projects / exim.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Support transport hosts_avoid_tls for cutthrough.
[exim.git] / src / src / tls-openssl.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2012 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8 /* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
9 library. It is #included into the tls.c file when that library is used. The
10 code herein is based on a patch that was originally contributed by Steve
11 Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
12
13 No cryptographic code is included in Exim. All this module does is to call
14 functions from the OpenSSL library. */
15
16
17 /* Heading stuff */
18
19 #include <openssl/lhash.h>
20 #include <openssl/ssl.h>
21 #include <openssl/err.h>
22 #include <openssl/rand.h>
23 #ifdef EXPERIMENTAL_OCSP
24 #include <openssl/ocsp.h>
25 #endif
26
27 #ifdef EXPERIMENTAL_OCSP
28 #define EXIM_OCSP_SKEW_SECONDS (300L)
29 #define EXIM_OCSP_MAX_AGE (-1L)
30 #endif
31
32 #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
33 #define EXIM_HAVE_OPENSSL_TLSEXT
34 #endif
35
36 /* Structure for collecting random data for seeding. */
37
38 typedef struct randstuff {
39 struct timeval tv;
40 pid_t p;
41 } randstuff;
42
43 /* Local static variables */
44
45 static BOOL verify_callback_called = FALSE;
46 static const uschar *sid_ctx = US"exim";
47
48 static SSL_CTX *client_ctx = NULL;
49 static SSL_CTX *server_ctx = NULL;
50 static SSL *client_ssl = NULL;
51 static SSL *server_ssl = NULL;
52 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
53 static SSL_CTX *client_sni = NULL;
54 static SSL_CTX *server_sni = NULL;
55 #endif
56
57 static char ssl_errstring[256];
58
59 static int ssl_session_timeout = 200;
60 static BOOL verify_optional = FALSE;
61
62 static BOOL reexpand_tls_files_for_sni = FALSE;
63
64
65 typedef struct tls_ext_ctx_cb {
66 uschar *certificate;
67 uschar *privatekey;
68 #ifdef EXPERIMENTAL_OCSP
69 uschar *ocsp_file;
70 uschar *ocsp_file_expanded;
71 OCSP_RESPONSE *ocsp_response;
72 #endif
73 uschar *dhparam;
74 /* these are cached from first expand */
75 uschar *server_cipher_list;
76 /* only passed down to tls_error: */
77 host_item *host;
78 } tls_ext_ctx_cb;
79
80 /* should figure out a cleanup of API to handle state preserved per
81 implementation, for various reasons, which can be void * in the APIs.
82 For now, we hack around it. */
83 tls_ext_ctx_cb *client_static_cbinfo = NULL;
84 tls_ext_ctx_cb *server_static_cbinfo = NULL;
85
86 static int
87 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional);
88
89 /* Callbacks */
90 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
91 static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
92 #endif
93 #ifdef EXPERIMENTAL_OCSP
94 static int tls_stapling_cb(SSL *s, void *arg);
95 #endif
96
97
98 /*************************************************
99 * Handle TLS error *
100 *************************************************/
101
102 /* Called from lots of places when errors occur before actually starting to do
103 the TLS handshake, that is, while the session is still in clear. Always returns
104 DEFER for a server and FAIL for a client so that most calls can use "return
105 tls_error(...)" to do this processing and then give an appropriate return. A
106 single function is used for both server and client, because it is called from
107 some shared functions.
108
109 Argument:
110 prefix text to include in the logged error
111 host NULL if setting up a server;
112 the connected host if setting up a client
113 msg error message or NULL if we should ask OpenSSL
114
115 Returns: OK/DEFER/FAIL
116 */
117
118 static int
119 tls_error(uschar *prefix, host_item *host, uschar *msg)
120 {
121 if (msg == NULL)
122 {
123 ERR_error_string(ERR_get_error(), ssl_errstring);
124 msg = (uschar *)ssl_errstring;
125 }
126
127 if (host == NULL)
128 {
129 uschar *conn_info = smtp_get_connection_info();
130 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0)
131 conn_info += 5;
132 log_write(0, LOG_MAIN, "TLS error on %s (%s): %s",
133 conn_info, prefix, msg);
134 return DEFER;
135 }
136 else
137 {
138 log_write(0, LOG_MAIN, "TLS error on connection to %s [%s] (%s): %s",
139 host->name, host->address, prefix, msg);
140 return FAIL;
141 }
142 }
143
144
145
146 /*************************************************
147 * Callback to generate RSA key *
148 *************************************************/
149
150 /*
151 Arguments:
152 s SSL connection
153 export not used
154 keylength keylength
155
156 Returns: pointer to generated key
157 */
158
159 static RSA *
160 rsa_callback(SSL *s, int export, int keylength)
161 {
162 RSA *rsa_key;
163 export = export; /* Shut picky compilers up */
164 DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
165 rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL);
166 if (rsa_key == NULL)
167 {
168 ERR_error_string(ERR_get_error(), ssl_errstring);
169 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
170 ssl_errstring);
171 return NULL;
172 }
173 return rsa_key;
174 }
175
176
177
178
179 /*************************************************
180 * Callback for verification *
181 *************************************************/
182
183 /* The SSL library does certificate verification if set up to do so. This
184 callback has the current yes/no state is in "state". If verification succeeded,
185 we set up the tls_peerdn string. If verification failed, what happens depends
186 on whether the client is required to present a verifiable certificate or not.
187
188 If verification is optional, we change the state to yes, but still log the
189 verification error. For some reason (it really would help to have proper
190 documentation of OpenSSL), this callback function then gets called again, this
191 time with state = 1. In fact, that's useful, because we can set up the peerdn
192 value, but we must take care not to set the private verified flag on the second
193 time through.
194
195 Note: this function is not called if the client fails to present a certificate
196 when asked. We get here only if a certificate has been received. Handling of
197 optional verification for this case is done when requesting SSL to verify, by
198 setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
199
200 Arguments:
201 state current yes/no state as 1/0
202 x509ctx certificate information.
203
204 Returns: 1 if verified, 0 if not
205 */
206
207 static int
208 verify_callback(int state, X509_STORE_CTX *x509ctx)
209 {
210 static uschar txt[256];
211
212 X509_NAME_oneline(X509_get_subject_name(x509ctx->current_cert),
213 CS txt, sizeof(txt));
214
215 if (state == 0)
216 {
217 log_write(0, LOG_MAIN, "SSL verify error: depth=%d error=%s cert=%s",
218 x509ctx->error_depth,
219 X509_verify_cert_error_string(x509ctx->error),
220 txt);
221 tls_in.certificate_verified = FALSE;
222 verify_callback_called = TRUE;
223 if (!verify_optional) return 0; /* reject */
224 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
225 "tls_try_verify_hosts)\n");
226 return 1; /* accept */
227 }
228
229 if (x509ctx->error_depth != 0)
230 {
231 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d cert=%s\n",
232 x509ctx->error_depth, txt);
233 }
234 else
235 {
236 DEBUG(D_tls) debug_printf("SSL%s peer: %s\n",
237 verify_callback_called? "" : " authenticated", txt);
238 tls_in.peerdn = txt;
239 }
240
241 if (!verify_callback_called) tls_in.certificate_verified = TRUE;
242 verify_callback_called = TRUE;
243
244 return 1; /* accept */
245 }
246
247
248
249 /*************************************************
250 * Information callback *
251 *************************************************/
252
253 /* The SSL library functions call this from time to time to indicate what they
254 are doing. We copy the string to the debugging output when TLS debugging has
255 been requested.
