */
156
157 static int
158 verify_callback(int state, X509_STORE_CTX *x509ctx)
159 {
160 static uschar txt[256];
161
162 X509_NAME_oneline(X509_get_subject_name(x509ctx->current_cert),
163 CS txt, sizeof(txt));
164
165 if (state == 0)
166 {
167 log_write(0, LOG_MAIN, "SSL verify error: depth=%d error=%s cert=%s",
168 x509ctx->error_depth,
169 X509_verify_cert_error_string(x509ctx->error),
170 txt);
171 tls_certificate_verified = FALSE;
172 verify_callback_called = TRUE;
173 if (!verify_optional) return 0; /* reject */
174 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
175 "tls_try_verify_hosts)\n");
176 return 1; /* accept */
177 }
178
179 if (x509ctx->error_depth != 0)
180 {
181 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d cert=%s\n",
182 x509ctx->error_depth, txt);
183 }
184 else
185 {
186 DEBUG(D_tls) debug_printf("SSL%s peer: %s\n",
187 verify_callback_called? "" : " authenticated", txt);
188 tls_peerdn = txt;
189 }
190
191 if (!verify_callback_called) tls_certificate_verified = TRUE;
192 verify_callback_called = TRUE;
193
194 return 1; /* accept */
195 }
196
197
198
199 /*************************************************
200 * Information callback *
201 *************************************************/
202
203 /* The SSL library functions call this from time to time to indicate what they
204 are doing. We copy the string to the debugging output when the level is high
205 enough.
206
207 Arguments:
208 s the SSL connection
209 where
210 ret
211
212 Returns: nothing
213 */
214
215 static void
216 info_callback(SSL *s, int where, int ret)
217 {
218 where = where;
219 ret = ret;
220 DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
221 }
222
223
224
225 /*************************************************
226 * Initialize for DH *
227 *************************************************/
228
229 /* If dhparam is set, expand it, and load up the parameters for DH encryption.
230
231 Arguments:
232 dhparam DH parameter file
233 host connected host, if client; NULL if server
234
235 Returns: TRUE if OK (nothing to set up, or setup worked)
236 */
237
238 static BOOL
239 init_dh(uschar *dhparam, host_item *host)
240 {
241 BOOL yield = TRUE;
242 BIO *bio;
243 DH *dh;
244 uschar *dhexpanded;
245
246 if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded))
247 return FALSE;
248
249 if (dhexpanded == NULL) return TRUE;
250
251 if ((bio = BIO_new_file(CS dhexpanded, "r")) == NULL)
252 {
253 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
254 host, (uschar *)strerror(errno));
255 yield = FALSE;
256 }
257 else
258 {
259 if ((dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)) == NULL)
260 {
261 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
262 host, NULL);
263 yield = FALSE;
264 }
265 else
266 {
267 SSL_CTX_set_tmp_dh(ctx, dh);
268 DEBUG(D_tls)
269 debug_printf("Diffie-Hellman initialized from %s with %d-bit key\n",
270 dhexpanded, 8*DH_size(dh));
271 DH_free(dh);
272 }
273 BIO_free(bio);
274 }
275
276 return yield;
277 }
278
279
280
281
282 /*************************************************
283 * Initialize for TLS *
284 *************************************************/
285
286 /* Called from both server and client code, to do preliminary initialization of
287 the library.
288
289 Arguments:
290 host connected host, if client; NULL if server
291 dhparam DH parameter file
292 certificate certificate file
293 privatekey private key
294 addr address if client; NULL if server (for some randomness)
295
296 Returns: OK/DEFER/FAIL
297 */
298
299 static int
300 tls_init(host_item *host, uschar *dhparam, uschar *certificate,
301 uschar *privatekey, address_item *addr)
302 {
303 long init_options;
304 BOOL okay;
305
306 SSL_load_error_strings(); /* basic set up */
307 OpenSSL_add_ssl_algorithms();
308
309 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
310 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
311 list of available digests. */
312 EVP_add_digest(EVP_sha256());
313 #endif
314
315 /* Create a context */
316
317 ctx = SSL_CTX_new((host == NULL)?
