1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2019 */
6 /* Copyright (c) The Exim Maintainers 2020 - 2021 */
7 /* See the file NOTICE for conditions of use and distribution. */
9 /* Portions Copyright (c) The OpenSSL Project 1999 */
11 /* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
12 library. It is #included into the tls.c file when that library is used. The
13 code herein is based on a patch that was originally contributed by Steve
14 Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
16 No cryptographic code is included in Exim. All this module does is to call
17 functions from the OpenSSL library. */
22 #include <openssl/lhash.h>
23 #include <openssl/ssl.h>
24 #include <openssl/err.h>
25 #include <openssl/rand.h>
26 #ifndef OPENSSL_NO_ECDH
27 # include <openssl/ec.h>
30 # include <openssl/ocsp.h>
38 # define EXIM_OCSP_SKEW_SECONDS (300L)
39 # define EXIM_OCSP_MAX_AGE (-1L)
42 #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
43 # define EXIM_HAVE_OPENSSL_TLSEXT
45 #if OPENSSL_VERSION_NUMBER >= 0x00908000L
46 # define EXIM_HAVE_RSA_GENKEY_EX
48 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
49 # define EXIM_HAVE_OCSP_RESP_COUNT
50 # define OPENSSL_AUTO_SHA256
52 # define EXIM_HAVE_EPHEM_RSA_KEX
53 # define EXIM_HAVE_RAND_PSEUDO
55 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
56 # define EXIM_HAVE_SHA256
59 /* X509_check_host provides sane certificate hostname checking, but was added
60 to OpenSSL late, after other projects forked off the code-base. So in
61 addition to guarding against the base version number, beware that LibreSSL
62 does not (at this time) support this function.
64 If LibreSSL gains a different API, perhaps via libtls, then we'll probably
65 opt to disentangle and ask a LibreSSL user to provide glue for a third
66 crypto provider for libtls instead of continuing to tie the OpenSSL glue
67 into even twistier knots. If LibreSSL gains the same API, we can just
68 change this guard and punt the issue for a while longer. */
70 #ifndef LIBRESSL_VERSION_NUMBER
71 # if OPENSSL_VERSION_NUMBER >= 0x010100000L
72 # define EXIM_HAVE_OPENSSL_CHECKHOST
73 # define EXIM_HAVE_OPENSSL_DH_BITS
74 # define EXIM_HAVE_OPENSSL_TLS_METHOD
75 # define EXIM_HAVE_OPENSSL_KEYLOG
76 # define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
77 # define EXIM_HAVE_SESSION_TICKET
78 # define EXIM_HAVE_OPESSL_TRACE
79 # define EXIM_HAVE_OPESSL_GET0_SERIAL
81 # define EXIM_HAVE_OCSP
83 # define EXIM_HAVE_ALPN /* fail ret from hshake-cb is ignored by LibreSSL */
85 # define EXIM_NEED_OPENSSL_INIT
87 # if OPENSSL_VERSION_NUMBER >= 0x010000000L \
88 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
89 # define EXIM_HAVE_OPENSSL_CHECKHOST
93 #if LIBRESSL_VERSION_NUMBER >= 0x3040000fL
94 # define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
97 #if !defined(LIBRESSL_VERSION_NUMBER) \
98 || LIBRESSL_VERSION_NUMBER >= 0x20010000L
99 # if !defined(OPENSSL_NO_ECDH)
100 # if OPENSSL_VERSION_NUMBER >= 0x0090800fL
101 # define EXIM_HAVE_ECDH
103 # if OPENSSL_VERSION_NUMBER >= 0x10002000L
104 # define EXIM_HAVE_OPENSSL_EC_NIST2NID
109 #ifndef LIBRESSL_VERSION_NUMBER
110 # if OPENSSL_VERSION_NUMBER >= 0x010101000L
111 # define OPENSSL_HAVE_KEYLOG_CB
112 # define OPENSSL_HAVE_NUM_TICKETS
113 # define EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
115 # define OPENSSL_BAD_SRVR_OURCERT
119 #if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
120 # warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
121 # define DISABLE_OCSP
124 #ifndef DISABLE_TLS_RESUME
125 # if OPENSSL_VERSION_NUMBER < 0x0101010L
126 # error OpenSSL version too old for session-resumption
130 #ifdef EXIM_HAVE_OPENSSL_CHECKHOST
131 # include <openssl/x509v3.h>
134 #ifndef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
135 # ifndef EXIM_HAVE_OPENSSL_CIPHER_GET_ID
136 # define SSL_CIPHER_get_id(c) (c->id)
138 # ifndef MACRO_PREDEF
139 # include "tls-cipher-stdname.c"
143 /*************************************************
144 * OpenSSL option parse *
145 *************************************************/
147 typedef struct exim_openssl_option {
150 } exim_openssl_option;
151 /* We could use a macro to expand, but we need the ifdef and not all the
152 options document which version they were introduced in. Policylet: include
153 all options unless explicitly for DTLS, let the administrator choose which
156 This list is current as of:
159 XXX could we autobuild this list, as with predefined-macros?
160 Seems just parsing ssl.h for SSL_OP_.* would be enough (except to exclude DTLS).
161 Also allow a numeric literal?
163 static exim_openssl_option exim_openssl_options[] = {
164 /* KEEP SORTED ALPHABETICALLY! */
166 { US"all", (long) SSL_OP_ALL },
168 #ifdef SSL_OP_ALLOW_NO_DHE_KEX
169 { US"allow_no_dhe_kex", SSL_OP_ALLOW_NO_DHE_KEX },
171 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
172 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
174 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
175 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
177 #ifdef SSL_OP_CRYPTOPRO_TLSEXT_BUG
178 { US"cryptopro_tlsext_bug", SSL_OP_CRYPTOPRO_TLSEXT_BUG },
180 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
181 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
183 #ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT
184 { US"enable_middlebox_compat", SSL_OP_ENABLE_MIDDLEBOX_COMPAT },
186 #ifdef SSL_OP_EPHEMERAL_RSA
187 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
189 #ifdef SSL_OP_LEGACY_SERVER_CONNECT
190 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
192 #ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
193 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
195 #ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
196 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
198 #ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
199 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
201 #ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
202 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
204 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
205 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
207 #ifdef SSL_OP_NO_ANTI_REPLAY
208 { US"no_anti_replay", SSL_OP_NO_ANTI_REPLAY },
210 #ifdef SSL_OP_NO_COMPRESSION
211 { US"no_compression", SSL_OP_NO_COMPRESSION },
213 #ifdef SSL_OP_NO_ENCRYPT_THEN_MAC
214 { US"no_encrypt_then_mac", SSL_OP_NO_ENCRYPT_THEN_MAC },
216 #ifdef SSL_OP_NO_RENEGOTIATION
217 { US"no_renegotiation", SSL_OP_NO_RENEGOTIATION },
219 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
220 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
222 #ifdef SSL_OP_NO_SSLv2
223 { US"no_sslv2", SSL_OP_NO_SSLv2 },
225 #ifdef SSL_OP_NO_SSLv3
226 { US"no_sslv3", SSL_OP_NO_SSLv3 },
228 #ifdef SSL_OP_NO_TICKET
229 { US"no_ticket", SSL_OP_NO_TICKET },
231 #ifdef SSL_OP_NO_TLSv1
232 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
234 #ifdef SSL_OP_NO_TLSv1_1
235 # if OPENSSL_VERSION_NUMBER < 0x30000000L
236 # if SSL_OP_NO_TLSv1_1 == 0x00000400L
237 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
238 # warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
239 # define NO_SSL_OP_NO_TLSv1_1
242 # ifndef NO_SSL_OP_NO_TLSv1_1
243 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
246 #ifdef SSL_OP_NO_TLSv1_2
247 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
249 #ifdef SSL_OP_NO_TLSv1_3
250 { US"no_tlsv1_3", SSL_OP_NO_TLSv1_3 },
252 #ifdef SSL_OP_PRIORITIZE_CHACHA
253 { US"prioritize_chacha", SSL_OP_PRIORITIZE_CHACHA },
255 #ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
256 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
258 #ifdef SSL_OP_SINGLE_DH_USE
259 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
261 #ifdef SSL_OP_SINGLE_ECDH_USE
262 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
264 #ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
265 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
267 #ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
268 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
270 #ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
271 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
273 #ifdef SSL_OP_TLS_D5_BUG
274 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
276 #ifdef SSL_OP_TLS_ROLLBACK_BUG
277 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
279 #ifdef SSL_OP_TLSEXT_PADDING
280 { US"tlsext_padding", SSL_OP_TLSEXT_PADDING },
285 static int exim_openssl_options_size = nelem(exim_openssl_options);
286 static long init_options = 0;
295 for (struct exim_openssl_option * o = exim_openssl_options;
296 o < exim_openssl_options + nelem(exim_openssl_options); o++)
298 /* Trailing X is workaround for problem with _OPT_OPENSSL_NO_TLSV1
299 being a ".ifdef _OPT_OPENSSL_NO_TLSV1_3" match */
301 spf(buf, sizeof(buf), US"_OPT_OPENSSL_%T_X", o->name);
302 builtin_macro_create(buf);
305 # ifndef DISABLE_TLS_RESUME
306 builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
308 # ifdef SSL_OP_NO_TLSv1_3
309 builtin_macro_create(US"_HAVE_TLS1_3");
311 # ifdef OPENSSL_BAD_SRVR_OURCERT
312 builtin_macro_create(US"_TLS_BAD_MULTICERT_IN_OURCERT");
314 # ifdef EXIM_HAVE_OCSP
315 builtin_macro_create(US"_HAVE_TLS_OCSP");
316 builtin_macro_create(US"_HAVE_TLS_OCSP_LIST");
318 # ifdef EXIM_HAVE_ALPN
319 builtin_macro_create(US"_HAVE_TLS_ALPN");
324 /******************************************************************************/
326 /* Structure for collecting random data for seeding. */
328 typedef struct randstuff {
333 /* Local static variables */
335 static BOOL client_verify_callback_called = FALSE;
336 static BOOL server_verify_callback_called = FALSE;
337 static const uschar *sid_ctx = US"exim";
339 /* We have three different contexts to care about.
341 Simple case: client, `client_ctx`
342 As a client, we can be doing a callout or cut-through delivery while receiving
343 a message. So we have a client context, which should have options initialised
344 from the SMTP Transport. We may also concurrently want to make TLS connections
345 to utility daemons, so client-contexts are allocated and passed around in call
346 args rather than using a gobal.
349 There are two cases: with and without ServerNameIndication from the client.
350 Given TLS SNI, we can be using different keys, certs and various other
351 configuration settings, because they're re-expanded with $tls_sni set. This
352 allows vhosting with TLS. This SNI is sent in the handshake.
353 A client might not send SNI, so we need a fallback, and an initial setup too.
354 So as a server, we start out using `server_ctx`.
355 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
356 `server_sni` from `server_ctx` and then initialise settings by re-expanding
364 } exim_openssl_client_tls_ctx;
367 /* static SSL_CTX *server_ctx = NULL; */
368 /* static SSL *server_ssl = NULL; */
370 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
371 static SSL_CTX *server_sni = NULL;
373 #ifdef EXIM_HAVE_ALPN
374 static BOOL server_seen_alpn = FALSE;
377 static char ssl_errstring[256];
379 static int ssl_session_timeout = 7200; /* Two hours */
380 static BOOL client_verify_optional = FALSE;
381 static BOOL server_verify_optional = FALSE;
383 static BOOL reexpand_tls_files_for_sni = FALSE;
386 typedef struct ocsp_resp {
387 struct ocsp_resp * next;
388 OCSP_RESPONSE * resp;
391 typedef struct exim_openssl_state {
392 exim_tlslib_state lib_state;
393 #define lib_ctx libdata0
394 #define lib_ssl libdata1
397 uschar * certificate;
401 STACK_OF(X509) *verify_stack; /* chain for verifying the proof */
405 const uschar *file_expanded;
406 ocsp_resplist *olist;
409 X509_STORE *verify_store; /* non-null if status requested */
410 BOOL verify_required;
415 /* these are cached from first expand */
416 uschar * server_cipher_list;
417 /* only passed down to tls_error: */
419 const uschar * verify_cert_hostnames;
420 #ifndef DISABLE_EVENT
421 uschar * event_action;
423 } exim_openssl_state_st;
425 /* should figure out a cleanup of API to handle state preserved per
426 implementation, for various reasons, which can be void * in the APIs.
427 For now, we hack around it. */
428 exim_openssl_state_st *client_static_state = NULL; /*XXX should not use static; multiple concurrent clients! */
429 exim_openssl_state_st state_server = {.is_server = TRUE};
432 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host,
437 static int tls_server_stapling_cb(SSL *s, void *arg);
442 /* Daemon-called, before every connection, key create/rotate */
443 #ifndef DISABLE_TLS_RESUME
444 static void tk_init(void);
445 static int tls_exdata_idx = -1;
449 tls_per_lib_daemon_tick(void)
451 #ifndef DISABLE_TLS_RESUME
456 /* Called once at daemon startup */
459 tls_per_lib_daemon_init(void)
461 tls_daemon_creds_reload();
465 /*************************************************
467 *************************************************/
469 /* Called from lots of places when errors occur before actually starting to do
470 the TLS handshake, that is, while the session is still in clear. Always returns
471 DEFER for a server and FAIL for a client so that most calls can use "return
472 tls_error(...)" to do this processing and then give an appropriate return. A
473 single function is used for both server and client, because it is called from
474 some shared functions.
477 prefix text to include in the logged error
478 host NULL if setting up a server;
479 the connected host if setting up a client
480 msg error message or NULL if we should ask OpenSSL
481 errstr pointer to output error message
483 Returns: OK/DEFER/FAIL
487 tls_error(uschar * prefix, const host_item * host, uschar * msg, uschar ** errstr)
491 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
492 msg = US ssl_errstring;
495 msg = string_sprintf("(%s): %s", prefix, msg);
496 DEBUG(D_tls) debug_printf("TLS error '%s'\n", msg);
497 if (errstr) *errstr = msg;
498 return host ? FAIL : DEFER;
503 /**************************************************
504 * General library initalisation *
505 **************************************************/
508 lib_rand_init(void * addr)
511 if (!RAND_status()) return TRUE;
513 gettimeofday(&r.tv, NULL);
515 RAND_seed(US (&r), sizeof(r));
516 RAND_seed(US big_buffer, big_buffer_size);
517 if (addr) RAND_seed(US addr, sizeof(addr));
519 return RAND_status();
524 tls_openssl_init(void)
526 static BOOL once = FALSE;
530 #ifdef EXIM_NEED_OPENSSL_INIT
531 SSL_load_error_strings(); /* basic set up */
532 OpenSSL_add_ssl_algorithms();
535 #if defined(EXIM_HAVE_SHA256) && !defined(OPENSSL_AUTO_SHA256)
536 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
537 list of available digests. */
538 EVP_add_digest(EVP_sha256());
541 (void) lib_rand_init(NULL);
542 (void) tls_openssl_options_parse(openssl_options, &init_options);
547 /*************************************************
548 * Initialize for DH *
549 *************************************************/
551 /* If dhparam is set, expand it, and load up the parameters for DH encryption.
554 sctx The current SSL CTX (inbound or outbound)
555 dhparam DH parameter file or fixed parameter identity string
556 host connected host, if client; NULL if server
557 errstr error string pointer
559 Returns: TRUE if OK (nothing to set up, or setup worked)
563 init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host, uschar ** errstr)
571 if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded, errstr))
574 if (!dhexpanded || !*dhexpanded)
575 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
576 else if (dhexpanded[0] == '/')
578 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
580 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
581 host, US strerror(errno), errstr);
587 if (Ustrcmp(dhexpanded, "none") == 0)
589 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
593 if (!(pem = std_dh_prime_named(dhexpanded)))
595 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
596 host, US strerror(errno), errstr);
599 bio = BIO_new_mem_buf(CS pem, -1);
602 if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
605 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
610 /* note: our default limit of 2236 is not a multiple of 8; the limit comes from
611 * an NSS limit, and the GnuTLS APIs handle bit-sizes fine, so we went with
612 * 2236. But older OpenSSL can only report in bytes (octets), not bits.