256
257 Arguments:
258 s the SSL connection
259 where
260 ret
261
262 Returns: nothing
263 */
264
265 static void
266 info_callback(SSL *s, int where, int ret)
267 {
268 where = where;
269 ret = ret;
270 DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
271 }
272
273
274
275 /*************************************************
276 * Initialize for DH *
277 *************************************************/
278
279 /* If dhparam is set, expand it, and load up the parameters for DH encryption.
280
281 Arguments:
282 dhparam DH parameter file or fixed parameter identity string
283 host connected host, if client; NULL if server
284
285 Returns: TRUE if OK (nothing to set up, or setup worked)
286 */
287
288 static BOOL
289 <<<<<<< HEAD
290 init_dh(SSL_CTX *sctx, uschar *dhparam, host_item *host)
291 =======
292 init_dh(SSL_CTX *ctx, uschar *dhparam, host_item *host)
293 >>>>>>> Dual-tls - split management of TLS into in- and out-bound connection-handling.
294 {
295 BIO *bio;
296 DH *dh;
297 uschar *dhexpanded;
298 const char *pem;
299
300 if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded))
301 return FALSE;
302
303 if (dhexpanded == NULL || *dhexpanded == '\0')
304 {
305 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
306 }
307 else if (dhexpanded[0] == '/')
308 {
309 bio = BIO_new_file(CS dhexpanded, "r");
310 if (bio == NULL)
311 {
312 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
313 host, US strerror(errno));
314 return FALSE;
315 }
316 }
317 else
318 {
319 if (Ustrcmp(dhexpanded, "none") == 0)
320 {
321 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
322 return TRUE;
323 }
324
325 pem = std_dh_prime_named(dhexpanded);
326 if (!pem)
327 {
328 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
329 host, US strerror(errno));
330 return FALSE;
331 }
332 bio = BIO_new_mem_buf(CS pem, -1);
333 }
334
335 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
336 if (dh == NULL)
337 {
338 BIO_free(bio);
339 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
340 host, NULL);
341 return FALSE;
342 }
343
344 /* Even if it is larger, we silently return success rather than cause things
345 * to fail out, so that a too-large DH will not knock out all TLS; it's a
346 * debatable choice. */
347 if ((8*DH_size(dh)) > tls_dh_max_bits)
348 {
349 DEBUG(D_tls)
350 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d",
351 8*DH_size(dh), tls_dh_max_bits);
352 }
353 else
354 {
355 SSL_CTX_set_tmp_dh(sctx, dh);
356 DEBUG(D_tls)
357 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
358 dhexpanded ? dhexpanded : US"default", 8*DH_size(dh));
359 }
360
361 DH_free(dh);
362 BIO_free(bio);
363
364 return TRUE;
365 }
366
367
368
369
370 #ifdef EXPERIMENTAL_OCSP
371 /*************************************************
372 * Load OCSP information into state *
373 *************************************************/
374
375 /* Called to load the OCSP response from the given file into memory, once
376 caller has determined this is needed. Checks validity. Debugs a message
377 if invalid.
378
379 ASSUMES: single response, for single cert.
380
381 Arguments:
382 sctx the SSL_CTX* to update
383 cbinfo various parts of session state
384 expanded the filename putatively holding an OCSP response
385
386 */
387
388 static void
389 ocsp_load_response(SSL_CTX *sctx,
390 tls_ext_ctx_cb *cbinfo,
391 const uschar *expanded)
392 {
393 BIO *bio;
394 OCSP_RESPONSE *resp;
395 OCSP_BASICRESP *basic_response;
396 OCSP_SINGLERESP *single_response;
397 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
398 X509_STORE *store;
399 unsigned long verify_flags;
400 int status, reason, i;
401
402 cbinfo->ocsp_file_expanded = string_copy(expanded);
403 if (cbinfo->ocsp_response)
404 {
405 OCSP_RESPONSE_free(cbinfo->ocsp_response);
406 cbinfo->ocsp_response = NULL;
407 }
408
409 bio = BIO_new_file(CS cbinfo->ocsp_file_expanded, "rb");
410 if (!bio)
411 {
412 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
413 cbinfo->ocsp_file_expanded);
414 return;
415 }
416
417 resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
418 BIO_free(bio);
419 if (!resp)
420 {
421 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
422 return;
423 }
424
425 status = OCSP_response_status(resp);
426 if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL)
427 {
428 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
429 OCSP_response_status_str(status), status);
430 return;
431 }
432
433 basic_response = OCSP_response_get1_basic(resp);
434 if (!basic_response)
435 {
436 DEBUG(D_tls)
437 debug_printf("OCSP response parse error: unable to extract basic response.\n");
438 return;
439 }
440
441 store = SSL_CTX_get_cert_store(sctx);
442 verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
443
444 /* May need to expose ability to adjust those flags?
445 OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
446 OCSP_TRUSTOTHER OCSP_NOINTERN */
447
448 i = OCSP_basic_verify(basic_response, NULL, store, verify_flags);
449 if (i <= 0)
450 {
451 DEBUG(D_tls) {
452 ERR_error_string(ERR_get_error(), ssl_errstring);
453 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
454 }
455 return;
456 }
457
458 /* Here's the simplifying assumption: there's only one response, for the
459 one certificate we use, and nothing for anything else in a chain. If this
460 proves false, we need to extract a cert id from our issued cert
461 (tls_certificate) and use that for OCSP_resp_find_status() (which finds the
462 right cert in the stack and then calls OCSP_single_get0_status()).
463
464 I'm hoping to avoid reworking a bunch more of how we handle state here. */
465 single_response = OCSP_resp_get0(basic_response, 0);
466 if (!single_response)
467 {
468 DEBUG(D_tls)
469 debug_printf("Unable to get first response from OCSP basic response.\n");
470 return;
471 }
472
473 status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
474 /* how does this status differ from the one above? */
475 if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL)
476 {
477 DEBUG(D_tls) debug_printf("OCSP response not valid (take 2): %s (%d)\n",
478 OCSP_response_status_str(status), status);
479 return;
480 }
481
482 if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
483 {
484 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
485 return;
486 }
487
488 cbinfo->ocsp_response = resp;
489 }
490 #endif
491
492
493
494
495 /*************************************************
496 * Expand key and cert file specs *
497 *************************************************/
498
499 /* Called once during tls_init and possibly againt during TLS setup, for a
500 new context, if Server Name Indication was used and tls_sni was seen in
501 the certificate string.
