X-Git-Url: https://vcs.fsf.org/?p=exim.git;a=blobdiff_plain;f=src%2Fsrc%2Ftls-openssl.c;h=c5ebc1333546ae7cbfb2e29067b27c77bebf9ac3;hp=7a6e8bfdf79c57809aa9dde9f0b966877e67d86b;hb=1b76ad22a23e704c1d931937953d44c9b206c867;hpb=b808677c8f0d6a1cf93ff75f4ad5b1199bd85311 diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index 7a6e8bfdf..c5ebc1333 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -51,7 +51,7 @@ functions from the OpenSSL library. */ # define EXIM_HAVE_RAND_PSEUDO #endif #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256) -# define EXIM_HAVE_SHA256 /*MMMM*/ +# define EXIM_HAVE_SHA256 #endif /* @@ -70,6 +70,7 @@ functions from the OpenSSL library. */ # if OPENSSL_VERSION_NUMBER >= 0x010100000L # define EXIM_HAVE_OPENSSL_CHECKHOST # define EXIM_HAVE_OPENSSL_DH_BITS +# define EXIM_HAVE_OPENSSL_TLS_METHOD # endif # if OPENSSL_VERSION_NUMBER >= 0x010000000L \ && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L @@ -81,7 +82,7 @@ functions from the OpenSSL library. */ || LIBRESSL_VERSION_NUMBER >= 0x20010000L # if !defined(OPENSSL_NO_ECDH) # if OPENSSL_VERSION_NUMBER >= 0x0090800fL -# define EXIM_HAVE_ECDH /*MMMM*/ +# define EXIM_HAVE_ECDH # endif # if OPENSSL_VERSION_NUMBER >= 0x10002000L # define EXIM_HAVE_OPENSSL_EC_NIST2NID @@ -98,6 +99,142 @@ functions from the OpenSSL library. */ # include #endif +/************************************************* +* OpenSSL option parse * +*************************************************/ + +typedef struct exim_openssl_option { + uschar *name; + long value; +} exim_openssl_option; +/* We could use a macro to expand, but we need the ifdef and not all the +options document which version they were introduced in. Policylet: include +all options unless explicitly for DTLS, let the administrator choose which +to apply. + +This list is current as of: + ==> 1.0.1b <== +Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev +Plus SSL_OP_NO_TLSv1_3 for 1.1.2-dev +*/ +static exim_openssl_option exim_openssl_options[] = { +/* KEEP SORTED ALPHABETICALLY! */ +#ifdef SSL_OP_ALL + { US"all", SSL_OP_ALL }, +#endif +#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION + { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION }, +#endif +#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE + { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE }, +#endif +#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS + { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS }, +#endif +#ifdef SSL_OP_EPHEMERAL_RSA + { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA }, +#endif +#ifdef SSL_OP_LEGACY_SERVER_CONNECT + { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT }, +#endif +#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER + { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER }, +#endif +#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG + { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG }, +#endif +#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING + { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING }, +#endif +#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG + { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG }, +#endif +#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG + { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG }, +#endif +#ifdef SSL_OP_NO_COMPRESSION + { US"no_compression", SSL_OP_NO_COMPRESSION }, +#endif +#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION + { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION }, +#endif +#ifdef SSL_OP_NO_SSLv2 + { US"no_sslv2", SSL_OP_NO_SSLv2 }, +#endif +#ifdef SSL_OP_NO_SSLv3 + { US"no_sslv3", SSL_OP_NO_SSLv3 }, +#endif +#ifdef SSL_OP_NO_TICKET + { US"no_ticket", SSL_OP_NO_TICKET }, +#endif +#ifdef SSL_OP_NO_TLSv1 + { US"no_tlsv1", SSL_OP_NO_TLSv1 }, +#endif +#ifdef SSL_OP_NO_TLSv1_1 +#if SSL_OP_NO_TLSv1_1 == 0x00000400L + /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */ +#warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring +#else + { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 }, +#endif +#endif +#ifdef SSL_OP_NO_TLSv1_2 + { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 }, +#endif +#ifdef SSL_OP_NO_TLSv1_3 + { US"no_tlsv1_3", SSL_OP_NO_TLSv1_3 }, +#endif +#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG + { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG }, +#endif +#ifdef SSL_OP_SINGLE_DH_USE + { US"single_dh_use", SSL_OP_SINGLE_DH_USE }, +#endif +#ifdef SSL_OP_SINGLE_ECDH_USE + { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE }, +#endif +#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG + { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG }, +#endif +#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG + { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG }, +#endif +#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG + { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG }, +#endif +#ifdef SSL_OP_TLS_D5_BUG + { US"tls_d5_bug", SSL_OP_TLS_D5_BUG }, +#endif +#ifdef SSL_OP_TLS_ROLLBACK_BUG + { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG }, +#endif +}; + +#ifndef MACRO_PREDEF +static int exim_openssl_options_size = nelem(exim_openssl_options); +#endif + +#ifdef MACRO_PREDEF +void +options_tls(void) +{ +struct exim_openssl_option * o; +uschar buf[64]; + +for (o = exim_openssl_options; + o < exim_openssl_options + nelem(exim_openssl_options); o++) + { + /* Trailing X is workaround for problem with _OPT_OPENSSL_NO_TLSV1 + being a ".ifdef _OPT_OPENSSL_NO_TLSV1_3" match */ + + spf(buf, sizeof(buf), US"_OPT_OPENSSL_%T_X", o->name); + builtin_macro_create(buf); + } +} +#else + +/******************************************************************************/ + /* Structure for collecting random data for seeding. */ typedef struct randstuff { @@ -116,7 +253,9 @@ static const uschar *sid_ctx = US"exim"; Simple case: client, `client_ctx` As a client, we can be doing a callout or cut-through delivery while receiving a message. So we have a client context, which should have options initialised - from the SMTP Transport. + from the SMTP Transport. We may also concurrently want to make TLS connections + to utility daemons, so client-contexts are allocated and passed around in call + args rather than using a gobal. Server: There are two cases: with and without ServerNameIndication from the client. @@ -130,9 +269,12 @@ Server: configuration. */ -static SSL_CTX *client_ctx = NULL; +typedef struct { + SSL_CTX * ctx; + SSL * ssl; +} exim_openssl_client_tls_ctx; + static SSL_CTX *server_ctx = NULL; -static SSL *client_ssl = NULL; static SSL *server_ssl = NULL; #ifdef EXIM_HAVE_OPENSSL_TLSEXT @@ -430,7 +572,7 @@ else if ( tlsp == &tls_out && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames))) - /* client, wanting hostname check */ + /* client, wanting hostname check */ { #ifdef EXIM_HAVE_OPENSSL_CHECKHOST @@ -904,7 +1046,7 @@ We do not free the stack since it could be needed a second time for SNI handling. Separately we might try to replace using OCSP_basic_verify() - which seems to not -be a public interface into the OpenSSL library (there's no manual entry) - +be a public interface into the OpenSSL library (there's no manual entry) - But what with? We also use OCSP_basic_verify in the client stapling callback. And there we NEED it; we must verify that status... unless the library does it for us anyway? */ @@ -954,7 +1096,7 @@ supply_response: return; bad: - if (running_in_test_harness) + if (f.running_in_test_harness) { extern char ** environ; uschar ** p; @@ -1000,7 +1142,7 @@ if (!EVP_PKEY_assign_RSA(pkey, rsa)) goto err; X509_set_version(x509, 2); /* N+1 - version 3 */ -ASN1_INTEGER_set(X509_get_serialNumber(x509), 0); +ASN1_INTEGER_set(X509_get_serialNumber(x509), 1); X509_gmtime_adj(X509_get_notBefore(x509), 0); X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60); /* 1 hour */ X509_set_pubkey(x509, pkey); @@ -1088,7 +1230,7 @@ if (!cbinfo->certificate) { if (!cbinfo->is_server) /* client */ return OK; - /* server */ + /* server */ if (tls_install_selfsign(sctx, errstr) != OK) return DEFER; } @@ -1216,7 +1358,11 @@ if (!reexpand_tls_files_for_sni) not confident that memcpy wouldn't break some internal reference counting. Especially since there's a references struct member, which would be off. */ +#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD +if (!(server_sni = SSL_CTX_new(TLS_server_method()))) +#else if (!