1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) The Exim Maintainers 2020 - 2022 */
6 /* Copyright (c) University of Cambridge 1995 - 2019 */
7 /* See the file NOTICE for conditions of use and distribution. */
8 /* SPDX-License-Identifier: GPL-2.0-or-later */
10 /* Portions Copyright (c) The OpenSSL Project 1999 */
12 /* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
13 library. It is #included into the tls.c file when that library is used. The
14 code herein is based on a patch that was originally contributed by Steve
15 Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
17 No cryptographic code is included in Exim. All this module does is to call
18 functions from the OpenSSL library. */
23 #include <openssl/lhash.h>
24 #include <openssl/ssl.h>
25 #include <openssl/err.h>
26 #include <openssl/rand.h>
27 #ifndef OPENSSL_NO_ECDH
28 # include <openssl/ec.h>
31 # include <openssl/ocsp.h>
39 # define EXIM_OCSP_SKEW_SECONDS (300L)
40 # define EXIM_OCSP_MAX_AGE (-1L)
43 #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
44 # define EXIM_HAVE_OPENSSL_TLSEXT
46 #if OPENSSL_VERSION_NUMBER >= 0x00908000L
47 # define EXIM_HAVE_RSA_GENKEY_EX
49 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
50 # define EXIM_HAVE_OCSP_RESP_COUNT
51 # define OPENSSL_AUTO_SHA256
52 # define OPENSSL_MIN_PROTO_VERSION
54 # define EXIM_HAVE_EPHEM_RSA_KEX
55 # define EXIM_HAVE_RAND_PSEUDO
57 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
58 # define EXIM_HAVE_SHA256
61 /* X509_check_host provides sane certificate hostname checking, but was added
62 to OpenSSL late, after other projects forked off the code-base. So in
63 addition to guarding against the base version number, beware that LibreSSL
64 does not (at this time) support this function.
66 If LibreSSL gains a different API, perhaps via libtls, then we'll probably
67 opt to disentangle and ask a LibreSSL user to provide glue for a third
68 crypto provider for libtls instead of continuing to tie the OpenSSL glue
69 into even twistier knots. If LibreSSL gains the same API, we can just
70 change this guard and punt the issue for a while longer. */
72 #ifndef LIBRESSL_VERSION_NUMBER
73 # if OPENSSL_VERSION_NUMBER >= 0x010100000L
74 # define EXIM_HAVE_OPENSSL_CHECKHOST
75 # define EXIM_HAVE_OPENSSL_DH_BITS
76 # define EXIM_HAVE_OPENSSL_TLS_METHOD
77 # define EXIM_HAVE_OPENSSL_KEYLOG
78 # define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
79 # define EXIM_HAVE_SESSION_TICKET
80 # define EXIM_HAVE_OPESSL_TRACE
81 # define EXIM_HAVE_OPESSL_GET0_SERIAL
82 # define EXIM_HAVE_OPESSL_OCSP_RESP_GET0_CERTS
83 # define EXIM_HAVE_SSL_GET0_VERIFIED_CHAIN
85 # define EXIM_HAVE_OCSP
87 # define EXIM_HAVE_ALPN /* fail ret from hshake-cb is ignored by LibreSSL */
89 # define EXIM_NEED_OPENSSL_INIT
91 # if OPENSSL_VERSION_NUMBER >= 0x010000000L \
92 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
93 # define EXIM_HAVE_OPENSSL_CHECKHOST
97 #if LIBRESSL_VERSION_NUMBER >= 0x3040000fL
98 # define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
101 #if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x030000000L)
102 # define EXIM_HAVE_EXPORT_CHNL_BNGNG
103 # define EXIM_HAVE_OPENSSL_X509_STORE_GET1_ALL_CERTS
106 #if !defined(LIBRESSL_VERSION_NUMBER) \
107 || LIBRESSL_VERSION_NUMBER >= 0x20010000L
108 # if !defined(OPENSSL_NO_ECDH)
109 # if OPENSSL_VERSION_NUMBER >= 0x0090800fL
110 # define EXIM_HAVE_ECDH
112 # if OPENSSL_VERSION_NUMBER >= 0x10002000L
113 # define EXIM_HAVE_OPENSSL_EC_NIST2NID
118 #ifndef LIBRESSL_VERSION_NUMBER
119 # if OPENSSL_VERSION_NUMBER >= 0x010101000L
120 # define OPENSSL_HAVE_KEYLOG_CB
121 # define OPENSSL_HAVE_NUM_TICKETS
122 # define EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
123 # define EXIM_HAVE_EXP_CHNL_BNGNG
124 # define EXIM_HAVE_OPENSSL_OCSP_RESP_GET0_SIGNER
126 # define OPENSSL_BAD_SRVR_OURCERT
130 #if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x010002000L)
131 # define EXIM_HAVE_EXPORT_CHNL_BNGNG
134 #if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
135 # warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
136 # define DISABLE_OCSP
139 #ifndef DISABLE_TLS_RESUME
140 # if OPENSSL_VERSION_NUMBER < 0x0101010L
141 # error OpenSSL version too old for session-resumption
145 #ifdef EXIM_HAVE_OPENSSL_CHECKHOST
146 # include <openssl/x509v3.h>
149 #ifndef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
150 # ifndef EXIM_HAVE_OPENSSL_CIPHER_GET_ID
151 # define SSL_CIPHER_get_id(c) (c->id)
153 # ifndef MACRO_PREDEF
154 # include "tls-cipher-stdname.c"
158 #define TESTSUITE_TICKET_LIFE 10 /* seconds */
159 /*************************************************
160 * OpenSSL option parse *
161 *************************************************/
163 typedef struct exim_openssl_option {
166 } exim_openssl_option;
167 /* We could use a macro to expand, but we need the ifdef and not all the
168 options document which version they were introduced in. Policylet: include
169 all options unless explicitly for DTLS, let the administrator choose which
172 This list is current as of:
175 XXX could we autobuild this list, as with predefined-macros?
176 Seems just parsing ssl.h for SSL_OP_.* would be enough (except to exclude DTLS).
177 Also allow a numeric literal?
179 static exim_openssl_option exim_openssl_options[] = {
180 /* KEEP SORTED ALPHABETICALLY! */
182 { US"all", (long) SSL_OP_ALL },
184 #ifdef SSL_OP_ALLOW_NO_DHE_KEX
185 { US"allow_no_dhe_kex", SSL_OP_ALLOW_NO_DHE_KEX },
187 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
188 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
190 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
191 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
193 #ifdef SSL_OP_CRYPTOPRO_TLSEXT_BUG
194 { US"cryptopro_tlsext_bug", SSL_OP_CRYPTOPRO_TLSEXT_BUG },
196 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
197 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
199 #ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT
200 { US"enable_middlebox_compat", SSL_OP_ENABLE_MIDDLEBOX_COMPAT },
202 #ifdef SSL_OP_EPHEMERAL_RSA
203 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
205 #ifdef SSL_OP_LEGACY_SERVER_CONNECT
206 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
208 #ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
209 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
211 #ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
212 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
214 #ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
215 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
217 #ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
218 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
220 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
221 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
223 #ifdef SSL_OP_NO_ANTI_REPLAY
224 { US"no_anti_replay", SSL_OP_NO_ANTI_REPLAY },
226 #ifdef SSL_OP_NO_COMPRESSION
227 { US"no_compression", SSL_OP_NO_COMPRESSION },
229 #ifdef SSL_OP_NO_ENCRYPT_THEN_MAC
230 { US"no_encrypt_then_mac", SSL_OP_NO_ENCRYPT_THEN_MAC },
232 #ifdef SSL_OP_NO_RENEGOTIATION
233 { US"no_renegotiation", SSL_OP_NO_RENEGOTIATION },
235 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
236 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
238 #ifdef SSL_OP_NO_SSLv2
239 { US"no_sslv2", SSL_OP_NO_SSLv2 },
241 #ifdef SSL_OP_NO_SSLv3
242 { US"no_sslv3", SSL_OP_NO_SSLv3 },
244 #ifdef SSL_OP_NO_TICKET
245 { US"no_ticket", SSL_OP_NO_TICKET },
247 #ifdef SSL_OP_NO_TLSv1
248 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
250 #ifdef SSL_OP_NO_TLSv1_1
251 # if OPENSSL_VERSION_NUMBER < 0x30000000L
252 # if SSL_OP_NO_TLSv1_1 == 0x00000400L
253 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
254 # warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
255 # define NO_SSL_OP_NO_TLSv1_1
258 # ifndef NO_SSL_OP_NO_TLSv1_1
259 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
262 #ifdef SSL_OP_NO_TLSv1_2
263 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
265 #ifdef SSL_OP_NO_TLSv1_3
266 { US"no_tlsv1_3", SSL_OP_NO_TLSv1_3 },
268 #ifdef SSL_OP_PRIORITIZE_CHACHA
269 { US"prioritize_chacha", SSL_OP_PRIORITIZE_CHACHA },
271 #ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
272 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
274 #ifdef SSL_OP_SINGLE_DH_USE
275 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
277 #ifdef SSL_OP_SINGLE_ECDH_USE
278 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
280 #ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
281 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
283 #ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
284 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
286 #ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
287 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
289 #ifdef SSL_OP_TLS_D5_BUG
290 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
292 #ifdef SSL_OP_TLS_ROLLBACK_BUG
293 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
295 #ifdef SSL_OP_TLSEXT_PADDING
296 { US"tlsext_padding", SSL_OP_TLSEXT_PADDING },
301 static int exim_openssl_options_size = nelem(exim_openssl_options);
302 static long init_options = 0;
311 for (struct exim_openssl_option * o = exim_openssl_options;
312 o < exim_openssl_options + nelem(exim_openssl_options); o++)
314 /* Trailing X is workaround for problem with _OPT_OPENSSL_NO_TLSV1
315 being a ".ifdef _OPT_OPENSSL_NO_TLSV1_3" match */
317 spf(buf, sizeof(buf), US"_OPT_OPENSSL_%T_X", o->name);
318 builtin_macro_create(buf);
321 # ifndef DISABLE_TLS_RESUME
322 builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
324 # ifdef SSL_OP_NO_TLSv1_3
325 builtin_macro_create(US"_HAVE_TLS1_3");
327 # ifdef OPENSSL_BAD_SRVR_OURCERT
328 builtin_macro_create(US"_TLS_BAD_MULTICERT_IN_OURCERT");
330 # ifdef EXIM_HAVE_OCSP
331 builtin_macro_create(US"_HAVE_TLS_OCSP");
332 builtin_macro_create(US"_HAVE_TLS_OCSP_LIST");
334 # ifdef EXIM_HAVE_ALPN
335 builtin_macro_create(US"_HAVE_TLS_ALPN");
340 /******************************************************************************/
342 /* Structure for collecting random data for seeding. */
344 typedef struct randstuff {
349 /* Local static variables */
351 static BOOL client_verify_callback_called = FALSE;
352 static BOOL server_verify_callback_called = FALSE;
353 static const uschar *sid_ctx = US"exim";
355 /* We have three different contexts to care about.
357 Simple case: client, `client_ctx`
358 As a client, we can be doing a callout or cut-through delivery while receiving
359 a message. So we have a client context, which should have options initialised
360 from the SMTP Transport. We may also concurrently want to make TLS connections
361 to utility daemons, so client-contexts are allocated and passed around in call
362 args rather than using a gobal.
365 There are two cases: with and without ServerNameIndication from the client.
366 Given TLS SNI, we can be using different keys, certs and various other
367 configuration settings, because they're re-expanded with $tls_sni set. This
368 allows vhosting with TLS. This SNI is sent in the handshake.
369 A client might not send SNI, so we need a fallback, and an initial setup too.
370 So as a server, we start out using `server_ctx`.
371 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
372 `server_sni` from `server_ctx` and then initialise settings by re-expanding
380 } exim_openssl_client_tls_ctx;
383 /* static SSL_CTX *server_ctx = NULL; */
384 /* static SSL *server_ssl = NULL; */
386 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
387 static SSL_CTX *server_sni = NULL;
389 #ifdef EXIM_HAVE_ALPN
390 static BOOL server_seen_alpn = FALSE;
393 static char ssl_errstring[256];
395 static int ssl_session_timeout = 7200; /* Two hours */
396 static BOOL client_verify_optional = FALSE;
397 static BOOL server_verify_optional = FALSE;
399 static BOOL reexpand_tls_files_for_sni = FALSE;
402 typedef struct ocsp_resp {
403 struct ocsp_resp * next;
404 OCSP_RESPONSE * resp;
407 typedef struct exim_openssl_state {
408 exim_tlslib_state lib_state;
409 #define lib_ctx libdata0
410 #define lib_ssl libdata1
413 uschar * certificate;
420 const uschar *file_expanded;
421 ocsp_resplist *olist;
422 STACK_OF(X509) *verify_stack; /* chain for verifying the proof */
425 X509_STORE *verify_store; /* non-null if status requested */
426 uschar *verify_errstr; /* only if _required */
427 BOOL verify_required;
432 /* these are cached from first expand */
433 uschar * server_cipher_list;
434 /* only passed down to tls_error: */
436 const uschar * verify_cert_hostnames;
437 #ifndef DISABLE_EVENT
438 uschar * event_action;
440 } exim_openssl_state_st;
442 /* should figure out a cleanup of API to handle state preserved per
443 implementation, for various reasons, which can be void * in the APIs.
444 For now, we hack around it. */
445 exim_openssl_state_st *client_static_state = NULL; /*XXX should not use static; multiple concurrent clients! */
446 exim_openssl_state_st state_server = {.is_server = TRUE};
449 setup_certs(SSL_CTX * sctx, uschar ** certs, uschar * crl, host_item * host,
454 static int tls_server_stapling_cb(SSL *s, void *arg);
455 static void x509_stack_dump_cert_s_names(const STACK_OF(X509) * sk);
456 static void x509_store_dump_cert_s_names(X509_STORE * store);
461 /* Daemon-called, before every connection, key create/rotate */
462 #ifndef DISABLE_TLS_RESUME
463 static void tk_init(void);
464 static int tls_exdata_idx = -1;
468 tls_per_lib_daemon_tick(void)
470 #ifndef DISABLE_TLS_RESUME
475 /* Called once at daemon startup */
478 tls_per_lib_daemon_init(void)
480 tls_daemon_creds_reload();
484 /*************************************************
486 *************************************************/
488 /* Called from lots of places when errors occur before actually starting to do
489 the TLS handshake, that is, while the session is still in clear. Always returns
490 DEFER for a server and FAIL for a client so that most calls can use "return
491 tls_error(...)" to do this processing and then give an appropriate return. A
492 single function is used for both server and client, because it is called from
493 some shared functions.
496 prefix text to include in the logged error
497 host NULL if setting up a server;
498 the connected host if setting up a client
499 msg error message or NULL if we should ask OpenSSL
500 errstr pointer to output error message
502 Returns: OK/DEFER/FAIL
506 tls_error(uschar * prefix, const host_item * host, uschar * msg, uschar ** errstr)
510 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
511 msg = US ssl_errstring;
514 msg = string_sprintf("(%s): %s", prefix, msg);
515 DEBUG(D_tls) debug_printf("TLS error '%s'\n", msg);
516 if (errstr) *errstr = msg;
517 return host ? FAIL : DEFER;
522 /**************************************************
523 * General library initalisation *
524 **************************************************/
527 lib_rand_init(void * addr)
530 if (!RAND_status()) return TRUE;
532 gettimeofday(&r.tv, NULL);
534 RAND_seed(US (&r), sizeof(r));
535 RAND_seed(US big_buffer, big_buffer_size);
536 if (addr) RAND_seed(US addr, sizeof(addr));
538 return RAND_status();
543 tls_openssl_init(void)
545 static BOOL once = FALSE;
549 #ifdef EXIM_NEED_OPENSSL_INIT
550 SSL_load_error_strings(); /* basic set up */
551 OpenSSL_add_ssl_algorithms();
554 #if defined(EXIM_HAVE_SHA256) && !defined(OPENSSL_AUTO_SHA256)
555 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
556 list of available digests. */
557 EVP_add_digest(EVP_sha256());
560 (void) lib_rand_init(NULL);
561 (void) tls_openssl_options_parse(openssl_options, &init_options);
566 /*************************************************
567 * Initialize for DH *
568 *************************************************/
570 /* If dhparam is set, expand it, and load up the parameters for DH encryption.
574 sctx The current SSL CTX (inbound or outbound)
575 dhparam DH parameter file or fixed parameter identity string
576 errstr error string pointer
578 Returns: TRUE if OK (nothing to set up, or setup worked)
582 init_dh(SSL_CTX * sctx, uschar * dhparam, uschar ** errstr)
585 #if OPENSSL_VERSION_NUMBER < 0x30000000L
594 if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded, errstr))
597 if (!dhexpanded || !*dhexpanded)
598 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
599 else if (dhexpanded[0] == '/')
601 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
603 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
604 NULL, US strerror(errno), errstr);
610 if (Ustrcmp(dhexpanded, "none") == 0)
612 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
616 if (!(pem = std_dh_prime_named(dhexpanded)))
618 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
619 NULL, US strerror(errno), errstr);
622 bio = BIO_new_mem_buf(CS pem, -1);
626 #if OPENSSL_VERSION_NUMBER < 0x30000000L
627 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)
629 pkey = PEM_read_bio_Parameters_ex(bio, NULL, NULL, NULL)
634 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
639 /* note: our default limit of 2236 is not a multiple of 8; the limit comes from
640 an NSS limit, and the GnuTLS APIs handle bit-sizes fine, so we went with 2236.