502
503 Arguments:
504 sctx the SSL_CTX* to update
505 cbinfo various parts of session state
506
507 Returns: OK/DEFER/FAIL
508 */
509
510 static int
511 tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo)
512 {
513 uschar *expanded;
514
515 if (cbinfo->certificate == NULL)
516 return OK;
517
518 if (Ustrstr(cbinfo->certificate, US"tls_sni"))
519 reexpand_tls_files_for_sni = TRUE;
520
521 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded))
522 return DEFER;
523
524 if (expanded != NULL)
525 {
526 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded);
527 if (!SSL_CTX_use_certificate_chain_file(sctx, CS expanded))
528 return tls_error(string_sprintf(
529 "SSL_CTX_use_certificate_chain_file file=%s", expanded),
530 cbinfo->host, NULL);
531 }
532
533 if (cbinfo->privatekey != NULL &&
534 !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded))
535 return DEFER;
536
537 /* If expansion was forced to fail, key_expanded will be NULL. If the result
538 of the expansion is an empty string, ignore it also, and assume the private
539 key is in the same file as the certificate. */
540
541 if (expanded != NULL && *expanded != 0)
542 {
543 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
544 if (!SSL_CTX_use_PrivateKey_file(sctx, CS expanded, SSL_FILETYPE_PEM))
545 return tls_error(string_sprintf(
546 "SSL_CTX_use_PrivateKey_file file=%s", expanded), cbinfo->host, NULL);
547 }
548
549 #ifdef EXPERIMENTAL_OCSP
550 if (cbinfo->ocsp_file != NULL)
551 {
552 if (!expand_check(cbinfo->ocsp_file, US"tls_ocsp_file", &expanded))
553 return DEFER;
554
555 if (expanded != NULL && *expanded != 0)
556 {
557 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
558 if (cbinfo->ocsp_file_expanded &&
559 (Ustrcmp(expanded, cbinfo->ocsp_file_expanded) == 0))
560 {
561 DEBUG(D_tls)
562 debug_printf("tls_ocsp_file value unchanged, using existing values.\n");
563 } else {
564 ocsp_load_response(sctx, cbinfo, expanded);
565 }
566 }
567 }
568 #endif
569
570 return OK;
571 }
572
573
574
575
576 /*************************************************
577 * Callback to handle SNI *
578 *************************************************/
579
580 /* Called when acting as server during the TLS session setup if a Server Name
581 Indication extension was sent by the client.
582
583 API documentation is OpenSSL s_server.c implementation.
584
585 Arguments:
586 s SSL* of the current session
587 ad unknown (part of OpenSSL API) (unused)
588 arg Callback of "our" registered data
589
590 Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
591 */
592
593 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
594 static int
595 tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
596 {
597 const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
598 tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
599 int rc;
600 int old_pool = store_pool;
601
602 if (!servername)
603 return SSL_TLSEXT_ERR_OK;
604
605 DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
606 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
607
608 /* Make the extension value available for expansion */
609 store_pool = POOL_PERM;
610 tls_in.sni = string_copy(US servername);
611 store_pool = old_pool;
612
613 if (!reexpand_tls_files_for_sni)
614 return SSL_TLSEXT_ERR_OK;
615
616 /* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
617 not confident that memcpy wouldn't break some internal reference counting.
618 Especially since there's a references struct member, which would be off. */
619
620 server_sni = SSL_CTX_new(SSLv23_server_method());
621 if (!server_sni)
622 {
623 ERR_error_string(ERR_get_error(), ssl_errstring);
624 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
625 return SSL_TLSEXT_ERR_NOACK;
626 }
627
628 /* Not sure how many of these are actually needed, since SSL object
629 already exists. Might even need this selfsame callback, for reneg? */
630
631 SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
632 SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
633 SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
634 SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
635 SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
636 SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
637 if (cbinfo->server_cipher_list)
638 SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list);
639 #ifdef EXPERIMENTAL_OCSP
640 if (cbinfo->ocsp_file)
641 {
642 SSL_CTX_set_tlsext_status_cb(server_sni, tls_stapling_cb);
643 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
644 }
645 #endif
646
647 rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE);
648 if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
649
650 /* do this after setup_certs, because this can require the certs for verifying
651 OCSP information. */
652 rc = tls_expand_session_files(server_sni, cbinfo);
653 if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
654
655 rc = init_dh(ctx_sni, cbinfo->dhparam, NULL);
656 if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
657
658 DEBUG(D_tls) debug_printf("Switching SSL context.\n");
659 SSL_set_SSL_CTX(s, server_sni);
660
661 return SSL_TLSEXT_ERR_OK;
662 }
663 #endif /* EXIM_HAVE_OPENSSL_TLSEXT */
664
665
666
667
668 #ifdef EXPERIMENTAL_OCSP
669 /*************************************************
670 * Callback to handle OCSP Stapling *
671 *************************************************/
672
673 /* Called when acting as server during the TLS session setup if the client
674 requests OCSP information with a Certificate Status Request.
675
676 Documentation via openssl s_server.c and the Apache patch from the OpenSSL
677 project.
678
679 */
680
681 static int
682 tls_stapling_cb(SSL *s, void *arg)
683 {
684 const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
685 uschar *response_der;
686 int response_der_len;
687
688 DEBUG(D_tls) debug_printf("Received TLS status request (OCSP stapling); %s response.\n",
689 cbinfo->ocsp_response ? "have" : "lack");
690 if (!cbinfo->ocsp_response)
691 return SSL_TLSEXT_ERR_NOACK;
692
693 response_der = NULL;
694 response_der_len = i2d_OCSP_RESPONSE(cbinfo->ocsp_response, &response_der);
695 if (response_der_len <= 0)
696 return SSL_TLSEXT_ERR_NOACK;
697
698 SSL_set_tlsext_status_ocsp_resp(ssl, response_der, response_der_len);
699 return SSL_TLSEXT_ERR_OK;
700 }
701
702 #endif /* EXPERIMENTAL_OCSP */
703
704
705
706
707 /*************************************************
708 * Initialize for TLS *
709 *************************************************/
710
711 /* Called from both server and client code, to do preliminary initialization of
712 the library.
713
714 Arguments:
715 host connected host, if client; NULL if server
716 dhparam DH parameter file
717 certificate certificate file
718 privatekey private key
719 addr address if client; NULL if server (for some randomness)
720
721 Returns: OK/DEFER/FAIL
722 */
723
724 static int
725 tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
726 uschar *privatekey,
727 #ifdef EXPERIMENTAL_OCSP
728 uschar *ocsp_file,
729 #endif
730 address_item *addr, tls_ext_ctx_cb ** cbp)
731 {
732 long init_options;
733 int rc;
734 BOOL okay;
735 tls_ext_ctx_cb *cbinfo;
736
737 cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
738 cbinfo->certificate = certificate;
739 cbinfo->privatekey = privatekey;
740 #ifdef EXPERIMENTAL_OCSP
741 cbinfo->ocsp_file = ocsp_file;
742 #endif
743 cbinfo->dhparam = dhparam;
744 cbinfo->host = host;
745
746 SSL_load_error_strings(); /* basic set up */
747 OpenSSL_add_ssl_algorithms();
748
749 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
750 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
751 list of available digests. */
752 EVP_add_digest(EVP_sha256());
753 #endif
754
755 /* Create a context.
756 The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
757 negotiation in the different methods; as far as I can tell, the only
758 *_{server,client}_method which allows negotiation is SSLv23, which exists even
759 when OpenSSL is built without SSLv2 support.
