1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) The Exim Maintainers 2020 - 2022 */
6 /* Copyright (c) University of Cambridge 1995 - 2019 */
7 /* See the file NOTICE for conditions of use and distribution. */
8 /* SPDX-License-Identifier: GPL-2.0-or-later */
10 /* Portions Copyright (c) The OpenSSL Project 1999 */
12 /* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
13 library. It is #included into the tls.c file when that library is used. The
14 code herein is based on a patch that was originally contributed by Steve
15 Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
17 No cryptographic code is included in Exim. All this module does is to call
18 functions from the OpenSSL library. */
23 #include <openssl/lhash.h>
24 #include <openssl/ssl.h>
25 #include <openssl/err.h>
26 #include <openssl/rand.h>
27 #ifndef OPENSSL_NO_ECDH
28 # include <openssl/ec.h>
31 # include <openssl/ocsp.h>
39 # define EXIM_OCSP_SKEW_SECONDS (300L)
40 # define EXIM_OCSP_MAX_AGE (-1L)
43 #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
44 # define EXIM_HAVE_OPENSSL_TLSEXT
46 #if OPENSSL_VERSION_NUMBER >= 0x00908000L
47 # define EXIM_HAVE_RSA_GENKEY_EX
49 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
50 # define EXIM_HAVE_OCSP_RESP_COUNT
51 # define OPENSSL_AUTO_SHA256
52 # define OPENSSL_MIN_PROTO_VERSION
54 # define EXIM_HAVE_EPHEM_RSA_KEX
55 # define EXIM_HAVE_RAND_PSEUDO
57 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
58 # define EXIM_HAVE_SHA256
61 /* X509_check_host provides sane certificate hostname checking, but was added
62 to OpenSSL late, after other projects forked off the code-base. So in
63 addition to guarding against the base version number, beware that LibreSSL
64 does not (at this time) support this function.
66 If LibreSSL gains a different API, perhaps via libtls, then we'll probably
67 opt to disentangle and ask a LibreSSL user to provide glue for a third
68 crypto provider for libtls instead of continuing to tie the OpenSSL glue
69 into even twistier knots. If LibreSSL gains the same API, we can just
70 change this guard and punt the issue for a while longer. */
72 #ifndef LIBRESSL_VERSION_NUMBER
73 # if OPENSSL_VERSION_NUMBER >= 0x010100000L
74 # define EXIM_HAVE_OPENSSL_CHECKHOST
75 # define EXIM_HAVE_OPENSSL_DH_BITS
76 # define EXIM_HAVE_OPENSSL_TLS_METHOD
77 # define EXIM_HAVE_OPENSSL_KEYLOG
78 # define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
79 # define EXIM_HAVE_SESSION_TICKET
80 # define EXIM_HAVE_OPESSL_TRACE
81 # define EXIM_HAVE_OPESSL_GET0_SERIAL
82 # define EXIM_HAVE_OPESSL_OCSP_RESP_GET0_CERTS
83 # define EXIM_HAVE_SSL_GET0_VERIFIED_CHAIN
85 # define EXIM_HAVE_OCSP
87 # define EXIM_HAVE_ALPN /* fail ret from hshake-cb is ignored by LibreSSL */
89 # define EXIM_NEED_OPENSSL_INIT
91 # if OPENSSL_VERSION_NUMBER >= 0x010000000L \
92 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
93 # define EXIM_HAVE_OPENSSL_CHECKHOST
97 #if LIBRESSL_VERSION_NUMBER >= 0x3040000fL
98 # define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
101 #if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x030000000L)
102 # define EXIM_HAVE_EXPORT_CHNL_BNGNG
103 # define EXIM_HAVE_OPENSSL_X509_STORE_GET1_ALL_CERTS
106 #if !defined(LIBRESSL_VERSION_NUMBER) \
107 || LIBRESSL_VERSION_NUMBER >= 0x20010000L
108 # if !defined(OPENSSL_NO_ECDH)
109 # if OPENSSL_VERSION_NUMBER >= 0x0090800fL
110 # define EXIM_HAVE_ECDH
112 # if OPENSSL_VERSION_NUMBER >= 0x10002000L
113 # define EXIM_HAVE_OPENSSL_EC_NIST2NID
118 #ifndef LIBRESSL_VERSION_NUMBER
119 # if OPENSSL_VERSION_NUMBER >= 0x010101000L
120 # define OPENSSL_HAVE_KEYLOG_CB
121 # define OPENSSL_HAVE_NUM_TICKETS
122 # define EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
123 # define EXIM_HAVE_EXP_CHNL_BNGNG
124 # define EXIM_HAVE_OPENSSL_OCSP_RESP_GET0_SIGNER
126 # define OPENSSL_BAD_SRVR_OURCERT
130 #if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x010002000L)
131 # define EXIM_HAVE_EXPORT_CHNL_BNGNG
134 #if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
135 # warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
136 # define DISABLE_OCSP
139 #ifndef DISABLE_TLS_RESUME
140 # if OPENSSL_VERSION_NUMBER < 0x0101010L
141 # error OpenSSL version too old for session-resumption
145 #ifdef EXIM_HAVE_OPENSSL_CHECKHOST
146 # include <openssl/x509v3.h>
149 #ifndef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
150 # ifndef EXIM_HAVE_OPENSSL_CIPHER_GET_ID
151 # define SSL_CIPHER_get_id(c) (c->id)
153 # ifndef MACRO_PREDEF
154 # include "tls-cipher-stdname.c"
158 #define TESTSUITE_TICKET_LIFE 10 /* seconds */
159 /*************************************************
160 * OpenSSL option parse *
161 *************************************************/
163 typedef struct exim_openssl_option {
166 } exim_openssl_option;
