1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2016 */
6 /* See the file NOTICE for conditions of use and distribution. */
8 /* Portions Copyright (c) The OpenSSL Project 1999 */
10 /* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11 library. It is #included into the tls.c file when that library is used. The
12 code herein is based on a patch that was originally contributed by Steve
13 Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
15 No cryptographic code is included in Exim. All this module does is to call
16 functions from the OpenSSL library. */
21 #include <openssl/lhash.h>
22 #include <openssl/ssl.h>
23 #include <openssl/err.h>
24 #include <openssl/rand.h>
25 #ifndef OPENSSL_NO_ECDH
26 # include <openssl/ec.h>
29 # include <openssl/ocsp.h>
31 #ifdef EXPERIMENTAL_DANE
37 # define EXIM_OCSP_SKEW_SECONDS (300L)
38 # define EXIM_OCSP_MAX_AGE (-1L)
41 #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
42 # define EXIM_HAVE_OPENSSL_TLSEXT
44 #if OPENSSL_VERSION_NUMBER >= 0x00908000L
45 # define EXIM_HAVE_RSA_GENKEY_EX
47 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
48 # define EXIM_HAVE_OCSP_RESP_COUNT
50 # define EXIM_HAVE_EPHEM_RSA_KEX
51 # define EXIM_HAVE_RAND_PSEUDO
53 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
54 # define EXIM_HAVE_SHA256
58 * X509_check_host provides sane certificate hostname checking, but was added
59 * to OpenSSL late, after other projects forked off the code-base. So in
60 * addition to guarding against the base version number, beware that LibreSSL
61 * does not (at this time) support this function.
63 * If LibreSSL gains a different API, perhaps via libtls, then we'll probably
64 * opt to disentangle and ask a LibreSSL user to provide glue for a third
65 * crypto provider for libtls instead of continuing to tie the OpenSSL glue
66 * into even twistier knots. If LibreSSL gains the same API, we can just
67 * change this guard and punt the issue for a while longer.
69 #ifndef LIBRESSL_VERSION_NUMBER
70 # if OPENSSL_VERSION_NUMBER >= 0x010100000L
71 # define EXIM_HAVE_OPENSSL_CHECKHOST
73 # if OPENSSL_VERSION_NUMBER >= 0x010000000L \
74 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
75 # define EXIM_HAVE_OPENSSL_CHECKHOST
79 #if !defined(LIBRESSL_VERSION_NUMBER) \
80 || LIBRESSL_VERSION_NUMBER >= 0x20010000L
81 # if !defined(OPENSSL_NO_ECDH)
82 # if OPENSSL_VERSION_NUMBER >= 0x0090800fL
83 # define EXIM_HAVE_ECDH
85 # if OPENSSL_VERSION_NUMBER >= 0x10002000L
86 # if OPENSSL_VERSION_NUMBER < 0x10100000L
87 # define EXIM_HAVE_OPENSSL_ECDH_AUTO
89 # define EXIM_HAVE_OPENSSL_EC_NIST2NID
94 #if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
95 # warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
99 /* Structure for collecting random data for seeding. */
101 typedef struct randstuff {
106 /* Local static variables */
108 static BOOL client_verify_callback_called = FALSE;
109 static BOOL server_verify_callback_called = FALSE;
110 static const uschar *sid_ctx = US"exim";
112 /* We have three different contexts to care about.
114 Simple case: client, `client_ctx`
115 As a client, we can be doing a callout or cut-through delivery while receiving
116 a message. So we have a client context, which should have options initialised
117 from the SMTP Transport.
120 There are two cases: with and without ServerNameIndication from the client.
121 Given TLS SNI, we can be using different keys, certs and various other
122 configuration settings, because they're re-expanded with $tls_sni set. This
123 allows vhosting with TLS. This SNI is sent in the handshake.
124 A client might not send SNI, so we need a fallback, and an initial setup too.
125 So as a server, we start out using `server_ctx`.
126 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
127 `server_sni` from `server_ctx` and then initialise settings by re-expanding
131 static SSL_CTX *client_ctx = NULL;
132 static SSL_CTX *server_ctx = NULL;
133 static SSL *client_ssl = NULL;
134 static SSL *server_ssl = NULL;
136 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
137 static SSL_CTX *server_sni = NULL;
140 static char ssl_errstring[256];
142 static int ssl_session_timeout = 200;
143 static BOOL client_verify_optional = FALSE;
144 static BOOL server_verify_optional = FALSE;
146 static BOOL reexpand_tls_files_for_sni = FALSE;
149 typedef struct tls_ext_ctx_cb {
157 uschar *file_expanded;
158 OCSP_RESPONSE *response;
161 X509_STORE *verify_store; /* non-null if status requested */
162 BOOL verify_required;
167 /* these are cached from first expand */
168 uschar *server_cipher_list;
169 /* only passed down to tls_error: */
171 const uschar * verify_cert_hostnames;
172 #ifndef DISABLE_EVENT
173 uschar * event_action;
177 /* should figure out a cleanup of API to handle state preserved per
178 implementation, for various reasons, which can be void * in the APIs.
179 For now, we hack around it. */
180 tls_ext_ctx_cb *client_static_cbinfo = NULL;
181 tls_ext_ctx_cb *server_static_cbinfo = NULL;
184 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
185 int (*cert_vfy_cb)(int, X509_STORE_CTX *) );
188 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
189 static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
192 static int tls_server_stapling_cb(SSL *s, void *arg);
196 /*************************************************
198 *************************************************/
200 /* Called from lots of places when errors occur before actually starting to do
201 the TLS handshake, that is, while the session is still in clear. Always returns
202 DEFER for a server and FAIL for a client so that most calls can use "return
203 tls_error(...)" to do this processing and then give an appropriate return. A
204 single function is used for both server and client, because it is called from
205 some shared functions.
208 prefix text to include in the logged error
209 host NULL if setting up a server;
210 the connected host if setting up a client
211 msg error message or NULL if we should ask OpenSSL
213 Returns: OK/DEFER/FAIL
217 tls_error(uschar * prefix, const host_item * host, uschar * msg)
221 ERR_error_string(ERR_get_error(), ssl_errstring);
222 msg = (uschar *)ssl_errstring;
227 log_write(0, LOG_MAIN, "H=%s [%s] TLS error on connection (%s): %s",
228 host->name, host->address, prefix, msg);
233 uschar *conn_info = smtp_get_connection_info();
234 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0)
236 /* I'd like to get separated H= here, but too hard for now */
237 log_write(0, LOG_MAIN, "TLS error on %s (%s): %s",
238 conn_info, prefix, msg);
245 #ifdef EXIM_HAVE_EPHEM_RSA_KEX
246 /*************************************************
247 * Callback to generate RSA key *
248 *************************************************/
256 Returns: pointer to generated key
260 rsa_callback(SSL *s, int export, int keylength)
263 #ifdef EXIM_HAVE_RSA_GENKEY_EX
264 BIGNUM *bn = BN_new();
267 export = export; /* Shut picky compilers up */
268 DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
270 #ifdef EXIM_HAVE_RSA_GENKEY_EX
271 if ( !BN_set_word(bn, (unsigned long)RSA_F4)
272 || !(rsa_key = RSA_new())
273 || !RSA_generate_key_ex(rsa_key, keylength, bn, NULL)
276 if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL)))
280 ERR_error_string(ERR_get_error(), ssl_errstring);
281 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
294 x509_store_dump_cert_s_names(X509_STORE * store)
296 STACK_OF(X509_OBJECT) * roots= store->objs;
298 static uschar name[256];
300 for(i= 0; i<sk_X509_OBJECT_num(roots); i++)
302 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
303 if(tmp_obj->type == X509_LU_X509)
305 X509 * current_cert= tmp_obj->data.x509;
306 X509_NAME_oneline(X509_get_subject_name(current_cert), CS name, sizeof(name));
307 name[sizeof(name)-1] = '\0';
308 debug_printf(" %s\n", name);
316 #ifndef DISABLE_EVENT
318 verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
319 BOOL *calledp, const BOOL *optionalp, const uschar * what)
325 ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
328 DEBUG(D_tls) debug_printf("verify_event: %s %d\n", what, depth);
329 old_cert = tlsp->peercert;
330 tlsp->peercert = X509_dup(cert);
331 /* NB we do not bother setting peerdn */
332 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
334 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
335 "depth=%d cert=%s: %s",
336 tlsp == &tls_out ? deliver_host_address : sender_host_address,
337 what, depth, dn, yield);
341 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
342 return 1; /* reject (leaving peercert set) */
344 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
345 "(host in tls_try_verify_hosts)\n");
347 X509_free(tlsp->peercert);
348 tlsp->peercert = old_cert;
354 /*************************************************
355 * Callback for verification *
356 *************************************************/
358 /* The SSL library does certificate verification if set up to do so. This
359 callback has the current yes/no state is in "state". If verification succeeded,
360 we set the certificate-verified flag. If verification failed, what happens
361 depends on whether the client is required to present a verifiable certificate
364 If verification is optional, we change the state to yes, but still log the
365 verification error. For some reason (it really would help to have proper
366 documentation of OpenSSL), this callback function then gets called again, this
367 time with state = 1. We must take care not to set the private verified flag on
368 the second time through.