760 By disabling with openssl_options, we can let admins re-enable with the
761 existing knob. */
762
763 *ctxp = SSL_CTX_new((host == NULL)?
764 SSLv23_server_method() : SSLv23_client_method());
765
766 if (*ctxp == NULL) return tls_error(US"SSL_CTX_new", host, NULL);
767
768 /* It turns out that we need to seed the random number generator this early in
769 order to get the full complement of ciphers to work. It took me roughly a day
770 of work to discover this by experiment.
771
772 On systems that have /dev/urandom, SSL may automatically seed itself from
773 there. Otherwise, we have to make something up as best we can. Double check
774 afterwards. */
775
776 if (!RAND_status())
777 {
778 randstuff r;
779 gettimeofday(&r.tv, NULL);
780 r.p = getpid();
781
782 RAND_seed((uschar *)(&r), sizeof(r));
783 RAND_seed((uschar *)big_buffer, big_buffer_size);
784 if (addr != NULL) RAND_seed((uschar *)addr, sizeof(addr));
785
786 if (!RAND_status())
787 return tls_error(US"RAND_status", host,
788 US"unable to seed random number generator");
789 }
790
791 /* Set up the information callback, which outputs if debugging is at a suitable
792 level. */
793
794 SSL_CTX_set_info_callback(*ctxp, (void (*)())info_callback);
795
796 /* Automatically re-try reads/writes after renegotiation. */
797 (void) SSL_CTX_set_mode(*ctxp, SSL_MODE_AUTO_RETRY);
798
799 /* Apply administrator-supplied work-arounds.
800 Historically we applied just one requested option,
801 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
802 moved to an administrator-controlled list of options to specify and
803 grandfathered in the first one as the default value for "openssl_options".
804
805 No OpenSSL version number checks: the options we accept depend upon the
806 availability of the option value macros from OpenSSL. */
807
808 okay = tls_openssl_options_parse(openssl_options, &init_options);
809 if (!okay)
810 return tls_error(US"openssl_options parsing failed", host, NULL);
811
812 if (init_options)
813 {
814 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
815 if (!(SSL_CTX_set_options(*ctxp, init_options)))
816 return tls_error(string_sprintf(
817 "SSL_CTX_set_option(%#lx)", init_options), host, NULL);
818 }
819 else
820 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
821
822 /* Initialize with DH parameters if supplied */
823
824 <<<<<<< HEAD
825 if (!init_dh(ctx, dhparam, host)) return DEFER;
826 =======
827 if (!init_dh(*ctxp, dhparam, host)) return DEFER;
828 >>>>>>> Dual-tls - split management of TLS into in- and out-bound connection-handling.
829
830 /* Set up certificate and key (and perhaps OCSP info) */
831
832 rc = tls_expand_session_files(*ctxp, cbinfo);
833 if (rc != OK) return rc;
834
835 /* If we need to handle SNI, do so */
836 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
837 if (host == NULL)
838 {
839 #ifdef EXPERIMENTAL_OCSP
840 /* We check ocsp_file, not ocsp_response, because we care about if
841 the option exists, not what the current expansion might be, as SNI might
842 change the certificate and OCSP file in use between now and the time the
843 callback is invoked. */
844 if (cbinfo->ocsp_file)
845 {
846 SSL_CTX_set_tlsext_status_cb(ctx, tls_stapling_cb);
847 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
848 }
849 #endif
850 /* We always do this, so that $tls_sni is available even if not used in
851 tls_certificate */
852 SSL_CTX_set_tlsext_servername_callback(*ctxp, tls_servername_cb);
853 SSL_CTX_set_tlsext_servername_arg(*ctxp, cbinfo);
854 }
855 #endif
856
857 /* Set up the RSA callback */
858
859 SSL_CTX_set_tmp_rsa_callback(*ctxp, rsa_callback);
860
861 /* Finally, set the timeout, and we are done */
862
863 SSL_CTX_set_timeout(*ctxp, ssl_session_timeout);
864 DEBUG(D_tls) debug_printf("Initialized TLS\n");
865
866 *cbp = cbinfo;
867
868 return OK;
869 }
870
871
872
873
874 /*************************************************
875 * Get name of cipher in use *
876 *************************************************/
877
878 /*
879 Argument: pointer to an SSL structure for the connection
880 buffer to use for answer
881 size of buffer
882 pointer to number of bits for cipher
883 Returns: nothing
884 */
885
886 static void
887 construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits)
888 {
889 /* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't
890 yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
891 the accessor functions use const in the prototype. */
892 const SSL_CIPHER *c;
893 uschar *ver;
894
895 switch (ssl->session->ssl_version)
896 {
897 case SSL2_VERSION:
898 ver = US"SSLv2";
899 break;
900
901 case SSL3_VERSION:
902 ver = US"SSLv3";
903 break;
904
905 case TLS1_VERSION:
906 ver = US"TLSv1";
907 break;
908
909 #ifdef TLS1_1_VERSION
910 case TLS1_1_VERSION:
911 ver = US"TLSv1.1";
912 break;
913 #endif
914
915 #ifdef TLS1_2_VERSION
916 case TLS1_2_VERSION:
917 ver = US"TLSv1.2";
918 break;
919 #endif
920
921 default:
922 ver = US"UNKNOWN";
923 }
924
925 c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
926 SSL_CIPHER_get_bits(c, bits);
927
928 string_format(cipherbuf, bsize, "%s:%s:%u", ver,
929 SSL_CIPHER_get_name(c), *bits);
930
931 DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
932 }
933
934
935
936
937
938 /*************************************************
939 * Set up for verifying certificates *
940 *************************************************/
941
942 /* Called by both client and server startup
943
944 Arguments:
945 sctx SSL_CTX* to initialise
946 certs certs file or NULL
947 crl CRL file or NULL
948 host NULL in a server; the remote host in a client
949 optional TRUE if called from a server for a host in tls_try_verify_hosts;
950 otherwise passed as FALSE
951
952 Returns: OK/DEFER/FAIL
953 */
954
955 static int
956 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional)
957 {
958 uschar *expcerts, *expcrl;
959
960 if (!expand_check(certs, US"tls_verify_certificates", &expcerts))
961 return DEFER;
962
963 if (expcerts != NULL)
964 {
965 struct stat statbuf;
966 if (!SSL_CTX_set_default_verify_paths(sctx))
967 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
968
969 if (Ustat(expcerts, &statbuf) < 0)
970 {
971 log_write(0, LOG_MAIN|LOG_PANIC,
972 "failed to stat %s for certificates", expcerts);
973 return DEFER;
974 }
975 else
976 {
977 uschar *file, *dir;
978 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
979 { file = NULL; dir = expcerts; }
980 else
981 { file = expcerts; dir = NULL; }
982
983 /* If a certificate file is empty, the next function fails with an
984 unhelpful error message. If we skip it, we get the correct behaviour (no
985 certificates are recognized, but the error message is still misleading (it
986 says no certificate was supplied.) But this is better. */
987
988 if ((file == NULL || statbuf.st_size > 0) &&
989 !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
990 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL);
991
992 if (file != NULL)
993 {
994 SSL_CTX_set_client_CA_list(sctx, SSL_load_client_CA_file(CS file));
995 }
996 }
997
998 /* Handle a certificate revocation list. */
999
1000 #if OPENSSL_VERSION_NUMBER > 0x00907000L
1001
1002 /* This bit of code is now the version supplied by Lars Mainka. (I have
1003 * merely reformatted it into the Exim code style.)
