projects / exim.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Add an openssl_options main configuration option, to allow administrators to
[exim.git] / src / src / tls-openssl.c
1 /* $Cambridge: exim/src/src/tls-openssl.c,v 1.23 2010/06/05 09:10:10 pdp Exp $ */
2
3 /*************************************************
4 * Exim - an Internet mail transport agent *
5 *************************************************/
6
7 /* Copyright (c) University of Cambridge 1995 - 2009 */
8 /* See the file NOTICE for conditions of use and distribution. */
9
10 /* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11 library. It is #included into the tls.c file when that library is used. The
12 code herein is based on a patch that was originally contributed by Steve
13 Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
14
15 No cryptographic code is included in Exim. All this module does is to call
16 functions from the OpenSSL library. */
17
18
19 /* Heading stuff */
20
21 #include <openssl/lhash.h>
22 #include <openssl/ssl.h>
23 #include <openssl/err.h>
24 #include <openssl/rand.h>
25
26 /* Structure for collecting random data for seeding. */
27
28 typedef struct randstuff {
29 struct timeval tv;
30 pid_t p;
31 } randstuff;
32
33 /* Local static variables */
34
35 static BOOL verify_callback_called = FALSE;
36 static const uschar *sid_ctx = US"exim";
37
38 static SSL_CTX *ctx = NULL;
39 static SSL *ssl = NULL;
40
41 static char ssl_errstring[256];
42
43 static int ssl_session_timeout = 200;
44 static BOOL verify_optional = FALSE;
45
46
47
48
49
50 /*************************************************
51 * Handle TLS error *
52 *************************************************/
53
54 /* Called from lots of places when errors occur before actually starting to do
55 the TLS handshake, that is, while the session is still in clear. Always returns
56 DEFER for a server and FAIL for a client so that most calls can use "return
57 tls_error(...)" to do this processing and then give an appropriate return. A
58 single function is used for both server and client, because it is called from
59 some shared functions.
60
61 Argument:
62 prefix text to include in the logged error
63 host NULL if setting up a server;
64 the connected host if setting up a client
65 msg error message or NULL if we should ask OpenSSL
66
67 Returns: OK/DEFER/FAIL
68 */
69
70 static int
71 tls_error(uschar *prefix, host_item *host, uschar *msg)
72 {
73 if (msg == NULL)
74 {
75 ERR_error_string(ERR_get_error(), ssl_errstring);
76 msg = (uschar *)ssl_errstring;
77 }
78
79 if (host == NULL)
80 {
81 uschar *conn_info = smtp_get_connection_info();
82 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0)
83 conn_info += 5;
84 log_write(0, LOG_MAIN, "TLS error on %s (%s): %s",
85 conn_info, prefix, msg);
86 return DEFER;
87 }
88 else
89 {
90 log_write(0, LOG_MAIN, "TLS error on connection to %s [%s] (%s): %s",
91 host->name, host->address, prefix, msg);
92 return FAIL;
93 }
94 }
95
96
97
98 /*************************************************
99 * Callback to generate RSA key *
100 *************************************************/
101
102 /*
103 Arguments:
104 s SSL connection
105 export not used
106 keylength keylength
107
108 Returns: pointer to generated key
109 */
110
111 static RSA *
112 rsa_callback(SSL *s, int export, int keylength)
113 {
114 RSA *rsa_key;
115 export = export; /* Shut picky compilers up */
116 DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
117 rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL);
118 if (rsa_key == NULL)
119 {
120 ERR_error_string(ERR_get_error(), ssl_errstring);
121 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
122 ssl_errstring);
123 return NULL;
124 }
125 return rsa_key;
126 }
127
128
129
130
131 /*************************************************
132 * Callback for verification *
133 *************************************************/
134
135 /* The SSL library does certificate verification if set up to do so. This
136 callback has the current yes/no state is in "state". If verification succeeded,
137 we set up the tls_peerdn string. If verification failed, what happens depends
138 on whether the client is required to present a verifiable certificate or not.
139
140 If verification is optional, we change the state to yes, but still log the
141 verification error. For some reason (it really would help to have proper
142 documentation of OpenSSL), this callback function then gets called again, this
143 time with state = 1. In fact, that's useful, because we can set up the peerdn
144 value, but we must take care not to set the private verified flag on the second
145 time through.
146
147 Note: this function is not called if the client fails to present a certificate
148 when asked. We get here only if a certificate has been received. Handling of
149 optional verification for this case is done when requesting SSL to verify, by
150 setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
151
152 Arguments:
153 state current yes/no state as 1/0
154 x509ctx certificate information.