167 /* We could use a macro to expand, but we need the ifdef and not all the
168 options document which version they were introduced in. Policylet: include
169 all options unless explicitly for DTLS, let the administrator choose which
172 This list is current as of:
175 XXX could we autobuild this list, as with predefined-macros?
176 Seems just parsing ssl.h for SSL_OP_.* would be enough (except to exclude DTLS).
177 Also allow a numeric literal?
179 static exim_openssl_option exim_openssl_options[] = {
180 /* KEEP SORTED ALPHABETICALLY! */
182 { US"all", (long) SSL_OP_ALL },
184 #ifdef SSL_OP_ALLOW_NO_DHE_KEX
185 { US"allow_no_dhe_kex", SSL_OP_ALLOW_NO_DHE_KEX },
187 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
188 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
190 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
191 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
193 #ifdef SSL_OP_CRYPTOPRO_TLSEXT_BUG
194 { US"cryptopro_tlsext_bug", SSL_OP_CRYPTOPRO_TLSEXT_BUG },
196 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
197 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
199 #ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT
200 { US"enable_middlebox_compat", SSL_OP_ENABLE_MIDDLEBOX_COMPAT },
202 #ifdef SSL_OP_EPHEMERAL_RSA
203 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
205 #ifdef SSL_OP_LEGACY_SERVER_CONNECT
206 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
208 #ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
209 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
211 #ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
212 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
214 #ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
215 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
217 #ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
218 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
220 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
221 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
223 #ifdef SSL_OP_NO_ANTI_REPLAY
224 { US"no_anti_replay", SSL_OP_NO_ANTI_REPLAY },
226 #ifdef SSL_OP_NO_COMPRESSION
227 { US"no_compression", SSL_OP_NO_COMPRESSION },
229 #ifdef SSL_OP_NO_ENCRYPT_THEN_MAC
230 { US"no_encrypt_then_mac", SSL_OP_NO_ENCRYPT_THEN_MAC },
232 #ifdef SSL_OP_NO_RENEGOTIATION
233 { US"no_renegotiation", SSL_OP_NO_RENEGOTIATION },
235 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
236 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
238 #ifdef SSL_OP_NO_SSLv2
239 { US"no_sslv2", SSL_OP_NO_SSLv2 },
241 #ifdef SSL_OP_NO_SSLv3
242 { US"no_sslv3", SSL_OP_NO_SSLv3 },
244 #ifdef SSL_OP_NO_TICKET
245 { US"no_ticket", SSL_OP_NO_TICKET },
247 #ifdef SSL_OP_NO_TLSv1
248 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
250 #ifdef SSL_OP_NO_TLSv1_1
251 # if OPENSSL_VERSION_NUMBER < 0x30000000L
252 # if SSL_OP_NO_TLSv1_1 == 0x00000400L
253 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
254 # warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
255 # define NO_SSL_OP_NO_TLSv1_1
258 # ifndef NO_SSL_OP_NO_TLSv1_1
259 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
262 #ifdef SSL_OP_NO_TLSv1_2
263 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
265 #ifdef SSL_OP_NO_TLSv1_3
266 { US"no_tlsv1_3", SSL_OP_NO_TLSv1_3 },
268 #ifdef SSL_OP_PRIORITIZE_CHACHA
269 { US"prioritize_chacha", SSL_OP_PRIORITIZE_CHACHA },
271 #ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
272 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
274 #ifdef SSL_OP_SINGLE_DH_USE
275 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
277 #ifdef SSL_OP_SINGLE_ECDH_USE
278 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
280 #ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
281 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
283 #ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
284 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
286 #ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
287 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
289 #ifdef SSL_OP_TLS_D5_BUG
290 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
292 #ifdef SSL_OP_TLS_ROLLBACK_BUG
293 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
295 #ifdef SSL_OP_TLSEXT_PADDING
296 { US"tlsext_padding", SSL_OP_TLSEXT_PADDING },
301 static int exim_openssl_options_size = nelem(exim_openssl_options);
302 static long init_options = 0;
311 for (struct exim_openssl_option * o = exim_openssl_options;
312 o < exim_openssl_options + nelem(exim_openssl_options); o++)
314 /* Trailing X is workaround for problem with _OPT_OPENSSL_NO_TLSV1
315 being a ".ifdef _OPT_OPENSSL_NO_TLSV1_3" match */
317 spf(buf, sizeof(buf), US"_OPT_OPENSSL_%T_X", o->name);
318 builtin_macro_create(buf);
321 # ifndef DISABLE_TLS_RESUME
322 builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
324 # ifdef SSL_OP_NO_TLSv1_3
325 builtin_macro_create(US"_HAVE_TLS1_3");
327 # ifdef OPENSSL_BAD_SRVR_OURCERT
328 builtin_macro_create(US"_TLS_BAD_MULTICERT_IN_OURCERT");
330 # ifdef EXIM_HAVE_OCSP
331 builtin_macro_create(US"_HAVE_TLS_OCSP");
332 builtin_macro_create(US"_HAVE_TLS_OCSP_LIST");
334 # ifdef EXIM_HAVE_ALPN
335 builtin_macro_create(US"_HAVE_TLS_ALPN");
340 /******************************************************************************/
342 /* Structure for collecting random data for seeding. */
344 typedef struct randstuff {
349 /* Local static variables */
351 static BOOL client_verify_callback_called = FALSE;
352 static BOOL server_verify_callback_called = FALSE;
353 static const uschar *sid_ctx = US"exim";
355 /* We have three different contexts to care about.
357 Simple case: client, `client_ctx`
358 As a client, we can be doing a callout or cut-through delivery while receiving
359 a message. So we have a client context, which should have options initialised
360 from the SMTP Transport. We may also concurrently want to make TLS connections
361 to utility daemons, so client-contexts are allocated and passed around in call
362 args rather than using a gobal.
365 There are two cases: with and without ServerNameIndication from the client.
366 Given TLS SNI, we can be using different keys, certs and various other
367 configuration settings, because they're re-expanded with $tls_sni set. This
368 allows vhosting with TLS. This SNI is sent in the handshake.
369 A client might not send SNI, so we need a fallback, and an initial setup too.
370 So as a server, we start out using `server_ctx`.
371 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
372 `server_sni` from `server_ctx` and then initialise settings by re-expanding
380 } exim_openssl_client_tls_ctx;
383 /* static SSL_CTX *server_ctx = NULL; */
384 /* static SSL *server_ssl = NULL; */
386 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
387 static SSL_CTX *server_sni = NULL;
389 #ifdef EXIM_HAVE_ALPN
390 static BOOL server_seen_alpn = FALSE;
393 static char ssl_errstring[256];
395 static int ssl_session_timeout = 7200; /* Two hours */
396 static BOOL client_verify_optional = FALSE;
397 static BOOL server_verify_optional = FALSE;
399 static BOOL reexpand_tls_files_for_sni = FALSE;
402 typedef struct ocsp_resp {
403 struct ocsp_resp * next;
404 OCSP_RESPONSE * resp;
407 typedef struct exim_openssl_state {
408 exim_tlslib_state lib_state;
409 #define lib_ctx libdata0
410 #define lib_ssl libdata1
413 uschar * certificate;
420 const uschar *file_expanded;
421 ocsp_resplist *olist;
422 STACK_OF(X509) *verify_stack; /* chain for verifying the proof */
425 X509_STORE *verify_store; /* non-null if status requested */
426 uschar *verify_errstr; /* only if _required */
427 BOOL verify_required;
432 /* these are cached from first expand */
433 uschar * server_cipher_list;
434 /* only passed down to tls_error: */
436 const uschar * verify_cert_hostnames;
437 #ifndef DISABLE_EVENT
438 uschar * event_action;
440 } exim_openssl_state_st;
442 /* should figure out a cleanup of API to handle state preserved per
443 implementation, for various reasons, which can be void * in the APIs.
444 For now, we hack around it. */
445 exim_openssl_state_st *client_static_state = NULL; /*XXX should not use static; multiple concurrent clients! */
446 exim_openssl_state_st state_server = {.is_server = TRUE};
449 setup_certs(SSL_CTX * sctx, uschar ** certs, uschar * crl, host_item * host,
454 static int tls_server_stapling_cb(SSL *s, void *arg);
455 static void x509_stack_dump_cert_s_names(const STACK_OF(X509) * sk);
456 static void x509_store_dump_cert_s_names(X509_STORE * store);
461 /* Daemon-called, before every connection, key create/rotate */
462 #ifndef DISABLE_TLS_RESUME
463 static void tk_init(void);
464 static int tls_exdata_idx = -1;
468 tls_per_lib_daemon_tick(void)
470 #ifndef DISABLE_TLS_RESUME
475 /* Called once at daemon startup */
478 tls_per_lib_daemon_init(void)
480 tls_daemon_creds_reload();
484 /*************************************************
486 *************************************************/
488 /* Called from lots of places when errors occur before actually starting to do
489 the TLS handshake, that is, while the session is still in clear. Always returns
490 DEFER for a server and FAIL for a client so that most calls can use "return
491 tls_error(...)" to do this processing and then give an appropriate return. A
492 single function is used for both server and client, because it is called from
493 some shared functions.
