X-Git-Url: https://git.exim.org/users/jgh/exim.git/blobdiff_plain/54c90be16587ca315041c964e251f07fc2bcf0e9..57233af5f91cdca9a0232a71fab2d12a538cb1a6:/src/src/tls-openssl.c diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index fdcb95ef2..6f2646f03 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -5,6 +5,8 @@ /* Copyright (c) University of Cambridge 1995 - 2012 */ /* See the file NOTICE for conditions of use and distribution. */ +/* Portions Copyright (c) The OpenSSL Project 1999 */ + /* This module provides the TLS (aka SSL) support for Exim using the OpenSSL library. It is #included into the tls.c file when that library is used. The code herein is based on a patch that was originally contributed by Steve 
@@ -42,30 +44,62 @@ typedef struct randstuff { /* Local static variables */ -static BOOL verify_callback_called = FALSE; +static BOOL client_verify_callback_called = FALSE; +static BOOL server_verify_callback_called = FALSE; static const uschar *sid_ctx = US"exim"; -static SSL_CTX *ctx = NULL; +/* We have three different contexts to care about. + +Simple case: client, `client_ctx` + As a client, we can be doing a callout or cut-through delivery while receiving + a message. So we have a client context, which should have options initialised + from the SMTP Transport. + +Server: + There are two cases: with and without ServerNameIndication from the client. + Given TLS SNI, we can be using different keys, certs and various other + configuration settings, because they're re-expanded with $tls_sni set. This + allows vhosting with TLS. This SNI is sent in the handshake. + A client might not send SNI, so we need a fallback, and an initial setup too. + So as a server, we start out using `server_ctx`. + If SNI is sent by the client, then we as server, mid-negotiation, try to clone + `server_sni` from `server_ctx` and then initialise settings by re-expanding + configuration. 
+*/ + +static SSL_CTX *client_ctx = NULL; +static SSL_CTX *server_ctx = NULL; +static SSL *client_ssl = NULL; +static SSL *server_ssl = NULL; + #ifdef EXIM_HAVE_OPENSSL_TLSEXT -static SSL_CTX *ctx_sni = NULL; +static SSL_CTX *server_sni = NULL; #endif -static SSL *ssl = NULL; static char ssl_errstring[256]; static int ssl_session_timeout = 200; -static BOOL verify_optional = FALSE; +static BOOL client_verify_optional = FALSE; +static BOOL server_verify_optional = FALSE; -static BOOL reexpand_tls_files_for_sni = FALSE; +static BOOL reexpand_tls_files_for_sni = FALSE; typedef struct tls_ext_ctx_cb { uschar *certificate; uschar *privatekey; #ifdef EXPERIMENTAL_OCSP - uschar *ocsp_file; - uschar *ocsp_file_expanded; - OCSP_RESPONSE *ocsp_response; + BOOL is_server; + union { + struct { + uschar *file; + uschar *file_expanded; + OCSP_RESPONSE *response; + } server; + struct { + X509_STORE *verify_store; + } client; + } u_ocsp; #endif uschar *dhparam; /* these are cached from first expand */ @@ -77,17 +111,19 @@ typedef struct tls_ext_ctx_cb { /* should figure out a cleanup of API to handle state preserved per implementation, for various reasons, which can be void * in the APIs. For now, we hack around it. */ -tls_ext_ctx_cb *static_cbinfo = NULL; +tls_ext_ctx_cb *client_static_cbinfo = NULL; +tls_ext_ctx_cb *server_static_cbinfo = NULL; static int -setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional); +setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional, + int (*cert_vfy_cb)(int, X509_STORE_CTX *) ); /* Callbacks */ #ifdef EXIM_HAVE_OPENSSL_TLSEXT static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg); #endif #ifdef EXPERIMENTAL_OCSP -static int tls_stapling_cb(SSL *s, void *arg); +static int tls_server_stapling_cb(SSL *s, void *arg); #endif 
@@ -171,6 +207,29 @@ return rsa_key; +/* Extreme debug +#if defined(EXPERIMENTAL_OCSP) +void +x509_store_dump_cert_s_names(X509_STORE * store) +{ +STACK_OF(X509_OBJECT) * roots= store->objs; +int i; +static uschar name[256]; + +for(i= 0; itype == X509_LU_X509) + { + X509 * current_cert= tmp_obj->data.x509; + X509_NAME_oneline(X509_get_subject_name(current_cert), CS name, sizeof(name)); + debug_printf(" %s\n", name); + } + } +} +#endif +*/ + /************************************************* * Callback for verification * @@ -196,12 +255,13 @@ setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case. Arguments: state current yes/no state as 1/0 x509ctx certificate information. + client TRUE for client startup, FALSE for server startup Returns: 1 if verified, 0 if not */ static int -verify_callback(int state, X509_STORE_CTX *x509ctx) +verify_callback(int state, X509_STORE_CTX *x509ctx, tls_support *tlsp, BOOL *calledp, BOOL *optionalp) { static uschar txt[256]; @@ -214,9 +274,9 @@ if (state == 0) x509ctx->error_depth, X509_verify_cert_error_string(x509ctx->error), txt); - tls_certificate_verified = FALSE; - verify_callback_called = TRUE; - if (!verify_optional) return 0; /* reject */ + tlsp->certificate_verified = FALSE; + *calledp = TRUE; + if (!*optionalp) return 0; /* reject */ DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in " "tls_try_verify_hosts)\n"); return 1; /* accept */ 
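Review bot: The argument list in the header comment of verify_callback() no longer matches the signature. The hunk adds `client TRUE for client startup, FALSE for server startup`, but there is no `client` parameter; the new parameters are `tlsp`, `calledp` and `optionalp`. I would replace that line with three entries, for example `tlsp per-direction TLS state to update`, `calledp set TRUE once the callback has run for this connection` and `optionalp TRUE if a verification failure is to be overridden`. The function body continues beyond this hunk.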
@@ -226,20 +286,50 @@ if (x509ctx->error_depth != 0) { DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d cert=%s\n", x509ctx->error_depth, txt); +#ifdef EXPERIMENTAL_OCSP + if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store) + { /* client, wanting stapling */ + /* Add the server cert's signing chain as the one + for the verification of the OCSP stapled information. */ + + if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store, + x509ctx->current_cert)) + ERR_clear_error(); + } +#endif } else { DEBUG(D_tls) debug_printf("SSL%s peer: %s\n", - verify_callback_called? "" : " authenticated", txt); - tls_peerdn = txt; + *calledp ? "" : " authenticated", txt); + tlsp->peerdn = txt; } -if (!verify_callback_called) tls_certificate_verified = TRUE; -verify_callback_called = TRUE; +/*XXX JGH: this looks bogus - we set "verified" first time through, which +will be for the root CS cert (calls work down the chain). Why should it +not be on the last call, where we're setting peerdn? + +To test: set up a chain anchored by a good root-CA but with a bad server cert. +Does certificate_verified get set? +*/ +if (!*calledp) tlsp->certificate_verified = TRUE; +*calledp = TRUE; return 1; /* accept */ } +static int +verify_callback_client(int state, X509_STORE_CTX *x509ctx) +{ +return verify_callback(state, x509ctx, &tls_out, &client_verify_callback_called, &client_verify_optional); +} + +static int +verify_callback_server(int state, X509_STORE_CTX *x509ctx) +{ +return verify_callback(state, x509ctx, &tls_in, &server_verify_callback_called, &server_verify_optional); +} + /************************************************* 
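Review bot: `tlsp->peerdn = txt;` stores a pointer to the function-local `static uschar txt[256]` (declared in the preceding hunk), which verify_callback_client() and verify_callback_server() now share. A client-side handshake that runs while an inbound session is up would overwrite the text that `tls_in.peerdn` points at; the context comment added earlier in this commit says callouts can happen during reception. The rest of the change splits this state per direction, and the DN buffer should be split the same way, for example with `tlsp->peerdn = string_copy(txt);` or a per-direction buffer passed in by the two wrappers. On the XXX question: going by the visible logic, a failure at any depth sets `certificate_verified` to FALSE and `*calledp` to TRUE, after which `if (!*calledp)` can never set it back, so the flag ends TRUE only when no call failed. A comment saying that would serve readers better than the open question.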
@@ -364,7 +454,7 @@ return TRUE; * Load OCSP information into state * *************************************************/ -/* Called to load the OCSP response from the given file into memory, once +/* Called to load the server OCSP response from the given file into memory, once caller has determined this is needed. Checks validity. Debugs a message if invalid. @@ -378,9 +468,7 @@ Arguments: */ static void -ocsp_load_response(SSL_CTX *sctx, - tls_ext_ctx_cb *cbinfo, - const uschar *expanded) +ocsp_load_response(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo, const uschar *expanded) { BIO *bio; OCSP_RESPONSE *resp; @@ -391,18 +479,18 @@ X509_STORE *store; unsigned long verify_flags; int status, reason, i; -cbinfo->ocsp_file_expanded = string_copy(expanded); -if (cbinfo->ocsp_response) +cbinfo->u_ocsp.server.file_expanded = string_copy(expanded); +if (cbinfo->u_ocsp.server.response) { - OCSP_RESPONSE_free(cbinfo->ocsp_response); - cbinfo->ocsp_response = NULL; + OCSP_RESPONSE_free(cbinfo->u_ocsp.server.response); + cbinfo->u_ocsp.server.response = NULL; } -bio = BIO_new_file(CS cbinfo->ocsp_file_expanded, "rb"); +bio = BIO_new_file(CS cbinfo->u_ocsp.server.file_expanded, "rb"); if (!bio) { DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n", - cbinfo->ocsp_file_expanded); + cbinfo->u_ocsp.server.file_expanded); return; } @@ -419,7 +507,7 @@ if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL) { DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n", OCSP_response_status_str(status), status); - return; + goto bad; } basic_response = OCSP_response_get1_basic(resp); @@ -427,7 +515,7 @@ if (!basic_response) { DEBUG(D_tls) debug_printf("OCSP response parse error: unable to extract basic response.\n"); - return; + goto bad; } store = SSL_CTX_get_cert_store(sctx); 
@@ -443,8 +531,8 @@ if (i <= 0) DEBUG(D_tls) { ERR_error_string(ERR_get_error(), ssl_errstring); debug_printf("OCSP response verify failure: %s\n", US ssl_errstring); - } - return; + } + goto bad; } /* Here's the simplifying assumption: there's only one response, for the @@ -459,27 +547,43 @@ if (!single_response) { DEBUG(D_tls) debug_printf("Unable to get first response from OCSP basic response.\n"); - return; + goto bad; } status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd); -/* how does this status differ from the one above? */ -if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL) +if (status != V_OCSP_CERTSTATUS_GOOD) { - DEBUG(D_tls) debug_printf("OCSP response not valid (take 2): %s (%d)\n", - OCSP_response_status_str(status), status); - return; + DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n", + OCSP_cert_status_str(status), status, + OCSP_crl_reason_str(reason), reason); + goto bad; } if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE)) { DEBUG(D_tls) debug_printf("OCSP status invalid times.\n"); - return; + goto bad; } -cbinfo->ocsp_response = resp; +supply_response: +cbinfo->u_ocsp.server.response = resp; +return; + +bad: +if (running_in_test_harness) + { + extern char ** environ; + uschar ** p; + for (p = USS environ; *p != NULL; p++) + if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0) + { + DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n"); + goto supply_response; + } + } +return; } -#endif +#endif /*EXPERIMENTAL_OCSP*/ @@ -488,7 +592,7 @@ cbinfo->ocsp_response = resp; * Expand key and cert file specs * *************************************************/ -/* Called once during tls_init and possibly againt during TLS setup, for a +/* Called once during tls_init and possibly again during TLS setup, for a new context, if Server Name Indication was used and tls_sni was seen in the certificate string. 
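Review bot: The new `bad:` exit returns without releasing what was parsed. `resp` is handed to `cbinfo` only on the `supply_response:` path, and `basic_response` comes from OCSP_response_get1_basic(), which returns a reference the caller owns, yet nothing visible frees either one. I would add `OCSP_RESPONSE_free(resp);` before the final `return;` and call `OCSP_BASICRESP_free(basic_response);` on both exits, with `basic_response` initialised to NULL because the first `goto bad` (in an earlier hunk) precedes its assignment; whether `bio` is freed lies outside the visible hunks. Separately, the harness override compares only the first 42 characters of each environment entry, so any variable whose name merely starts with `EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK` enables it. Comparing against the name followed by `=` would be stricter, and a comment stating that this fail-open branch is reachable only under `running_in_test_harness` would help anyone auditing it.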
@@ -507,7 +611,10 @@ uschar *expanded; if (cbinfo->certificate == NULL) return OK; -if (Ustrstr(cbinfo->certificate, US"tls_sni")) +if (Ustrstr(cbinfo->certificate, US"tls_sni") || + Ustrstr(cbinfo->certificate, US"tls_in_sni") || + Ustrstr(cbinfo->certificate, US"tls_out_sni") + ) reexpand_tls_files_for_sni = TRUE; if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded)) @@ -539,16 +646,16 @@ if (expanded != NULL && *expanded != 0) } #ifdef EXPERIMENTAL_OCSP -if (cbinfo->ocsp_file != NULL) +if (cbinfo->is_server && cbinfo->u_ocsp.server.file != NULL) { - if (!expand_check(cbinfo->ocsp_file, US"tls_ocsp_file", &expanded)) + if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded)) return DEFER; if (expanded != NULL && *expanded != 0) { DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded); - if (cbinfo->ocsp_file_expanded && - (Ustrcmp(expanded, cbinfo->ocsp_file_expanded) == 0)) + if (cbinfo->u_ocsp.server.file_expanded && + (Ustrcmp(expanded, cbinfo->u_ocsp.server.file_expanded) == 0)) { DEBUG(D_tls) debug_printf("tls_ocsp_file value unchanged, using existing values.\n"); @@ -599,7 +706,7 @@ DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername, /* Make the extension value available for expansion */ store_pool = POOL_PERM; -tls_sni = string_copy(US servername); +tls_in.sni = string_copy(US servername); store_pool = old_pool; if (!reexpand_tls_files_for_sni) @@ -609,8 +716,8 @@ if (!reexpand_tls_files_for_sni) not confident that memcpy wouldn't break some internal reference counting. Especially since there's a references struct member, which would be off. */ -ctx_sni = SSL_CTX_new(SSLv23_server_method()); -if (!ctx_sni) +server_sni = SSL_CTX_new(SSLv23_server_method()); +if (!server_sni) { ERR_error_string(ERR_get_error(), ssl_errstring); DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring); 
@@ -620,35 +727,35 @@ if (!ctx_sni) /* Not sure how many of these are actually needed, since SSL object already exists. Might even need this selfsame callback, for reneg? */ -SSL_CTX_set_info_callback(ctx_sni, SSL_CTX_get_info_callback(ctx)); -SSL_CTX_set_mode(ctx_sni, SSL_CTX_get_mode(ctx)); -SSL_CTX_set_options(ctx_sni, SSL_CTX_get_options(ctx)); -SSL_CTX_set_timeout(ctx_sni, SSL_CTX_get_timeout(ctx)); -SSL_CTX_set_tlsext_servername_callback(ctx_sni, tls_servername_cb); -SSL_CTX_set_tlsext_servername_arg(ctx_sni, cbinfo); +SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx)); +SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx)); +SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx)); +SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx)); +SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb); +SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo); if (cbinfo->server_cipher_list) - SSL_CTX_set_cipher_list(ctx_sni, CS cbinfo->server_cipher_list); + SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list); #ifdef EXPERIMENTAL_OCSP -if (cbinfo->ocsp_file) +if (cbinfo->u_ocsp.server.file) { - SSL_CTX_set_tlsext_status_cb(ctx_sni, tls_stapling_cb); - SSL_CTX_set_tlsext_status_arg(ctx, cbinfo); + SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb); + SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo); } #endif -rc = setup_certs(ctx_sni, tls_verify_certificates, tls_crl, NULL, FALSE); +rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE, verify_callback_server); if (rc != OK) return SSL_TLSEXT_ERR_NOACK; /* do this after setup_certs, because this can require the certs for verifying OCSP information. 
*/ -rc = tls_expand_session_files(ctx_sni, cbinfo); +rc = tls_expand_session_files(server_sni, cbinfo); if (rc != OK) return SSL_TLSEXT_ERR_NOACK; -rc = init_dh(ctx_sni, cbinfo->dhparam, NULL); +rc = init_dh(server_sni, cbinfo->dhparam, NULL); if (rc != OK) return SSL_TLSEXT_ERR_NOACK; DEBUG(D_tls) debug_printf("Switching SSL context.\n"); -SSL_set_SSL_CTX(s, ctx_sni); +SSL_set_SSL_CTX(s, server_sni); return SSL_TLSEXT_ERR_OK; } @@ -658,6 +765,7 @@ return SSL_TLSEXT_ERR_OK; #ifdef EXPERIMENTAL_OCSP + /************************************************* * Callback to handle OCSP Stapling * *************************************************/ 
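Review bot: The SNI context is always configured with `optional` set to FALSE by `setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE, verify_callback_server)`, whereas tls_server_start() later in this diff chooses FALSE, TRUE or no setup_certs() call at all depending on tls_verify_hosts and tls_try_verify_hosts. If the verify mode of the new context takes effect after `SSL_set_SSL_CTX()` (which I cannot confirm from this page), a host in tls_try_verify_hosts, or in neither list, would be treated as mandatory-verify as soon as it sends SNI. Either pass the same decision that was made for `server_ctx`, or add a comment explaining why the hard-coded FALSE is harmless here. tls_servername_cb() starts outside this hunk.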
@@ -671,28 +779,158 @@ project. */ static int -tls_stapling_cb(SSL *s, void *arg) +tls_server_stapling_cb(SSL *s, void *arg) { const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg; uschar *response_der; int response_der_len; -DEBUG(D_tls) debug_printf("Received TLS status request (OCSP stapling); %s response.\n", - cbinfo->ocsp_response ? "have" : "lack"); -if (!cbinfo->ocsp_response) +if (log_extra_selector & LX_tls_cipher) + log_write(0, LOG_MAIN, "[%s] Recieved OCSP stapling req;%s responding", + sender_host_address, cbinfo->u_ocsp.server.response ? "":" not"); +else + DEBUG(D_tls) debug_printf("Received TLS status request (OCSP stapling); %s response.", + cbinfo->u_ocsp.server.response ? "have" : "lack"); + +if (!cbinfo->u_ocsp.server.response) return SSL_TLSEXT_ERR_NOACK; response_der = NULL; -response_der_len = i2d_OCSP_RESPONSE(cbinfo->ocsp_response, &response_der); +response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response, &response_der); if (response_der_len <= 0) return SSL_TLSEXT_ERR_NOACK; -SSL_set_tlsext_status_ocsp_resp(ssl, response_der, response_der_len); +SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len); return SSL_TLSEXT_ERR_OK; } -#endif /* EXPERIMENTAL_OCSP */ +static void +time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time) +{ +BIO_printf(bp, "\t%s: ", str); +ASN1_GENERALIZEDTIME_print(bp, time); +BIO_puts(bp, "\n"); +} + +static int +tls_client_stapling_cb(SSL *s, void *arg) +{ +tls_ext_ctx_cb * cbinfo = arg; +const unsigned char * p; +int len; +OCSP_RESPONSE * rsp; +OCSP_BASICRESP * bs; +int i; + +DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):"); +len = SSL_get_tlsext_status_ocsp_resp(s, &p); +if(!p) + { + if (log_extra_selector & LX_tls_cipher) + log_write(0, LOG_MAIN, "Received TLS status response, null content"); + else + DEBUG(D_tls) debug_printf(" null\n"); + return 0; /* This is the fail case for require-ocsp; none from server */ + } +if(!(rsp = 
d2i_OCSP_RESPONSE(NULL, &p, len))) + { + if (log_extra_selector & LX_tls_cipher) + log_write(0, LOG_MAIN, "Received TLS status response, parse error"); + else + DEBUG(D_tls) debug_printf(" parse error\n"); + return 0; + } + +if(!(bs = OCSP_response_get1_basic(rsp))) + { + if (log_extra_selector & LX_tls_cipher) + log_write(0, LOG_MAIN, "Received TLS status response, error parsing response"); + else + DEBUG(D_tls) debug_printf(" error parsing response\n"); + OCSP_RESPONSE_free(rsp); + return 0; + } + +/* We'd check the nonce here if we'd put one in the request. */ +/* However that would defeat cacheability on the server so we don't. */ + + +/* This section of code reworked from OpenSSL apps source; + The OpenSSL Project retains copyright: + Copyright (c) 1999 The OpenSSL Project. All rights reserved. +*/ + { + BIO * bp = NULL; + OCSP_CERTID *id; + int status, reason; + ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd; + + DEBUG(D_tls) bp = BIO_new_fp(stderr, BIO_NOCLOSE); + + /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */ + + /* Use the chain that verified the server cert to verify the stapled info */ + /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */ + + if ((i = OCSP_basic_verify(bs, NULL, cbinfo->u_ocsp.client.verify_store, 0)) <= 0) + { + BIO_printf(bp, "OCSP response verify failure\n"); + ERR_print_errors(bp); + i = 0; + goto out; + } + + BIO_printf(bp, "OCSP response well-formed and signed OK\n"); + + { + STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses; + OCSP_SINGLERESP * single; + + if (sk_OCSP_SINGLERESP_num(sresp) != 1) + { + log_write(0, LOG_MAIN, "OCSP stapling with multiple responses not handled"); + goto out; + } + single = OCSP_resp_get0(bs, 0); + status = OCSP_single_get0_status(single, &reason, &rev, &thisupd, &nextupd); + } + + i = 0; + DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd); + DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd); + if 
(!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE)) + { + DEBUG(D_tls) ERR_print_errors(bp); + log_write(0, LOG_MAIN, "Server OSCP dates invalid"); + goto out; + } + + DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n", OCSP_cert_status_str(status)); + switch(status) + { + case V_OCSP_CERTSTATUS_GOOD: + i = 1; + break; + case V_OCSP_CERTSTATUS_REVOKED: + log_write(0, LOG_MAIN, "Server certificate revoked%s%s", + reason != -1 ? "; reason: " : "", reason != -1 ? OCSP_crl_reason_str(reason) : ""); + DEBUG(D_tls) time_print(bp, "Revocation Time", rev); + i = 0; + break; + default: + log_write(0, LOG_MAIN, "Server certificate status unknown, in OCSP stapling"); + i = 0; + break; + } + out: + BIO_free(bp); + } + +OCSP_RESPONSE_free(rsp); +return i; +} +#endif /*EXPERIMENTAL_OCSP*/ @@ -708,18 +946,19 @@ Arguments: dhparam DH parameter file certificate certificate file privatekey private key + ocsp_file file of stapling info (server); flag for require ocsp (client) addr address if client; NULL if server (for some randomness) Returns: OK/DEFER/FAIL */ static int -tls_init(host_item *host, uschar *dhparam, uschar *certificate, +tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate, uschar *privatekey, #ifdef EXPERIMENTAL_OCSP uschar *ocsp_file, #endif - address_item *addr) + address_item *addr, tls_ext_ctx_cb ** cbp) { long init_options; int rc; @@ -730,7 +969,14 @@ cbinfo = store_malloc(sizeof(tls_ext_ctx_cb)); cbinfo->certificate = certificate; cbinfo->privatekey = privatekey; #ifdef EXPERIMENTAL_OCSP -cbinfo->ocsp_file = ocsp_file; +if ((cbinfo->is_server = host==NULL)) + { + cbinfo->u_ocsp.server.file = ocsp_file; + cbinfo->u_ocsp.server.file_expanded = NULL; + cbinfo->u_ocsp.server.response = NULL; + } +else + cbinfo->u_ocsp.client.verify_store = NULL; #endif cbinfo->dhparam = dhparam; cbinfo->host = host; 
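Review bot: tls_client_stapling_cb() fails open when the stapled response carries more than one SingleResponse: at the `sk_OCSP_SINGLERESP_num(sresp) != 1` check `i` still holds the positive result of OCSP_basic_verify(), so `goto out` returns success without any certificate status having been examined; move `i = 0;` above that check. The code also takes response 0 without comparing its certificate ID with the peer certificate (`OCSP_CERTID *id` is declared but never used), so as far as this hunk shows a validly signed "good" status for a different certificate would pass; the response should be matched to the server certificate before `status` is trusted. `bs` comes from OCSP_response_get1_basic() and is never released, so `OCSP_BASICRESP_free(bs);` belongs next to `OCSP_RESPONSE_free(rsp);`. `bp` stays NULL unless D_tls debugging is on, yet two BIO_printf() calls and one ERR_print_errors() call use it outside DEBUG(D_tls). In tls_server_stapling_cb() the response is attached to the global `server_ssl` rather than the callback's own `s`, the log text has the typo `Recieved`, and the debug_printf() lost its trailing `\n`.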
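Review bot: The argument list in the tls_init() header comment gains `ocsp_file` but not the two new parameters, `ctxp` and `cbp`. I would add `ctxp where to store the new SSL_CTX` at the top of the list and `cbp where to store the callback state block` at the end, matching what `*ctxp = SSL_CTX_new(...)` and `*cbp = cbinfo;` do in later hunks. The comment block starts above this hunk.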
@@ -752,10 +998,10 @@ when OpenSSL is built without SSLv2 support. By disabling with openssl_options, we can let admins re-enable with the existing knob. */ -ctx = SSL_CTX_new((host == NULL)? +*ctxp = SSL_CTX_new((host == NULL)? SSLv23_server_method() : SSLv23_client_method()); -if (ctx == NULL) return tls_error(US"SSL_CTX_new", host, NULL); +if (*ctxp == NULL) return tls_error(US"SSL_CTX_new", host, NULL); /* It turns out that we need to seed the random number generator this early in order to get the full complement of ciphers to work. It took me roughly a day @@ -783,10 +1029,10 @@ if (!RAND_status()) /* Set up the information callback, which outputs if debugging is at a suitable level. */ -SSL_CTX_set_info_callback(ctx, (void (*)())info_callback); +SSL_CTX_set_info_callback(*ctxp, (void (*)())info_callback); /* Automatically re-try reads/writes after renegotiation. */ -(void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); +(void) SSL_CTX_set_mode(*ctxp, SSL_MODE_AUTO_RETRY); /* Apply administrator-supplied work-arounds. Historically we applied just one requested option, @@ -804,7 +1050,7 @@ if (!okay) if (init_options) { DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options); - if (!(SSL_CTX_set_options(ctx, init_options))) + if (!(SSL_CTX_set_options(*ctxp, init_options))) return tls_error(string_sprintf( "SSL_CTX_set_option(%#lx)", init_options), host, NULL); } 
@@ -813,45 +1059,58 @@ else /* Initialize with DH parameters if supplied */ -if (!init_dh(ctx, dhparam, host)) return DEFER; +if (!init_dh(*ctxp, dhparam, host)) return DEFER; /* Set up certificate and key (and perhaps OCSP info) */ -rc = tls_expand_session_files(ctx, cbinfo); +rc = tls_expand_session_files(*ctxp, cbinfo); if (rc != OK) return rc; /* If we need to handle SNI, do so */ #ifdef EXIM_HAVE_OPENSSL_TLSEXT -if (host == NULL) +if (host == NULL) /* server */ { -#ifdef EXPERIMENTAL_OCSP - /* We check ocsp_file, not ocsp_response, because we care about if +# ifdef EXPERIMENTAL_OCSP + /* We check u_ocsp.server.file, not server.response, because we care about if the option exists, not what the current expansion might be, as SNI might change the certificate and OCSP file in use between now and the time the callback is invoked. */ - if (cbinfo->ocsp_file) + if (cbinfo->u_ocsp.server.file) { - SSL_CTX_set_tlsext_status_cb(ctx, tls_stapling_cb); - SSL_CTX_set_tlsext_status_arg(ctx, cbinfo); + SSL_CTX_set_tlsext_status_cb(server_ctx, tls_server_stapling_cb); + SSL_CTX_set_tlsext_status_arg(server_ctx, cbinfo); } -#endif +# endif /* We always do this, so that $tls_sni is available even if not used in tls_certificate */ - SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb); - SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo); + SSL_CTX_set_tlsext_servername_callback(*ctxp, tls_servername_cb); + SSL_CTX_set_tlsext_servername_arg(*ctxp, cbinfo); } +# ifdef EXPERIMENTAL_OCSP +else /* client */ + if(ocsp_file) /* wanting stapling */ + { + if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new())) + { + DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n"); + return FAIL; + } + SSL_CTX_set_tlsext_status_cb(*ctxp, tls_client_stapling_cb); + SSL_CTX_set_tlsext_status_arg(*ctxp, cbinfo); + } +# endif #endif /* Set up the RSA callback */ -SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback); +SSL_CTX_set_tmp_rsa_callback(*ctxp, rsa_callback); /* 
Finally, set the timeout, and we are done */ -SSL_CTX_set_timeout(ctx, ssl_session_timeout); +SSL_CTX_set_timeout(*ctxp, ssl_session_timeout); DEBUG(D_tls) debug_printf("Initialized TLS\n"); -static_cbinfo = cbinfo; +*cbp = cbinfo; return OK; } @@ -863,17 +1122,17 @@ return OK; * Get name of cipher in use * *************************************************/ -/* The answer is left in a static buffer, and tls_cipher is set to point -to it. - +/* Argument: pointer to an SSL structure for the connection + buffer to use for answer + size of buffer + pointer to number of bits for cipher Returns: nothing */ static void -construct_cipher_name(SSL *ssl) +construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits) { -static uschar cipherbuf[256]; /* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't yet reflect that. It should be a safe change anyway, even 0.9.8 versions have the accessor functions use const in the prototype. */ @@ -911,11 +1170,10 @@ switch (ssl->session->ssl_version) } c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl); -SSL_CIPHER_get_bits(c, &tls_bits); +SSL_CIPHER_get_bits(c, bits); -string_format(cipherbuf, sizeof(cipherbuf), "%s:%s:%u", ver, - SSL_CIPHER_get_name(c), tls_bits); -tls_cipher = cipherbuf; +string_format(cipherbuf, bsize, "%s:%s:%u", ver, + SSL_CIPHER_get_name(c), *bits); DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf); } 
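Review bot: In the server branch the stapling callback is registered on the global `server_ctx` (`SSL_CTX_set_tlsext_status_cb(server_ctx, tls_server_stapling_cb);` and the matching `SSL_CTX_set_tlsext_status_arg(server_ctx, cbinfo);`), while every other call in tls_init() uses `*ctxp`. This works only because tls_server_start() passes `&server_ctx`; use `*ctxp` in both lines so the function does not depend on its caller. In the client branch, `return FAIL;` after a failed `X509_STORE_new()` leaves the SSL_CTX just stored in `*ctxp` and the store_malloc'd `cbinfo` allocated. Nothing visible calls X509_STORE_free() on `verify_store` either; a cleanup path, if one exists, is outside this hunk.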
@@ -937,19 +1195,21 @@ Arguments: host NULL in a server; the remote host in a client optional TRUE if called from a server for a host in tls_try_verify_hosts; otherwise passed as FALSE + cert_vfy_cb Callback function for certificate verification Returns: OK/DEFER/FAIL */ static int -setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional) +setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional, + int (*cert_vfy_cb)(int, X509_STORE_CTX *) ) { uschar *expcerts, *expcrl; if (!expand_check(certs, US"tls_verify_certificates", &expcerts)) return DEFER; -if (expcerts != NULL) +if (expcerts != NULL && *expcerts != '\0') { struct stat statbuf; if (!SSL_CTX_set_default_verify_paths(sctx)) @@ -1041,7 +1301,7 @@ if (expcerts != NULL) SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT), - verify_callback); + cert_vfy_cb); } return OK; @@ -1072,10 +1332,11 @@ tls_server_start(const uschar *require_ciphers) int rc; uschar *expciphers; tls_ext_ctx_cb *cbinfo; +static uschar cipherbuf[256]; /* Check for previous activation */ -if (tls_active >= 0) +if (tls_in.active >= 0) { tls_error(US"STARTTLS received after TLS started", NULL, US""); smtp_printf("554 Already in TLS\r\n"); @@ -1085,13 +1346,13 @@ if (tls_active >= 0) /* Initialize the SSL library. If it fails, it will already have logged the error. */ -rc = tls_init(NULL, tls_dhparam, tls_certificate, tls_privatekey, +rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey, #ifdef EXPERIMENTAL_OCSP tls_ocsp_file, #endif - NULL); + NULL, &server_static_cbinfo); if (rc != OK) return rc; -cbinfo = static_cbinfo; +cbinfo = server_static_cbinfo; if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers)) return FAIL; 
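Review bot: With the added `*expcerts != '\0'` test in setup_certs(), a `tls_verify_certificates` value that expands to an empty string now skips the whole block, and the function still returns OK. Judging by the next hunk, the `SSL_CTX_set_verify()` call sits at the end of that block, so for a caller that asked for mandatory verification (`optional` FALSE) no peer certificate would be requested and the session would proceed unverified with no log line. If that is intended, say so in the header comment, for example `An empty expansion of certs disables verification.`; otherwise log it, or return an error when `optional` is FALSE. Most of the function body lies between this hunk and the next and is not shown.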
@@ -1106,7 +1367,7 @@ if (expciphers != NULL) uschar *s = expciphers; while (*s != 0) { if (*s == '_') *s = '-'; s++; } DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers); - if (!SSL_CTX_set_cipher_list(ctx, CS expciphers)) + if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers)) return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL); cbinfo->server_cipher_list = expciphers; } @@ -1114,25 +1375,27 @@ if (expciphers != NULL) /* If this is a host for which certificate verification is mandatory or optional, set up appropriately. */ -tls_certificate_verified = FALSE; -verify_callback_called = FALSE; +tls_in.certificate_verified = FALSE; +server_verify_callback_called = FALSE; if (verify_check_host(&tls_verify_hosts) == OK) { - rc = setup_certs(ctx, tls_verify_certificates, tls_crl, NULL, FALSE); + rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL, + FALSE, verify_callback_server); if (rc != OK) return rc; - verify_optional = FALSE; + server_verify_optional = FALSE; } else if (verify_check_host(&tls_try_verify_hosts) == OK) { - rc = setup_certs(ctx, tls_verify_certificates, tls_crl, NULL, TRUE); + rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL, + TRUE, verify_callback_server); if (rc != OK) return rc; - verify_optional = TRUE; + server_verify_optional = TRUE; } /* Prepare for new connection */ -if ((ssl = SSL_new(ctx)) == NULL) return tls_error(US"SSL_new", NULL, NULL); +if ((server_ssl = SSL_new(server_ctx)) == NULL) return tls_error(US"SSL_new", NULL, NULL); /* Warning: we used to SSL_clear(ssl) here, it was removed. * 
@@ -1153,8 +1416,8 @@ make them disconnect. We need to have an explicit fflush() here, to force out the response. Other smtp_printf() calls do not need it, because in non-TLS mode, the fflush() happens when smtp_getc() is called. */ -SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx)); -if (!tls_on_connect) +SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx)); +if (!tls_in.on_connect) { smtp_printf("220 TLS go ahead\r\n"); fflush(smtp_out); @@ -1163,15 +1426,15 @@ if (!tls_on_connect) /* Now negotiate the TLS session. We put our own timer on it, since it seems that the OpenSSL library doesn't. */ -SSL_set_wfd(ssl, fileno(smtp_out)); -SSL_set_rfd(ssl, fileno(smtp_in)); -SSL_set_accept_state(ssl); +SSL_set_wfd(server_ssl, fileno(smtp_out)); +SSL_set_rfd(server_ssl, fileno(smtp_in)); +SSL_set_accept_state(server_ssl); DEBUG(D_tls) debug_printf("Calling SSL_accept\n"); sigalrm_seen = FALSE; if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout); -rc = SSL_accept(ssl); +rc = SSL_accept(server_ssl); alarm(0); if (rc <= 0) @@ -1188,16 +1451,22 @@ DEBUG(D_tls) debug_printf("SSL_accept was successful\n"); /* TLS has been set up. Adjust the input functions to read via TLS, and initialize things. */ -construct_cipher_name(ssl); +construct_cipher_name(server_ssl, cipherbuf, sizeof(cipherbuf), &tls_in.bits); +tls_in.cipher = cipherbuf; DEBUG(D_tls) { uschar buf[2048]; - if (SSL_get_shared_ciphers(ssl, CS buf, sizeof(buf)) != NULL) + if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)) != NULL) debug_printf("Shared ciphers: %s\n", buf); } +/* Only used by the server-side tls (tls_in), including tls_getc. + Client-side (tls_out) reads (seem to?) go via + smtp_read_response()/ip_recv(). + Hence no need to duplicate for _in and _out. + */ ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size); ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0; ssl_xfer_eof = ssl_xfer_error = 0; 
@@ -1208,7 +1477,7 @@ receive_feof = tls_feof; receive_ferror = tls_ferror; receive_smtp_buffered = tls_smtp_buffered; -tls_active = fileno(smtp_out); +tls_in.active = fileno(smtp_out); return OK; } @@ -1226,7 +1495,6 @@ Argument: fd the fd of the connection host connected host (for messages) addr the first address - dhparam DH parameter file certificate certificate file privatekey private key file sni TLS SNI to send to remote host @@ -1243,25 +1511,34 @@ Returns: OK on success */ int -tls_client_start(int fd, host_item *host, address_item *addr, uschar *dhparam, +tls_client_start(int fd, host_item *host, address_item *addr, uschar *certificate, uschar *privatekey, uschar *sni, uschar *verify_certs, uschar *crl, - uschar *require_ciphers, int dh_min_bits ARG_UNUSED, int timeout) + uschar *require_ciphers, +#ifdef EXPERIMENTAL_OCSP + uschar *hosts_require_ocsp, +#endif + int dh_min_bits ARG_UNUSED, int timeout) { static uschar txt[256]; uschar *expciphers; X509* server_cert; int rc; +static uschar cipherbuf[256]; +#ifdef EXPERIMENTAL_OCSP +BOOL require_ocsp = verify_check_this_host(&hosts_require_ocsp, + NULL, host->name, host->address, NULL) == OK; +#endif -rc = tls_init(host, dhparam, certificate, privatekey, +rc = tls_init(&client_ctx, host, NULL, certificate, privatekey, #ifdef EXPERIMENTAL_OCSP - NULL, + require_ocsp ? US"" : NULL, #endif - addr); + addr, &client_static_cbinfo); if (rc != OK) return rc; -tls_certificate_verified = FALSE; -verify_callback_called = FALSE; +tls_out.certificate_verified = FALSE; +client_verify_callback_called = FALSE; if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers)) return FAIL; 
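Review bot: The header comment of tls_client_start() drops `dhparam` but does not document the new `hosts_require_ocsp` parameter; add a line such as `hosts_require_ocsp hosts for which a stapled OCSP response is required (EXPERIMENTAL_OCSP only)`. The tls_init() call also deserves a comment, because `require_ocsp ? US"" : NULL` passes an empty string through the `ocsp_file` parameter purely as a boolean and is easy to misread as a filename. Each call stores a fresh context and state block in `client_ctx` and `client_static_cbinfo`. Whether the previous ones are released is not visible here, so confirm that a process making several outbound TLS connections does not accumulate them.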
@@ -1275,43 +1552,54 @@ if (expciphers != NULL) uschar *s = expciphers; while (*s != 0) { if (*s == '_') *s = '-'; s++; } DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers); - if (!SSL_CTX_set_cipher_list(ctx, CS expciphers)) + if (!SSL_CTX_set_cipher_list(client_ctx, CS expciphers)) return tls_error(US"SSL_CTX_set_cipher_list", host, NULL); } -rc = setup_certs(ctx, verify_certs, crl, host, FALSE); +rc = setup_certs(client_ctx, verify_certs, crl, host, FALSE, verify_callback_client); if (rc != OK) return rc; -if ((ssl = SSL_new(ctx)) == NULL) return tls_error(US"SSL_new", host, NULL); -SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx)); -SSL_set_fd(ssl, fd); -SSL_set_connect_state(ssl); +if ((client_ssl = SSL_new(client_ctx)) == NULL) return tls_error(US"SSL_new", host, NULL); +SSL_set_session_id_context(client_ssl, sid_ctx, Ustrlen(sid_ctx)); +SSL_set_fd(client_ssl, fd); +SSL_set_connect_state(client_ssl); if (sni) { - if (!expand_check(sni, US"tls_sni", &tls_sni)) + if (!expand_check(sni, US"tls_sni", &tls_out.sni)) return FAIL; - if (!Ustrlen(tls_sni)) - tls_sni = NULL; + if (tls_out.sni == NULL) + { + DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n"); + } + else if (!Ustrlen(tls_out.sni)) + tls_out.sni = NULL; else { #ifdef EXIM_HAVE_OPENSSL_TLSEXT - DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tls_sni); - SSL_set_tlsext_host_name(ssl, tls_sni); + DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tls_out.sni); + SSL_set_tlsext_host_name(client_ssl, tls_out.sni); #else DEBUG(D_tls) debug_printf("OpenSSL at build-time lacked SNI support, ignoring \"%s\"\n", - tls_sni); + tls_out.sni); #endif } } +#ifdef EXPERIMENTAL_OCSP +/* Request certificate status at connection-time. If the server +does OCSP stapling we will get the callback (set in tls_init()) */ +if (require_ocsp) + SSL_set_tlsext_status_type(client_ssl, TLSEXT_STATUSTYPE_ocsp); +#endif + /* There doesn't seem to be a built-in timeout on connection. 
*/ DEBUG(D_tls) debug_printf("Calling SSL_connect\n"); sigalrm_seen = FALSE; alarm(timeout); -rc = SSL_connect(ssl); +rc = SSL_connect(client_ssl); alarm(0); if (rc <= 0) @@ -1320,19 +1608,20 @@ if (rc <= 0) DEBUG(D_tls) debug_printf("SSL_connect succeeded\n"); /* Beware anonymous ciphers which lead to server_cert being NULL */ -server_cert = SSL_get_peer_certificate (ssl); +server_cert = SSL_get_peer_certificate (client_ssl); if (server_cert) { - tls_peerdn = US X509_NAME_oneline(X509_get_subject_name(server_cert), + tls_out.peerdn = US X509_NAME_oneline(X509_get_subject_name(server_cert), CS txt, sizeof(txt)); - tls_peerdn = txt; + tls_out.peerdn = txt; } else - tls_peerdn = NULL; + tls_out.peerdn = NULL; -construct_cipher_name(ssl); /* Sets tls_cipher */ +construct_cipher_name(client_ssl, cipherbuf, sizeof(cipherbuf), &tls_out.bits); +tls_out.cipher = cipherbuf; -tls_active = fd; +tls_out.active = fd; return OK; } @@ -1349,6 +1638,8 @@ it refills the buffer via the SSL reading function. Arguments: none Returns: the next character or EOF + +Only used by the server-side TLS. */ int @@ -1359,12 +1650,12 @@ if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm) int error; int inbytes; - DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl, + DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl, ssl_xfer_buffer, ssl_xfer_buffer_size); if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout); - inbytes = SSL_read(ssl, CS ssl_xfer_buffer, ssl_xfer_buffer_size); - error = SSL_get_error(ssl, inbytes); + inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer, ssl_xfer_buffer_size); + error = SSL_get_error(server_ssl, inbytes); alarm(0); /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been 
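Review bot: The result of `SSL_set_tlsext_status_type(client_ssl, TLSEXT_STATUSTYPE_ocsp)` in the -1275 hunk is ignored, so when require_ocsp is set and the call fails the handshake proceeds without a status request. Whether the callback installed in tls_init() then rejects a missing response is not visible here; checking the call removes that dependency: `if (require_ocsp && !SSL_set_tlsext_status_type(client_ssl, TLSEXT_STATUSTYPE_ocsp)) return tls_error(US"SSL_set_tlsext_status_type", host, NULL);`. The `SSL_set_tlsext_host_name()` call a few lines earlier is unchecked in the same way. The new block is guarded by EXPERIMENTAL_OCSP only, while the SNI call next to it is guarded by EXIM_HAVE_OPENSSL_TLSEXT; confirm that the two macros cannot disagree.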
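Review bot: `server_cert` from SSL_get_peer_certificate() is never released on the path shown in the -1320 hunk, and that call returns a new reference, so each successful client handshake leaks one X509 object. Add `X509_free(server_cert);` inside the `if (server_cert)` branch once the subject has been copied into `txt`. The first `tls_out.peerdn = US X509_NAME_oneline(...)` assignment is overwritten at once by `tls_out.peerdn = txt;`, so one of the two can go. A NULL certificate (anonymous cipher) is accepted here with peerdn left NULL, so any policy that needs an authenticated peer has to be enforced elsewhere.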
@@ -1381,13 +1672,13 @@ if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm) receive_ferror = smtp_ferror; receive_smtp_buffered = smtp_buffered; - SSL_free(ssl); - ssl = NULL; - tls_active = -1; - tls_bits = 0; - tls_cipher = NULL; - tls_peerdn = NULL; - tls_sni = NULL; + SSL_free(server_ssl); + server_ssl = NULL; + tls_in.active = -1; + tls_in.bits = 0; + tls_in.cipher = NULL; + tls_in.peerdn = NULL; + tls_in.sni = NULL; return smtp_getc(); } @@ -1434,11 +1725,14 @@ Arguments: Returns: the number of bytes read -1 after a failed read + +Only used by the client-side TLS. */ int -tls_read(uschar *buff, size_t len) +tls_read(BOOL is_server, uschar *buff, size_t len) { +SSL *ssl = is_server ? server_ssl : client_ssl; int inbytes; int error; @@ -1471,19 +1765,23 @@ return inbytes; /* Arguments: + is_server channel specifier buff buffer of data len number of bytes Returns: the number of bytes after a successful write, -1 after a failed write + +Used by both server-side and client-side TLS. */ int -tls_write(const uschar *buff, size_t len) +tls_write(BOOL is_server, const uschar *buff, size_t len) { int outbytes; int error; int left = len; +SSL *ssl = is_server ? server_ssl : client_ssl; DEBUG(D_tls) debug_printf("tls_do_write(%p, %d)\n", buff, left); while (left > 0) @@ -1508,6 +1806,11 @@ while (left > 0) log_write(0, LOG_MAIN, "SSL channel closed on write"); return -1; + case SSL_ERROR_SYSCALL: + log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s", + sender_fullhost ? sender_fullhost : US"", + strerror(errno)); + default: log_write(0, LOG_MAIN, "SSL_write error %d", error); return -1; 
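Review bot: The comment added to tls_read() in the -1434 hunk says "Only used by the client-side TLS", yet the new signature takes `is_server` and selects `server_ssl` when it is true, and the Arguments list above the hunk apparently gains no `is_server` entry, whereas tls_write() in the next hunk does get one. Document the parameter the same way, `is_server   channel specifier`, or state why the server branch exists. On the lines shown neither tls_read() nor tls_write() checks that the selected `ssl` is non-NULL before using it, unlike tls_close(), which returns early when the side is inactive; both bodies continue outside the hunks, so confirm there.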
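Review bot: The new `case SSL_ERROR_SYSCALL:` in the -1508 hunk has no `return` or `break`, so it falls into `default:` and every syscall failure is logged twice, the second time as "SSL_write error %d". If the double entry is unintended, end the case with `return -1;`; if it is intended, mark it with `/* fall through */`. `strerror(errno)` is evaluated after other calls have presumably run since the write, so errno may no longer belong to SSL_write(); saving it immediately after the write would be more reliable, though that line is outside this hunk. The "(from %s)" text prints sender_fullhost, which may not describe the peer when `is_server` is false.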
@@ -1528,23 +1831,28 @@ would tamper with the SSL session in the parent process). Arguments: TRUE if SSL_shutdown is to be called Returns: nothing + +Used by both server-side and client-side TLS. */ void -tls_close(BOOL shutdown) +tls_close(BOOL is_server, BOOL shutdown) { -if (tls_active < 0) return; /* TLS was not active */ +SSL **sslp = is_server ? &server_ssl : &client_ssl; +int *fdp = is_server ? &tls_in.active : &tls_out.active; + +if (*fdp < 0) return; /* TLS was not active */ if (shutdown) { DEBUG(D_tls) debug_printf("tls_close(): shutting down SSL\n"); - SSL_shutdown(ssl); + SSL_shutdown(*sslp); } -SSL_free(ssl); -ssl = NULL; +SSL_free(*sslp); +*sslp = NULL; -tls_active = -1; +*fdp = -1; } @@ -1662,12 +1970,26 @@ vaguely_random_number(int max) { unsigned int r; int i, needed_len; +static pid_t pidlast = 0; +pid_t pidnow; uschar *p; uschar smallbuf[sizeof(r)]; if (max <= 1) return 0; +pidnow = getpid(); +if (pidnow != pidlast) + { + /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state + is unique for each thread", this doesn't apparently apply across processes, + so our own warning from vaguely_random_number_fallback() applies here too. + Fix per PostgreSQL. */ + if (pidlast != 0) + RAND_cleanup(); + pidlast = pidnow; + } + /* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */ if (!RAND_status()) {
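Review bot: tls_close() in the -1528 hunk resets only the SSL pointer and the `active` fd of the selected side, while the close path in tls_getc() (hunk at -1381) also clears `bits`, `cipher`, `peerdn` and `sni`. With separate tls_in and tls_out state, values from a closed connection stay in the structure until the next start call; if nothing reads them after the close, clear them here as well, otherwise say in the header comment that they are kept deliberately. The Arguments list still describes only the shutdown flag and needs an entry such as `is_server   TRUE for the server (inbound) side, FALSE for the client side`.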
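Review bot: The fork check in the -1662 hunk only fires when `pidlast` is non-zero, so a child forked before its parent's first call to vaguely_random_number() is not detected and skips RAND_cleanup(), even if the parent had already used the OpenSSL PRNG, for example during a handshake. Whether Exim forks in that state is not visible from this hunk; at minimum record the limitation in the comment, e.g. `/* pidlast == 0: first call in this process image; a fork before it is not detected */`. RAND_cleanup() is deprecated and does nothing from OpenSSL 1.1.0 on, so this path should not be relied on for reseeding with newer libraries. The function body continues past the end of the hunk.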