155
156 Returns: 1 if verified, 0 if not
157 */
158
159 static int
160 verify_callback(int state, X509_STORE_CTX *x509ctx)
161 {
162 static uschar txt[256];
163
164 X509_NAME_oneline(X509_get_subject_name(x509ctx->current_cert),
165 CS txt, sizeof(txt));
166
167 if (state == 0)
168 {
169 log_write(0, LOG_MAIN, "SSL verify error: depth=%d error=%s cert=%s",
170 x509ctx->error_depth,
171 X509_verify_cert_error_string(x509ctx->error),
172 txt);
173 tls_certificate_verified = FALSE;
174 verify_callback_called = TRUE;
175 if (!verify_optional) return 0; /* reject */
176 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
177 "tls_try_verify_hosts)\n");
178 return 1; /* accept */
179 }
180
181 if (x509ctx->error_depth != 0)
182 {
183 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d cert=%s\n",
184 x509ctx->error_depth, txt);
185 }
186 else
187 {
188 DEBUG(D_tls) debug_printf("SSL%s peer: %s\n",
189 verify_callback_called? "" : " authenticated", txt);
190 tls_peerdn = txt;
191 }
192
193 if (!verify_callback_called) tls_certificate_verified = TRUE;
194 verify_callback_called = TRUE;
195
196 return 1; /* accept */
197 }
198
199
200
201 /*************************************************
202 * Information callback *
203 *************************************************/
204
205 /* The SSL library functions call this from time to time to indicate what they
206 are doing. We copy the string to the debugging output when the level is high
207 enough.
208
209 Arguments:
210 s the SSL connection
211 where
212 ret
213
214 Returns: nothing
215 */
216
217 static void
218 info_callback(SSL *s, int where, int ret)
219 {
220 where = where;
221 ret = ret;
222 DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
223 }
224
225
226
227 /*************************************************
228 * Initialize for DH *
229 *************************************************/
230
231 /* If dhparam is set, expand it, and load up the parameters for DH encryption.
232
233 Arguments:
234 dhparam DH parameter file
235 host connected host, if client; NULL if server
236
237 Returns: TRUE if OK (nothing to set up, or setup worked)
238 */
239
240 static BOOL
241 init_dh(uschar *dhparam, host_item *host)
242 {
243 BOOL yield = TRUE;
244 BIO *bio;
245 DH *dh;
246 uschar *dhexpanded;
247
248 if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded))
249 return FALSE;
250
251 if (dhexpanded == NULL) return TRUE;
252
253 if ((bio = BIO_new_file(CS dhexpanded, "r")) == NULL)
254 {
255 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
256 host, (uschar *)strerror(errno));
257 yield = FALSE;
258 }
259 else
260 {
261 if ((dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)) == NULL)
262 {
263 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
264 host, NULL);
265 yield = FALSE;
266 }
267 else
268 {
269 SSL_CTX_set_tmp_dh(ctx, dh);
270 DEBUG(D_tls)
271 debug_printf("Diffie-Hellman initialized from %s with %d-bit key\n",
272 dhexpanded, 8*DH_size(dh));
273 DH_free(dh);
274 }
275 BIO_free(bio);
276 }
277
278 return yield;
279 }
280
281
282
283
284 /*************************************************
285 * Initialize for TLS *
286 *************************************************/
287
288 /* Called from both server and client code, to do preliminary initialization of
289 the library.
290
291 Arguments:
292 host connected host, if client; NULL if server
293 dhparam DH parameter file
294 certificate certificate file
295 privatekey private key
296 addr address if client; NULL if server (for some randomness)
297
298 Returns: OK/DEFER/FAIL
299 */
300
301 static int
302 tls_init(host_item *host, uschar *dhparam, uschar *certificate,
303 uschar *privatekey, address_item *addr)
304 {
305 long init_options;
306 BOOL okay;
307
308 SSL_load_error_strings(); /* basic set up */
309 OpenSSL_add_ssl_algorithms();
310
311 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
312 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
313 list of available digests. */
314 EVP_add_digest(EVP_sha256());
315 #endif
316
317 /* Create a context */
318
319 ctx = SSL_CTX_new((host == NULL)?
320 SSLv23_server_method() : SSLv23_client_method());
321
322 if (ctx == NULL) return tls_error(US"SSL_CTX_new", host, NULL);
323
324 /* It turns out that we need to seed the random number generator this early in
325 order to get the full complement of ciphers to work. It took me roughly a day
326 of work to discover this by experiment.
327
328 On systems that have /dev/urandom, SSL may automatically seed itself from
329 there. Otherwise, we have to make something up as best we can. Double check
330 afterwards. */
331
332 if (!RAND_status())
333 {
334 randstuff r;
335 gettimeofday(&r.tv, NULL);
336 r.p = getpid();
337
338 RAND_seed((uschar *)(&r), sizeof(r));
339 RAND_seed((uschar *)big_buffer, big_buffer_size);
340 if (addr != NULL) RAND_seed((uschar *)addr, sizeof(addr));
341
342 if (!RAND_status())
343 return tls_error(US"RAND_status", host,
344 US"unable to seed random number generator");
345 }
346
347 /* Set up the information callback, which outputs if debugging is at a suitable
348 level. */
349
350 SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
351
352 /* Apply administrator-supplied work-arounds.
