summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/src/readconf.c4
-rw-r--r--src/src/tls-gnu.c82
-rw-r--r--src/src/tls-openssl.c144
3 files changed, 182 insertions, 48 deletions
diff --git a/src/src/readconf.c b/src/src/readconf.c
index ba4cb668b..375f01a1a 100644
--- a/src/src/readconf.c
+++ b/src/src/readconf.c
@@ -2963,8 +2963,8 @@ if ( !tls_advertise_hosts
)
return TRUE;
else if (!nowarn && !tls_certificate)
- log_write(0, LOG_MAIN|LOG_PANIC,
- "Warning: No server certificate defined; TLS connections will fail.\n"
+ log_write(0, LOG_MAIN,
+ "Warning: No server certificate defined; will use a selfsigned one.\n"
" Suggested action: either install a certificate or change tls_advertise_hosts option");
oldsignal = signal(SIGCHLD, SIG_DFL);
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 316906517..522bb9026 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -709,6 +709,70 @@ return OK;
+/* Create and install a selfsigned certificate, for use in server mode */
+
+static int
+tls_install_selfsign(exim_gnutls_state_st * state)
+{
+gnutls_x509_crt_t cert = NULL;
+time_t now;
+gnutls_x509_privkey_t pkey = NULL;
+const uschar * where;
+int rc;
+
+where = US"initialising pkey";
+if ((rc = gnutls_x509_privkey_init(&pkey))) goto err;
+
+where = US"initialising cert";
+if ((rc = gnutls_x509_crt_init(&cert))) goto err;
+
+where = US"generating pkey";
+if ((rc = gnutls_x509_privkey_generate(pkey, GNUTLS_PK_RSA,
+ gnutls_sec_param_to_pk_bits(GNUTLS_PK_RSA, GNUTLS_SEC_PARAM_LOW),
+ 0))) /* _to_pk_bits() Since: 2.12.0 */
+ goto err;
+
+where = US"configuring cert";
+now = 0;
+if ( (rc = gnutls_x509_crt_set_version(cert, 3))
+ || (rc = gnutls_x509_crt_set_serial(cert, &now, sizeof(now)))
+ || (rc = gnutls_x509_crt_set_activation_time(cert, now = time(NULL)))
+ || (rc = gnutls_x509_crt_set_expiration_time(cert, now + 60 * 60)) /* 1 hr */
+ || (rc = gnutls_x509_crt_set_key(cert, pkey))
+
+ || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
+ GNUTLS_OID_X520_COUNTRY_NAME, 0, "UK", 2))
+ || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
+ GNUTLS_OID_X520_ORGANIZATION_NAME, 0, "Exim Developers", 15))
+ || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
+ GNUTLS_OID_X520_COMMON_NAME, 0,
+ smtp_active_hostname, Ustrlen(smtp_active_hostname)))
+ )
+ goto err;
+
+where = US"signing cert";
+if ((rc = gnutls_x509_crt_sign(cert, cert, pkey))) goto err;
+
+where = US"installing selfsign cert";
+ /* Since: 2.4.0 */
+if ((rc = gnutls_certificate_set_x509_key(state->x509_cred, &cert, 1, pkey)))
+ goto err;
+
+rc = OK;
+
+out:
+ if (cert) gnutls_x509_crt_deinit(cert);
+ if (pkey) gnutls_x509_privkey_deinit(pkey);
+ return rc;
+
+err:
+ rc = tls_error(where, gnutls_strerror(rc), NULL);
+ goto out;
+}
+
+
+
+
/*************************************************
* Variables re-expanded post-SNI *
*************************************************/
@@ -741,7 +805,6 @@ int cert_count;
/* We check for tls_sni *before* expansion. */
if (!host) /* server */
- {
if (!state->received_sni)
{
if (state->tls_certificate &&
@@ -762,7 +825,6 @@ if (!host) /* server */
saved_tls_verify_certificates = state->exp_tls_verify_certificates;
saved_tls_crl = state->exp_tls_crl;
}
- }
rc = gnutls_certificate_allocate_credentials(&state->x509_cred);
exim_gnutls_err_check(US"gnutls_certificate_allocate_credentials");
