* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2018 */
+/* Copyright (c) University of Cambridge 1995 - 2019 */
/* See the file NOTICE for conditions of use and distribution. */
/* Portions Copyright (c) The OpenSSL Project 1999 */
# define EXIM_HAVE_SHA256
#endif
-/*
- * X509_check_host provides sane certificate hostname checking, but was added
- * to OpenSSL late, after other projects forked off the code-base. So in
- * addition to guarding against the base version number, beware that LibreSSL
- * does not (at this time) support this function.
- *
- * If LibreSSL gains a different API, perhaps via libtls, then we'll probably
- * opt to disentangle and ask a LibreSSL user to provide glue for a third
- * crypto provider for libtls instead of continuing to tie the OpenSSL glue
- * into even twistier knots. If LibreSSL gains the same API, we can just
- * change this guard and punt the issue for a while longer.
- */
+/* X509_check_host provides sane certificate hostname checking, but was added
+to OpenSSL late, after other projects forked off the code-base. So in
+addition to guarding against the base version number, beware that LibreSSL
+does not (at this time) support this function.
+
+If LibreSSL gains a different API, perhaps via libtls, then we'll probably
+opt to disentangle and ask a LibreSSL user to provide glue for a third
+crypto provider for libtls instead of continuing to tie the OpenSSL glue
+into even twistier knots. If LibreSSL gains the same API, we can just
+change this guard and punt the issue for a while longer. */
+
#ifndef LIBRESSL_VERSION_NUMBER
# if OPENSSL_VERSION_NUMBER >= 0x010100000L
# define EXIM_HAVE_OPENSSL_CHECKHOST
# define EXIM_HAVE_OPENSSL_DH_BITS
# define EXIM_HAVE_OPENSSL_TLS_METHOD
+# define EXIM_HAVE_OPENSSL_KEYLOG
+# define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
+# define EXIM_HAVE_SESSION_TICKET
+# define EXIM_HAVE_OPESSL_TRACE
# else
# define EXIM_NEED_OPENSSL_INIT
# endif
# endif
#endif
+#ifndef LIBRESSL_VERSION_NUMBER
+# if OPENSSL_VERSION_NUMBER >= 0x010101000L
+# define OPENSSL_HAVE_KEYLOG_CB
+# define OPENSSL_HAVE_NUM_TICKETS
+# define EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
+# endif
+#endif
+
#if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
# warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
# define DISABLE_OCSP
#endif
+#ifdef EXPERIMENTAL_TLS_RESUME
+# if OPENSSL_VERSION_NUMBER < 0x0101010L
+# error OpenSSL version too old for session-resumption
+# endif
+#endif
+
#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
# include <openssl/x509v3.h>
#endif
+#ifndef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
+# ifndef EXIM_HAVE_OPENSSL_CIPHER_GET_ID
+# define SSL_CIPHER_get_id(c) (c->id)
+# endif
+# ifndef MACRO_PREDEF
+# include "tls-cipher-stdname.c"
+# endif
+#endif
+
/*************************************************
* OpenSSL option parse *
*************************************************/
static exim_openssl_option exim_openssl_options[] = {
/* KEEP SORTED ALPHABETICALLY! */
#ifdef SSL_OP_ALL
- { US"all", SSL_OP_ALL },
+ { US"all", (long) SSL_OP_ALL },
#endif
#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
{ US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
void
options_tls(void)
{
-struct exim_openssl_option * o;
uschar buf[64];
-for (o = exim_openssl_options;
+for (struct exim_openssl_option * o = exim_openssl_options;
o < exim_openssl_options + nelem(exim_openssl_options); o++)
{
/* Trailing X is workaround for problem with _OPT_OPENSSL_NO_TLSV1
spf(buf, sizeof(buf), US"_OPT_OPENSSL_%T_X", o->name);
builtin_macro_create(buf);
}
+
+# ifdef EXPERIMENTAL_TLS_RESUME
+builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
+# endif
}
#else
typedef struct {
SSL_CTX * ctx;
SSL * ssl;
+ gstring * corked;
} exim_openssl_client_tls_ctx;
static SSL_CTX *server_ctx = NULL;
static char ssl_errstring[256];
-static int ssl_session_timeout = 200;
+static int ssl_session_timeout = 7200; /* Two hours */
static BOOL client_verify_optional = FALSE;
static BOOL server_verify_optional = FALSE;
typedef struct tls_ext_ctx_cb {
+ tls_support * tlsp;
uschar *certificate;
uschar *privatekey;
BOOL is_server;
/* should figure out a cleanup of API to handle state preserved per
implementation, for various reasons, which can be void * in the APIs.