370 Note: this function is not called if the client fails to present a certificate
371 when asked. We get here only if a certificate has been received. Handling of
372 optional verification for this case is done when requesting SSL to verify, by
373 setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
375 May be called multiple times for different issues with a certificate, even
376 for a given "depth" in the certificate chain.
379 preverify_ok current yes/no state as 1/0
380 x509ctx certificate information.
381 tlsp per-direction (client vs. server) support data
382 calledp has-been-called flag
383 optionalp verification-is-optional flag
385 Returns: 0 if verification should fail, otherwise 1
389 verify_callback(int preverify_ok, X509_STORE_CTX *x509ctx,
390 tls_support *tlsp, BOOL *calledp, BOOL *optionalp)
392 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
393 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
396 X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn));
397 dn[sizeof(dn)-1] = '\0';
399 if (preverify_ok == 0)
401 log_write(0, LOG_MAIN, "[%s] SSL verify error: depth=%d error=%s cert=%s",
402 tlsp == &tls_out ? deliver_host_address : sender_host_address,
404 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)),
410 tlsp->peercert = X509_dup(cert); /* record failing cert */
411 return 0; /* reject */
413 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
414 "tls_try_verify_hosts)\n");
419 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
421 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
422 { /* client, wanting stapling */
423 /* Add the server cert's signing chain as the one
424 for the verification of the OCSP stapled information. */
426 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
431 #ifndef DISABLE_EVENT
432 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
433 return 0; /* reject, with peercert set */
438 const uschar * verify_cert_hostnames;
440 if ( tlsp == &tls_out
441 && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
442 /* client, wanting hostname check */
445 #ifdef EXIM_HAVE_OPENSSL_CHECKHOST
446 # ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
447 # define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
449 # ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
450 # define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
453 const uschar * list = verify_cert_hostnames;
456 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
457 if ((rc = X509_check_host(cert, CCS name, 0,
458 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
459 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
464 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
465 tlsp == &tls_out ? deliver_host_address : sender_host_address);
472 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
475 log_write(0, LOG_MAIN,
476 "[%s] SSL verify error: certificate name mismatch: \"%s\"",
477 tlsp == &tls_out ? deliver_host_address : sender_host_address,
483 tlsp->peercert = X509_dup(cert); /* record failing cert */
484 return 0; /* reject */
486 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
487 "tls_try_verify_hosts)\n");
491 #ifndef DISABLE_EVENT
492 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
493 return 0; /* reject, with peercert set */
496 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
497 *calledp ? "" : " authenticated", dn);
498 if (!*calledp) tlsp->certificate_verified = TRUE;
502 return 1; /* accept, at least for this level */
506 verify_callback_client(int preverify_ok, X509_STORE_CTX *x509ctx)
508 return verify_callback(preverify_ok, x509ctx, &tls_out,
509 &client_verify_callback_called, &client_verify_optional);
513 verify_callback_server(int preverify_ok, X509_STORE_CTX *x509ctx)
515 return verify_callback(preverify_ok, x509ctx, &tls_in,
516 &server_verify_callback_called, &server_verify_optional);
520 #ifdef EXPERIMENTAL_DANE
522 /* This gets called *by* the dane library verify callback, which interposes
526 verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
528 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
530 #ifndef DISABLE_EVENT
531 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
532 BOOL dummy_called, optional = FALSE;
535 X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn));
536 dn[sizeof(dn)-1] = '\0';
538 DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
539 preverify_ok ? "ok":"BAD", depth, dn);
541 #ifndef DISABLE_EVENT
542 if (verify_event(&tls_out, cert, depth, dn,
543 &dummy_called, &optional, US"DANE"))
544 return 0; /* reject, with peercert set */
547 if (preverify_ok == 1)
548 tls_out.dane_verified =
549 tls_out.certificate_verified = TRUE;
552 int err = X509_STORE_CTX_get_error(x509ctx);
554 debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
555 if (err == X509_V_ERR_APPLICATION_VERIFICATION)
561 #endif /*EXPERIMENTAL_DANE*/
564 /*************************************************
565 * Information callback *
566 *************************************************/
568 /* The SSL library functions call this from time to time to indicate what they
569 are doing. We copy the string to the debugging output when TLS debugging has
581 info_callback(SSL *s, int where, int ret)
585 DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
590 /*************************************************
591 * Initialize for DH *
592 *************************************************/
594 /* If dhparam is set, expand it, and load up the parameters for DH encryption.
597 sctx The current SSL CTX (inbound or outbound)
598 dhparam DH parameter file or fixed parameter identity string
599 host connected host, if client; NULL if server
601 Returns: TRUE if OK (nothing to set up, or setup worked)
605 init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host)
612 if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded))
615 if (!dhexpanded || !*dhexpanded)
616 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
617 else if (dhexpanded[0] == '/')
619 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
621 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
622 host, US strerror(errno));
628 if (Ustrcmp(dhexpanded, "none") == 0)
630 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
634 if (!(pem = std_dh_prime_named(dhexpanded)))
636 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
637 host, US strerror(errno));
640 bio = BIO_new_mem_buf(CS pem, -1);
643 if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
646 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
651 /* Even if it is larger, we silently return success rather than cause things
652 * to fail out, so that a too-large DH will not knock out all TLS; it's a
653 * debatable choice. */
654 if ((8*DH_size(dh)) > tls_dh_max_bits)
657 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d",
658 8*DH_size(dh), tls_dh_max_bits);
662 SSL_CTX_set_tmp_dh(sctx, dh);
664 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
665 dhexpanded ? dhexpanded : US"default", 8*DH_size(dh));
677 /*************************************************
678 * Initialize for ECDH *
679 *************************************************/
681 /* Load parameters for ECDH encryption.
683 For now, we stick to NIST P-256 because: it's simple and easy to configure;
684 it avoids any patent issues that might bite redistributors; despite events in
685 the news and concerns over curve choices, we're not cryptographers, we're not
686 pretending to be, and this is "good enough" to be better than no support,
687 protecting against most adversaries. Given another year or two, there might
688 be sufficient clarity about a "right" way forward to let us make an informed
689 decision, instead of a knee-jerk reaction.
691 Longer-term, we should look at supporting both various named curves and
692 external files generated with "openssl ecparam", much as we do for init_dh().
693 We should also support "none" as a value, to explicitly avoid initialisation.
698 sctx The current SSL CTX (inbound or outbound)
699 host connected host, if client; NULL if server
701 Returns: TRUE if OK (nothing to set up, or setup worked)
705 init_ecdh(SSL_CTX * sctx, host_item * host)
707 #ifdef OPENSSL_NO_ECDH
716 if (host) /* No ECDH setup for clients, only for servers */
719 # ifndef EXIM_HAVE_ECDH
721 debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
725 if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve))
727 if (!exp_curve || !*exp_curve)
730 # ifdef EXIM_HAVE_OPENSSL_ECDH_AUTO
731 /* check if new enough library to support auto ECDH temp key parameter selection */
732 if (Ustrcmp(exp_curve, "auto") == 0)
734 DEBUG(D_tls) debug_printf(
735 "ECDH temp key parameter settings: OpenSSL 1.2+ autoselection\n");
736 SSL_CTX_set_ecdh_auto(sctx, 1);
741 DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve);
742 if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef
743 # ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
744 && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef
748 tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'",
754 if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
756 tls_error(US"Unable to create ec curve", host, NULL);
760 /* The "tmp" in the name here refers to setting a temporary key
761 not to the stability of the interface. */
763 if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
764 tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL);
766 DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
771 # endif /*EXIM_HAVE_ECDH*/
772 #endif /*OPENSSL_NO_ECDH*/
779 /*************************************************
780 * Load OCSP information into state *
781 *************************************************/
783 /* Called to load the server OCSP response from the given file into memory, once