318 SSLv23_server_method() : SSLv23_client_method());
319
320 if (ctx == NULL) return tls_error(US"SSL_CTX_new", host, NULL);
321
322 /* It turns out that we need to seed the random number generator this early in
323 order to get the full complement of ciphers to work. It took me roughly a day
324 of work to discover this by experiment.
325
326 On systems that have /dev/urandom, SSL may automatically seed itself from
327 there. Otherwise, we have to make something up as best we can. Double check
328 afterwards. */
329
330 if (!RAND_status())
331 {
332 randstuff r;
333 gettimeofday(&r.tv, NULL);
334 r.p = getpid();
335
336 RAND_seed((uschar *)(&r), sizeof(r));
337 RAND_seed((uschar *)big_buffer, big_buffer_size);
338 if (addr != NULL) RAND_seed((uschar *)addr, sizeof(addr));
339
340 if (!RAND_status())
341 return tls_error(US"RAND_status", host,
342 US"unable to seed random number generator");
343 }
344
345 /* Set up the information callback, which outputs if debugging is at a suitable
346 level. */
347
348 SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
349
350 /* Apply administrator-supplied work-arounds.
351 Historically we applied just one requested option,
352 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
353 moved to an administrator-controlled list of options to specify and
354 grandfathered in the first one as the default value for "openssl_options".
355
356 No OpenSSL version number checks: the options we accept depend upon the
357 availability of the option value macros from OpenSSL. */
358
359 okay = tls_openssl_options_parse(openssl_options, &init_options);
360 if (!okay)
361 return tls_error(US"openssl_options parsing failed", host, NULL);
362
363 if (init_options)
364 {
365 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
366 if (!(SSL_CTX_set_options(ctx, init_options)))
367 return tls_error(string_sprintf(
368 "SSL_CTX_set_option(%#lx)", init_options), host, NULL);
369 }
370 else
371 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
372
373 /* Initialize with DH parameters if supplied */
374
375 if (!init_dh(dhparam, host)) return DEFER;
376
377 /* Set up certificate and key */
378
379 if (certificate != NULL)
380 {
381 uschar *expanded;
382 if (!expand_check(certificate, US"tls_certificate", &expanded))
383 return DEFER;
384
385 if (expanded != NULL)
386 {
387 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded);
388 if (!SSL_CTX_use_certificate_chain_file(ctx, CS expanded))
389 return tls_error(string_sprintf(
390 "SSL_CTX_use_certificate_chain_file file=%s", expanded), host, NULL);
391 }
392
393 if (privatekey != NULL &&
394 !expand_check(privatekey, US"tls_privatekey", &expanded))
395 return DEFER;
396
397 /* If expansion was forced to fail, key_expanded will be NULL. If the result
398 of the expansion is an empty string, ignore it also, and assume the private
399 key is in the same file as the certificate. */
400
401 if (expanded != NULL && *expanded != 0)
402 {
403 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
404 if (!SSL_CTX_use_PrivateKey_file(ctx, CS expanded, SSL_FILETYPE_PEM))
405 return tls_error(string_sprintf(
406 "SSL_CTX_use_PrivateKey_file file=%s", expanded), host, NULL);
407 }
408 }
409
410 /* Set up the RSA callback */
411
412 SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
413
414 /* Finally, set the timeout, and we are done */
415
416 SSL_CTX_set_timeout(ctx, ssl_session_timeout);
417 DEBUG(D_tls) debug_printf("Initialized TLS\n");
418 return OK;
419 }
420
421
422
423
424 /*************************************************
425 * Get name of cipher in use *
426 *************************************************/
427
428 /* The answer is left in a static buffer, and tls_cipher is set to point
429 to it.