@@ -779,14 +841,13 @@ if (!expand_check_tlsvar(tls_certificate))
/* certificate is mandatory in server, optional in client */
-if ((state->exp_tls_certificate == NULL) ||
- (*state->exp_tls_certificate == '\0'))
- {
+if ( !state->exp_tls_certificate
+ || !*state->exp_tls_certificate
+ )
if (!host)
- return tls_error(US"no TLS server certificate is specified", NULL, NULL);
+ return tls_install_selfsign(state);
else
DEBUG(D_tls) debug_printf("TLS: no client certificate specified; okay\n");
- }
if (state->tls_privatekey && !expand_check_tlsvar(tls_privatekey))
return DEFER;
@@ -806,9 +867,9 @@ if (state->exp_tls_certificate && *state->exp_tls_certificate)
state->exp_tls_certificate, state->exp_tls_privatekey);
if (state->received_sni)
- {
- if ((Ustrcmp(state->exp_tls_certificate, saved_tls_certificate) == 0) &&
- (Ustrcmp(state->exp_tls_privatekey, saved_tls_privatekey) == 0))
+ if ( Ustrcmp(state->exp_tls_certificate, saved_tls_certificate) == 0
+ && Ustrcmp(state->exp_tls_privatekey, saved_tls_privatekey) == 0
+ )
{
DEBUG(D_tls) debug_printf("TLS SNI: cert and key unchanged\n");
}
@@ -816,7 +877,6 @@ if (state->exp_tls_certificate && *state->exp_tls_certificate)
{
DEBUG(D_tls) debug_printf("TLS SNI: have a changed cert/key pair.\n");
}
- }
rc = gnutls_certificate_set_x509_key_file(state->x509_cred,
CS state->exp_tls_certificate, CS state->exp_tls_privatekey,
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 6036bce52..c24eb4544 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -214,7 +214,7 @@ Returns: OK/DEFER/FAIL
*/
static int
-tls_error(uschar * prefix, const host_item * host, uschar * msg)
+tls_error(uschar * prefix, const host_item * host, uschar * msg)
{
if (!msg)
{
@@ -273,8 +273,7 @@ if ( !BN_set_word(bn, (unsigned long)RSA_F4)
|| !RSA_generate_key_ex(rsa_key, keylength, bn, NULL)
)
#else
-rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL);
-if (rsa_key == NULL)
+if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL)))
#endif
{
@@ -915,6 +914,73 @@ return;
+/* Create and install a selfsigned certificate, for use in server mode */
+
+static int
+tls_install_selfsign(SSL_CTX * sctx)
+{
+X509 * x509 = NULL;
+EVP_PKEY * pkey;
+RSA * rsa;
+X509_NAME * name;
+uschar * where;
+
+where = US"allocating pkey";
+if (!(pkey = EVP_PKEY_new()))
+ goto err;
+
+where = US"allocating cert";
+if (!(x509 = X509_new()))
+ goto err;
+
+where = US"generating pkey";
+ /* deprecated, use RSA_generate_key_ex() */
+if (!(rsa = RSA_generate_key(1024, RSA_F4, NULL, NULL)))
+ goto err;
+
+where = US"assiging pkey";
+if (!EVP_PKEY_assign_RSA(pkey, rsa))
+ goto err;
+
+X509_set_version(x509, 2); /* N+1 - version 3 */
+ASN1_INTEGER_set(X509_get_serialNumber(x509), 0);
+X509_gmtime_adj(X509_get_notBefore(x509), 0);
+X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60); /* 1 hour */
+X509_set_pubkey(x509, pkey);
+
+name = X509_get_subject_name(x509);
+X509_NAME_add_entry_by_txt(name, "C",
+ MBSTRING_ASC, "UK", -1, -1, 0);
+X509_NAME_add_entry_by_txt(name, "O",
+ MBSTRING_ASC, "Exim Developers", -1, -1, 0);
+X509_NAME_add_entry_by_txt(name, "CN",
+ MBSTRING_ASC, CS smtp_active_hostname, -1, -1, 0);
+X509_set_issuer_name(x509, name);
+
+where = US"signing cert";
+if (!X509_sign(x509, pkey, EVP_md5()))
+ goto err;
+
+where = US"installing selfsign cert";
+if (!SSL_CTX_use_certificate(sctx, x509))