784 caller has determined this is needed. Checks validity. Debugs a message
787 ASSUMES: single response, for single cert.
790 sctx the SSL_CTX* to update
791 cbinfo various parts of session state
792 expanded the filename putatively holding an OCSP response
797 ocsp_load_response(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo, const uschar *expanded)
801 OCSP_BASICRESP *basic_response;
802 OCSP_SINGLERESP *single_response;
803 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
805 unsigned long verify_flags;
806 int status, reason, i;
808 cbinfo->u_ocsp.server.file_expanded = string_copy(expanded);
809 if (cbinfo->u_ocsp.server.response)
811 OCSP_RESPONSE_free(cbinfo->u_ocsp.server.response);
812 cbinfo->u_ocsp.server.response = NULL;
815 bio = BIO_new_file(CS cbinfo->u_ocsp.server.file_expanded, "rb");
818 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
819 cbinfo->u_ocsp.server.file_expanded);
823 resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
827 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
831 status = OCSP_response_status(resp);
832 if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL)
834 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
835 OCSP_response_status_str(status), status);
839 basic_response = OCSP_response_get1_basic(resp);
843 debug_printf("OCSP response parse error: unable to extract basic response.\n");
847 store = SSL_CTX_get_cert_store(sctx);
848 verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
850 /* May need to expose ability to adjust those flags?
851 OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
852 OCSP_TRUSTOTHER OCSP_NOINTERN */
854 i = OCSP_basic_verify(basic_response, NULL, store, verify_flags);
858 ERR_error_string(ERR_get_error(), ssl_errstring);
859 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
864 /* Here's the simplifying assumption: there's only one response, for the
865 one certificate we use, and nothing for anything else in a chain. If this
866 proves false, we need to extract a cert id from our issued cert
867 (tls_certificate) and use that for OCSP_resp_find_status() (which finds the
868 right cert in the stack and then calls OCSP_single_get0_status()).
870 I'm hoping to avoid reworking a bunch more of how we handle state here. */
871 single_response = OCSP_resp_get0(basic_response, 0);
872 if (!single_response)
875 debug_printf("Unable to get first response from OCSP basic response.\n");
879 status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
880 if (status != V_OCSP_CERTSTATUS_GOOD)
882 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
883 OCSP_cert_status_str(status), status,
884 OCSP_crl_reason_str(reason), reason);
888 if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
890 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
895 cbinfo->u_ocsp.server.response = resp;
899 if (running_in_test_harness)
901 extern char ** environ;
903 if (environ) for (p = USS environ; *p != NULL; p++)
904 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
906 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
907 goto supply_response;
912 #endif /*!DISABLE_OCSP*/
917 /* Create and install a selfsigned certificate, for use in server mode */
920 tls_install_selfsign(SSL_CTX * sctx)
928 where = US"allocating pkey";
929 if (!(pkey = EVP_PKEY_new()))
932 where = US"allocating cert";
933 if (!(x509 = X509_new()))
936 where = US"generating pkey";
937 /* deprecated, use RSA_generate_key_ex() */
938 if (!(rsa = RSA_generate_key(1024, RSA_F4, NULL, NULL)))
941 where = US"assiging pkey";
942 if (!EVP_PKEY_assign_RSA(pkey, rsa))
945 X509_set_version(x509, 2); /* N+1 - version 3 */
946 ASN1_INTEGER_set(X509_get_serialNumber(x509), 0);
947 X509_gmtime_adj(X509_get_notBefore(x509), 0);
948 X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60); /* 1 hour */
949 X509_set_pubkey(x509, pkey);
951 name = X509_get_subject_name(x509);
952 X509_NAME_add_entry_by_txt(name, "C",
953 MBSTRING_ASC, "UK", -1, -1, 0);
954 X509_NAME_add_entry_by_txt(name, "O",
955 MBSTRING_ASC, "Exim Developers", -1, -1, 0);
956 X509_NAME_add_entry_by_txt(name, "CN",
957 MBSTRING_ASC, CS smtp_active_hostname, -1, -1, 0);
958 X509_set_issuer_name(x509, name);
960 where = US"signing cert";
961 if (!X509_sign(x509, pkey, EVP_md5()))
964 where = US"installing selfsign cert";
965 if (!SSL_CTX_use_certificate(sctx, x509))
968 where = US"installing selfsign key";
969 if (!SSL_CTX_use_PrivateKey(sctx, pkey))
975 (void) tls_error(where, NULL, NULL);
976 if (x509) X509_free(x509);
977 if (pkey) EVP_PKEY_free(pkey);
984 /*************************************************
985 * Expand key and cert file specs *
986 *************************************************/
988 /* Called once during tls_init and possibly again during TLS setup, for a
989 new context, if Server Name Indication was used and tls_sni was seen in
990 the certificate string.
993 sctx the SSL_CTX* to update
994 cbinfo various parts of session state
996 Returns: OK/DEFER/FAIL
1000 tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo)
1004 if (!cbinfo->certificate)
1006 if (cbinfo->host) /* client */
1009 if (tls_install_selfsign(sctx) != OK)
1014 if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
1015 Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
1016 Ustrstr(cbinfo->certificate, US"tls_out_sni")
1018 reexpand_tls_files_for_sni = TRUE;
1020 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded))
1023 if (expanded != NULL)
1025 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded);
1026 if (!SSL_CTX_use_certificate_chain_file(sctx, CS expanded))
1027 return tls_error(string_sprintf(
1028 "SSL_CTX_use_certificate_chain_file file=%s", expanded),
1029 cbinfo->host, NULL);
1032 if (cbinfo->privatekey != NULL &&
1033 !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded))
1036 /* If expansion was forced to fail, key_expanded will be NULL. If the result
1037 of the expansion is an empty string, ignore it also, and assume the private
1038 key is in the same file as the certificate. */
1040 if (expanded && *expanded)
1042 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
1043 if (!SSL_CTX_use_PrivateKey_file(sctx, CS expanded, SSL_FILETYPE_PEM))
1044 return tls_error(string_sprintf(
1045 "SSL_CTX_use_PrivateKey_file file=%s", expanded), cbinfo->host, NULL);
1049 #ifndef DISABLE_OCSP
1050 if (cbinfo->is_server && cbinfo->u_ocsp.server.file)
1052 if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded))
1055 if (expanded && *expanded)
1057 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
1058 if ( cbinfo->u_ocsp.server.file_expanded
1059 && (Ustrcmp(expanded, cbinfo->u_ocsp.server.file_expanded) == 0))
1061 DEBUG(D_tls) debug_printf(" - value unchanged, using existing values\n");
1065 ocsp_load_response(sctx, cbinfo, expanded);
1077 /*************************************************
1078 * Callback to handle SNI *
1079 *************************************************/
1081 /* Called when acting as server during the TLS session setup if a Server Name
1082 Indication extension was sent by the client.
1084 API documentation is OpenSSL s_server.c implementation.
1087 s SSL* of the current session
1088 ad unknown (part of OpenSSL API) (unused)
1089 arg Callback of "our" registered data
1091 Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
1094 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
1096 tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
1098 const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
1099 tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
1101 int old_pool = store_pool;
1104 return SSL_TLSEXT_ERR_OK;
1106 DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
1107 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
1109 /* Make the extension value available for expansion */
1110 store_pool = POOL_PERM;
1111 tls_in.sni = string_copy(US servername);
1112 store_pool = old_pool;
1114 if (!reexpand_tls_files_for_sni)
1115 return SSL_TLSEXT_ERR_OK;
1117 /* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
1118 not confident that memcpy wouldn't break some internal reference counting.
