1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2009 */
6 /* See the file NOTICE for conditions of use and distribution. */
8 /* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
9 library. It is #included into the tls.c file when that library is used. The
10 code herein is based on a patch that was originally contributed by Steve
11 Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
13 No cryptographic code is included in Exim. All this module does is to call
14 functions from the OpenSSL library. */
19 #include <openssl/lhash.h>
20 #include <openssl/ssl.h>
21 #include <openssl/err.h>
22 #include <openssl/rand.h>
24 /* Structure for collecting random data for seeding. */
26 typedef struct randstuff {
31 /* Local static variables */
33 static BOOL verify_callback_called = FALSE;
34 static const uschar *sid_ctx = US"exim";
36 static SSL_CTX *ctx = NULL;
37 static SSL *ssl = NULL;
39 static char ssl_errstring[256];
41 static int ssl_session_timeout = 200;
42 static BOOL verify_optional = FALSE;
48 /*************************************************
50 *************************************************/
52 /* Called from lots of places when errors occur before actually starting to do
53 the TLS handshake, that is, while the session is still in clear. Always returns
54 DEFER for a server and FAIL for a client so that most calls can use "return
55 tls_error(...)" to do this processing and then give an appropriate return. A
56 single function is used for both server and client, because it is called from
57 some shared functions.
60 prefix text to include in the logged error
61 host NULL if setting up a server;
62 the connected host if setting up a client
63 msg error message or NULL if we should ask OpenSSL
65 Returns: OK/DEFER/FAIL
69 tls_error(uschar *prefix, host_item *host, uschar *msg)
73 ERR_error_string(ERR_get_error(), ssl_errstring);
74 msg = (uschar *)ssl_errstring;
79 uschar *conn_info = smtp_get_connection_info();
80 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0)
82 log_write(0, LOG_MAIN, "TLS error on %s (%s): %s",
83 conn_info, prefix, msg);
88 log_write(0, LOG_MAIN, "TLS error on connection to %s [%s] (%s): %s",
89 host->name, host->address, prefix, msg);
96 /*************************************************
97 * Callback to generate RSA key *
98 *************************************************/
106 Returns: pointer to generated key
110 rsa_callback(SSL *s, int export, int keylength)
113 export = export; /* Shut picky compilers up */
114 DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
115 rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL);
118 ERR_error_string(ERR_get_error(), ssl_errstring);
119 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
129 /*************************************************
130 * Callback for verification *
131 *************************************************/
133 /* The SSL library does certificate verification if set up to do so. This
134 callback has the current yes/no state is in "state". If verification succeeded,
135 we set up the tls_peerdn string. If verification failed, what happens depends
136 on whether the client is required to present a verifiable certificate or not.
138 If verification is optional, we change the state to yes, but still log the
139 verification error. For some reason (it really would help to have proper
140 documentation of OpenSSL), this callback function then gets called again, this
141 time with state = 1. In fact, that's useful, because we can set up the peerdn
142 value, but we must take care not to set the private verified flag on the second
145 Note: this function is not called if the client fails to present a certificate
146 when asked. We get here only if a certificate has been received. Handling of
147 optional verification for this case is done when requesting SSL to verify, by
148 setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
151 state current yes/no state as 1/0
152 x509ctx certificate information.
154 Returns: 1 if verified, 0 if not
158 verify_callback(int state, X509_STORE_CTX *x509ctx)
160 static uschar txt[256];
162 X509_NAME_oneline(X509_get_subject_name(x509ctx->current_cert),
163 CS txt, sizeof(txt));
167 log_write(0, LOG_MAIN, "SSL verify error: depth=%d error=%s cert=%s",
168 x509ctx->error_depth,
169 X509_verify_cert_error_string(x509ctx->error),
171 tls_certificate_verified = FALSE;
172 verify_callback_called = TRUE;
173 if (!verify_optional) return 0; /* reject */
174 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
175 "tls_try_verify_hosts)\n");
176 return 1; /* accept */
179 if (x509ctx->error_depth != 0)
181 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d cert=%s\n",
182 x509ctx->error_depth, txt);
186 DEBUG(D_tls) debug_printf("SSL%s peer: %s\n",
187 verify_callback_called? "" : " authenticated", txt);
191 if (!verify_callback_called) tls_certificate_verified = TRUE;
192 verify_callback_called = TRUE;
194 return 1; /* accept */
199 /*************************************************
200 * Information callback *
201 *************************************************/
203 /* The SSL library functions call this from time to time to indicate what they
204 are doing. We copy the string to the debugging output when the level is high
216 info_callback(SSL *s, int where, int ret)
220 DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
225 /*************************************************
226 * Initialize for DH *
227 *************************************************/
229 /* If dhparam is set, expand it, and load up the parameters for DH encryption.