For now, we hack around it. */
-tls_ext_ctx_cb *client_static_cbinfo = NULL;
+tls_ext_ctx_cb *client_static_cbinfo = NULL; /*XXX should not use static; multiple concurrent clients! */
tls_ext_ctx_cb *server_static_cbinfo = NULL;
static int
#endif
+
+/* Daemon-called, before every connection, key create/rotate */
+#ifdef EXPERIMENTAL_TLS_RESUME
+static void tk_init(void);
+static int tls_exdata_idx = -1;
+#endif
+
+void
+tls_daemon_init(void)
+{
+#ifdef EXPERIMENTAL_TLS_RESUME
+tk_init();
+#endif
+return;
+}
+
+
/*************************************************
* Handle TLS error *
*************************************************/
x509_store_dump_cert_s_names(X509_STORE * store)
{
STACK_OF(X509_OBJECT) * roots= store->objs;
-int i;
static uschar name[256];
-for(i= 0; i<sk_X509_OBJECT_num(roots); i++)
+for (int i= 0; i < sk_X509_OBJECT_num(roots); i++)
{
X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
if(tmp_obj->type == X509_LU_X509)
}
DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
"(host in tls_try_verify_hosts)\n");
+ tlsp->verify_override = TRUE;
}
X509_free(tlsp->peercert);
tlsp->peercert = old_cert;
}
dn[sizeof(dn)-1] = '\0';
+tlsp->verify_override = FALSE;
if (preverify_ok == 0)
{
uschar * extra = verify_mode ? string_sprintf(" (during %c-verify for [%s])",
}
DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
"tls_try_verify_hosts)\n");
+ tlsp->verify_override = TRUE;
}
else if (depth != 0)
tlsp->peercert = X509_dup(cert); /* record failing cert */
return 0; /* reject */
}
- DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
+ DEBUG(D_tls) debug_printf("SSL verify name failure overridden (host in "
"tls_try_verify_hosts)\n");
+ tlsp->verify_override = TRUE;
}
}
DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
*calledp ? "" : " authenticated", dn);
- if (!*calledp) tlsp->certificate_verified = TRUE;
*calledp = TRUE;
}
if (preverify_ok == 1)
{
- tls_out.dane_verified = tls_out.certificate_verified = TRUE;
+ tls_out.dane_verified = TRUE;
#ifndef DISABLE_OCSP
if (client_static_cbinfo->u_ocsp.client.verify_store)
{ /* client, wanting stapling */
}
}
+#ifdef OPENSSL_HAVE_KEYLOG_CB
+static void
+keylog_callback(const SSL *ssl, const char *line)
+{
+DEBUG(D_tls) debug_printf("%.200s\n", line);
+}
+#endif
+
+
+#ifdef EXPERIMENTAL_TLS_RESUME
+/* Manage the keysets used for encrypting the session tickets, on the server. */
+
+typedef struct { /* Session ticket encryption key */
+ uschar name[16];
+
+ const EVP_CIPHER * aes_cipher;
+ uschar aes_key[32]; /* size needed depends on cipher. aes_128 implies 128/8 = 16? */
+ const EVP_MD * hmac_hash;
+ uschar hmac_key[16];
+ time_t renew;
+ time_t expire;
+} exim_stek;
+
+static exim_stek exim_tk; /* current key */
+static exim_stek exim_tk_old; /* previous key */
+
+static void
+tk_init(void)
+{
+time_t t = time(NULL);
+
+if (exim_tk.name[0])
+ {
+ if (exim_tk.renew >= t) return;
+ exim_tk_old = exim_tk;
+ }
+
+if (f.running_in_test_harness) ssl_session_timeout = 6;
+
+DEBUG(D_tls) debug_printf("OpenSSL: %s STEK\n", exim_tk.name[0] ? "rotating" : "creating");
+if (RAND_bytes(exim_tk.aes_key, sizeof(exim_tk.aes_key)) <= 0) return;
+if (RAND_bytes(exim_tk.hmac_key, sizeof(exim_tk.hmac_key)) <= 0) return;
+if (RAND_bytes(exim_tk.name+1, sizeof(exim_tk.name)-1) <= 0) return;
+
+exim_tk.name[0] = 'E';
+exim_tk.aes_cipher = EVP_aes_256_cbc();
+exim_tk.hmac_hash = EVP_sha256();
+exim_tk.expire = t + ssl_session_timeout;
+exim_tk.renew = t + ssl_session_timeout/2;
+}
+
+static exim_stek *
+tk_current(void)
+{
+if (!exim_tk.name[0]) return NULL;
+return &exim_tk;
+}
+
+static exim_stek *
+tk_find(const uschar * name)
+{
+return memcmp(name, exim_tk.name, sizeof(exim_tk.name)) == 0 ? &exim_tk
+ : memcmp(name, exim_tk_old.name, sizeof(exim_tk_old.name)) == 0 ? &exim_tk_old
+ : NULL;
+}
+
+/* Callback for session tickets, on server */
+static int
+ticket_key_callback(SSL * ssl, uschar key_name[16],
+ uschar * iv, EVP_CIPHER_CTX * ctx, HMAC_CTX * hctx, int enc)
+{
+tls_support * tlsp = server_static_cbinfo->tlsp;
+exim_stek * key;
+
+if (enc)
+ {
+ DEBUG(D_tls) debug_printf("ticket_key_callback: create new session\n");
+ tlsp->resumption |= RESUME_CLIENT_REQUESTED;
+
+ if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) <= 0)
+ return -1; /* insufficient random */
+
+ if (!(key = tk_current())) /* current key doesn't exist or isn't valid */
+ return 0; /* key couldn't be created */
+ memcpy(key_name, key->name, 16);
+ DEBUG(D_tls) debug_printf("STEK expire " TIME_T_FMT "\n", key->expire - time(NULL));
+
+ /*XXX will want these dependent on the ssl session strength */
+ HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
+ key->hmac_hash, NULL);