1004
1005 * "From here I changed the code to add support for multiple crl's
1006 * in pem format in one file or to support hashed directory entries in
1007 * pem format instead of a file. This method now uses the library function
1008 * X509_STORE_load_locations to add the CRL location to the SSL context.
1009 * OpenSSL will then handle the verify against CA certs and CRLs by
1010 * itself in the verify callback." */
1011
1012 if (!expand_check(crl, US"tls_crl", &expcrl)) return DEFER;
1013 if (expcrl != NULL && *expcrl != 0)
1014 {
1015 struct stat statbufcrl;
1016 if (Ustat(expcrl, &statbufcrl) < 0)
1017 {
1018 log_write(0, LOG_MAIN|LOG_PANIC,
1019 "failed to stat %s for certificates revocation lists", expcrl);
1020 return DEFER;
1021 }
1022 else
1023 {
1024 /* is it a file or directory? */
1025 uschar *file, *dir;
1026 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
1027 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
1028 {
1029 file = NULL;
1030 dir = expcrl;
1031 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
1032 }
1033 else
1034 {
1035 file = expcrl;
1036 dir = NULL;
1037 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
1038 }
1039 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
1040 return tls_error(US"X509_STORE_load_locations", host, NULL);
1041
1042 /* setting the flags to check against the complete crl chain */
1043
1044 X509_STORE_set_flags(cvstore,
1045 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
1046 }
1047 }
1048
1049 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
1050
1051 /* If verification is optional, don't fail if no certificate */
1052
1053 SSL_CTX_set_verify(sctx,
1054 SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
1055 verify_callback);
1056 }
1057
1058 return OK;
1059 }
1060
1061
1062
1063 /*************************************************
1064 * Start a TLS session in a server *
1065 *************************************************/
1066
1067 /* This is called when Exim is running as a server, after having received
1068 the STARTTLS command. It must respond to that command, and then negotiate
1069 a TLS session.
1070
1071 Arguments:
1072 require_ciphers allowed ciphers
1073
1074 Returns: OK on success
1075 DEFER for errors before the start of the negotiation
1076 FAIL for errors during the negotation; the server can't
1077 continue running.
1078 */
1079
1080 int
1081 tls_server_start(const uschar *require_ciphers)
1082 {
1083 int rc;
1084 uschar *expciphers;
1085 tls_ext_ctx_cb *cbinfo;
1086 static uschar cipherbuf[256];
1087
1088 /* Check for previous activation */
1089
1090 if (tls_in.active >= 0)
1091 {
1092 tls_error(US"STARTTLS received after TLS started", NULL, US"");
1093 smtp_printf("554 Already in TLS\r\n");
1094 return FAIL;
1095 }
1096
1097 /* Initialize the SSL library. If it fails, it will already have logged
1098 the error. */
1099
1100 rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
1101 #ifdef EXPERIMENTAL_OCSP
1102 tls_ocsp_file,
1103 #endif
1104 NULL, &server_static_cbinfo);
1105 if (rc != OK) return rc;
1106 cbinfo = server_static_cbinfo;
1107
1108 if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
1109 return FAIL;
1110
1111 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
1112 were historically separated by underscores. So that I can use either form in my
1113 tests, and also for general convenience, we turn underscores into hyphens here.
1114 */
1115
1116 if (expciphers != NULL)
1117 {
1118 uschar *s = expciphers;
1119 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1120 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
1121 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
1122 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL);
1123 cbinfo->server_cipher_list = expciphers;
1124 }
1125
1126 /* If this is a host for which certificate verification is mandatory or
1127 optional, set up appropriately. */
1128
1129 tls_in.certificate_verified = FALSE;
1130 verify_callback_called = FALSE;
1131
1132 if (verify_check_host(&tls_verify_hosts) == OK)
1133 {
1134 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL, FALSE);
1135 if (rc != OK) return rc;
1136 verify_optional = FALSE;
1137 }
1138 else if (verify_check_host(&tls_try_verify_hosts) == OK)
1139 {
1140 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL, TRUE);
1141 if (rc != OK) return rc;
1142 verify_optional = TRUE;
1143 }
1144
1145 /* Prepare for new connection */
1146
1147 if ((server_ssl = SSL_new(server_ctx)) == NULL) return tls_error(US"SSL_new", NULL, NULL);
1148
1149 /* Warning: we used to SSL_clear(ssl) here, it was removed.
1150 *
1151 * With the SSL_clear(), we get strange interoperability bugs with
1152 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
1153 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
1154 *
1155 * The SSL_clear() call is to let an existing SSL* be reused, typically after
1156 * session shutdown. In this case, we have a brand new object and there's no
1157 * obvious reason to immediately clear it. I'm guessing that this was
1158 * originally added because of incomplete initialisation which the clear fixed,
1159 * in some historic release.
1160 */
1161
1162 /* Set context and tell client to go ahead, except in the case of TLS startup
1163 on connection, where outputting anything now upsets the clients and tends to
1164 make them disconnect. We need to have an explicit fflush() here, to force out
1165 the response. Other smtp_printf() calls do not need it, because in non-TLS
1166 mode, the fflush() happens when smtp_getc() is called. */
1167
1168 SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
1169 if (!tls_in.on_connect)
1170 {
1171 smtp_printf("220 TLS go ahead\r\n");
1172 fflush(smtp_out);
1173 }
1174
1175 /* Now negotiate the TLS session. We put our own timer on it, since it seems
1176 that the OpenSSL library doesn't. */
1177
1178 SSL_set_wfd(server_ssl, fileno(smtp_out));
1179 SSL_set_rfd(server_ssl, fileno(smtp_in));
1180 SSL_set_accept_state(server_ssl);
1181
1182 DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
1183
1184 sigalrm_seen = FALSE;
1185 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
1186 rc = SSL_accept(server_ssl);
1187 alarm(0);
1188
1189 if (rc <= 0)
1190 {
1191 tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL);
1192 if (ERR_get_error() == 0)
1193 log_write(0, LOG_MAIN,
1194 "TLS client disconnected cleanly (rejected our certificate?)");
1195 return FAIL;
1196 }
1197
1198 DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
1199
1200 /* TLS has been set up. Adjust the input functions to read via TLS,
1201 and initialize things. */
1202
1203 construct_cipher_name(server_ssl, cipherbuf, sizeof(cipherbuf), &tls_in.bits);
1204 tls_in.cipher = cipherbuf;
1205
1206 DEBUG(D_tls)
1207 {
1208 uschar buf[2048];
1209 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)) != NULL)
1210 debug_printf("Shared ciphers: %s\n", buf);
1211 }
1212
1213
1214 /* Only used by the server-side tls (tls_in), including tls_getc.
1215 Client-side (tls_out) reads (seem to?) go via
1216 smtp_read_response()/ip_recv().