1119 Especially since there's a references struct member, which would be off. */
1121 if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
1123 ERR_error_string(ERR_get_error(), ssl_errstring);
1124 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
1125 return SSL_TLSEXT_ERR_NOACK;
1128 /* Not sure how many of these are actually needed, since SSL object
1129 already exists. Might even need this selfsame callback, for reneg? */
1131 SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
1132 SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
1133 SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
1134 SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
1135 SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
1136 SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
1138 if ( !init_dh(server_sni, cbinfo->dhparam, NULL)
1139 || !init_ecdh(server_sni, NULL)
1141 return SSL_TLSEXT_ERR_NOACK;
1143 if (cbinfo->server_cipher_list)
1144 SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list);
1145 #ifndef DISABLE_OCSP
1146 if (cbinfo->u_ocsp.server.file)
1148 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
1149 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
1153 rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE, verify_callback_server);
1154 if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
1156 /* do this after setup_certs, because this can require the certs for verifying
1157 OCSP information. */
1158 if ((rc = tls_expand_session_files(server_sni, cbinfo)) != OK)
1159 return SSL_TLSEXT_ERR_NOACK;
1161 DEBUG(D_tls) debug_printf("Switching SSL context.\n");
1162 SSL_set_SSL_CTX(s, server_sni);
1164 return SSL_TLSEXT_ERR_OK;
1166 #endif /* EXIM_HAVE_OPENSSL_TLSEXT */
1171 #ifndef DISABLE_OCSP
1173 /*************************************************
1174 * Callback to handle OCSP Stapling *
1175 *************************************************/
1177 /* Called when acting as server during the TLS session setup if the client
1178 requests OCSP information with a Certificate Status Request.
1180 Documentation via openssl s_server.c and the Apache patch from the OpenSSL
1186 tls_server_stapling_cb(SSL *s, void *arg)
1188 const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
1189 uschar *response_der;
1190 int response_der_len;
1193 debug_printf("Received TLS status request (OCSP stapling); %s response\n",
1194 cbinfo->u_ocsp.server.response ? "have" : "lack");
1196 tls_in.ocsp = OCSP_NOT_RESP;
1197 if (!cbinfo->u_ocsp.server.response)
1198 return SSL_TLSEXT_ERR_NOACK;
1200 response_der = NULL;
1201 response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response,
1203 if (response_der_len <= 0)
1204 return SSL_TLSEXT_ERR_NOACK;
1206 SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
1207 tls_in.ocsp = OCSP_VFIED;
1208 return SSL_TLSEXT_ERR_OK;
1213 time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
1215 BIO_printf(bp, "\t%s: ", str);
1216 ASN1_GENERALIZEDTIME_print(bp, time);
1221 tls_client_stapling_cb(SSL *s, void *arg)
1223 tls_ext_ctx_cb * cbinfo = arg;
1224 const unsigned char * p;
1226 OCSP_RESPONSE * rsp;
1227 OCSP_BASICRESP * bs;
1230 DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
1231 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1234 /* Expect this when we requested ocsp but got none */
1235 if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
1236 log_write(0, LOG_MAIN, "Received TLS status callback, null content");
1238 DEBUG(D_tls) debug_printf(" null\n");
1239 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1242 if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
1244 tls_out.ocsp = OCSP_FAILED;
1245 if (LOGGING(tls_cipher))
1246 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
1248 DEBUG(D_tls) debug_printf(" parse error\n");
1252 if(!(bs = OCSP_response_get1_basic(rsp)))
1254 tls_out.ocsp = OCSP_FAILED;
1255 if (LOGGING(tls_cipher))
1256 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
1258 DEBUG(D_tls) debug_printf(" error parsing response\n");
1259 OCSP_RESPONSE_free(rsp);
1263 /* We'd check the nonce here if we'd put one in the request. */
1264 /* However that would defeat cacheability on the server so we don't. */
1266 /* This section of code reworked from OpenSSL apps source;
1267 The OpenSSL Project retains copyright:
1268 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
1273 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1275 DEBUG(D_tls) bp = BIO_new_fp(stderr, BIO_NOCLOSE);
1277 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
1279 /* Use the chain that verified the server cert to verify the stapled info */
1280 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
1282 if ((i = OCSP_basic_verify(bs, NULL,
1283 cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
1285 tls_out.ocsp = OCSP_FAILED;
1286 if (LOGGING(tls_cipher))
1287 log_write(0, LOG_MAIN, "Received TLS cert status response, itself unverifiable");
1288 BIO_printf(bp, "OCSP response verify failure\n");
1289 ERR_print_errors(bp);
1293 BIO_printf(bp, "OCSP response well-formed and signed OK\n");
1295 /*XXX So we have a good stapled OCSP status. How do we know
1296 it is for the cert of interest? OpenSSL 1.1.0 has a routine
1297 OCSP_resp_find_status() which matches on a cert id, which presumably
1298 we should use. Making an id needs OCSP_cert_id_new(), which takes
1299 issuerName, issuerKey, serialNumber. Are they all in the cert?
1301 For now, carry on blindly accepting the resp. */
1304 OCSP_SINGLERESP * single;
1306 #ifdef EXIM_HAVE_OCSP_RESP_COUNT
1307 if (OCSP_resp_count(bs) != 1)
1309 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
1310 if (sk_OCSP_SINGLERESP_num(sresp) != 1)
1313 tls_out.ocsp = OCSP_FAILED;
1314 log_write(0, LOG_MAIN, "OCSP stapling "
1315 "with multiple responses not handled");
1318 single = OCSP_resp_get0(bs, 0);
1319 status = OCSP_single_get0_status(single, &reason, &rev,
1320 &thisupd, &nextupd);
1323 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
1324 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
1325 if (!OCSP_check_validity(thisupd, nextupd,
1326 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1328 tls_out.ocsp = OCSP_FAILED;
1329 DEBUG(D_tls) ERR_print_errors(bp);
1330 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
1334 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
1335 OCSP_cert_status_str(status));
1338 case V_OCSP_CERTSTATUS_GOOD:
1339 tls_out.ocsp = OCSP_VFIED;
1342 case V_OCSP_CERTSTATUS_REVOKED:
1343 tls_out.ocsp = OCSP_FAILED;
1344 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
1345 reason != -1 ? "; reason: " : "",
1346 reason != -1 ? OCSP_crl_reason_str(reason) : "");
1347 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
1350 tls_out.ocsp = OCSP_FAILED;
1351 log_write(0, LOG_MAIN,
1352 "Server certificate status unknown, in OCSP stapling");
1357 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1362 OCSP_RESPONSE_free(rsp);
1365 #endif /*!DISABLE_OCSP*/
1368 /*************************************************
1369 * Initialize for TLS *
1370 *************************************************/
1372 /* Called from both server and client code, to do preliminary initialization
1373 of the library. We allocate and return a context structure.
1376 ctxp returned SSL context
1377 host connected host, if client; NULL if server
1378 dhparam DH parameter file
1379 certificate certificate file
1380 privatekey private key
1381 ocsp_file file of stapling info (server); flag for require ocsp (client)
1382 addr address if client; NULL if server (for some randomness)
1383 cbp place to put allocated callback context
1385 Returns: OK/DEFER/FAIL
1389 tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
1391 #ifndef DISABLE_OCSP
1394 address_item *addr, tls_ext_ctx_cb ** cbp)
1399 tls_ext_ctx_cb * cbinfo;
1401 cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
1402 cbinfo->certificate = certificate;
1403 cbinfo->privatekey = privatekey;
1404 #ifndef DISABLE_OCSP
1405 if ((cbinfo->is_server = host==NULL))
1407 cbinfo->u_ocsp.server.file = ocsp_file;
1408 cbinfo->u_ocsp.server.file_expanded = NULL;
1409 cbinfo->u_ocsp.server.response = NULL;
1412 cbinfo->u_ocsp.client.verify_store = NULL;
1414 cbinfo->dhparam = dhparam;
1415 cbinfo->server_cipher_list = NULL;
1416 cbinfo->host = host;
1417 #ifndef DISABLE_EVENT
1418 cbinfo->event_action = NULL;
1421 SSL_load_error_strings(); /* basic set up */
1422 OpenSSL_add_ssl_algorithms();
1424 #ifdef EXIM_HAVE_SHA256
1425 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
1426 list of available digests. */
1427 EVP_add_digest(EVP_sha256());
1430 /* Create a context.
1431 The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
1432 negotiation in the different methods; as far as I can tell, the only
1433 *_{server,client}_method which allows negotiation is SSLv23, which exists even
1434 when OpenSSL is built without SSLv2 support.
1435 By disabling with openssl_options, we can let admins re-enable with the
1438 *ctxp = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method());
1440 if (!*ctxp) return tls_error(US"SSL_CTX_new", host, NULL);
1442 /* It turns out that we need to seed the random number generator this early in
1443 order to get the full complement of ciphers to work. It took me roughly a day
1444 of work to discover this by experiment.