+ EVP_EncryptInit_ex(ctx, key->aes_cipher, NULL, key->aes_key, iv);
+
+ DEBUG(D_tls) debug_printf("ticket created\n");
+ return 1;
+ }
+else
+ {
+ time_t now = time(NULL);
+
+ DEBUG(D_tls) debug_printf("ticket_key_callback: retrieve session\n");
+ tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
+
+ if (!(key = tk_find(key_name)) || key->expire < now)
+ {
+ DEBUG(D_tls)
+ {
+ debug_printf("ticket not usable (%s)\n", key ? "expired" : "not found");
+ if (key) debug_printf("STEK expire " TIME_T_FMT "\n", key->expire - now);
+ }
+ return 0;
+ }
+
+ HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
+ key->hmac_hash, NULL);
+ EVP_DecryptInit_ex(ctx, key->aes_cipher, NULL, key->aes_key, iv);
+
+ DEBUG(D_tls) debug_printf("ticket usable, STEK expire " TIME_T_FMT "\n", key->expire - now);
+
+ /* The ticket lifetime and renewal are the same as the STEK lifetime and
+ renewal, which is overenthusiastic. A factor of, say, 3x longer STEK would
+ be better. To do that we'd have to encode ticket lifetime in the name as
+ we don't yet see the restored session. Could check posthandshake for TLS1.3
+ and trigger a new ticket then, but cannot do that for TLS1.2 */
+ return key->renew < now ? 2 : 1;
+ }
+}
+#endif
+
/*************************************************
if (f.running_in_test_harness)
{
extern char ** environ;
- uschar ** p;
- if (environ) for (p = USS environ; *p; p++)
+ if (environ) for (uschar ** p = USS environ; *p; p++)
if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
{
DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
arg Callback of "our" registered data
Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
+
+XXX might need to change to using ClientHello callback,
+per https://www.openssl.org/docs/manmaster/man3/SSL_client_hello_cb_fn.html
*/
#ifdef EXIM_HAVE_OPENSSL_TLSEXT
/* Make the extension value available for expansion */
store_pool = POOL_PERM;
-tls_in.sni = string_copy(US servername);
+tls_in.sni = string_copy_taint(US servername, TRUE);
store_pool = old_pool;
if (!reexpand_tls_files_for_sni)
return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
}
-if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
- {
- tls_out.ocsp = OCSP_FAILED;
+if (!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
+ {
+ tls_out.ocsp = OCSP_FAILED; /*XXX should use tlsp-> to permit concurrent outbound */
if (LOGGING(tls_cipher))
log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
else
DEBUG(D_tls) debug_printf(" parse error\n");
return 0;
- }
+ }
-if(!(bs = OCSP_response_get1_basic(rsp)))
+if (!(bs = OCSP_response_get1_basic(rsp)))
{
tls_out.ocsp = OCSP_FAILED;
if (LOGGING(tls_cipher))
#ifndef DISABLE_OCSP
uschar *ocsp_file, /*XXX stack, in server*/
#endif
- address_item *addr, tls_ext_ctx_cb ** cbp, uschar ** errstr)
+ address_item *addr, tls_ext_ctx_cb ** cbp,
+ tls_support * tlsp,
+ uschar ** errstr)
{
SSL_CTX * ctx;
long init_options;
tls_ext_ctx_cb * cbinfo;
cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
+cbinfo->tlsp = tlsp;
cbinfo->certificate = certificate;
cbinfo->privatekey = privatekey;
cbinfo->is_server = host==NULL;
/* Set up the information callback, which outputs if debugging is at a suitable
level. */
-DEBUG(D_tls) SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
+DEBUG(D_tls)
+ {
+ SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
+#if defined(EXIM_HAVE_OPESSL_TRACE) && !defined(OPENSSL_NO_SSL_TRACE)
+ /* this needs a debug build of OpenSSL */
+ SSL_CTX_set_msg_callback(ctx, (void (*)())SSL_trace);
+#endif
+#ifdef OPENSSL_HAVE_KEYLOG_CB
+ SSL_CTX_set_keylog_callback(ctx, (void (*)())keylog_callback);
+#endif
+ }
/* Automatically re-try reads/writes after renegotiation. */
(void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
if (!tls_openssl_options_parse(openssl_options, &init_options))
return tls_error(US"openssl_options parsing failed", host, NULL, errstr);
+#ifdef EXPERIMENTAL_TLS_RESUME
+tlsp->resumption = RESUME_SUPPORTED;
+#endif
if (init_options)
{
+#ifdef EXPERIMENTAL_TLS_RESUME
+ /* Should the server offer session resumption? */
+ if (!host && verify_check_host(&tls_resumption_hosts) == OK)
+ {
+ DEBUG(D_tls) debug_printf("tls_resumption_hosts overrides openssl_options\n");
+ init_options &= ~SSL_OP_NO_TICKET;
+ tlsp->resumption |= RESUME_SERVER_TICKET; /* server will give ticket on request */
+ tlsp->host_resumable = TRUE;
+ }
+#endif
+
DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
if (!(SSL_CTX_set_options(ctx, init_options)))
return tls_error(string_sprintf(
SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
#endif
-/* Finally, set the timeout, and we are done */
+/* Finally, set the session cache timeout, and we are done.