1217 Hence no need to duplicate for _in and _out.
1218 */
1219 ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
1220 ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
1221 ssl_xfer_eof = ssl_xfer_error = 0;
1222
1223 receive_getc = tls_getc;
1224 receive_ungetc = tls_ungetc;
1225 receive_feof = tls_feof;
1226 receive_ferror = tls_ferror;
1227 receive_smtp_buffered = tls_smtp_buffered;
1228
1229 tls_in.active = fileno(smtp_out);
1230 return OK;
1231 }
1232
1233
1234
1235
1236
1237 /*************************************************
1238 * Start a TLS session in a client *
1239 *************************************************/
1240
1241 /* Called from the smtp transport after STARTTLS has been accepted.
1242
1243 Argument:
1244 fd the fd of the connection
1245 host connected host (for messages)
1246 addr the first address
1247 dhparam DH parameter file
1248 certificate certificate file
1249 privatekey private key file
1250 sni TLS SNI to send to remote host
1251 verify_certs file for certificate verify
1252 crl file containing CRL
1253 require_ciphers list of allowed ciphers
1254 dh_min_bits minimum number of bits acceptable in server's DH prime
1255 (unused in OpenSSL)
1256 timeout startup timeout
1257
1258 Returns: OK on success
1259 FAIL otherwise - note that tls_error() will not give DEFER
1260 because this is not a server
1261 */
1262
1263 int
1264 tls_client_start(int fd, host_item *host, address_item *addr, uschar *dhparam,
1265 uschar *certificate, uschar *privatekey, uschar *sni,
1266 uschar *verify_certs, uschar *crl,
1267 uschar *require_ciphers, int dh_min_bits ARG_UNUSED, int timeout)
1268 {
1269 static uschar txt[256];
1270 uschar *expciphers;
1271 X509* server_cert;
1272 int rc;
1273 static uschar cipherbuf[256];
1274
1275 rc = tls_init(&client_ctx, host, dhparam, certificate, privatekey,
1276 #ifdef EXPERIMENTAL_OCSP
1277 NULL,
1278 #endif
1279 addr, &client_static_cbinfo);
1280 if (rc != OK) return rc;
1281
1282 tls_out.certificate_verified = FALSE;
1283 verify_callback_called = FALSE;
1284
1285 if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
1286 return FAIL;
1287
1288 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
1289 are separated by underscores. So that I can use either form in my tests, and
1290 also for general convenience, we turn underscores into hyphens here. */
1291
1292 if (expciphers != NULL)
1293 {
1294 uschar *s = expciphers;
1295 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1296 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
1297 if (!SSL_CTX_set_cipher_list(client_ctx, CS expciphers))
1298 return tls_error(US"SSL_CTX_set_cipher_list", host, NULL);
1299 }
1300
1301 rc = setup_certs(client_ctx, verify_certs, crl, host, FALSE);
1302 if (rc != OK) return rc;
1303
1304 if ((client_ssl = SSL_new(client_ctx)) == NULL) return tls_error(US"SSL_new", host, NULL);
1305 SSL_set_session_id_context(client_ssl, sid_ctx, Ustrlen(sid_ctx));
1306 SSL_set_fd(client_ssl, fd);
1307 SSL_set_connect_state(client_ssl);
1308
1309 if (sni)
1310 {
1311 if (!expand_check(sni, US"tls_sni", &tls_out.sni))
1312 return FAIL;
1313 if (!Ustrlen(tls_out.sni))
1314 tls_out.sni = NULL;
1315 else
1316 {
1317 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
1318 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tls_out.sni);
1319 SSL_set_tlsext_host_name(client_ssl, tls_out.sni);
1320 #else
1321 DEBUG(D_tls)
1322 debug_printf("OpenSSL at build-time lacked SNI support, ignoring \"%s\"\n",
1323 tls_sni);
1324 #endif
1325 }
1326 }
1327
1328 /* There doesn't seem to be a built-in timeout on connection. */
1329
1330 DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
1331 sigalrm_seen = FALSE;
1332 alarm(timeout);
1333 rc = SSL_connect(client_ssl);
1334 alarm(0);
1335
1336 if (rc <= 0)
1337 return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL);
1338
1339 DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
1340
1341 /* Beware anonymous ciphers which lead to server_cert being NULL */
1342 server_cert = SSL_get_peer_certificate (client_ssl);
1343 if (server_cert)
1344 {
1345 tls_out.peerdn = US X509_NAME_oneline(X509_get_subject_name(server_cert),
1346 CS txt, sizeof(txt));
1347 tls_out.peerdn = txt;
1348 }
1349 else
1350 tls_out.peerdn = NULL;
1351
1352 construct_cipher_name(client_ssl, cipherbuf, sizeof(cipherbuf), &tls_out.bits);
1353 tls_out.cipher = cipherbuf;
1354
1355 tls_out.active = fd;
1356 return OK;
1357 }
1358
1359
1360
1361
1362
1363 /*************************************************
1364 * TLS version of getc *
1365 *************************************************/
1366
1367 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
1368 it refills the buffer via the SSL reading function.
1369
1370 Arguments: none
1371 Returns: the next character or EOF
1372
1373 Only used by the server-side TLS.
1374 */
1375
1376 int
1377 tls_getc(void)
1378 {
1379 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
1380 {
1381 int error;
1382 int inbytes;
1383
1384 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
1385 ssl_xfer_buffer, ssl_xfer_buffer_size);
1386
1387 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
1388 inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer, ssl_xfer_buffer_size);
1389 error = SSL_get_error(server_ssl, inbytes);
1390 alarm(0);
1391
1392 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
1393 closed down, not that the socket itself has been closed down. Revert to
1394 non-SSL handling. */
1395
1396 if (error == SSL_ERROR_ZERO_RETURN)
1397 {
1398 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
1399
1400 receive_getc = smtp_getc;
1401 receive_ungetc = smtp_ungetc;
1402 receive_feof = smtp_feof;
1403 receive_ferror = smtp_ferror;
1404 receive_smtp_buffered = smtp_buffered;
1405
1406 SSL_free(server_ssl);
1407 server_ssl = NULL;
1408 tls_in.active = -1;
1409 tls_in.bits = 0;
1410 tls_in.cipher = NULL;
1411 tls_in.peerdn = NULL;
1412 tls_in.sni = NULL;
1413
1414 return smtp_getc();
1415 }
1416
1417 /* Handle genuine errors */
1418
1419 else if (error == SSL_ERROR_SSL)
1420 {
1421 ERR_error_string(ERR_get_error(), ssl_errstring);
1422 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
1423 ssl_xfer_error = 1;
1424 return EOF;
1425 }
1426
1427 else if (error != SSL_ERROR_NONE)
1428 {
1429 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
1430 ssl_xfer_error = 1;
1431 return EOF;
1432 }
1433
1434 #ifndef DISABLE_DKIM
1435 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
1436 #endif
1437 ssl_xfer_buffer_hwm = inbytes;
1438 ssl_xfer_buffer_lwm = 0;