1446 On systems that have /dev/urandom, SSL may automatically seed itself from
1447 there. Otherwise, we have to make something up as best we can. Double check
1453 gettimeofday(&r.tv, NULL);
1456 RAND_seed((uschar *)(&r), sizeof(r));
1457 RAND_seed((uschar *)big_buffer, big_buffer_size);
1458 if (addr != NULL) RAND_seed((uschar *)addr, sizeof(addr));
1461 return tls_error(US"RAND_status", host,
1462 US"unable to seed random number generator");
1465 /* Set up the information callback, which outputs if debugging is at a suitable
1468 DEBUG(D_tls) SSL_CTX_set_info_callback(*ctxp, (void (*)())info_callback);
1470 /* Automatically re-try reads/writes after renegotiation. */
1471 (void) SSL_CTX_set_mode(*ctxp, SSL_MODE_AUTO_RETRY);
1473 /* Apply administrator-supplied work-arounds.
1474 Historically we applied just one requested option,
1475 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
1476 moved to an administrator-controlled list of options to specify and
1477 grandfathered in the first one as the default value for "openssl_options".
1479 No OpenSSL version number checks: the options we accept depend upon the
1480 availability of the option value macros from OpenSSL. */
1482 okay = tls_openssl_options_parse(openssl_options, &init_options);
1484 return tls_error(US"openssl_options parsing failed", host, NULL);
1488 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
1489 if (!(SSL_CTX_set_options(*ctxp, init_options)))
1490 return tls_error(string_sprintf(
1491 "SSL_CTX_set_option(%#lx)", init_options), host, NULL);
1494 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
1496 /* Initialize with DH parameters if supplied */
1497 /* Initialize ECDH temp key parameter selection */
1499 if ( !init_dh(*ctxp, dhparam, host)
1500 || !init_ecdh(*ctxp, host)
1504 /* Set up certificate and key (and perhaps OCSP info) */
1506 if ((rc = tls_expand_session_files(*ctxp, cbinfo)) != OK)
1509 /* If we need to handle SNI, do so */
1510 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
1511 if (host == NULL) /* server */
1513 # ifndef DISABLE_OCSP
1514 /* We check u_ocsp.server.file, not server.response, because we care about if
1515 the option exists, not what the current expansion might be, as SNI might
1516 change the certificate and OCSP file in use between now and the time the
1517 callback is invoked. */
1518 if (cbinfo->u_ocsp.server.file)
1520 SSL_CTX_set_tlsext_status_cb(server_ctx, tls_server_stapling_cb);
1521 SSL_CTX_set_tlsext_status_arg(server_ctx, cbinfo);
1524 /* We always do this, so that $tls_sni is available even if not used in
1526 SSL_CTX_set_tlsext_servername_callback(*ctxp, tls_servername_cb);
1527 SSL_CTX_set_tlsext_servername_arg(*ctxp, cbinfo);
1529 # ifndef DISABLE_OCSP
1531 if(ocsp_file) /* wanting stapling */
1533 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
1535 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
1538 SSL_CTX_set_tlsext_status_cb(*ctxp, tls_client_stapling_cb);
1539 SSL_CTX_set_tlsext_status_arg(*ctxp, cbinfo);
1544 cbinfo->verify_cert_hostnames = NULL;
1546 #ifdef EXIM_HAVE_EPHEM_RSA_KEX
1547 /* Set up the RSA callback */
1548 SSL_CTX_set_tmp_rsa_callback(*ctxp, rsa_callback);
1551 /* Finally, set the timeout, and we are done */
1553 SSL_CTX_set_timeout(*ctxp, ssl_session_timeout);
1554 DEBUG(D_tls) debug_printf("Initialized TLS\n");
1564 /*************************************************
1565 * Get name of cipher in use *
1566 *************************************************/
1569 Argument: pointer to an SSL structure for the connection
1570 buffer to use for answer
1572 pointer to number of bits for cipher
1577 construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits)
1579 /* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't
1580 yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
1581 the accessor functions use const in the prototype. */
1582 const SSL_CIPHER *c;
1585 ver = (const uschar *)SSL_get_version(ssl);
1587 c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
1588 SSL_CIPHER_get_bits(c, bits);
1590 string_format(cipherbuf, bsize, "%s:%s:%u", ver,
1591 SSL_CIPHER_get_name(c), *bits);
1593 DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
1598 peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned bsize)
1600 /*XXX we might consider a list-of-certs variable for the cert chain.
1601 SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
1602 in list-handling functions, also consider the difference between the entire
1603 chain and the elements sent by the peer. */
1605 /* Will have already noted peercert on a verify fail; possibly not the leaf */
1606 if (!tlsp->peercert)
1607 tlsp->peercert = SSL_get_peer_certificate(ssl);
1608 /* Beware anonymous ciphers which lead to server_cert being NULL */
1611 X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, bsize);
1612 peerdn[bsize-1] = '\0';
1613 tlsp->peerdn = peerdn; /*XXX a static buffer... */
1616 tlsp->peerdn = NULL;
1623 /*************************************************
1624 * Set up for verifying certificates *
1625 *************************************************/
1627 /* Called by both client and server startup
1630 sctx SSL_CTX* to initialise
1631 certs certs file or NULL
1632 crl CRL file or NULL
1633 host NULL in a server; the remote host in a client
1634 optional TRUE if called from a server for a host in tls_try_verify_hosts;
1635 otherwise passed as FALSE
1636 cert_vfy_cb Callback function for certificate verification
1638 Returns: OK/DEFER/FAIL
1642 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
1643 int (*cert_vfy_cb)(int, X509_STORE_CTX *) )
1645 uschar *expcerts, *expcrl;
1647 if (!expand_check(certs, US"tls_verify_certificates", &expcerts))
1650 if (expcerts && *expcerts)
1652 /* Tell the library to use its compiled-in location for the system default
1653 CA bundle. Then add the ones specified in the config, if any. */
1655 if (!SSL_CTX_set_default_verify_paths(sctx))
1656 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
1658 if (Ustrcmp(expcerts, "system") != 0)
1660 struct stat statbuf;
1662 if (Ustat(expcerts, &statbuf) < 0)
1664 log_write(0, LOG_MAIN|LOG_PANIC,
1665 "failed to stat %s for certificates", expcerts);
1671 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
1672 { file = NULL; dir = expcerts; }
1674 { file = expcerts; dir = NULL; }
1676 /* If a certificate file is empty, the next function fails with an
1677 unhelpful error message. If we skip it, we get the correct behaviour (no
1678 certificates are recognized, but the error message is still misleading (it
1679 says no certificate was supplied.) But this is better. */
1681 if ( (!file || statbuf.st_size > 0)
1682 && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
1683 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL);
1685 /* Load the list of CAs for which we will accept certs, for sending
1686 to the client. This is only for the one-file tls_verify_certificates
1688 If a list isn't loaded into the server, but
1689 some verify locations are set, the server end appears to make
1690 a wildcard reqest for client certs.
1691 Meanwhile, the client library as default behaviour *ignores* the list
1692 we send over the wire - see man SSL_CTX_set_client_cert_cb.
1693 Because of this, and that the dir variant is likely only used for
1694 the public-CA bundle (not for a private CA), not worth fixing.
1698 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
1700 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
1701 sk_X509_NAME_num(names));
1702 SSL_CTX_set_client_CA_list(sctx, names);
1707 /* Handle a certificate revocation list. */
1709 #if OPENSSL_VERSION_NUMBER > 0x00907000L
1711 /* This bit of code is now the version supplied by Lars Mainka. (I have
1712 merely reformatted it into the Exim code style.)