232 dhparam DH parameter file
233 host connected host, if client; NULL if server
235 Returns: TRUE if OK (nothing to set up, or setup worked)
239 init_dh(uschar *dhparam, host_item *host)
246 if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded))
249 if (dhexpanded == NULL) return TRUE;
251 if ((bio = BIO_new_file(CS dhexpanded, "r")) == NULL)
253 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
254 host, (uschar *)strerror(errno));
259 if ((dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)) == NULL)
261 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
267 SSL_CTX_set_tmp_dh(ctx, dh);
269 debug_printf("Diffie-Hellman initialized from %s with %d-bit key\n",
270 dhexpanded, 8*DH_size(dh));
282 /*************************************************
283 * Initialize for TLS *
284 *************************************************/
286 /* Called from both server and client code, to do preliminary initialization of
290 host connected host, if client; NULL if server
291 dhparam DH parameter file
292 certificate certificate file
293 privatekey private key
294 addr address if client; NULL if server (for some randomness)
296 Returns: OK/DEFER/FAIL
300 tls_init(host_item *host, uschar *dhparam, uschar *certificate,
301 uschar *privatekey, address_item *addr)
306 SSL_load_error_strings(); /* basic set up */
307 OpenSSL_add_ssl_algorithms();
309 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
310 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
311 list of available digests. */
312 EVP_add_digest(EVP_sha256());
315 /* Create a context */
317 ctx = SSL_CTX_new((host == NULL)?
318 SSLv23_server_method() : SSLv23_client_method());
320 if (ctx == NULL) return tls_error(US"SSL_CTX_new", host, NULL);
322 /* It turns out that we need to seed the random number generator this early in
323 order to get the full complement of ciphers to work. It took me roughly a day
324 of work to discover this by experiment.
326 On systems that have /dev/urandom, SSL may automatically seed itself from
327 there. Otherwise, we have to make something up as best we can. Double check
333 gettimeofday(&r.tv, NULL);
336 RAND_seed((uschar *)(&r), sizeof(r));
337 RAND_seed((uschar *)big_buffer, big_buffer_size);
338 if (addr != NULL) RAND_seed((uschar *)addr, sizeof(addr));
341 return tls_error(US"RAND_status", host,
342 US"unable to seed random number generator");
345 /* Set up the information callback, which outputs if debugging is at a suitable
348 SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
350 /* Automatically re-try reads/writes after renegotiation. */
351 (void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
353 /* Apply administrator-supplied work-arounds.
354 Historically we applied just one requested option,
355 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
356 moved to an administrator-controlled list of options to specify and
357 grandfathered in the first one as the default value for "openssl_options".