641 But older OpenSSL can only report in bytes (octets), not bits. If someone wants
642 to dance at the edge, then they can raise the limit or use current libraries. */
644 #if OPENSSL_VERSION_NUMBER < 0x30000000L
645 # ifdef EXIM_HAVE_OPENSSL_DH_BITS
646 /* Added in commit 26c79d5641d; `git describe --contains` says OpenSSL_1_1_0-pre1~1022
647 This predates OpenSSL_1_1_0 (before a, b, ...) so is in all 1.1.0 */
648 dh_bitsize = DH_bits(dh);
650 dh_bitsize = 8 * DH_size(dh);
653 dh_bitsize = EVP_PKEY_get_bits(pkey);
656 /* Even if it is larger, we silently return success rather than cause things to
657 fail out, so that a too-large DH will not knock out all TLS; it's a debatable
658 choice. Likewise for a failing attempt to set one. */
660 if (dh_bitsize <= tls_dh_max_bits)
663 #if OPENSSL_VERSION_NUMBER < 0x30000000L
664 SSL_CTX_set_tmp_dh(sctx, dh)
666 SSL_CTX_set0_tmp_dh_pkey(sctx, pkey)
670 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
671 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (D-H param setting '%s'): %s",
672 dhexpanded ? dhexpanded : US"default", ssl_errstring);
673 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
674 /* EVP_PKEY_free(pkey); crashes */
679 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
680 dhexpanded ? dhexpanded : US"default", dh_bitsize);
684 debug_printf("dhparams '%s' %d bits, is > tls_dh_max_bits limit of %d\n",
685 dhexpanded ? dhexpanded : US"default", dh_bitsize, tls_dh_max_bits);
687 #if OPENSSL_VERSION_NUMBER < 0x30000000L
690 /* The EVP_PKEY ownership stays with the ctx; do not free it */
699 /*************************************************
700 * Initialize for ECDH *
701 *************************************************/
703 /* Load parameters for ECDH encryption. Server only.
705 For now, we stick to NIST P-256 because: it's simple and easy to configure;
706 it avoids any patent issues that might bite redistributors; despite events in
707 the news and concerns over curve choices, we're not cryptographers, we're not
708 pretending to be, and this is "good enough" to be better than no support,
709 protecting against most adversaries. Given another year or two, there might
710 be sufficient clarity about a "right" way forward to let us make an informed
711 decision, instead of a knee-jerk reaction.
713 Longer-term, we should look at supporting both various named curves and
714 external files generated with "openssl ecparam", much as we do for init_dh().
715 We should also support "none" as a value, to explicitly avoid initialisation.
720 sctx The current SSL CTX (inbound or outbound)
721 errstr error string pointer
723 Returns: TRUE if OK (nothing to set up, or setup worked)
727 init_ecdh(SSL_CTX * sctx, uschar ** errstr)
729 #ifdef OPENSSL_NO_ECDH
737 # ifndef EXIM_HAVE_ECDH
739 debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
743 if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr))
745 if (!exp_curve || !*exp_curve)
748 /* "auto" needs to be handled carefully.
749 * OpenSSL < 1.0.2: we do not select anything, but fallback to prime256v1
750 * OpenSSL < 1.1.0: we have to call SSL_CTX_set_ecdh_auto
751 * (openssl/ssl.h defines SSL_CTRL_SET_ECDH_AUTO)
752 * OpenSSL >= 1.1.0: we do not set anything, the libray does autoselection
753 * https://github.com/openssl/openssl/commit/fe6ef2472db933f01b59cad82aa925736935984b
755 if (Ustrcmp(exp_curve, "auto") == 0)
757 #if OPENSSL_VERSION_NUMBER < 0x10002000L
758 DEBUG(D_tls) debug_printf(
759 "ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n");
760 exp_curve = US"prime256v1";
762 # if defined SSL_CTRL_SET_ECDH_AUTO
763 DEBUG(D_tls) debug_printf(
764 "ECDH OpenSSL 1.0.2+: temp key parameter settings: autoselection\n");
765 SSL_CTX_set_ecdh_auto(sctx, 1);
768 DEBUG(D_tls) debug_printf(
769 "ECDH OpenSSL 1.1.0+: temp key parameter settings: default selection\n");
775 DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve);
776 if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef
777 # ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
778 && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef
782 tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve),
787 # if OPENSSL_VERSION_NUMBER < 0x30000000L
790 if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
792 tls_error(US"Unable to create ec curve", NULL, NULL, errstr);
796 /* The "tmp" in the name here refers to setting a temporary key
797 not to the stability of the interface. */
799 if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
800 tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), NULL, NULL, errstr);
802 DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
806 #else /* v 3.0.0 + */
808 if ((rv = SSL_CTX_set1_groups(sctx, &nid, 1)) == 0)
809 tls_error(string_sprintf("Error enabling '%s' group", exp_curve), NULL, NULL, errstr);
811 DEBUG(D_tls) debug_printf("ECDH: enabled '%s' group\n", exp_curve);
817 # endif /*EXIM_HAVE_ECDH*/
818 #endif /*OPENSSL_NO_ECDH*/
823 /*************************************************
824 * Expand key and cert file specs *
825 *************************************************/
827 #if OPENSSL_VERSION_NUMBER < 0x30000000L
830 s SSL connection (not used)
834 Returns: pointer to generated key
838 rsa_callback(SSL *s, int export, int keylength)
841 #ifdef EXIM_HAVE_RSA_GENKEY_EX
842 BIGNUM *bn = BN_new();
845 DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
847 # ifdef EXIM_HAVE_RSA_GENKEY_EX
848 if ( !BN_set_word(bn, (unsigned long)RSA_F4)
849 || !(rsa_key = RSA_new())
850 || !RSA_generate_key_ex(rsa_key, keylength, bn, NULL)
853 if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL)))
857 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
858 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
864 #endif /* pre-3.0.0 */
868 /* Create and install a selfsigned certificate, for use in server mode */
869 /*XXX we could arrange to call this during prelo for a null tls_certificate option.
870 The normal cache inval + relo will suffice.
871 Just need a timer for inval. */
874 tls_install_selfsign(SSL_CTX * sctx, uschar ** errstr)
881 DEBUG(D_tls) debug_printf("TLS: generating selfsigned server cert\n");
882 where = US"allocating pkey";
883 if (!(pkey = EVP_PKEY_new()))
886 where = US"allocating cert";
887 if (!(x509 = X509_new()))
890 where = US"generating pkey";
891 #if OPENSSL_VERSION_NUMBER < 0x30000000L
894 if (!(rsa = rsa_callback(NULL, 0, 2048)))
897 where = US"assigning pkey";
898 if (!EVP_PKEY_assign_RSA(pkey, rsa))
902 pkey = EVP_RSA_gen(2048);
905 X509_set_version(x509, 2); /* N+1 - version 3 */
906 ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
907 X509_gmtime_adj(X509_get_notBefore(x509), 0);
908 X509_gmtime_adj(X509_get_notAfter(x509), (long)2 * 60 * 60); /* 2 hour */
909 X509_set_pubkey(x509, pkey);
911 name = X509_get_subject_name(x509);
912 X509_NAME_add_entry_by_txt(name, "C",
913 MBSTRING_ASC, CUS "UK", -1, -1, 0);
914 X509_NAME_add_entry_by_txt(name, "O",
915 MBSTRING_ASC, CUS "Exim Developers", -1, -1, 0);
916 X509_NAME_add_entry_by_txt(name, "CN",
917 MBSTRING_ASC, CUS smtp_active_hostname, -1, -1, 0);
918 X509_set_issuer_name(x509, name);
920 where = US"signing cert";
921 if (!X509_sign(x509, pkey, EVP_md5()))
924 where = US"installing selfsign cert";
925 if (!SSL_CTX_use_certificate(sctx, x509))
928 where = US"installing selfsign key";
929 if (!SSL_CTX_use_PrivateKey(sctx, pkey))
935 (void) tls_error(where, NULL, NULL, errstr);
936 if (x509) X509_free(x509);
937 if (pkey) EVP_PKEY_free(pkey);
947 /*************************************************
948 * Information callback *
949 *************************************************/
951 /* The SSL library functions call this from time to time to indicate what they
952 are doing. We copy the string to the debugging output when TLS debugging has
964 info_callback(SSL * s, int where, int ret)
970 if (where & SSL_ST_CONNECT) g = string_append_listele(g, ',', US"SSL_connect");
971 if (where & SSL_ST_ACCEPT) g = string_append_listele(g, ',', US"SSL_accept");
972 if (where & SSL_CB_LOOP) g = string_append_listele(g, ',', US"state_chg");
973 if (where & SSL_CB_EXIT) g = string_append_listele(g, ',', US"hshake_exit");
974 if (where & SSL_CB_READ) g = string_append_listele(g, ',', US"read");
975 if (where & SSL_CB_WRITE) g = string_append_listele(g, ',', US"write");
976 if (where & SSL_CB_ALERT) g = string_append_listele(g, ',', US"alert");
977 if (where & SSL_CB_HANDSHAKE_START) g = string_append_listele(g, ',', US"hshake_start");
978 if (where & SSL_CB_HANDSHAKE_DONE) g = string_append_listele(g, ',', US"hshake_done");
980 if (where & SSL_CB_LOOP)
981 debug_printf("SSL %s: %s\n", g->s, SSL_state_string_long(s));
982 else if (where & SSL_CB_ALERT)
983 debug_printf("SSL %s %s:%s\n", g->s,
984 SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
985 else if (where & SSL_CB_EXIT)
988 debug_printf("SSL %s: %s in %s\n", g->s,
989 ret == 0 ? "failed" : "error", SSL_state_string_long(s));
991 else if (where & (SSL_CB_HANDSHAKE_START | SSL_CB_HANDSHAKE_DONE))
992 debug_printf("SSL %s: %s\n", g->s, SSL_state_string_long(s));
996 #ifdef OPENSSL_HAVE_KEYLOG_CB
998 keylog_callback(const SSL *ssl, const char *line)
1002 DEBUG(D_tls) debug_printf("%.200s\n", line);
1003 if (!(filename = getenv("SSLKEYLOGFILE"))) return;
1004 if (!(fp = fopen(filename, "a"))) return;
1005 fprintf(fp, "%s\n", line);
1014 #ifndef DISABLE_EVENT
1016 verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
1017 BOOL *calledp, const BOOL *optionalp, const uschar * what)
1023 ev = tlsp == &tls_out ? client_static_state->event_action : event_action;
1026 DEBUG(D_tls) debug_printf("verify_event: %s %d\n", what, depth);
1027 old_cert = tlsp->peercert;
1028 tlsp->peercert = X509_dup(cert);
1029 /* NB we do not bother setting peerdn */
1030 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth), &errno)))
1032 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
1033 "depth=%d cert=%s: %s",
1034 tlsp == &tls_out ? deliver_host_address : sender_host_address,
1035 what, depth, dn, yield);
1039 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
1040 return 1; /* reject (leaving peercert set) */
1042 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
1043 "(host in tls_try_verify_hosts)\n");
1044 tlsp->verify_override = TRUE;
1046 X509_free(tlsp->peercert);
1047 tlsp->peercert = old_cert;
1053 /*************************************************
1054 * Callback for verification *
1055 *************************************************/
1057 /* The SSL library does certificate verification if set up to do so. This
1058 callback has the current yes/no state is in "state". If verification succeeded,
1059 we set the certificate-verified flag. If verification failed, what happens
1060 depends on whether the client is required to present a verifiable certificate
1063 If verification is optional, we change the state to yes, but still log the
1064 verification error. For some reason (it really would help to have proper
1065 documentation of OpenSSL), this callback function then gets called again, this
1066 time with state = 1. We must take care not to set the private verified flag on
1067 the second time through.
1069 Note: this function is not called if the client fails to present a certificate
1070 when asked. We get here only if a certificate has been received. Handling of
1071 optional verification for this case is done when requesting SSL to verify, by
1072 setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
1074 May be called multiple times for different issues with a certificate, even
1075 for a given "depth" in the certificate chain.
1078 preverify_ok current yes/no state as 1/0
1079 x509ctx certificate information.
1080 tlsp per-direction (client vs. server) support data
1081 calledp has-been-called flag
1082 optionalp verification-is-optional flag
1084 Returns: 0 if verification should fail, otherwise 1
1088 verify_callback(int preverify_ok, X509_STORE_CTX * x509ctx,
1089 tls_support * tlsp, BOOL * calledp, BOOL * optionalp)
1091 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
1092 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
1095 if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
1097 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
1098 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
1099 tlsp == &tls_out ? deliver_host_address : sender_host_address);
1102 dn[sizeof(dn)-1] = '\0';
1104 tlsp->verify_override = FALSE;
1105 if (preverify_ok == 0)
1107 uschar * extra = verify_mode ? string_sprintf(" (during %c-verify for [%s])",
1108 *verify_mode, sender_host_address)
1110 log_write(0, LOG_MAIN, "[%s] SSL verify error%s: depth=%d error=%s cert=%s",
1111 tlsp == &tls_out ? deliver_host_address : sender_host_address,
1113 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)), dn);
1117 if (!tlsp->peercert)
1118 tlsp->peercert = X509_dup(cert); /* record failing cert */
1119 return 0; /* reject */
1121 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
1122 "tls_try_verify_hosts)\n");
1123 tlsp->verify_override = TRUE;
1126 else if (depth != 0)
1128 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
1129 #ifndef DISABLE_EVENT
1130 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
1131 return 0; /* reject, with peercert set */
1136 const uschar * verify_cert_hostnames;
1138 if ( tlsp == &tls_out
1139 && ((verify_cert_hostnames = client_static_state->verify_cert_hostnames)))
1140 /* client, wanting hostname check */
1143 #ifdef EXIM_HAVE_OPENSSL_CHECKHOST
1144 # ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
1145 # define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
1147 # ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
1148 # define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
1151 const uschar * list = verify_cert_hostnames;
1154 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
1155 if ((rc = X509_check_host(cert, CCS name, 0,
1156 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
1157 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
1162 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
1163 tlsp == &tls_out ? deliver_host_address : sender_host_address);
1170 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
1173 uschar * extra = verify_mode
1174 ? string_sprintf(" (during %c-verify for [%s])",
1175 *verify_mode, sender_host_address)
1177 log_write(0, LOG_MAIN,
1178 "[%s] SSL verify error%s: certificate name mismatch: DN=\"%s\" H=\"%s\"",
1179 tlsp == &tls_out ? deliver_host_address : sender_host_address,
1180 extra, dn, verify_cert_hostnames);
1184 if (!tlsp->peercert)
1185 tlsp->peercert = X509_dup(cert); /* record failing cert */
1186 return 0; /* reject */
1188 DEBUG(D_tls) debug_printf("SSL verify name failure overridden (host in "
1189 "tls_try_verify_hosts)\n");
1190 tlsp->verify_override = TRUE;
1194 #ifndef DISABLE_EVENT
1195 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
1196 return 0; /* reject, with peercert set */
1199 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
1200 *calledp ? "" : " authenticated", dn);
1204 return 1; /* accept, at least for this level */
1208 verify_callback_client(int preverify_ok, X509_STORE_CTX *x509ctx)
1210 return verify_callback(preverify_ok, x509ctx, &tls_out,
1211 &client_verify_callback_called, &client_verify_optional);
1215 verify_callback_server(int preverify_ok, X509_STORE_CTX *x509ctx)
1217 return verify_callback(preverify_ok, x509ctx, &tls_in,
1218 &server_verify_callback_called, &server_verify_optional);
1224 /* This gets called *by* the dane library verify callback, which interposes
1228 verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
1230 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
1232 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
1233 #ifndef DISABLE_EVENT
1234 BOOL dummy_called, optional = FALSE;
1237 if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
1239 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
1240 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
1241 deliver_host_address);
1244 dn[sizeof(dn)-1] = '\0';
1246 DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
1247 preverify_ok ? "ok":"BAD", depth, dn);
1249 #ifndef DISABLE_EVENT
1250 if (verify_event(&tls_out, cert, depth, dn,
1251 &dummy_called, &optional, US"DANE"))
1252 return 0; /* reject, with peercert set */
1255 if (preverify_ok == 1)
1256 tls_out.dane_verified = TRUE;
1259 int err = X509_STORE_CTX_get_error(x509ctx);
1261 debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
1262 if (err == X509_V_ERR_APPLICATION_VERIFICATION)
1265 return preverify_ok;
1268 #endif /*SUPPORT_DANE*/
1271 #ifndef DISABLE_OCSP
1273 time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
1275 BIO_printf(bp, "\t%s: ", str);
1276 ASN1_GENERALIZEDTIME_print(bp, time);
1280 /*************************************************
1281 * Load OCSP information into state *
1282 *************************************************/
1283 /* Called to load the server OCSP response from the given file into memory, once
1284 caller has determined this is needed. Checks validity. Debugs a message
1287 ASSUMES: single response, for single cert.
1290 state various parts of session state
1291 filename the filename putatively holding an OCSP response
1292 is_pem file is PEM format; otherwise is DER
1296 ocsp_load_response(exim_openssl_state_st * state, const uschar * filename,
1300 OCSP_RESPONSE * resp;
1301 OCSP_BASICRESP * basic_response;
1302 OCSP_SINGLERESP * single_response;
1303 ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
1304 STACK_OF(X509) * sk;
1305 int status, reason, i;
1308 debug_printf("tls_ocsp_file (%s) '%s'\n", is_pem ? "PEM" : "DER", filename);
1310 if (!filename || !*filename) return;
1313 if (!(bio = BIO_new_file(CS filename, "rb")))
1315 log_write(0, LOG_MAIN|LOG_PANIC,
1316 "Failed to open OCSP response file \"%s\": %.100s",
1317 filename, ERR_reason_error_string(ERR_get_error()));
1323 uschar * data, * freep;
1326 if (!PEM_read_bio(bio, &dummy, &dummy, &data, &len))
1328 log_write(0, LOG_MAIN|LOG_PANIC, "Failed to read PEM file \"%s\": %.100s",
1329 filename, ERR_reason_error_string(ERR_get_error()));
1333 resp = d2i_OCSP_RESPONSE(NULL, CUSS &data, len);
1334 OPENSSL_free(freep);
1337 resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
1342 log_write(0, LOG_MAIN|LOG_PANIC, "Error reading OCSP response from \"%s\": %s",
1343 filename, ERR_reason_error_string(ERR_get_error()));
1347 if ((status = OCSP_response_status(resp)) != OCSP_RESPONSE_STATUS_SUCCESSFUL)
1349 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
1350 OCSP_response_status_str(status), status);
1356 BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
1357 OCSP_RESPONSE_print(bp, resp, 0); /* extreme debug: stapling content */
1362 if (!(basic_response = OCSP_response_get1_basic(resp)))
1365 debug_printf("OCSP response parse error: unable to extract basic response.\n");
1369 sk = state->u_ocsp.server.verify_stack; /* set by setup_certs() / chain_from_pem_file() */
1371 /* May need to expose ability to adjust those flags?