613 * If someone wants to dance at the edge, then they can raise the limit or use
614 * current libraries. */
615 #ifdef EXIM_HAVE_OPENSSL_DH_BITS
616 /* Added in commit 26c79d5641d; `git describe --contains` says OpenSSL_1_1_0-pre1~1022
617 * This predates OpenSSL_1_1_0 (before a, b, ...) so is in all 1.1.0 */
618 dh_bitsize = DH_bits(dh);
620 dh_bitsize = 8 * DH_size(dh);
623 /* Even if it is larger, we silently return success rather than cause things
624 * to fail out, so that a too-large DH will not knock out all TLS; it's a
625 * debatable choice. */
626 if (dh_bitsize > tls_dh_max_bits)
629 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d\n",
630 dh_bitsize, tls_dh_max_bits);
634 SSL_CTX_set_tmp_dh(sctx, dh);
636 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
637 dhexpanded ? dhexpanded : US"default", dh_bitsize);
649 /*************************************************
650 * Initialize for ECDH *
651 *************************************************/
653 /* Load parameters for ECDH encryption.
655 For now, we stick to NIST P-256 because: it's simple and easy to configure;
656 it avoids any patent issues that might bite redistributors; despite events in
657 the news and concerns over curve choices, we're not cryptographers, we're not
658 pretending to be, and this is "good enough" to be better than no support,
659 protecting against most adversaries. Given another year or two, there might
660 be sufficient clarity about a "right" way forward to let us make an informed
661 decision, instead of a knee-jerk reaction.
663 Longer-term, we should look at supporting both various named curves and
664 external files generated with "openssl ecparam", much as we do for init_dh().
665 We should also support "none" as a value, to explicitly avoid initialisation.
670 sctx The current SSL CTX (inbound or outbound)
671 host connected host, if client; NULL if server
672 errstr error string pointer
674 Returns: TRUE if OK (nothing to set up, or setup worked)
678 init_ecdh(SSL_CTX * sctx, host_item * host, uschar ** errstr)
680 #ifdef OPENSSL_NO_ECDH
689 if (host) /* No ECDH setup for clients, only for servers */
692 # ifndef EXIM_HAVE_ECDH
694 debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
698 if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr))
700 if (!exp_curve || !*exp_curve)
703 /* "auto" needs to be handled carefully.
704 * OpenSSL < 1.0.2: we do not select anything, but fallback to prime256v1
705 * OpenSSL < 1.1.0: we have to call SSL_CTX_set_ecdh_auto
706 * (openssl/ssl.h defines SSL_CTRL_SET_ECDH_AUTO)
707 * OpenSSL >= 1.1.0: we do not set anything, the libray does autoselection
708 * https://github.com/openssl/openssl/commit/fe6ef2472db933f01b59cad82aa925736935984b
710 if (Ustrcmp(exp_curve, "auto") == 0)
712 #if OPENSSL_VERSION_NUMBER < 0x10002000L
713 DEBUG(D_tls) debug_printf(
714 "ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n");
715 exp_curve = US"prime256v1";
717 # if defined SSL_CTRL_SET_ECDH_AUTO
718 DEBUG(D_tls) debug_printf(
719 "ECDH OpenSSL 1.0.2+: temp key parameter settings: autoselection\n");
720 SSL_CTX_set_ecdh_auto(sctx, 1);
723 DEBUG(D_tls) debug_printf(
724 "ECDH OpenSSL 1.1.0+: temp key parameter settings: default selection\n");
730 DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve);
731 if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef
732 # ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
733 && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef
737 tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve),
742 if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
744 tls_error(US"Unable to create ec curve", host, NULL, errstr);
748 /* The "tmp" in the name here refers to setting a temporary key
749 not to the stability of the interface. */
751 if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
752 tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL, errstr);
754 DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
759 # endif /*EXIM_HAVE_ECDH*/
760 #endif /*OPENSSL_NO_ECDH*/
765 /*************************************************
766 * Expand key and cert file specs *
767 *************************************************/
771 s SSL connection (not used)
775 Returns: pointer to generated key
779 rsa_callback(SSL *s, int export, int keylength)
782 #ifdef EXIM_HAVE_RSA_GENKEY_EX
783 BIGNUM *bn = BN_new();
786 DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
788 #ifdef EXIM_HAVE_RSA_GENKEY_EX
789 if ( !BN_set_word(bn, (unsigned long)RSA_F4)
790 || !(rsa_key = RSA_new())
791 || !RSA_generate_key_ex(rsa_key, keylength, bn, NULL)
794 if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL)))
798 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
799 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
808 /* Create and install a selfsigned certificate, for use in server mode */
809 /*XXX we could arrange to call this during prelo for a null tls_certificate option.
810 The normal cache inval + relo will suffice.
811 Just need a timer for inval. */
814 tls_install_selfsign(SSL_CTX * sctx, uschar ** errstr)
822 DEBUG(D_tls) debug_printf("TLS: generating selfsigned server cert\n");
823 where = US"allocating pkey";
824 if (!(pkey = EVP_PKEY_new()))
827 where = US"allocating cert";
828 if (!(x509 = X509_new()))
831 where = US"generating pkey";
832 if (!(rsa = rsa_callback(NULL, 0, 2048)))
835 where = US"assigning pkey";
836 if (!EVP_PKEY_assign_RSA(pkey, rsa))
839 X509_set_version(x509, 2); /* N+1 - version 3 */
840 ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
841 X509_gmtime_adj(X509_get_notBefore(x509), 0);
842 X509_gmtime_adj(X509_get_notAfter(x509), (long)2 * 60 * 60); /* 2 hour */
843 X509_set_pubkey(x509, pkey);
845 name = X509_get_subject_name(x509);
846 X509_NAME_add_entry_by_txt(name, "C",
847 MBSTRING_ASC, CUS "UK", -1, -1, 0);
848 X509_NAME_add_entry_by_txt(name, "O",
849 MBSTRING_ASC, CUS "Exim Developers", -1, -1, 0);
850 X509_NAME_add_entry_by_txt(name, "CN",
851 MBSTRING_ASC, CUS smtp_active_hostname, -1, -1, 0);
852 X509_set_issuer_name(x509, name);
854 where = US"signing cert";
855 if (!X509_sign(x509, pkey, EVP_md5()))
858 where = US"installing selfsign cert";
859 if (!SSL_CTX_use_certificate(sctx, x509))
862 where = US"installing selfsign key";
863 if (!SSL_CTX_use_PrivateKey(sctx, pkey))
869 (void) tls_error(where, NULL, NULL, errstr);
870 if (x509) X509_free(x509);
871 if (pkey) EVP_PKEY_free(pkey);
881 /*************************************************
882 * Information callback *
883 *************************************************/
885 /* The SSL library functions call this from time to time to indicate what they
886 are doing. We copy the string to the debugging output when TLS debugging has
898 info_callback(SSL *s, int where, int ret)
904 if (where & SSL_ST_CONNECT)
905 str = US"SSL_connect";
906 else if (where & SSL_ST_ACCEPT)
907 str = US"SSL_accept";
909 str = US"SSL info (undefined)";
911 if (where & SSL_CB_LOOP)
912 debug_printf("%s: %s\n", str, SSL_state_string_long(s));
913 else if (where & SSL_CB_ALERT)
914 debug_printf("SSL3 alert %s:%s:%s\n",
915 str = where & SSL_CB_READ ? US"read" : US"write",
916 SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
917 else if (where & SSL_CB_EXIT)
920 debug_printf("%s: failed in %s\n", str, SSL_state_string_long(s));
922 debug_printf("%s: error in %s\n", str, SSL_state_string_long(s));
924 else if (where & SSL_CB_HANDSHAKE_START)
925 debug_printf("%s: hshake start: %s\n", str, SSL_state_string_long(s));
926 else if (where & SSL_CB_HANDSHAKE_DONE)
927 debug_printf("%s: hshake done: %s\n", str, SSL_state_string_long(s));
931 #ifdef OPENSSL_HAVE_KEYLOG_CB
933 keylog_callback(const SSL *ssl, const char *line)
937 DEBUG(D_tls) debug_printf("%.200s\n", line);
938 if (!(filename = getenv("SSLKEYLOGFILE"))) return;
939 if (!(fp = fopen(filename, "a"))) return;
940 fprintf(fp, "%s\n", line);
949 #ifndef DISABLE_EVENT
951 verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
952 BOOL *calledp, const BOOL *optionalp, const uschar * what)
958 ev = tlsp == &tls_out ? client_static_state->event_action : event_action;
961 DEBUG(D_tls) debug_printf("verify_event: %s %d\n", what, depth);
962 old_cert = tlsp->peercert;
963 tlsp->peercert = X509_dup(cert);
964 /* NB we do not bother setting peerdn */
965 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
967 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
968 "depth=%d cert=%s: %s",
969 tlsp == &tls_out ? deliver_host_address : sender_host_address,
970 what, depth, dn, yield);
974 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
975 return 1; /* reject (leaving peercert set) */
977 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
978 "(host in tls_try_verify_hosts)\n");
979 tlsp->verify_override = TRUE;
981 X509_free(tlsp->peercert);
982 tlsp->peercert = old_cert;
988 /*************************************************
989 * Callback for verification *
990 *************************************************/
992 /* The SSL library does certificate verification if set up to do so. This
993 callback has the current yes/no state is in "state". If verification succeeded,
994 we set the certificate-verified flag. If verification failed, what happens
995 depends on whether the client is required to present a verifiable certificate
998 If verification is optional, we change the state to yes, but still log the
999 verification error. For some reason (it really would help to have proper
1000 documentation of OpenSSL), this callback function then gets called again, this
1001 time with state = 1. We must take care not to set the private verified flag on
1002 the second time through.
1004 Note: this function is not called if the client fails to present a certificate
1005 when asked. We get here only if a certificate has been received. Handling of
1006 optional verification for this case is done when requesting SSL to verify, by
1007 setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
1009 May be called multiple times for different issues with a certificate, even
1010 for a given "depth" in the certificate chain.
1013 preverify_ok current yes/no state as 1/0
1014 x509ctx certificate information.
1015 tlsp per-direction (client vs. server) support data
1016 calledp has-been-called flag
1017 optionalp verification-is-optional flag
1019 Returns: 0 if verification should fail, otherwise 1
1023 verify_callback(int preverify_ok, X509_STORE_CTX * x509ctx,
1024 tls_support * tlsp, BOOL * calledp, BOOL * optionalp)
1026 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
1027 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
1030 if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
1032 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
1033 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
1034 tlsp == &tls_out ? deliver_host_address : sender_host_address);
1037 dn[sizeof(dn)-1] = '\0';
1039 tlsp->verify_override = FALSE;
1040 if (preverify_ok == 0)
1042 uschar * extra = verify_mode ? string_sprintf(" (during %c-verify for [%s])",
1043 *verify_mode, sender_host_address)
1045 log_write(0, LOG_MAIN, "[%s] SSL verify error%s: depth=%d error=%s cert=%s",
1046 tlsp == &tls_out ? deliver_host_address : sender_host_address,
1048 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)), dn);
1052 if (!tlsp->peercert)
1053 tlsp->peercert = X509_dup(cert); /* record failing cert */
1054 return 0; /* reject */
1056 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
1057 "tls_try_verify_hosts)\n");
1058 tlsp->verify_override = TRUE;
1061 else if (depth != 0)
1063 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
1064 #ifndef DISABLE_OCSP
1065 if (tlsp == &tls_out && client_static_state->u_ocsp.client.verify_store)
1066 { /* client, wanting stapling */
1067 /* Add the server cert's signing chain as the one
1068 for the verification of the OCSP stapled information. */
1070 if (!X509_STORE_add_cert(client_static_state->u_ocsp.client.verify_store,
1073 sk_X509_push(client_static_state->verify_stack, cert);
1076 #ifndef DISABLE_EVENT
1077 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
1078 return 0; /* reject, with peercert set */
1083 const uschar * verify_cert_hostnames;
1085 if ( tlsp == &tls_out
1086 && ((verify_cert_hostnames = client_static_state->verify_cert_hostnames)))
1087 /* client, wanting hostname check */
1090 #ifdef EXIM_HAVE_OPENSSL_CHECKHOST
1091 # ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
1092 # define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
1094 # ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
1095 # define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
1098 const uschar * list = verify_cert_hostnames;
1101 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
1102 if ((rc = X509_check_host(cert, CCS name, 0,
1103 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
1104 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
1109 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
1110 tlsp == &tls_out ? deliver_host_address : sender_host_address);
1117 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
1120 uschar * extra = verify_mode
1121 ? string_sprintf(" (during %c-verify for [%s])",
1122 *verify_mode, sender_host_address)
1124 log_write(0, LOG_MAIN,
1125 "[%s] SSL verify error%s: certificate name mismatch: DN=\"%s\" H=\"%s\"",
1126 tlsp == &tls_out ? deliver_host_address : sender_host_address,
1127 extra, dn, verify_cert_hostnames);
1131 if (!tlsp->peercert)
1132 tlsp->peercert = X509_dup(cert); /* record failing cert */
1133 return 0; /* reject */
1135 DEBUG(D_tls) debug_printf("SSL verify name failure overridden (host in "
1136 "tls_try_verify_hosts)\n");
1137 tlsp->verify_override = TRUE;
1141 #ifndef DISABLE_EVENT
1142 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
1143 return 0; /* reject, with peercert set */
1146 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
1147 *calledp ? "" : " authenticated", dn);
1151 return 1; /* accept, at least for this level */
1155 verify_callback_client(int preverify_ok, X509_STORE_CTX *x509ctx)
1157 return verify_callback(preverify_ok, x509ctx, &tls_out,
1158 &client_verify_callback_called, &client_verify_optional);
1162 verify_callback_server(int preverify_ok, X509_STORE_CTX *x509ctx)
1164 return verify_callback(preverify_ok, x509ctx, &tls_in,
1165 &server_verify_callback_called, &server_verify_optional);
1171 /* This gets called *by* the dane library verify callback, which interposes
1175 verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
1177 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
1179 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
1180 #ifndef DISABLE_EVENT
1181 BOOL dummy_called, optional = FALSE;
1184 if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
1186 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
1187 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
1188 deliver_host_address);
1191 dn[sizeof(dn)-1] = '\0';
1193 DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
1194 preverify_ok ? "ok":"BAD", depth, dn);
1196 #ifndef DISABLE_EVENT
1197 if (verify_event(&tls_out, cert, depth, dn,
1198 &dummy_called, &optional, US"DANE"))
1199 return 0; /* reject, with peercert set */
1202 if (preverify_ok == 1)
1204 tls_out.dane_verified = TRUE;
1205 #ifndef DISABLE_OCSP
1206 if (client_static_state->u_ocsp.client.verify_store)
1207 { /* client, wanting stapling */
1208 /* Add the server cert's signing chain as the one
1209 for the verification of the OCSP stapled information. */
1211 if (!X509_STORE_add_cert(client_static_state->u_ocsp.client.verify_store,
1214 sk_X509_push(client_static_state->verify_stack, cert);
1220 int err = X509_STORE_CTX_get_error(x509ctx);
1222 debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
1223 if (err == X509_V_ERR_APPLICATION_VERIFICATION)
1226 return preverify_ok;
1229 #endif /*SUPPORT_DANE*/
1232 #ifndef DISABLE_OCSP
1233 /*************************************************
1234 * Load OCSP information into state *
1235 *************************************************/
1236 /* Called to load the server OCSP response from the given file into memory, once
1237 caller has determined this is needed. Checks validity. Debugs a message
1240 ASSUMES: single response, for single cert.
1243 state various parts of session state
1244 filename the filename putatively holding an OCSP response
1245 is_pem file is PEM format; otherwise is DER
1249 ocsp_load_response(exim_openssl_state_st * state, const uschar * filename,
1253 OCSP_RESPONSE * resp;
1254 OCSP_BASICRESP * basic_response;
1255 OCSP_SINGLERESP * single_response;
1256 ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
1257 STACK_OF(X509) * sk;
1258 unsigned long verify_flags;
1259 int status, reason, i;
1262 debug_printf("tls_ocsp_file (%s) '%s'\n", is_pem ? "PEM" : "DER", filename);
1264 if (!filename || !*filename) return;
1267 if (!(bio = BIO_new_file(CS filename, "rb")))
1269 log_write(0, LOG_MAIN|LOG_PANIC,
1270 "Failed to open OCSP response file \"%s\": %.100s",
1271 filename, ERR_reason_error_string(ERR_get_error()));
1277 uschar * data, * freep;
1280 if (!PEM_read_bio(bio, &dummy, &dummy, &data, &len))
1282 log_write(0, LOG_MAIN|LOG_PANIC, "Failed to read PEM file \"%s\": %.100s",
1283 filename, ERR_reason_error_string(ERR_get_error()));
1287 resp = d2i_OCSP_RESPONSE(NULL, CUSS &data, len);
1288 OPENSSL_free(freep);
1291 resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
1296 log_write(0, LOG_MAIN|LOG_PANIC, "Error reading OCSP response from \"%s\": %s",
1297 filename, ERR_reason_error_string(ERR_get_error()));
1301 if ((status = OCSP_response_status(resp)) != OCSP_RESPONSE_STATUS_SUCCESSFUL)
1303 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
1304 OCSP_response_status_str(status), status);
1310 BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
1311 OCSP_RESPONSE_print(bp, resp, 0); /* extreme debug: stapling content */
1316 if (!(basic_response = OCSP_response_get1_basic(resp)))
1319 debug_printf("OCSP response parse error: unable to extract basic response.\n");
1323 sk = state->verify_stack;
1324 verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
1326 /* May need to expose ability to adjust those flags?