496 prefix text to include in the logged error
497 host NULL if setting up a server;
498 the connected host if setting up a client
499 msg error message or NULL if we should ask OpenSSL
500 errstr pointer to output error message
502 Returns: OK/DEFER/FAIL
506 tls_error(uschar * prefix, const host_item * host, uschar * msg, uschar ** errstr)
510 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
511 msg = US ssl_errstring;
514 msg = string_sprintf("(%s): %s", prefix, msg);
515 DEBUG(D_tls) debug_printf("TLS error '%s'\n", msg);
516 if (errstr) *errstr = msg;
517 return host ? FAIL : DEFER;
522 /**************************************************
523 * General library initalisation *
524 **************************************************/
527 lib_rand_init(void * addr)
530 if (!RAND_status()) return TRUE;
532 gettimeofday(&r.tv, NULL);
534 RAND_seed(US (&r), sizeof(r));
535 RAND_seed(US big_buffer, big_buffer_size);
536 if (addr) RAND_seed(US addr, sizeof(addr));
538 return RAND_status();
543 tls_openssl_init(void)
545 static BOOL once = FALSE;
549 #ifdef EXIM_NEED_OPENSSL_INIT
550 SSL_load_error_strings(); /* basic set up */
551 OpenSSL_add_ssl_algorithms();
554 #if defined(EXIM_HAVE_SHA256) && !defined(OPENSSL_AUTO_SHA256)
555 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
556 list of available digests. */
557 EVP_add_digest(EVP_sha256());
560 (void) lib_rand_init(NULL);
561 (void) tls_openssl_options_parse(openssl_options, &init_options);
566 /*************************************************
567 * Initialize for DH *
568 *************************************************/
570 /* If dhparam is set, expand it, and load up the parameters for DH encryption.
574 sctx The current SSL CTX (inbound or outbound)
575 dhparam DH parameter file or fixed parameter identity string
576 errstr error string pointer
578 Returns: TRUE if OK (nothing to set up, or setup worked)
582 init_dh(SSL_CTX * sctx, uschar * dhparam, uschar ** errstr)
585 #if OPENSSL_VERSION_NUMBER < 0x30000000L
594 if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded, errstr))
597 if (!dhexpanded || !*dhexpanded)
598 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
599 else if (dhexpanded[0] == '/')
601 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
603 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
604 NULL, US strerror(errno), errstr);
610 if (Ustrcmp(dhexpanded, "none") == 0)
612 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
616 if (!(pem = std_dh_prime_named(dhexpanded)))
618 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
619 NULL, US strerror(errno), errstr);
622 bio = BIO_new_mem_buf(CS pem, -1);
626 #if OPENSSL_VERSION_NUMBER < 0x30000000L
627 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)
629 pkey = PEM_read_bio_Parameters_ex(bio, NULL, NULL, NULL)
634 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
639 /* note: our default limit of 2236 is not a multiple of 8; the limit comes from
640 an NSS limit, and the GnuTLS APIs handle bit-sizes fine, so we went with 2236.
641 But older OpenSSL can only report in bytes (octets), not bits. If someone wants
642 to dance at the edge, then they can raise the limit or use current libraries. */
644 #if OPENSSL_VERSION_NUMBER < 0x30000000L
645 # ifdef EXIM_HAVE_OPENSSL_DH_BITS
646 /* Added in commit 26c79d5641d; `git describe --contains` says OpenSSL_1_1_0-pre1~1022
647 This predates OpenSSL_1_1_0 (before a, b, ...) so is in all 1.1.0 */
648 dh_bitsize = DH_bits(dh);
650 dh_bitsize = 8 * DH_size(dh);
653 dh_bitsize = EVP_PKEY_get_bits(pkey);
656 /* Even if it is larger, we silently return success rather than cause things to
657 fail out, so that a too-large DH will not knock out all TLS; it's a debatable
658 choice. Likewise for a failing attempt to set one. */
660 if (dh_bitsize <= tls_dh_max_bits)
663 #if OPENSSL_VERSION_NUMBER < 0x30000000L
664 SSL_CTX_set_tmp_dh(sctx, dh)
666 SSL_CTX_set0_tmp_dh_pkey(sctx, pkey)
670 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
671 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (D-H param setting '%s'): %s",
672 dhexpanded ? dhexpanded : US"default", ssl_errstring);
673 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
674 /* EVP_PKEY_free(pkey); crashes */
679 debug_printf(" Diffie-Hellman initialized from %s with %d-bit prime\n",
680 dhexpanded ? dhexpanded : US"default", dh_bitsize);
684 debug_printf(" dhparams '%s' %d bits, is > tls_dh_max_bits limit of %d\n",
685 dhexpanded ? dhexpanded : US"default", dh_bitsize, tls_dh_max_bits);
687 #if OPENSSL_VERSION_NUMBER < 0x30000000L
690 /* The EVP_PKEY ownership stays with the ctx; do not free it */
699 /*************************************************
700 * Initialize for ECDH *
701 *************************************************/
703 /* Load parameters for ECDH encryption. Server only.
705 For now, we stick to NIST P-256 because: it's simple and easy to configure;
706 it avoids any patent issues that might bite redistributors; despite events in
707 the news and concerns over curve choices, we're not cryptographers, we're not
708 pretending to be, and this is "good enough" to be better than no support,
709 protecting against most adversaries. Given another year or two, there might
710 be sufficient clarity about a "right" way forward to let us make an informed
711 decision, instead of a knee-jerk reaction.
713 Longer-term, we should look at supporting both various named curves and
714 external files generated with "openssl ecparam", much as we do for init_dh().
715 We should also support "none" as a value, to explicitly avoid initialisation.
720 sctx The current SSL CTX (inbound or outbound)
721 errstr error string pointer
723 Returns: TRUE if OK (nothing to set up, or setup worked)
727 init_ecdh(SSL_CTX * sctx, uschar ** errstr)
729 #ifdef OPENSSL_NO_ECDH
736 # ifndef EXIM_HAVE_ECDH
738 debug_printf(" No OpenSSL API to define ECDH parameters, skipping\n");
742 if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr))
745 /* Is the option deliberately empty? */
747 if (!exp_curve || !*exp_curve)
749 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
750 DEBUG(D_tls) debug_printf( " ECDH OpenSSL 1.0.2+: clearing curves list\n");
751 (void) SSL_CTX_set1_curves(sctx, &nid, 0);
756 /* "auto" needs to be handled carefully.
