#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
# define EXIM_HAVE_OPENSSL_TLSEXT
#endif
-#if OPENSSL_VERSION_NUMBER >= 0x010100000L
-# define EXIM_HAVE_OPENSSL_CHECKHOST
-#endif
-#if OPENSSL_VERSION_NUMBER >= 0x010000000L \
+
+/*
+ * X509_check_host provides sane certificate hostname checking, but was added
+ * to OpenSSL late, after other projects forked off the code-base. So in
+ * addition to guarding against the base version number, beware that LibreSSL
+ * does not (at this time) support this function.
+ *
+ * If LibreSSL gains a different API, perhaps via libtls, then we'll probably
+ * opt to disentangle and ask a LibreSSL user to provide glue for a third
+ * crypto provider for libtls instead of continuing to tie the OpenSSL glue
+ * into even twistier knots. If LibreSSL gains the same API, we can just
+ * change this guard and punt the issue for a while longer.
+ */
+#ifndef LIBRESSL_VERSION_NUMBER
+# if OPENSSL_VERSION_NUMBER >= 0x010100000L
+# define EXIM_HAVE_OPENSSL_CHECKHOST
+# endif
+# if OPENSSL_VERSION_NUMBER >= 0x010000000L \
&& (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
-# define EXIM_HAVE_OPENSSL_CHECKHOST
+# define EXIM_HAVE_OPENSSL_CHECKHOST
+# endif
#endif
#if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
uschar dn[256];
#ifdef EXPERIMENTAL_EVENT
int depth = X509_STORE_CTX_get_error_depth(x509ctx);
-uschar * yield;
BOOL dummy_called, optional = FALSE;
#endif
/* If dhparam is set, expand it, and load up the parameters for DH encryption.
Arguments:
+ sctx The current SSL CTX (inbound or outbound)
dhparam DH parameter file or fixed parameter identity string
host connected host, if client; NULL if server
+/*************************************************
+* Initialize for ECDH *
+*************************************************/
+
+/* Load parameters for ECDH encryption.
+
+For now, we stick to NIST P-256 because: it's simple and easy to configure;
+it avoids any patent issues that might bite redistributors; despite events in
+the news and concerns over curve choices, we're not cryptographers, we're not
+pretending to be, and this is "good enough" to be better than no support,
+protecting against most adversaries. Given another year or two, there might
+be sufficient clarity about a "right" way forward to let us make an informed
+decision, instead of a knee-jerk reaction.
+
+Longer-term, we should look at supporting both various named curves and
+external files generated with "openssl ecparam", much as we do for init_dh().
+We should also support "none" as a value, to explicitly avoid initialisation.
+
+Patches welcome.
+
+Arguments:
+ sctx The current SSL CTX (inbound or outbound)
+ host connected host, if client; NULL if server
+
+Returns: TRUE if OK (nothing to set up, or setup worked)
+*/
+
+static BOOL
+init_ecdh(SSL_CTX *sctx, host_item *host)
+{
+if (host) /* No ECDH setup for clients, only for servers */
+ return TRUE;
+
+#ifndef SSL_CTX_set_tmp_ecdh
+/* No elliptic curve API in OpenSSL, skip it */
+DEBUG(D_tls)
+ debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
+return TRUE;
+#else
+# ifndef NID_X9_62_prime256v1
+/* For now, stick to NIST P-256 to get "something" running.
+If that's not available, bail */
+DEBUG(D_tls)
+ debug_printf("NIST P-256 EC curve not available, skipping ECDH setup\n");
+return TRUE;
+# else
+ {
+ EC_KEY * ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+ BOOL rv;
+
+ /* The "tmp" in the name here refers to setting a tempoary key
+ not to the stability of the interface. */
+
+ if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) != 0))
+ {
+ DEBUG(D_tls) debug_printf("ECDH: enable NIST P-256 curve\n");
+ }
+ else
+ tls_error(US"Error enabling NIST P-256 curve", host, NULL);
+ EC_KEY_free(ecdh);
+ return rv;
+ }
+# endif
+#endif
+}
+
+
+
+
#ifndef DISABLE_OCSP
/*************************************************
* Load OCSP information into state *
SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
+
+if ( !init_dh(server_sni, cbinfo->dhparam, NULL)
+ || !init_ecdh(server_sni, NULL)
+ )
+ return SSL_TLSEXT_ERR_NOACK;
+
if (cbinfo->server_cipher_list)
SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list);
#ifndef DISABLE_OCSP
/* do this after setup_certs, because this can require the certs for verifying
OCSP information. */
-rc = tls_expand_session_files(server_sni, cbinfo);
-if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
-
-if (!init_dh(server_sni, cbinfo->dhparam, NULL))
+if ((rc = tls_expand_session_files(server_sni, cbinfo)) != OK)
return SSL_TLSEXT_ERR_NOACK;
DEBUG(D_tls) debug_printf("Switching SSL context.\n");
/* Initialize with DH parameters if supplied */
-if (!init_dh(*ctxp, dhparam, host)) return DEFER;
+if ( !init_dh(*ctxp, dhparam, host)
+ || !init_ecdh(*ctxp, host)
+ )
+ return DEFER;
/* Set up certificate and key (and perhaps OCSP info) */
int rc;
uschar *expciphers;
tls_ext_ctx_cb *cbinfo;
-X509 * peercert;
static uschar peerdn[256];
static uschar cipherbuf[256];