(server_sni = SSL_CTX_new(SSLv23_server_method()))) +#endif { ERR_error_string(ERR_get_error(), ssl_errstring); DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring); @@ -1238,8 +1384,10 @@ if ( !init_dh(server_sni, cbinfo->dhparam, NULL, &dummy_errstr) ) return SSL_TLSEXT_ERR_NOACK; -if (cbinfo->server_cipher_list) - SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list); +if ( cbinfo->server_cipher_list + && !SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list)) + return SSL_TLSEXT_ERR_NOACK; + #ifndef DISABLE_OCSP if (cbinfo->u_ocsp.server.file) { @@ -1545,7 +1693,11 @@ when OpenSSL is built without SSLv2 support. By disabling with openssl_options, we can let admins re-enable with the existing knob. */ +#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD +if (!(ctx = SSL_CTX_new(host ? TLS_client_method() : TLS_server_method()))) +#else if (!(ctx = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method()))) +#endif return tls_error(US"SSL_CTX_new", host, NULL, errstr); /* It turns out that we need to seed the random number generator this early in @@ -1601,9 +1753,15 @@ if (init_options) else DEBUG(D_tls) debug_printf("no SSL CTX options to set\n"); -/* Disable session cache unconditionally */ - +/* We'd like to disable session cache unconditionally, but foolish Outlook +Express clients then give up the first TLS connection and make a second one +(which works). Only when there is an IMAP service on the same machine. +Presumably OE is trying to use the cache for A on B. Leave it enabled for +now, until we work out a decent way of presenting control to the config. It +will never be used because we use a new context every time. */ +#ifdef notdef (void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); +#endif /* Initialize with DH parameters if supplied */ /* Initialize ECDH temp key parameter selection */ @@ -1629,7 +1787,7 @@ if ((rc = tls_expand_session_files(ctx, cbinfo, errstr)) != OK) } # endif -if (host == NULL) /* server */ +if (!host) /* server */ { # ifndef DISABLE_OCSP /* We check u_ocsp.server.file, not server.response, because we care about if @@ -1698,15 +1856,13 @@ Returns: nothing static void construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits) { -/* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't +/* With OpenSSL 1.0.0a, 'c' needs to be const but the documentation doesn't yet reflect that. It should be a safe change anyway, even 0.9.8 versions have the accessor functions use const in the prototype. */ -const SSL_CIPHER *c; -const uschar *ver; -ver = (const uschar *)SSL_get_version(ssl); +const uschar * ver = CUS SSL_get_version(ssl); +const SSL_CIPHER * c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl); -c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl); SSL_CIPHER_get_bits(c, bits); string_format(cipherbuf, bsize, "%s:%s:%u", ver, @@ -1746,6 +1902,7 @@ else * Set up for verifying certificates * *************************************************/ +#ifndef DISABLE_OCSP /* Load certs from file, return TRUE on success */ static BOOL @@ -1754,16 +1911,21 @@ chain_from_pem_file(const uschar * file, STACK_OF(X509) * verify_stack) BIO * bp; X509 * x; +while (sk_X509_num(verify_stack) > 0) + X509_free(sk_X509_pop(verify_stack)); + if (!(bp = BIO_new_file(CS file, "r"))) return FALSE; while ((x = PEM_read_bio_X509(bp, NULL, 0, NULL))) sk_X509_push(verify_stack, x); BIO_free(bp); return TRUE; } +#endif -/* Called by both client and server startup +/* Called by both client and server startup; on the server possibly +repeated after a Server Name Indication. Arguments: sctx SSL_CTX* to initialise @@ -1855,9 +2017,9 @@ if (expcerts && *expcerts) { STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file); + SSL_CTX_set_client_CA_list(sctx, names); DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n", sk_X509_NAME_num(names)); - SSL_CTX_set_client_CA_list(sctx, names); } } } @@ -1956,7 +2118,7 @@ static uschar cipherbuf[256]; /* Check for previous activation */ -if (tls_in.active >= 0) +if (tls_in.active.sock >= 0) { tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr); smtp_printf("554 Already in TLS\r\n", FALSE); @@ -1980,6 +2142,10 @@ if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers, errstr) /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they were historically separated by underscores. So that I can use either form in my tests, and also for general convenience, we turn underscores into hyphens here. + +XXX