353 Historically we applied just one requested option,
354 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
355 moved to an administrator-controlled list of options to specify and
356 grandfathered in the first one as the default value for "openssl_options".
357
358 No OpenSSL version number checks: the options we accept depend upon the
359 availability of the option value macros from OpenSSL. */
360
361 okay = tls_openssl_options_parse(openssl_options, &init_options);
362 if (!okay)
363 return tls_error("openssl_options parsing failed", host, NULL);
364
365 if (init_options)
366 {
367 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
368 if (!(SSL_CTX_set_options(ctx, init_options)))
369 return tls_error(string_sprintf(
370 "SSL_CTX_set_option(%#lx)", init_options), host, NULL);
371 }
372 else
373 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
374
375 /* Initialize with DH parameters if supplied */
376
377 if (!init_dh(dhparam, host)) return DEFER;
378
379 /* Set up certificate and key */
380
381 if (certificate != NULL)
382 {
383 uschar *expanded;
384 if (!expand_check(certificate, US"tls_certificate", &expanded))
385 return DEFER;
386
387 if (expanded != NULL)
388 {
389 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded);
390 if (!SSL_CTX_use_certificate_chain_file(ctx, CS expanded))
391 return tls_error(string_sprintf(
392 "SSL_CTX_use_certificate_chain_file file=%s", expanded), host, NULL);
393 }
394
395 if (privatekey != NULL &&
396 !expand_check(privatekey, US"tls_privatekey", &expanded))
397 return DEFER;
398
399 /* If expansion was forced to fail, key_expanded will be NULL. If the result
400 of the expansion is an empty string, ignore it also, and assume the private
401 key is in the same file as the certificate. */
402
403 if (expanded != NULL && *expanded != 0)
404 {
405 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
406 if (!SSL_CTX_use_PrivateKey_file(ctx, CS expanded, SSL_FILETYPE_PEM))
407 return tls_error(string_sprintf(
408 "SSL_CTX_use_PrivateKey_file file=%s", expanded), host, NULL);
409 }
410 }
411
412 /* Set up the RSA callback */
413
414 SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
415
416 /* Finally, set the timeout, and we are done */
417
418 SSL_CTX_set_timeout(ctx, ssl_session_timeout);
419 DEBUG(D_tls) debug_printf("Initialized TLS\n");
420 return OK;
421 }
422
423
424
425
426 /*************************************************
427 * Get name of cipher in use *
428 *************************************************/
429
430 /* The answer is left in a static buffer, and tls_cipher is set to point
431 to it.
432
433 Argument: pointer to an SSL structure for the connection
434 Returns: nothing
435 */
436
437 static void
438 construct_cipher_name(SSL *ssl)
439 {
440 static uschar cipherbuf[256];
441 SSL_CIPHER *c;
442 uschar *ver;
443 int bits;
444
445 switch (ssl->session->ssl_version)
446 {
447 case SSL2_VERSION:
448 ver = US"SSLv2";
449 break;
450
451 case SSL3_VERSION:
452 ver = US"SSLv3";
453 break;
454
455 case TLS1_VERSION:
456 ver = US"TLSv1";
457 break;
458
459 default:
460 ver = US"UNKNOWN";
461 }
462
463 c = SSL_get_current_cipher(ssl);
464 SSL_CIPHER_get_bits(c, &bits);
465
466 string_format(cipherbuf, sizeof(cipherbuf), "%s:%s:%u", ver,
467 SSL_CIPHER_get_name(c), bits);
468 tls_cipher = cipherbuf;
469
470 DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
471 }
472
473
474
475
476
477 /*************************************************
478 * Set up for verifying certificates *
479 *************************************************/
480
481 /* Called by both client and server startup
482
483 Arguments:
484 certs certs file or NULL
485 crl CRL file or NULL
486 host NULL in a server; the remote host in a client
487 optional TRUE if called from a server for a host in tls_try_verify_hosts;
488 otherwise passed as FALSE
489
490 Returns: OK/DEFER/FAIL
491 */
492
493 static int
494 setup_certs(uschar *certs, uschar *crl, host_item *host, BOOL optional)
495 {
496 uschar *expcerts, *expcrl;
497
498 if (!expand_check(certs, US"tls_verify_certificates", &expcerts))
499 return DEFER;
500
501 if (expcerts != NULL)
502 {
503 struct stat statbuf;
504 if (!SSL_CTX_set_default_verify_paths(ctx))
505 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
506
507 if (Ustat(expcerts, &statbuf) < 0)
508 {
509 log_write(0, LOG_MAIN|LOG_PANIC,
510 "failed to stat %s for certificates", expcerts);
511 return DEFER;
512 }
513 else
514 {
515 uschar *file, *dir;
516 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
517 { file = NULL; dir = expcerts; }
518 else
519 { file = expcerts; dir = NULL; }
520
521 /* If a certificate file is empty, the next function fails with an
522 unhelpful error message. If we skip it, we get the correct behaviour (no
523 certificates are recognized, but the error message is still misleading (it
524 says no certificate was supplied.) But this is better. */
525
526 if ((file == NULL || statbuf.st_size > 0) &&
527 !SSL_CTX_load_verify_locations(ctx, CS file, CS dir))
528 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL);
529
530 if (file != NULL)
531 {
532 SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CS file));
533 }
534 }
535
536 /* Handle a certificate revocation list. */
537
538 #if OPENSSL_VERSION_NUMBER > 0x00907000L
539
540 /* This bit of code is now the version supplied by Lars Mainka. (I have
541 * merely reformatted it into the Exim code style.)