430
431 Argument: pointer to an SSL structure for the connection
432 Returns: nothing
433 */
434
435 static void
436 construct_cipher_name(SSL *ssl)
437 {
438 static uschar cipherbuf[256];
439 /* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't
440 yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
441 the accessor functions use const in the prototype. */
442 const SSL_CIPHER *c;
443 uschar *ver;
444 int bits;
445
446 switch (ssl->session->ssl_version)
447 {
448 case SSL2_VERSION:
449 ver = US"SSLv2";
450 break;
451
452 case SSL3_VERSION:
453 ver = US"SSLv3";
454 break;
455
456 case TLS1_VERSION:
457 ver = US"TLSv1";
458 break;
459
460 default:
461 ver = US"UNKNOWN";
462 }
463
464 c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
465 SSL_CIPHER_get_bits(c, &bits);
466
467 string_format(cipherbuf, sizeof(cipherbuf), "%s:%s:%u", ver,
468 SSL_CIPHER_get_name(c), bits);
469 tls_cipher = cipherbuf;
470
471 DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
472 }
473
474
475
476
477
478 /*************************************************
479 * Set up for verifying certificates *
480 *************************************************/
481
482 /* Called by both client and server startup
483
484 Arguments:
485 certs certs file or NULL
486 crl CRL file or NULL
487 host NULL in a server; the remote host in a client
488 optional TRUE if called from a server for a host in tls_try_verify_hosts;
489 otherwise passed as FALSE
490
491 Returns: OK/DEFER/FAIL
492 */
493
494 static int
495 setup_certs(uschar *certs, uschar *crl, host_item *host, BOOL optional)
496 {
497 uschar *expcerts, *expcrl;
498
499 if (!expand_check(certs, US"tls_verify_certificates", &expcerts))
500 return DEFER;
501
502 if (expcerts != NULL)
503 {
504 struct stat statbuf;
505 if (!SSL_CTX_set_default_verify_paths(ctx))
506 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
507
508 if (Ustat(expcerts, &statbuf) < 0)
509 {
510 log_write(0, LOG_MAIN|LOG_PANIC,
511 "failed to stat %s for certificates", expcerts);
512 return DEFER;
513 }
514 else
515 {
516 uschar *file, *dir;
517 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
518 { file = NULL; dir = expcerts; }
519 else
520 { file = expcerts; dir = NULL; }
521
522 /* If a certificate file is empty, the next function fails with an
523 unhelpful error message. If we skip it, we get the correct behaviour (no
524 certificates are recognized, but the error message is still misleading (it
525 says no certificate was supplied.) But this is better. */
526
527 if ((file == NULL || statbuf.st_size > 0) &&
528 !SSL_CTX_load_verify_locations(ctx, CS file, CS dir))
529 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL);
530
531 if (file != NULL)
532 {
533 SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CS file));
534 }
535 }
536
537 /* Handle a certificate revocation list. */
538
539 #if OPENSSL_VERSION_NUMBER > 0x00907000L
540
541 /* This bit of code is now the version supplied by Lars Mainka. (I have
542 * merely reformatted it into the Exim code style.)
543
544 * "From here I changed the code to add support for multiple crl's
545 * in pem format in one file or to support hashed directory entries in
546 * pem format instead of a file. This method now uses the library function
547 * X509_STORE_load_locations to add the CRL location to the SSL context.
548 * OpenSSL will then handle the verify against CA certs and CRLs by
549 * itself in the verify callback." */
550
551 if (!expand_check(crl, US"tls_crl", &expcrl)) return DEFER;
552 if (expcrl != NULL && *expcrl != 0)
553 {
554 struct stat statbufcrl;
555 if (Ustat(expcrl, &statbufcrl) < 0)
556 {
557 log_write(0, LOG_MAIN|LOG_PANIC,
558 "failed to stat %s for certificates revocation lists", expcrl);
559 return DEFER;
560 }
561 else
562 {
563 /* is it a file or directory? */
564 uschar *file, *dir;
565 X509_STORE *cvstore = SSL_CTX_get_cert_store(ctx);
566 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
567 {
568 file = NULL;
569 dir = expcrl;
570 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
571 }
572 else
573 {
574 file = expcrl;
575 dir = NULL;
576 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
577 }
578 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
579 return tls_error(US"X509_STORE_load_locations", host, NULL);
580
581 /* setting the flags to check against the complete crl chain */
582
583 X509_STORE_set_flags(cvstore,
584 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
585 }
586 }
587
588 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
589
590 /* If verification is optional, don't fail if no certificate */
591
592 SSL_CTX_set_verify(ctx,
593 SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
594 verify_callback);
595 }
596
597 return OK;
598 }
599
600
601
602 /*************************************************
603 * Start a TLS session in a server *
604 *************************************************/
605
606 /* This is called when Exim is running as a server, after having received
607 the STARTTLS command. It must respond to that command, and then negotiate
608 a TLS session.