1372 OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
1373 OCSP_TRUSTOTHER OCSP_NOINTERN */
1375 /* This does a partial verify (only the signer link, not the whole chain-to-CA)
1376 on the OCSP proof before we load it for serving up; possibly overkill -
1377 just date-checks might be nice enough.
1379 OCSP_basic_verify takes a "store" arg, but does not
1380 use it for the chain verification, when OCSP_NOVERIFY is set.
1381 The content from the wire "basic_response" and a cert-stack "sk" are all
1384 We have a stack, loaded in setup_certs() if tls_verify_certificates
1385 was a file (not a directory, or "system"). It is unfortunate we
1386 cannot used the connection context store, as that would neatly
1387 handle the "system" case too, but there seems to be no library
1388 function for getting a stack from a store.
1389 [ In OpenSSL 1.1 - ? X509_STORE_CTX_get0_chain(ctx) ? ]
1390 [ 3.0.0 - sk = X509_STORE_get1_all_certs(store) ]
1391 We do not free the stack since it could be needed a second time for
1394 Separately we might try to replace using OCSP_basic_verify() - which seems to not
1395 be a public interface into the OpenSSL library (there's no manual entry) -
1396 (in 3.0.0 + is is public)
1397 But what with? We also use OCSP_basic_verify in the client stapling callback.
1398 And there we NEED it; we must verify that status... unless the
1399 library does it for us anyway? */
1401 if ((i = OCSP_basic_verify(basic_response, sk, NULL, OCSP_NOVERIFY)) < 0)
1405 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
1406 debug_printf("OCSP response has bad signature: %s\n", US ssl_errstring);
1411 /* Here's the simplifying assumption: there's only one response, for the
1412 one certificate we use, and nothing for anything else in a chain. If this
1413 proves false, we need to extract a cert id from our issued cert
1414 (tls_certificate) and use that for OCSP_resp_find_status() (which finds the
1415 right cert in the stack and then calls OCSP_single_get0_status()).
1417 I'm hoping to avoid reworking a bunch more of how we handle state here.
1419 XXX that will change when we add support for (TLS1.3) whole-chain stapling
1422 if (!(single_response = OCSP_resp_get0(basic_response, 0)))
1425 debug_printf("Unable to get first response from OCSP basic response.\n");
1429 status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
1430 if (status != V_OCSP_CERTSTATUS_GOOD)
1432 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
1433 OCSP_cert_status_str(status), status,
1434 OCSP_crl_reason_str(reason), reason);
1438 if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1442 BIO * bp = BIO_new(BIO_s_mem());
1445 time_print(bp, "This OCSP Update", thisupd);
1446 if (nextupd) time_print(bp, "Next OCSP Update", nextupd);
1447 if ((len = (int) BIO_get_mem_data(bp, CSS &s)) > 0) debug_printf("%.*s", len, s);
1448 debug_printf("OCSP status invalid times.\n");
1454 /* Add the resp to the list used by tls_server_stapling_cb() */
1456 ocsp_resplist ** op = &state->u_ocsp.server.olist, * oentry;
1457 while (oentry = *op)
1459 *op = oentry = store_get(sizeof(ocsp_resplist), GET_UNTAINTED);
1460 oentry->next = NULL;
1461 oentry->resp = resp;
1466 if (f.running_in_test_harness)
1468 extern char ** environ;
1469 if (environ) for (uschar ** p = USS environ; *p; p++)
1470 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
1472 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
1473 goto supply_response;
1481 ocsp_free_response_list(exim_openssl_state_st * state)
1483 for (ocsp_resplist * olist = state->u_ocsp.server.olist; olist;
1484 olist = olist->next)
1485 OCSP_RESPONSE_free(olist->resp);
1486 state->u_ocsp.server.olist = NULL;
1488 #endif /*!DISABLE_OCSP*/
1495 tls_add_certfile(SSL_CTX * sctx, exim_openssl_state_st * cbinfo, uschar * file,
1498 DEBUG(D_tls) debug_printf("tls_certificate file '%s'\n", file);
1499 if (!SSL_CTX_use_certificate_chain_file(sctx, CS file))
1500 return tls_error(string_sprintf(
1501 "SSL_CTX_use_certificate_chain_file file=%s", file),
1502 cbinfo->host, NULL, errstr);
1507 tls_add_pkeyfile(SSL_CTX * sctx, exim_openssl_state_st * cbinfo, uschar * file,
1510 DEBUG(D_tls) debug_printf("tls_privatekey file '%s'\n", file);
1511 if (!SSL_CTX_use_PrivateKey_file(sctx, CS file, SSL_FILETYPE_PEM))
1512 return tls_error(string_sprintf(
1513 "SSL_CTX_use_PrivateKey_file file=%s", file), cbinfo->host, NULL, errstr);
1520 /* Called once during tls_init and possibly again during TLS setup, for a
1521 new context, if Server Name Indication was used and tls_sni was seen in
1522 the certificate string.
1525 sctx the SSL_CTX* to update
1526 state various parts of session state
1527 errstr error string pointer
1529 Returns: OK/DEFER/FAIL
1533 tls_expand_session_files(SSL_CTX * sctx, exim_openssl_state_st * state,
1538 if (!state->certificate)
1540 if (!state->is_server) /* client */
1543 if (tls_install_selfsign(sctx, errstr) != OK)
1550 if ( !reexpand_tls_files_for_sni
1551 && ( Ustrstr(state->certificate, US"tls_sni")
1552 || Ustrstr(state->certificate, US"tls_in_sni")
1553 || Ustrstr(state->certificate, US"tls_out_sni")
1555 reexpand_tls_files_for_sni = TRUE;
1557 if ( !expand_check(state->certificate, US"tls_certificate", &expanded, errstr)
1558 || f.expand_string_forcedfail)
1560 if (f.expand_string_forcedfail)
1561 *errstr = US"expansion of tls_certificate failed";
1566 if (state->is_server)
1568 const uschar * file_list = expanded;
1571 #ifndef DISABLE_OCSP
1572 const uschar * olist = state->u_ocsp.server.file;
1575 BOOL fmt_pem = FALSE;
1578 if (!expand_check(olist, US"tls_ocsp_file", USS &olist, errstr))
1580 if (olist && !*olist)
1583 /* If doing a re-expand after SNI, avoid reloading the OCSP
1584 responses when the list of filenames has not changed.
1585 The creds-invali on content change wipes file_expanded, so that
1586 always reloads here. */
1588 if ( state->u_ocsp.server.file_expanded && olist
1589 && (Ustrcmp(olist, state->u_ocsp.server.file_expanded) == 0))
1591 DEBUG(D_tls) debug_printf(" - value unchanged, using existing values\n");
1596 ocsp_free_response_list(state);
1597 state->u_ocsp.server.file_expanded = olist;
1601 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1603 if ((err = tls_add_certfile(sctx, state, file, errstr)))
1606 #ifndef DISABLE_OCSP
1608 if ((ofile = string_nextinlist(&olist, &osep, NULL, 0)))
1610 if (Ustrncmp(ofile, US"PEM ", 4) == 0)
1615 else if (Ustrncmp(ofile, US"DER ", 4) == 0)
1620 ocsp_load_response(state, ofile, fmt_pem);
1623 DEBUG(D_tls) debug_printf("ran out of ocsp file list\n");
1627 else /* would there ever be a need for multiple client certs? */
1628 if ((err = tls_add_certfile(sctx, state, expanded, errstr)))
1631 if ( state->privatekey
1632 && !expand_check(state->privatekey, US"tls_privatekey", &expanded, errstr)
1633 || f.expand_string_forcedfail)
1635 if (f.expand_string_forcedfail)
1636 *errstr = US"expansion of tls_privatekey failed";
1640 /* If expansion was forced to fail, key_expanded will be NULL. If the result
1641 of the expansion is an empty string, ignore it also, and assume the private
1642 key is in the same file as the certificate. */
1644 if (expanded && *expanded)
1645 if (state->is_server)
1647 const uschar * file_list = expanded;
1651 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1652 if ((err = tls_add_pkeyfile(sctx, state, file, errstr)))
1655 else /* would there ever be a need for multiple client certs? */
1656 if ((err = tls_add_pkeyfile(sctx, state, expanded, errstr)))
1666 /**************************************************
1667 * One-time init credentials for server and client *
1668 **************************************************/
1671 normalise_ciphers(uschar ** ciphers, const uschar * pre_expansion_ciphers)
1673 uschar * s = *ciphers;
1675 if (!s || !Ustrchr(s, '_')) return; /* no change needed */
1677 if (s == pre_expansion_ciphers)
1678 s = string_copy(s); /* get writable copy */
1680 for (uschar * t = s; *t; t++) if (*t == '_') *t = '-';
1685 server_load_ciphers(SSL_CTX * ctx, exim_openssl_state_st * state,
1686 uschar * ciphers, uschar ** errstr)
1688 DEBUG(D_tls) debug_printf("required ciphers: %s\n", ciphers);
1689 if (!SSL_CTX_set_cipher_list(ctx, CS ciphers))
1690 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL, errstr);
1691 state->server_cipher_list = ciphers;
1698 lib_ctx_new(SSL_CTX ** ctxp, host_item * host, uschar ** errstr)
1701 #ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1702 if (!(ctx = SSL_CTX_new(host ? TLS_client_method() : TLS_server_method())))
1704 if (!(ctx = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method())))
1706 return tls_error(US"SSL_CTX_new", host, NULL, errstr);
1708 /* Set up the information callback, which outputs if debugging is at a suitable
1713 SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
1714 #if defined(EXIM_HAVE_OPESSL_TRACE) && !defined(OPENSSL_NO_SSL_TRACE)
1715 /* this needs a debug build of OpenSSL */
1716 SSL_CTX_set_msg_callback(ctx, (void (*)())SSL_trace);
1718 #ifdef OPENSSL_HAVE_KEYLOG_CB
1719 SSL_CTX_set_keylog_callback(ctx, (void (*)())keylog_callback);
1723 /* Automatically re-try reads/writes after renegotiation. */
1724 (void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
1731 tls_server_creds_init(void)
1734 uschar * dummy_errstr;
1735 unsigned lifetime = 0;
1739 state_server.lib_state = null_tls_preload;
1741 if (lib_ctx_new(&ctx, NULL, &dummy_errstr) != OK)
1743 state_server.lib_state.lib_ctx = ctx;
1745 /* Preload DH params and EC curve */
1747 if (opt_unset_or_noexpand(tls_dhparam))
1749 DEBUG(D_tls) debug_printf("TLS: preloading DH params for server\n");
1750 if (init_dh(ctx, tls_dhparam, &dummy_errstr))
1751 state_server.lib_state.dh = TRUE;
1754 DEBUG(D_tls) debug_printf("TLS: not preloading DH params for server\n");
1755 if (opt_unset_or_noexpand(tls_eccurve))
1757 DEBUG(D_tls) debug_printf("TLS: preloading ECDH curve for server\n");
1758 if (init_ecdh(ctx, &dummy_errstr))
1759 state_server.lib_state.ecdh = TRUE;
1762 DEBUG(D_tls) debug_printf("TLS: not preloading ECDH curve for server\n");
1764 #if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
1765 /* If we can, preload the Authorities for checking client certs against.
1766 Actual choice to do verify is made (tls_{,try_}verify_hosts)
1767 at TLS conn startup.
1768 Do this before the server ocsp so that its info can verify the ocsp. */
1770 if ( opt_set_and_noexpand(tls_verify_certificates)
1771 && opt_unset_or_noexpand(tls_crl))
1773 /* Watch the default dir also as they are always included */
1775 if ( tls_set_watch(CUS X509_get_default_cert_file(), FALSE)
1776 && tls_set_watch(tls_verify_certificates, FALSE)
1777 && tls_set_watch(tls_crl, FALSE))
1779 uschar * v_certs = tls_verify_certificates;
1780 DEBUG(D_tls) debug_printf("TLS: preloading CA bundle for server\n");
1782 if (setup_certs(ctx, &v_certs, tls_crl, NULL, &dummy_errstr) == OK)
1783 state_server.lib_state.cabundle = TRUE;
1785 /* If we can, preload the server-side cert, key and ocsp */
1787 if ( opt_set_and_noexpand(tls_certificate)
1788 # ifndef DISABLE_OCSP
1789 && opt_unset_or_noexpand(tls_ocsp_file)
1791 && opt_unset_or_noexpand(tls_privatekey))
1793 /* Set watches on the filenames. The implementation does de-duplication
1794 so we can just blindly do them all. */
1796 if ( tls_set_watch(tls_certificate, TRUE)
1797 # ifndef DISABLE_OCSP
1798 && tls_set_watch(tls_ocsp_file, TRUE)
1800 && tls_set_watch(tls_privatekey, TRUE))
1802 state_server.certificate = tls_certificate;
1803 state_server.privatekey = tls_privatekey;
1804 #ifndef DISABLE_OCSP
1805 state_server.u_ocsp.server.file = tls_ocsp_file;
1808 DEBUG(D_tls) debug_printf("TLS: preloading server certs\n");
1809 if (tls_expand_session_files(ctx, &state_server, &dummy_errstr) == OK)
1810 state_server.lib_state.conn_certs = TRUE;
1813 else if ( !tls_certificate && !tls_privatekey
1814 # ifndef DISABLE_OCSP
1818 { /* Generate & preload a selfsigned cert. No files to watch. */
1819 if (tls_expand_session_files(ctx, &state_server, &dummy_errstr) == OK)
1821 state_server.lib_state.conn_certs = TRUE;
1822 lifetime = f.running_in_test_harness ? 2 : 60 * 60; /* 1 hour */
1826 DEBUG(D_tls) debug_printf("TLS: not preloading server certs\n");
1830 DEBUG(D_tls) debug_printf("TLS: not preloading CA bundle for server\n");
1833 #endif /* EXIM_HAVE_INOTIFY */
1836 /* If we can, preload the ciphers control string */
1838 if (opt_set_and_noexpand(tls_require_ciphers))
1840 DEBUG(D_tls) debug_printf("TLS: preloading cipher list for server\n");
1841 normalise_ciphers(&tls_require_ciphers, tls_require_ciphers);
1842 if (server_load_ciphers(ctx, &state_server, tls_require_ciphers,
1843 &dummy_errstr) == OK)
1844 state_server.lib_state.pri_string = TRUE;
1847 DEBUG(D_tls) debug_printf("TLS: not preloading cipher list for server\n");
1854 /* Preload whatever creds are static, onto a transport. The client can then
1855 just copy the pointer as it starts up.
1856 Called from the daemon after a cache-invalidate with watch set; called from
1857 a queue-run startup with watch clear. */
1860 tls_client_creds_init(transport_instance * t, BOOL watch)
1862 smtp_transport_options_block * ob = t->options_block;
1863 exim_openssl_state_st tpt_dummy_state;
1864 host_item * dummy_host = (host_item *)1;
1865 uschar * dummy_errstr;
1870 ob->tls_preload = null_tls_preload;
1871 if (lib_ctx_new(&ctx, dummy_host, &dummy_errstr) != OK)
1873 ob->tls_preload.lib_ctx = ctx;
1875 tpt_dummy_state.lib_state = ob->tls_preload;
1877 #if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
1878 if ( opt_set_and_noexpand(ob->tls_certificate)
1879 && opt_unset_or_noexpand(ob->tls_privatekey))
1882 || ( tls_set_watch(ob->tls_certificate, FALSE)
1883 && tls_set_watch(ob->tls_privatekey, FALSE)
1886 uschar * pkey = ob->tls_privatekey;
1889 debug_printf("TLS: preloading client certs for transport '%s'\n",t->name);
1891 if ( tls_add_certfile(ctx, &tpt_dummy_state, ob->tls_certificate,
1893 && tls_add_pkeyfile(ctx, &tpt_dummy_state,
1894 pkey ? pkey : ob->tls_certificate,
1897 ob->tls_preload.conn_certs = TRUE;
1902 debug_printf("TLS: not preloading client certs, for transport '%s'\n", t->name);
1905 if ( opt_set_and_noexpand(ob->tls_verify_certificates)
1906 && opt_unset_or_noexpand(ob->tls_crl))
1909 || tls_set_watch(CUS X509_get_default_cert_file(), FALSE)
1910 && tls_set_watch(ob->tls_verify_certificates, FALSE)
1911 && tls_set_watch(ob->tls_crl, FALSE)
1914 uschar * v_certs = ob->tls_verify_certificates;
1916 debug_printf("TLS: preloading CA bundle for transport '%s'\n", t->name);
1918 if (setup_certs(ctx, &v_certs,
1919 ob->tls_crl, dummy_host, &dummy_errstr) == OK)
1920 ob->tls_preload.cabundle = TRUE;
1925 debug_printf("TLS: not preloading CA bundle, for transport '%s'\n", t->name);
1927 #endif /*EXIM_HAVE_INOTIFY*/
1931 #if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
1932 /* Invalidate the creds cached, by dropping the current ones.