757 * OpenSSL < 1.0.2: we do not select anything, but fallback to prime256v1
758 * OpenSSL < 1.1.0: we have to call SSL_CTX_set_ecdh_auto
759 * (openssl/ssl.h defines SSL_CTRL_SET_ECDH_AUTO)
760 * OpenSSL >= 1.1.0: we do not set anything, the libray does autoselection
761 * https://github.com/openssl/openssl/commit/fe6ef2472db933f01b59cad82aa925736935984b
763 if (Ustrcmp(exp_curve, "auto") == 0)
765 #if OPENSSL_VERSION_NUMBER < 0x10002000L
766 DEBUG(D_tls) debug_printf(
767 " ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n");
768 exp_curve = US"prime256v1";
770 # if defined SSL_CTRL_SET_ECDH_AUTO
771 DEBUG(D_tls) debug_printf(
772 " ECDH OpenSSL 1.0.2+: temp key parameter settings: autoselection\n");
773 SSL_CTX_set_ecdh_auto(sctx, 1);
776 DEBUG(D_tls) debug_printf(
777 " ECDH OpenSSL 1.1.0+: temp key parameter settings: library default selection\n");
783 if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef
784 # ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
785 && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef
789 uschar * s = string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve);
790 DEBUG(D_tls) debug_printf("TLS error '%s'\n", s);
791 if (errstr) *errstr = s;
795 # if OPENSSL_VERSION_NUMBER < 0x30000000L
798 if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
800 tls_error(US"Unable to create ec curve", NULL, NULL, errstr);
804 /* The "tmp" in the name here refers to setting a temporary key
805 not to the stability of the interface. */
807 if ((rc = SSL_CTX_set_tmp_ecdh(sctx, ecdh)) == 0)
808 tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), NULL, NULL, errstr);
810 DEBUG(D_tls) debug_printf(" ECDH: enabled '%s' curve\n", exp_curve);
814 #else /* v 3.0.0 + */
816 if ((rc = SSL_CTX_set1_groups(sctx, &nid, 1)) == 0)
817 tls_error(string_sprintf("Error enabling '%s' group", exp_curve), NULL, NULL, errstr);
819 DEBUG(D_tls) debug_printf(" ECDH: enabled '%s' group\n", exp_curve);
825 # endif /*EXIM_HAVE_ECDH*/
826 #endif /*OPENSSL_NO_ECDH*/
831 /*************************************************
832 * Expand key and cert file specs *
833 *************************************************/
835 #if OPENSSL_VERSION_NUMBER < 0x30000000L
838 s SSL connection (not used)
842 Returns: pointer to generated key
846 rsa_callback(SSL *s, int export, int keylength)
849 #ifdef EXIM_HAVE_RSA_GENKEY_EX
850 BIGNUM *bn = BN_new();
853 DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
855 # ifdef EXIM_HAVE_RSA_GENKEY_EX
856 if ( !BN_set_word(bn, (unsigned long)RSA_F4)
857 || !(rsa_key = RSA_new())
858 || !RSA_generate_key_ex(rsa_key, keylength, bn, NULL)
861 if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL)))
865 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
866 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
872 #endif /* pre-3.0.0 */
876 /* Create and install a selfsigned certificate, for use in server mode */
877 /*XXX we could arrange to call this during prelo for a null tls_certificate option.
878 The normal cache inval + relo will suffice.
879 Just need a timer for inval. */
882 tls_install_selfsign(SSL_CTX * sctx, uschar ** errstr)
889 DEBUG(D_tls) debug_printf("TLS: generating selfsigned server cert\n");
890 where = US"allocating pkey";
891 if (!(pkey = EVP_PKEY_new()))
894 where = US"allocating cert";
895 if (!(x509 = X509_new()))
898 where = US"generating pkey";
899 #if OPENSSL_VERSION_NUMBER < 0x30000000L
902 if (!(rsa = rsa_callback(NULL, 0, 2048)))
905 where = US"assigning pkey";
906 if (!EVP_PKEY_assign_RSA(pkey, rsa))
910 pkey = EVP_RSA_gen(2048);
913 X509_set_version(x509, 2); /* N+1 - version 3 */
914 ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
915 X509_gmtime_adj(X509_get_notBefore(x509), 0);
916 X509_gmtime_adj(X509_get_notAfter(x509), (long)2 * 60 * 60); /* 2 hour */
917 X509_set_pubkey(x509, pkey);
919 name = X509_get_subject_name(x509);
920 X509_NAME_add_entry_by_txt(name, "C",
921 MBSTRING_ASC, CUS "UK", -1, -1, 0);
922 X509_NAME_add_entry_by_txt(name, "O",
923 MBSTRING_ASC, CUS "Exim Developers", -1, -1, 0);
924 X509_NAME_add_entry_by_txt(name, "CN",
925 MBSTRING_ASC, CUS smtp_active_hostname, -1, -1, 0);
926 X509_set_issuer_name(x509, name);
928 where = US"signing cert";
929 if (!X509_sign(x509, pkey, EVP_md5()))
932 where = US"installing selfsign cert";
933 if (!SSL_CTX_use_certificate(sctx, x509))
936 where = US"installing selfsign key";
937 if (!SSL_CTX_use_PrivateKey(sctx, pkey))
943 (void) tls_error(where, NULL, NULL, errstr);
944 if (x509) X509_free(x509);
945 if (pkey) EVP_PKEY_free(pkey);
955 /*************************************************
956 * Information callback *
957 *************************************************/
959 /* The SSL library functions call this from time to time to indicate what they
960 are doing. We copy the string to the debugging output when TLS debugging has
972 info_callback(SSL * s, int where, int ret)
978 if (where & SSL_ST_CONNECT) g = string_append_listele(g, ',', US"SSL_connect");
979 if (where & SSL_ST_ACCEPT) g = string_append_listele(g, ',', US"SSL_accept");
980 if (where & SSL_CB_LOOP) g = string_append_listele(g, ',', US"state_chg");
981 if (where & SSL_CB_EXIT) g = string_append_listele(g, ',', US"hshake_exit");
982 if (where & SSL_CB_READ) g = string_append_listele(g, ',', US"read");
983 if (where & SSL_CB_WRITE) g = string_append_listele(g, ',', US"write");
984 if (where & SSL_CB_ALERT) g = string_append_listele(g, ',', US"alert");
985 if (where & SSL_CB_HANDSHAKE_START) g = string_append_listele(g, ',', US"hshake_start");
986 if (where & SSL_CB_HANDSHAKE_DONE) g = string_append_listele(g, ',', US"hshake_done");
988 if (where & SSL_CB_LOOP)
989 debug_printf("SSL %s: %s\n", g->s, SSL_state_string_long(s));
990 else if (where & SSL_CB_ALERT)
991 debug_printf("SSL %s %s:%s\n", g->s,
992 SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
993 else if (where & SSL_CB_EXIT)
996 debug_printf("SSL %s: %s in %s\n", g->s,
997 ret == 0 ? "failed" : "error", SSL_state_string_long(s));
999 else if (where & (SSL_CB_HANDSHAKE_START | SSL_CB_HANDSHAKE_DONE))
1000 debug_printf("SSL %s: %s\n", g->s, SSL_state_string_long(s));
1004 #ifdef OPENSSL_HAVE_KEYLOG_CB
1006 keylog_callback(const SSL *ssl, const char *line)
1010 DEBUG(D_tls) debug_printf("%.200s\n", line);
1011 if (!(filename = getenv("SSLKEYLOGFILE"))) return;
1012 if (!(fp = fopen(filename, "a"))) return;
1013 fprintf(fp, "%s\n", line);
1022 #ifndef DISABLE_EVENT
1024 verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
1025 BOOL *calledp, const BOOL *optionalp, const uschar * what)
1031 ev = tlsp == &tls_out ? client_static_state->event_action : event_action;
1034 DEBUG(D_tls) debug_printf("verify_event: %s %d\n", what, depth);
1035 old_cert = tlsp->peercert;
1036 tlsp->peercert = X509_dup(cert);
1037 /* NB we do not bother setting peerdn */
1038 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth), &errno)))
1040 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
1041 "depth=%d cert=%s: %s",
1042 tlsp == &tls_out ? deliver_host_address : sender_host_address,
1043 what, depth, dn, yield);
1047 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
1048 return 1; /* reject (leaving peercert set) */
1050 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
1051 "(host in tls_try_verify_hosts)\n");
1052 tlsp->verify_override = TRUE;
1054 X509_free(tlsp->peercert);
1055 tlsp->peercert = old_cert;
1061 /*************************************************
1062 * Callback for verification *
1063 *************************************************/
1065 /* The SSL library does certificate verification if set up to do so. This
1066 callback has the current yes/no state is in "state". If verification succeeded,
1067 we set the certificate-verified flag. If verification failed, what happens
1068 depends on whether the client is required to present a verifiable certificate
1071 If verification is optional, we change the state to yes, but still log the
1072 verification error. For some reason (it really would help to have proper
1073 documentation of OpenSSL), this callback function then gets called again, this
1074 time with state = 1. We must take care not to set the private verified flag on
1075 the second time through.