1327 OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
1328 OCSP_TRUSTOTHER OCSP_NOINTERN */
1330 /* This does a full verify on the OCSP proof before we load it for serving
1331 up; possibly overkill - just date-checks might be nice enough.
1333 OCSP_basic_verify takes a "store" arg, but does not
1334 use it for the chain verification, which is all we do
1335 when OCSP_NOVERIFY is set. The content from the wire
1336 "basic_response" and a cert-stack "sk" are all that is used.
1338 We have a stack, loaded in setup_certs() if tls_verify_certificates
1339 was a file (not a directory, or "system"). It is unfortunate we
1340 cannot used the connection context store, as that would neatly
1341 handle the "system" case too, but there seems to be no library
1342 function for getting a stack from a store.
1343 [ In OpenSSL 1.1 - ? X509_STORE_CTX_get0_chain(ctx) ? ]
1344 We do not free the stack since it could be needed a second time for
1347 Separately we might try to replace using OCSP_basic_verify() - which seems to not
1348 be a public interface into the OpenSSL library (there's no manual entry) -
1349 But what with? We also use OCSP_basic_verify in the client stapling callback.
1350 And there we NEED it; we must verify that status... unless the
1351 library does it for us anyway? */
1353 if ((i = OCSP_basic_verify(basic_response, sk, NULL, verify_flags)) < 0)
1357 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
1358 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
1363 /* Here's the simplifying assumption: there's only one response, for the
1364 one certificate we use, and nothing for anything else in a chain. If this
1365 proves false, we need to extract a cert id from our issued cert
1366 (tls_certificate) and use that for OCSP_resp_find_status() (which finds the
1367 right cert in the stack and then calls OCSP_single_get0_status()).
1369 I'm hoping to avoid reworking a bunch more of how we handle state here.
1371 XXX that will change when we add support for (TLS1.3) whole-chain stapling
1374 if (!(single_response = OCSP_resp_get0(basic_response, 0)))
1377 debug_printf("Unable to get first response from OCSP basic response.\n");
1381 status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
1382 if (status != V_OCSP_CERTSTATUS_GOOD)
1384 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
1385 OCSP_cert_status_str(status), status,
1386 OCSP_crl_reason_str(reason), reason);
1390 if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1392 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
1397 /* Add the resp to the list used by tls_server_stapling_cb() */
1399 ocsp_resplist ** op = &state->u_ocsp.server.olist, * oentry;
1400 while (oentry = *op)
1402 *op = oentry = store_get(sizeof(ocsp_resplist), FALSE);
1403 oentry->next = NULL;
1404 oentry->resp = resp;
1409 if (f.running_in_test_harness)
1411 extern char ** environ;
1412 if (environ) for (uschar ** p = USS environ; *p; p++)
1413 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
1415 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
1416 goto supply_response;
1424 ocsp_free_response_list(exim_openssl_state_st * cbinfo)
1426 for (ocsp_resplist * olist = cbinfo->u_ocsp.server.olist; olist;
1427 olist = olist->next)
1428 OCSP_RESPONSE_free(olist->resp);
1429 cbinfo->u_ocsp.server.olist = NULL;
1431 #endif /*!DISABLE_OCSP*/
1438 tls_add_certfile(SSL_CTX * sctx, exim_openssl_state_st * cbinfo, uschar * file,
1441 DEBUG(D_tls) debug_printf("tls_certificate file '%s'\n", file);
1442 if (!SSL_CTX_use_certificate_chain_file(sctx, CS file))
1443 return tls_error(string_sprintf(
1444 "SSL_CTX_use_certificate_chain_file file=%s", file),
1445 cbinfo->host, NULL, errstr);
1450 tls_add_pkeyfile(SSL_CTX * sctx, exim_openssl_state_st * cbinfo, uschar * file,
1453 DEBUG(D_tls) debug_printf("tls_privatekey file '%s'\n", file);
1454 if (!SSL_CTX_use_PrivateKey_file(sctx, CS file, SSL_FILETYPE_PEM))
1455 return tls_error(string_sprintf(
1456 "SSL_CTX_use_PrivateKey_file file=%s", file), cbinfo->host, NULL, errstr);
1463 /* Called once during tls_init and possibly again during TLS setup, for a
1464 new context, if Server Name Indication was used and tls_sni was seen in
1465 the certificate string.
1468 sctx the SSL_CTX* to update
1469 state various parts of session state
1470 errstr error string pointer
1472 Returns: OK/DEFER/FAIL
1476 tls_expand_session_files(SSL_CTX * sctx, exim_openssl_state_st * state,
1481 if (!state->certificate)
1483 if (!state->is_server) /* client */
1486 if (tls_install_selfsign(sctx, errstr) != OK)
1493 if ( !reexpand_tls_files_for_sni
1494 && ( Ustrstr(state->certificate, US"tls_sni")
1495 || Ustrstr(state->certificate, US"tls_in_sni")
1496 || Ustrstr(state->certificate, US"tls_out_sni")
1498 reexpand_tls_files_for_sni = TRUE;
1500 if (!expand_check(state->certificate, US"tls_certificate", &expanded, errstr))
1504 if (state->is_server)
1506 const uschar * file_list = expanded;
1509 #ifndef DISABLE_OCSP
1510 const uschar * olist = state->u_ocsp.server.file;
1513 BOOL fmt_pem = FALSE;
1516 if (!expand_check(olist, US"tls_ocsp_file", USS &olist, errstr))
1518 if (olist && !*olist)
1521 if ( state->u_ocsp.server.file_expanded && olist
1522 && (Ustrcmp(olist, state->u_ocsp.server.file_expanded) == 0))
1524 DEBUG(D_tls) debug_printf(" - value unchanged, using existing values\n");
1529 ocsp_free_response_list(state);
1530 state->u_ocsp.server.file_expanded = olist;
1534 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1536 if ((err = tls_add_certfile(sctx, state, file, errstr)))
1539 #ifndef DISABLE_OCSP
1541 if ((ofile = string_nextinlist(&olist, &osep, NULL, 0)))
1543 if (Ustrncmp(ofile, US"PEM ", 4) == 0)
1548 else if (Ustrncmp(ofile, US"DER ", 4) == 0)
1553 ocsp_load_response(state, ofile, fmt_pem);
1556 DEBUG(D_tls) debug_printf("ran out of ocsp file list\n");
1560 else /* would there ever be a need for multiple client certs? */
1561 if ((err = tls_add_certfile(sctx, state, expanded, errstr)))
1564 if ( state->privatekey
1565 && !expand_check(state->privatekey, US"tls_privatekey", &expanded, errstr))
1568 /* If expansion was forced to fail, key_expanded will be NULL. If the result
1569 of the expansion is an empty string, ignore it also, and assume the private
1570 key is in the same file as the certificate. */
1572 if (expanded && *expanded)
1573 if (state->is_server)
1575 const uschar * file_list = expanded;
1579 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1580 if ((err = tls_add_pkeyfile(sctx, state, file, errstr)))
1583 else /* would there ever be a need for multiple client certs? */
1584 if ((err = tls_add_pkeyfile(sctx, state, expanded, errstr)))
1594 /**************************************************
1595 * One-time init credentials for server and client *
1596 **************************************************/
1599 server_load_ciphers(SSL_CTX * ctx, exim_openssl_state_st * state,
1600 uschar * ciphers, uschar ** errstr)
1602 for (uschar * s = ciphers; *s; s++ ) if (*s == '_') *s = '-';
1603 DEBUG(D_tls) debug_printf("required ciphers: %s\n", ciphers);
1604 if (!SSL_CTX_set_cipher_list(ctx, CS ciphers))
1605 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL, errstr);
1606 state->server_cipher_list = ciphers;
1613 lib_ctx_new(SSL_CTX ** ctxp, host_item * host, uschar ** errstr)
1616 #ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1617 if (!(ctx = SSL_CTX_new(host ? TLS_client_method() : TLS_server_method())))
1619 if (!(ctx = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method())))
1621 return tls_error(US"SSL_CTX_new", host, NULL, errstr);
1623 /* Set up the information callback, which outputs if debugging is at a suitable
1628 SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
1629 #if defined(EXIM_HAVE_OPESSL_TRACE) && !defined(OPENSSL_NO_SSL_TRACE)
1630 /* this needs a debug build of OpenSSL */
1631 SSL_CTX_set_msg_callback(ctx, (void (*)())SSL_trace);
1633 #ifdef OPENSSL_HAVE_KEYLOG_CB
1634 SSL_CTX_set_keylog_callback(ctx, (void (*)())keylog_callback);
1638 /* Automatically re-try reads/writes after renegotiation. */
1639 (void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
1646 tls_server_creds_init(void)
1649 uschar * dummy_errstr;
1650 unsigned lifetime = 0;
1654 state_server.lib_state = null_tls_preload;
1656 if (lib_ctx_new(&ctx, NULL, &dummy_errstr) != OK)
1658 state_server.lib_state.lib_ctx = ctx;
1660 /* Preload DH params and EC curve */
1662 if (opt_unset_or_noexpand(tls_dhparam))
1664 DEBUG(D_tls) debug_printf("TLS: preloading DH params for server\n");
1665 if (init_dh(ctx, tls_dhparam, NULL, &dummy_errstr))
1666 state_server.lib_state.dh = TRUE;
1668 if (opt_unset_or_noexpand(tls_eccurve))
1670 DEBUG(D_tls) debug_printf("TLS: preloading ECDH curve for server\n");
1671 if (init_ecdh(ctx, NULL, &dummy_errstr))
1672 state_server.lib_state.ecdh = TRUE;
1675 #if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
1676 /* If we can, preload the server-side cert, key and ocsp */
1678 if ( opt_set_and_noexpand(tls_certificate)
1679 # ifndef DISABLE_OCSP
1680 && opt_unset_or_noexpand(tls_ocsp_file)
1682 && opt_unset_or_noexpand(tls_privatekey))
1684 /* Set watches on the filenames. The implementation does de-duplication
1685 so we can just blindly do them all. */
1687 if ( tls_set_watch(tls_certificate, TRUE)
1688 # ifndef DISABLE_OCSP
1689 && tls_set_watch(tls_ocsp_file, TRUE)
1691 && tls_set_watch(tls_privatekey, TRUE))
1693 state_server.certificate = tls_certificate;
1694 state_server.privatekey = tls_privatekey;
1695 #ifndef DISABLE_OCSP
1696 state_server.u_ocsp.server.file = tls_ocsp_file;
1699 DEBUG(D_tls) debug_printf("TLS: preloading server certs\n");
1700 if (tls_expand_session_files(ctx, &state_server, &dummy_errstr) == OK)
1701 state_server.lib_state.conn_certs = TRUE;
1704 else if ( !tls_certificate && !tls_privatekey
1705 # ifndef DISABLE_OCSP
1709 { /* Generate & preload a selfsigned cert. No files to watch. */
1710 if (tls_expand_session_files(ctx, &state_server, &dummy_errstr) == OK)
1712 state_server.lib_state.conn_certs = TRUE;
1713 lifetime = f.running_in_test_harness ? 2 : 60 * 60; /* 1 hour */
1717 DEBUG(D_tls) debug_printf("TLS: not preloading server certs\n");
1720 /* If we can, preload the Authorities for checking client certs against.
1721 Actual choice to do verify is made (tls_{,try_}verify_hosts)
1722 at TLS conn startup */
1724 if ( opt_set_and_noexpand(tls_verify_certificates)
1725 && opt_unset_or_noexpand(tls_crl))
1727 /* Watch the default dir also as they are always included */
1729 if ( tls_set_watch(CUS X509_get_default_cert_file(), FALSE)
1730 && tls_set_watch(tls_verify_certificates, FALSE)
1731 && tls_set_watch(tls_crl, FALSE))
1733 DEBUG(D_tls) debug_printf("TLS: preloading CA bundle for server\n");
1735 if (setup_certs(ctx, tls_verify_certificates, tls_crl, NULL, &dummy_errstr)
1737 state_server.lib_state.cabundle = TRUE;
1741 DEBUG(D_tls) debug_printf("TLS: not preloading CA bundle for server\n");
1742 #endif /* EXIM_HAVE_INOTIFY */
1745 /* If we can, preload the ciphers control string */
1747 if (opt_set_and_noexpand(tls_require_ciphers))
1749 DEBUG(D_tls) debug_printf("TLS: preloading cipher list for server\n");
1750 if (server_load_ciphers(ctx, &state_server, tls_require_ciphers,
1751 &dummy_errstr) == OK)
1752 state_server.lib_state.pri_string = TRUE;
1755 DEBUG(D_tls) debug_printf("TLS: not preloading cipher list for server\n");
1762 /* Preload whatever creds are static, onto a transport. The client can then
1763 just copy the pointer as it starts up.
1764 Called from the daemon after a cache-invalidate with watch set; called from
1765 a queue-run startup with watch clear. */
1768 tls_client_creds_init(transport_instance * t, BOOL watch)
1770 smtp_transport_options_block * ob = t->options_block;
1771 exim_openssl_state_st tpt_dummy_state;
1772 host_item * dummy_host = (host_item *)1;
1773 uschar * dummy_errstr;
1778 ob->tls_preload = null_tls_preload;
1779 if (lib_ctx_new(&ctx, dummy_host, &dummy_errstr) != OK)
1781 ob->tls_preload.lib_ctx = ctx;
1783 tpt_dummy_state.lib_state = ob->tls_preload;
1785 if (opt_unset_or_noexpand(tls_dhparam))
1787 DEBUG(D_tls) debug_printf("TLS: preloading DH params for transport '%s'\n", t->name);
1788 if (init_dh(ctx, tls_dhparam, NULL, &dummy_errstr))
1789 ob->tls_preload.dh = TRUE;
1791 if (opt_unset_or_noexpand(tls_eccurve))
1793 DEBUG(D_tls) debug_printf("TLS: preloading ECDH curve for transport '%s'\n", t->name);
1794 if (init_ecdh(ctx, NULL, &dummy_errstr))
1795 ob->tls_preload.ecdh = TRUE;
1798 #if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
1799 if ( opt_set_and_noexpand(ob->tls_certificate)
1800 && opt_unset_or_noexpand(ob->tls_privatekey))
1803 || ( tls_set_watch(ob->tls_certificate, FALSE)
1804 && tls_set_watch(ob->tls_privatekey, FALSE)
1807 uschar * pkey = ob->tls_privatekey;
1810 debug_printf("TLS: preloading client certs for transport '%s'\n",t->name);
1812 if ( tls_add_certfile(ctx, &tpt_dummy_state, ob->tls_certificate,
1814 && tls_add_pkeyfile(ctx, &tpt_dummy_state,
1815 pkey ? pkey : ob->tls_certificate,
1818 ob->tls_preload.conn_certs = TRUE;
1823 debug_printf("TLS: not preloading client certs, for transport '%s'\n", t->name);
1826 if ( opt_set_and_noexpand(ob->tls_verify_certificates)
1827 && opt_unset_or_noexpand(ob->tls_crl))
1830 || tls_set_watch(CUS X509_get_default_cert_file(), FALSE)
1831 && tls_set_watch(ob->tls_verify_certificates, FALSE)
1832 && tls_set_watch(ob->tls_crl, FALSE)
1836 debug_printf("TLS: preloading CA bundle for transport '%s'\n", t->name);
1838 if (setup_certs(ctx, ob->tls_verify_certificates,
1839 ob->tls_crl, dummy_host, &dummy_errstr) == OK)
1840 ob->tls_preload.cabundle = TRUE;
1845 debug_printf("TLS: not preloading CA bundle, for transport '%s'\n", t->name);
1847 #endif /*EXIM_HAVE_INOTIFY*/
1851 #if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
1852 /* Invalidate the creds cached, by dropping the current ones.