1933 Call when we notice one of the source files has changed. */
1936 tls_server_creds_invalidate(void)
1938 SSL_CTX_free(state_server.lib_state.lib_ctx);
1939 state_server.lib_state = null_tls_preload;
1940 #ifndef DISABLE_OCSP
1941 state_server.u_ocsp.server.file_expanded = NULL;
1947 tls_client_creds_invalidate(transport_instance * t)
1949 smtp_transport_options_block * ob = t->options_block;
1950 SSL_CTX_free(ob->tls_preload.lib_ctx);
1951 ob->tls_preload = null_tls_preload;
1957 tls_server_creds_invalidate(void)
1961 tls_client_creds_invalidate(transport_instance * t)
1964 #endif /*EXIM_HAVE_INOTIFY*/
1969 #ifndef DISABLE_OCSP
1971 debug_print_sn(const X509 * cert)
1973 X509_NAME * sn = X509_get_subject_name((X509 *)cert);
1974 static uschar name[256];
1975 if (X509_NAME_oneline(sn, CS name, sizeof(name)))
1977 name[sizeof(name)-1] = '\0';
1978 debug_printf(" %s\n", name);
1983 x509_stack_dump_cert_s_names(const STACK_OF(X509) * sk)
1986 debug_printf(" (null)\n");
1989 int idx = sk_X509_num(sk);
1991 debug_printf(" (empty)\n");
1993 while (--idx >= 0) debug_print_sn(sk_X509_value(sk, idx));
1998 x509_store_dump_cert_s_names(X509_STORE * store)
2000 # ifdef EXIM_HAVE_OPENSSL_X509_STORE_GET1_ALL_CERTS
2002 debug_printf(" (no store)\n");
2005 STACK_OF(X509) * sk = X509_STORE_get1_all_certs(store);
2006 x509_stack_dump_cert_s_names(sk);
2007 sk_X509_pop_free(sk, X509_free);
2011 #endif /*!DISABLE_OCSP*/
2016 #ifndef DISABLE_TLS_RESUME
2017 /* Manage the keysets used for encrypting the session tickets, on the server. */
2019 typedef struct { /* Session ticket encryption key */
2022 const EVP_CIPHER * aes_cipher;
2023 uschar aes_key[32]; /* size needed depends on cipher. aes_128 implies 128/8 = 16? */
2024 # if OPENSSL_VERSION_NUMBER < 0x30000000L
2025 const EVP_MD * hmac_hash;
2027 const uschar * hmac_hashname;
2029 uschar hmac_key[16];
2034 static exim_stek exim_tk; /* current key */
2035 static exim_stek exim_tk_old; /* previous key */
2040 time_t t = time(NULL);
2042 if (exim_tk.name[0])
2044 if (exim_tk.renew >= t) return;
2045 exim_tk_old = exim_tk;
2048 if (f.running_in_test_harness) ssl_session_timeout = TESTSUITE_TICKET_LIFE;
2050 DEBUG(D_tls) debug_printf("OpenSSL: %s STEK\n", exim_tk.name[0] ? "rotating" : "creating");
2051 if (RAND_bytes(exim_tk.aes_key, sizeof(exim_tk.aes_key)) <= 0) return;
2052 if (RAND_bytes(exim_tk.hmac_key, sizeof(exim_tk.hmac_key)) <= 0) return;
2053 if (RAND_bytes(exim_tk.name+1, sizeof(exim_tk.name)-1) <= 0) return;
2055 exim_tk.name[0] = 'E';
2056 exim_tk.aes_cipher = EVP_aes_256_cbc();
2057 # if OPENSSL_VERSION_NUMBER < 0x30000000L
2058 exim_tk.hmac_hash = EVP_sha256();
2060 exim_tk.hmac_hashname = US "sha256";
2062 exim_tk.expire = t + ssl_session_timeout;
2063 exim_tk.renew = t + ssl_session_timeout/2;
2069 if (!exim_tk.name[0]) return NULL;
2074 tk_find(const uschar * name)
2076 return memcmp(name, exim_tk.name, sizeof(exim_tk.name)) == 0 ? &exim_tk
2077 : memcmp(name, exim_tk_old.name, sizeof(exim_tk_old.name)) == 0 ? &exim_tk_old
2084 # if OPENSSL_VERSION_NUMBER < 0x30000000L
2092 /*XXX will want these dependent on the ssl session strength */
2093 # if OPENSSL_VERSION_NUMBER < 0x30000000L
2094 HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
2095 key->hmac_hash, NULL);
2098 OSSL_PARAM params[3];
2099 uschar * hk = string_copy(key->hmac_hashname); /* need nonconst */
2100 params[0] = OSSL_PARAM_construct_octet_string("key", key->hmac_key, sizeof(key->hmac_key));
2101 params[1] = OSSL_PARAM_construct_utf8_string("digest", CS hk, 0);
2102 params[2] = OSSL_PARAM_construct_end();
2103 if (EVP_MAC_CTX_set_params(hctx, params) == 0)
2105 DEBUG(D_tls) debug_printf("EVP_MAC_CTX_set_params: %s\n",
2106 ERR_reason_error_string(ERR_get_error()));
2107 return 0; /* error in mac initialisation */
2114 /* Callback for session tickets, on server */
2116 ticket_key_callback(SSL * ssl, uschar key_name[16],
2117 uschar * iv, EVP_CIPHER_CTX * c_ctx,
2118 # if OPENSSL_VERSION_NUMBER < 0x30000000L
2125 tls_support * tlsp = state_server.tlsp;
2130 DEBUG(D_tls) debug_printf("ticket_key_callback: create new session\n");
2131 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
2133 if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) <= 0)
2134 return -1; /* insufficient random */
2136 if (!(key = tk_current())) /* current key doesn't exist or isn't valid */
2137 return 0; /* key couldn't be created */
2138 memcpy(key_name, key->name, 16);
2139 DEBUG(D_tls) debug_printf("STEK expire " TIME_T_FMT "\n", key->expire - time(NULL));
2141 if (tk_hmac_init(hctx, key) == 0) return 0;
2142 EVP_EncryptInit_ex(c_ctx, key->aes_cipher, NULL, key->aes_key, iv);
2144 DEBUG(D_tls) debug_printf("ticket created\n");
2149 time_t now = time(NULL);
2151 DEBUG(D_tls) debug_printf("ticket_key_callback: retrieve session\n");
2152 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
2154 if (!(key = tk_find(key_name)) || key->expire < now)
2158 debug_printf("ticket not usable (%s)\n", key ? "expired" : "not found");
2159 if (key) debug_printf("STEK expire " TIME_T_FMT "\n", key->expire - now);
2164 if (tk_hmac_init(hctx, key) == 0) return 0;
2165 EVP_DecryptInit_ex(c_ctx, key->aes_cipher, NULL, key->aes_key, iv);
2167 DEBUG(D_tls) debug_printf("ticket usable, STEK expire " TIME_T_FMT "\n", key->expire - now);
2169 /* The ticket lifetime and renewal are the same as the STEK lifetime and
2170 renewal, which is overenthusiastic. A factor of, say, 3x longer STEK would
2171 be better. To do that we'd have to encode ticket lifetime in the name as
2172 we don't yet see the restored session. Could check posthandshake for TLS1.3
2173 and trigger a new ticket then, but cannot do that for TLS1.2 */
2174 return key->renew < now ? 2 : 1;
2177 #endif /* !DISABLE_TLS_RESUME */
2182 setup_cert_verify(SSL_CTX * ctx, BOOL optional,
2183 int (*cert_vfy_cb)(int, X509_STORE_CTX *))
2185 /* If verification is optional, don't fail if no certificate */
2187 SSL_CTX_set_verify(ctx,
2188 SSL_VERIFY_PEER | (optional ? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
2193 /*************************************************
2194 * Callback to handle SNI *
2195 *************************************************/
2197 /* Called when acting as server during the TLS session setup if a Server Name
2198 Indication extension was sent by the client.
2200 API documentation is OpenSSL s_server.c implementation.
2203 s SSL* of the current session
2204 ad unknown (part of OpenSSL API) (unused)
2205 arg Callback of "our" registered data
2207 Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
2209 XXX might need to change to using ClientHello callback,
2210 per https://www.openssl.org/docs/manmaster/man3/SSL_client_hello_cb_fn.html
2213 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
2215 tls_servername_cb(SSL * s, int * ad ARG_UNUSED, void * arg)
2217 const char * servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
2218 exim_openssl_state_st * state = (exim_openssl_state_st *) arg;
2220 int old_pool = store_pool;
2224 return SSL_TLSEXT_ERR_OK;
2226 DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
2227 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
2229 /* Make the extension value available for expansion */
2230 store_pool = POOL_PERM;
2231 tls_in.sni = string_copy_taint(US servername, GET_TAINTED);
2232 store_pool = old_pool;
2234 if (!reexpand_tls_files_for_sni)
2235 return SSL_TLSEXT_ERR_OK;
2237 /* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
2238 not confident that memcpy wouldn't break some internal reference counting.
2239 Especially since there's a references struct member, which would be off. */
2241 if (lib_ctx_new(&server_sni, NULL, &errstr) != OK)
2244 /* Not sure how many of these are actually needed, since SSL object
2245 already exists. Might even need this selfsame callback, for reneg? */
2248 SSL_CTX * ctx = state_server.lib_state.lib_ctx;
2249 SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(ctx));
2250 SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(ctx));
2251 #ifdef OPENSSL_MIN_PROTO_VERSION
2252 SSL_CTX_set_min_proto_version(server_sni, SSL3_VERSION);
2254 SSL_CTX_set_options(server_sni, SSL_CTX_get_options(ctx));
2255 SSL_CTX_clear_options(server_sni, ~SSL_CTX_get_options(ctx));
2256 SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(ctx));
2257 SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
2258 SSL_CTX_set_tlsext_servername_arg(server_sni, state);
2261 if ( !init_dh(server_sni, state->dhparam, &errstr)
2262 || !init_ecdh(server_sni, &errstr)
2266 if ( state->server_cipher_list
2267 && !SSL_CTX_set_cipher_list(server_sni, CS state->server_cipher_list))
2270 #ifndef DISABLE_OCSP
2271 if (state->u_ocsp.server.file)
2273 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
2274 SSL_CTX_set_tlsext_status_arg(server_sni, state);
2279 uschar * v_certs = tls_verify_certificates;
2280 if ((rc = setup_certs(server_sni, &v_certs, tls_crl, NULL,
2284 if (v_certs && *v_certs)
2285 setup_cert_verify(server_sni, FALSE, verify_callback_server);
2288 /* do this after setup_certs, because this can require the certs for verifying
2289 OCSP information. */
2290 if ((rc = tls_expand_session_files(server_sni, state, &errstr)) != OK)
2293 DEBUG(D_tls) debug_printf("Switching SSL context.\n");
2294 SSL_set_SSL_CTX(s, server_sni);
2295 return SSL_TLSEXT_ERR_OK;
2298 log_write(0, LOG_MAIN|LOG_PANIC, "%s", errstr);
2299 return SSL_TLSEXT_ERR_ALERT_FATAL;
2301 #endif /* EXIM_HAVE_OPENSSL_TLSEXT */
2306 #ifdef EXIM_HAVE_ALPN
2307 /*************************************************
2308 * Callback to handle ALPN *
2309 *************************************************/
2311 /* Called on server if tls_alpn nonblank after expansion,
2312 when client offers ALPN, after the SNI callback.
2313 If set and not matching the list then we dump the connection */
2316 tls_server_alpn_cb(SSL *ssl, const uschar ** out, uschar * outlen,
2317 const uschar * in, unsigned int inlen, void * arg)
2319 server_seen_alpn = TRUE;
2322 debug_printf("Received TLS ALPN offer:");
2323 for (int pos = 0, siz; pos < inlen; pos += siz+1)
2326 if (pos + 1 + siz > inlen) siz = inlen - pos - 1;
2327 debug_printf(" '%.*s'", siz, in + pos + 1);
2329 debug_printf(". Our list: '%s'\n", tls_alpn);
2332 /* Look for an acceptable ALPN */
2334 if ( inlen > 1 /* at least one name */
2335 && in[0]+1 == inlen /* filling the vector, so exactly one name */
2338 const uschar * list = tls_alpn;
2340 for (uschar * name; name = string_nextinlist(&list, &sep, NULL, 0); )
2341 if (Ustrncmp(in+1, name, in[0]) == 0)
2343 *out = in+1; /* we checked for exactly one, so can just point to it */
2345 return SSL_TLSEXT_ERR_OK; /* use ALPN */
2349 /* More than one name from clilent, or name did not match our list. */
2351 /* This will be fatal to the TLS conn; would be nice to kill TCP also.
2352 Maybe as an option in future; for now leave control to the config (must-tls). */
2354 DEBUG(D_tls) debug_printf("TLS ALPN rejected\n");
2355 return SSL_TLSEXT_ERR_ALERT_FATAL;
2357 #endif /* EXIM_HAVE_ALPN */
2361 #ifndef DISABLE_OCSP
2363 /*************************************************
2364 * Callback to handle OCSP Stapling *
2365 *************************************************/
2367 /* Called when acting as server during the TLS session setup if the client
2368 requests OCSP information with a Certificate Status Request.
2370 Documentation via openssl s_server.c and the Apache patch from the OpenSSL
2376 tls_server_stapling_cb(SSL *s, void *arg)
2378 const exim_openssl_state_st * state = arg;
2379 ocsp_resplist * olist = state->u_ocsp.server.olist;
2380 uschar * response_der; /*XXX blob */
2381 int response_der_len;
2384 debug_printf("Received TLS status request (OCSP stapling); %s response list\n",
2385 olist ? "have" : "lack");
2387 tls_in.ocsp = OCSP_NOT_RESP;
2389 return SSL_TLSEXT_ERR_NOACK;
2391 #ifdef EXIM_HAVE_OPESSL_GET0_SERIAL
2393 const X509 * cert_sent = SSL_get_certificate(s);
2394 const ASN1_INTEGER * cert_serial = X509_get0_serialNumber(cert_sent);
2395 const BIGNUM * cert_bn = ASN1_INTEGER_to_BN(cert_serial, NULL);
2397 for (; olist; olist = olist->next)
2399 OCSP_BASICRESP * bs = OCSP_response_get1_basic(olist->resp);
2400 const OCSP_SINGLERESP * single = OCSP_resp_get0(bs, 0);
2401 const OCSP_CERTID * cid = OCSP_SINGLERESP_get0_id(single);
2402 ASN1_INTEGER * res_cert_serial;
2403 const BIGNUM * resp_bn;
2404 ASN1_OCTET_STRING * res_cert_iNameHash;
2407 (void) OCSP_id_get0_info(&res_cert_iNameHash, NULL, NULL, &res_cert_serial,
2408 (OCSP_CERTID *) cid);
2409 resp_bn = ASN1_INTEGER_to_BN(res_cert_serial, NULL);
2413 debug_printf("cert serial: %s\n", BN_bn2hex(cert_bn));
2414 debug_printf("resp serial: %s\n", BN_bn2hex(resp_bn));
2417 if (BN_cmp(cert_bn, resp_bn) == 0)
2419 DEBUG(D_tls) debug_printf("matched serial for ocsp\n");
2421 /*XXX TODO: check the rest of the list for duplicate matches.
2422 If any, need to also check the Issuer Name hash.
2423 Without this, we will provide the wrong status in the case of
2428 DEBUG(D_tls) debug_printf("not match serial for ocsp\n");
2432 DEBUG(D_tls) debug_printf("failed to find match for ocsp\n");
2433 return SSL_TLSEXT_ERR_NOACK;
2439 DEBUG(D_tls) debug_printf("OpenSSL version too early to support multi-leaf OCSP\n");
2440 return SSL_TLSEXT_ERR_NOACK;
2444 /*XXX could we do the i2d earlier, rather than during the callback? */
2445 response_der = NULL;
2446 response_der_len = i2d_OCSP_RESPONSE(olist->resp, &response_der);
2447 if (response_der_len <= 0)
2448 return SSL_TLSEXT_ERR_NOACK;
2450 SSL_set_tlsext_status_ocsp_resp(state_server.lib_state.lib_ssl,
2451 response_der, response_der_len);
2452 tls_in.ocsp = OCSP_VFIED;
2453 return SSL_TLSEXT_ERR_OK;
2458 add_chain_to_store(X509_STORE * store, STACK_OF(X509) * sk,
2459 const char * debug_text)
2465 debug_printf("chain for %s:\n", debug_text);
2466 x509_stack_dump_cert_s_names(sk);
2469 if ((idx = sk_X509_num(sk)) > 0)
2471 X509_STORE_add_cert(store, sk_X509_value(sk, idx));
2476 tls_client_stapling_cb(SSL * ssl, void * arg)
2478 exim_openssl_state_st * cbinfo = arg;
2479 const unsigned char * p;
2481 OCSP_RESPONSE * rsp;
2482 OCSP_BASICRESP * bs;
2485 DEBUG(D_tls) debug_printf("Received TLS status callback (OCSP stapling):\n");
2486 len = SSL_get_tlsext_status_ocsp_resp(ssl, &p);
2488 { /* Expect this when we requested ocsp but got none */
2489 if (SSL_session_reused(ssl) && tls_out.ocsp == OCSP_VFIED)
2491 DEBUG(D_tls) debug_printf(" null, but resumed; ocsp vfy stored with session is good\n");
2495 if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
2496 log_write(0, LOG_MAIN, "Required TLS certificate status not received");
2498 DEBUG(D_tls) debug_printf(" null\n");
2500 if (!cbinfo->u_ocsp.client.verify_required)
2502 cbinfo->u_ocsp.client.verify_errstr =
2503 US"(SSL_connect) Required TLS certificate status not received";
2507 if (!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
2509 tls_out.ocsp = OCSP_FAILED; /*XXX should use tlsp-> to permit concurrent outbound */
2510 if (LOGGING(tls_cipher))
2511 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
2513 DEBUG(D_tls) debug_printf(" parse error\n");
2517 if (!(bs = OCSP_response_get1_basic(rsp)))
2519 tls_out.ocsp = OCSP_FAILED;
2520 if (LOGGING(tls_cipher))
2521 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
2523 DEBUG(D_tls) debug_printf(" error parsing response\n");
2524 OCSP_RESPONSE_free(rsp);
2528 /* We'd check the nonce here if we'd put one in the request. */
2529 /* However that would defeat cacheability on the server so we don't. */
2531 /* This section of code reworked from OpenSSL apps source;
2532 The OpenSSL Project retains copyright:
2533 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
2537 X509_STORE * verify_store = NULL;
2538 BOOL have_verified_OCSP_signer = FALSE;
2539 #ifndef EXIM_HAVE_OCSP_RESP_COUNT
2540 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
2543 DEBUG(D_tls) bp = BIO_new(BIO_s_mem());
2545 /* Use the CA & chain that verified the server cert to verify the stapled info */
2546 /*XXX could we do an event here, for observability of ocsp? What reasonable data could we give access to? */
2547 /* Dates would be a start. Do we need another opaque variable type, as for certs, plus an extract expansion? */
2550 /* If this routine is not available, we've avoided [in tls_client_start()]
2551 asking for certificate-status under DANE, so this callback won't run for
2552 that combination. It still will for non-DANE. */
2554 #ifdef EXIM_HAVE_OPENSSL_OCSP_RESP_GET0_SIGNER
2557 if ( tls_out.dane_verified
2558 && (have_verified_OCSP_signer =
2559 OCSP_resp_get0_signer(bs, &signer, SSL_get0_verified_chain(ssl)) == 1))
2562 debug_printf("signer for OCSP basicres is in the verified chain;"
2563 " shortcut its verification\n");
2568 STACK_OF(X509) * verified_chain;
2570 verify_store = X509_STORE_new();
2572 SSL_get0_chain_certs(ssl, &verified_chain);
2573 add_chain_to_store(verify_store, verified_chain,
2574 "'current cert' per SSL_get0_chain_certs()");
2575 #ifdef EXIM_HAVE_SSL_GET0_VERIFIED_CHAIN
2576 verified_chain = SSL_get0_verified_chain(ssl);
2577 add_chain_to_store(verify_store, verified_chain,
2578 "SSL_get0_verified_chain()");
2585 debug_printf("Untrusted intermediate cert stack (from SSL_get_peer_cert_chain()):\n");
2586 x509_stack_dump_cert_s_names(SSL_get_peer_cert_chain(ssl));
2588 debug_printf("will use this CA store for verifying basicresp:\n");
2589 x509_store_dump_cert_s_names(verify_store);
2591 /* OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
2593 debug_printf("certs contained in basicresp:\n");
2594 x509_stack_dump_cert_s_names(
2595 #ifdef EXIM_HAVE_OPESSL_OCSP_RESP_GET0_CERTS
2596 OCSP_resp_get0_certs(bs)
2602 #ifdef EXIM_HAVE_OPENSSL_X509_STORE_GET1_ALL_CERTS
2603 /* could do via X509_STORE_get0_objects(); not worth it just for debug info */
2606 if (OCSP_resp_get0_signer(bs, &signer, X509_STORE_get1_all_certs(verify_store)) == 1)
2608 debug_printf("found signer for basicres:\n");
2609 debug_print_sn(signer);
2613 debug_printf("failed to find signer for basicres:\n");
2614 ERR_print_errors(bp);
2623 /* Under DANE the trust-anchor (at least in TA mode) is indicated by the TLSA
2624 record in DNS, and probably is not the root of the chain of certificates. So
2625 accept a partial chain for that case (and hope that anchor is visible for
2626 verifying the OCSP stapling).