1077 Note: this function is not called if the client fails to present a certificate
1078 when asked. We get here only if a certificate has been received. Handling of
1079 optional verification for this case is done when requesting SSL to verify, by
1080 setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
1082 May be called multiple times for different issues with a certificate, even
1083 for a given "depth" in the certificate chain.
1086 preverify_ok current yes/no state as 1/0
1087 x509ctx certificate information.
1088 tlsp per-direction (client vs. server) support data
1089 calledp has-been-called flag
1090 optionalp verification-is-optional flag
1092 Returns: 0 if verification should fail, otherwise 1
1096 verify_callback(int preverify_ok, X509_STORE_CTX * x509ctx,
1097 tls_support * tlsp, BOOL * calledp, BOOL * optionalp)
1099 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
1100 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
1103 if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
1105 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
1106 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
1107 tlsp == &tls_out ? deliver_host_address : sender_host_address);
1110 dn[sizeof(dn)-1] = '\0';
1112 tlsp->verify_override = FALSE;
1113 if (preverify_ok == 0)
1115 uschar * extra = verify_mode ? string_sprintf(" (during %c-verify for [%s])",
1116 *verify_mode, sender_host_address)
1118 log_write(0, LOG_MAIN, "[%s] SSL verify error%s: depth=%d error=%s cert=%s",
1119 tlsp == &tls_out ? deliver_host_address : sender_host_address,
1121 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)), dn);
1125 if (!tlsp->peercert)
1126 tlsp->peercert = X509_dup(cert); /* record failing cert */
1127 return 0; /* reject */
1129 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
1130 "tls_try_verify_hosts)\n");
1131 tlsp->verify_override = TRUE;
1134 else if (depth != 0)
1136 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
1137 #ifndef DISABLE_EVENT
1138 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
1139 return 0; /* reject, with peercert set */
1144 const uschar * verify_cert_hostnames;
1146 if ( tlsp == &tls_out
1147 && ((verify_cert_hostnames = client_static_state->verify_cert_hostnames)))
1148 /* client, wanting hostname check */
1151 #ifdef EXIM_HAVE_OPENSSL_CHECKHOST
1152 # ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
1153 # define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
1155 # ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
1156 # define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
1159 const uschar * list = verify_cert_hostnames;
1162 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
1163 if ((rc = X509_check_host(cert, CCS name, 0,
1164 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
1165 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
1170 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
1171 tlsp == &tls_out ? deliver_host_address : sender_host_address);
1178 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
1181 uschar * extra = verify_mode
1182 ? string_sprintf(" (during %c-verify for [%s])",
1183 *verify_mode, sender_host_address)
1185 log_write(0, LOG_MAIN,
1186 "[%s] SSL verify error%s: certificate name mismatch: DN=\"%s\" H=\"%s\"",
1187 tlsp == &tls_out ? deliver_host_address : sender_host_address,
1188 extra, dn, verify_cert_hostnames);
1192 if (!tlsp->peercert)
1193 tlsp->peercert = X509_dup(cert); /* record failing cert */
1194 return 0; /* reject */
1196 DEBUG(D_tls) debug_printf("SSL verify name failure overridden (host in "
1197 "tls_try_verify_hosts)\n");
1198 tlsp->verify_override = TRUE;
1202 #ifndef DISABLE_EVENT
1203 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
1204 return 0; /* reject, with peercert set */
1207 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
1208 *calledp ? "" : " authenticated", dn);
1212 return 1; /* accept, at least for this level */
1216 verify_callback_client(int preverify_ok, X509_STORE_CTX *x509ctx)
1218 return verify_callback(preverify_ok, x509ctx, &tls_out,
1219 &client_verify_callback_called, &client_verify_optional);
1223 verify_callback_server(int preverify_ok, X509_STORE_CTX *x509ctx)
1225 return verify_callback(preverify_ok, x509ctx, &tls_in,
1226 &server_verify_callback_called, &server_verify_optional);
1232 /* This gets called *by* the dane library verify callback, which interposes
1236 verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
1238 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
1240 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
1241 #ifndef DISABLE_EVENT
1242 BOOL dummy_called, optional = FALSE;
1245 if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
1247 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
1248 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
1249 deliver_host_address);
1252 dn[sizeof(dn)-1] = '\0';
1254 DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
1255 preverify_ok ? "ok":"BAD", depth, dn);
1257 #ifndef DISABLE_EVENT
1258 if (verify_event(&tls_out, cert, depth, dn,
1259 &dummy_called, &optional, US"DANE"))
1260 return 0; /* reject, with peercert set */
1263 if (preverify_ok == 1)
1264 tls_out.dane_verified = TRUE;
1267 int err = X509_STORE_CTX_get_error(x509ctx);
1269 debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
1270 if (err == X509_V_ERR_APPLICATION_VERIFICATION)
1273 return preverify_ok;
1276 #endif /*SUPPORT_DANE*/
1279 #ifndef DISABLE_OCSP
1281 time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
1283 BIO_printf(bp, "\t%s: ", str);
1284 ASN1_GENERALIZEDTIME_print(bp, time);
1288 /*************************************************
1289 * Load OCSP information into state *
1290 *************************************************/
1291 /* Called to load the server OCSP response from the given file into memory, once