1714 "From here I changed the code to add support for multiple crl's
1715 in pem format in one file or to support hashed directory entries in
1716 pem format instead of a file. This method now uses the library function
1717 X509_STORE_load_locations to add the CRL location to the SSL context.
1718 OpenSSL will then handle the verify against CA certs and CRLs by
1719 itself in the verify callback." */
1721 if (!expand_check(crl, US"tls_crl", &expcrl)) return DEFER;
1722 if (expcrl && *expcrl)
1724 struct stat statbufcrl;
1725 if (Ustat(expcrl, &statbufcrl) < 0)
1727 log_write(0, LOG_MAIN|LOG_PANIC,
1728 "failed to stat %s for certificates revocation lists", expcrl);
1733 /* is it a file or directory? */
1735 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
1736 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
1740 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
1746 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
1748 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
1749 return tls_error(US"X509_STORE_load_locations", host, NULL);
1751 /* setting the flags to check against the complete crl chain */
1753 X509_STORE_set_flags(cvstore,
1754 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
1758 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
1760 /* If verification is optional, don't fail if no certificate */
1762 SSL_CTX_set_verify(sctx,
1763 SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
1772 /*************************************************
1773 * Start a TLS session in a server *
1774 *************************************************/
1776 /* This is called when Exim is running as a server, after having received
1777 the STARTTLS command. It must respond to that command, and then negotiate
1781 require_ciphers allowed ciphers
1783 Returns: OK on success
1784 DEFER for errors before the start of the negotiation
1785 FAIL for errors during the negotation; the server can't
1790 tls_server_start(const uschar *require_ciphers)
1794 tls_ext_ctx_cb *cbinfo;
1795 static uschar peerdn[256];
1796 static uschar cipherbuf[256];
1798 /* Check for previous activation */
1800 if (tls_in.active >= 0)
1802 tls_error(US"STARTTLS received after TLS started", NULL, US"");
1803 smtp_printf("554 Already in TLS\r\n");
1807 /* Initialize the SSL library. If it fails, it will already have logged
1810 rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
1811 #ifndef DISABLE_OCSP
1814 NULL, &server_static_cbinfo);
1815 if (rc != OK) return rc;
1816 cbinfo = server_static_cbinfo;
1818 if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
1821 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
1822 were historically separated by underscores. So that I can use either form in my
1823 tests, and also for general convenience, we turn underscores into hyphens here.
1826 if (expciphers != NULL)
1828 uschar *s = expciphers;
1829 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1830 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
1831 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
1832 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL);
1833 cbinfo->server_cipher_list = expciphers;
1836 /* If this is a host for which certificate verification is mandatory or
1837 optional, set up appropriately. */
1839 tls_in.certificate_verified = FALSE;
1840 #ifdef EXPERIMENTAL_DANE
1841 tls_in.dane_verified = FALSE;
1843 server_verify_callback_called = FALSE;
1845 if (verify_check_host(&tls_verify_hosts) == OK)
1847 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
1848 FALSE, verify_callback_server);
1849 if (rc != OK) return rc;
1850 server_verify_optional = FALSE;
1852 else if (verify_check_host(&tls_try_verify_hosts) == OK)
1854 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
1855 TRUE, verify_callback_server);
1856 if (rc != OK) return rc;
1857 server_verify_optional = TRUE;
1860 /* Prepare for new connection */
1862 if ((server_ssl = SSL_new(server_ctx)) == NULL) return tls_error(US"SSL_new", NULL, NULL);
1864 /* Warning: we used to SSL_clear(ssl) here, it was removed.
1866 * With the SSL_clear(), we get strange interoperability bugs with
1867 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
1868 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
1870 * The SSL_clear() call is to let an existing SSL* be reused, typically after
1871 * session shutdown. In this case, we have a brand new object and there's no
1872 * obvious reason to immediately clear it. I'm guessing that this was
1873 * originally added because of incomplete initialisation which the clear fixed,
1874 * in some historic release.
1877 /* Set context and tell client to go ahead, except in the case of TLS startup
1878 on connection, where outputting anything now upsets the clients and tends to
1879 make them disconnect. We need to have an explicit fflush() here, to force out
1880 the response. Other smtp_printf() calls do not need it, because in non-TLS
1881 mode, the fflush() happens when smtp_getc() is called. */
1883 SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
1884 if (!tls_in.on_connect)
1886 smtp_printf("220 TLS go ahead\r\n");
1890 /* Now negotiate the TLS session. We put our own timer on it, since it seems
1891 that the OpenSSL library doesn't. */
1893 SSL_set_wfd(server_ssl, fileno(smtp_out));
1894 SSL_set_rfd(server_ssl, fileno(smtp_in));
1895 SSL_set_accept_state(server_ssl);
1897 DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
1899 sigalrm_seen = FALSE;
1900 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
1901 rc = SSL_accept(server_ssl);
1906 tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL);
1907 if (ERR_get_error() == 0)
1908 log_write(0, LOG_MAIN,
1909 "TLS client disconnected cleanly (rejected our certificate?)");
1913 DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
1915 /* TLS has been set up. Adjust the input functions to read via TLS,
1916 and initialize things. */
1918 peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
1920 construct_cipher_name(server_ssl, cipherbuf, sizeof(cipherbuf), &tls_in.bits);
1921 tls_in.cipher = cipherbuf;
1926 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)) != NULL)
1927 debug_printf("Shared ciphers: %s\n", buf);
1930 /* Record the certificate we presented */
1932 X509 * crt = SSL_get_certificate(server_ssl);
1933 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
1936 /* Only used by the server-side tls (tls_in), including tls_getc.
1937 Client-side (tls_out) reads (seem to?) go via
1938 smtp_read_response()/ip_recv().
1939 Hence no need to duplicate for _in and _out.
1941 ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
1942 ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
1943 ssl_xfer_eof = ssl_xfer_error = 0;
1945 receive_getc = tls_getc;
1946 receive_ungetc = tls_ungetc;
1947 receive_feof = tls_feof;
1948 receive_ferror = tls_ferror;
1949 receive_smtp_buffered = tls_smtp_buffered;
1951 tls_in.active = fileno(smtp_out);
1959 tls_client_basic_ctx_init(SSL_CTX * ctx,
1960 host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo
1964 /* stick to the old behaviour for compatibility if tls_verify_certificates is
1965 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
1966 the specified host patterns if one of them is defined */
1968 if ( ( !ob->tls_verify_hosts
1969 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
1971 || (verify_check_given_host(&ob->tls_verify_hosts, host) == OK)
1973 client_verify_optional = FALSE;
1974 else if (verify_check_given_host(&ob->tls_try_verify_hosts, host) == OK)
1975 client_verify_optional = TRUE;
1979 if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
1980 ob->tls_crl, host, client_verify_optional, verify_callback_client)) != OK)
1983 if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK)
1985 cbinfo->verify_cert_hostnames =
1987 string_domain_utf8_to_alabel(host->name, NULL);
1991 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
1992 cbinfo->verify_cert_hostnames);
1998 #ifdef EXPERIMENTAL_DANE
2000 dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa)
2004 const char * hostnames[2] = { CS host->name, NULL };
2007 if (DANESSL_init(ssl, NULL, hostnames) != 1)
2008 return tls_error(US"hostnames load", host, NULL);
2010 for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
2012 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
2013 ) if (rr->type == T_TLSA)
2015 uschar * p = rr->data;
2016 uint8_t usage, selector, mtype;
2017 const char * mdname;
2021 /* Only DANE-TA(2) and DANE-EE(3) are supported */
2022 if (usage != 2 && usage != 3) continue;
2029 default: continue; /* Only match-types 0, 1, 2 are supported */
2030 case 0: mdname = NULL; break;
2031 case 1: mdname = "sha256"; break;
2032 case 2: mdname = "sha512"; break;
2036 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
2039 return tls_error(US"tlsa load", host, NULL);
2040 case 0: /* action not taken */
2044 tls_out.tlsa_usage |= 1<<usage;
2050 log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
2053 #endif /*EXPERIMENTAL_DANE*/
2057 /*************************************************
2058 * Start a TLS session in a client *
2059 *************************************************/
2061 /* Called from the smtp transport after STARTTLS has been accepted.