609
610 Arguments:
611 require_ciphers allowed ciphers
612 ------------------------------------------------------
613 require_mac list of allowed MACs ) Not used
614 require_kx list of allowed key_exchange methods ) for
615 require_proto list of allowed protocols ) OpenSSL
616 ------------------------------------------------------
617
618 Returns: OK on success
619 DEFER for errors before the start of the negotiation
620 FAIL for errors during the negotation; the server can't
621 continue running.
622 */
623
624 int
625 tls_server_start(uschar *require_ciphers, uschar *require_mac,
626 uschar *require_kx, uschar *require_proto)
627 {
628 int rc;
629 uschar *expciphers;
630
631 /* Check for previous activation */
632
633 if (tls_active >= 0)
634 {
635 tls_error(US"STARTTLS received after TLS started", NULL, US"");
636 smtp_printf("554 Already in TLS\r\n");
637 return FAIL;
638 }
639
640 /* Initialize the SSL library. If it fails, it will already have logged
641 the error. */
642
643 rc = tls_init(NULL, tls_dhparam, tls_certificate, tls_privatekey, NULL);
644 if (rc != OK) return rc;
645
646 if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
647 return FAIL;
648
649 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
650 are separated by underscores. So that I can use either form in my tests, and
651 also for general convenience, we turn underscores into hyphens here. */
652
653 if (expciphers != NULL)
654 {
655 uschar *s = expciphers;
656 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
657 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
658 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
659 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL);
660 }
661
662 /* If this is a host for which certificate verification is mandatory or
663 optional, set up appropriately. */
664
665 tls_certificate_verified = FALSE;
666 verify_callback_called = FALSE;
667
668 if (verify_check_host(&tls_verify_hosts) == OK)
669 {
670 rc = setup_certs(tls_verify_certificates, tls_crl, NULL, FALSE);
671 if (rc != OK) return rc;
672 verify_optional = FALSE;
673 }
674 else if (verify_check_host(&tls_try_verify_hosts) == OK)
675 {
676 rc = setup_certs(tls_verify_certificates, tls_crl, NULL, TRUE);
677 if (rc != OK) return rc;
678 verify_optional = TRUE;
679 }
680
681 /* Prepare for new connection */
682
683 if ((ssl = SSL_new(ctx)) == NULL) return tls_error(US"SSL_new", NULL, NULL);
684 SSL_clear(ssl);
685
686 /* Set context and tell client to go ahead, except in the case of TLS startup
687 on connection, where outputting anything now upsets the clients and tends to
688 make them disconnect. We need to have an explicit fflush() here, to force out
689 the response. Other smtp_printf() calls do not need it, because in non-TLS
690 mode, the fflush() happens when smtp_getc() is called. */
691
692 SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
693 if (!tls_on_connect)
694 {
695 smtp_printf("220 TLS go ahead\r\n");
696 fflush(smtp_out);
697 }
698
699 /* Now negotiate the TLS session. We put our own timer on it, since it seems
700 that the OpenSSL library doesn't. */
701
702 SSL_set_wfd(ssl, fileno(smtp_out));
703 SSL_set_rfd(ssl, fileno(smtp_in));
704 SSL_set_accept_state(ssl);
705
706 DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
707
708 sigalrm_seen = FALSE;
709 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
710 rc = SSL_accept(ssl);
711 alarm(0);
712
713 if (rc <= 0)
714 {
715 tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL);
716 if (ERR_get_error() == 0)
717 log_write(0, LOG_MAIN,
718 "TLS client disconnected cleanly (rejected our certificate?)");
719 return FAIL;
720 }
721
722 DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
723
724 /* TLS has been set up. Adjust the input functions to read via TLS,
725 and initialize things. */
726
727 construct_cipher_name(ssl);
728
729 DEBUG(D_tls)
730 {
731 uschar buf[2048];
732 if (SSL_get_shared_ciphers(ssl, CS buf, sizeof(buf)) != NULL)
733 debug_printf("Shared ciphers: %s\n", buf);
734 }
735
736
737 ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
738 ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
739 ssl_xfer_eof = ssl_xfer_error = 0;
740
741 receive_getc = tls_getc;
742 receive_ungetc = tls_ungetc;
743 receive_feof = tls_feof;
744 receive_ferror = tls_ferror;
745 receive_smtp_buffered = tls_smtp_buffered;
746
747 tls_active = fileno(smtp_out);
748 return OK;
749 }
750
751
752
753
754
755 /*************************************************
756 * Start a TLS session in a client *
757 *************************************************/
758
759 /* Called from the smtp transport after STARTTLS has been accepted.