359 No OpenSSL version number checks: the options we accept depend upon the
360 availability of the option value macros from OpenSSL. */
362 okay = tls_openssl_options_parse(openssl_options, &init_options);
364 return tls_error(US"openssl_options parsing failed", host, NULL);
368 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
369 if (!(SSL_CTX_set_options(ctx, init_options)))
370 return tls_error(string_sprintf(
371 "SSL_CTX_set_option(%#lx)", init_options), host, NULL);
374 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
376 /* Initialize with DH parameters if supplied */
378 if (!init_dh(dhparam, host)) return DEFER;
380 /* Set up certificate and key */
382 if (certificate != NULL)
385 if (!expand_check(certificate, US"tls_certificate", &expanded))
388 if (expanded != NULL)
390 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded);
391 if (!SSL_CTX_use_certificate_chain_file(ctx, CS expanded))
392 return tls_error(string_sprintf(
393 "SSL_CTX_use_certificate_chain_file file=%s", expanded), host, NULL);
396 if (privatekey != NULL &&
397 !expand_check(privatekey, US"tls_privatekey", &expanded))
400 /* If expansion was forced to fail, key_expanded will be NULL. If the result
401 of the expansion is an empty string, ignore it also, and assume the private
402 key is in the same file as the certificate. */
404 if (expanded != NULL && *expanded != 0)
406 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
407 if (!SSL_CTX_use_PrivateKey_file(ctx, CS expanded, SSL_FILETYPE_PEM))
408 return tls_error(string_sprintf(
409 "SSL_CTX_use_PrivateKey_file file=%s", expanded), host, NULL);
413 /* Set up the RSA callback */
415 SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
417 /* Finally, set the timeout, and we are done */
419 SSL_CTX_set_timeout(ctx, ssl_session_timeout);
420 DEBUG(D_tls) debug_printf("Initialized TLS\n");
427 /*************************************************
428 * Get name of cipher in use *
429 *************************************************/
431 /* The answer is left in a static buffer, and tls_cipher is set to point
434 Argument: pointer to an SSL structure for the connection
439 construct_cipher_name(SSL *ssl)
441 static uschar cipherbuf[256];
442 /* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't
443 yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
444 the accessor functions use const in the prototype. */
448 switch (ssl->session->ssl_version)
462 #ifdef TLS1_1_VERSION
468 #ifdef TLS1_2_VERSION
478 c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
479 SSL_CIPHER_get_bits(c, &tls_bits);
481 string_format(cipherbuf, sizeof(cipherbuf), "%s:%s:%u", ver,
482 SSL_CIPHER_get_name(c), tls_bits);
483 tls_cipher = cipherbuf;
485 DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
492 /*************************************************
493 * Set up for verifying certificates *
494 *************************************************/
496 /* Called by both client and server startup
499 certs certs file or NULL
501 host NULL in a server; the remote host in a client
502 optional TRUE if called from a server for a host in tls_try_verify_hosts;
503 otherwise passed as FALSE
505 Returns: OK/DEFER/FAIL
509 setup_certs(uschar *certs, uschar *crl, host_item *host, BOOL optional)
511 uschar *expcerts, *expcrl;
513 if (!expand_check(certs, US"tls_verify_certificates", &expcerts))
516 if (expcerts != NULL)
519 if (!SSL_CTX_set_default_verify_paths(ctx))
520 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
522 if (Ustat(expcerts, &statbuf) < 0)
524 log_write(0, LOG_MAIN|LOG_PANIC,
525 "failed to stat %s for certificates", expcerts);
531 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
532 { file = NULL; dir = expcerts; }
534 { file = expcerts; dir = NULL; }
536 /* If a certificate file is empty, the next function fails with an
537 unhelpful error message. If we skip it, we get the correct behaviour (no
538 certificates are recognized, but the error message is still misleading (it
539 says no certificate was supplied.) But this is better. */
541 if ((file == NULL || statbuf.st_size > 0) &&
542 !SSL_CTX_load_verify_locations(ctx, CS file, CS dir))
543 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL);
547 SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CS file));
551 /* Handle a certificate revocation list. */
553 #if OPENSSL_VERSION_NUMBER > 0x00907000L
555 /* This bit of code is now the version supplied by Lars Mainka. (I have
556 * merely reformatted it into the Exim code style.)
558 * "From here I changed the code to add support for multiple crl's
559 * in pem format in one file or to support hashed directory entries in
560 * pem format instead of a file. This method now uses the library function
561 * X509_STORE_load_locations to add the CRL location to the SSL context.