542
543 * "From here I changed the code to add support for multiple crl's
544 * in pem format in one file or to support hashed directory entries in
545 * pem format instead of a file. This method now uses the library function
546 * X509_STORE_load_locations to add the CRL location to the SSL context.
547 * OpenSSL will then handle the verify against CA certs and CRLs by
548 * itself in the verify callback." */
549
550 if (!expand_check(crl, US"tls_crl", &expcrl)) return DEFER;
551 if (expcrl != NULL && *expcrl != 0)
552 {
553 struct stat statbufcrl;
554 if (Ustat(expcrl, &statbufcrl) < 0)
555 {
556 log_write(0, LOG_MAIN|LOG_PANIC,
557 "failed to stat %s for certificates revocation lists", expcrl);
558 return DEFER;
559 }
560 else
561 {
562 /* is it a file or directory? */
563 uschar *file, *dir;
564 X509_STORE *cvstore = SSL_CTX_get_cert_store(ctx);
565 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
566 {
567 file = NULL;
568 dir = expcrl;
569 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
570 }
571 else
572 {
573 file = expcrl;
574 dir = NULL;
575 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
576 }
577 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
578 return tls_error(US"X509_STORE_load_locations", host, NULL);
579
580 /* setting the flags to check against the complete crl chain */
581
582 X509_STORE_set_flags(cvstore,
583 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
584 }
585 }
586
587 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
588
589 /* If verification is optional, don't fail if no certificate */
590
591 SSL_CTX_set_verify(ctx,
592 SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
593 verify_callback);
594 }
595
596 return OK;
597 }
598
599
600
601 /*************************************************
602 * Start a TLS session in a server *
603 *************************************************/
604
605 /* This is called when Exim is running as a server, after having received
606 the STARTTLS command. It must respond to that command, and then negotiate
607 a TLS session.
608
609 Arguments:
610 require_ciphers allowed ciphers
611 ------------------------------------------------------
612 require_mac list of allowed MACs ) Not used
613 require_kx list of allowed key_exchange methods ) for
614 require_proto list of allowed protocols ) OpenSSL
615 ------------------------------------------------------
616
617 Returns: OK on success
618 DEFER for errors before the start of the negotiation
619 FAIL for errors during the negotation; the server can't
620 continue running.