760
761 Argument:
762 fd the fd of the connection
763 host connected host (for messages)
764 addr the first address
765 dhparam DH parameter file
766 certificate certificate file
767 privatekey private key file
768 verify_certs file for certificate verify
769 crl file containing CRL
770 require_ciphers list of allowed ciphers
771 ------------------------------------------------------
772 require_mac list of allowed MACs ) Not used
773 require_kx list of allowed key_exchange methods ) for
774 require_proto list of allowed protocols ) OpenSSL
775 ------------------------------------------------------
776 timeout startup timeout
777
778 Returns: OK on success
779 FAIL otherwise - note that tls_error() will not give DEFER
780 because this is not a server
781 */
782
783 int
784 tls_client_start(int fd, host_item *host, address_item *addr, uschar *dhparam,
785 uschar *certificate, uschar *privatekey, uschar *verify_certs, uschar *crl,
786 uschar *require_ciphers, uschar *require_mac, uschar *require_kx,
787 uschar *require_proto, int timeout)
788 {
789 static uschar txt[256];
790 uschar *expciphers;
791 X509* server_cert;
792 int rc;
793
794 rc = tls_init(host, dhparam, certificate, privatekey, addr);
795 if (rc != OK) return rc;
796
797 tls_certificate_verified = FALSE;
798 verify_callback_called = FALSE;
799
800 if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
801 return FAIL;
802
803 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
804 are separated by underscores. So that I can use either form in my tests, and
805 also for general convenience, we turn underscores into hyphens here. */
806
807 if (expciphers != NULL)
808 {
809 uschar *s = expciphers;
810 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
811 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
812 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
813 return tls_error(US"SSL_CTX_set_cipher_list", host, NULL);
814 }
815
816 rc = setup_certs(verify_certs, crl, host, FALSE);
817 if (rc != OK) return rc;
818
819 if ((ssl = SSL_new(ctx)) == NULL) return tls_error(US"SSL_new", host, NULL);
820 SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
821 SSL_set_fd(ssl, fd);
822 SSL_set_connect_state(ssl);
823
824 /* There doesn't seem to be a built-in timeout on connection. */
825
826 DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
827 sigalrm_seen = FALSE;
828 alarm(timeout);
829 rc = SSL_connect(ssl);
830 alarm(0);
831
832 if (rc <= 0)
833 return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL);
834
835 DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
836
837 /* Beware anonymous ciphers which lead to server_cert being NULL */
838 server_cert = SSL_get_peer_certificate (ssl);
839 if (server_cert)
840 {
841 tls_peerdn = US X509_NAME_oneline(X509_get_subject_name(server_cert),
842 CS txt, sizeof(txt));
843 tls_peerdn = txt;
844 }
845 else
846 tls_peerdn = NULL;
847
848 construct_cipher_name(ssl); /* Sets tls_cipher */
849
850 tls_active = fd;
851 return OK;
852 }
853
854
855
856
857
858 /*************************************************
859 * TLS version of getc *
860 *************************************************/
861
862 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
863 it refills the buffer via the SSL reading function.