+The period appears to be also used for (server-generated) session tickets */
SSL_CTX_set_timeout(ctx, ssl_session_timeout);
DEBUG(D_tls) debug_printf("Initialized TLS\n");
/*
Argument: pointer to an SSL structure for the connection
- buffer to use for answer
- size of buffer
pointer to number of bits for cipher
-Returns: nothing
+Returns: pointer to allocated string in perm-pool
*/
-static void
-construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits)
+static uschar *
+construct_cipher_name(SSL * ssl, int * bits)
{
+int pool = store_pool;
/* With OpenSSL 1.0.0a, 'c' needs to be const but the documentation doesn't
yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
the accessor functions use const in the prototype. */
const uschar * ver = CUS SSL_get_version(ssl);
const SSL_CIPHER * c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
+uschar * s;
SSL_CIPHER_get_bits(c, bits);
-string_format(cipherbuf, bsize, "%s:%s:%u", ver,
- SSL_CIPHER_get_name(c), *bits);
+store_pool = POOL_PERM;
+s = string_sprintf("%s:%s:%u", ver, SSL_CIPHER_get_name(c), *bits);
+store_pool = pool;
+DEBUG(D_tls) debug_printf("Cipher: %s\n", s);
+return s;
+}
+
+
+/* Get IETF-standard name for ciphersuite.
+Argument: pointer to an SSL structure for the connection
+Returns: pointer to string
+*/
-DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
+static const uschar *
+cipher_stdname_ssl(SSL * ssl)
+{
+#ifdef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
+return CUS SSL_CIPHER_standard_name(SSL_get_current_cipher(ssl));
+#else
+ushort id = 0xffff & SSL_CIPHER_get_id(SSL_get_current_cipher(ssl));
+return cipher_stdname(id >> 8, id & 0xff);
+#endif
}
{ DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n"); }
else
{
- peerdn[siz-1] = '\0';
- tlsp->peerdn = peerdn; /*XXX a static buffer... */
+ int oldpool = store_pool;
+
+ peerdn[siz-1] = '\0'; /* paranoia */
+ store_pool = POOL_PERM;
+ tlsp->peerdn = string_copy(peerdn);
+ store_pool = oldpool;
+
+ /* We used to set CV in the cert-verify callbacks (either plain or dane)
+ but they don't get called on session-resumption. So use the official
+ interface, which uses the resumed value. Unfortunately this claims verified
+ when it actually failed but we're in try-verify mode, due to us wanting the
+ knowlege that it failed so needing to have the callback and forcing a
+ permissive return. If we don't force it, the TLS startup is failed.
+ The extra bit of information is set in verify_override in the cb, stashed
+ for resumption next to the TLS session, and used here. */
+
+ if (!tlsp->verify_override)
+ tlsp->certificate_verified = SSL_get_verify_result(ssl) == X509_V_OK;
}
}
/* Load the list of CAs for which we will accept certs, for sending
to the client. This is only for the one-file tls_verify_certificates
variant.
- If a list isn't loaded into the server, but
- some verify locations are set, the server end appears to make
- a wildcard request for client certs.
+ If a list isn't loaded into the server, but some verify locations are set,
+ the server end appears to make a wildcard request for client certs.
Meanwhile, the client library as default behaviour *ignores* the list
we send over the wire - see man SSL_CTX_set_client_cert_cb.
Because of this, and that the dir variant is likely only used for
- the public-CA bundle (not for a private CA), not worth fixing.
- */
+ the public-CA bundle (not for a private CA), not worth fixing. */
+
if (file)
{
STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
uschar * expciphers;
tls_ext_ctx_cb * cbinfo;
static uschar peerdn[256];
-static uschar cipherbuf[256];
/* Check for previous activation */
#ifndef DISABLE_OCSP
tls_ocsp_file, /*XXX stack*/
#endif
- NULL, &server_static_cbinfo, errstr);
+ NULL, &server_static_cbinfo, &tls_in, errstr);
if (rc != OK) return rc;
cbinfo = server_static_cbinfo;
if (expciphers)
{
- uschar * s = expciphers;
- while (*s != 0) { if (*s == '_') *s = '-'; s++; }
+ for (uschar * s = expciphers; *s; s++ ) if (*s == '_') *s = '-';
DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL, errstr);
server_verify_optional = TRUE;
}
+#ifdef EXPERIMENTAL_TLS_RESUME
+SSL_CTX_set_tlsext_ticket_key_cb(server_ctx, ticket_key_callback);
+/* despite working, appears to always return failure, so ignoring */
+#endif
+#ifdef OPENSSL_HAVE_NUM_TICKETS
+# ifdef EXPERIMENTAL_TLS_RESUME
+SSL_CTX_set_num_tickets(server_ctx, tls_in.host_resumable ? 1 : 0);
+# else
+SSL_CTX_set_num_tickets(server_ctx, 0); /* send no TLS1.3 stateful-tickets */
+# endif
+#endif
+
+
/* Prepare for new connection */
if (!(server_ssl = SSL_new(server_ctx)))
DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
ERR_clear_error(); /* Even success can leave errors in the stack. Seen with
- anon-authentication ciphersuite negociated. */
+ anon-authentication ciphersuite negotiated. */