562 * OpenSSL will then handle the verify against CA certs and CRLs by
563 * itself in the verify callback." */
565 if (!expand_check(crl, US"tls_crl", &expcrl)) return DEFER;
566 if (expcrl != NULL && *expcrl != 0)
568 struct stat statbufcrl;
569 if (Ustat(expcrl, &statbufcrl) < 0)
571 log_write(0, LOG_MAIN|LOG_PANIC,
572 "failed to stat %s for certificates revocation lists", expcrl);
577 /* is it a file or directory? */
579 X509_STORE *cvstore = SSL_CTX_get_cert_store(ctx);
580 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
584 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
590 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
592 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
593 return tls_error(US"X509_STORE_load_locations", host, NULL);
595 /* setting the flags to check against the complete crl chain */
597 X509_STORE_set_flags(cvstore,
598 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
602 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
604 /* If verification is optional, don't fail if no certificate */
606 SSL_CTX_set_verify(ctx,
607 SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
616 /*************************************************
617 * Start a TLS session in a server *
618 *************************************************/
620 /* This is called when Exim is running as a server, after having received
621 the STARTTLS command. It must respond to that command, and then negotiate
625 require_ciphers allowed ciphers
626 ------------------------------------------------------
627 require_mac list of allowed MACs ) Not used
628 require_kx list of allowed key_exchange methods ) for
629 require_proto list of allowed protocols ) OpenSSL
630 ------------------------------------------------------
632 Returns: OK on success
633 DEFER for errors before the start of the negotiation
634 FAIL for errors during the negotation; the server can't
639 tls_server_start(uschar *require_ciphers, uschar *require_mac,
640 uschar *require_kx, uschar *require_proto)
645 /* Check for previous activation */
649 tls_error(US"STARTTLS received after TLS started", NULL, US"");
650 smtp_printf("554 Already in TLS\r\n");
654 /* Initialize the SSL library. If it fails, it will already have logged
657 rc = tls_init(NULL, tls_dhparam, tls_certificate, tls_privatekey, NULL);
658 if (rc != OK) return rc;
660 if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
663 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
664 are separated by underscores. So that I can use either form in my tests, and
665 also for general convenience, we turn underscores into hyphens here. */
667 if (expciphers != NULL)
669 uschar *s = expciphers;
670 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
671 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
672 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
673 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL);
676 /* If this is a host for which certificate verification is mandatory or
677 optional, set up appropriately. */
679 tls_certificate_verified = FALSE;
680 verify_callback_called = FALSE;
682 if (verify_check_host(&tls_verify_hosts) == OK)
684 rc = setup_certs(tls_verify_certificates, tls_crl, NULL, FALSE);
685 if (rc != OK) return rc;
686 verify_optional = FALSE;
688 else if (verify_check_host(&tls_try_verify_hosts) == OK)
690 rc = setup_certs(tls_verify_certificates, tls_crl, NULL, TRUE);
691 if (rc != OK) return rc;
692 verify_optional = TRUE;
695 /* Prepare for new connection */
697 if ((ssl = SSL_new(ctx)) == NULL) return tls_error(US"SSL_new", NULL, NULL);
699 /* Warning: we used to SSL_clear(ssl) here, it was removed.
701 * With the SSL_clear(), we get strange interoperability bugs with
702 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
703 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
705 * The SSL_clear() call is to let an existing SSL* be reused, typically after
706 * session shutdown. In this case, we have a brand new object and there's no
707 * obvious reason to immediately clear it. I'm guessing that this was
708 * originally added because of incomplete initialisation which the clear fixed,
709 * in some historic release.
712 /* Set context and tell client to go ahead, except in the case of TLS startup
713 on connection, where outputting anything now upsets the clients and tends to
714 make them disconnect. We need to have an explicit fflush() here, to force out
715 the response. Other smtp_printf() calls do not need it, because in non-TLS
716 mode, the fflush() happens when smtp_getc() is called. */
718 SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
721 smtp_printf("220 TLS go ahead\r\n");
725 /* Now negotiate the TLS session. We put our own timer on it, since it seems
726 that the OpenSSL library doesn't. */
728 SSL_set_wfd(ssl, fileno(smtp_out));
729 SSL_set_rfd(ssl, fileno(smtp_in));
730 SSL_set_accept_state(ssl);
732 DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
734 sigalrm_seen = FALSE;
735 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
736 rc = SSL_accept(ssl);
741 tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL);
742 if (ERR_get_error() == 0)
743 log_write(0, LOG_MAIN,
744 "TLS client disconnected cleanly (rejected our certificate?)");
748 DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
750 /* TLS has been set up. Adjust the input functions to read via TLS,
751 and initialize things. */
753 construct_cipher_name(ssl);
758 if (SSL_get_shared_ciphers(ssl, CS buf, sizeof(buf)) != NULL)
759 debug_printf("Shared ciphers: %s\n", buf);
763 ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
764 ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
765 ssl_xfer_eof = ssl_xfer_error = 0;
767 receive_getc = tls_getc;
768 receive_ungetc = tls_ungetc;
769 receive_feof = tls_feof;
770 receive_ferror = tls_ferror;
771 receive_smtp_buffered = tls_smtp_buffered;
773 tls_active = fileno(smtp_out);
781 /*************************************************
782 * Start a TLS session in a client *
783 *************************************************/
785 /* Called from the smtp transport after STARTTLS has been accepted.