1292 caller has determined this is needed. Checks validity. Debugs a message
1295 ASSUMES: single response, for single cert.
1298 state various parts of session state
1299 filename the filename putatively holding an OCSP response
1300 is_pem file is PEM format; otherwise is DER
1304 ocsp_load_response(exim_openssl_state_st * state, const uschar * filename,
1308 OCSP_RESPONSE * resp;
1309 OCSP_BASICRESP * basic_response;
1310 OCSP_SINGLERESP * single_response;
1311 ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
1312 STACK_OF(X509) * sk;
1313 int status, reason, i;
1316 debug_printf("tls_ocsp_file (%s) '%s'\n", is_pem ? "PEM" : "DER", filename);
1318 if (!filename || !*filename) return;
1321 if (!(bio = BIO_new_file(CS filename, "rb")))
1323 log_write(0, LOG_MAIN|LOG_PANIC,
1324 "Failed to open OCSP response file \"%s\": %.100s",
1325 filename, ERR_reason_error_string(ERR_get_error()));
1331 uschar * data, * freep;
1334 if (!PEM_read_bio(bio, &dummy, &dummy, &data, &len))
1336 log_write(0, LOG_MAIN|LOG_PANIC, "Failed to read PEM file \"%s\": %.100s",
1337 filename, ERR_reason_error_string(ERR_get_error()));
1341 resp = d2i_OCSP_RESPONSE(NULL, CUSS &data, len);
1342 OPENSSL_free(freep);
1345 resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
1350 log_write(0, LOG_MAIN|LOG_PANIC, "Error reading OCSP response from \"%s\": %s",
1351 filename, ERR_reason_error_string(ERR_get_error()));
1355 if ((status = OCSP_response_status(resp)) != OCSP_RESPONSE_STATUS_SUCCESSFUL)
1357 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
1358 OCSP_response_status_str(status), status);
1364 BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
1365 OCSP_RESPONSE_print(bp, resp, 0); /* extreme debug: stapling content */
1370 if (!(basic_response = OCSP_response_get1_basic(resp)))
1373 debug_printf("OCSP response parse error: unable to extract basic response.\n");
1377 sk = state->u_ocsp.server.verify_stack; /* set by setup_certs() / chain_from_pem_file() */
1379 /* May need to expose ability to adjust those flags?
1380 OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
1381 OCSP_TRUSTOTHER OCSP_NOINTERN */
1383 /* This does a partial verify (only the signer link, not the whole chain-to-CA)
1384 on the OCSP proof before we load it for serving up; possibly overkill -
1385 just date-checks might be nice enough.
1387 OCSP_basic_verify takes a "store" arg, but does not
1388 use it for the chain verification, when OCSP_NOVERIFY is set.
1389 The content from the wire "basic_response" and a cert-stack "sk" are all
1392 We have a stack, loaded in setup_certs() if tls_verify_certificates
1393 was a file (not a directory, or "system"). It is unfortunate we
1394 cannot used the connection context store, as that would neatly
1395 handle the "system" case too, but there seems to be no library
1396 function for getting a stack from a store.
1397 [ In OpenSSL 1.1 - ? X509_STORE_CTX_get0_chain(ctx) ? ]
1398 [ 3.0.0 - sk = X509_STORE_get1_all_certs(store) ]
1399 We do not free the stack since it could be needed a second time for
1402 Separately we might try to replace using OCSP_basic_verify() - which seems to not
1403 be a public interface into the OpenSSL library (there's no manual entry) -
1404 (in 3.0.0 + is is public)
1405 But what with? We also use OCSP_basic_verify in the client stapling callback.
1406 And there we NEED it; we must verify that status... unless the
1407 library does it for us anyway? */
1409 if ((i = OCSP_basic_verify(basic_response, sk, NULL, OCSP_NOVERIFY)) < 0)
1413 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
1414 debug_printf("OCSP response has bad signature: %s\n", US ssl_errstring);
1419 /* Here's the simplifying assumption: there's only one response, for the
1420 one certificate we use, and nothing for anything else in a chain. If this
1421 proves false, we need to extract a cert id from our issued cert
1422 (tls_certificate) and use that for OCSP_resp_find_status() (which finds the
1423 right cert in the stack and then calls OCSP_single_get0_status()).
1425 I'm hoping to avoid reworking a bunch more of how we handle state here.
1427 XXX that will change when we add support for (TLS1.3) whole-chain stapling
1430 if (!(single_response = OCSP_resp_get0(basic_response, 0)))
1433 debug_printf("Unable to get first response from OCSP basic response.\n");
1437 status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
1438 if (status != V_OCSP_CERTSTATUS_GOOD)
1440 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
1441 OCSP_cert_status_str(status), status,
1442 OCSP_crl_reason_str(reason), reason);
1446 if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1450 BIO * bp = BIO_new(BIO_s_mem());
1453 time_print(bp, "This OCSP Update", thisupd);
1454 if (nextupd) time_print(bp, "Next OCSP Update", nextupd);
1455 if ((len = (int) BIO_get_mem_data(bp, CSS &s)) > 0) debug_printf("%.*s", len, s);
1456 debug_printf("OCSP status invalid times.\n");
1462 /* Add the resp to the list used by tls_server_stapling_cb() */
1464 ocsp_resplist ** op = &state->u_ocsp.server.olist, * oentry;
1465 while (oentry = *op)
1467 *op = oentry = store_get(sizeof(ocsp_resplist), GET_UNTAINTED);
1468 oentry->next = NULL;
1469 oentry->resp = resp;
1474 if (f.running_in_test_harness)
1476 extern char ** environ;
1477 if (environ) for (uschar ** p = USS environ; *p; p++)
1478 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
1480 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
1481 goto supply_response;
1489 ocsp_free_response_list(exim_openssl_state_st * state)
1491 for (ocsp_resplist * olist = state->u_ocsp.server.olist; olist;
1492 olist = olist->next)
1493 OCSP_RESPONSE_free(olist->resp);
1494 state->u_ocsp.server.olist = NULL;
1496 #endif /*!DISABLE_OCSP*/
1503 tls_add_certfile(SSL_CTX * sctx, exim_openssl_state_st * cbinfo, uschar * file,
1506 DEBUG(D_tls) debug_printf("tls_certificate file '%s'\n", file);
1507 if (!SSL_CTX_use_certificate_chain_file(sctx, CS file))
1508 return tls_error(string_sprintf(
1509 "SSL_CTX_use_certificate_chain_file file=%s", file),
1510 cbinfo->host, NULL, errstr);
1515 tls_add_pkeyfile(SSL_CTX * sctx, exim_openssl_state_st * cbinfo, uschar * file,
1518 DEBUG(D_tls) debug_printf("tls_privatekey file '%s'\n", file);
1519 if (!SSL_CTX_use_PrivateKey_file(sctx, CS file, SSL_FILETYPE_PEM))
1520 return tls_error(string_sprintf(
1521 "SSL_CTX_use_PrivateKey_file file=%s", file), cbinfo->host, NULL, errstr);
1528 /* Called once during tls_init and possibly again during TLS setup, for a
1529 new context, if Server Name Indication was used and tls_sni was seen in
1530 the certificate string.
1533 sctx the SSL_CTX* to update
1534 state various parts of session state
1535 errstr error string pointer
1537 Returns: OK/DEFER/FAIL
1541 tls_expand_session_files(SSL_CTX * sctx, exim_openssl_state_st * state,
1546 if (!state->certificate)
1548 if (!state->is_server) /* client */
1551 if (tls_install_selfsign(sctx, errstr) != OK)
1558 if ( !reexpand_tls_files_for_sni
1559 && ( Ustrstr(state->certificate, US"tls_sni")
1560 || Ustrstr(state->certificate, US"tls_in_sni")
1561 || Ustrstr(state->certificate, US"tls_out_sni")
1563 reexpand_tls_files_for_sni = TRUE;
1565 if ( !expand_check(state->certificate, US"tls_certificate", &expanded, errstr)
1566 || f.expand_string_forcedfail)
1568 if (f.expand_string_forcedfail)
1569 *errstr = US"expansion of tls_certificate failed";
1574 if (state->is_server)
1576 const uschar * file_list = expanded;
1579 #ifndef DISABLE_OCSP
1580 const uschar * olist = state->u_ocsp.server.file;
1583 BOOL fmt_pem = FALSE;
1586 if (!expand_check(olist, US"tls_ocsp_file", USS &olist, errstr))
1588 if (olist && !*olist)
1591 /* If doing a re-expand after SNI, avoid reloading the OCSP
1592 responses when the list of filenames has not changed.