SSL_CTX_set_cipher_list() is replaced by SSL_CTX_set_ciphersuites() +for TLS 1.3 . Since we do not call it at present we get the default list: +TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 */ if (expciphers) @@ -2004,14 +2170,14 @@ server_verify_callback_called = FALSE; if (verify_check_host(&tls_verify_hosts) == OK) { rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL, - FALSE, verify_callback_server, errstr); + FALSE, verify_callback_server, errstr); if (rc != OK) return rc; server_verify_optional = FALSE; } else if (verify_check_host(&tls_try_verify_hosts) == OK) { rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL, - TRUE, verify_callback_server, errstr); + TRUE, verify_callback_server, errstr); if (rc != OK) return rc; server_verify_optional = TRUE; } @@ -2097,7 +2263,7 @@ DEBUG(D_tls) */ if (!ssl_xfer_buffer) ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size); ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0; -ssl_xfer_eof = ssl_xfer_error = 0; +ssl_xfer_eof = ssl_xfer_error = FALSE; receive_getc = tls_getc; receive_getbuf = tls_getbuf; @@ -2107,7 +2273,8 @@ receive_feof = tls_feof; receive_ferror = tls_ferror; receive_smtp_buffered = tls_smtp_buffered; -tls_in.active = fileno(smtp_out); +tls_in.active.sock = fileno(smtp_out); +tls_in.active.tls_ctx = NULL; /* not using explicit ctx for server-side */ return OK; } @@ -2127,10 +2294,10 @@ int rc; if ( ( !ob->tls_verify_hosts && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts) ) - || (verify_check_given_host(&ob->tls_verify_hosts, host) == OK) + || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK ) client_verify_optional = FALSE; -else if (verify_check_given_host(&ob->tls_try_verify_hosts, host) == OK) +else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK) client_verify_optional = TRUE; else return OK; @@ -2140,7 +2307,7 @@ if ((rc = setup_certs(ctx, ob->tls_verify_certificates, errstr)) != OK) return rc; -if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK) +if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK) { cbinfo->verify_cert_hostnames = #ifdef SUPPORT_I18N @@ -2170,7 +2337,7 @@ if (DANESSL_init(ssl, NULL, hostnames) != 1) for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr; rr = dns_next_rr(dnsa, &dnss, RESET_NEXT) - ) if (rr->type == T_TLSA) + ) if (rr->type == T_TLSA && rr->size > 3) { const uschar * p = rr->data; uint8_t usage, selector, mtype; @@ -2222,27 +2389,28 @@ return DEFER; Argument: fd the fd of the connection - host connected host (for messages) - addr the first address + host connected host (for messages and option-tests) + addr the first address (for some randomness; can be NULL) tb transport (always smtp) tlsa_dnsa tlsa lookup, if DANE, else null + tlsp record details of channel configuration here; must be non-NULL errstr error string pointer -Returns: OK on success - FAIL otherwise - note that tls_error() will not give DEFER - because this is not a server +Returns: Pointer to TLS session context, or NULL on error */ -int +void * tls_client_start(int fd, host_item *host, address_item *addr, transport_instance * tb, #ifdef SUPPORT_DANE dns_answer * tlsa_dnsa, #endif - uschar ** errstr) + tls_support * tlsp, uschar ** errstr) { -smtp_transport_options_block * ob = - (smtp_transport_options_block *)tb->options_block; +smtp_transport_options_block * ob = tb + ? (smtp_transport_options_block *)tb->options_block + : &smtp_transport_option_defaults; +exim_openssl_client_tls_ctx * exim_client_ctx; static uschar peerdn[256]; uschar * expciphers; int rc; @@ -2253,8 +2421,13 @@ BOOL request_ocsp = FALSE; BOOL require_ocsp = FALSE; #endif +rc = store_pool; +store_pool = POOL_PERM; +exim_client_ctx = store_get(sizeof(exim_openssl_client_tls_ctx)); +store_pool = rc; + #ifdef SUPPORT_DANE -tls_out.tlsa_usage = 0; +tlsp->tlsa_usage = 0; #endif #ifndef DISABLE_OCSP @@ -2274,31 +2447,46 @@ tls_out.tlsa_usage = 0; # endif if ((require_ocsp = - verify_check_given_host(&ob->hosts_require_ocsp, host) == OK)) + verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK)) request_ocsp = TRUE; else # ifdef SUPPORT_DANE if (!request_ocsp) # endif request_ocsp = - verify_check_given_host(&ob->hosts_request_ocsp, host) == OK; + verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK; } #endif -rc = tls_init(&client_ctx, host, NULL, +rc = tls_init(&exim_client_ctx->ctx, host, NULL, ob->tls_certificate, ob->tls_privatekey, #ifndef DISABLE_OCSP (void *)(long)request_ocsp, #endif addr, &client_static_cbinfo, errstr); -if (rc != OK) return rc; +if (rc != OK) return NULL; -tls_out.certificate_verified = FALSE; +tlsp->certificate_verified = FALSE; client_verify_callback_called = FALSE; -if (!expand_check(ob->tls_require_ciphers, US"tls_require_ciphers", - &expciphers, errstr)) - return FAIL; +expciphers = NULL; +#ifdef SUPPORT_DANE +if (tlsa_dnsa) + { + /* We fall back to tls_require_ciphers if unset, empty or forced failure, but + other failures should be treated as problems. */ + if (ob->dane_require_tls_ciphers && + !expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers", + &expciphers, errstr)) + return NULL; + if (expciphers && *expciphers == '\0') + expciphers = NULL; + } +#endif +if (!expciphers && + !expand_check(ob->tls_require_ciphers, US"tls_require_ciphers", + &expciphers, errstr)) + return NULL; /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they are separated by underscores. So that I can use either form in my tests, and @@ -2309,62 +2497,74 @@ if (expciphers) uschar *s = expciphers; while (*s) { if (*s == '_') *s = '-'; s++; } DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers); - if (!SSL_CTX_set_cipher_list(client_ctx, CS expciphers)) - return tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr); + if (!SSL_CTX_set_cipher_list(exim_client_ctx->ctx, CS expciphers)) + { + tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr); + return NULL; + } } #ifdef SUPPORT_DANE if (tlsa_dnsa) { - SSL_CTX_set_verify(client_ctx, + SSL_CTX_set_verify(exim_client_ctx->ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback_client_dane); if (!DANESSL_library_init()) - return tls_error(US"library init", host, NULL, errstr); - if (DANESSL_CTX_init(client_ctx) <= 0) - return tls_error(US"context init", host, NULL, errstr); + { + tls_error(US"library init", host, NULL, errstr); + return NULL; + } + if (DANESSL_CTX_init(exim_client_ctx->ctx) <= 0) + { + tls_error(US"context init", host, NULL, errstr); + return NULL; + } } else #endif - if ((rc = tls_client_basic_ctx_init(client_ctx, host, ob, - client_static_cbinfo, errstr)) != OK) - return rc; + if (tls_client_basic_ctx_init(exim_client_ctx->ctx, host, ob, + client_static_cbinfo, errstr) != OK) + return NULL; -if ((client_ssl = SSL_new(client_ctx)) == NULL) - return tls_error(US"SSL_new", host, NULL, errstr); -SSL_set_session_id_context(client_ssl, sid_ctx, Ustrlen(sid_ctx)); -SSL_set_fd(client_ssl, fd); -SSL_set_connect_state(client_ssl); +if (!(exim_client_ctx->ssl = SSL_new(exim_client_ctx->ctx))) + { + tls_error(US"SSL_new", host, NULL, errstr); + return NULL; + } +SSL_set_session_id_context(exim_client_ctx->ssl, sid_ctx, Ustrlen(sid_ctx)); +SSL_set_fd(exim_client_ctx->ssl, fd); +SSL_set_connect_state(exim_client_ctx->ssl); if (ob->tls_sni) { - if (!expand_check(ob->tls_sni, US"tls_sni", &tls_out.sni, errstr)) - return FAIL; - if (!tls_out.sni) + if (!expand_check(ob->tls_sni, US"tls_sni", &tlsp->sni, errstr)) + return NULL; + if (!tlsp->sni) { DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n"); } - else if (!Ustrlen(tls_out.sni)) - tls_out.sni = NULL; + else if (!Ustrlen(tlsp->sni)) + tlsp->sni = NULL; else { #ifdef EXIM_HAVE_OPENSSL_TLSEXT - DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tls_out.sni); - SSL_set_tlsext_host_name(client_ssl, tls_out.sni); + DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tlsp->sni); + SSL_set_tlsext_host_name(exim_client_ctx->ssl, tlsp->sni); #else log_write(0, LOG_MAIN, "SNI unusable with this OpenSSL library version; ignoring \"%s\"\n", - tls_out.sni); + tlsp->sni); #endif } } #ifdef SUPPORT_DANE if (tlsa_dnsa) - if ((rc = dane_tlsa_load(client_ssl, host, tlsa_dnsa, errstr)) != OK) - return rc; + if (dane_tlsa_load(exim_client_ctx->ssl, host, tlsa_dnsa, errstr) != OK) + return NULL; #endif #ifndef DISABLE_OCSP @@ -2380,23 +2580,23 @@ if (request_ocsp) { /* Re-eval now $tls_out_tlsa_usage is populated. If this means we avoid the OCSP request, we wasted the setup cost in tls_init(). */ - require_ocsp = verify_check_given_host(&ob->hosts_require_ocsp, host) == OK; + require_ocsp = verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK; request_ocsp = require_ocsp - || verify_check_given_host(&ob->hosts_request_ocsp, host) == OK; + || verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK; } } # endif if (request_ocsp) { - SSL_set_tlsext_status_type(client_ssl, TLSEXT_STATUSTYPE_ocsp); + SSL_set_tlsext_status_type(exim_client_ctx->ssl, TLSEXT_STATUSTYPE_ocsp); client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp; - tls_out.ocsp = OCSP_NOT_RESP; + tlsp->ocsp = OCSP_NOT_RESP; } #endif #ifndef DISABLE_EVENT -client_static_cbinfo->event_action = tb->event_action; +client_static_cbinfo->event_action = tb ? tb->event_action : NULL; #endif /* There doesn't seem to be a built-in timeout on connection. */ @@ -2404,33 +2604,36 @@ client_static_cbinfo->event_action = tb->event_action; DEBUG(D_tls) debug_printf("Calling SSL_connect\n"); sigalrm_seen = FALSE; alarm(ob->command_timeout); -rc = SSL_connect(client_ssl); +rc = SSL_connect(exim_client_ctx->ssl); alarm(0); #ifdef SUPPORT_DANE if (tlsa_dnsa) - DANESSL_cleanup(client_ssl); + DANESSL_cleanup(exim_client_ctx->ssl); #endif if (rc <= 0) - return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL, - errstr); + { + tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL, errstr); + return NULL; + } DEBUG(D_tls) debug_printf("SSL_connect succeeded\n"); -peer_cert(client_ssl, &tls_out, peerdn, sizeof(peerdn)); +peer_cert(exim_client_ctx->ssl, tlsp, peerdn, sizeof(peerdn)); -construct_cipher_name(client_ssl, cipherbuf, sizeof(cipherbuf), &tls_out.bits); -tls_out.cipher = cipherbuf; +construct_cipher_name(exim_client_ctx->ssl, cipherbuf, sizeof(cipherbuf), &tlsp->bits); +tlsp->cipher = cipherbuf; /* Record the certificate we presented */ { - X509 * crt = SSL_get_certificate(client_ssl); - tls_out.ourcert = crt ? X509_dup(crt) : NULL; + X509 * crt = SSL_get_certificate(exim_client_ctx->ssl); + tlsp->ourcert = crt ? X509_dup(crt) : NULL; } -tls_out.active = fd; -return OK; +tlsp->active.sock = fd; +tlsp->active.tls_ctx = exim_client_ctx; +return exim_client_ctx; } @@ -2450,50 +2653,70 @@ if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout); inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer, MIN(ssl_xfer_buffer_size, lim)); error = SSL_get_error(server_ssl, inbytes); -alarm(0); +if (smtp_receive_timeout > 0) alarm(0); + +if (had_command_timeout) /* set by signal handler */ + smtp_command_timeout_exit(); /* does not return */ +if (had_command_sigterm) + smtp_command_sigterm_exit(); +if (had_data_timeout) + smtp_data_timeout_exit(); +if (had_data_sigint) + smtp_data_sigint_exit(); /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been closed down, not that the socket itself has been closed down. Revert to non-SSL handling. */ -if (error == SSL_ERROR_ZERO_RETURN) +switch(error) { - DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n"); + case SSL_ERROR_NONE: + break; - receive_getc = smtp_getc; - receive_getbuf = smtp_getbuf; - receive_get_cache = smtp_get_cache; - receive_ungetc = smtp_ungetc; - receive_feof = smtp_feof; - receive_ferror = smtp_ferror; - receive_smtp_buffered = smtp_buffered; - - SSL_free(server_ssl); - server_ssl = NULL; - tls_in.active = -1; - tls_in.bits = 0; - tls_in.cipher = NULL; - tls_in.peerdn = NULL; - tls_in.sni = NULL; + case SSL_ERROR_ZERO_RETURN: + DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n"); - return FALSE; - } + receive_getc = smtp_getc; + receive_getbuf = smtp_getbuf; + receive_get_cache = smtp_get_cache; + receive_ungetc = smtp_ungetc; + receive_feof = smtp_feof; + receive_ferror = smtp_ferror; + receive_smtp_buffered = smtp_buffered; -/* Handle genuine errors */ + if (SSL_get_shutdown(server_ssl) == SSL_RECEIVED_SHUTDOWN) + SSL_shutdown(server_ssl); -else if (error == SSL_ERROR_SSL) - { - ERR_error_string(ERR_get_error(), ssl_errstring); - log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring); - ssl_xfer_error = 1; - return FALSE; - } +#ifndef DISABLE_OCSP + sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free); + server_static_cbinfo->verify_stack = NULL; +#endif + SSL_free(server_ssl); + SSL_CTX_free(server_ctx); + server_ctx = NULL; + server_ssl = NULL; + tls_in.active.sock = -1; + tls_in.active.tls_ctx = NULL; + tls_in.bits = 0; + tls_in.cipher = NULL; + tls_in.peerdn = NULL; + tls_in.sni = NULL; -else if (error != SSL_ERROR_NONE) - { - DEBUG(D_tls) debug_printf("Got SSL error %d\n", error); - ssl_xfer_error = 1; - return FALSE; + return FALSE; + + /* Handle genuine errors */ + case SSL_ERROR_SSL: + ERR_error_string(ERR_get_error(), ssl_errstring); + log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring); + ssl_xfer_error = TRUE; + return FALSE; + + default: + DEBUG(D_tls) debug_printf("Got SSL error %d\n", error); + DEBUG(D_tls) if (error == SSL_ERROR_SYSCALL) + debug_printf(" - syscall %s\n", strerror(errno)); + ssl_xfer_error = TRUE; + return FALSE; } #ifndef DISABLE_DKIM @@ -2577,19 +2800,20 @@ return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm || SSL_pending(server_ssl) > 0; /* Arguments: + ct_ctx client context pointer, or NULL for the one global server context buff buffer of data len size of buffer Returns: the number of bytes read - -1 after a failed read + -1 after a failed read, including EOF Only used by the client-side TLS. */ int -tls_read(BOOL is_server, uschar *buff, size_t len) +tls_read(void * ct_ctx, uschar *buff, size_t len) { -SSL *ssl = is_server ? server_ssl : client_ssl; +SSL * ssl = ct_ctx ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl; int inbytes; int error; @@ -2620,7 +2844,7 @@ return inbytes; /* Arguments: - is_server channel specifier + ct_ctx client context pointer, or NULL for the one global server context buff buffer of data len number of bytes more further data expected soon @@ -2632,10 +2856,10 @@ Used by both server-side and client-side TLS. */ int -tls_write(BOOL is_server, const uschar *buff, size_t len, BOOL more) +tls_write(void * ct_ctx, const uschar *buff, size_t len, BOOL more) { int outbytes, error, left; -SSL *ssl = is_server ? server_ssl : client_ssl; +SSL * ssl = ct_ctx ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl; static gstring * corked = NULL; DEBUG(D_tls) debug_printf("%s(%p, %lu%s)\n", __FUNCTION__, @@ -2646,7 +2870,7 @@ DEBUG(D_tls) debug_printf("%s(%p, %lu%s)\n", __FUNCTION__, one stream does it, in one context (i.e. no store reset). Currently it is used for the responses to the received SMTP MAIL , RCPT, DATA sequence, only. */ -if (is_server && (more || corked)) +if (!ct_ctx && (more || corked)) { corked = string_catn(corked, buff, len); if (more) @@ -2658,7 +2882,7 @@ if (is_server && (more || corked)) for (left = len; left > 0;) { - DEBUG(D_tls) debug_printf("SSL_write(SSL, %p, %d)\n", buff, left); + DEBUG(D_tls) debug_printf("SSL_write(%p, %p, %d)\n", ssl, buff, left); outbytes = SSL_write(ssl, CS buff, left); error = SSL_get_error(ssl, outbytes); DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error); @@ -2702,29 +2926,59 @@ return len; daemon, to shut down the TLS library, without actually doing a shutdown (which would tamper with the SSL session in the parent process). -Arguments: TRUE if SSL_shutdown is to be called +Arguments: + ct_ctx client TLS context pointer, or NULL for the one global server context + shutdown 1 if TLS close-alert is to be sent, + 2 if also response to be waited for + Returns: nothing Used by both server-side and client-side TLS. */ void -tls_close(BOOL is_server, BOOL shutdown) +tls_close(void * ct_ctx, int shutdown) { -SSL **sslp = is_server ? &server_ssl : &client_ssl; -int *fdp = is_server ? &tls_in.active : &tls_out.active; +exim_openssl_client_tls_ctx * o_ctx = ct_ctx; +SSL_CTX **ctxp = o_ctx ? &o_ctx->ctx : &server_ctx; +SSL **sslp = o_ctx ? &o_ctx->ssl : &server_ssl; +int *fdp = o_ctx ? &tls_out.active.sock : &tls_in.active.sock; if (*fdp < 0) return; /* TLS was not active */ if (shutdown) { - DEBUG(D_tls) debug_printf("tls_close(): shutting down SSL\n"); - SSL_shutdown(*sslp); + int rc; + DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n", + shutdown > 1 ? " (with response-wait)" : ""); + + if ( (rc = SSL_shutdown(*sslp)) == 0 /* send "close notify" alert */ + && shutdown > 1) + { + alarm(2); + rc = SSL_shutdown(*sslp); /* wait for response */ + alarm(0); + } + + if (rc < 0) DEBUG(D_tls) + { + ERR_error_string(ERR_get_error(), ssl_errstring); + debug_printf("SSL_shutdown: %s\n", ssl_errstring); + } + } + +#ifndef DISABLE_OCSP +if (!o_ctx) /* server side */ + { + sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free); + server_static_cbinfo->verify_stack = NULL; } +#endif +SSL_CTX_free(*ctxp); SSL_free(*sslp); +*ctxp = NULL; *sslp = NULL; - *fdp = -1; } @@ -2774,8 +3028,11 @@ while (*s != 0) { if (*s == '_') *s = '-'; s++; } err = NULL; -ctx = SSL_CTX_new(SSLv23_server_method()); -if (!ctx) +#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD +if (!