788 fd the fd of the connection
789 host connected host (for messages)
790 addr the first address
791 dhparam DH parameter file
792 certificate certificate file
793 privatekey private key file
794 verify_certs file for certificate verify
795 crl file containing CRL
796 require_ciphers list of allowed ciphers
797 ------------------------------------------------------
798 require_mac list of allowed MACs ) Not used
799 require_kx list of allowed key_exchange methods ) for
800 require_proto list of allowed protocols ) OpenSSL
801 ------------------------------------------------------
802 timeout startup timeout
804 Returns: OK on success
805 FAIL otherwise - note that tls_error() will not give DEFER
806 because this is not a server
810 tls_client_start(int fd, host_item *host, address_item *addr, uschar *dhparam,
811 uschar *certificate, uschar *privatekey, uschar *verify_certs, uschar *crl,
812 uschar *require_ciphers, uschar *require_mac, uschar *require_kx,
813 uschar *require_proto, int timeout)
815 static uschar txt[256];
820 rc = tls_init(host, dhparam, certificate, privatekey, addr);
821 if (rc != OK) return rc;
823 tls_certificate_verified = FALSE;
824 verify_callback_called = FALSE;
826 if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
829 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
830 are separated by underscores. So that I can use either form in my tests, and
831 also for general convenience, we turn underscores into hyphens here. */
833 if (expciphers != NULL)
835 uschar *s = expciphers;
836 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
837 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
838 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
839 return tls_error(US"SSL_CTX_set_cipher_list", host, NULL);
842 rc = setup_certs(verify_certs, crl, host, FALSE);
843 if (rc != OK) return rc;
845 if ((ssl = SSL_new(ctx)) == NULL) return tls_error(US"SSL_new", host, NULL);
846 SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
848 SSL_set_connect_state(ssl);
850 /* There doesn't seem to be a built-in timeout on connection. */
852 DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
853 sigalrm_seen = FALSE;
855 rc = SSL_connect(ssl);
859 return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL);
861 DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
863 /* Beware anonymous ciphers which lead to server_cert being NULL */
864 server_cert = SSL_get_peer_certificate (ssl);
867 tls_peerdn = US X509_NAME_oneline(X509_get_subject_name(server_cert),
868 CS txt, sizeof(txt));
874 construct_cipher_name(ssl); /* Sets tls_cipher */
884 /*************************************************
885 * TLS version of getc *
886 *************************************************/
888 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
889 it refills the buffer via the SSL reading function.