864
865 Arguments: none
866 Returns: the next character or EOF
867 */
868
869 int
870 tls_getc(void)
871 {
872 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
873 {
874 int error;
875 int inbytes;
876
877 DEBUG(D_tls) debug_printf("Calling SSL_read(%lx, %lx, %u)\n", (long)ssl,
878 (long)ssl_xfer_buffer, ssl_xfer_buffer_size);
879
880 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
881 inbytes = SSL_read(ssl, CS ssl_xfer_buffer, ssl_xfer_buffer_size);
882 error = SSL_get_error(ssl, inbytes);
883 alarm(0);
884
885 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
886 closed down, not that the socket itself has been closed down. Revert to
887 non-SSL handling. */
888
889 if (error == SSL_ERROR_ZERO_RETURN)
890 {
891 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
892
893 receive_getc = smtp_getc;
894 receive_ungetc = smtp_ungetc;
895 receive_feof = smtp_feof;
896 receive_ferror = smtp_ferror;
897 receive_smtp_buffered = smtp_buffered;
898
899 SSL_free(ssl);
900 ssl = NULL;
901 tls_active = -1;
902 tls_cipher = NULL;
903 tls_peerdn = NULL;
904
905 return smtp_getc();
906 }
907
908 /* Handle genuine errors */
909
910 else if (error == SSL_ERROR_SSL)
911 {
912 ERR_error_string(ERR_get_error(), ssl_errstring);
913 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
914 ssl_xfer_error = 1;
915 return EOF;
916 }
917
918 else if (error != SSL_ERROR_NONE)
919 {
920 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
921 ssl_xfer_error = 1;
922 return EOF;
923 }
924 #ifndef DISABLE_DKIM
925 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
926 #endif
927 ssl_xfer_buffer_hwm = inbytes;
928 ssl_xfer_buffer_lwm = 0;
929 }
930
931 /* Something in the buffer; return next uschar */
932
933 return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
934 }
935
936
937
938 /*************************************************
939 * Read bytes from TLS channel *
940 *************************************************/
941
942 /*
943 Arguments:
944 buff buffer of data
945 len size of buffer
946
947 Returns: the number of bytes read
948 -1 after a failed read
949 */
950
951 int
952 tls_read(uschar *buff, size_t len)
953 {
954 int inbytes;
955 int error;
956
957 DEBUG(D_tls) debug_printf("Calling SSL_read(%lx, %lx, %u)\n", (long)ssl,
958 (long)buff, (unsigned int)len);
959
960 inbytes = SSL_read(ssl, CS buff, len);
961 error = SSL_get_error(ssl, inbytes);
962
963 if (error == SSL_ERROR_ZERO_RETURN)
964 {
965 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
966 return -1;
967 }
968 else if (error != SSL_ERROR_NONE)
969 {
970 return -1;
971 }
972
973 return inbytes;
974 }
975
976
977
978
979
980 /*************************************************
981 * Write bytes down TLS channel *
982 *************************************************/
983
984 /*
985 Arguments:
986 buff buffer of data
987 len number of bytes
988
989 Returns: the number of bytes after a successful write,
990 -1 after a failed write
991 */
992
993 int
994 tls_write(const uschar *buff, size_t len)
995 {
996 int outbytes;
997 int error;
998 int left = len;
999
1000 DEBUG(D_tls) debug_printf("tls_do_write(%lx, %d)\n", (long)buff, left);
1001 while (left > 0)
1002 {
1003 DEBUG(D_tls) debug_printf("SSL_write(SSL, %lx, %d)\n", (long)buff, left);
1004 outbytes = SSL_write(ssl, CS buff, left);
1005 error = SSL_get_error(ssl, outbytes);
1006 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
1007 switch (error)
1008 {
1009 case SSL_ERROR_SSL:
1010 ERR_error_string(ERR_get_error(), ssl_errstring);
1011 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
1012 return -1;
1013
1014 case SSL_ERROR_NONE:
1015 left -= outbytes;
1016 buff += outbytes;
1017 break;
1018
1019 case SSL_ERROR_ZERO_RETURN:
1020 log_write(0, LOG_MAIN, "SSL channel closed on write");
1021 return -1;
1022
1023 default:
1024 log_write(0, LOG_MAIN, "SSL_write error %d", error);
1025 return -1;
1026 }
1027 }
1028 return len;
1029 }
1030
1031
1032
1033 /*************************************************
1034 * Close down a TLS session *
1035 *************************************************/
1036
1037 /* This is also called from within a delivery subprocess forked from the
1038 daemon, to shut down the TLS library, without actually doing a shutdown (which
1039 would tamper with the SSL session in the parent process).
1040
1041 Arguments: TRUE if SSL_shutdown is to be called
1042 Returns: nothing
1043 */
1044
1045 void
1046 tls_close(BOOL shutdown)
1047 {
1048 if (tls_active < 0) return; /* TLS was not active */
1049
1050 if (shutdown)
1051 {
1052 DEBUG(D_tls) debug_printf("tls_close(): shutting down SSL\n");
1053 SSL_shutdown(ssl);
1054 }
1055
1056 SSL_free(ssl);
1057 ssl = NULL;
1058
1059 tls_active = -1;
1060 }
1061
1062
1063
1064
1065 /*************************************************
1066 * Report the library versions. *
1067 *************************************************/
1068
1069 /* There have historically been some issues with binary compatibility in
1070 OpenSSL libraries; if Exim (like many other applications) is built against
1071 one version of OpenSSL but the run-time linker picks up another version,
1072 it can result in serious failures, including crashing with a SIGSEGV. So
1073 report the version found by the compiler and the run-time version.