621 */
622
623 int
624 tls_server_start(uschar *require_ciphers, uschar *require_mac,
625 uschar *require_kx, uschar *require_proto)
626 {
627 int rc;
628 uschar *expciphers;
629
630 /* Check for previous activation */
631
632 if (tls_active >= 0)
633 {
634 tls_error(US"STARTTLS received after TLS started", NULL, US"");
635 smtp_printf("554 Already in TLS\r\n");
636 return FAIL;
637 }
638
639 /* Initialize the SSL library. If it fails, it will already have logged
640 the error. */
641
642 rc = tls_init(NULL, tls_dhparam, tls_certificate, tls_privatekey, NULL);
643 if (rc != OK) return rc;
644
645 if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
646 return FAIL;
647
648 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
649 are separated by underscores. So that I can use either form in my tests, and
650 also for general convenience, we turn underscores into hyphens here. */
651
652 if (expciphers != NULL)
653 {
654 uschar *s = expciphers;
655 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
656 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
657 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
658 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL);
659 }
660
661 /* If this is a host for which certificate verification is mandatory or
662 optional, set up appropriately. */
663
664 tls_certificate_verified = FALSE;
665 verify_callback_called = FALSE;
666
667 if (verify_check_host(&tls_verify_hosts) == OK)
668 {
669 rc = setup_certs(tls_verify_certificates, tls_crl, NULL, FALSE);
670 if (rc != OK) return rc;
671 verify_optional = FALSE;
672 }
673 else if (verify_check_host(&tls_try_verify_hosts) == OK)
674 {
675 rc = setup_certs(tls_verify_certificates, tls_crl, NULL, TRUE);
676 if (rc != OK) return rc;
677 verify_optional = TRUE;
678 }
679
680 /* Prepare for new connection */
681
682 if ((ssl = SSL_new(ctx)) == NULL) return tls_error(US"SSL_new", NULL, NULL);
683 SSL_clear(ssl);
684
685 /* Set context and tell client to go ahead, except in the case of TLS startup
686 on connection, where outputting anything now upsets the clients and tends to
687 make them disconnect. We need to have an explicit fflush() here, to force out
688 the response. Other smtp_printf() calls do not need it, because in non-TLS
689 mode, the fflush() happens when smtp_getc() is called. */
690
691 SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
692 if (!tls_on_connect)
693 {
694 smtp_printf("220 TLS go ahead\r\n");
695 fflush(smtp_out);
696 }
697
698 /* Now negotiate the TLS session. We put our own timer on it, since it seems
699 that the OpenSSL library doesn't. */
700
701 SSL_set_wfd(ssl, fileno(smtp_out));
702 SSL_set_rfd(ssl, fileno(smtp_in));
703 SSL_set_accept_state(ssl);
704
705 DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
706
707 sigalrm_seen = FALSE;
708 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
709 rc = SSL_accept(ssl);
710 alarm(0);
711
712 if (rc <= 0)
713 {
714 tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL);
715 if (ERR_get_error() == 0)
716 log_write(0, LOG_MAIN,
717 " => client disconnected cleanly (rejected our certificate?)\n");
718 return FAIL;
719 }
720
721 DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
722
723 /* TLS has been set up. Adjust the input functions to read via TLS,
724 and initialize things. */
725
726 construct_cipher_name(ssl);
727
728 DEBUG(D_tls)
729 {
730 uschar buf[2048];
731 if (SSL_get_shared_ciphers(ssl, CS buf, sizeof(buf)) != NULL)
732 debug_printf("Shared ciphers: %s\n", buf);
733 }
734
735
736 ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
737 ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
738 ssl_xfer_eof = ssl_xfer_error = 0;
739
740 receive_getc = tls_getc;
741 receive_ungetc = tls_ungetc;
742 receive_feof = tls_feof;
743 receive_ferror = tls_ferror;
744 receive_smtp_buffered = tls_smtp_buffered;
745
746 tls_active = fileno(smtp_out);
747 return OK;
748 }
749
750
751
752
753
754 /*************************************************
755 * Start a TLS session in a client *
756 *************************************************/
757
758 /* Called from the smtp transport after STARTTLS has been accepted.
759
760 Argument:
761 fd the fd of the connection
762 host connected host (for messages)
763 addr the first address
764 dhparam DH parameter file
765 certificate certificate file
766 privatekey private key file
767 verify_certs file for certificate verify
768 crl file containing CRL
769 require_ciphers list of allowed ciphers
770 ------------------------------------------------------
771 require_mac list of allowed MACs ) Not used
772 require_kx list of allowed key_exchange methods ) for
773 require_proto list of allowed protocols ) OpenSSL
774 ------------------------------------------------------
775 timeout startup timeout
776
777 Returns: OK on success
778 FAIL otherwise - note that tls_error() will not give DEFER
779 because this is not a server
780 */
781
782 int
783 tls_client_start(int fd, host_item *host, address_item *addr, uschar *dhparam,
784 uschar *certificate, uschar *privatekey, uschar *verify_certs, uschar *crl,
785 uschar *require_ciphers, uschar *require_mac, uschar *require_kx,
786 uschar *require_proto, int timeout)
787 {
788 static uschar txt[256];
789 uschar *expciphers;
790 X509* server_cert;
791 int rc;
792
793 rc = tls_init(host, dhparam, certificate, privatekey, addr);
794 if (rc != OK) return rc;
795
796 tls_certificate_verified = FALSE;
797 verify_callback_called = FALSE;
798
799 if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
800 return FAIL;
801
802 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
803 are separated by underscores. So that I can use either form in my tests, and
804 also for general convenience, we turn underscores into hyphens here. */
805
806 if (expciphers != NULL)
807 {
808 uschar *s = expciphers;
809 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
810 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
811 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
812 return tls_error(US"SSL_CTX_set_cipher_list", host, NULL);
813 }
814
815 rc = setup_certs(verify_certs, crl, host, FALSE);
816 if (rc != OK) return rc;
817
818 if ((ssl = SSL_new(ctx)) == NULL) return tls_error(US"SSL_new", host, NULL);
819 SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
820 SSL_set_fd(ssl, fd);
821 SSL_set_connect_state(ssl);
822
823 /* There doesn't seem to be a built-in timeout on connection. */
824
825 DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
826 sigalrm_seen = FALSE;
827 alarm(timeout);
828 rc = SSL_connect(ssl);
829 alarm(0);
830
831 if (rc <= 0)
832 return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL);
833
834 DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
835
836 server_cert = SSL_get_peer_certificate (ssl);
837 tls_peerdn = US X509_NAME_oneline(X509_get_subject_name(server_cert),
838 CS txt, sizeof(txt));
839 tls_peerdn = txt;
840
841 construct_cipher_name(ssl); /* Sets tls_cipher */
842
843 tls_active = fd;
844 return OK;
845 }
846
847
848
849
850
851 /*************************************************
852 * TLS version of getc *
853 *************************************************/
854
855 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
856 it refills the buffer via the SSL reading function.