1853 Call when we notice one of the source files has changed. */
1856 tls_server_creds_invalidate(void)
1858 SSL_CTX_free(state_server.lib_state.lib_ctx);
1859 state_server.lib_state = null_tls_preload;
1864 tls_client_creds_invalidate(transport_instance * t)
1866 smtp_transport_options_block * ob = t->options_block;
1867 SSL_CTX_free(ob->tls_preload.lib_ctx);
1868 ob->tls_preload = null_tls_preload;
1874 tls_server_creds_invalidate(void)
1878 tls_client_creds_invalidate(transport_instance * t)
1881 #endif /*EXIM_HAVE_INOTIFY*/
1885 #ifndef DISABLE_OCSP
1887 x509_store_dump_cert_s_names(X509_STORE * store)
1889 STACK_OF(X509_OBJECT) * roots= store->objs;
1890 static uschar name[256];
1892 for (int i= 0; i < sk_X509_OBJECT_num(roots); i++)
1894 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
1895 if(tmp_obj->type == X509_LU_X509)
1897 X509_NAME * sn = X509_get_subject_name(tmp_obj->data.x509);
1898 if (X509_NAME_oneline(sn, CS name, sizeof(name)))
1900 name[sizeof(name)-1] = '\0';
1901 debug_printf(" %s\n", name);
1910 #ifndef DISABLE_TLS_RESUME
1911 /* Manage the keysets used for encrypting the session tickets, on the server. */
1913 typedef struct { /* Session ticket encryption key */
1916 const EVP_CIPHER * aes_cipher;
1917 uschar aes_key[32]; /* size needed depends on cipher. aes_128 implies 128/8 = 16? */
1918 const EVP_MD * hmac_hash;
1919 uschar hmac_key[16];
1924 static exim_stek exim_tk; /* current key */
1925 static exim_stek exim_tk_old; /* previous key */
1930 time_t t = time(NULL);
1932 if (exim_tk.name[0])
1934 if (exim_tk.renew >= t) return;
1935 exim_tk_old = exim_tk;
1938 if (f.running_in_test_harness) ssl_session_timeout = 6;
1940 DEBUG(D_tls) debug_printf("OpenSSL: %s STEK\n", exim_tk.name[0] ? "rotating" : "creating");
1941 if (RAND_bytes(exim_tk.aes_key, sizeof(exim_tk.aes_key)) <= 0) return;
1942 if (RAND_bytes(exim_tk.hmac_key, sizeof(exim_tk.hmac_key)) <= 0) return;
1943 if (RAND_bytes(exim_tk.name+1, sizeof(exim_tk.name)-1) <= 0) return;
1945 exim_tk.name[0] = 'E';
1946 exim_tk.aes_cipher = EVP_aes_256_cbc();
1947 exim_tk.hmac_hash = EVP_sha256();
1948 exim_tk.expire = t + ssl_session_timeout;
1949 exim_tk.renew = t + ssl_session_timeout/2;
1955 if (!exim_tk.name[0]) return NULL;
1960 tk_find(const uschar * name)
1962 return memcmp(name, exim_tk.name, sizeof(exim_tk.name)) == 0 ? &exim_tk
1963 : memcmp(name, exim_tk_old.name, sizeof(exim_tk_old.name)) == 0 ? &exim_tk_old
1967 /* Callback for session tickets, on server */
1969 ticket_key_callback(SSL * ssl, uschar key_name[16],
1970 uschar * iv, EVP_CIPHER_CTX * c_ctx, HMAC_CTX * hctx, int enc)
1972 tls_support * tlsp = state_server.tlsp;
1977 DEBUG(D_tls) debug_printf("ticket_key_callback: create new session\n");
1978 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
1980 if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) <= 0)
1981 return -1; /* insufficient random */
1983 if (!(key = tk_current())) /* current key doesn't exist or isn't valid */
1984 return 0; /* key couldn't be created */
1985 memcpy(key_name, key->name, 16);
1986 DEBUG(D_tls) debug_printf("STEK expire " TIME_T_FMT "\n", key->expire - time(NULL));
1988 /*XXX will want these dependent on the ssl session strength */
1989 HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
1990 key->hmac_hash, NULL);
1991 EVP_EncryptInit_ex(c_ctx, key->aes_cipher, NULL, key->aes_key, iv);
1993 DEBUG(D_tls) debug_printf("ticket created\n");
1998 time_t now = time(NULL);
2000 DEBUG(D_tls) debug_printf("ticket_key_callback: retrieve session\n");
2001 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
2003 if (!(key = tk_find(key_name)) || key->expire < now)
2007 debug_printf("ticket not usable (%s)\n", key ? "expired" : "not found");
2008 if (key) debug_printf("STEK expire " TIME_T_FMT "\n", key->expire - now);
2013 HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
2014 key->hmac_hash, NULL);
2015 EVP_DecryptInit_ex(c_ctx, key->aes_cipher, NULL, key->aes_key, iv);
2017 DEBUG(D_tls) debug_printf("ticket usable, STEK expire " TIME_T_FMT "\n", key->expire - now);
2019 /* The ticket lifetime and renewal are the same as the STEK lifetime and
2020 renewal, which is overenthusiastic. A factor of, say, 3x longer STEK would
2021 be better. To do that we'd have to encode ticket lifetime in the name as
2022 we don't yet see the restored session. Could check posthandshake for TLS1.3
2023 and trigger a new ticket then, but cannot do that for TLS1.2 */
2024 return key->renew < now ? 2 : 1;
2032 setup_cert_verify(SSL_CTX * ctx, BOOL optional,
2033 int (*cert_vfy_cb)(int, X509_STORE_CTX *))
2035 /* If verification is optional, don't fail if no certificate */
2037 SSL_CTX_set_verify(ctx,
2038 SSL_VERIFY_PEER | (optional ? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
2043 /*************************************************
2044 * Callback to handle SNI *
2045 *************************************************/
2047 /* Called when acting as server during the TLS session setup if a Server Name
2048 Indication extension was sent by the client.
2050 API documentation is OpenSSL s_server.c implementation.
2053 s SSL* of the current session
2054 ad unknown (part of OpenSSL API) (unused)
2055 arg Callback of "our" registered data
2057 Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
2059 XXX might need to change to using ClientHello callback,
2060 per https://www.openssl.org/docs/manmaster/man3/SSL_client_hello_cb_fn.html
2063 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
2065 tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
2067 const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
2068 exim_openssl_state_st *state = (exim_openssl_state_st *) arg;
2070 int old_pool = store_pool;
2071 uschar * dummy_errstr;
2074 return SSL_TLSEXT_ERR_OK;
2076 DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
2077 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
2079 /* Make the extension value available for expansion */
2080 store_pool = POOL_PERM;
2081 tls_in.sni = string_copy_taint(US servername, TRUE);
2082 store_pool = old_pool;
2084 if (!reexpand_tls_files_for_sni)
2085 return SSL_TLSEXT_ERR_OK;
2087 /* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
2088 not confident that memcpy wouldn't break some internal reference counting.
2089 Especially since there's a references struct member, which would be off. */
2091 if (lib_ctx_new(&server_sni, NULL, &dummy_errstr) != OK)
2094 /* Not sure how many of these are actually needed, since SSL object
2095 already exists. Might even need this selfsame callback, for reneg? */
2098 SSL_CTX * ctx = state_server.lib_state.lib_ctx;
2099 SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(ctx));
2100 SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(ctx));
2101 SSL_CTX_set_options(server_sni, SSL_CTX_get_options(ctx));
2102 SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(ctx));
2103 SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
2104 SSL_CTX_set_tlsext_servername_arg(server_sni, state);
2107 if ( !init_dh(server_sni, state->dhparam, NULL, &dummy_errstr)
2108 || !init_ecdh(server_sni, NULL, &dummy_errstr)
2112 if ( state->server_cipher_list
2113 && !SSL_CTX_set_cipher_list(server_sni, CS state->server_cipher_list))
2116 #ifndef DISABLE_OCSP
2117 if (state->u_ocsp.server.file)
2119 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
2120 SSL_CTX_set_tlsext_status_arg(server_sni, state);
2126 if ( !expand_check(tls_verify_certificates, US"tls_verify_certificates",
2127 &expcerts, &dummy_errstr)
2128 || (rc = setup_certs(server_sni, expcerts, tls_crl, NULL,
2129 &dummy_errstr)) != OK)
2132 if (expcerts && *expcerts)
2133 setup_cert_verify(server_sni, FALSE, verify_callback_server);
2136 /* do this after setup_certs, because this can require the certs for verifying
2137 OCSP information. */
2138 if ((rc = tls_expand_session_files(server_sni, state, &dummy_errstr)) != OK)
2141 DEBUG(D_tls) debug_printf("Switching SSL context.\n");
2142 SSL_set_SSL_CTX(s, server_sni);
2143 return SSL_TLSEXT_ERR_OK;
2145 bad: return SSL_TLSEXT_ERR_ALERT_FATAL;
2147 #endif /* EXIM_HAVE_OPENSSL_TLSEXT */
2152 #ifdef EXIM_HAVE_ALPN
2153 /*************************************************
2154 * Callback to handle ALPN *
2155 *************************************************/
2157 /* Called on server if tls_alpn nonblank after expansion,
2158 when client offers ALPN, after the SNI callback.
2159 If set and not matching the list then we dump the connection */
2162 tls_server_alpn_cb(SSL *ssl, const uschar ** out, uschar * outlen,
2163 const uschar * in, unsigned int inlen, void * arg)
2165 server_seen_alpn = TRUE;
2168 debug_printf("Received TLS ALPN offer:");
2169 for (int pos = 0, siz; pos < inlen; pos += siz+1)
2172 if (pos + 1 + siz > inlen) siz = inlen - pos - 1;
2173 debug_printf(" '%.*s'", siz, in + pos + 1);
2175 debug_printf(". Our list: '%s'\n", tls_alpn);
2178 /* Look for an acceptable ALPN */
2180 if ( inlen > 1 /* at least one name */
2181 && in[0]+1 == inlen /* filling the vector, so exactly one name */
2184 const uschar * list = tls_alpn;
2186 for (uschar * name; name = string_nextinlist(&list, &sep, NULL, 0); )
2187 if (Ustrncmp(in+1, name, in[0]) == 0)
2189 *out = in+1; /* we checked for exactly one, so can just point to it */
2191 return SSL_TLSEXT_ERR_OK; /* use ALPN */
2195 /* More than one name from clilent, or name did not match our list. */
2197 /* This will be fatal to the TLS conn; would be nice to kill TCP also.
2198 Maybe as an option in future; for now leave control to the config (must-tls). */
2200 DEBUG(D_tls) debug_printf("TLS ALPN rejected\n");
2201 return SSL_TLSEXT_ERR_ALERT_FATAL;
2203 #endif /* EXIM_HAVE_ALPN */
2207 #ifndef DISABLE_OCSP
2209 /*************************************************
2210 * Callback to handle OCSP Stapling *
2211 *************************************************/
2213 /* Called when acting as server during the TLS session setup if the client
2214 requests OCSP information with a Certificate Status Request.
2216 Documentation via openssl s_server.c and the Apache patch from the OpenSSL
2222 tls_server_stapling_cb(SSL *s, void *arg)
2224 const exim_openssl_state_st * state = arg;
2225 ocsp_resplist * olist = state->u_ocsp.server.olist;
2226 uschar * response_der; /*XXX blob */
2227 int response_der_len;
2230 debug_printf("Received TLS status request (OCSP stapling); %s response list\n",
2231 olist ? "have" : "lack");
2233 tls_in.ocsp = OCSP_NOT_RESP;
2235 return SSL_TLSEXT_ERR_NOACK;
2237 #ifdef EXIM_HAVE_OPESSL_GET0_SERIAL
2239 const X509 * cert_sent = SSL_get_certificate(s);
2240 const ASN1_INTEGER * cert_serial = X509_get0_serialNumber(cert_sent);
2241 const BIGNUM * cert_bn = ASN1_INTEGER_to_BN(cert_serial, NULL);
2243 for (; olist; olist = olist->next)
2245 OCSP_BASICRESP * bs = OCSP_response_get1_basic(olist->resp);
2246 const OCSP_SINGLERESP * single = OCSP_resp_get0(bs, 0);
2247 const OCSP_CERTID * cid = OCSP_SINGLERESP_get0_id(single);
2248 ASN1_INTEGER * res_cert_serial;
2249 const BIGNUM * resp_bn;
2250 ASN1_OCTET_STRING * res_cert_iNameHash;
2253 (void) OCSP_id_get0_info(&res_cert_iNameHash, NULL, NULL, &res_cert_serial,
2254 (OCSP_CERTID *) cid);
2255 resp_bn = ASN1_INTEGER_to_BN(res_cert_serial, NULL);
2259 debug_printf("cert serial: %s\n", BN_bn2hex(cert_bn));
2260 debug_printf("resp serial: %s\n", BN_bn2hex(resp_bn));
2263 if (BN_cmp(cert_bn, resp_bn) == 0)
2265 DEBUG(D_tls) debug_printf("matched serial for ocsp\n");
2267 /*XXX TODO: check the rest of the list for duplicate matches.
2268 If any, need to also check the Issuer Name hash.
2269 Without this, we will provide the wrong status in the case of
2274 DEBUG(D_tls) debug_printf("not match serial for ocsp\n");
2278 DEBUG(D_tls) debug_printf("failed to find match for ocsp\n");
2279 return SSL_TLSEXT_ERR_NOACK;
2285 DEBUG(D_tls) debug_printf("OpenSSL version too early to support multi-leaf OCSP\n");
2286 return SSL_TLSEXT_ERR_NOACK;
2290 /*XXX could we do the i2d earlier, rather than during the callback? */
2291 response_der = NULL;
2292 response_der_len = i2d_OCSP_RESPONSE(olist->resp, &response_der);
2293 if (response_der_len <= 0)
2294 return SSL_TLSEXT_ERR_NOACK;
2296 SSL_set_tlsext_status_ocsp_resp(state_server.lib_state.lib_ssl,
2297 response_der, response_der_len);
2298 tls_in.ocsp = OCSP_VFIED;
2299 return SSL_TLSEXT_ERR_OK;
2304 time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
2306 BIO_printf(bp, "\t%s: ", str);
2307 ASN1_GENERALIZEDTIME_print(bp, time);
2312 tls_client_stapling_cb(SSL *s, void *arg)
2314 exim_openssl_state_st * cbinfo = arg;
2315 const unsigned char * p;
2317 OCSP_RESPONSE * rsp;
2318 OCSP_BASICRESP * bs;
2321 DEBUG(D_tls) debug_printf("Received TLS status callback (OCSP stapling):\n");
2322 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
2325 /* Expect this when we requested ocsp but got none */
2326 if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
2327 log_write(0, LOG_MAIN, "Required TLS certificate status not received");
2329 DEBUG(D_tls) debug_printf(" null\n");
2330 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
2333 if (!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
2335 tls_out.ocsp = OCSP_FAILED; /*XXX should use tlsp-> to permit concurrent outbound */
2336 if (LOGGING(tls_cipher))
2337 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
2339 DEBUG(D_tls) debug_printf(" parse error\n");
2343 if (!(bs = OCSP_response_get1_basic(rsp)))
2345 tls_out.ocsp = OCSP_FAILED;
2346 if (LOGGING(tls_cipher))
2347 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
2349 DEBUG(D_tls) debug_printf(" error parsing response\n");
2350 OCSP_RESPONSE_free(rsp);
2354 /* We'd check the nonce here if we'd put one in the request. */
2355 /* However that would defeat cacheability on the server so we don't. */
2357 /* This section of code reworked from OpenSSL apps source;
2358 The OpenSSL Project retains copyright:
2359 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
2363 #ifndef EXIM_HAVE_OCSP_RESP_COUNT
2364 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
2367 DEBUG(D_tls) bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
2369 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
2371 /* Use the chain that verified the server cert to verify the stapled info */
2372 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
2374 if ((i = OCSP_basic_verify(bs, cbinfo->verify_stack,
2375 cbinfo->u_ocsp.client.verify_store, OCSP_NOEXPLICIT)) <= 0)
2376 if (ERR_peek_error())
2378 tls_out.ocsp = OCSP_FAILED;
2379 if (LOGGING(tls_cipher)) log_write(0, LOG_MAIN,
2380 "Received TLS cert status response, itself unverifiable: %s",
2381 ERR_reason_error_string(ERR_peek_error()));
2382 BIO_printf(bp, "OCSP response verify failure\n");
2383 ERR_print_errors(bp);
2384 OCSP_RESPONSE_print(bp, rsp, 0);
2388 DEBUG(D_tls) debug_printf("no explicit trust for OCSP signing"
2389 " in the root CA certificate; ignoring\n");
2391 DEBUG(D_tls) debug_printf("OCSP response well-formed and signed OK\n");
2393 /*XXX So we have a good stapled OCSP status. How do we know
2394 it is for the cert of interest? OpenSSL 1.1.0 has a routine
2395 OCSP_resp_find_status() which matches on a cert id, which presumably
2396 we should use. Making an id needs OCSP_cert_id_new(), which takes
2397 issuerName, issuerKey, serialNumber. Are they all in the cert?