+
+#ifdef EXPERIMENTAL_TLS_RESUME
+if (SSL_session_reused(server_ssl))
+ {
+ tls_in.resumption |= RESUME_USED;
+ DEBUG(D_tls) debug_printf("Session reused\n");
+ }
+#endif
/* TLS has been set up. Adjust the input functions to read via TLS,
and initialize things. */
peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
-construct_cipher_name(server_ssl, cipherbuf, sizeof(cipherbuf), &tls_in.bits);
-tls_in.cipher = cipherbuf;
+tls_in.cipher = construct_cipher_name(server_ssl, &tls_in.bits);
+tls_in.cipher_stdname = cipher_stdname_ssl(server_ssl);
DEBUG(D_tls)
{
uschar buf[2048];
- if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)) != NULL)
+ if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)))
debug_printf("Shared ciphers: %s\n", buf);
+
+#ifdef EXIM_HAVE_OPENSSL_KEYLOG
+ {
+ BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
+ SSL_SESSION_print_keylog(bp, SSL_get_session(server_ssl));
+ BIO_free(bp);
+ }
+#endif
+
+#ifdef EXIM_HAVE_SESSION_TICKET
+ {
+ SSL_SESSION * ss = SSL_get_session(server_ssl);
+ if (SSL_SESSION_has_ticket(ss)) /* 1.1.0 */
+ debug_printf("The session has a ticket, life %lu seconds\n",
+ SSL_SESSION_get_ticket_lifetime_hint(ss));
+ }
+#endif
}
/* Record the certificate we presented */
static int
dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa, uschar ** errstr)
{
-dns_record * rr;
dns_scan dnss;
const char * hostnames[2] = { CS host->name, NULL };
int found = 0;
if (DANESSL_init(ssl, NULL, hostnames) != 1)
return tls_error(US"hostnames load", host, NULL, errstr);
-for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
- rr;
+for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
) if (rr->type == T_TLSA && rr->size > 3)
{
+#ifdef EXPERIMENTAL_TLS_RESUME
+/* On the client, get any stashed session for the given IP from hints db
+and apply it to the ssl-connection for attempted resumption. */
+
+static void
+tls_retrieve_session(tls_support * tlsp, SSL * ssl, const uschar * key)
+{
+tlsp->resumption |= RESUME_SUPPORTED;
+if (tlsp->host_resumable)
+ {
+ dbdata_tls_session * dt;
+ int len;
+ open_db dbblock, * dbm_file;
+
+ tlsp->resumption |= RESUME_CLIENT_REQUESTED;
+ DEBUG(D_tls) debug_printf("checking for resumable session for %s\n", key);
+ if ((dbm_file = dbfn_open(US"tls", O_RDONLY, &dbblock, FALSE, FALSE)))
+ {
+ /* key for the db is the IP */
+ if ((dt = dbfn_read_with_length(dbm_file, key, &len)))
+ {
+ SSL_SESSION * ss = NULL;
+ const uschar * sess_asn1 = dt->session;
+
+ len -= sizeof(dbdata_tls_session);
+ if (!(d2i_SSL_SESSION(&ss, &sess_asn1, (long)len)))
+ {
+ DEBUG(D_tls)
+ {
+ ERR_error_string_n(ERR_get_error(),
+ ssl_errstring, sizeof(ssl_errstring));
+ debug_printf("decoding session: %s\n", ssl_errstring);
+ }
+ }
+#ifdef EXIM_HAVE_SESSION_TICKET
+ else if ( SSL_SESSION_get_ticket_lifetime_hint(ss) + dt->time_stamp
+ < time(NULL))
+ {
+ DEBUG(D_tls) debug_printf("session expired\n");
+ dbfn_delete(dbm_file, key);
+ }
+#endif
+ else if (!SSL_set_session(ssl, ss))
+ {
+ DEBUG(D_tls)
+ {
+ ERR_error_string_n(ERR_get_error(),
+ ssl_errstring, sizeof(ssl_errstring));
+ debug_printf("applying session to ssl: %s\n", ssl_errstring);
+ }
+ }
+ else
+ {
+ DEBUG(D_tls) debug_printf("good session\n");
+ tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
+ tlsp->verify_override = dt->verify_override;
+ tlsp->ocsp = dt->ocsp;
+ }
+ }
+ else
+ DEBUG(D_tls) debug_printf("no session record\n");
+ dbfn_close(dbm_file);
+ }
+ }
+}
+
+
+/* On the client, save the session for later resumption */
+
+static int
+tls_save_session_cb(SSL * ssl, SSL_SESSION * ss)
+{
+tls_ext_ctx_cb * cbinfo = SSL_get_ex_data(ssl, tls_exdata_idx);
+tls_support * tlsp;
+
+DEBUG(D_tls) debug_printf("tls_save_session_cb\n");
+
+if (!cbinfo || !(tlsp = cbinfo->tlsp)->host_resumable) return 0;
+
+# ifdef OPENSSL_HAVE_NUM_TICKETS
+if (SSL_SESSION_is_resumable(ss)) /* 1.1.1 */
+# endif
+ {
+ int len = i2d_SSL_SESSION(ss, NULL);
+ int dlen = sizeof(dbdata_tls_session) + len;
+ dbdata_tls_session * dt = store_get(dlen, TRUE);
+ uschar * s = dt->session;
+ open_db dbblock, * dbm_file;
+
+ DEBUG(D_tls) debug_printf("session is resumable\n");
+ tlsp->resumption |= RESUME_SERVER_TICKET; /* server gave us a ticket */
+
+ dt->verify_override = tlsp->verify_override;
+ dt->ocsp = tlsp->ocsp;
+ (void) i2d_SSL_SESSION(ss, &s); /* s gets bumped to end */
+
+ if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
+ {
+ const uschar * key = cbinfo->host->address;
+ dbfn_delete(dbm_file, key);
+ dbfn_write(dbm_file, key, dt, dlen);
+ dbfn_close(dbm_file);
+ DEBUG(D_tls) debug_printf("wrote session (len %u) to db\n",
+ (unsigned)dlen);
+ }
+ }
+return 1;
+}
+
+
+static void
+tls_client_ctx_resume_prehandshake(
+ exim_openssl_client_tls_ctx * exim_client_ctx, tls_support * tlsp,