857
858 Arguments: none
859 Returns: the next character or EOF
860 */
861
862 int
863 tls_getc(void)
864 {
865 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
866 {
867 int error;
868 int inbytes;
869
870 DEBUG(D_tls) debug_printf("Calling SSL_read(%lx, %lx, %u)\n", (long)ssl,
871 (long)ssl_xfer_buffer, ssl_xfer_buffer_size);
872
873 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
874 inbytes = SSL_read(ssl, CS ssl_xfer_buffer, ssl_xfer_buffer_size);
875 error = SSL_get_error(ssl, inbytes);
876 alarm(0);
877
878 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
879 closed down, not that the socket itself has been closed down. Revert to
880 non-SSL handling. */
881
882 if (error == SSL_ERROR_ZERO_RETURN)
883 {
884 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
885
886 receive_getc = smtp_getc;
887 receive_ungetc = smtp_ungetc;
888 receive_feof = smtp_feof;
889 receive_ferror = smtp_ferror;
890 receive_smtp_buffered = smtp_buffered;
891
892 SSL_free(ssl);
893 ssl = NULL;
894 tls_active = -1;
895 tls_cipher = NULL;
896 tls_peerdn = NULL;
897
898 return smtp_getc();
899 }
900
901 /* Handle genuine errors */
902
903 else if (error != SSL_ERROR_NONE)
904 {
905 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
906 ssl_xfer_error = 1;
907 return EOF;
908 }
909 #ifndef DISABLE_DKIM
910 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
911 #endif
912 ssl_xfer_buffer_hwm = inbytes;
913 ssl_xfer_buffer_lwm = 0;
914 }
915
916 /* Something in the buffer; return next uschar */
917
918 return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
919 }
920
921
922
923 /*************************************************
924 * Read bytes from TLS channel *
925 *************************************************/
926
927 /*
928 Arguments:
929 buff buffer of data
930 len size of buffer
931
932 Returns: the number of bytes read
933 -1 after a failed read
934 */
935
936 int
937 tls_read(uschar *buff, size_t len)
938 {
939 int inbytes;
940 int error;
941
942 DEBUG(D_tls) debug_printf("Calling SSL_read(%lx, %lx, %u)\n", (long)ssl,
943 (long)buff, (unsigned int)len);
944
945 inbytes = SSL_read(ssl, CS buff, len);
946 error = SSL_get_error(ssl, inbytes);
947
948 if (error == SSL_ERROR_ZERO_RETURN)
949 {
950 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
951 return -1;
952 }
953 else if (error != SSL_ERROR_NONE)
954 {
955 return -1;
956 }
957
958 return inbytes;
959 }
960
961
962
963
964
965 /*************************************************
966 * Write bytes down TLS channel *
967 *************************************************/
968
969 /*
970 Arguments:
971 buff buffer of data
972 len number of bytes
973
974 Returns: the number of bytes after a successful write,
975 -1 after a failed write
976 */
977
978 int
979 tls_write(const uschar *buff, size_t len)
980 {
981 int outbytes;
982 int error;
983 int left = len;
984
985 DEBUG(D_tls) debug_printf("tls_do_write(%lx, %d)\n", (long)buff, left);
986 while (left > 0)
987 {
988 DEBUG(D_tls) debug_printf("SSL_write(SSL, %lx, %d)\n", (long)buff, left);
989 outbytes = SSL_write(ssl, CS buff, left);
990 error = SSL_get_error(ssl, outbytes);
991 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
992 switch (error)
993 {
994 case SSL_ERROR_SSL:
995 ERR_error_string(ERR_get_error(), ssl_errstring);
996 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
997 return -1;
998
999 case SSL_ERROR_NONE:
1000 left -= outbytes;
1001 buff += outbytes;
1002 break;
1003
1004 case SSL_ERROR_ZERO_RETURN:
1005 log_write(0, LOG_MAIN, "SSL channel closed on write");
1006 return -1;
1007
1008 default:
1009 log_write(0, LOG_MAIN, "SSL_write error %d", error);
1010 return -1;
1011 }
1012 }
1013 return len;
1014 }
1015
1016
1017
1018 /*************************************************
1019 * Close down a TLS session *
1020 *************************************************/
1021
1022 /* This is also called from within a delivery subprocess forked from the
1023 daemon, to shut down the TLS library, without actually doing a shutdown (which
1024 would tamper with the SSL session in the parent process).