2399 For now, carry on blindly accepting the resp. */
2402 #ifdef EXIM_HAVE_OCSP_RESP_COUNT
2403 OCSP_resp_count(bs) - 1;
2405 sk_OCSP_SINGLERESP_num(sresp) - 1;
2409 OCSP_SINGLERESP * single = OCSP_resp_get0(bs, idx);
2411 ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
2413 /*XXX so I can see putting a loop in here to handle a rsp with >1 singleresp
2414 - but what happens with a GnuTLS-style input?
2416 we could do with a debug label for each singleresp
2417 - it has a certID with a serialNumber, but I see no API to get that
2419 status = OCSP_single_get0_status(single, &reason, &rev,
2420 &thisupd, &nextupd);
2422 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
2423 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
2424 if (!OCSP_check_validity(thisupd, nextupd,
2425 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
2427 tls_out.ocsp = OCSP_FAILED;
2428 DEBUG(D_tls) ERR_print_errors(bp);
2429 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
2433 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
2434 OCSP_cert_status_str(status));
2437 case V_OCSP_CERTSTATUS_GOOD:
2438 continue; /* the idx loop */
2439 case V_OCSP_CERTSTATUS_REVOKED:
2440 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
2441 reason != -1 ? "; reason: " : "",
2442 reason != -1 ? OCSP_crl_reason_str(reason) : "");
2443 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
2446 log_write(0, LOG_MAIN,
2447 "Server certificate status unknown, in OCSP stapling");
2455 tls_out.ocsp = OCSP_VFIED;
2459 tls_out.ocsp = OCSP_FAILED;
2460 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
2465 OCSP_RESPONSE_free(rsp);
2468 #endif /*!DISABLE_OCSP*/
2471 /*************************************************
2472 * Initialize for TLS *
2473 *************************************************/
2474 /* Called from both server and client code, to do preliminary initialization
2475 of the library. We allocate and return a context structure.
2478 host connected host, if client; NULL if server
2479 ob transport options block, if client; NULL if server
2480 ocsp_file file of stapling info (server); flag for require ocsp (client)
2481 addr address if client; NULL if server (for some randomness)
2482 caller_state place to put pointer to allocated state-struct
2483 errstr error string pointer
2485 Returns: OK/DEFER/FAIL
2489 tls_init(host_item * host, smtp_transport_options_block * ob,
2490 #ifndef DISABLE_OCSP
2493 address_item *addr, exim_openssl_state_st ** caller_state,
2498 exim_openssl_state_st * state;
2501 if (host) /* client */
2503 state = store_malloc(sizeof(exim_openssl_state_st));
2504 memset(state, 0, sizeof(*state));
2505 state->certificate = ob->tls_certificate;
2506 state->privatekey = ob->tls_privatekey;
2507 state->is_server = FALSE;
2508 state->dhparam = NULL;
2509 state->lib_state = ob->tls_preload;
2513 state = &state_server;
2514 state->certificate = tls_certificate;
2515 state->privatekey = tls_privatekey;
2516 state->is_server = TRUE;
2517 state->dhparam = tls_dhparam;
2518 state->lib_state = state_server.lib_state;
2524 if (!state->lib_state.pri_string)
2525 state->server_cipher_list = NULL;
2527 #ifndef DISABLE_EVENT
2528 state->event_action = NULL;
2533 /* It turns out that we need to seed the random number generator this early in
2534 order to get the full complement of ciphers to work. It took me roughly a day
2535 of work to discover this by experiment.
2537 On systems that have /dev/urandom, SSL may automatically seed itself from
2538 there. Otherwise, we have to make something up as best we can. Double check
2541 Although we likely called this before, at daemon startup, this is a chance
2542 to mix in further variable info (time, pid) if needed. */
2544 if (!lib_rand_init(addr))
2545 return tls_error(US"RAND_status", host,
2546 US"unable to seed random number generator", errstr);
2548 /* Apply administrator-supplied work-arounds.
2549 Historically we applied just one requested option,
2550 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
2551 moved to an administrator-controlled list of options to specify and
2552 grandfathered in the first one as the default value for "openssl_options".
2554 No OpenSSL version number checks: the options we accept depend upon the
2555 availability of the option value macros from OpenSSL. */
2558 if (!tls_openssl_options_parse(openssl_options, &init_options))
2559 return tls_error(US"openssl_options parsing failed", host, NULL, errstr);
2561 /* Create a context.
2562 The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
2563 negotiation in the different methods; as far as I can tell, the only
2564 *_{server,client}_method which allows negotiation is SSLv23, which exists even
2565 when OpenSSL is built without SSLv2 support.
2566 By disabling with openssl_options, we can let admins re-enable with the
2569 if (!(ctx = state->lib_state.lib_ctx))
2571 if ((rc = lib_ctx_new(&ctx, host, errstr)) != OK)
2573 state->lib_state.lib_ctx = ctx;
2576 #ifndef DISABLE_TLS_RESUME
2577 tlsp->resumption = RESUME_SUPPORTED;
2581 #ifndef DISABLE_TLS_RESUME
2582 /* Should the server offer session resumption? */
2583 if (!host && verify_check_host(&tls_resumption_hosts) == OK)
2585 DEBUG(D_tls) debug_printf("tls_resumption_hosts overrides openssl_options\n");
2586 init_options &= ~SSL_OP_NO_TICKET;
2587 tlsp->resumption |= RESUME_SERVER_TICKET; /* server will give ticket on request */
2588 tlsp->host_resumable = TRUE;
2592 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
2593 if (!(SSL_CTX_set_options(ctx, init_options)))
2594 return tls_error(string_sprintf(
2595 "SSL_CTX_set_option(%#lx)", init_options), host, NULL, errstr);
2598 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
2600 /* We'd like to disable session cache unconditionally, but foolish Outlook
2601 Express clients then give up the first TLS connection and make a second one
2602 (which works). Only when there is an IMAP service on the same machine.
2603 Presumably OE is trying to use the cache for A on B. Leave it enabled for
2604 now, until we work out a decent way of presenting control to the config. It
2605 will never be used because we use a new context every time. */
2607 (void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
2610 /* Initialize with DH parameters if supplied */
2611 /* Initialize ECDH temp key parameter selection */
2613 if (state->lib_state.dh)
2614 { DEBUG(D_tls) debug_printf("TLS: DH params were preloaded\n"); }
2616 if (!init_dh(ctx, state->dhparam, host, errstr)) return DEFER;
2618 if (state->lib_state.ecdh)
2619 { DEBUG(D_tls) debug_printf("TLS: ECDH curve was preloaded\n"); }
2621 if (!init_ecdh(ctx, host, errstr)) return DEFER;
2623 /* Set up certificate and key (and perhaps OCSP info) */
2625 if (state->lib_state.conn_certs)
2628 debug_printf("TLS: %s certs were preloaded\n", host ? "client":"server");
2632 #ifndef DISABLE_OCSP
2635 state->u_ocsp.server.file = ocsp_file;
2636 state->u_ocsp.server.file_expanded = NULL;
2637 state->u_ocsp.server.olist = NULL;
2640 if ((rc = tls_expand_session_files(ctx, state, errstr)) != OK) return rc;
2643 /* If we need to handle SNI or OCSP, do so */
2645 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
2646 # ifndef DISABLE_OCSP
2647 if (!(state->verify_stack = sk_X509_new_null()))
2649 DEBUG(D_tls) debug_printf("failed to create stack for stapling verify\n");
2654 if (!host) /* server */
2656 # ifndef DISABLE_OCSP
2657 /* We check u_ocsp.server.file, not server.olist, because we care about if
2658 the option exists, not what the current expansion might be, as SNI might
2659 change the certificate and OCSP file in use between now and the time the
2660 callback is invoked. */
2661 if (state->u_ocsp.server.file)
2663 SSL_CTX_set_tlsext_status_cb(ctx, tls_server_stapling_cb);
2664 SSL_CTX_set_tlsext_status_arg(ctx, state);
2667 /* We always do this, so that $tls_sni is available even if not used in
2669 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
2670 SSL_CTX_set_tlsext_servername_arg(ctx, state);
2672 # ifdef EXIM_HAVE_ALPN
2673 if (tls_alpn && *tls_alpn)
2676 if ( expand_check(tls_alpn, US"tls_alpn", &exp_alpn, errstr)
2677 && *exp_alpn && !isblank(*exp_alpn))
2679 tls_alpn = exp_alpn; /* subprocess so ok to overwrite */
2680 SSL_CTX_set_alpn_select_cb(ctx, tls_server_alpn_cb, state);
2687 # ifndef DISABLE_OCSP
2689 if(ocsp_file) /* wanting stapling */
2691 if (!(state->u_ocsp.client.verify_store = X509_STORE_new()))
2693 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
2696 SSL_CTX_set_tlsext_status_cb(ctx, tls_client_stapling_cb);
2697 SSL_CTX_set_tlsext_status_arg(ctx, state);
2702 state->verify_cert_hostnames = NULL;
2704 #ifdef EXIM_HAVE_EPHEM_RSA_KEX
2705 /* Set up the RSA callback */
2706 SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
2709 /* Finally, set the session cache timeout, and we are done.
2710 The period appears to be also used for (server-generated) session tickets */
2712 SSL_CTX_set_timeout(ctx, ssl_session_timeout);
2713 DEBUG(D_tls) debug_printf("Initialized TLS\n");
2715 *caller_state = state;
2723 /*************************************************
2724 * Get name of cipher in use *
2725 *************************************************/
2728 Argument: pointer to an SSL structure for the connection
2729 pointer to number of bits for cipher
2730 Returns: pointer to allocated string in perm-pool
2734 construct_cipher_name(SSL * ssl, const uschar * ver, int * bits)
2736 int pool = store_pool;
2737 /* With OpenSSL 1.0.0a, 'c' needs to be const but the documentation doesn't
2738 yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
2739 the accessor functions use const in the prototype. */
2741 const SSL_CIPHER * c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
2744 SSL_CIPHER_get_bits(c, bits);
2746 store_pool = POOL_PERM;
2747 s = string_sprintf("%s:%s:%u", ver, SSL_CIPHER_get_name(c), *bits);
2749 DEBUG(D_tls) debug_printf("Cipher: %s\n", s);
2754 /* Get IETF-standard name for ciphersuite.
2755 Argument: pointer to an SSL structure for the connection
2756 Returns: pointer to string
2759 static const uschar *
2760 cipher_stdname_ssl(SSL * ssl)
2762 #ifdef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
2763 return CUS SSL_CIPHER_standard_name(SSL_get_current_cipher(ssl));
2765 ushort id = 0xffff & SSL_CIPHER_get_id(SSL_get_current_cipher(ssl));
2766 return cipher_stdname(id >> 8, id & 0xff);
2771 static const uschar *
2772 tlsver_name(SSL * ssl)
2775 int pool = store_pool;
2777 store_pool = POOL_PERM;
2778 s = string_copy(US SSL_get_version(ssl));
2780 if ((p = Ustrchr(s, 'v'))) /* TLSv1.2 -> TLS1.2 */
2781 for (;; p++) if (!(*p = p[1])) break;
2787 peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned siz)
2789 /*XXX we might consider a list-of-certs variable for the cert chain.
2790 SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
2791 in list-handling functions, also consider the difference between the entire
2792 chain and the elements sent by the peer. */
2794 tlsp->peerdn = NULL;
2796 /* Will have already noted peercert on a verify fail; possibly not the leaf */
2797 if (!tlsp->peercert)
2798 tlsp->peercert = SSL_get_peer_certificate(ssl);
2799 /* Beware anonymous ciphers which lead to server_cert being NULL */
2801 if (!X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, siz))
2802 { DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n"); }
2805 int oldpool = store_pool;
2807 peerdn[siz-1] = '\0'; /* paranoia */
2808 store_pool = POOL_PERM;
2809 tlsp->peerdn = string_copy(peerdn);
2810 store_pool = oldpool;
2812 /* We used to set CV in the cert-verify callbacks (either plain or dane)
2813 but they don't get called on session-resumption. So use the official
2814 interface, which uses the resumed value. Unfortunately this claims verified
2815 when it actually failed but we're in try-verify mode, due to us wanting the
2816 knowlege that it failed so needing to have the callback and forcing a
2817 permissive return. If we don't force it, the TLS startup is failed.
2818 The extra bit of information is set in verify_override in the cb, stashed
2819 for resumption next to the TLS session, and used here. */
2821 if (!tlsp->verify_override)
2822 tlsp->certificate_verified =
2824 tlsp->dane_verified ||
2826 SSL_get_verify_result(ssl) == X509_V_OK;
2834 /*************************************************
2835 * Set up for verifying certificates *
2836 *************************************************/
2838 #ifndef DISABLE_OCSP
2839 /* Load certs from file, return TRUE on success */
2842 chain_from_pem_file(const uschar * file, STACK_OF(X509) ** vp)
2845 STACK_OF(X509) * verify_stack = *vp;
2848 while (sk_X509_num(verify_stack) > 0)
2849 X509_free(sk_X509_pop(verify_stack));
2851 verify_stack = sk_X509_new_null();
2853 if (!(bp = BIO_new_file(CS file, "r"))) return FALSE;
2854 for (X509 * x; x = PEM_read_bio_X509(bp, NULL, 0, NULL); )
2855 sk_X509_push(verify_stack, x);
2864 /* Called by both client and server startup; on the server possibly
2865 repeated after a Server Name Indication.
2868 sctx SSL_CTX* to initialise
2869 certs certs file, expanded
2870 crl CRL file or NULL
2871 host NULL in a server; the remote host in a client
2872 errstr error string pointer
2874 Returns: OK/DEFER/FAIL
2878 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host,
2881 uschar *expcerts, *expcrl;
2883 if (!expand_check(certs, US"tls_verify_certificates", &expcerts, errstr))
2885 DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
2887 if (expcerts && *expcerts)
2889 /* Tell the library to use its compiled-in location for the system default
2890 CA bundle. Then add the ones specified in the config, if any. */
2892 if (!SSL_CTX_set_default_verify_paths(sctx))
2893 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL, errstr);
2895 if (Ustrcmp(expcerts, "system") != 0 && Ustrncmp(expcerts, "system,", 7) != 0)
2897 struct stat statbuf;
2899 if (Ustat(expcerts, &statbuf) < 0)
2901 log_write(0, LOG_MAIN|LOG_PANIC,
2902 "failed to stat %s for certificates", expcerts);
2908 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
2909 { file = NULL; dir = expcerts; }
2912 STACK_OF(X509) * verify_stack =
2913 #ifndef DISABLE_OCSP
2914 !host ? state_server.verify_stack :
2917 STACK_OF(X509) ** vp = &verify_stack;
2919 file = expcerts; dir = NULL;
2920 #ifndef DISABLE_OCSP
2921 /* In the server if we will be offering an OCSP proof, load chain from
2922 file for verifying the OCSP proof at load time. */
2924 /*XXX Glitch! The file here is tls_verify_certs: the chain for verifying the client cert.