+ goto err;
+
+where = US"installing selfsign key";
+if (!SSL_CTX_use_PrivateKey(sctx, pkey))
+ goto err;
+
+return OK;
+
+err:
+ (void) tls_error(where, NULL, NULL);
+ if (x509) X509_free(x509);
+ if (pkey) EVP_PKEY_free(pkey);
+ return DEFER;
+}
+
+
+
+
/*************************************************
* Expand key and cert file specs *
*************************************************/
@@ -935,41 +1001,49 @@ tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo)
{
uschar *expanded;
-if (cbinfo->certificate == NULL)
- return OK;
-
-if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
- Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
- Ustrstr(cbinfo->certificate, US"tls_out_sni")
- )
- reexpand_tls_files_for_sni = TRUE;
-
-if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded))
- return DEFER;
-
-if (expanded != NULL)
+if (!cbinfo->certificate)
{
- DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded);
- if (!SSL_CTX_use_certificate_chain_file(sctx, CS expanded))
- return tls_error(string_sprintf(
- "SSL_CTX_use_certificate_chain_file file=%s", expanded),
- cbinfo->host, NULL);
+ if (cbinfo->host) /* client */
+ return OK;
+ /* server */
+ if (tls_install_selfsign(sctx) != OK)
+ return DEFER;
}
+else
+ {
+ if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
+ Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
+ Ustrstr(cbinfo->certificate, US"tls_out_sni")
+ )
+ reexpand_tls_files_for_sni = TRUE;
-if (cbinfo->privatekey != NULL &&
- !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded))
- return DEFER;
+ if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded))
+ return DEFER;
-/* If expansion was forced to fail, key_expanded will be NULL. If the result
-of the expansion is an empty string, ignore it also, and assume the private
-key is in the same file as the certificate. */
+ if (expanded != NULL)
+ {
+ DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded);
+ if (!SSL_CTX_use_certificate_chain_file(sctx, CS expanded))
+ return tls_error(string_sprintf(
+ "SSL_CTX_use_certificate_chain_file file=%s", expanded),
+ cbinfo->host, NULL);
+ }
-if (expanded && *expanded)
- {
- DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
- if (!SSL_CTX_use_PrivateKey_file(sctx, CS expanded, SSL_FILETYPE_PEM))
- return tls_error(string_sprintf(
- "SSL_CTX_use_PrivateKey_file file=%s", expanded), cbinfo->host, NULL);
+ if (cbinfo->privatekey != NULL &&
+ !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded))
+ return DEFER;
+
+ /* If expansion was forced to fail, key_expanded will be NULL. If the result
+ of the expansion is an empty string, ignore it also, and assume the private
+ key is in the same file as the certificate. */
+
+ if (expanded && *expanded)
+ {
+ DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
+ if (!SSL_CTX_use_PrivateKey_file(sctx, CS expanded, SSL_FILETYPE_PEM))
+ return tls_error(string_sprintf(
+ "SSL_CTX_use_PrivateKey_file file=%s", expanded), cbinfo->host, NULL);
+ }
}
#ifndef DISABLE_OCSP
@@ -1429,8 +1503,8 @@ if ( !init_dh(*ctxp, dhparam, host)
/* Set up certificate and key (and perhaps OCSP info) */
-rc = tls_expand_session_files(*ctxp, cbinfo);
-if (rc != OK) return rc;
+if ((rc = tls_expand_session_files(*ctxp, cbinfo)) != OK)
+ return rc;
/* If we need to handle SNI, do so */
#ifdef EXIM_HAVE_OPENSSL_TLSEXT