1025
1026 Arguments: TRUE if SSL_shutdown is to be called
1027 Returns: nothing
1028 */
1029
1030 void
1031 tls_close(BOOL shutdown)
1032 {
1033 if (tls_active < 0) return; /* TLS was not active */
1034
1035 if (shutdown)
1036 {
1037 DEBUG(D_tls) debug_printf("tls_close(): shutting down SSL\n");
1038 SSL_shutdown(ssl);
1039 }
1040
1041 SSL_free(ssl);
1042 ssl = NULL;
1043
1044 tls_active = -1;
1045 }
1046
1047
1048
1049
1050 /*************************************************
1051 * Report the library versions. *
1052 *************************************************/
1053
1054 /* There have historically been some issues with binary compatibility in
1055 OpenSSL libraries; if Exim (like many other applications) is built against
1056 one version of OpenSSL but the run-time linker picks up another version,
1057 it can result in serious failures, including crashing with a SIGSEGV. So
1058 report the version found by the compiler and the run-time version.
1059
1060 Arguments: a FILE* to print the results to
1061 Returns: nothing
1062 */
1063
1064 void
1065 tls_version_report(FILE *f)
1066 {
1067 fprintf(f, "OpenSSL compile-time version: %s\n", OPENSSL_VERSION_TEXT);
1068 fprintf(f, "OpenSSL runtime version: %s\n", SSLeay_version(SSLEAY_VERSION));
1069 }
1070
1071
1072
1073
1074 /*************************************************
1075 * Pseudo-random number generation *
1076 *************************************************/
1077
1078 /* Pseudo-random number generation. The result is not expected to be
1079 cryptographically strong but not so weak that someone will shoot themselves
1080 in the foot using it as a nonce in input in some email header scheme or
1081 whatever weirdness they'll twist this into. The result should handle fork()
1082 and avoid repeating sequences. OpenSSL handles that for us.
1083
1084 Arguments:
1085 max range maximum
1086 Returns a random number in range [0, max-1]
1087 */
1088
1089 int
1090 pseudo_random_number(int max)
1091 {
1092 unsigned int r;
1093 int i, needed_len;
1094 uschar *p;
1095 uschar smallbuf[sizeof(r)];
1096
1097 if (max <= 1)
1098 return 0;
1099
1100 /* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
1101 if (!RAND_status())
1102 {
1103 randstuff r;
1104 gettimeofday(&r.tv, NULL);
1105 r.p = getpid();
1106
1107 RAND_seed((uschar *)(&r), sizeof(r));
1108 }
1109 /* We're after pseudo-random, not random; if we still don't have enough data
1110 in the internal PRNG then our options are limited. We could sleep and hope
1111 for entropy to come along (prayer technique) but if the system is so depleted
1112 in the first place then something is likely to just keep taking it. Instead,
1113 we'll just take whatever little bit of pseudo-random we can still manage to
1114 get. */
1115
1116 needed_len = sizeof(r);
1117 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
1118 asked for a number less than 10. */
1119 for (r = max, i = 0; r; ++i)
1120 r >>= 1;
1121 i = (i + 7) / 8;
1122 if (i < needed_len)
1123 needed_len = i;
1124
1125 /* We do not care if crypto-strong */
1126 (void) RAND_pseudo_bytes(smallbuf, needed_len);
1127 r = 0;
1128 for (p = smallbuf; needed_len; --needed_len, ++p)
1129 {
1130 r *= 256;
1131 r += *p;
1132 }
1133
1134 /* We don't particularly care about weighted results; if someone wants
1135 smooth distribution and cares enough then they should submit a patch then. */
1136 return r % max;
1137 }
1138
1139
1140
1141
1142 /*************************************************
1143 * OpenSSL option parse *
1144 *************************************************/
1145
1146 /* Parse one option for tls_openssl_options_parse below
1147
1148 Arguments:
1149 name one option name
1150 value place to store a value for it
1151 Returns success or failure in parsing
1152 */
1153
1154 struct exim_openssl_option {
1155 uschar *name;
1156 long value;
1157 };
1158 /* We could use a macro to expand, but we need the ifdef and not all the
1159 options document which version they were introduced in. Policylet: include
1160 all options unless explicitly for DTLS, let the administrator choose which
1161 to apply.