2925 This is inconsistent with the need to verify the OCSP proof of the server cert.
2928 && statbuf.st_size > 0
2929 && state_server.u_ocsp.server.file
2930 && !chain_from_pem_file(file, vp)
2933 log_write(0, LOG_MAIN|LOG_PANIC,
2934 "failed to load cert chain from %s", file);
2940 /* If a certificate file is empty, the load function fails with an
2941 unhelpful error message. If we skip it, we get the correct behaviour (no
2942 certificates are recognized, but the error message is still misleading (it
2943 says no certificate was supplied). But this is better. */
2945 if ( (!file || statbuf.st_size > 0)
2946 && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
2947 return tls_error(US"SSL_CTX_load_verify_locations",
2948 host, NULL, errstr);
2950 /* On the server load the list of CAs for which we will accept certs, for
2951 sending to the client. This is only for the one-file
2952 tls_verify_certificates variant.
2953 If a list isn't loaded into the server, but some verify locations are set,
2954 the server end appears to make a wildcard request for client certs.
2955 Meanwhile, the client library as default behaviour *ignores* the list
2956 we send over the wire - see man SSL_CTX_set_client_cert_cb.
2957 Because of this, and that the dir variant is likely only used for
2958 the public-CA bundle (not for a private CA), not worth fixing. */
2962 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
2963 int i = sk_X509_NAME_num(names);
2965 if (!host) SSL_CTX_set_client_CA_list(sctx, names);
2966 DEBUG(D_tls) debug_printf("Added %d additional certificate authorit%s\n",
2967 i, i>1 ? "ies":"y");
2971 debug_printf("Added dir for additional certificate authorities\n");
2975 /* Handle a certificate revocation list. */
2977 #if OPENSSL_VERSION_NUMBER > 0x00907000L
2979 /* This bit of code is now the version supplied by Lars Mainka. (I have
2980 merely reformatted it into the Exim code style.)
2982 "From here I changed the code to add support for multiple crl's
2983 in pem format in one file or to support hashed directory entries in
2984 pem format instead of a file. This method now uses the library function
2985 X509_STORE_load_locations to add the CRL location to the SSL context.
2986 OpenSSL will then handle the verify against CA certs and CRLs by
2987 itself in the verify callback." */
2989 if (!expand_check(crl, US"tls_crl", &expcrl, errstr)) return DEFER;
2990 if (expcrl && *expcrl)
2992 struct stat statbufcrl;
2993 if (Ustat(expcrl, &statbufcrl) < 0)
2995 log_write(0, LOG_MAIN|LOG_PANIC,
2996 "failed to stat %s for certificates revocation lists", expcrl);
3001 /* is it a file or directory? */
3003 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
3004 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
3008 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
3014 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
3016 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
3017 return tls_error(US"X509_STORE_load_locations", host, NULL, errstr);
3019 /* setting the flags to check against the complete crl chain */
3021 X509_STORE_set_flags(cvstore,
3022 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
3026 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
3034 /*************************************************
3035 * Start a TLS session in a server *
3036 *************************************************/
3037 /* This is called when Exim is running as a server, after having received
3038 the STARTTLS command. It must respond to that command, and then negotiate
3042 errstr pointer to error message
3044 Returns: OK on success
3045 DEFER for errors before the start of the negotiation
3046 FAIL for errors during the negotiation; the server can't
3051 tls_server_start(uschar ** errstr)
3054 uschar * expciphers;
3055 exim_openssl_state_st * dummy_statep;
3058 static uschar peerdn[256];
3060 /* Check for previous activation */
3062 if (tls_in.active.sock >= 0)
3064 tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
3065 smtp_printf("554 Already in TLS\r\n", FALSE);
3069 /* Initialize the SSL library. If it fails, it will already have logged
3072 rc = tls_init(NULL, NULL,
3073 #ifndef DISABLE_OCSP
3076 NULL, &dummy_statep, &tls_in, errstr);
3077 if (rc != OK) return rc;
3078 ctx = state_server.lib_state.lib_ctx;
3080 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
3081 were historically separated by underscores. So that I can use either form in my
3082 tests, and also for general convenience, we turn underscores into hyphens here.
3084 XXX SSL_CTX_set_cipher_list() is replaced by SSL_CTX_set_ciphersuites()
3085 for TLS 1.3 . Since we do not call it at present we get the default list:
3086 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
3089 if (state_server.lib_state.pri_string)
3090 { DEBUG(D_tls) debug_printf("TLS: cipher list was preloaded\n"); }
3093 if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers, errstr))
3097 && (rc = server_load_ciphers(ctx, &state_server, expciphers, errstr)) != OK)
3101 /* If this is a host for which certificate verification is mandatory or
3102 optional, set up appropriately. */
3104 tls_in.certificate_verified = FALSE;
3106 tls_in.dane_verified = FALSE;
3108 server_verify_callback_called = FALSE;
3110 if (verify_check_host(&tls_verify_hosts) == OK)
3111 server_verify_optional = FALSE;
3112 else if (verify_check_host(&tls_try_verify_hosts) == OK)
3113 server_verify_optional = TRUE;
3119 if (!expand_check(tls_verify_certificates, US"tls_verify_certificates",
3122 DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
3124 if (state_server.lib_state.cabundle)
3125 { DEBUG(D_tls) debug_printf("TLS: CA bundle for server was preloaded\n"); }
3127 if ((rc = setup_certs(ctx, expcerts, tls_crl, NULL, errstr)) != OK)
3130 if (expcerts && *expcerts)
3131 setup_cert_verify(ctx, server_verify_optional, verify_callback_server);
3135 #ifndef DISABLE_TLS_RESUME
3136 SSL_CTX_set_tlsext_ticket_key_cb(ctx, ticket_key_callback);
3137 /* despite working, appears to always return failure, so ignoring */
3139 #ifdef OPENSSL_HAVE_NUM_TICKETS
3140 # ifndef DISABLE_TLS_RESUME
3141 SSL_CTX_set_num_tickets(ctx, tls_in.host_resumable ? 1 : 0);
3143 SSL_CTX_set_num_tickets(ctx, 0); /* send no TLS1.3 stateful-tickets */
3148 /* Prepare for new connection */
3150 if (!(ssl = SSL_new(ctx)))
3151 return tls_error(US"SSL_new", NULL, NULL, errstr);
3152 state_server.lib_state.lib_ssl = ssl;
3154 /* Warning: we used to SSL_clear(ssl) here, it was removed.
3156 * With the SSL_clear(), we get strange interoperability bugs with
3157 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
3158 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
3160 * The SSL_clear() call is to let an existing SSL* be reused, typically after
3161 * session shutdown. In this case, we have a brand new object and there's no
3162 * obvious reason to immediately clear it. I'm guessing that this was
3163 * originally added because of incomplete initialisation which the clear fixed,
3164 * in some historic release.
3167 /* Set context and tell client to go ahead, except in the case of TLS startup
3168 on connection, where outputting anything now upsets the clients and tends to
3169 make them disconnect. We need to have an explicit fflush() here, to force out
3170 the response. Other smtp_printf() calls do not need it, because in non-TLS
3171 mode, the fflush() happens when smtp_getc() is called. */
3173 SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
3174 if (!tls_in.on_connect)
3176 smtp_printf("220 TLS go ahead\r\n", FALSE);
3180 /* Now negotiate the TLS session. We put our own timer on it, since it seems
3181 that the OpenSSL library doesn't. */
3183 SSL_set_wfd(ssl, fileno(smtp_out));
3184 SSL_set_rfd(ssl, fileno(smtp_in));
3185 SSL_set_accept_state(ssl);
3187 DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
3190 sigalrm_seen = FALSE;
3191 if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
3192 rc = SSL_accept(ssl);
3197 int error = SSL_get_error(ssl, rc);
3200 case SSL_ERROR_NONE:
3203 case SSL_ERROR_ZERO_RETURN:
3204 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
3205 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
3207 if (SSL_get_shutdown(ssl) == SSL_RECEIVED_SHUTDOWN)
3210 tls_close(NULL, TLS_NO_SHUTDOWN);
3213 /* Handle genuine errors */
3217 int r = ERR_GET_REASON(ERR_peek_error());
3218 if ( r == SSL_R_WRONG_VERSION_NUMBER
3219 #ifdef SSL_R_VERSION_TOO_LOW
3220 || r == SSL_R_VERSION_TOO_LOW
3222 || r == SSL_R_UNKNOWN_PROTOCOL || r == SSL_R_UNSUPPORTED_PROTOCOL)
3223 s = string_sprintf("%s (%s)", s, SSL_get_version(ssl));
3224 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : s, errstr);
3229 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
3230 if (error == SSL_ERROR_SYSCALL)
3234 *errstr = US"SSL_accept: TCP connection closed by peer";
3237 DEBUG(D_tls) debug_printf(" - syscall %s\n", strerror(errno));
3239 (void) tls_error(US"SSL_accept", NULL,
3240 sigalrm_seen ? US"timed out"
3241 : ERR_peek_error() ? NULL : string_sprintf("ret %d", error),
3247 DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
3248 ERR_clear_error(); /* Even success can leave errors in the stack. Seen with
3249 anon-authentication ciphersuite negotiated. */
3251 #ifndef DISABLE_TLS_RESUME
3252 if (SSL_session_reused(ssl))
3254 tls_in.resumption |= RESUME_USED;
3255 DEBUG(D_tls) debug_printf("Session reused\n");
3259 #ifdef EXIM_HAVE_ALPN
3260 /* If require-alpn, check server_seen_alpn here. Else abort TLS */
3261 if (!tls_alpn || !*tls_alpn)
3262 { DEBUG(D_tls) debug_printf("TLS: was not watching for ALPN\n"); }
3263 else if (!server_seen_alpn)
3264 if (verify_check_host(&hosts_require_alpn) == OK)
3266 /* We'd like to send a definitive Alert but OpenSSL provides no facility */
3268 tls_error(US"handshake", NULL, US"ALPN required but not negotiated", errstr);
3272 { DEBUG(D_tls) debug_printf("TLS: no ALPN presented in handshake\n"); }
3275 const uschar * name;
3277 SSL_get0_alpn_selected(ssl, &name, &len);
3279 debug_printf("ALPN negotiated: '%.*s'\n", (int)*name, name+1);
3281 debug_printf("ALPN: no protocol negotiated\n");
3286 /* TLS has been set up. Record data for the connection,
3287 adjust the input functions to read via TLS, and initialize things. */
3289 #ifdef SSL_get_extms_support
3290 tls_in.ext_master_secret = SSL_get_extms_support(ssl) == 1;
3292 peer_cert(ssl, &tls_in, peerdn, sizeof(peerdn));
3294 tls_in.ver = tlsver_name(ssl);
3295 tls_in.cipher = construct_cipher_name(ssl, tls_in.ver, &tls_in.bits);
3296 tls_in.cipher_stdname = cipher_stdname_ssl(ssl);
3301 if (SSL_get_shared_ciphers(ssl, CS buf, sizeof(buf)))
3302 debug_printf("Shared ciphers: %s\n", buf);
3304 #ifdef EXIM_HAVE_OPENSSL_KEYLOG
3306 BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
3307 SSL_SESSION_print_keylog(bp, SSL_get_session(ssl));
3312 #ifdef EXIM_HAVE_SESSION_TICKET
3314 SSL_SESSION * ss = SSL_get_session(ssl);
3315 if (SSL_SESSION_has_ticket(ss)) /* 1.1.0 */
3316 debug_printf("The session has a ticket, life %lu seconds\n",
3317 SSL_SESSION_get_ticket_lifetime_hint(ss));
3322 /* Record the certificate we presented */
3324 X509 * crt = SSL_get_certificate(ssl);
3325 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
3328 /* Channel-binding info for authenticators
3329 See description in https://paquier.xyz/postgresql-2/channel-binding-openssl/ */
3332 size_t len = SSL_get_peer_finished(ssl, &c, 0);
3333 int old_pool = store_pool;
3335 SSL_get_peer_finished(ssl, s = store_get((int)len, FALSE), len);
3336 store_pool = POOL_PERM;
3337 tls_in.channelbinding = b64encode_taint(CUS s, (int)len, FALSE);
3338 store_pool = old_pool;
3339 DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage %p\n", tls_in.channelbinding);
3342 /* Only used by the server-side tls (tls_in), including tls_getc.
3343 Client-side (tls_out) reads (seem to?) go via
3344 smtp_read_response()/ip_recv().