1074
1075 Arguments: a FILE* to print the results to
1076 Returns: nothing
1077 */
1078
1079 void
1080 tls_version_report(FILE *f)
1081 {
1082 fprintf(f, "Library version: OpenSSL: Compile: %s\n"
1083 " Runtime: %s\n",
1084 OPENSSL_VERSION_TEXT,
1085 SSLeay_version(SSLEAY_VERSION));
1086 }
1087
1088
1089
1090
1091 /*************************************************
1092 * Pseudo-random number generation *
1093 *************************************************/
1094
1095 /* Pseudo-random number generation. The result is not expected to be
1096 cryptographically strong but not so weak that someone will shoot themselves
1097 in the foot using it as a nonce in input in some email header scheme or
1098 whatever weirdness they'll twist this into. The result should handle fork()
1099 and avoid repeating sequences. OpenSSL handles that for us.
1100
1101 Arguments:
1102 max range maximum
1103 Returns a random number in range [0, max-1]
1104 */
1105
1106 int
1107 pseudo_random_number(int max)
1108 {
1109 unsigned int r;
1110 int i, needed_len;
1111 uschar *p;
1112 uschar smallbuf[sizeof(r)];
1113
1114 if (max <= 1)
1115 return 0;
1116
1117 /* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
1118 if (!RAND_status())
1119 {
1120 randstuff r;
1121 gettimeofday(&r.tv, NULL);
1122 r.p = getpid();
1123
1124 RAND_seed((uschar *)(&r), sizeof(r));
1125 }
1126 /* We're after pseudo-random, not random; if we still don't have enough data
1127 in the internal PRNG then our options are limited. We could sleep and hope
1128 for entropy to come along (prayer technique) but if the system is so depleted
1129 in the first place then something is likely to just keep taking it. Instead,
1130 we'll just take whatever little bit of pseudo-random we can still manage to
1131 get. */
1132
1133 needed_len = sizeof(r);
1134 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
1135 asked for a number less than 10. */
1136 for (r = max, i = 0; r; ++i)
1137 r >>= 1;
1138 i = (i + 7) / 8;
1139 if (i < needed_len)
1140 needed_len = i;
1141
1142 /* We do not care if crypto-strong */
1143 (void) RAND_pseudo_bytes(smallbuf, needed_len);
1144 r = 0;
1145 for (p = smallbuf; needed_len; --needed_len, ++p)
1146 {
1147 r *= 256;
1148 r += *p;
1149 }
1150
1151 /* We don't particularly care about weighted results; if someone wants
1152 smooth distribution and cares enough then they should submit a patch then. */
1153 return r % max;
1154 }
1155
1156
1157
1158
1159 /*************************************************
1160 * OpenSSL option parse *
1161 *************************************************/
1162
1163 /* Parse one option for tls_openssl_options_parse below
1164
1165 Arguments:
1166 name one option name
1167 value place to store a value for it
1168 Returns success or failure in parsing
1169 */
1170
1171 struct exim_openssl_option {
1172 uschar *name;
1173 long value;
1174 };
1175 /* We could use a macro to expand, but we need the ifdef and not all the
1176 options document which version they were introduced in. Policylet: include
1177 all options unless explicitly for DTLS, let the administrator choose which
1178 to apply.