1162
1163 This list is current as of:
1164 ==> 0.9.8n <== */
1165 static struct exim_openssl_option exim_openssl_options[] = {
1166 /* KEEP SORTED ALPHABETICALLY! */
1167 #ifdef SSL_OP_ALL
1168 { "all", SSL_OP_ALL },
1169 #endif
1170 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
1171 { "allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
1172 #endif
1173 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
1174 { "cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
1175 #endif
1176 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
1177 { "dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
1178 #endif
1179 #ifdef SSL_OP_EPHEMERAL_RSA
1180 { "ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
1181 #endif
1182 #ifdef SSL_OP_LEGACY_SERVER_CONNECT
1183 { "legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
1184 #endif
1185 #ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
1186 { "microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
1187 #endif
1188 #ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
1189 { "microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
1190 #endif
1191 #ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
1192 { "msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
1193 #endif
1194 #ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
1195 { "netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
1196 #endif
1197 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
1198 { "netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
1199 #endif
1200 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1201 { "no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
1202 #endif
1203 #ifdef SSL_OP_SINGLE_DH_USE
1204 { "single_dh_use", SSL_OP_SINGLE_DH_USE },
1205 #endif
1206 #ifdef SSL_OP_SINGLE_ECDH_USE
1207 { "single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
1208 #endif
1209 #ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
1210 { "ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
1211 #endif
1212 #ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
1213 { "sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
1214 #endif
1215 #ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
1216 { "tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
1217 #endif
1218 #ifdef SSL_OP_TLS_D5_BUG
1219 { "tls_d5_bug", SSL_OP_TLS_D5_BUG },
1220 #endif
1221 #ifdef SSL_OP_TLS_ROLLBACK_BUG
1222 { "tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
1223 #endif
1224 };
1225 static int exim_openssl_options_size =
1226 sizeof(exim_openssl_options)/sizeof(struct exim_openssl_option);
1227
1228 static BOOL
1229 tls_openssl_one_option_parse(uschar *name, long *value)
1230 {
1231 int first = 0;
1232 int last = exim_openssl_options_size;
1233 while (last > first)
1234 {
1235 int middle = (first + last)/2;
1236 int c = Ustrcmp(name, exim_openssl_options[middle].name);
1237 if (c == 0)
1238 {
1239 *value = exim_openssl_options[middle].value;
1240 return TRUE;
1241 }
1242 else if (c > 0)
1243 first = middle + 1;
1244 else
1245 last = middle;
1246 }
1247 return FALSE;
1248 }
1249
1250
1251
1252
1253 /*************************************************
1254 * OpenSSL option parsing logic *
1255 *************************************************/
1256
1257 /* OpenSSL has a number of compatibility options which an administrator might
1258 reasonably wish to set. Interpret a list similarly to decode_bits(), so that
1259 we look like log_selector.
1260
1261 Arguments:
1262 option_spec the administrator-supplied string of options
1263 results ptr to long storage for the options bitmap
1264 Returns success or failure
1265 */
1266
1267 BOOL
1268 tls_openssl_options_parse(uschar *option_spec, long *results)
1269 {
1270 long result, item;
1271 uschar *s, *end;
1272 uschar keep_c;
1273 BOOL adding, item_parsed;
1274
1275 /* We grandfather in as default the one option which we used to set always. */
1276 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
1277 result = SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
1278 #else
1279 result = 0L;
1280 #endif
1281
1282 if (option_spec == NULL)
1283 {
1284 *results = result;
1285 return TRUE;
1286 }
1287
1288 for (s=option_spec; *s != '\0'; /**/)
1289 {
1290 while (isspace(*s)) ++s;
1291 if (*s == '\0')
1292 break;
1293 if (*s != '+' && *s != '-')
1294 {
1295 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
1296 "+ or - expected but found \"%s\"", s);
1297 return FALSE;
1298 }
1299 adding = *s++ == '+';
1300 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
1301 keep_c = *end;
1302 *end = '\0';
1303 item_parsed = tls_openssl_one_option_parse(s, &item);
1304 if (!item_parsed)
1305 {
1306 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"", s);
1307 return FALSE;
1308 }
1309 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
1310 adding ? "adding" : "removing", result, item, s);
1311 if (adding)
1312 result |= item;
1313 else
1314 result &= ~item;
1315 *end = keep_c;
1316 s = end;
1317 }
1318
1319 *results = result;
1320 return TRUE;
1321 }
1322
1323 /* End of tls-openssl.c */
Unnamed repository; edit this file 'description' to name the repository.