1439 }
1440
1441 /* Something in the buffer; return next uschar */
1442
1443 return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
1444 }
1445
1446
1447
1448 /*************************************************
1449 * Read bytes from TLS channel *
1450 *************************************************/
1451
1452 /*
1453 Arguments:
1454 buff buffer of data
1455 len size of buffer
1456
1457 Returns: the number of bytes read
1458 -1 after a failed read
1459
1460 Only used by the client-side TLS.
1461 */
1462
1463 int
1464 tls_read(uschar *buff, size_t len)
1465 {
1466 int inbytes;
1467 int error;
1468
1469 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", client_ssl,
1470 buff, (unsigned int)len);
1471
1472 inbytes = SSL_read(client_ssl, CS buff, len);
1473 error = SSL_get_error(client_ssl, inbytes);
1474
1475 if (error == SSL_ERROR_ZERO_RETURN)
1476 {
1477 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
1478 return -1;
1479 }
1480 else if (error != SSL_ERROR_NONE)
1481 {
1482 return -1;
1483 }
1484
1485 return inbytes;
1486 }
1487
1488
1489
1490
1491
1492 /*************************************************
1493 * Write bytes down TLS channel *
1494 *************************************************/
1495
1496 /*
1497 Arguments:
1498 is_server channel specifier
1499 buff buffer of data
1500 len number of bytes
1501
1502 Returns: the number of bytes after a successful write,
1503 -1 after a failed write
1504
1505 Used by both server-side and client-side TLS.
1506 */
1507
1508 int
1509 tls_write(BOOL is_server, const uschar *buff, size_t len)
1510 {
1511 int outbytes;
1512 int error;
1513 int left = len;
1514 SSL *ssl = is_server ? server_ssl : client_ssl;
1515
1516 DEBUG(D_tls) debug_printf("tls_do_write(%p, %d)\n", buff, left);
1517 while (left > 0)
1518 {
1519 DEBUG(D_tls) debug_printf("SSL_write(SSL, %p, %d)\n", buff, left);
1520 outbytes = SSL_write(ssl, CS buff, left);
1521 error = SSL_get_error(ssl, outbytes);
1522 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
1523 switch (error)
1524 {
1525 case SSL_ERROR_SSL:
1526 ERR_error_string(ERR_get_error(), ssl_errstring);
1527 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
1528 return -1;
1529
1530 case SSL_ERROR_NONE:
1531 left -= outbytes;
1532 buff += outbytes;
1533 break;
1534
1535 case SSL_ERROR_ZERO_RETURN:
1536 log_write(0, LOG_MAIN, "SSL channel closed on write");
1537 return -1;
1538
1539 case SSL_ERROR_SYSCALL:
1540 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
1541 sender_fullhost ? sender_fullhost : US"<unknown>",
1542 strerror(errno));
1543
1544 default:
1545 log_write(0, LOG_MAIN, "SSL_write error %d", error);
1546 return -1;
1547 }
1548 }
1549 return len;
1550 }
1551
1552
1553
1554 /*************************************************
1555 * Close down a TLS session *
1556 *************************************************/
1557
1558 /* This is also called from within a delivery subprocess forked from the
1559 daemon, to shut down the TLS library, without actually doing a shutdown (which
1560 would tamper with the SSL session in the parent process).
1561
1562 Arguments: TRUE if SSL_shutdown is to be called
1563 Returns: nothing
1564
1565 Used by both server-side and client-side TLS.
1566 */
1567
1568 void
1569 tls_close(BOOL is_server, BOOL shutdown)
1570 {
1571 SSL **sslp = is_server ? &server_ssl : &client_ssl;
1572
1573 if (*fdp < 0) return; /* TLS was not active */
1574
1575 if (shutdown)
1576 {
1577 DEBUG(D_tls) debug_printf("tls_close(): shutting down SSL\n");
1578 SSL_shutdown(*sslp);
1579 }
1580
1581 SSL_free(*sslp);
1582 *sslp = NULL;
1583
1584 *fdp = -1;
1585 }
1586
1587
1588
1589
1590 /*************************************************
1591 * Let tls_require_ciphers be checked at startup *
1592 *************************************************/
1593
1594 /* The tls_require_ciphers option, if set, must be something which the
1595 library can parse.
1596
1597 Returns: NULL on success, or error message
1598 */
1599
1600 uschar *
1601 tls_validate_require_cipher(void)
1602 {
1603 SSL_CTX *ctx;
1604 uschar *s, *expciphers, *err;
1605
1606 /* this duplicates from tls_init(), we need a better "init just global
1607 state, for no specific purpose" singleton function of our own */
1608
1609 SSL_load_error_strings();
1610 OpenSSL_add_ssl_algorithms();
1611 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
1612 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
1613 list of available digests. */
1614 EVP_add_digest(EVP_sha256());
1615 #endif
1616
1617 if (!(tls_require_ciphers && *tls_require_ciphers))
1618 return NULL;
1619
1620 if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers))
1621 return US"failed to expand tls_require_ciphers";
1622
1623 if (!(expciphers && *expciphers))
1624 return NULL;
1625
1626 /* normalisation ripped from above */
1627 s = expciphers;
1628 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1629
1630 err = NULL;
1631
1632 ctx = SSL_CTX_new(SSLv23_server_method());
1633 if (!ctx)
1634 {
1635 ERR_error_string(ERR_get_error(), ssl_errstring);
1636 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
1637 }
1638
1639 DEBUG(D_tls)
1640 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
1641
1642 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
1643 {
1644 ERR_error_string(ERR_get_error(), ssl_errstring);
1645 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed", expciphers);
1646 }
1647
1648 SSL_CTX_free(ctx);
1649
1650 return err;
1651 }
1652
1653
1654
1655
1656 /*************************************************
1657 * Report the library versions. *
1658 *************************************************/
1659
1660 /* There have historically been some issues with binary compatibility in
1661 OpenSSL libraries; if Exim (like many other applications) is built against
1662 one version of OpenSSL but the run-time linker picks up another version,
1663 it can result in serious failures, including crashing with a SIGSEGV. So
1664 report the version found by the compiler and the run-time version.
1665
1666 Arguments: a FILE* to print the results to
1667 Returns: nothing
1668 */
1669
1670 void
1671 tls_version_report(FILE *f)
1672 {
1673 fprintf(f, "Library version: OpenSSL: Compile: %s\n"
1674 " Runtime: %s\n",
1675 OPENSSL_VERSION_TEXT,
1676 SSLeay_version(SSLEAY_VERSION));
1677 }
1678
1679
1680
1681
1682 /*************************************************
1683 * Random number generation *
1684 *************************************************/
1685
1686 /* Pseudo-random number generation. The result is not expected to be
1687 cryptographically strong but not so weak that someone will shoot themselves
1688 in the foot using it as a nonce in input in some email header scheme or
1689 whatever weirdness they'll twist this into. The result should handle fork()
1690 and avoid repeating sequences. OpenSSL handles that for us.