2064 fd the fd of the connection
2065 host connected host (for messages)
2066 addr the first address
2067 tb transport (always smtp)
2068 tlsa_dnsa tlsa lookup, if DANE, else null
2070 Returns: OK on success
2071 FAIL otherwise - note that tls_error() will not give DEFER
2072 because this is not a server
2076 tls_client_start(int fd, host_item *host, address_item *addr,
2077 transport_instance *tb
2078 #ifdef EXPERIMENTAL_DANE
2079 , dns_answer * tlsa_dnsa
2083 smtp_transport_options_block * ob =
2084 (smtp_transport_options_block *)tb->options_block;
2085 static uschar peerdn[256];
2086 uschar * expciphers;
2088 static uschar cipherbuf[256];
2090 #ifndef DISABLE_OCSP
2091 BOOL request_ocsp = FALSE;
2092 BOOL require_ocsp = FALSE;
2095 #ifdef EXPERIMENTAL_DANE
2096 tls_out.tlsa_usage = 0;
2099 #ifndef DISABLE_OCSP
2101 # ifdef EXPERIMENTAL_DANE
2103 && ob->hosts_request_ocsp[0] == '*'
2104 && ob->hosts_request_ocsp[1] == '\0'
2107 /* Unchanged from default. Use a safer one under DANE */
2108 request_ocsp = TRUE;
2109 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
2110 " {= {4}{$tls_out_tlsa_usage}} } "
2116 verify_check_given_host(&ob->hosts_require_ocsp, host) == OK))
2117 request_ocsp = TRUE;
2119 # ifdef EXPERIMENTAL_DANE
2123 verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
2127 rc = tls_init(&client_ctx, host, NULL,
2128 ob->tls_certificate, ob->tls_privatekey,
2129 #ifndef DISABLE_OCSP
2130 (void *)(long)request_ocsp,
2132 addr, &client_static_cbinfo);
2133 if (rc != OK) return rc;
2135 tls_out.certificate_verified = FALSE;
2136 client_verify_callback_called = FALSE;
2138 if (!expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
2142 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
2143 are separated by underscores. So that I can use either form in my tests, and
2144 also for general convenience, we turn underscores into hyphens here. */
2146 if (expciphers != NULL)
2148 uschar *s = expciphers;
2149 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
2150 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
2151 if (!SSL_CTX_set_cipher_list(client_ctx, CS expciphers))
2152 return tls_error(US"SSL_CTX_set_cipher_list", host, NULL);
2155 #ifdef EXPERIMENTAL_DANE
2158 SSL_CTX_set_verify(client_ctx,
2159 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2160 verify_callback_client_dane);
2162 if (!DANESSL_library_init())
2163 return tls_error(US"library init", host, NULL);
2164 if (DANESSL_CTX_init(client_ctx) <= 0)
2165 return tls_error(US"context init", host, NULL);
2171 if ((rc = tls_client_basic_ctx_init(client_ctx, host, ob, client_static_cbinfo))
2175 if ((client_ssl = SSL_new(client_ctx)) == NULL)
2176 return tls_error(US"SSL_new", host, NULL);
2177 SSL_set_session_id_context(client_ssl, sid_ctx, Ustrlen(sid_ctx));
2178 SSL_set_fd(client_ssl, fd);
2179 SSL_set_connect_state(client_ssl);
2183 if (!expand_check(ob->tls_sni, US"tls_sni", &tls_out.sni))
2185 if (tls_out.sni == NULL)
2187 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
2189 else if (!Ustrlen(tls_out.sni))
2193 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
2194 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tls_out.sni);
2195 SSL_set_tlsext_host_name(client_ssl, tls_out.sni);
2197 log_write(0, LOG_MAIN, "SNI unusable with this OpenSSL library version; ignoring \"%s\"\n",
2203 #ifdef EXPERIMENTAL_DANE
2205 if ((rc = dane_tlsa_load(client_ssl, host, tlsa_dnsa)) != OK)
2209 #ifndef DISABLE_OCSP
2210 /* Request certificate status at connection-time. If the server
2211 does OCSP stapling we will get the callback (set in tls_init()) */
2212 # ifdef EXPERIMENTAL_DANE
2216 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
2217 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
2219 { /* Re-eval now $tls_out_tlsa_usage is populated. If
2220 this means we avoid the OCSP request, we wasted the setup
2221 cost in tls_init(). */
2222 require_ocsp = verify_check_given_host(&ob->hosts_require_ocsp, host) == OK;
2223 request_ocsp = require_ocsp
2224 || verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
2231 SSL_set_tlsext_status_type(client_ssl, TLSEXT_STATUSTYPE_ocsp);
2232 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
2233 tls_out.ocsp = OCSP_NOT_RESP;
2237 #ifndef DISABLE_EVENT
2238 client_static_cbinfo->event_action = tb->event_action;
2241 /* There doesn't seem to be a built-in timeout on connection. */
2243 DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
2244 sigalrm_seen = FALSE;
2245 alarm(ob->command_timeout);
2246 rc = SSL_connect(client_ssl);
2249 #ifdef EXPERIMENTAL_DANE
2251 DANESSL_cleanup(client_ssl);
2255 return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL);
2257 DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
2259 peer_cert(client_ssl, &tls_out, peerdn, sizeof(peerdn));
2261 construct_cipher_name(client_ssl, cipherbuf, sizeof(cipherbuf), &tls_out.bits);
2262 tls_out.cipher = cipherbuf;
2264 /* Record the certificate we presented */
2266 X509 * crt = SSL_get_certificate(client_ssl);
2267 tls_out.ourcert = crt ? X509_dup(crt) : NULL;
2270 tls_out.active = fd;
2278 /*************************************************
2279 * TLS version of getc *
2280 *************************************************/
2282 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
2283 it refills the buffer via the SSL reading function.
2286 Returns: the next character or EOF
2288 Only used by the server-side TLS.
2294 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
2299 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
2300 ssl_xfer_buffer, ssl_xfer_buffer_size);
2302 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
2303 inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer, ssl_xfer_buffer_size);
2304 error = SSL_get_error(server_ssl, inbytes);
2307 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
2308 closed down, not that the socket itself has been closed down. Revert to
2309 non-SSL handling. */
2311 if (error == SSL_ERROR_ZERO_RETURN)
2313 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2315 receive_getc = smtp_getc;
2316 receive_ungetc = smtp_ungetc;
2317 receive_feof = smtp_feof;
2318 receive_ferror = smtp_ferror;
2319 receive_smtp_buffered = smtp_buffered;
2321 SSL_free(server_ssl);
2325 tls_in.cipher = NULL;
2326 tls_in.peerdn = NULL;
2332 /* Handle genuine errors */
2334 else if (error == SSL_ERROR_SSL)
2336 ERR_error_string(ERR_get_error(), ssl_errstring);
2337 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
2342 else if (error != SSL_ERROR_NONE)
2344 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
2349 #ifndef DISABLE_DKIM
2350 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
2352 ssl_xfer_buffer_hwm = inbytes;
2353 ssl_xfer_buffer_lwm = 0;
2356 /* Something in the buffer; return next uschar */
2358 return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
2363 /*************************************************
2364 * Read bytes from TLS channel *
2365 *************************************************/
2372 Returns: the number of bytes read
2373 -1 after a failed read
2375 Only used by the client-side TLS.
2379 tls_read(BOOL is_server, uschar *buff, size_t len)
2381 SSL *ssl = is_server ? server_ssl : client_ssl;
2385 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
2386 buff, (unsigned int)len);
2388 inbytes = SSL_read(ssl, CS buff, len);
2389 error = SSL_get_error(ssl, inbytes);
2391 if (error == SSL_ERROR_ZERO_RETURN)
2393 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2396 else if (error != SSL_ERROR_NONE)
2408 /*************************************************
2409 * Write bytes down TLS channel *
2410 *************************************************/
2414 is_server channel specifier
2418 Returns: the number of bytes after a successful write,
2419 -1 after a failed write
2421 Used by both server-side and client-side TLS.
2425 tls_write(BOOL is_server, const uschar *buff, size_t len)
2430 SSL *ssl = is_server ? server_ssl : client_ssl;
2432 DEBUG(D_tls) debug_printf("tls_do_write(%p, %d)\n", buff, left);
2435 DEBUG(D_tls) debug_printf("SSL_write(SSL, %p, %d)\n", buff, left);
2436 outbytes = SSL_write(ssl, CS buff, left);
2437 error = SSL_get_error(ssl, outbytes);
2438 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
2442 ERR_error_string(ERR_get_error(), ssl_errstring);
2443 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
2446 case SSL_ERROR_NONE:
2451 case SSL_ERROR_ZERO_RETURN:
2452 log_write(0, LOG_MAIN, "SSL channel closed on write");
2455 case SSL_ERROR_SYSCALL:
2456 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
2457 sender_fullhost ? sender_fullhost : US"<unknown>",
2462 log_write(0, LOG_MAIN, "SSL_write error %d", error);
2471 /*************************************************
2472 * Close down a TLS session *
2473 *************************************************/
2475 /* This is also called from within a delivery subprocess forked from the
2476 daemon, to shut down the TLS library, without actually doing a shutdown (which
2477 would tamper with the SSL session in the parent process).