1593 The creds-invali on content change wipes file_expanded, so that
1594 always reloads here. */
1596 if ( state->u_ocsp.server.file_expanded && olist
1597 && (Ustrcmp(olist, state->u_ocsp.server.file_expanded) == 0))
1599 DEBUG(D_tls) debug_printf(" - value unchanged, using existing values\n");
1604 ocsp_free_response_list(state);
1605 state->u_ocsp.server.file_expanded = olist;
1609 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1611 if ((err = tls_add_certfile(sctx, state, file, errstr)))
1614 #ifndef DISABLE_OCSP
1616 if ((ofile = string_nextinlist(&olist, &osep, NULL, 0)))
1618 if (Ustrncmp(ofile, US"PEM ", 4) == 0)
1623 else if (Ustrncmp(ofile, US"DER ", 4) == 0)
1628 ocsp_load_response(state, ofile, fmt_pem);
1631 DEBUG(D_tls) debug_printf("ran out of ocsp file list\n");
1635 else /* would there ever be a need for multiple client certs? */
1636 if ((err = tls_add_certfile(sctx, state, expanded, errstr)))
1639 if ( state->privatekey
1640 && !expand_check(state->privatekey, US"tls_privatekey", &expanded, errstr)
1641 || f.expand_string_forcedfail)
1643 if (f.expand_string_forcedfail)
1644 *errstr = US"expansion of tls_privatekey failed";
1648 /* If expansion was forced to fail, key_expanded will be NULL. If the result
1649 of the expansion is an empty string, ignore it also, and assume the private
1650 key is in the same file as the certificate. */
1652 if (expanded && *expanded)
1653 if (state->is_server)
1655 const uschar * file_list = expanded;
1659 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1660 if ((err = tls_add_pkeyfile(sctx, state, file, errstr)))
1663 else /* would there ever be a need for multiple client certs? */
1664 if ((err = tls_add_pkeyfile(sctx, state, expanded, errstr)))
1674 /**************************************************
1675 * One-time init credentials for server and client *
1676 **************************************************/
1679 normalise_ciphers(uschar ** ciphers, const uschar * pre_expansion_ciphers)
1681 uschar * s = *ciphers;
1683 if (!s || !Ustrchr(s, '_')) return; /* no change needed */
1685 if (s == pre_expansion_ciphers)
1686 s = string_copy(s); /* get writable copy */
1688 for (uschar * t = s; *t; t++) if (*t == '_') *t = '-';
1693 server_load_ciphers(SSL_CTX * ctx, exim_openssl_state_st * state,
1694 uschar * ciphers, uschar ** errstr)
1696 DEBUG(D_tls) debug_printf("required ciphers: %s\n", ciphers);
1697 if (!SSL_CTX_set_cipher_list(ctx, CS ciphers))
1698 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL, errstr);
1699 state->server_cipher_list = ciphers;
1706 lib_ctx_new(SSL_CTX ** ctxp, host_item * host, uschar ** errstr)
1709 #ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1710 if (!(ctx = SSL_CTX_new(host ? TLS_client_method() : TLS_server_method())))
1712 if (!(ctx = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method())))
1714 return tls_error(US"SSL_CTX_new", host, NULL, errstr);
1716 /* Set up the information callback, which outputs if debugging is at a suitable
1721 SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
1722 #if defined(EXIM_HAVE_OPESSL_TRACE) && !defined(OPENSSL_NO_SSL_TRACE)
1723 /* this needs a debug build of OpenSSL */
1724 SSL_CTX_set_msg_callback(ctx, (void (*)())SSL_trace);
1726 #ifdef OPENSSL_HAVE_KEYLOG_CB
1727 SSL_CTX_set_keylog_callback(ctx, (void (*)())keylog_callback);
1731 /* Automatically re-try reads/writes after renegotiation. */
1732 (void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
1739 tls_server_creds_init(void)
1742 uschar * dummy_errstr;
1743 unsigned lifetime = 0;
1747 state_server.lib_state = null_tls_preload;
1749 if (lib_ctx_new(&ctx, NULL, &dummy_errstr) != OK)
1751 state_server.lib_state.lib_ctx = ctx;
1753 /* Preload DH params and EC curve */
1755 if (opt_unset_or_noexpand(tls_dhparam))
1757 DEBUG(D_tls) debug_printf("TLS: preloading DH params '%s' for server\n", tls_dhparam);
1758 if (init_dh(ctx, tls_dhparam, &dummy_errstr))
1759 state_server.lib_state.dh = TRUE;
1762 DEBUG(D_tls) debug_printf("TLS: not preloading DH params for server\n");
1763 if (opt_unset_or_noexpand(tls_eccurve))
1765 DEBUG(D_tls) debug_printf("TLS: preloading ECDH curve '%s' for server\n", tls_eccurve);
1766 if (init_ecdh(ctx, &dummy_errstr))
1767 state_server.lib_state.ecdh = TRUE;
1770 DEBUG(D_tls) debug_printf("TLS: not preloading ECDH curve for server\n");
1772 #if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
1773 /* If we can, preload the Authorities for checking client certs against.
1774 Actual choice to do verify is made (tls_{,try_}verify_hosts)
1775 at TLS conn startup.