2627 XXX for EE mode it won't even be that. Does that make OCSP useless for EE?
2629 Worse, for LetsEncrypt-mode (ocsp signer is leaf-signer) under DANE, the
2630 data used within OpenSSL for the signer has nil pointers for signing
2631 algorithms - and a crash results. Avoid this by shortcutting verification,
2632 having determined that the OCSP signer is in the (DANE-)validated set.
2635 #ifndef OCSP_PARTIAL_CHAIN /* defined for 3.0.0 onwards */
2636 # define OCSP_PARTIAL_CHAIN 0
2639 if ((i = OCSP_basic_verify(bs, SSL_get_peer_cert_chain(ssl),
2642 tls_out.dane_verified
2643 ? have_verified_OCSP_signer
2644 ? OCSP_NOVERIFY | OCSP_NOEXPLICIT
2645 : OCSP_PARTIAL_CHAIN | OCSP_NOEXPLICIT
2648 OCSP_NOEXPLICIT)) <= 0)
2650 DEBUG(D_tls) debug_printf("OCSP_basic_verify() fail: returned %d\n", i);
2651 if (ERR_peek_error())
2653 tls_out.ocsp = OCSP_FAILED;
2654 if (LOGGING(tls_cipher))
2656 static uschar peerdn[256];
2657 const uschar * errstr;;
2659 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
2660 ERR_peek_error_all(NULL, NULL, NULL, CCSS &errstr, NULL);
2663 errstr = CUS ERR_reason_error_string(ERR_peek_error());
2665 X509_NAME_oneline(X509_get_subject_name(SSL_get_peer_certificate(ssl)),
2666 CS peerdn, sizeof(peerdn));
2667 log_write(0, LOG_MAIN,
2668 "[%s] %s Received TLS cert (DN: '%.*s') status response, "
2669 "itself unverifiable: %s",
2670 deliver_host_address, deliver_host,
2671 (int)sizeof(peerdn), peerdn, errstr);
2675 BIO_printf(bp, "OCSP response verify failure\n");
2676 ERR_print_errors(bp);
2679 int len = (int) BIO_get_mem_data(bp, CSS &s);
2680 if (len > 0) debug_printf("%.*s", len, s);
2683 OCSP_RESPONSE_print(bp, rsp, 0);
2688 DEBUG(D_tls) debug_printf("no explicit trust for OCSP signing"
2689 " in the root CA certificate; ignoring\n");
2692 DEBUG(D_tls) debug_printf("OCSP response well-formed and signed OK\n");
2694 /*XXX So we have a good stapled OCSP status. How do we know
2695 it is for the cert of interest? OpenSSL 1.1.0 has a routine
2696 OCSP_resp_find_status() which matches on a cert id, which presumably
2697 we should use. Making an id needs OCSP_cert_id_new(), which takes
2698 issuerName, issuerKey, serialNumber. Are they all in the cert?
2700 For now, carry on blindly accepting the resp. */
2703 #ifdef EXIM_HAVE_OCSP_RESP_COUNT
2704 OCSP_resp_count(bs) - 1;
2706 sk_OCSP_SINGLERESP_num(sresp) - 1;
2710 OCSP_SINGLERESP * single = OCSP_resp_get0(bs, idx);
2712 ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
2714 /*XXX so I can see putting a loop in here to handle a rsp with >1 singleresp
2715 - but what happens with a GnuTLS-style input?
2717 we could do with a debug label for each singleresp
2718 - it has a certID with a serialNumber, but I see no API to get that
2720 status = OCSP_single_get0_status(single, &reason, &rev,
2721 &thisupd, &nextupd);
2725 time_print(bp, "This OCSP Update", thisupd);
2726 if (nextupd) time_print(bp, "Next OCSP Update", nextupd);
2728 if (!OCSP_check_validity(thisupd, nextupd,
2729 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
2731 tls_out.ocsp = OCSP_FAILED;
2732 DEBUG(D_tls) ERR_print_errors(bp);
2733 cbinfo->u_ocsp.client.verify_errstr =
2734 US"(SSL_connect) Server certificate status is out-of-date";
2735 log_write(0, LOG_MAIN, "OCSP dates invalid");
2739 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
2740 OCSP_cert_status_str(status));
2743 case V_OCSP_CERTSTATUS_GOOD:
2744 continue; /* the idx loop */
2745 case V_OCSP_CERTSTATUS_REVOKED:
2746 cbinfo->u_ocsp.client.verify_errstr =
2747 US"(SSL_connect) Server certificate revoked";
2748 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
2749 reason != -1 ? "; reason: " : "",
2750 reason != -1 ? OCSP_crl_reason_str(reason) : "");
2751 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
2754 cbinfo->u_ocsp.client.verify_errstr =
2755 US"(SSL_connect) Server certificate has unknown status";
2756 log_write(0, LOG_MAIN,
2757 "Server certificate status unknown, in OCSP stapling");
2765 tls_out.ocsp = OCSP_VFIED;
2769 tls_out.ocsp = OCSP_FAILED;
2770 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
2774 int len = (int) BIO_get_mem_data(bp, CSS &s);
2775 if (len > 0) debug_printf("%.*s", len, s);
2780 OCSP_RESPONSE_free(rsp);
2783 #endif /*!DISABLE_OCSP*/
2786 /*************************************************
2787 * Initialize for TLS *
2788 *************************************************/
2789 /* Called from both server and client code, to do preliminary initialization
2790 of the library. We allocate and return a context structure.
2793 host connected host, if client; NULL if server
2794 ob transport options block, if client; NULL if server
2795 ocsp_file file of stapling info (server); flag for require ocsp (client)
2796 addr address if client; NULL if server (for some randomness)
2797 caller_state place to put pointer to allocated state-struct
2798 errstr error string pointer
2800 Returns: OK/DEFER/FAIL
2804 tls_init(host_item * host, smtp_transport_options_block * ob,
2805 #ifndef DISABLE_OCSP
2808 address_item *addr, exim_openssl_state_st ** caller_state,
2809 tls_support * tlsp, uschar ** errstr)
2812 exim_openssl_state_st * state;
2815 if (host) /* client */
2817 state = store_malloc(sizeof(exim_openssl_state_st));
2818 memset(state, 0, sizeof(*state));
2819 state->certificate = ob->tls_certificate;
2820 state->privatekey = ob->tls_privatekey;
2821 state->is_server = FALSE;
2822 state->dhparam = NULL;
2823 state->lib_state = ob->tls_preload;
2827 state = &state_server;
2828 state->certificate = tls_certificate;
2829 state->privatekey = tls_privatekey;
2830 state->is_server = TRUE;
2831 state->dhparam = tls_dhparam;
2832 state->lib_state = state_server.lib_state;
2838 if (!state->lib_state.pri_string)
2839 state->server_cipher_list = NULL;
2841 #ifndef DISABLE_EVENT
2842 state->event_action = NULL;
2847 /* It turns out that we need to seed the random number generator this early in
2848 order to get the full complement of ciphers to work. It took me roughly a day
2849 of work to discover this by experiment.
2851 On systems that have /dev/urandom, SSL may automatically seed itself from
2852 there. Otherwise, we have to make something up as best we can. Double check
2855 Although we likely called this before, at daemon startup, this is a chance
2856 to mix in further variable info (time, pid) if needed. */
2858 if (!lib_rand_init(addr))
2859 return tls_error(US"RAND_status", host,
2860 US"unable to seed random number generator", errstr);
2862 /* Apply administrator-supplied work-arounds.
2863 Historically we applied just one requested option,
2864 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
2865 moved to an administrator-controlled list of options to specify and
2866 grandfathered in the first one as the default value for "openssl_options".
2868 No OpenSSL version number checks: the options we accept depend upon the
2869 availability of the option value macros from OpenSSL. */
2872 if (!tls_openssl_options_parse(openssl_options, &init_options))
2873 return tls_error(US"openssl_options parsing failed", host, NULL, errstr);
2875 /* Create a context.
2876 The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
2877 negotiation in the different methods; as far as I can tell, the only
2878 *_{server,client}_method which allows negotiation is SSLv23, which exists even
2879 when OpenSSL is built without SSLv2 support.
2880 By disabling with openssl_options, we can let admins re-enable with the
2883 if (!(ctx = state->lib_state.lib_ctx))
2885 if ((rc = lib_ctx_new(&ctx, host, errstr)) != OK)
2887 state->lib_state.lib_ctx = ctx;
2890 #ifndef DISABLE_TLS_RESUME
2891 tlsp->resumption = RESUME_SUPPORTED;
2895 #ifndef DISABLE_TLS_RESUME
2896 /* Should the server offer session resumption? */
2897 if (!host && verify_check_host(&tls_resumption_hosts) == OK)
2899 DEBUG(D_tls) debug_printf("tls_resumption_hosts overrides openssl_options\n");
2900 init_options &= ~SSL_OP_NO_TICKET;
2901 tlsp->resumption |= RESUME_SERVER_TICKET; /* server will give ticket on request */
2902 tlsp->host_resumable = TRUE;
2906 #ifdef OPENSSL_MIN_PROTO_VERSION
2907 SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);
2909 DEBUG(D_tls) debug_printf("setting SSL CTX options: %016lx\n", init_options);
2910 SSL_CTX_set_options(ctx, init_options);
2912 uint64_t readback = SSL_CTX_clear_options(ctx, ~init_options);
2913 if (readback != init_options)
2914 return tls_error(string_sprintf(
2915 "SSL_CTX_set_option(%#lx)", init_options), host, NULL, errstr);
2919 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
2921 /* We'd like to disable session cache unconditionally, but foolish Outlook
2922 Express clients then give up the first TLS connection and make a second one
2923 (which works). Only when there is an IMAP service on the same machine.
2924 Presumably OE is trying to use the cache for A on B. Leave it enabled for
2925 now, until we work out a decent way of presenting control to the config. It
2926 will never be used because we use a new context every time. */
2928 (void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
2931 /* Initialize with DH parameters if supplied */
2932 /* Initialize ECDH temp key parameter selection */
2936 if (state->lib_state.dh)
2937 { DEBUG(D_tls) debug_printf("TLS: DH params were preloaded\n"); }
2939 if (!init_dh(ctx, state->dhparam, errstr)) return DEFER;
2941 if (state->lib_state.ecdh)
2942 { DEBUG(D_tls) debug_printf("TLS: ECDH curve was preloaded\n"); }
2944 if (!init_ecdh(ctx, errstr)) return DEFER;
2947 /* Set up certificate and key (and perhaps OCSP info) */
2949 if (state->lib_state.conn_certs)
2952 debug_printf("TLS: %s certs were preloaded\n", host ? "client":"server");
2956 #ifndef DISABLE_OCSP
2957 if (!host) /* server */
2959 state->u_ocsp.server.file = ocsp_file;
2960 state->u_ocsp.server.file_expanded = NULL;
2961 state->u_ocsp.server.olist = NULL;
2964 if ((rc = tls_expand_session_files(ctx, state, errstr)) != OK) return rc;
2967 /* If we need to handle SNI or OCSP, do so */
2969 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
2970 # ifndef DISABLE_OCSP
2971 if (!host && !(state->u_ocsp.server.verify_stack = sk_X509_new_null()))
2973 DEBUG(D_tls) debug_printf("failed to create stack for stapling verify\n");
2978 if (!host) /* server */
2980 # ifndef DISABLE_OCSP
2981 /* We check u_ocsp.server.file, not server.olist, because we care about if
2982 the option exists, not what the current expansion might be, as SNI might
2983 change the certificate and OCSP file in use between now and the time the
2984 callback is invoked. */
2985 if (state->u_ocsp.server.file)
2987 SSL_CTX_set_tlsext_status_cb(ctx, tls_server_stapling_cb);
2988 SSL_CTX_set_tlsext_status_arg(ctx, state);
2991 /* We always do this, so that $tls_sni is available even if not used in
2993 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
2994 SSL_CTX_set_tlsext_servername_arg(ctx, state);
2996 # ifdef EXIM_HAVE_ALPN
2997 if (tls_alpn && *tls_alpn)
3000 if ( expand_check(tls_alpn, US"tls_alpn", &exp_alpn, errstr)
3001 && *exp_alpn && !isblank(*exp_alpn))
3003 tls_alpn = exp_alpn; /* subprocess so ok to overwrite */
3004 SSL_CTX_set_alpn_select_cb(ctx, tls_server_alpn_cb, state);
3011 # ifndef DISABLE_OCSP
3013 if(ocsp_file) /* wanting stapling */
3015 if (!(state->u_ocsp.client.verify_store = X509_STORE_new()))
3017 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
3021 SSL_CTX_set_tlsext_status_cb(ctx, tls_client_stapling_cb);
3022 SSL_CTX_set_tlsext_status_arg(ctx, state);
3025 #endif /*EXIM_HAVE_OPENSSL_TLSEXT*/
3027 state->verify_cert_hostnames = NULL;
3029 #ifdef EXIM_HAVE_EPHEM_RSA_KEX
3030 /* Set up the RSA callback */
3031 SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
3034 /* Finally, set the session cache timeout, and we are done.
3035 The period appears to be also used for (server-generated) session tickets */
3037 SSL_CTX_set_timeout(ctx, ssl_session_timeout);
3038 DEBUG(D_tls) debug_printf("Initialized TLS\n");
3040 *caller_state = state;
3048 /*************************************************
3049 * Get name of cipher in use *
3050 *************************************************/
3053 Argument: pointer to an SSL structure for the connection
3054 pointer to number of bits for cipher
3055 Returns: pointer to allocated string in perm-pool
3059 construct_cipher_name(SSL * ssl, const uschar * ver, int * bits)
3061 int pool = store_pool;
3062 /* With OpenSSL 1.0.0a, 'c' needs to be const but the documentation doesn't
3063 yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
3064 the accessor functions use const in the prototype. */
3066 const SSL_CIPHER * c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
3069 SSL_CIPHER_get_bits(c, bits);
3071 store_pool = POOL_PERM;
3072 s = string_sprintf("%s:%s:%u", ver, SSL_CIPHER_get_name(c), *bits);
3074 DEBUG(D_tls) debug_printf("Cipher: %s\n", s);
3079 /* Get IETF-standard name for ciphersuite.
3080 Argument: pointer to an SSL structure for the connection
3081 Returns: pointer to string
3084 static const uschar *
3085 cipher_stdname_ssl(SSL * ssl)
3087 #ifdef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
3088 return CUS SSL_CIPHER_standard_name(SSL_get_current_cipher(ssl));
3090 ushort id = 0xffff & SSL_CIPHER_get_id(SSL_get_current_cipher(ssl));
3091 return cipher_stdname(id >> 8, id & 0xff);
3096 static const uschar *
3097 tlsver_name(SSL * ssl)
3100 int pool = store_pool;
3102 store_pool = POOL_PERM;
3103 s = string_copy(US SSL_get_version(ssl));
3105 if ((p = Ustrchr(s, 'v'))) /* TLSv1.2 -> TLS1.2 */
3106 for (;; p++) if (!(*p = p[1])) break;
3112 peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned siz)
3114 /*XXX we might consider a list-of-certs variable for the cert chain.
3115 SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
3116 in list-handling functions, also consider the difference between the entire
3117 chain and the elements sent by the peer. */
3119 tlsp->peerdn = NULL;
3121 /* Will have already noted peercert on a verify fail; possibly not the leaf */
3122 if (!tlsp->peercert)
3123 tlsp->peercert = SSL_get_peer_certificate(ssl);
3124 /* Beware anonymous ciphers which lead to server_cert being NULL */
3126 if (!X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, siz))
3127 { DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n"); }
3130 int oldpool = store_pool;
3132 peerdn[siz-1] = '\0'; /* paranoia */
3133 store_pool = POOL_PERM;
3134 tlsp->peerdn = string_copy(peerdn);
3135 store_pool = oldpool;
3137 /* We used to set CV in the cert-verify callbacks (either plain or dane)
3138 but they don't get called on session-resumption. So use the official
3139 interface, which uses the resumed value. Unfortunately this claims verified
3140 when it actually failed but we're in try-verify mode, due to us wanting the
3141 knowlege that it failed so needing to have the callback and forcing a
3142 permissive return. If we don't force it, the TLS startup is failed.