892 Returns: the next character or EOF
898 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
903 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
904 ssl_xfer_buffer, ssl_xfer_buffer_size);
906 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
907 inbytes = SSL_read(ssl, CS ssl_xfer_buffer, ssl_xfer_buffer_size);
908 error = SSL_get_error(ssl, inbytes);
911 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
912 closed down, not that the socket itself has been closed down. Revert to
915 if (error == SSL_ERROR_ZERO_RETURN)
917 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
919 receive_getc = smtp_getc;
920 receive_ungetc = smtp_ungetc;
921 receive_feof = smtp_feof;
922 receive_ferror = smtp_ferror;
923 receive_smtp_buffered = smtp_buffered;
934 /* Handle genuine errors */
936 else if (error == SSL_ERROR_SSL)
938 ERR_error_string(ERR_get_error(), ssl_errstring);
939 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
944 else if (error != SSL_ERROR_NONE)
946 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
952 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
954 ssl_xfer_buffer_hwm = inbytes;
955 ssl_xfer_buffer_lwm = 0;
958 /* Something in the buffer; return next uschar */
960 return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
965 /*************************************************
966 * Read bytes from TLS channel *
967 *************************************************/
974 Returns: the number of bytes read
975 -1 after a failed read
979 tls_read(uschar *buff, size_t len)
984 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
985 buff, (unsigned int)len);
987 inbytes = SSL_read(ssl, CS buff, len);
988 error = SSL_get_error(ssl, inbytes);
990 if (error == SSL_ERROR_ZERO_RETURN)
992 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
995 else if (error != SSL_ERROR_NONE)
1007 /*************************************************
1008 * Write bytes down TLS channel *
1009 *************************************************/
1016 Returns: the number of bytes after a successful write,
1017 -1 after a failed write
1021 tls_write(const uschar *buff, size_t len)
1027 DEBUG(D_tls) debug_printf("tls_do_write(%p, %d)\n", buff, left);
1030 DEBUG(D_tls) debug_printf("SSL_write(SSL, %p, %d)\n", buff, left);
1031 outbytes = SSL_write(ssl, CS buff, left);
1032 error = SSL_get_error(ssl, outbytes);
1033 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
1037 ERR_error_string(ERR_get_error(), ssl_errstring);
1038 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
1041 case SSL_ERROR_NONE:
1046 case SSL_ERROR_ZERO_RETURN:
1047 log_write(0, LOG_MAIN, "SSL channel closed on write");
1051 log_write(0, LOG_MAIN, "SSL_write error %d", error);
1060 /*************************************************
1061 * Close down a TLS session *
1062 *************************************************/
1064 /* This is also called from within a delivery subprocess forked from the
1065 daemon, to shut down the TLS library, without actually doing a shutdown (which
1066 would tamper with the SSL session in the parent process).
1068 Arguments: TRUE if SSL_shutdown is to be called
1073 tls_close(BOOL shutdown)
1075 if (tls_active < 0) return; /* TLS was not active */
1079 DEBUG(D_tls) debug_printf("tls_close(): shutting down SSL\n");
1092 /*************************************************
1093 * Report the library versions. *
1094 *************************************************/
1096 /* There have historically been some issues with binary compatibility in
1097 OpenSSL libraries; if Exim (like many other applications) is built against
1098 one version of OpenSSL but the run-time linker picks up another version,
1099 it can result in serious failures, including crashing with a SIGSEGV. So
1100 report the version found by the compiler and the run-time version.
1102 Arguments: a FILE* to print the results to
1107 tls_version_report(FILE *f)
1109 fprintf(f, "Library version: OpenSSL: Compile: %s\n"
1111 OPENSSL_VERSION_TEXT,
1112 SSLeay_version(SSLEAY_VERSION));
1118 /*************************************************
1119 * Pseudo-random number generation *
1120 *************************************************/
1122 /* Pseudo-random number generation. The result is not expected to be
1123 cryptographically strong but not so weak that someone will shoot themselves
1124 in the foot using it as a nonce in input in some email header scheme or
1125 whatever weirdness they'll twist this into. The result should handle fork()
1126 and avoid repeating sequences. OpenSSL handles that for us.