1691
1692 Arguments:
1693 max range maximum
1694 Returns a random number in range [0, max-1]
1695 */
1696
1697 int
1698 vaguely_random_number(int max)
1699 {
1700 unsigned int r;
1701 int i, needed_len;
1702 uschar *p;
1703 uschar smallbuf[sizeof(r)];
1704
1705 if (max <= 1)
1706 return 0;
1707
1708 /* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
1709 if (!RAND_status())
1710 {
1711 randstuff r;
1712 gettimeofday(&r.tv, NULL);
1713 r.p = getpid();
1714
1715 RAND_seed((uschar *)(&r), sizeof(r));
1716 }
1717 /* We're after pseudo-random, not random; if we still don't have enough data
1718 in the internal PRNG then our options are limited. We could sleep and hope
1719 for entropy to come along (prayer technique) but if the system is so depleted
1720 in the first place then something is likely to just keep taking it. Instead,
1721 we'll just take whatever little bit of pseudo-random we can still manage to
1722 get. */
1723
1724 needed_len = sizeof(r);
1725 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
1726 asked for a number less than 10. */
1727 for (r = max, i = 0; r; ++i)
1728 r >>= 1;
1729 i = (i + 7) / 8;
1730 if (i < needed_len)
1731 needed_len = i;
1732
1733 /* We do not care if crypto-strong */
1734 i = RAND_pseudo_bytes(smallbuf, needed_len);
1735 if (i < 0)
1736 {
1737 DEBUG(D_all)
1738 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
1739 return vaguely_random_number_fallback(max);
1740 }
1741
1742 r = 0;
1743 for (p = smallbuf; needed_len; --needed_len, ++p)
1744 {
1745 r *= 256;
1746 r += *p;
1747 }
1748
1749 /* We don't particularly care about weighted results; if someone wants
1750 smooth distribution and cares enough then they should submit a patch then. */
1751 return r % max;
1752 }
1753
1754
1755
1756
1757 /*************************************************
1758 * OpenSSL option parse *
1759 *************************************************/
1760
1761 /* Parse one option for tls_openssl_options_parse below
1762
1763 Arguments:
1764 name one option name
1765 value place to store a value for it
1766 Returns success or failure in parsing
1767 */
1768
1769 struct exim_openssl_option {
1770 uschar *name;
1771 long value;
1772 };
1773 /* We could use a macro to expand, but we need the ifdef and not all the
1774 options document which version they were introduced in. Policylet: include
1775 all options unless explicitly for DTLS, let the administrator choose which
1776 to apply.
1777
1778 This list is current as of:
1779 ==> 1.0.1b <== */
1780 static struct exim_openssl_option exim_openssl_options[] = {
1781 /* KEEP SORTED ALPHABETICALLY! */
1782 #ifdef SSL_OP_ALL
1783 { US"all", SSL_OP_ALL },
1784 #endif
1785 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
1786 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
1787 #endif
1788 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
1789 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
1790 #endif
1791 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
1792 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
1793 #endif
1794 #ifdef SSL_OP_EPHEMERAL_RSA
1795 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
1796 #endif
1797 #ifdef SSL_OP_LEGACY_SERVER_CONNECT
1798 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
1799 #endif
1800 #ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
1801 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
1802 #endif
1803 #ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
1804 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
1805 #endif
1806 #ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
1807 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
1808 #endif
1809 #ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
1810 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
1811 #endif
1812 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
1813 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
1814 #endif
1815 #ifdef SSL_OP_NO_COMPRESSION
1816 { US"no_compression", SSL_OP_NO_COMPRESSION },
1817 #endif
1818 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1819 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
1820 #endif
1821 #ifdef SSL_OP_NO_SSLv2
1822 { US"no_sslv2", SSL_OP_NO_SSLv2 },
1823 #endif
1824 #ifdef SSL_OP_NO_SSLv3
1825 { US"no_sslv3", SSL_OP_NO_SSLv3 },
1826 #endif
1827 #ifdef SSL_OP_NO_TICKET
1828 { US"no_ticket", SSL_OP_NO_TICKET },
1829 #endif
1830 #ifdef SSL_OP_NO_TLSv1
1831 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
1832 #endif
1833 #ifdef SSL_OP_NO_TLSv1_1
1834 #if SSL_OP_NO_TLSv1_1 == 0x00000400L
1835 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
1836 #warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
1837 #else
1838 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
1839 #endif
1840 #endif
1841 #ifdef SSL_OP_NO_TLSv1_2
1842 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
1843 #endif
1844 #ifdef SSL_OP_SINGLE_DH_USE
1845 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
1846 #endif
1847 #ifdef SSL_OP_SINGLE_ECDH_USE
1848 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
1849 #endif
1850 #ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
1851 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
1852 #endif
1853 #ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
1854 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
1855 #endif
1856 #ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
1857 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
1858 #endif
1859 #ifdef SSL_OP_TLS_D5_BUG
1860 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
1861 #endif
1862 #ifdef SSL_OP_TLS_ROLLBACK_BUG
1863 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
1864 #endif
1865 };
1866 static int exim_openssl_options_size =
1867 sizeof(exim_openssl_options)/sizeof(struct exim_openssl_option);
1868
1869
1870 static BOOL
1871 tls_openssl_one_option_parse(uschar *name, long *value)
1872 {
1873 int first = 0;
1874 int last = exim_openssl_options_size;
1875 while (last > first)
1876 {
1877 int middle = (first + last)/2;
1878 int c = Ustrcmp(name, exim_openssl_options[middle].name);
1879 if (c == 0)
1880 {
1881 *value = exim_openssl_options[middle].value;
1882 return TRUE;
1883 }
1884 else if (c > 0)
1885 first = middle + 1;
1886 else
1887 last = middle;
1888 }
1889 return FALSE;
1890 }
1891
1892
1893
1894
1895 /*************************************************
1896 * OpenSSL option parsing logic *
1897 *************************************************/
1898
1899 /* OpenSSL has a number of compatibility options which an administrator might
1900 reasonably wish to set. Interpret a list similarly to decode_bits(), so that
1901 we look like log_selector.
1902
1903 Arguments:
1904 option_spec the administrator-supplied string of options
1905 results ptr to long storage for the options bitmap
1906 Returns success or failure
1907 */
1908
1909 BOOL
1910 tls_openssl_options_parse(uschar *option_spec, long *results)
1911 {
1912 long result, item;
1913 uschar *s, *end;
1914 uschar keep_c;
1915 BOOL adding, item_parsed;
1916
1917 result = 0L;
1918 /* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
1919 * from default because it increases BEAST susceptibility. */
1920 #ifdef SSL_OP_NO_SSLv2
1921 result |= SSL_OP_NO_SSLv2;
1922 #endif
1923
1924 if (option_spec == NULL)
1925 {
1926 *results = result;
1927 return TRUE;
1928 }
1929
1930 for (s=option_spec; *s != '\0'; /**/)
1931 {
1932 while (isspace(*s)) ++s;
1933 if (*s == '\0')
1934 break;
1935 if (*s != '+' && *s != '-')
1936 {
1937 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
1938 "+ or - expected but found \"%s\"\n", s);
1939 return FALSE;
1940 }
1941 adding = *s++ == '+';
1942 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
1943 keep_c = *end;
1944 *end = '\0';
1945 item_parsed = tls_openssl_one_option_parse(s, &item);
1946 if (!item_parsed)
1947 {
1948 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
1949 return FALSE;
1950 }
1951 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
1952 adding ? "adding" : "removing", result, item, s);
1953 if (adding)
1954 result |= item;
1955 else
1956 result &= ~item;
1957 *end = keep_c;
1958 s = end;
1959 }
1960
1961 *results = result;
1962 return TRUE;
1963 }
1964
1965 /* End of tls-openssl.c */
Unnamed repository; edit this file 'description' to name the repository.