+ smtp_transport_options_block * ob, host_item * host)
+{
+/* Should the client request a session resumption ticket? */
+if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, host) == OK)
+ {
+ tlsp->host_resumable = TRUE;
+
+ SSL_CTX_set_session_cache_mode(exim_client_ctx->ctx,
+ SSL_SESS_CACHE_CLIENT
+ | SSL_SESS_CACHE_NO_INTERNAL | SSL_SESS_CACHE_NO_AUTO_CLEAR);
+ SSL_CTX_sess_set_new_cb(exim_client_ctx->ctx, tls_save_session_cb);
+ }
+}
+
+static BOOL
+tls_client_ssl_resume_prehandshake(SSL * ssl, tls_support * tlsp,
+ host_item * host, uschar ** errstr)
+{
+if (tlsp->host_resumable)
+ {
+ DEBUG(D_tls)
+ debug_printf("tls_resumption_hosts overrides openssl_options, enabling tickets\n");
+ SSL_clear_options(ssl, SSL_OP_NO_TICKET);
+
+ tls_exdata_idx = SSL_get_ex_new_index(0, 0, 0, 0, 0);
+ if (!SSL_set_ex_data(ssl, tls_exdata_idx, client_static_cbinfo))
+ {
+ tls_error(US"set ex_data", host, NULL, errstr);
+ return FALSE;
+ }
+ debug_printf("tls_exdata_idx %d cbinfo %p\n", tls_exdata_idx, client_static_cbinfo);
+ }
+
+tlsp->resumption = RESUME_SUPPORTED;
+/* Pick up a previous session, saved on an old ticket */
+tls_retrieve_session(tlsp, ssl, host->address);
+return TRUE;
+}
+
+static void
+tls_client_resume_posthandshake(exim_openssl_client_tls_ctx * exim_client_ctx,
+ tls_support * tlsp)
+{
+if (SSL_session_reused(exim_client_ctx->ssl))
+ {
+ DEBUG(D_tls) debug_printf("The session was reused\n");
+ tlsp->resumption |= RESUME_USED;
+ }
+}
+#endif /* EXPERIMENTAL_TLS_RESUME */
+
+
/*************************************************
* Start a TLS session in a client *
*************************************************/
/* Called from the smtp transport after STARTTLS has been accepted.
-Argument:
- fd the fd of the connection
- host connected host (for messages and option-tests)
- addr the first address (for some randomness; can be NULL)
- tb transport (always smtp)
- tlsa_dnsa tlsa lookup, if DANE, else null
- tlsp record details of channel configuration here; must be non-NULL
- errstr error string pointer
-
-Returns: Pointer to TLS session context, or NULL on error
+Arguments:
+ cctx connection context
+ conn_args connection details
+ cookie datum for randomness; can be NULL
+ tlsp record details of TLS channel configuration here; must be non-NULL
+ errstr error string pointer
+
+Returns: TRUE for success with TLS session context set in connection context,
+ FALSE on error
*/
-void *
-tls_client_start(int fd, host_item *host, address_item *addr,
- transport_instance * tb,
-#ifdef SUPPORT_DANE
- dns_answer * tlsa_dnsa,
-#endif
- tls_support * tlsp, uschar ** errstr)
+BOOL
+tls_client_start(client_conn_ctx * cctx, smtp_connect_args * conn_args,
+ void * cookie, tls_support * tlsp, uschar ** errstr)
{
+host_item * host = conn_args->host; /* for msgs and option-tests */
+transport_instance * tb = conn_args->tblock; /* always smtp or NULL */
smtp_transport_options_block * ob = tb
? (smtp_transport_options_block *)tb->options_block
: &smtp_transport_option_defaults;
exim_openssl_client_tls_ctx * exim_client_ctx;
-static uschar peerdn[256];
uschar * expciphers;
int rc;
-static uschar cipherbuf[256];
+static uschar peerdn[256];
#ifndef DISABLE_OCSP
BOOL request_ocsp = FALSE;
rc = store_pool;
store_pool = POOL_PERM;
-exim_client_ctx = store_get(sizeof(exim_openssl_client_tls_ctx));
+exim_client_ctx = store_get(sizeof(exim_openssl_client_tls_ctx), FALSE);
+exim_client_ctx->corked = NULL;
store_pool = rc;
#ifdef SUPPORT_DANE
#ifndef DISABLE_OCSP
{
# ifdef SUPPORT_DANE
- if ( tlsa_dnsa
+ if ( conn_args->dane
&& ob->hosts_request_ocsp[0] == '*'
&& ob->hosts_request_ocsp[1] == '\0'
)
#ifndef DISABLE_OCSP
(void *)(long)request_ocsp,
#endif
- addr, &client_static_cbinfo, errstr);
-if (rc != OK) return NULL;
+ cookie, &client_static_cbinfo, tlsp, errstr);
+if (rc != OK) return FALSE;
tlsp->certificate_verified = FALSE;
client_verify_callback_called = FALSE;
expciphers = NULL;
#ifdef SUPPORT_DANE
-if (tlsa_dnsa)
+if (conn_args->dane)
{
/* We fall back to tls_require_ciphers if unset, empty or forced failure, but
other failures should be treated as problems. */
if (ob->dane_require_tls_ciphers &&
!expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
&expciphers, errstr))
- return NULL;
+ return FALSE;
if (expciphers && *expciphers == '\0')
expciphers = NULL;
}
if (!expciphers &&
!expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
&expciphers, errstr))
- return NULL;
+ return FALSE;
/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
are separated by underscores. So that I can use either form in my tests, and
if (!SSL_CTX_set_cipher_list(exim_client_ctx->ctx, CS expciphers))
{
tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr);
- return NULL;
+ return FALSE;
}
}
#ifdef SUPPORT_DANE
-if (tlsa_dnsa)
+if (conn_args->dane)
{
SSL_CTX_set_verify(exim_client_ctx->ctx,
SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
if (!DANESSL_library_init())
{
tls_error(US"library init", host, NULL, errstr);
- return NULL;
+ return FALSE;
}
if (DANESSL_CTX_init(exim_client_ctx->ctx) <= 0)
{
tls_error(US"context init", host, NULL, errstr);
- return NULL;
+ return FALSE;
}
}
else
if (tls_client_basic_ctx_init(exim_client_ctx->ctx, host, ob,
client_static_cbinfo, errstr) != OK)
- return NULL;
+ return FALSE;
+
+#ifdef EXPERIMENTAL_TLS_RESUME
+tls_client_ctx_resume_prehandshake(exim_client_ctx, tlsp, ob, host);
+#endif
+
if (!(exim_client_ctx->ssl = SSL_new(exim_client_ctx->ctx)))
{
tls_error(US"SSL_new", host, NULL, errstr);
- return NULL;
+ return FALSE;
}
SSL_set_session_id_context(exim_client_ctx->ssl, sid_ctx, Ustrlen(sid_ctx));
-SSL_set_fd(exim_client_ctx->ssl, fd);
+
+SSL_set_fd(exim_client_ctx->ssl, cctx->sock);
SSL_set_connect_state(exim_client_ctx->ssl);
if (ob->tls_sni)
{
if (!expand_check(ob->tls_sni, US"tls_sni", &tlsp->sni, errstr))
- return NULL;
+ return FALSE;
if (!tlsp->sni)
{
DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
}
#ifdef SUPPORT_DANE
-if (tlsa_dnsa)
- if (dane_tlsa_load(exim_client_ctx->ssl, host, tlsa_dnsa, errstr) != OK)
- return NULL;
+if (conn_args->dane)
+ if (dane_tlsa_load(exim_client_ctx->ssl, host, &conn_args->tlsa_dnsa, errstr) != OK)
+ return FALSE;
#endif
#ifndef DISABLE_OCSP
}
#endif
+#ifdef EXPERIMENTAL_TLS_RESUME
+if (!tls_client_ssl_resume_prehandshake(exim_client_ctx->ssl, tlsp, host,
+ errstr))
+ return FALSE;
+#endif
+
#ifndef DISABLE_EVENT
client_static_cbinfo->event_action = tb ? tb->event_action : NULL;
#endif
ALARM_CLR(0);
#ifdef SUPPORT_DANE
-if (tlsa_dnsa)
+if (conn_args->dane)
DANESSL_cleanup(exim_client_ctx->ssl);
#endif
if (rc <= 0)
{
tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL, errstr);
- return NULL;
+ return FALSE;
+ }
+
+DEBUG(D_tls)
+ {
+ debug_printf("SSL_connect succeeded\n");
+#ifdef EXIM_HAVE_OPENSSL_KEYLOG
+ {
+ BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
+ SSL_SESSION_print_keylog(bp, SSL_get_session(exim_client_ctx->ssl));
+ BIO_free(bp);
+ }
+#endif
}
-DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
+#ifdef EXPERIMENTAL_TLS_RESUME
+tls_client_resume_posthandshake(exim_client_ctx, tlsp);
+#endif
peer_cert(exim_client_ctx->ssl, tlsp, peerdn, sizeof(peerdn));
-construct_cipher_name(exim_client_ctx->ssl, cipherbuf, sizeof(cipherbuf), &tlsp->bits);
-tlsp->cipher = cipherbuf;
+tlsp->cipher = construct_cipher_name(exim_client_ctx->ssl, &tlsp->bits);
+tlsp->cipher_stdname = cipher_stdname_ssl(exim_client_ctx->ssl);
/* Record the certificate we presented */
{
tlsp->ourcert = crt ? X509_dup(crt) : NULL;
}
-tlsp->active.sock = fd;
+tlsp->active.sock = cctx->sock;
tlsp->active.tls_ctx = exim_client_ctx;
-return exim_client_ctx;
+cctx->tls_ctx = exim_client_ctx;
+return TRUE;
}
case SSL_ERROR_ZERO_RETURN:
DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
- receive_getc = smtp_getc;
- receive_getbuf = smtp_getbuf;
- receive_get_cache = smtp_get_cache;
- receive_ungetc = smtp_ungetc;
- receive_feof = smtp_feof;
- receive_ferror = smtp_ferror;
- receive_smtp_buffered = smtp_buffered;
-
if (SSL_get_shutdown(server_ssl) == SSL_RECEIVED_SHUTDOWN)
SSL_shutdown(server_ssl);
-#ifndef DISABLE_OCSP
- sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
- server_static_cbinfo->verify_stack = NULL;
-#endif
- SSL_free(server_ssl);
- SSL_CTX_free(server_ctx);
- server_ctx = NULL;
- server_ssl = NULL;
- tls_in.active.sock = -1;
- tls_in.active.tls_ctx = NULL;
- tls_in.bits = 0;
- tls_in.cipher = NULL;
- tls_in.peerdn = NULL;
- tls_in.sni = NULL;
-
+ tls_close(NULL, TLS_NO_SHUTDOWN);
return FALSE;
/* Handle genuine errors */
int
tls_write(void * ct_ctx, const uschar *buff, size_t len, BOOL more)
{
-int outbytes, error, left;
-SSL * ssl = ct_ctx ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
-static gstring * corked = NULL;
+size_t olen = len;
+int outbytes, error;
+SSL * ssl = ct_ctx
+ ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
+static gstring * server_corked = NULL;
+gstring ** corkedp = ct_ctx
+ ? &((exim_openssl_client_tls_ctx *)ct_ctx)->corked : &server_corked;
+gstring * corked = *corkedp;
DEBUG(D_tls) debug_printf("%s(%p, %lu%s)\n", __FUNCTION__,
buff, (unsigned long)len, more ? ", more" : "");
/* Lacking a CORK or MSG_MORE facility (such as GnuTLS has) we copy data when
"more" is notified. This hack is only ok if small amounts are involved AND only
one stream does it, in one context (i.e. no store reset). Currently it is used
-for the responses to the received SMTP MAIL , RCPT, DATA sequence, only. */
-/*XXX + if PIPE_COMMAND, banner & ehlo-resp for smmtp-on-connect. Suspect there's
-a store reset there. */
+for the responses to the received SMTP MAIL , RCPT, DATA sequence, only.