1130 Returns a random number in range [0, max-1]
1134 pseudo_random_number(int max)
1139 uschar smallbuf[sizeof(r)];
1144 /* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
1148 gettimeofday(&r.tv, NULL);
1151 RAND_seed((uschar *)(&r), sizeof(r));
1153 /* We're after pseudo-random, not random; if we still don't have enough data
1154 in the internal PRNG then our options are limited. We could sleep and hope
1155 for entropy to come along (prayer technique) but if the system is so depleted
1156 in the first place then something is likely to just keep taking it. Instead,
1157 we'll just take whatever little bit of pseudo-random we can still manage to
1160 needed_len = sizeof(r);
1161 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
1162 asked for a number less than 10. */
1163 for (r = max, i = 0; r; ++i)
1169 /* We do not care if crypto-strong */
1170 (void) RAND_pseudo_bytes(smallbuf, needed_len);
1172 for (p = smallbuf; needed_len; --needed_len, ++p)
1178 /* We don't particularly care about weighted results; if someone wants
1179 smooth distribution and cares enough then they should submit a patch then. */
1186 /*************************************************
1187 * OpenSSL option parse *
1188 *************************************************/
1190 /* Parse one option for tls_openssl_options_parse below
1193 name one option name
1194 value place to store a value for it
1195 Returns success or failure in parsing
1198 struct exim_openssl_option {
1202 /* We could use a macro to expand, but we need the ifdef and not all the
1203 options document which version they were introduced in. Policylet: include
1204 all options unless explicitly for DTLS, let the administrator choose which
1207 This list is current as of:
1209 static struct exim_openssl_option exim_openssl_options[] = {
1210 /* KEEP SORTED ALPHABETICALLY! */
1212 { US"all", SSL_OP_ALL },
1214 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
1215 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
1217 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
1218 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
1220 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
1221 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
1223 #ifdef SSL_OP_EPHEMERAL_RSA
1224 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
1226 #ifdef SSL_OP_LEGACY_SERVER_CONNECT
1227 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
1229 #ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
1230 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
1232 #ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
1233 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
1235 #ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
1236 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
1238 #ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
1239 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
1241 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
1242 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
1244 #ifdef SSL_OP_NO_COMPRESSION
1245 { US"no_compression", SSL_OP_NO_COMPRESSION },
1247 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1248 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
1250 #ifdef SSL_OP_NO_SSLv2
1251 { US"no_sslv2", SSL_OP_NO_SSLv2 },
1253 #ifdef SSL_OP_NO_SSLv3
1254 { US"no_sslv3", SSL_OP_NO_SSLv3 },
1256 #ifdef SSL_OP_NO_TICKET
1257 { US"no_ticket", SSL_OP_NO_TICKET },
1259 #ifdef SSL_OP_NO_TLSv1
1260 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
1262 #ifdef SSL_OP_NO_TLSv1_1
1263 #if SSL_OP_NO_TLSv1_1 == 0x00000400L
1264 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
1265 #warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
1267 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
1270 #ifdef SSL_OP_NO_TLSv1_2
1271 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
1273 #ifdef SSL_OP_SINGLE_DH_USE
1274 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
1276 #ifdef SSL_OP_SINGLE_ECDH_USE
1277 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
1279 #ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
1280 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
1282 #ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
1283 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
1285 #ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
1286 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
1288 #ifdef SSL_OP_TLS_D5_BUG
1289 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
1291 #ifdef SSL_OP_TLS_ROLLBACK_BUG
1292 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
1295 static int exim_openssl_options_size =
1296 sizeof(exim_openssl_options)/sizeof(struct exim_openssl_option);
1300 tls_openssl_one_option_parse(uschar *name, long *value)
1303 int last = exim_openssl_options_size;
1304 while (last > first)
1306 int middle = (first + last)/2;
1307 int c = Ustrcmp(name, exim_openssl_options[middle].name);
1310 *value = exim_openssl_options[middle].value;
1324 /*************************************************
1325 * OpenSSL option parsing logic *
1326 *************************************************/
1328 /* OpenSSL has a number of compatibility options which an administrator might
1329 reasonably wish to set. Interpret a list similarly to decode_bits(), so that
1330 we look like log_selector.
1333 option_spec the administrator-supplied string of options
1334 results ptr to long storage for the options bitmap
1335 Returns success or failure
1339 tls_openssl_options_parse(uschar *option_spec, long *results)
1344 BOOL adding, item_parsed;
1347 /* Prior to 4.78 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
1348 * from default because it increases BEAST susceptibility. */
1350 if (option_spec == NULL)
1356 for (s=option_spec; *s != '\0'; /**/)
1358 while (isspace(*s)) ++s;
1361 if (*s != '+' && *s != '-')
1363 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
1364 "+ or - expected but found \"%s\"\n", s);
1367 adding = *s++ == '+';
1368 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
1371 item_parsed = tls_openssl_one_option_parse(s, &item);
1374 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
1377 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
1378 adding ? "adding" : "removing", result, item, s);
1391 /* End of tls-openssl.c */
git://git.exim.org / exim.git / blob