3143 The extra bit of information is set in verify_override in the cb, stashed
3144 for resumption next to the TLS session, and used here. */
3146 if (!tlsp->verify_override)
3147 tlsp->certificate_verified =
3149 tlsp->dane_verified ||
3151 SSL_get_verify_result(ssl) == X509_V_OK;
3159 /*************************************************
3160 * Set up for verifying certificates *
3161 *************************************************/
3163 #ifndef DISABLE_OCSP
3164 /* In the server, load certs from file, return TRUE on success */
3167 chain_from_pem_file(const uschar * file, STACK_OF(X509) ** vp)
3170 STACK_OF(X509) * verify_stack = *vp;
3173 while (sk_X509_num(verify_stack) > 0)
3174 X509_free(sk_X509_pop(verify_stack));
3176 verify_stack = sk_X509_new_null();
3178 if (!(bp = BIO_new_file(CS file, "r"))) return FALSE;
3179 for (X509 * x; x = PEM_read_bio_X509(bp, NULL, 0, NULL); )
3180 sk_X509_push(verify_stack, x);
3189 /* Called by both client and server startup; on the server possibly
3190 repeated after a Server Name Indication.
3193 sctx SSL_CTX* to initialise
3194 certsp certs file, returned expanded
3195 crl CRL file or NULL
3196 host NULL in a server; the remote host in a client
3197 errstr error string pointer
3199 Returns: OK/DEFER/FAIL
3203 setup_certs(SSL_CTX * sctx, uschar ** certsp, uschar * crl, host_item * host,
3206 uschar * expcerts, * expcrl;
3208 if (!expand_check(*certsp, US"tls_verify_certificates", &expcerts, errstr))
3210 DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
3213 if (expcerts && *expcerts)
3215 /* Tell the library to use its compiled-in location for the system default
3216 CA bundle. Then add the ones specified in the config, if any. */
3218 if (!SSL_CTX_set_default_verify_paths(sctx))
3219 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL, errstr);
3221 if (Ustrcmp(expcerts, "system") != 0 && Ustrncmp(expcerts, "system,", 7) != 0)
3223 struct stat statbuf;
3225 if (Ustat(expcerts, &statbuf) < 0)
3227 log_write(0, LOG_MAIN|LOG_PANIC,
3228 "failed to stat %s for certificates", expcerts);
3234 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
3235 { file = NULL; dir = expcerts; }
3238 STACK_OF(X509) * verify_stack =
3239 #ifndef DISABLE_OCSP
3240 !host ? state_server.u_ocsp.server.verify_stack :
3243 STACK_OF(X509) ** vp = &verify_stack;
3245 file = expcerts; dir = NULL;
3246 #ifndef DISABLE_OCSP
3247 /* In the server if we will be offering an OCSP proof; load chain from
3248 file for verifying the OCSP proof at load time. */
3250 /*XXX Glitch! The file here is tls_verify_certs: the chain for verifying the client cert.
3251 This is inconsistent with the need to verify the OCSP proof of the server cert.
3253 /* *debug_printf("file for checking server ocsp stapling is: %s\n", file); */
3255 && statbuf.st_size > 0
3256 && state_server.u_ocsp.server.file
3257 && !chain_from_pem_file(file, vp)
3260 log_write(0, LOG_MAIN|LOG_PANIC,
3261 "failed to load cert chain from %s", file);
3267 /* If a certificate file is empty, the load function fails with an
3268 unhelpful error message. If we skip it, we get the correct behaviour (no
3269 certificates are recognized, but the error message is still misleading (it
3270 says no certificate was supplied). But this is better. */
3272 if ( (!file || statbuf.st_size > 0)
3273 && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
3274 return tls_error(US"SSL_CTX_load_verify_locations",
3275 host, NULL, errstr);
3277 /* On the server load the list of CAs for which we will accept certs, for
3278 sending to the client. This is only for the one-file
3279 tls_verify_certificates variant.
3280 If a list isn't loaded into the server, but some verify locations are set,
3281 the server end appears to make a wildcard request for client certs.
3282 Meanwhile, the client library as default behaviour *ignores* the list
3283 we send over the wire - see man SSL_CTX_set_client_cert_cb.
3284 Because of this, and that the dir variant is likely only used for
3285 the public-CA bundle (not for a private CA), not worth fixing. */
3289 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
3290 int i = sk_X509_NAME_num(names);
3292 if (!host) SSL_CTX_set_client_CA_list(sctx, names);
3293 DEBUG(D_tls) debug_printf("Added %d additional certificate authorit%s\n",
3294 i, i>1 ? "ies":"y");
3298 debug_printf("Added dir for additional certificate authorities\n");
3302 /* Handle a certificate revocation list. */
3304 #if OPENSSL_VERSION_NUMBER > 0x00907000L
3306 /* This bit of code is now the version supplied by Lars Mainka. (I have
3307 merely reformatted it into the Exim code style.)
3309 "From here I changed the code to add support for multiple crl's
3310 in pem format in one file or to support hashed directory entries in
3311 pem format instead of a file. This method now uses the library function
3312 X509_STORE_load_locations to add the CRL location to the SSL context.
3313 OpenSSL will then handle the verify against CA certs and CRLs by
3314 itself in the verify callback." */
3316 if (!expand_check(crl, US"tls_crl", &expcrl, errstr)) return DEFER;
3317 if (expcrl && *expcrl)
3319 struct stat statbufcrl;
3320 if (Ustat(expcrl, &statbufcrl) < 0)
3322 log_write(0, LOG_MAIN|LOG_PANIC,
3323 "failed to stat %s for certificates revocation lists", expcrl);
3328 /* is it a file or directory? */
3330 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
3331 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
3335 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
3341 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
3343 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
3344 return tls_error(US"X509_STORE_load_locations", host, NULL, errstr);
3346 /* setting the flags to check against the complete crl chain */
3348 X509_STORE_set_flags(cvstore,
3349 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
3353 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
3362 tls_dump_keylog(SSL * ssl)
3364 #ifdef EXIM_HAVE_OPENSSL_KEYLOG
3365 BIO * bp = BIO_new(BIO_s_mem());
3368 SSL_SESSION_print_keylog(bp, SSL_get_session(ssl));
3369 len = (int) BIO_get_mem_data(bp, CSS &s);
3370 if (len > 0) debug_printf("%.*s", len, s);
3376 /* Channel-binding info for authenticators
3377 See description in https://paquier.xyz/postgresql-2/channel-binding-openssl/
3382 tls_get_channel_binding(SSL * ssl, tls_support * tlsp, const void * taintval)
3387 #ifdef EXIM_HAVE_EXPORT_CHNL_BNGNG
3388 if (SSL_version(ssl) > TLS1_2_VERSION)
3390 /* It's not documented by OpenSSL how big the output buffer must be.
3391 The OpenSSL testcases use 80 bytes but don't say why. The GnuTLS impl only
3392 serves out 32B. RFC 9266 says it is 32B.
3393 Interop fails unless we use the same each end. */
3396 tlsp->channelbind_exporter = TRUE;
3397 taintval = GET_UNTAINTED;
3398 if (SSL_export_keying_material(ssl,
3399 s = store_get((int)len, taintval), len,
3400 "EXPORTER-Channel-Binding", (size_t) 24,
3407 len = SSL_get_peer_finished(ssl, &c, 0);
3408 len = SSL_get_peer_finished(ssl, s = store_get((int)len, taintval), len);
3413 int old_pool = store_pool;
3414 store_pool = POOL_PERM;
3415 tlsp->channelbinding = b64encode_taint(CUS s, (int)len, taintval);
3416 store_pool = old_pool;
3417 DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage %p %p\n", tlsp->channelbinding, tlsp);
3422 /*************************************************
3423 * Start a TLS session in a server *
3424 *************************************************/
3425 /* This is called when Exim is running as a server, after having received
3426 the STARTTLS command. It must respond to that command, and then negotiate
3430 errstr pointer to error message
3432 Returns: OK on success
3433 DEFER for errors before the start of the negotiation
3434 FAIL for errors during the negotiation; the server can't
3439 tls_server_start(uschar ** errstr)
3442 uschar * expciphers;
3443 exim_openssl_state_st * dummy_statep;
3446 static uschar peerdn[256];
3448 /* Check for previous activation */
3450 if (tls_in.active.sock >= 0)
3452 tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
3453 smtp_printf("554 Already in TLS\r\n", FALSE);
3457 /* Initialize the SSL library. If it fails, it will already have logged
3460 rc = tls_init(NULL, NULL,
3461 #ifndef DISABLE_OCSP
3464 NULL, &dummy_statep, &tls_in, errstr);
3465 if (rc != OK) return rc;
3466 ctx = state_server.lib_state.lib_ctx;
3468 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
3469 were historically separated by underscores. So that I can use either form in my
3470 tests, and also for general convenience, we turn underscores into hyphens here.
3472 XXX SSL_CTX_set_cipher_list() is replaced by SSL_CTX_set_ciphersuites()
3473 for TLS 1.3 . Since we do not call it at present we get the default list:
3474 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
3477 if (state_server.lib_state.pri_string)
3478 { DEBUG(D_tls) debug_printf("TLS: cipher list was preloaded\n"); }
3481 if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers, errstr))
3486 normalise_ciphers(&expciphers, tls_require_ciphers);
3487 if ((rc = server_load_ciphers(ctx, &state_server, expciphers, errstr)) != OK)
3492 /* If this is a host for which certificate verification is mandatory or
3493 optional, set up appropriately. */
3495 tls_in.certificate_verified = FALSE;
3497 tls_in.dane_verified = FALSE;
3499 server_verify_callback_called = FALSE;
3501 if (verify_check_host(&tls_verify_hosts) == OK)
3502 server_verify_optional = FALSE;
3503 else if (verify_check_host(&tls_try_verify_hosts) == OK)
3504 server_verify_optional = TRUE;
3509 uschar * v_certs = tls_verify_certificates;
3511 if (state_server.lib_state.cabundle)
3513 DEBUG(D_tls) debug_printf("TLS: CA bundle for server was preloaded\n");
3514 setup_cert_verify(ctx, server_verify_optional, verify_callback_server);
3518 if ((rc = setup_certs(ctx, &v_certs, tls_crl, NULL, errstr)) != OK)
3520 if (v_certs && *v_certs)
3521 setup_cert_verify(ctx, server_verify_optional, verify_callback_server);
3526 #ifndef DISABLE_TLS_RESUME
3527 # if OPENSSL_VERSION_NUMBER < 0x30000000L
3528 SSL_CTX_set_tlsext_ticket_key_cb(ctx, ticket_key_callback);
3529 /* despite working, appears to always return failure, so ignoring */
3531 SSL_CTX_set_tlsext_ticket_key_evp_cb(ctx, ticket_key_callback);
3532 /* despite working, appears to always return failure, so ignoring */
3536 #ifdef OPENSSL_HAVE_NUM_TICKETS
3537 # ifndef DISABLE_TLS_RESUME
3538 SSL_CTX_set_num_tickets(ctx, tls_in.host_resumable ? 1 : 0);
3540 SSL_CTX_set_num_tickets(ctx, 0); /* send no TLS1.3 stateful-tickets */
3545 /* Prepare for new connection */
3547 if (!(ssl = SSL_new(ctx)))
3548 return tls_error(US"SSL_new", NULL, NULL, errstr);
3549 state_server.lib_state.lib_ssl = ssl;
3551 /* Warning: we used to SSL_clear(ssl) here, it was removed.
3553 * With the SSL_clear(), we get strange interoperability bugs with
3554 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
3555 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
3557 * The SSL_clear() call is to let an existing SSL* be reused, typically after
3558 * session shutdown. In this case, we have a brand new object and there's no
3559 * obvious reason to immediately clear it. I'm guessing that this was
3560 * originally added because of incomplete initialisation which the clear fixed,
3561 * in some historic release.
3564 /* Set context and tell client to go ahead, except in the case of TLS startup
3565 on connection, where outputting anything now upsets the clients and tends to
3566 make them disconnect. We need to have an explicit fflush() here, to force out
3567 the response. Other smtp_printf() calls do not need it, because in non-TLS
3568 mode, the fflush() happens when smtp_getc() is called. */
3570 SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
3571 if (!tls_in.on_connect)
3573 smtp_printf("220 TLS go ahead\r\n", FALSE);
3577 /* Now negotiate the TLS session. We put our own timer on it, since it seems
3578 that the OpenSSL library doesn't. */
3580 SSL_set_wfd(ssl, fileno(smtp_out));
3581 SSL_set_rfd(ssl, fileno(smtp_in));
3582 SSL_set_accept_state(ssl);
3584 DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
3587 sigalrm_seen = FALSE;
3588 if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
3589 rc = SSL_accept(ssl);
3594 int error = SSL_get_error(ssl, rc);
3597 case SSL_ERROR_NONE:
3600 case SSL_ERROR_ZERO_RETURN:
3601 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
3602 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
3603 #ifndef DISABLE_EVENT
3604 (void) event_raise(event_action, US"tls:fail:connect", *errstr, NULL);
3606 if (SSL_get_shutdown(ssl) == SSL_RECEIVED_SHUTDOWN)
3609 tls_close(NULL, TLS_NO_SHUTDOWN);
3612 /* Handle genuine errors */
3616 int r = ERR_GET_REASON(ERR_peek_error());
3617 if ( r == SSL_R_WRONG_VERSION_NUMBER
3618 #ifdef SSL_R_VERSION_TOO_LOW
3619 || r == SSL_R_VERSION_TOO_LOW
3621 || r == SSL_R_UNKNOWN_PROTOCOL || r == SSL_R_UNSUPPORTED_PROTOCOL)
3622 s = string_sprintf("(%s)", SSL_get_version(ssl));
3623 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : s, errstr);
3624 #ifndef DISABLE_EVENT
3625 (void) event_raise(event_action, US"tls:fail:connect", *errstr, NULL);
3631 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
3632 if (error == SSL_ERROR_SYSCALL)
3636 *errstr = US"SSL_accept: TCP connection closed by peer";
3637 #ifndef DISABLE_EVENT
3638 (void) event_raise(event_action, US"tls:fail:connect", *errstr, NULL);
3642 DEBUG(D_tls) debug_printf(" - syscall %s\n", strerror(errno));
3644 (void) tls_error(US"SSL_accept", NULL,
3645 sigalrm_seen ? US"timed out"
3646 : ERR_peek_error() ? NULL : string_sprintf("ret %d", error),
3648 #ifndef DISABLE_EVENT
3649 (void) event_raise(event_action, US"tls:fail:connect", *errstr, NULL);
3655 DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
3656 ERR_clear_error(); /* Even success can leave errors in the stack. Seen with
3657 anon-authentication ciphersuite negotiated. */
3659 #ifndef DISABLE_TLS_RESUME
3660 if (SSL_session_reused(ssl))
3662 tls_in.resumption |= RESUME_USED;
3663 DEBUG(D_tls) debug_printf("Session reused\n");
3667 #ifdef EXIM_HAVE_ALPN
3668 /* If require-alpn, check server_seen_alpn here. Else abort TLS */
3669 if (!tls_alpn || !*tls_alpn)
3670 { DEBUG(D_tls) debug_printf("TLS: was not watching for ALPN\n"); }
3671 else if (!server_seen_alpn)
3672 if (verify_check_host(&hosts_require_alpn) == OK)
3674 /* We'd like to send a definitive Alert but OpenSSL provides no facility */
3676 tls_error(US"handshake", NULL, US"ALPN required but not negotiated", errstr);
3680 { DEBUG(D_tls) debug_printf("TLS: no ALPN presented in handshake\n"); }
3683 const uschar * name;
3685 SSL_get0_alpn_selected(ssl, &name, &len);
3687 debug_printf("ALPN negotiated: '%.*s'\n", (int)*name, name+1);
3689 debug_printf("ALPN: no protocol negotiated\n");
3694 /* TLS has been set up. Record data for the connection,
3695 adjust the input functions to read via TLS, and initialize things. */
3697 #ifdef SSL_get_extms_support
3698 /*XXX what does this return for tls1.3 ? */
3699 tls_in.ext_master_secret = SSL_get_extms_support(ssl) == 1;
3701 peer_cert(ssl, &tls_in, peerdn, sizeof(peerdn));
3703 tls_in.ver = tlsver_name(ssl);
3704 tls_in.cipher = construct_cipher_name(ssl, tls_in.ver, &tls_in.bits);
3705 tls_in.cipher_stdname = cipher_stdname_ssl(ssl);
3710 if (SSL_get_shared_ciphers(ssl, CS buf, sizeof(buf)))
3711 debug_printf("Shared ciphers: %s\n", buf);
3713 tls_dump_keylog(ssl);
3715 #ifdef EXIM_HAVE_SESSION_TICKET
3717 SSL_SESSION * ss = SSL_get_session(ssl);
3718 if (SSL_SESSION_has_ticket(ss)) /* 1.1.0 */
3719 debug_printf("The session has a ticket, life %lu seconds\n",
3720 SSL_SESSION_get_ticket_lifetime_hint(ss));
3725 /* Record the certificate we presented */
3727 X509 * crt = SSL_get_certificate(ssl);
3728 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
3731 tls_get_channel_binding(ssl, &tls_in, GET_UNTAINTED);
3733 /* Only used by the server-side tls (tls_in), including tls_getc.
3734 Client-side (tls_out) reads (seem to?) go via
3735 smtp_read_response()/ip_recv().