3345 Hence no need to duplicate for _in and _out.
3347 if (!ssl_xfer_buffer) ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
3348 ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
3349 ssl_xfer_eof = ssl_xfer_error = FALSE;
3351 receive_getc = tls_getc;
3352 receive_getbuf = tls_getbuf;
3353 receive_get_cache = tls_get_cache;
3354 receive_hasc = tls_hasc;
3355 receive_ungetc = tls_ungetc;
3356 receive_feof = tls_feof;
3357 receive_ferror = tls_ferror;
3359 tls_in.active.sock = fileno(smtp_out);
3360 tls_in.active.tls_ctx = NULL; /* not using explicit ctx for server-side */
3368 tls_client_basic_ctx_init(SSL_CTX * ctx,
3369 host_item * host, smtp_transport_options_block * ob, exim_openssl_state_st * state,
3374 /* Back-compatible old behaviour if tls_verify_certificates is set but both
3375 tls_verify_hosts and tls_try_verify_hosts are not set. Check only the specified
3376 host patterns if one of them is set with content. */
3378 if ( ( ( !ob->tls_verify_hosts || !ob->tls_verify_hosts
3379 || Ustrcmp(ob->tls_try_verify_hosts, ":") == 0
3381 && ( !ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts
3382 || Ustrcmp(ob->tls_try_verify_hosts, ":") == 0
3385 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
3387 client_verify_optional = FALSE;
3388 else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
3389 client_verify_optional = TRUE;
3395 if (!expand_check(ob->tls_verify_certificates, US"tls_verify_certificates",
3398 DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
3400 if (state->lib_state.cabundle)
3401 { DEBUG(D_tls) debug_printf("TLS: CA bundle was preloaded\n"); }
3403 if ((rc = setup_certs(ctx, expcerts, ob->tls_crl, host, errstr)) != OK)
3406 if (expcerts && *expcerts)
3407 setup_cert_verify(ctx, client_verify_optional, verify_callback_client);
3410 if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
3412 state->verify_cert_hostnames =
3414 string_domain_utf8_to_alabel(host->certname, NULL);
3418 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
3419 state->verify_cert_hostnames);
3427 dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa, uschar ** errstr)
3430 const char * hostnames[2] = { CS host->name, NULL };
3433 if (DANESSL_init(ssl, NULL, hostnames) != 1)
3434 return tls_error(US"hostnames load", host, NULL, errstr);
3436 for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
3437 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
3438 ) if (rr->type == T_TLSA && rr->size > 3)
3440 const uschar * p = rr->data;
3441 uint8_t usage, selector, mtype;
3442 const char * mdname;
3446 /* Only DANE-TA(2) and DANE-EE(3) are supported */
3447 if (usage != 2 && usage != 3) continue;
3454 default: continue; /* Only match-types 0, 1, 2 are supported */
3455 case 0: mdname = NULL; break;
3456 case 1: mdname = "sha256"; break;
3457 case 2: mdname = "sha512"; break;
3461 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
3464 return tls_error(US"tlsa load", host, NULL, errstr);
3465 case 0: /* action not taken */
3469 tls_out.tlsa_usage |= 1<<usage;
3475 log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
3478 #endif /*SUPPORT_DANE*/
3482 #ifndef DISABLE_TLS_RESUME
3483 /* On the client, get any stashed session for the given IP from hints db
3484 and apply it to the ssl-connection for attempted resumption. */
3487 tls_retrieve_session(tls_support * tlsp, SSL * ssl, const uschar * key)
3489 tlsp->resumption |= RESUME_SUPPORTED;
3490 if (tlsp->host_resumable)
3492 dbdata_tls_session * dt;
3494 open_db dbblock, * dbm_file;
3496 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
3497 DEBUG(D_tls) debug_printf("checking for resumable session for %s\n", key);
3498 if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
3500 /* key for the db is the IP */
3501 if ((dt = dbfn_read_with_length(dbm_file, key, &len)))
3503 SSL_SESSION * ss = NULL;
3504 const uschar * sess_asn1 = dt->session;
3506 len -= sizeof(dbdata_tls_session);
3507 if (!(d2i_SSL_SESSION(&ss, &sess_asn1, (long)len)))
3511 ERR_error_string_n(ERR_get_error(),
3512 ssl_errstring, sizeof(ssl_errstring));
3513 debug_printf("decoding session: %s\n", ssl_errstring);
3518 unsigned long lifetime =
3519 #ifdef EXIM_HAVE_SESSION_TICKET
3520 SSL_SESSION_get_ticket_lifetime_hint(ss);
3521 #else /* Use, fairly arbitrilarily, what we as server would */
3522 f.running_in_test_harness ? 6 : ssl_session_timeout;
3524 if (lifetime + dt->time_stamp < time(NULL))
3526 DEBUG(D_tls) debug_printf("session expired\n");
3527 dbfn_delete(dbm_file, key);
3529 else if (!SSL_set_session(ssl, ss))
3533 ERR_error_string_n(ERR_get_error(),
3534 ssl_errstring, sizeof(ssl_errstring));
3535 debug_printf("applying session to ssl: %s\n", ssl_errstring);
3540 DEBUG(D_tls) debug_printf("good session\n");
3541 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
3542 tlsp->verify_override = dt->verify_override;
3543 tlsp->ocsp = dt->ocsp;
3548 DEBUG(D_tls) debug_printf("no session record\n");
3549 dbfn_close(dbm_file);
3555 /* On the client, save the session for later resumption */
3558 tls_save_session_cb(SSL * ssl, SSL_SESSION * ss)
3560 exim_openssl_state_st * cbinfo = SSL_get_ex_data(ssl, tls_exdata_idx);
3563 DEBUG(D_tls) debug_printf("tls_save_session_cb\n");
3565 if (!cbinfo || !(tlsp = cbinfo->tlsp)->host_resumable) return 0;
3567 # ifdef OPENSSL_HAVE_NUM_TICKETS
3568 if (SSL_SESSION_is_resumable(ss)) /* 1.1.1 */
3571 int len = i2d_SSL_SESSION(ss, NULL);
3572 int dlen = sizeof(dbdata_tls_session) + len;
3573 dbdata_tls_session * dt = store_get(dlen, TRUE);
3574 uschar * s = dt->session;
3575 open_db dbblock, * dbm_file;
3577 DEBUG(D_tls) debug_printf("session is resumable\n");
3578 tlsp->resumption |= RESUME_SERVER_TICKET; /* server gave us a ticket */
3580 dt->verify_override = tlsp->verify_override;
3581 dt->ocsp = tlsp->ocsp;
3582 (void) i2d_SSL_SESSION(ss, &s); /* s gets bumped to end */
3584 if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
3586 const uschar * key = cbinfo->host->address;
3587 dbfn_delete(dbm_file, key);
3588 dbfn_write(dbm_file, key, dt, dlen);
3589 dbfn_close(dbm_file);
3590 DEBUG(D_tls) debug_printf("wrote session (len %u) to db\n",
3599 tls_client_ctx_resume_prehandshake(
3600 exim_openssl_client_tls_ctx * exim_client_ctx, tls_support * tlsp,
3601 smtp_transport_options_block * ob, host_item * host)
3603 /* Should the client request a session resumption ticket? */
3604 if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, host) == OK)
3606 tlsp->host_resumable = TRUE;
3608 SSL_CTX_set_session_cache_mode(exim_client_ctx->ctx,
3609 SSL_SESS_CACHE_CLIENT
3610 | SSL_SESS_CACHE_NO_INTERNAL | SSL_SESS_CACHE_NO_AUTO_CLEAR);
3611 SSL_CTX_sess_set_new_cb(exim_client_ctx->ctx, tls_save_session_cb);
3616 tls_client_ssl_resume_prehandshake(SSL * ssl, tls_support * tlsp,
3617 host_item * host, uschar ** errstr)
3619 if (tlsp->host_resumable)
3622 debug_printf("tls_resumption_hosts overrides openssl_options, enabling tickets\n");
3623 SSL_clear_options(ssl, SSL_OP_NO_TICKET);
3625 tls_exdata_idx = SSL_get_ex_new_index(0, 0, 0, 0, 0);
3626 if (!SSL_set_ex_data(ssl, tls_exdata_idx, client_static_state))
3628 tls_error(US"set ex_data", host, NULL, errstr);
3631 debug_printf("tls_exdata_idx %d cbinfo %p\n", tls_exdata_idx, client_static_state);
3634 tlsp->resumption = RESUME_SUPPORTED;
3635 /* Pick up a previous session, saved on an old ticket */
3636 tls_retrieve_session(tlsp, ssl, host->address);
3641 tls_client_resume_posthandshake(exim_openssl_client_tls_ctx * exim_client_ctx,
3644 if (SSL_session_reused(exim_client_ctx->ssl))
3646 DEBUG(D_tls) debug_printf("The session was reused\n");
3647 tlsp->resumption |= RESUME_USED;
3650 #endif /* !DISABLE_TLS_RESUME */
3653 #ifdef EXIM_HAVE_ALPN
3654 /* Expand and convert an Exim list to an ALPN list. False return for fail.
3655 NULL plist return for silent no-ALPN.
3659 tls_alpn_plist(const uschar * tls_alpn, const uschar ** plist, unsigned * plen,
3664 if (!expand_check(tls_alpn, US"tls_alpn", &exp_alpn, errstr))
3669 DEBUG(D_tls) debug_printf("Setting TLS ALPN forced to fail, not sending\n");
3674 /* The server implementation only accepts exactly one protocol name
3675 but it's little extra code complexity in the client. */
3677 const uschar * list = exp_alpn;
3678 uschar * p = store_get(Ustrlen(exp_alpn), is_tainted(exp_alpn)), * s, * t;
3682 for (t = p; s = string_nextinlist(&list, &sep, NULL, 0); t += len)
3684 *t++ = len = (uschar) Ustrlen(s);
3687 *plist = (*plen = t - p) ? p : NULL;
3691 #endif /* EXIM_HAVE_ALPN */
3694 /*************************************************
3695 * Start a TLS session in a client *
3696 *************************************************/
3698 /* Called from the smtp transport after STARTTLS has been accepted.
3701 cctx connection context
3702 conn_args connection details
3703 cookie datum for randomness; can be NULL
3704 tlsp record details of TLS channel configuration here; must be non-NULL
3705 errstr error string pointer
3707 Returns: TRUE for success with TLS session context set in connection context,
3712 tls_client_start(client_conn_ctx * cctx, smtp_connect_args * conn_args,
3713 void * cookie, tls_support * tlsp, uschar ** errstr)
3715 host_item * host = conn_args->host; /* for msgs and option-tests */
3716 transport_instance * tb = conn_args->tblock; /* always smtp or NULL */
3717 smtp_transport_options_block * ob = tb
3718 ? (smtp_transport_options_block *)tb->options_block
3719 : &smtp_transport_option_defaults;
3720 exim_openssl_client_tls_ctx * exim_client_ctx;
3721 uschar * expciphers;
3723 static uschar peerdn[256];
3725 #ifndef DISABLE_OCSP
3726 BOOL request_ocsp = FALSE;
3727 BOOL require_ocsp = FALSE;
3731 store_pool = POOL_PERM;
3732 exim_client_ctx = store_get(sizeof(exim_openssl_client_tls_ctx), FALSE);
3733 exim_client_ctx->corked = NULL;
3737 tlsp->tlsa_usage = 0;
3740 #ifndef DISABLE_OCSP
3742 # ifdef SUPPORT_DANE
3743 /*XXX this should be moved to caller, to be common across gnutls/openssl */
3744 if ( conn_args->dane
3745 && ob->hosts_request_ocsp[0] == '*'
3746 && ob->hosts_request_ocsp[1] == '\0'
3749 /* Unchanged from default. Use a safer one under DANE */
3750 request_ocsp = TRUE;
3751 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
3752 " {= {4}{$tls_out_tlsa_usage}} } "
3758 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK))
3759 request_ocsp = TRUE;
3761 # ifdef SUPPORT_DANE
3765 verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
3769 rc = tls_init(host, ob,
3770 #ifndef DISABLE_OCSP
3771 (void *)(long)request_ocsp,
3773 cookie, &client_static_state, tlsp, errstr);
3774 if (rc != OK) return FALSE;
3776 exim_client_ctx->ctx = client_static_state->lib_state.lib_ctx;
3778 tlsp->certificate_verified = FALSE;
3779 client_verify_callback_called = FALSE;
3783 if (conn_args->dane)
3785 /* We fall back to tls_require_ciphers if unset, empty or forced failure, but
3786 other failures should be treated as problems. */
3787 if (ob->dane_require_tls_ciphers &&
3788 !expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
3789 &expciphers, errstr))
3791 if (expciphers && *expciphers == '\0')
3796 !expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
3797 &expciphers, errstr))
3800 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
3801 are separated by underscores. So that I can use either form in my tests, and
3802 also for general convenience, we turn underscores into hyphens here. */
3806 uschar *s = expciphers;
3807 while (*s) { if (*s == '_') *s = '-'; s++; }
3808 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
3809 if (!SSL_CTX_set_cipher_list(exim_client_ctx->ctx, CS expciphers))
3811 tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr);
3817 if (conn_args->dane)
3819 SSL_CTX_set_verify(exim_client_ctx->ctx,
3820 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
3821 verify_callback_client_dane);
3823 if (!DANESSL_library_init())
3825 tls_error(US"library init", host, NULL, errstr);
3828 if (DANESSL_CTX_init(exim_client_ctx->ctx) <= 0)
3830 tls_error(US"context init", host, NULL, errstr);
3838 if (tls_client_basic_ctx_init(exim_client_ctx->ctx, host, ob,
3839 client_static_state, errstr) != OK)
3842 #ifndef DISABLE_TLS_RESUME
3843 tls_client_ctx_resume_prehandshake(exim_client_ctx, tlsp, ob, host);
3847 if (!(exim_client_ctx->ssl = SSL_new(exim_client_ctx->ctx)))
3849 tls_error(US"SSL_new", host, NULL, errstr);
3852 SSL_set_session_id_context(exim_client_ctx->ssl, sid_ctx, Ustrlen(sid_ctx));
3854 SSL_set_fd(exim_client_ctx->ssl, cctx->sock);
3855 SSL_set_connect_state(exim_client_ctx->ssl);
3859 if (!expand_check(ob->tls_sni, US"tls_sni", &tlsp->sni, errstr))
3863 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
3865 else if (!Ustrlen(tlsp->sni))
3869 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
3870 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tlsp->sni);
3871 SSL_set_tlsext_host_name(exim_client_ctx->ssl, tlsp->sni);
3873 log_write(0, LOG_MAIN, "SNI unusable with this OpenSSL library version; ignoring \"%s\"\n",
3880 #ifdef EXIM_HAVE_ALPN
3882 const uschar * plist;
3885 if (!tls_alpn_plist(ob->tls_alpn, &plist, &plen, errstr))
3888 if (SSL_set_alpn_protos(exim_client_ctx->ssl, plist, plen) != 0)
3890 tls_error(US"alpn init", host, NULL, errstr);
3894 DEBUG(D_tls) debug_printf("Setting TLS ALPN '%s'\n", ob->tls_alpn);
3897 log_write(0, LOG_MAIN, "ALPN unusable with this OpenSSL library version; ignoring \"%s\"\n",
3902 if (conn_args->dane)
3903 if (dane_tlsa_load(exim_client_ctx->ssl, host, &conn_args->tlsa_dnsa, errstr) != OK)
3907 #ifndef DISABLE_OCSP
3908 /* Request certificate status at connection-time. If the server
3909 does OCSP stapling we will get the callback (set in tls_init()) */
3910 # ifdef SUPPORT_DANE
3914 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
3915 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
3917 { /* Re-eval now $tls_out_tlsa_usage is populated. If
3918 this means we avoid the OCSP request, we wasted the setup
3919 cost in tls_init(). */
3920 require_ocsp = verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
3921 request_ocsp = require_ocsp
3922 || verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
3929 SSL_set_tlsext_status_type(exim_client_ctx->ssl, TLSEXT_STATUSTYPE_ocsp);
3930 client_static_state->u_ocsp.client.verify_required = require_ocsp;
3931 tlsp->ocsp = OCSP_NOT_RESP;
3935 #ifndef DISABLE_TLS_RESUME
3936 if (!tls_client_ssl_resume_prehandshake(exim_client_ctx->ssl, tlsp, host,
3941 #ifndef DISABLE_EVENT
3942 client_static_state->event_action = tb ? tb->event_action : NULL;
3945 /* There doesn't seem to be a built-in timeout on connection. */
3947 DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
3948 sigalrm_seen = FALSE;
3949 ALARM(ob->command_timeout);
3950 rc = SSL_connect(exim_client_ctx->ssl);
3954 if (conn_args->dane)
3955 DANESSL_cleanup(exim_client_ctx->ssl);
3960 tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL, errstr);
3966 debug_printf("SSL_connect succeeded\n");
3967 #ifdef EXIM_HAVE_OPENSSL_KEYLOG
3969 BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
3970 SSL_SESSION_print_keylog(bp, SSL_get_session(exim_client_ctx->ssl));
3976 #ifndef DISABLE_TLS_RESUME
3977 tls_client_resume_posthandshake(exim_client_ctx, tlsp);
3980 #ifdef EXIM_HAVE_ALPN
3981 if (ob->tls_alpn) /* We requested. See what was negotiated. */
3983 const uschar * name;
3986 SSL_get0_alpn_selected(exim_client_ctx->ssl, &name, &len);
3988 { DEBUG(D_tls) debug_printf("ALPN negotiated %u: '%.*s'\n", len, (int)*name, name+1); }
3989 else if (verify_check_given_host(CUSS &ob->hosts_require_alpn, host) == OK)
3991 /* Would like to send a relevant fatal Alert, but OpenSSL has no API */
3992 tls_error(US"handshake", host, US"ALPN required but not negotiated", errstr);
3998 #ifdef SSL_get_extms_support
3999 tlsp->ext_master_secret = SSL_get_extms_support(exim_client_ctx->ssl) == 1;
4001 peer_cert(exim_client_ctx->ssl, tlsp, peerdn, sizeof(peerdn));
4003 tlsp->ver = tlsver_name(exim_client_ctx->ssl);
4004 tlsp->cipher = construct_cipher_name(exim_client_ctx->ssl, tlsp->ver, &tlsp->bits);
4005 tlsp->cipher_stdname = cipher_stdname_ssl(exim_client_ctx->ssl);
4007 /* Record the certificate we presented */
4009 X509 * crt = SSL_get_certificate(exim_client_ctx->ssl);
4010 tlsp->ourcert = crt ? X509_dup(crt) : NULL;
4013 /*XXX will this work with continued-TLS? */
4014 /* Channel-binding info for authenticators */
4017 size_t len = SSL_get_finished(exim_client_ctx->ssl, &c, 0);
4018 int old_pool = store_pool;
4020 SSL_get_finished(exim_client_ctx->ssl, s = store_get((int)len, TRUE), len);
4021 store_pool = POOL_PERM;
4022 tlsp->channelbinding = b64encode_taint(CUS s, (int)len, TRUE);
4023 store_pool = old_pool;
4024 DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage %p %p\n", tlsp->channelbinding, tlsp);
4027 tlsp->active.sock = cctx->sock;
4028 tlsp->active.tls_ctx = exim_client_ctx;
4029 cctx->tls_ctx = exim_client_ctx;
4038 tls_refill(unsigned lim)
4040 SSL * ssl = state_server.lib_state.lib_ssl;
4044 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
4045 ssl_xfer_buffer, ssl_xfer_buffer_size);
4048 if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
4049 inbytes = SSL_read(ssl, CS ssl_xfer_buffer,
4050 MIN(ssl_xfer_buffer_size, lim));
4051 error = SSL_get_error(ssl, inbytes);
4052 if (smtp_receive_timeout > 0) ALARM_CLR(0);
4054 if (had_command_timeout) /* set by signal handler */
4055 smtp_command_timeout_exit(); /* does not return */
4056 if (had_command_sigterm)
4057 smtp_command_sigterm_exit();
4058 if (had_data_timeout)
4059 smtp_data_timeout_exit();
4060 if (had_data_sigint)
4061 smtp_data_sigint_exit();
4063 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
4064 closed down, not that the socket itself has been closed down. Revert to
4065 non-SSL handling. */
4069 case SSL_ERROR_NONE:
4072 case SSL_ERROR_ZERO_RETURN:
4073 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
4075 if (SSL_get_shutdown(ssl) == SSL_RECEIVED_SHUTDOWN)
4078 tls_close(NULL, TLS_NO_SHUTDOWN);
4081 /* Handle genuine errors */
4083 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
4084 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
4085 ssl_xfer_error = TRUE;
4089 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
4090 DEBUG(D_tls) if (error == SSL_ERROR_SYSCALL)
4091 debug_printf(" - syscall %s\n", strerror(errno));
4092 ssl_xfer_error = TRUE;
4096 #ifndef DISABLE_DKIM
4097 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
4099 ssl_xfer_buffer_hwm = inbytes;
4100 ssl_xfer_buffer_lwm = 0;
4105 /*************************************************
4106 * TLS version of getc *
4107 *************************************************/
4109 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
4110 it refills the buffer via the SSL reading function.