2479 Arguments: TRUE if SSL_shutdown is to be called
2482 Used by both server-side and client-side TLS.
2486 tls_close(BOOL is_server, BOOL shutdown)
2488 SSL **sslp = is_server ? &server_ssl : &client_ssl;
2489 int *fdp = is_server ? &tls_in.active : &tls_out.active;
2491 if (*fdp < 0) return; /* TLS was not active */
2495 DEBUG(D_tls) debug_printf("tls_close(): shutting down SSL\n");
2496 SSL_shutdown(*sslp);
2508 /*************************************************
2509 * Let tls_require_ciphers be checked at startup *
2510 *************************************************/
2512 /* The tls_require_ciphers option, if set, must be something which the
2515 Returns: NULL on success, or error message
2519 tls_validate_require_cipher(void)
2522 uschar *s, *expciphers, *err;
2524 /* this duplicates from tls_init(), we need a better "init just global
2525 state, for no specific purpose" singleton function of our own */
2527 SSL_load_error_strings();
2528 OpenSSL_add_ssl_algorithms();
2529 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
2530 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
2531 list of available digests. */
2532 EVP_add_digest(EVP_sha256());
2535 if (!(tls_require_ciphers && *tls_require_ciphers))
2538 if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers))
2539 return US"failed to expand tls_require_ciphers";
2541 if (!(expciphers && *expciphers))
2544 /* normalisation ripped from above */
2546 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
2550 ctx = SSL_CTX_new(SSLv23_server_method());
2553 ERR_error_string(ERR_get_error(), ssl_errstring);
2554 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
2558 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
2560 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
2562 ERR_error_string(ERR_get_error(), ssl_errstring);
2563 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed", expciphers);
2574 /*************************************************
2575 * Report the library versions. *
2576 *************************************************/
2578 /* There have historically been some issues with binary compatibility in
2579 OpenSSL libraries; if Exim (like many other applications) is built against
2580 one version of OpenSSL but the run-time linker picks up another version,
2581 it can result in serious failures, including crashing with a SIGSEGV. So
2582 report the version found by the compiler and the run-time version.
2584 Note: some OS vendors backport security fixes without changing the version
2585 number/string, and the version date remains unchanged. The _build_ date
2586 will change, so we can more usefully assist with version diagnosis by also
2587 reporting the build date.
2589 Arguments: a FILE* to print the results to
2594 tls_version_report(FILE *f)
2596 fprintf(f, "Library version: OpenSSL: Compile: %s\n"
2599 OPENSSL_VERSION_TEXT,
2600 SSLeay_version(SSLEAY_VERSION),
2601 SSLeay_version(SSLEAY_BUILT_ON));
2602 /* third line is 38 characters for the %s and the line is 73 chars long;
2603 the OpenSSL output includes a "built on: " prefix already. */
2609 /*************************************************
2610 * Random number generation *
2611 *************************************************/
2613 /* Pseudo-random number generation. The result is not expected to be
2614 cryptographically strong but not so weak that someone will shoot themselves
2615 in the foot using it as a nonce in input in some email header scheme or
2616 whatever weirdness they'll twist this into. The result should handle fork()
2617 and avoid repeating sequences. OpenSSL handles that for us.
2621 Returns a random number in range [0, max-1]
2625 vaguely_random_number(int max)
2629 static pid_t pidlast = 0;
2632 uschar smallbuf[sizeof(r)];
2638 if (pidnow != pidlast)
2640 /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
2641 is unique for each thread", this doesn't apparently apply across processes,
2642 so our own warning from vaguely_random_number_fallback() applies here too.
2643 Fix per PostgreSQL. */
2649 /* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
2653 gettimeofday(&r.tv, NULL);
2656 RAND_seed((uschar *)(&r), sizeof(r));
2658 /* We're after pseudo-random, not random; if we still don't have enough data
2659 in the internal PRNG then our options are limited. We could sleep and hope
2660 for entropy to come along (prayer technique) but if the system is so depleted
2661 in the first place then something is likely to just keep taking it. Instead,
2662 we'll just take whatever little bit of pseudo-random we can still manage to
2665 needed_len = sizeof(r);
2666 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
2667 asked for a number less than 10. */
2668 for (r = max, i = 0; r; ++i)
2674 #ifdef EXIM_HAVE_RAND_PSEUDO
2675 /* We do not care if crypto-strong */
2676 i = RAND_pseudo_bytes(smallbuf, needed_len);
2678 i = RAND_bytes(smallbuf, needed_len);
2684 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
2685 return vaguely_random_number_fallback(max);
2689 for (p = smallbuf; needed_len; --needed_len, ++p)
2695 /* We don't particularly care about weighted results; if someone wants
2696 smooth distribution and cares enough then they should submit a patch then. */
2703 /*************************************************
2704 * OpenSSL option parse *
2705 *************************************************/
2707 /* Parse one option for tls_openssl_options_parse below
2710 name one option name
2711 value place to store a value for it
2712 Returns success or failure in parsing
2715 struct exim_openssl_option {
2719 /* We could use a macro to expand, but we need the ifdef and not all the
2720 options document which version they were introduced in. Policylet: include
2721 all options unless explicitly for DTLS, let the administrator choose which
2724 This list is current as of:
2726 Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
2728 static struct exim_openssl_option exim_openssl_options[] = {
2729 /* KEEP SORTED ALPHABETICALLY! */
2731 { US"all", SSL_OP_ALL },
2733 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
2734 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
2736 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
2737 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
2739 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
2740 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
2742 #ifdef SSL_OP_EPHEMERAL_RSA
2743 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
2745 #ifdef SSL_OP_LEGACY_SERVER_CONNECT
2746 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
2748 #ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
2749 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
2751 #ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
2752 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
2754 #ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
2755 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
2757 #ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
2758 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
2760 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
2761 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
2763 #ifdef SSL_OP_NO_COMPRESSION
2764 { US"no_compression", SSL_OP_NO_COMPRESSION },
2766 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
2767 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
2769 #ifdef SSL_OP_NO_SSLv2
2770 { US"no_sslv2", SSL_OP_NO_SSLv2 },
2772 #ifdef SSL_OP_NO_SSLv3
2773 { US"no_sslv3", SSL_OP_NO_SSLv3 },
2775 #ifdef SSL_OP_NO_TICKET
2776 { US"no_ticket", SSL_OP_NO_TICKET },
2778 #ifdef SSL_OP_NO_TLSv1
2779 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
2781 #ifdef SSL_OP_NO_TLSv1_1
2782 #if SSL_OP_NO_TLSv1_1 == 0x00000400L
2783 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
2784 #warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
2786 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
2789 #ifdef SSL_OP_NO_TLSv1_2
2790 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
2792 #ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
2793 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
2795 #ifdef SSL_OP_SINGLE_DH_USE
2796 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
2798 #ifdef SSL_OP_SINGLE_ECDH_USE
2799 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
2801 #ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
2802 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
2804 #ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
2805 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
2807 #ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
2808 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
2810 #ifdef SSL_OP_TLS_D5_BUG
2811 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
2813 #ifdef SSL_OP_TLS_ROLLBACK_BUG
2814 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
2817 static int exim_openssl_options_size =
2818 sizeof(exim_openssl_options)/sizeof(struct exim_openssl_option);
2822 tls_openssl_one_option_parse(uschar *name, long *value)
2825 int last = exim_openssl_options_size;
2826 while (last > first)
2828 int middle = (first + last)/2;
2829 int c = Ustrcmp(name, exim_openssl_options[middle].name);
2832 *value = exim_openssl_options[middle].value;
2846 /*************************************************
2847 * OpenSSL option parsing logic *
2848 *************************************************/
2850 /* OpenSSL has a number of compatibility options which an administrator might
2851 reasonably wish to set. Interpret a list similarly to decode_bits(), so that
2852 we look like log_selector.
2855 option_spec the administrator-supplied string of options
2856 results ptr to long storage for the options bitmap
2857 Returns success or failure
2861 tls_openssl_options_parse(uschar *option_spec, long *results)
2866 BOOL adding, item_parsed;
2869 /* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
2870 * from default because it increases BEAST susceptibility. */
2871 #ifdef SSL_OP_NO_SSLv2
2872 result |= SSL_OP_NO_SSLv2;
2874 #ifdef SSL_OP_SINGLE_DH_USE
2875 result |= SSL_OP_SINGLE_DH_USE;
2878 if (option_spec == NULL)
2884 for (s=option_spec; *s != '\0'; /**/)
2886 while (isspace(*s)) ++s;
2889 if (*s != '+' && *s != '-')
2891 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
2892 "+ or - expected but found \"%s\"\n", s);
2895 adding = *s++ == '+';
2896 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
2899 item_parsed = tls_openssl_one_option_parse(s, &item);
2903 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
2906 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
2907 adding ? "adding" : "removing", result, item, s);
2921 /* End of tls-openssl.c */
git://git.exim.org / exim.git / blob