3736 Hence no need to duplicate for _in and _out.
3738 if (!ssl_xfer_buffer) ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
3739 ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
3740 ssl_xfer_eof = ssl_xfer_error = FALSE;
3742 receive_getc = tls_getc;
3743 receive_getbuf = tls_getbuf;
3744 receive_get_cache = tls_get_cache;
3745 receive_hasc = tls_hasc;
3746 receive_ungetc = tls_ungetc;
3747 receive_feof = tls_feof;
3748 receive_ferror = tls_ferror;
3750 tls_in.active.sock = fileno(smtp_out);
3751 tls_in.active.tls_ctx = NULL; /* not using explicit ctx for server-side */
3759 tls_client_basic_ctx_init(SSL_CTX * ctx,
3760 host_item * host, smtp_transport_options_block * ob, exim_openssl_state_st * state,
3765 /* Back-compatible old behaviour if tls_verify_certificates is set but both
3766 tls_verify_hosts and tls_try_verify_hosts are not set. Check only the specified
3767 host patterns if one of them is set with content. */
3769 if ( ( ( !ob->tls_verify_hosts || !ob->tls_verify_hosts
3770 || Ustrcmp(ob->tls_try_verify_hosts, ":") == 0
3772 && ( !ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts
3773 || Ustrcmp(ob->tls_try_verify_hosts, ":") == 0
3776 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
3778 client_verify_optional = FALSE;
3779 else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
3780 client_verify_optional = TRUE;
3785 uschar * v_certs = ob->tls_verify_certificates;
3787 if (state->lib_state.cabundle)
3789 DEBUG(D_tls) debug_printf("TLS: CA bundle for tpt was preloaded\n");
3790 setup_cert_verify(ctx, client_verify_optional, verify_callback_client);
3794 if ((rc = setup_certs(ctx, &v_certs, ob->tls_crl, host, errstr)) != OK)
3796 if (v_certs && *v_certs)
3797 setup_cert_verify(ctx, client_verify_optional, verify_callback_client);
3801 if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
3803 state->verify_cert_hostnames =
3805 string_domain_utf8_to_alabel(host->certname, NULL);
3809 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
3810 state->verify_cert_hostnames);
3818 dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa, uschar ** errstr)
3821 const char * hostnames[2] = { CS host->name, NULL };
3824 if (DANESSL_init(ssl, NULL, hostnames) != 1)
3825 return tls_error(US"hostnames load", host, NULL, errstr);
3827 for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
3828 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
3829 ) if (rr->type == T_TLSA && rr->size > 3)
3831 const uschar * p = rr->data;
3832 uint8_t usage, selector, mtype;
3833 const char * mdname;
3837 /* Only DANE-TA(2) and DANE-EE(3) are supported */
3838 if (usage != 2 && usage != 3) continue;
3845 default: continue; /* Only match-types 0, 1, 2 are supported */
3846 case 0: mdname = NULL; break;
3847 case 1: mdname = "sha256"; break;
3848 case 2: mdname = "sha512"; break;
3852 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
3855 return tls_error(US"tlsa load", host, NULL, errstr);
3856 case 0: /* action not taken */
3860 tls_out.tlsa_usage |= 1<<usage;
3866 log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
3869 #endif /*SUPPORT_DANE*/
3873 #ifndef DISABLE_TLS_RESUME
3874 /* On the client, get any stashed session for the given IP from hints db
3875 and apply it to the ssl-connection for attempted resumption. */
3878 tls_retrieve_session(tls_support * tlsp, SSL * ssl)
3880 if (tlsp->host_resumable)
3882 dbdata_tls_session * dt;
3884 open_db dbblock, * dbm_file;
3886 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
3888 debug_printf("checking for resumable session for %s\n", tlsp->resume_index);
3889 if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
3891 if ((dt = dbfn_read_with_length(dbm_file, tlsp->resume_index, &len)))
3893 SSL_SESSION * ss = NULL;
3894 const uschar * sess_asn1 = dt->session;
3896 len -= sizeof(dbdata_tls_session);
3897 if (!(d2i_SSL_SESSION(&ss, &sess_asn1, (long)len)))
3901 ERR_error_string_n(ERR_get_error(),
3902 ssl_errstring, sizeof(ssl_errstring));
3903 debug_printf("decoding session: %s\n", ssl_errstring);
3908 unsigned long lifetime =
3909 #ifdef EXIM_HAVE_SESSION_TICKET
3910 SSL_SESSION_get_ticket_lifetime_hint(ss);
3911 #else /* Use, fairly arbitrilarily, what we as server would */
3912 f.running_in_test_harness ? TESTSUITE_TICKET_LIFE : ssl_session_timeout;
3914 time_t now = time(NULL), expires = lifetime + dt->time_stamp;
3917 DEBUG(D_tls) debug_printf("session expired (by " TIME_T_FMT "s from %lus)\n", now - expires, lifetime);
3918 dbfn_delete(dbm_file, tlsp->resume_index);
3920 else if (SSL_set_session(ssl, ss))
3922 DEBUG(D_tls) debug_printf("good session (" TIME_T_FMT "s left of %lus)\n", expires - now, lifetime);
3923 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
3924 tlsp->verify_override = dt->verify_override;
3925 tlsp->ocsp = dt->ocsp;
3929 ERR_error_string_n(ERR_get_error(),
3930 ssl_errstring, sizeof(ssl_errstring));
3931 debug_printf("applying session to ssl: %s\n", ssl_errstring);
3936 DEBUG(D_tls) debug_printf("no session record\n");
3937 dbfn_close(dbm_file);
3943 /* On the client, save the session for later resumption */
3946 tls_save_session_cb(SSL * ssl, SSL_SESSION * ss)
3948 exim_openssl_state_st * cbinfo = SSL_get_ex_data(ssl, tls_exdata_idx);
3951 DEBUG(D_tls) debug_printf("tls_save_session_cb\n");
3953 if (!cbinfo || !(tlsp = cbinfo->tlsp)->host_resumable) return 0;
3955 # ifdef OPENSSL_HAVE_NUM_TICKETS
3956 if (SSL_SESSION_is_resumable(ss)) /* 1.1.1 */
3959 int len = i2d_SSL_SESSION(ss, NULL);
3960 int dlen = sizeof(dbdata_tls_session) + len;
3961 dbdata_tls_session * dt = store_get(dlen, GET_TAINTED);
3962 uschar * s = dt->session;
3963 open_db dbblock, * dbm_file;
3965 DEBUG(D_tls) debug_printf("session is resumable\n");
3966 tlsp->resumption |= RESUME_SERVER_TICKET; /* server gave us a ticket */
3968 dt->verify_override = tlsp->verify_override;
3969 dt->ocsp = tlsp->ocsp;
3970 (void) i2d_SSL_SESSION(ss, &s); /* s gets bumped to end */
3972 if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
3974 dbfn_write(dbm_file, tlsp->resume_index, dt, dlen);
3975 dbfn_close(dbm_file);
3976 DEBUG(D_tls) debug_printf("wrote session (len %u) to db\n",
3984 /* Construct a key for session DB lookup, and setup the SSL_CTX for resumption */
3987 tls_client_ctx_resume_prehandshake(
3988 exim_openssl_client_tls_ctx * exim_client_ctx, smtp_connect_args * conn_args,
3989 tls_support * tlsp, smtp_transport_options_block * ob)
3991 tlsp->host_resumable = TRUE;
3992 tls_client_resmption_key(tlsp, conn_args, ob);
3994 SSL_CTX_set_session_cache_mode(exim_client_ctx->ctx,
3995 SSL_SESS_CACHE_CLIENT
3996 | SSL_SESS_CACHE_NO_INTERNAL | SSL_SESS_CACHE_NO_AUTO_CLEAR);
3997 SSL_CTX_sess_set_new_cb(exim_client_ctx->ctx, tls_save_session_cb);
4001 tls_client_ssl_resume_prehandshake(SSL * ssl, tls_support * tlsp,
4002 host_item * host, uschar ** errstr)
4004 if (tlsp->host_resumable)
4007 debug_printf("tls_resumption_hosts overrides openssl_options, enabling tickets\n");
4008 SSL_clear_options(ssl, SSL_OP_NO_TICKET);
4010 tls_exdata_idx = SSL_get_ex_new_index(0, 0, 0, 0, 0);
4011 if (!SSL_set_ex_data(ssl, tls_exdata_idx, client_static_state))
4013 tls_error(US"set ex_data", host, NULL, errstr);
4016 /* debug_printf("tls_exdata_idx %d cbinfo %p\n", tls_exdata_idx, client_static_state); */
4019 tlsp->resumption = RESUME_SUPPORTED;
4020 /* Pick up a previous session, saved on an old ticket */
4021 tls_retrieve_session(tlsp, ssl);
4026 tls_client_resume_posthandshake(exim_openssl_client_tls_ctx * exim_client_ctx,
4029 if (SSL_session_reused(exim_client_ctx->ssl))
4031 DEBUG(D_tls) debug_printf("The session was reused\n");
4032 tlsp->resumption |= RESUME_USED;
4035 #endif /* !DISABLE_TLS_RESUME */
4038 #ifdef EXIM_HAVE_ALPN
4039 /* Expand and convert an Exim list to an ALPN list. False return for fail.
4040 NULL plist return for silent no-ALPN.
4042 Overwite the passed-in list with the expanded version.
4046 tls_alpn_plist(uschar ** tls_alpn, const uschar ** plist, unsigned * plen,
4051 if (!expand_check(*tls_alpn, US"tls_alpn", &exp_alpn, errstr))
4053 *tls_alpn = exp_alpn;
4057 DEBUG(D_tls) debug_printf("Setting TLS ALPN forced to fail, not sending\n");
4062 /* The server implementation only accepts exactly one protocol name
4063 but it's little extra code complexity in the client. */
4065 const uschar * list = exp_alpn;
4066 uschar * p = store_get(Ustrlen(exp_alpn), exp_alpn), * s, * t;
4070 for (t = p; s = string_nextinlist(&list, &sep, NULL, 0); t += len)
4072 *t++ = len = (uschar) Ustrlen(s);
4075 *plist = (*plen = t - p) ? p : NULL;
4079 #endif /* EXIM_HAVE_ALPN */
4082 /*************************************************
4083 * Start a TLS session in a client *
4084 *************************************************/
4086 /* Called from the smtp transport after STARTTLS has been accepted.
4089 cctx connection context
4090 conn_args connection details
4091 cookie datum for randomness; can be NULL
4092 tlsp record details of TLS channel configuration here; must be non-NULL
4093 errstr error string pointer
4095 Returns: TRUE for success with TLS session context set in connection context,
4100 tls_client_start(client_conn_ctx * cctx, smtp_connect_args * conn_args,
4101 void * cookie, tls_support * tlsp, uschar ** errstr)
4103 host_item * host = conn_args->host; /* for msgs and option-tests */
4104 transport_instance * tb = conn_args->tblock; /* always smtp or NULL */
4105 smtp_transport_options_block * ob = tb
4106 ? (smtp_transport_options_block *)tb->options_block
4107 : &smtp_transport_option_defaults;
4108 exim_openssl_client_tls_ctx * exim_client_ctx;
4109 uschar * expciphers;
4111 static uschar peerdn[256];
4113 #ifndef DISABLE_OCSP
4114 BOOL request_ocsp = FALSE;
4115 BOOL require_ocsp = FALSE;
4119 store_pool = POOL_PERM;
4120 exim_client_ctx = store_get(sizeof(exim_openssl_client_tls_ctx), GET_UNTAINTED);
4121 exim_client_ctx->corked = NULL;
4125 tlsp->tlsa_usage = 0;
4128 #ifndef DISABLE_OCSP
4130 # ifdef SUPPORT_DANE
4131 if ( conn_args->dane
4132 && ob->hosts_request_ocsp[0] == '*'
4133 && ob->hosts_request_ocsp[1] == '\0'
4136 /* Unchanged from default. Use a safer one under DANE */
4137 request_ocsp = TRUE;
4138 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
4139 " {= {4}{$tls_out_tlsa_usage}} } "
4145 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK))
4146 request_ocsp = TRUE;
4148 # ifdef SUPPORT_DANE
4152 verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
4154 # if defined(SUPPORT_DANE) && !defined(EXIM_HAVE_OPENSSL_OCSP_RESP_GET0_SIGNER)
4155 if (conn_args->dane && (require_ocsp || request_ocsp))
4157 DEBUG(D_tls) debug_printf("OpenSSL version to early to combine OCSP"
4158 " and DANE; disabling OCSP\n");
4159 require_ocsp = request_ocsp = FALSE;
4165 rc = tls_init(host, ob,
4166 #ifndef DISABLE_OCSP
4167 (void *)(long)request_ocsp,
4169 cookie, &client_static_state, tlsp, errstr);
4170 if (rc != OK) return FALSE;
4172 exim_client_ctx->ctx = client_static_state->lib_state.lib_ctx;
4174 tlsp->certificate_verified = FALSE;
4175 client_verify_callback_called = FALSE;
4179 if (conn_args->dane)
4181 /* We fall back to tls_require_ciphers if unset, empty or forced failure, but
4182 other failures should be treated as problems. */
4183 if (ob->dane_require_tls_ciphers &&
4184 !expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
4185 &expciphers, errstr))
4187 if (expciphers && *expciphers == '\0')
4190 normalise_ciphers(&expciphers, ob->dane_require_tls_ciphers);
4195 if (!expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
4196 &expciphers, errstr))
4199 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
4200 are separated by underscores. So that I can use either form in my tests, and
4201 also for general convenience, we turn underscores into hyphens here. */
4203 normalise_ciphers(&expciphers, ob->tls_require_ciphers);
4208 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
4209 if (!SSL_CTX_set_cipher_list(exim_client_ctx->ctx, CS expciphers))
4211 tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr);
4217 if (conn_args->dane)
4219 SSL_CTX_set_verify(exim_client_ctx->ctx,
4220 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
4221 verify_callback_client_dane);
4223 if (!DANESSL_library_init())
4225 tls_error(US"library init", host, NULL, errstr);
4228 if (DANESSL_CTX_init(exim_client_ctx->ctx) <= 0)
4230 tls_error(US"context init", host, NULL, errstr);
4233 DEBUG(D_tls) debug_printf("since dane-mode conn, not loading the usual CA bundle\n");
4239 if (tls_client_basic_ctx_init(exim_client_ctx->ctx, host, ob,
4240 client_static_state, errstr) != OK)
4245 if (!expand_check(ob->tls_sni, US"tls_sni", &tlsp->sni, errstr))
4248 { DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n"); }
4249 else if (!Ustrlen(tlsp->sni))
4253 #ifndef EXIM_HAVE_OPENSSL_TLSEXT
4254 log_write(0, LOG_MAIN, "SNI unusable with this OpenSSL library version; ignoring \"%s\"\n",
4262 #ifdef EXIM_HAVE_ALPN
4264 const uschar * plist;
4267 if (!tls_alpn_plist(&ob->tls_alpn, &plist, &plen, errstr))
4270 if (SSL_CTX_set_alpn_protos(exim_client_ctx->ctx, plist, plen) != 0)
4272 tls_error(US"alpn init", host, NULL, errstr);
4276 DEBUG(D_tls) debug_printf("Setting TLS ALPN '%s'\n", ob->tls_alpn);
4279 log_write(0, LOG_MAIN, "ALPN unusable with this OpenSSL library version; ignoring \"%s\"\n",
4283 #ifndef DISABLE_TLS_RESUME
4284 /*XXX have_lbserver: another cmdline arg possibly, for continued-conn, but use
4285 will be very low. */
4287 if (!conn_args->have_lbserver) /* wanted for tls_client_resmption_key() */
4288 { DEBUG(D_tls) debug_printf("resumption not supported on continued-connection\n"); }
4289 else if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, host) == OK)
4290 tls_client_ctx_resume_prehandshake(exim_client_ctx, conn_args, tlsp, ob);
4294 if (!(exim_client_ctx->ssl = SSL_new(exim_client_ctx->ctx)))
4296 tls_error(US"SSL_new", host, NULL, errstr);
4299 SSL_set_session_id_context(exim_client_ctx->ssl, sid_ctx, Ustrlen(sid_ctx));
4300 SSL_set_fd(exim_client_ctx->ssl, cctx->sock);
4301 SSL_set_connect_state(exim_client_ctx->ssl);
4303 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
4306 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tlsp->sni);
4307 SSL_set_tlsext_host_name(exim_client_ctx->ssl, tlsp->sni);
4312 if (conn_args->dane)
4313 if (dane_tlsa_load(exim_client_ctx->ssl, host, &conn_args->tlsa_dnsa, errstr) != OK)
4317 #ifndef DISABLE_OCSP
4318 /* Request certificate status at connection-time. If the server
4319 does OCSP stapling we will get the callback (set in tls_init()) */
4320 # ifdef SUPPORT_DANE
4324 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
4325 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
4327 { /* Re-eval now $tls_out_tlsa_usage is populated. If
4328 this means we avoid the OCSP request, we wasted the setup
4329 cost in tls_init(). */
4330 require_ocsp = verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
4331 request_ocsp = require_ocsp
4332 || verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
4339 SSL_set_tlsext_status_type(exim_client_ctx->ssl, TLSEXT_STATUSTYPE_ocsp);
4340 client_static_state->u_ocsp.client.verify_required = require_ocsp;
4341 tlsp->ocsp = OCSP_NOT_RESP;
4345 #ifndef DISABLE_TLS_RESUME
4346 if (!tls_client_ssl_resume_prehandshake(exim_client_ctx->ssl, tlsp, host,
4351 #ifndef DISABLE_EVENT
4352 client_static_state->event_action = tb ? tb->event_action : NULL;
4355 /* There doesn't seem to be a built-in timeout on connection. */
4357 DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
4358 sigalrm_seen = FALSE;
4359 ALARM(ob->command_timeout);
4360 rc = SSL_connect(exim_client_ctx->ssl);
4364 if (conn_args->dane)
4365 DANESSL_cleanup(exim_client_ctx->ssl);
4370 #ifndef DISABLE_OCSP
4371 if (client_static_state->u_ocsp.client.verify_errstr)
4372 { if (errstr) *errstr = client_static_state->u_ocsp.client.verify_errstr; }
4375 tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL, errstr);
4381 debug_printf("SSL_connect succeeded\n");
4382 tls_dump_keylog(exim_client_ctx->ssl);
4385 #ifndef DISABLE_TLS_RESUME
4386 tls_client_resume_posthandshake(exim_client_ctx, tlsp);
4389 #ifdef EXIM_HAVE_ALPN
4390 if (ob->tls_alpn) /* We requested. See what was negotiated. */
4392 const uschar * name;
4395 SSL_get0_alpn_selected(exim_client_ctx->ssl, &name, &len);
4397 { DEBUG(D_tls) debug_printf("ALPN negotiated %u: '%.*s'\n", len, (int)*name, name+1); }
4398 else if (verify_check_given_host(CUSS &ob->hosts_require_alpn, host) == OK)
4400 /* Would like to send a relevant fatal Alert, but OpenSSL has no API */
4401 tls_error(US"handshake", host, US"ALPN required but not negotiated", errstr);
4407 #ifdef SSL_get_extms_support
4408 tlsp->ext_master_secret = SSL_get_extms_support(exim_client_ctx->ssl) == 1;
4410 peer_cert(exim_client_ctx->ssl, tlsp, peerdn, sizeof(peerdn));
4412 tlsp->ver = tlsver_name(exim_client_ctx->ssl);
4413 tlsp->cipher = construct_cipher_name(exim_client_ctx->ssl, tlsp->ver, &tlsp->bits);
4414 tlsp->cipher_stdname = cipher_stdname_ssl(exim_client_ctx->ssl);
4416 /* Record the certificate we presented */
4418 X509 * crt = SSL_get_certificate(exim_client_ctx->ssl);
4419 tlsp->ourcert = crt ? X509_dup(crt) : NULL;
4422 /*XXX will this work with continued-TLS? */
4423 tls_get_channel_binding(exim_client_ctx->ssl, tlsp, GET_TAINTED);
4425 tlsp->active.sock = cctx->sock;
4426 tlsp->active.tls_ctx = exim_client_ctx;
4427 cctx->tls_ctx = exim_client_ctx;
4436 tls_refill(unsigned lim)
4438 SSL * ssl = state_server.lib_state.lib_ssl;
4442 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
4443 ssl_xfer_buffer, ssl_xfer_buffer_size);
4446 if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
4447 inbytes = SSL_read(ssl, CS ssl_xfer_buffer,
4448 MIN(ssl_xfer_buffer_size, lim));
4449 error = SSL_get_error(ssl, inbytes);
4450 if (smtp_receive_timeout > 0) ALARM_CLR(0);
4452 if (had_command_timeout) /* set by signal handler */
4453 smtp_command_timeout_exit(); /* does not return */
4454 if (had_command_sigterm)
4455 smtp_command_sigterm_exit();
4456 if (had_data_timeout)
4457 smtp_data_timeout_exit();
4458 if (had_data_sigint)
4459 smtp_data_sigint_exit();
4461 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
4462 closed down, not that the socket itself has been closed down. Revert to
4463 non-SSL handling. */
4467 case SSL_ERROR_NONE:
4470 case SSL_ERROR_ZERO_RETURN:
4471 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
4473 if (SSL_get_shutdown(ssl) == SSL_RECEIVED_SHUTDOWN)
4476 tls_close(NULL, TLS_NO_SHUTDOWN);
4479 /* Handle genuine errors */
4481 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
4482 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
4483 ssl_xfer_error = TRUE;
4487 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
4488 DEBUG(D_tls) if (error == SSL_ERROR_SYSCALL)
4489 debug_printf(" - syscall %s\n", strerror(errno));
4490 ssl_xfer_error = TRUE;
4494 #ifndef DISABLE_DKIM
4495 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
4497 ssl_xfer_buffer_hwm = inbytes;
4498 ssl_xfer_buffer_lwm = 0;
4503 /*************************************************
4504 * TLS version of getc *
4505 *************************************************/
4507 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
4508 it refills the buffer via the SSL reading function.