+We support callouts done by the server process by using a separate client
+context for the stashed information. */
+/* + if PIPE_COMMAND, banner & ehlo-resp for smmtp-on-connect. Suspect there's
+a store reset there, so use POOL_PERM. */
+/* + if CHUNKING, cmds EHLO,MAIL,RCPT(s),BDAT */
-if (!ct_ctx && (more || corked))
+if ((more || corked))
{
-#ifdef EXPERIMENTAL_PIPE_CONNECT
+#ifdef SUPPORT_PIPE_CONNECT
int save_pool = store_pool;
store_pool = POOL_PERM;
#endif
corked = string_catn(corked, buff, len);
-#ifdef EXPERIMENTAL_PIPE_CONNECT
+#ifdef SUPPORT_PIPE_CONNECT
store_pool = save_pool;
#endif
if (more)
+ {
+ *corkedp = corked;
return len;
+ }
buff = CUS corked->s;
len = corked->ptr;
- corked = NULL;
+ *corkedp = NULL;
}
-for (left = len; left > 0;)
+for (int left = len; left > 0;)
{
DEBUG(D_tls) debug_printf("SSL_write(%p, %p, %d)\n", ssl, buff, left);
outbytes = SSL_write(ssl, CS buff, left);
return -1;
}
}
-return len;
+return olen;
}
}
}
-#ifndef DISABLE_OCSP
if (!o_ctx) /* server side */
{
+#ifndef DISABLE_OCSP
sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
server_static_cbinfo->verify_stack = NULL;
- }
#endif
+ receive_getc = smtp_getc;
+ receive_getbuf = smtp_getbuf;
+ receive_get_cache = smtp_get_cache;
+ receive_ungetc = smtp_ungetc;
+ receive_feof = smtp_feof;
+ receive_ferror = smtp_ferror;
+ receive_smtp_buffered = smtp_buffered;
+ tls_in.active.tls_ctx = NULL;
+ tls_in.sni = NULL;
+ /* Leave bits, peercert, cipher, peerdn, certificate_verified set, for logging */
+ }
+
SSL_CTX_free(*ctxp);
SSL_free(*sslp);
*ctxp = NULL;
int i, needed_len;
static pid_t pidlast = 0;
pid_t pidnow;
-uschar *p;
uschar smallbuf[sizeof(r)];
if (max <= 1)
}
r = 0;
-for (p = smallbuf; needed_len; --needed_len, ++p)
- {
- r *= 256;
- r += *p;
- }
+for (uschar * p = smallbuf; needed_len; --needed_len, ++p)
+ r = 256 * r + *p;
/* We don't particularly care about weighted results; if someone wants
smooth distribution and cares enough then they should submit a patch then. */
tls_openssl_options_parse(uschar *option_spec, long *results)
{
long result, item;
-uschar *s, *end;
+uschar *end;
uschar keep_c;
BOOL adding, item_parsed;
+/* Server: send no (<= TLS1.2) session tickets */
result = SSL_OP_NO_TICKET;
+
/* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
* from default because it increases BEAST susceptibility. */
#ifdef SSL_OP_NO_SSLv2
result |= SSL_OP_NO_SSLv2;
#endif
+#ifdef SSL_OP_NO_SSLv3
+result |= SSL_OP_NO_SSLv3;
+#endif
#ifdef SSL_OP_SINGLE_DH_USE
result |= SSL_OP_SINGLE_DH_USE;
#endif
return TRUE;
}
-for (s=option_spec; *s != '\0'; /**/)
+for (uschar * s = option_spec; *s; /**/)
{
while (isspace(*s)) ++s;
if (*s == '\0')
DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
return FALSE;
}
- DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
- adding ? "adding" : "removing", result, item, s);
+ DEBUG(D_tls) debug_printf("openssl option, %s %8lx: %lx (%s)\n",
+ adding ? "adding to " : "removing from", result, item, s);
if (adding)
result |= item;
else
projects / exim.git / blobdiff