4112 Arguments: lim Maximum amount to read/buffer
4113 Returns: the next character or EOF
4115 Only used by the server-side TLS.
4119 tls_getc(unsigned lim)
4121 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
4122 if (!tls_refill(lim))
4123 return ssl_xfer_error ? EOF : smtp_getc(lim);
4125 /* Something in the buffer; return next uschar */
4127 return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
4133 return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm;
4137 tls_getbuf(unsigned * len)
4142 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
4143 if (!tls_refill(*len))
4145 if (!ssl_xfer_error) return smtp_getbuf(len);
4150 if ((size = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm) > *len)
4152 buf = &ssl_xfer_buffer[ssl_xfer_buffer_lwm];
4153 ssl_xfer_buffer_lwm += size;
4160 tls_get_cache(unsigned lim)
4162 #ifndef DISABLE_DKIM
4163 int n = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm;
4164 debug_printf("tls_get_cache\n");
4168 dkim_exim_verify_feed(ssl_xfer_buffer+ssl_xfer_buffer_lwm, n);
4174 tls_could_getc(void)
4176 return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm
4177 || SSL_pending(state_server.lib_state.lib_ssl) > 0;
4181 /*************************************************
4182 * Read bytes from TLS channel *
4183 *************************************************/
4187 ct_ctx client context pointer, or NULL for the one global server context
4191 Returns: the number of bytes read
4192 -1 after a failed read, including EOF
4194 Only used by the client-side TLS.
4198 tls_read(void * ct_ctx, uschar *buff, size_t len)
4200 SSL * ssl = ct_ctx ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl
4201 : state_server.lib_state.lib_ssl;
4205 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
4206 buff, (unsigned int)len);
4209 inbytes = SSL_read(ssl, CS buff, len);
4210 error = SSL_get_error(ssl, inbytes);
4212 if (error == SSL_ERROR_ZERO_RETURN)
4214 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
4217 else if (error != SSL_ERROR_NONE)
4227 /*************************************************
4228 * Write bytes down TLS channel *
4229 *************************************************/
4233 ct_ctx client context pointer, or NULL for the one global server context
4236 more further data expected soon
4238 Returns: the number of bytes after a successful write,
4239 -1 after a failed write
4241 Used by both server-side and client-side TLS. Calling with len zero and more unset
4242 will flush buffered writes; buff can be null for this case.
4246 tls_write(void * ct_ctx, const uschar * buff, size_t len, BOOL more)
4249 int outbytes, error;
4251 ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl
4252 : state_server.lib_state.lib_ssl;
4253 static gstring * server_corked = NULL;
4254 gstring ** corkedp = ct_ctx
4255 ? &((exim_openssl_client_tls_ctx *)ct_ctx)->corked : &server_corked;
4256 gstring * corked = *corkedp;
4258 DEBUG(D_tls) debug_printf("%s(%p, %lu%s)\n", __FUNCTION__,
4259 buff, (unsigned long)len, more ? ", more" : "");
4261 /* Lacking a CORK or MSG_MORE facility (such as GnuTLS has) we copy data when
4262 "more" is notified. This hack is only ok if small amounts are involved AND only
4263 one stream does it, in one context (i.e. no store reset). Currently it is used
4264 for the responses to the received SMTP MAIL , RCPT, DATA sequence, only.
4265 We support callouts done by the server process by using a separate client
4266 context for the stashed information. */
4267 /* + if PIPE_COMMAND, banner & ehlo-resp for smmtp-on-connect. Suspect there's
4268 a store reset there, so use POOL_PERM. */
4269 /* + if CHUNKING, cmds EHLO,MAIL,RCPT(s),BDAT */
4273 if (!len) buff = US &error; /* dummy just so that string_catn is ok */
4275 int save_pool = store_pool;
4276 store_pool = POOL_PERM;
4278 corked = string_catn(corked, buff, len);
4280 store_pool = save_pool;
4287 buff = CUS corked->s;
4292 for (int left = len; left > 0;)
4294 DEBUG(D_tls) debug_printf("SSL_write(%p, %p, %d)\n", ssl, buff, left);
4296 outbytes = SSL_write(ssl, CS buff, left);
4297 error = SSL_get_error(ssl, outbytes);
4298 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
4301 case SSL_ERROR_NONE: /* the usual case */
4307 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
4308 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
4311 case SSL_ERROR_ZERO_RETURN:
4312 log_write(0, LOG_MAIN, "SSL channel closed on write");
4315 case SSL_ERROR_SYSCALL:
4316 if (ct_ctx || errno != ECONNRESET || !f.smtp_in_quit)
4317 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
4318 sender_fullhost ? sender_fullhost : US"<unknown>",
4320 else if (LOGGING(protocol_detail))
4321 log_write(0, LOG_MAIN, "[%s] after QUIT, client reset TCP before"
4322 " SMTP response and TLS close\n", sender_host_address);
4324 DEBUG(D_tls) debug_printf("[%s] SSL_write: after QUIT,"
4325 " client reset TCP before TLS close\n", sender_host_address);
4329 log_write(0, LOG_MAIN, "SSL_write error %d", error);
4340 ct_ctx client TLS context pointer, or NULL for the one global server context
4344 tls_shutdown_wr(void * ct_ctx)
4346 exim_openssl_client_tls_ctx * o_ctx = ct_ctx;
4347 SSL ** sslp = o_ctx ? &o_ctx->ssl : (SSL **) &state_server.lib_state.lib_ssl;
4348 int * fdp = o_ctx ? &tls_out.active.sock : &tls_in.active.sock;
4351 if (*fdp < 0) return; /* TLS was not active */
4353 tls_write(ct_ctx, NULL, 0, FALSE); /* flush write buffer */
4355 HDEBUG(D_transport|D_tls|D_acl|D_v) debug_printf_indent(" SMTP(TLS shutdown)>>\n");
4356 rc = SSL_shutdown(*sslp);
4357 if (rc < 0) DEBUG(D_tls)
4359 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
4360 debug_printf("SSL_shutdown: %s\n", ssl_errstring);
4364 /*************************************************
4365 * Close down a TLS session *
4366 *************************************************/
4368 /* This is also called from within a delivery subprocess forked from the
4369 daemon, to shut down the TLS library, without actually doing a shutdown (which
4370 would tamper with the SSL session in the parent process).
4373 ct_ctx client TLS context pointer, or NULL for the one global server context
4374 do_shutdown 0 no data-flush or TLS close-alert
4375 1 if TLS close-alert is to be sent,
4376 2 if also response to be waited for
4380 Used by both server-side and client-side TLS.
4384 tls_close(void * ct_ctx, int do_shutdown)
4386 exim_openssl_client_tls_ctx * o_ctx = ct_ctx;
4387 SSL ** sslp = o_ctx ? &o_ctx->ssl : (SSL **) &state_server.lib_state.lib_ssl;
4388 int * fdp = o_ctx ? &tls_out.active.sock : &tls_in.active.sock;
4390 if (*fdp < 0) return; /* TLS was not active */
4395 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
4396 do_shutdown > 1 ? " (with response-wait)" : "");
4398 tls_write(ct_ctx, NULL, 0, FALSE); /* flush write buffer */
4400 if ( (rc = SSL_shutdown(*sslp)) == 0 /* send "close notify" alert */
4404 rc = SSL_shutdown(*sslp); /* wait for response */
4408 if (rc < 0) DEBUG(D_tls)
4410 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
4411 debug_printf("SSL_shutdown: %s\n", ssl_errstring);
4415 if (!o_ctx) /* server side */
4417 #ifndef DISABLE_OCSP
4418 sk_X509_pop_free(state_server.verify_stack, X509_free);
4419 state_server.verify_stack = NULL;
4422 receive_getc = smtp_getc;
4423 receive_getbuf = smtp_getbuf;
4424 receive_get_cache = smtp_get_cache;
4425 receive_hasc = smtp_hasc;
4426 receive_ungetc = smtp_ungetc;
4427 receive_feof = smtp_feof;
4428 receive_ferror = smtp_ferror;
4429 tls_in.active.tls_ctx = NULL;
4431 /* Leave bits, peercert, cipher, peerdn, certificate_verified set, for logging */
4442 /*************************************************
4443 * Let tls_require_ciphers be checked at startup *
4444 *************************************************/
4446 /* The tls_require_ciphers option, if set, must be something which the
4449 Returns: NULL on success, or error message
4453 tls_validate_require_cipher(void)
4456 uschar *s, *expciphers, *err;
4460 if (!(tls_require_ciphers && *tls_require_ciphers))
4463 if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
4465 return US"failed to expand tls_require_ciphers";
4467 if (!(expciphers && *expciphers))
4470 /* normalisation ripped from above */
4472 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
4476 if (lib_ctx_new(&ctx, NULL, &err) == OK)
4479 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
4481 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
4483 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
4484 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed: %s",
4485 expciphers, ssl_errstring);
4496 /*************************************************
4497 * Report the library versions. *
4498 *************************************************/
4500 /* There have historically been some issues with binary compatibility in
4501 OpenSSL libraries; if Exim (like many other applications) is built against
4502 one version of OpenSSL but the run-time linker picks up another version,
4503 it can result in serious failures, including crashing with a SIGSEGV. So
4504 report the version found by the compiler and the run-time version.
4506 Note: some OS vendors backport security fixes without changing the version
4507 number/string, and the version date remains unchanged. The _build_ date
4508 will change, so we can more usefully assist with version diagnosis by also
4509 reporting the build date.
4511 Arguments: a FILE* to print the results to
4516 tls_version_report(FILE *f)
4518 fprintf(f, "Library version: OpenSSL: Compile: %s\n"
4521 OPENSSL_VERSION_TEXT,
4522 SSLeay_version(SSLEAY_VERSION),
4523 SSLeay_version(SSLEAY_BUILT_ON));
4524 /* third line is 38 characters for the %s and the line is 73 chars long;
4525 the OpenSSL output includes a "built on: " prefix already. */
4531 /*************************************************
4532 * Random number generation *
4533 *************************************************/
4535 /* Pseudo-random number generation. The result is not expected to be
4536 cryptographically strong but not so weak that someone will shoot themselves
4537 in the foot using it as a nonce in input in some email header scheme or
4538 whatever weirdness they'll twist this into. The result should handle fork()
4539 and avoid repeating sequences. OpenSSL handles that for us.
4543 Returns a random number in range [0, max-1]
4547 vaguely_random_number(int max)
4551 static pid_t pidlast = 0;
4553 uschar smallbuf[sizeof(r)];
4559 if (pidnow != pidlast)
4561 /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
4562 is unique for each thread", this doesn't apparently apply across processes,
4563 so our own warning from vaguely_random_number_fallback() applies here too.
4564 Fix per PostgreSQL. */
4570 /* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
4574 gettimeofday(&r.tv, NULL);
4577 RAND_seed(US (&r), sizeof(r));
4579 /* We're after pseudo-random, not random; if we still don't have enough data
4580 in the internal PRNG then our options are limited. We could sleep and hope
4581 for entropy to come along (prayer technique) but if the system is so depleted
4582 in the first place then something is likely to just keep taking it. Instead,
4583 we'll just take whatever little bit of pseudo-random we can still manage to
4586 needed_len = sizeof(r);
4587 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
4588 asked for a number less than 10. */
4589 for (r = max, i = 0; r; ++i)
4595 #ifdef EXIM_HAVE_RAND_PSEUDO
4596 /* We do not care if crypto-strong */
4597 i = RAND_pseudo_bytes(smallbuf, needed_len);
4599 i = RAND_bytes(smallbuf, needed_len);
4605 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
4606 return vaguely_random_number_fallback(max);
4610 for (uschar * p = smallbuf; needed_len; --needed_len, ++p)
4613 /* We don't particularly care about weighted results; if someone wants
4614 smooth distribution and cares enough then they should submit a patch then. */
4621 /*************************************************
4622 * OpenSSL option parse *
4623 *************************************************/
4625 /* Parse one option for tls_openssl_options_parse below
4628 name one option name
4629 value place to store a value for it
4630 Returns success or failure in parsing
4636 tls_openssl_one_option_parse(uschar *name, long *value)
4639 int last = exim_openssl_options_size;
4640 while (last > first)
4642 int middle = (first + last)/2;
4643 int c = Ustrcmp(name, exim_openssl_options[middle].name);
4646 *value = exim_openssl_options[middle].value;
4660 /*************************************************
4661 * OpenSSL option parsing logic *
4662 *************************************************/
4664 /* OpenSSL has a number of compatibility options which an administrator might
4665 reasonably wish to set. Interpret a list similarly to decode_bits(), so that
4666 we look like log_selector.
4669 option_spec the administrator-supplied string of options
4670 results ptr to long storage for the options bitmap
4671 Returns success or failure
4675 tls_openssl_options_parse(uschar *option_spec, long *results)
4678 uschar * exp, * end;
4679 BOOL adding, item_parsed;
4681 /* Server: send no (<= TLS1.2) session tickets */
4682 result = SSL_OP_NO_TICKET;
4684 /* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
4685 from default because it increases BEAST susceptibility. */
4686 #ifdef SSL_OP_NO_SSLv2
4687 result |= SSL_OP_NO_SSLv2;
4689 #ifdef SSL_OP_NO_SSLv3
4690 result |= SSL_OP_NO_SSLv3;
4692 #ifdef SSL_OP_SINGLE_DH_USE
4693 result |= SSL_OP_SINGLE_DH_USE;
4695 #ifdef SSL_OP_NO_RENEGOTIATION
4696 result |= SSL_OP_NO_RENEGOTIATION;
4705 if (!expand_check(option_spec, US"openssl_options", &exp, &end))
4708 for (uschar * s = exp; *s; /**/)
4710 while (isspace(*s)) ++s;
4713 if (*s != '+' && *s != '-')
4715 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
4716 "+ or - expected but found \"%s\"\n", s);
4719 adding = *s++ == '+';
4720 for (end = s; *end && !isspace(*end); ) end++;
4721 item_parsed = tls_openssl_one_option_parse(string_copyn(s, end-s), &item);
4724 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
4727 DEBUG(D_tls) debug_printf("openssl option, %s %08lx: %08lx (%s)\n",
4728 adding ? "adding to " : "removing from", result, item, s);
4740 #endif /*!MACRO_PREDEF*/
4743 /* End of tls-openssl.c */