4510 Arguments: lim Maximum amount to read/buffer
4511 Returns: the next character or EOF
4513 Only used by the server-side TLS.
4517 tls_getc(unsigned lim)
4519 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
4520 if (!tls_refill(lim))
4521 return ssl_xfer_error ? EOF : smtp_getc(lim);
4523 /* Something in the buffer; return next uschar */
4525 return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
4531 return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm;
4535 tls_getbuf(unsigned * len)
4540 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
4541 if (!tls_refill(*len))
4543 if (!ssl_xfer_error) return smtp_getbuf(len);
4548 if ((size = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm) > *len)
4550 buf = &ssl_xfer_buffer[ssl_xfer_buffer_lwm];
4551 ssl_xfer_buffer_lwm += size;
4558 tls_get_cache(unsigned lim)
4560 #ifndef DISABLE_DKIM
4561 int n = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm;
4565 dkim_exim_verify_feed(ssl_xfer_buffer+ssl_xfer_buffer_lwm, n);
4571 tls_could_getc(void)
4573 return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm
4574 || SSL_pending(state_server.lib_state.lib_ssl) > 0;
4578 /*************************************************
4579 * Read bytes from TLS channel *
4580 *************************************************/
4584 ct_ctx client context pointer, or NULL for the one global server context
4588 Returns: the number of bytes read
4589 -1 after a failed read, including EOF
4591 Only used by the client-side TLS.
4595 tls_read(void * ct_ctx, uschar *buff, size_t len)
4597 SSL * ssl = ct_ctx ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl
4598 : state_server.lib_state.lib_ssl;
4602 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
4603 buff, (unsigned int)len);
4606 inbytes = SSL_read(ssl, CS buff, len);
4607 error = SSL_get_error(ssl, inbytes);
4609 if (error == SSL_ERROR_ZERO_RETURN)
4611 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
4614 else if (error != SSL_ERROR_NONE)
4624 /*************************************************
4625 * Write bytes down TLS channel *
4626 *************************************************/
4630 ct_ctx client context pointer, or NULL for the one global server context
4633 more further data expected soon
4635 Returns: the number of bytes after a successful write,
4636 -1 after a failed write
4638 Used by both server-side and client-side TLS. Calling with len zero and more unset
4639 will flush buffered writes; buff can be null for this case.
4643 tls_write(void * ct_ctx, const uschar * buff, size_t len, BOOL more)
4646 int outbytes, error;
4648 ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl
4649 : state_server.lib_state.lib_ssl;
4650 static gstring * server_corked = NULL;
4651 gstring ** corkedp = ct_ctx
4652 ? &((exim_openssl_client_tls_ctx *)ct_ctx)->corked : &server_corked;
4653 gstring * corked = *corkedp;
4655 DEBUG(D_tls) debug_printf("%s(%p, %lu%s)\n", __FUNCTION__,
4656 buff, (unsigned long)len, more ? ", more" : "");
4658 /* Lacking a CORK or MSG_MORE facility (such as GnuTLS has) we copy data when
4659 "more" is notified. This hack is only ok if small amounts are involved AND only
4660 one stream does it, in one context (i.e. no store reset). Currently it is used
4661 for the responses to the received SMTP MAIL , RCPT, DATA sequence, only.
4662 We support callouts done by the server process by using a separate client
4663 context for the stashed information. */
4664 /* + if PIPE_COMMAND, banner & ehlo-resp for smmtp-on-connect. Suspect there's
4665 a store reset there, so use POOL_PERM. */
4666 /* + if CHUNKING, cmds EHLO,MAIL,RCPT(s),BDAT */
4670 if (!len) buff = US &error; /* dummy just so that string_catn is ok */
4672 int save_pool = store_pool;
4673 store_pool = POOL_PERM;
4675 corked = string_catn(corked, buff, len);
4677 store_pool = save_pool;
4684 buff = CUS corked->s;
4689 for (int left = len; left > 0;)
4691 DEBUG(D_tls) debug_printf("SSL_write(%p, %p, %d)\n", ssl, buff, left);
4693 outbytes = SSL_write(ssl, CS buff, left);
4694 error = SSL_get_error(ssl, outbytes);
4695 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
4698 case SSL_ERROR_NONE: /* the usual case */
4704 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
4705 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
4708 case SSL_ERROR_ZERO_RETURN:
4709 log_write(0, LOG_MAIN, "SSL channel closed on write");
4712 case SSL_ERROR_SYSCALL:
4713 if (ct_ctx || errno != ECONNRESET || !f.smtp_in_quit)
4714 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
4715 sender_fullhost ? sender_fullhost : US"<unknown>",
4717 else if (LOGGING(protocol_detail))
4718 log_write(0, LOG_MAIN, "[%s] after QUIT, client reset TCP before"
4719 " SMTP response and TLS close\n", sender_host_address);
4721 DEBUG(D_tls) debug_printf("[%s] SSL_write: after QUIT,"
4722 " client reset TCP before TLS close\n", sender_host_address);
4726 log_write(0, LOG_MAIN, "SSL_write error %d", error);
4737 ct_ctx client TLS context pointer, or NULL for the one global server context
4741 tls_shutdown_wr(void * ct_ctx)
4743 exim_openssl_client_tls_ctx * o_ctx = ct_ctx;
4744 SSL ** sslp = o_ctx ? &o_ctx->ssl : (SSL **) &state_server.lib_state.lib_ssl;
4745 int * fdp = o_ctx ? &tls_out.active.sock : &tls_in.active.sock;
4748 if (*fdp < 0) return; /* TLS was not active */
4750 tls_write(ct_ctx, NULL, 0, FALSE); /* flush write buffer */
4752 HDEBUG(D_transport|D_tls|D_acl|D_v) debug_printf_indent(" SMTP(TLS shutdown)>>\n");
4753 rc = SSL_shutdown(*sslp);
4754 if (rc < 0) DEBUG(D_tls)
4756 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
4757 debug_printf("SSL_shutdown: %s\n", ssl_errstring);
4761 /*************************************************
4762 * Close down a TLS session *
4763 *************************************************/
4765 /* This is also called from within a delivery subprocess forked from the
4766 daemon, to shut down the TLS library, without actually doing a shutdown (which
4767 would tamper with the SSL session in the parent process).
4770 ct_ctx client TLS context pointer, or NULL for the one global server context
4771 do_shutdown 0 no data-flush or TLS close-alert
4772 1 if TLS close-alert is to be sent,
4773 2 if also response to be waited for
4777 Used by both server-side and client-side TLS.
4781 tls_close(void * ct_ctx, int do_shutdown)
4783 exim_openssl_client_tls_ctx * o_ctx = ct_ctx;
4784 SSL ** sslp = o_ctx ? &o_ctx->ssl : (SSL **) &state_server.lib_state.lib_ssl;
4785 int * fdp = o_ctx ? &tls_out.active.sock : &tls_in.active.sock;
4787 if (*fdp < 0) return; /* TLS was not active */
4789 if (do_shutdown > TLS_NO_SHUTDOWN)
4792 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
4793 do_shutdown > TLS_SHUTDOWN_NOWAIT ? " (with response-wait)" : "");
4795 tls_write(ct_ctx, NULL, 0, FALSE); /* flush write buffer */
4797 if ( ( do_shutdown >= TLS_SHUTDOWN_WONLY
4798 || (rc = SSL_shutdown(*sslp)) == 0 /* send "close notify" alert */
4800 && do_shutdown > TLS_SHUTDOWN_NOWAIT
4803 #ifdef EXIM_TCP_CORK
4804 (void) setsockopt(*fdp, IPPROTO_TCP, EXIM_TCP_CORK, US &off, sizeof(off));
4807 rc = SSL_shutdown(*sslp); /* wait for response */
4811 if (rc < 0) DEBUG(D_tls)
4813 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
4814 debug_printf("SSL_shutdown: %s\n", ssl_errstring);
4818 if (!o_ctx) /* server side */
4820 #ifndef DISABLE_OCSP
4821 sk_X509_pop_free(state_server.u_ocsp.server.verify_stack, X509_free);
4822 state_server.u_ocsp.server.verify_stack = NULL;
4825 receive_getc = smtp_getc;
4826 receive_getbuf = smtp_getbuf;
4827 receive_get_cache = smtp_get_cache;
4828 receive_hasc = smtp_hasc;
4829 receive_ungetc = smtp_ungetc;
4830 receive_feof = smtp_feof;
4831 receive_ferror = smtp_ferror;
4832 tls_in.active.tls_ctx = NULL;
4834 /* Leave bits, peercert, cipher, peerdn, certificate_verified set, for logging */
4845 /*************************************************
4846 * Let tls_require_ciphers be checked at startup *
4847 *************************************************/
4849 /* The tls_require_ciphers option, if set, must be something which the
4852 Returns: NULL on success, or error message
4856 tls_validate_require_cipher(void)
4859 uschar * expciphers, * err;
4863 if (!(tls_require_ciphers && *tls_require_ciphers))
4866 if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
4868 return US"failed to expand tls_require_ciphers";
4870 if (!(expciphers && *expciphers))
4873 normalise_ciphers(&expciphers, tls_require_ciphers);
4876 if (lib_ctx_new(&ctx, NULL, &err) == OK)
4879 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
4881 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
4883 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
4884 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed: %s",
4885 expciphers, ssl_errstring);
4896 /*************************************************
4897 * Report the library versions. *
4898 *************************************************/
4900 /* There have historically been some issues with binary compatibility in
4901 OpenSSL libraries; if Exim (like many other applications) is built against
4902 one version of OpenSSL but the run-time linker picks up another version,
4903 it can result in serious failures, including crashing with a SIGSEGV. So
4904 report the version found by the compiler and the run-time version.
4906 Note: some OS vendors backport security fixes without changing the version
4907 number/string, and the version date remains unchanged. The _build_ date
4908 will change, so we can more usefully assist with version diagnosis by also
4909 reporting the build date.
4911 Arguments: string to append to
4916 tls_version_report(gstring * g)
4918 return string_fmt_append(g,
4919 "Library version: OpenSSL: Compile: %s\n"
4922 OPENSSL_VERSION_TEXT,
4923 SSLeay_version(SSLEAY_VERSION),
4924 SSLeay_version(SSLEAY_BUILT_ON));
4925 /* third line is 38 characters for the %s and the line is 73 chars long;
4926 the OpenSSL output includes a "built on: " prefix already. */
4932 /*************************************************
4933 * Random number generation *
4934 *************************************************/
4936 /* Pseudo-random number generation. The result is not expected to be
4937 cryptographically strong but not so weak that someone will shoot themselves
4938 in the foot using it as a nonce in input in some email header scheme or
4939 whatever weirdness they'll twist this into. The result should handle fork()
4940 and avoid repeating sequences. OpenSSL handles that for us.
4944 Returns a random number in range [0, max-1]
4948 vaguely_random_number(int max)
4952 static pid_t pidlast = 0;
4954 uschar smallbuf[sizeof(r)];
4960 if (pidnow != pidlast)
4962 /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
4963 is unique for each thread", this doesn't apparently apply across processes,
4964 so our own warning from vaguely_random_number_fallback() applies here too.
4965 Fix per PostgreSQL. */
4971 /* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
4975 gettimeofday(&r.tv, NULL);
4978 RAND_seed(US (&r), sizeof(r));
4980 /* We're after pseudo-random, not random; if we still don't have enough data
4981 in the internal PRNG then our options are limited. We could sleep and hope
4982 for entropy to come along (prayer technique) but if the system is so depleted
4983 in the first place then something is likely to just keep taking it. Instead,
4984 we'll just take whatever little bit of pseudo-random we can still manage to
4987 needed_len = sizeof(r);
4988 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
4989 asked for a number less than 10. */
4990 for (r = max, i = 0; r; ++i)
4996 #ifdef EXIM_HAVE_RAND_PSEUDO
4997 /* We do not care if crypto-strong */
4998 i = RAND_pseudo_bytes(smallbuf, needed_len);
5000 i = RAND_bytes(smallbuf, needed_len);
5006 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
5007 return vaguely_random_number_fallback(max);
5011 for (uschar * p = smallbuf; needed_len; --needed_len, ++p)
5014 /* We don't particularly care about weighted results; if someone wants
5015 smooth distribution and cares enough then they should submit a patch then. */
5022 /*************************************************
5023 * OpenSSL option parse *
5024 *************************************************/
5026 /* Parse one option for tls_openssl_options_parse below
5029 name one option name
5030 value place to store a value for it
5031 Returns success or failure in parsing
5037 tls_openssl_one_option_parse(uschar *name, long *value)
5040 int last = exim_openssl_options_size;
5041 while (last > first)
5043 int middle = (first + last)/2;
5044 int c = Ustrcmp(name, exim_openssl_options[middle].name);
5047 *value = exim_openssl_options[middle].value;
5061 /*************************************************
5062 * OpenSSL option parsing logic *
5063 *************************************************/
5065 /* OpenSSL has a number of compatibility options which an administrator might
5066 reasonably wish to set. Interpret a list similarly to decode_bits(), so that
5067 we look like log_selector.
5070 option_spec the administrator-supplied string of options
5071 results ptr to long storage for the options bitmap
5072 Returns success or failure
5076 tls_openssl_options_parse(uschar *option_spec, long *results)
5079 uschar * exp, * end;
5080 BOOL adding, item_parsed;
5082 /* Server: send no (<= TLS1.2) session tickets */
5083 result = SSL_OP_NO_TICKET;
5085 /* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
5086 from default because it increases BEAST susceptibility. */
5087 #ifdef SSL_OP_NO_SSLv2
5088 result |= SSL_OP_NO_SSLv2;
5090 #ifdef SSL_OP_NO_SSLv3
5091 result |= SSL_OP_NO_SSLv3;
5093 #ifdef SSL_OP_SINGLE_DH_USE
5094 result |= SSL_OP_SINGLE_DH_USE;
5096 #ifdef SSL_OP_NO_RENEGOTIATION
5097 result |= SSL_OP_NO_RENEGOTIATION;
5106 if (!expand_check(option_spec, US"openssl_options", &exp, &end))
5109 for (uschar * s = exp; *s; /**/)
5111 while (isspace(*s)) ++s;
5114 if (*s != '+' && *s != '-')
5116 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
5117 "+ or - expected but found \"%s\"\n", s);
5120 adding = *s++ == '+';
5121 for (end = s; *end && !isspace(*end); ) end++;
5122 item_parsed = tls_openssl_one_option_parse(string_copyn(s, end-s), &item);
5125 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
5128 DEBUG(D_tls) debug_printf("openssl option, %s %08lx: %08lx (%s)\n",
5129 adding ? "adding to " : "removing from", result, item, s);
5141 #endif /*!MACRO_PREDEF*/
5144 /* End of tls-openssl.c */