(ctx = SSL_CTX_new(TLS_server_method()))) +#else +if (!(ctx = SSL_CTX_new(SSLv23_server_method()))) +#endif { ERR_error_string(ERR_get_error(), ssl_errstring); return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring); @@ -2940,110 +3197,6 @@ Arguments: Returns success or failure in parsing */ -struct exim_openssl_option { - uschar *name; - long value; -}; -/* We could use a macro to expand, but we need the ifdef and not all the -options document which version they were introduced in. Policylet: include -all options unless explicitly for DTLS, let the administrator choose which -to apply. - -This list is current as of: - ==> 1.0.1b <== -Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev -*/ -static struct exim_openssl_option exim_openssl_options[] = { -/* KEEP SORTED ALPHABETICALLY! */ -#ifdef SSL_OP_ALL - { US"all", SSL_OP_ALL }, -#endif -#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION - { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION }, -#endif -#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE - { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE }, -#endif -#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS - { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS }, -#endif -#ifdef SSL_OP_EPHEMERAL_RSA - { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA }, -#endif -#ifdef SSL_OP_LEGACY_SERVER_CONNECT - { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT }, -#endif -#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER - { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER }, -#endif -#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG - { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG }, -#endif -#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING - { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING }, -#endif -#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG - { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG }, -#endif -#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG - { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG }, -#endif -#ifdef SSL_OP_NO_COMPRESSION - { US"no_compression", SSL_OP_NO_COMPRESSION }, -#endif -#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION - { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION }, -#endif -#ifdef SSL_OP_NO_SSLv2 - { US"no_sslv2", SSL_OP_NO_SSLv2 }, -#endif -#ifdef SSL_OP_NO_SSLv3 - { US"no_sslv3", SSL_OP_NO_SSLv3 }, -#endif -#ifdef SSL_OP_NO_TICKET - { US"no_ticket", SSL_OP_NO_TICKET }, -#endif -#ifdef SSL_OP_NO_TLSv1 - { US"no_tlsv1", SSL_OP_NO_TLSv1 }, -#endif -#ifdef SSL_OP_NO_TLSv1_1 -#if SSL_OP_NO_TLSv1_1 == 0x00000400L - /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */ -#warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring -#else - { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 }, -#endif -#endif -#ifdef SSL_OP_NO_TLSv1_2 - { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 }, -#endif -#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG - { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG }, -#endif -#ifdef SSL_OP_SINGLE_DH_USE - { US"single_dh_use", SSL_OP_SINGLE_DH_USE }, -#endif -#ifdef SSL_OP_SINGLE_ECDH_USE - { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE }, -#endif -#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG - { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG }, -#endif -#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG - { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG }, -#endif -#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG - { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG }, -#endif -#ifdef SSL_OP_TLS_D5_BUG - { US"tls_d5_bug", SSL_OP_TLS_D5_BUG }, -#endif -#ifdef SSL_OP_TLS_ROLLBACK_BUG - { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG }, -#endif -}; -static int exim_openssl_options_size = - sizeof(exim_openssl_options)/sizeof(struct exim_openssl_option); static BOOL @@ -3144,6 +3297,7 @@ for (s=option_spec; *s != '\0'; /**/) return TRUE; } +#endif /*!MACRO_PREDEF*/ /* vi: aw ai sw=2 */ /* End of tls-openssl.c */