1179
1180 This list is current as of:
1181 ==> 1.0.0c <== */
1182 static struct exim_openssl_option exim_openssl_options[] = {
1183 /* KEEP SORTED ALPHABETICALLY! */
1184 #ifdef SSL_OP_ALL
1185 { US"all", SSL_OP_ALL },
1186 #endif
1187 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
1188 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
1189 #endif
1190 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
1191 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
1192 #endif
1193 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
1194 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
1195 #endif
1196 #ifdef SSL_OP_EPHEMERAL_RSA
1197 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
1198 #endif
1199 #ifdef SSL_OP_LEGACY_SERVER_CONNECT
1200 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
1201 #endif
1202 #ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
1203 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
1204 #endif
1205 #ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
1206 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
1207 #endif
1208 #ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
1209 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
1210 #endif
1211 #ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
1212 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
1213 #endif
1214 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
1215 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
1216 #endif
1217 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1218 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
1219 #endif
1220 #ifdef SSL_OP_NO_SSLv2
1221 { US"no_sslv2", SSL_OP_NO_SSLv2 },
1222 #endif
1223 #ifdef SSL_OP_NO_SSLv3
1224 { US"no_sslv3", SSL_OP_NO_SSLv3 },
1225 #endif
1226 #ifdef SSL_OP_NO_TICKET
1227 { US"no_ticket", SSL_OP_NO_TICKET },
1228 #endif
1229 #ifdef SSL_OP_NO_TLSv1
1230 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
1231 #endif
1232 #ifdef SSL_OP_SINGLE_DH_USE
1233 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
1234 #endif
1235 #ifdef SSL_OP_SINGLE_ECDH_USE
1236 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
1237 #endif
1238 #ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
1239 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
1240 #endif
1241 #ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
1242 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
1243 #endif
1244 #ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
1245 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
1246 #endif
1247 #ifdef SSL_OP_TLS_D5_BUG
1248 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
1249 #endif
1250 #ifdef SSL_OP_TLS_ROLLBACK_BUG
1251 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
1252 #endif
1253 };
1254 static int exim_openssl_options_size =
1255 sizeof(exim_openssl_options)/sizeof(struct exim_openssl_option);
1256
1257 static BOOL
1258 tls_openssl_one_option_parse(uschar *name, long *value)
1259 {
1260 int first = 0;
1261 int last = exim_openssl_options_size;
1262 while (last > first)
1263 {
1264 int middle = (first + last)/2;
1265 int c = Ustrcmp(name, exim_openssl_options[middle].name);
1266 if (c == 0)
1267 {
1268 *value = exim_openssl_options[middle].value;
1269 return TRUE;
1270 }
1271 else if (c > 0)
1272 first = middle + 1;
1273 else
1274 last = middle;
1275 }
1276 return FALSE;
1277 }
1278
1279
1280
1281
1282 /*************************************************
1283 * OpenSSL option parsing logic *
1284 *************************************************/
1285
1286 /* OpenSSL has a number of compatibility options which an administrator might
1287 reasonably wish to set. Interpret a list similarly to decode_bits(), so that
1288 we look like log_selector.
1289
1290 Arguments:
1291 option_spec the administrator-supplied string of options
1292 results ptr to long storage for the options bitmap
1293 Returns success or failure
1294 */
1295
1296 BOOL
1297 tls_openssl_options_parse(uschar *option_spec, long *results)
1298 {
1299 long result, item;
1300 uschar *s, *end;
1301 uschar keep_c;
1302 BOOL adding, item_parsed;
1303
1304 result = 0L;
1305 /* We grandfather in as default the one option which we used to set always. */
1306 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
1307 result |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
1308 #endif
1309
1310 if (option_spec == NULL)
1311 {
1312 *results = result;
1313 return TRUE;
1314 }
1315
1316 for (s=option_spec; *s != '\0'; /**/)
1317 {
1318 while (isspace(*s)) ++s;
1319 if (*s == '\0')
1320 break;
1321 if (*s != '+' && *s != '-')
1322 {
1323 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
1324 "+ or - expected but found \"%s\"\n", s);
1325 return FALSE;
1326 }
1327 adding = *s++ == '+';
1328 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
1329 keep_c = *end;
1330 *end = '\0';
1331 item_parsed = tls_openssl_one_option_parse(s, &item);
1332 if (!item_parsed)
1333 {
1334 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
1335 return FALSE;
1336 }
1337 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
1338 adding ? "adding" : "removing", result, item, s);
1339 if (adding)
1340 result |= item;
1341 else
1342 result &= ~item;
1343 *end = keep_c;
1344 s = end;
1345 }
1346
1347 *results = result;
1348 return TRUE;
1349 }
1350
1351 /* End of tls-openssl.c */
Unnamed repository; edit this file 'description' to name the repository.