1776 Do this before the server ocsp so that its info can verify the ocsp. */
1778 if ( opt_set_and_noexpand(tls_verify_certificates)
1779 && opt_unset_or_noexpand(tls_crl))
1781 /* Watch the default dir also as they are always included */
1783 if ( tls_set_watch(CUS X509_get_default_cert_file(), FALSE)
1784 && tls_set_watch(tls_verify_certificates, FALSE)
1785 && tls_set_watch(tls_crl, FALSE))
1787 uschar * v_certs = tls_verify_certificates;
1788 DEBUG(D_tls) debug_printf("TLS: preloading CA bundle for server\n");
1790 if (setup_certs(ctx, &v_certs, tls_crl, NULL, &dummy_errstr) == OK)
1791 state_server.lib_state.cabundle = TRUE;
1793 /* If we can, preload the server-side cert, key and ocsp */
1795 if ( opt_set_and_noexpand(tls_certificate)
1796 # ifndef DISABLE_OCSP
1797 && opt_unset_or_noexpand(tls_ocsp_file)
1799 && opt_unset_or_noexpand(tls_privatekey))
1801 /* Set watches on the filenames. The implementation does de-duplication
1802 so we can just blindly do them all. */
1804 if ( tls_set_watch(tls_certificate, TRUE)
1805 # ifndef DISABLE_OCSP
1806 && tls_set_watch(tls_ocsp_file, TRUE)
1808 && tls_set_watch(tls_privatekey, TRUE))
1810 state_server.certificate = tls_certificate;
1811 state_server.privatekey = tls_privatekey;
1812 #ifndef DISABLE_OCSP
1813 state_server.u_ocsp.server.file = tls_ocsp_file;
1816 DEBUG(D_tls) debug_printf("TLS: preloading server certs\n");
1817 if (tls_expand_session_files(ctx, &state_server, &dummy_errstr) == OK)
1818 state_server.lib_state.conn_certs = TRUE;
1821 else if ( !tls_certificate && !tls_privatekey
1822 # ifndef DISABLE_OCSP
1826 { /* Generate & preload a selfsigned cert. No files to watch. */
1827 if (tls_expand_session_files(ctx, &state_server, &dummy_errstr) == OK)
1829 state_server.lib_state.conn_certs = TRUE;
1830 lifetime = f.running_in_test_harness ? 2 : 60 * 60; /* 1 hour */
1834 DEBUG(D_tls) debug_printf("TLS: not preloading server certs\n");
1838 DEBUG(D_tls) debug_printf("TLS: not preloading CA bundle for server\n");
1841 #endif /* EXIM_HAVE_INOTIFY */
1844 /* If we can, preload the ciphers control string */
1846 if (opt_set_and_noexpand(tls_require_ciphers))
1848 DEBUG(D_tls) debug_printf("TLS: preloading cipher list for server\n");
1849 normalise_ciphers(&tls_require_ciphers, tls_require_ciphers);
1850 if (server_load_ciphers(ctx, &state_server, tls_require_ciphers,
1851 &dummy_errstr) == OK)
1852 state_server.lib_state.pri_string = TRUE;
1855 DEBUG(D_tls) debug_printf("TLS: not preloading cipher list for server\n");
1862 /* Preload whatever creds are static, onto a transport. The client can then
1863 just copy the pointer as it starts up.
1864 Called from the daemon after a cache-invalidate with watch set; called from
1865 a queue-run startup with watch clear. */
1868 tls_client_creds_init(transport_instance * t, BOOL watch)
1870 smtp_transport_options_block * ob = t->options_block;
1871 exim_openssl_state_st tpt_dummy_state;
1872 host_item * dummy_host = (host_item *)1;
1873 uschar * dummy_errstr;
1878 ob->tls_preload = null_tls_preload;
1879 if (lib_ctx_new(&ctx, dummy_host, &dummy_errstr) != OK)
1881 ob->tls_preload.lib_ctx = ctx;
1883 tpt_dummy_state.lib_state = ob->tls_preload;
1885 #if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
1886 if ( opt_set_and_noexpand(ob->tls_certificate)
1887 && opt_unset_or_noexpand(ob->tls_privatekey))
1890 || ( tls_set_watch(ob->tls_certificate, FALSE)
1891 && tls_set_watch(ob->tls_privatekey, FALSE)
1894 uschar * pkey = ob->tls_privatekey;
1897 debug_printf("TLS: preloading client certs for transport '%s'\n",t->name);
1899 if ( tls_add_certfile(ctx, &tpt_dummy_state, ob->tls_certificate,
1901 && tls_add_pkeyfile(ctx, &tpt_dummy_state,
1902 pkey ? pkey : ob->tls_certificate,
1905 ob->tls_preload.conn_certs = TRUE;
1910 debug_printf("TLS: not preloading client certs, for transport '%s'\n", t->name);
1913 if ( opt_set_and_noexpand(ob->tls_verify_certificates)
1914 && opt_unset_or_noexpand(ob->tls_crl))
1917 || tls_set_watch(CUS X509_get_default_cert_file(), FALSE)
1918 && tls_set_watch(ob->tls_verify_certificates, FALSE)
1919 && tls_set_watch(ob->tls_crl, FALSE)
1922 uschar * v_certs = ob->tls_verify_certificates;
1924 debug_printf("TLS: preloading CA bundle for transport '%s'\n", t->name);
1926 if (setup_certs(ctx, &v_certs,
1927 ob->tls_crl, dummy_host, &dummy_errstr) == OK)
1928 ob->tls_preload.cabundle = TRUE;
1933 debug_printf("TLS: not preloading CA bundle, for transport '%s'\n", t->name);
1935 #endif /*EXIM_HAVE_INOTIFY*/
1939 #if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
1940 /* Invalidate the creds cached, by dropping the current ones.
1941 Call when we notice one of the source files has changed. */
1944 tls_server_creds_invalidate(void)
1946 SSL_CTX_free(state_server.lib_state.lib_ctx);
1947 state_server.lib_state = null_tls_preload;
1948 #ifndef DISABLE_OCSP
1949 state_server.u_ocsp.server.file_expanded = NULL;
1955 tls_client_creds_invalidate(transport_instance * t)
1957 smtp_transport_options_block * ob = t->options_block;
1958 SSL_CTX_free(ob->tls_preload.lib_ctx);
1959 ob->tls_preload = null_tls_preload;
1965 tls_server_creds_invalidate(void)
1969 tls_client_creds_invalidate(transport_instance * t)
1972 #endif /*EXIM_HAVE_INOTIFY*/
1977 #ifndef DISABLE_OCSP
1979 debug_print_sn(const X509 * cert)
1981 X509_NAME * sn = X509_get_subject_name((X509 *)cert);
1982 static uschar name[256];
1983 if (X509_NAME_oneline(sn, CS name, sizeof(name)))
1985 name[sizeof(name)-1] = '\0';
1986 debug_printf(" %s\n", name);
1991 x509_stack_dump_cert_s_names(const STACK_OF(X509) * sk)
1994 debug_printf(" (null)\n");
1997 int idx = sk_X509_num(sk);
1999 debug_printf(" (empty)\n");
2001 while (--idx >= 0) debug_print_sn(sk_X509_value(sk, idx));
2006 x509_store_dump_cert_s_names(X509_STORE * store)
2008 # ifdef EXIM_HAVE_OPENSSL_X509_STORE_GET1_ALL_CERTS
2010 debug_printf(" (no store)\n");
2013 STACK_OF(X509) * sk = X509_STORE_get1_all_certs(store);
2014 x509_stack_dump_cert_s_names(sk);
2015 sk_X509_pop_free(sk, X509_free);
2019 #endif /*!DISABLE_OCSP*/
2024 #ifndef DISABLE_TLS_RESUME
2025 /* Manage the keysets used for encrypting the session tickets, on the server. */
2027 typedef struct { /* Session ticket encryption key */
2030 const EVP_CIPHER * aes_cipher;
2031 uschar aes_key[32]; /* size needed depends on cipher. aes_128 implies 128/8 = 16? */
2032 # if OPENSSL_VERSION_NUMBER < 0x30000000L
2033 const EVP_MD * hmac_hash;
2035 const uschar * hmac_hashname;
2037 uschar hmac_key[16];
2042 static exim_stek exim_tk; /* current key */
2043 static exim_stek exim_tk_old; /* previous key */
2048 time_t t = time(NULL);
2050 if (exim_tk.name[0])
2052 if (exim_tk.renew >= t) return;
2053 exim_tk_old = exim_tk;
2056 if (f.running_in_test_harness) ssl_session_timeout = TESTSUITE_TICKET_LIFE;
2058 DEBUG(D_tls) debug_printf("OpenSSL: %s STEK\n", exim_tk.name[0] ? "rotating" : "creating");
2059 if (RAND_bytes(exim_tk.aes_key, sizeof(exim_tk.aes_key)) <= 0) return;
2060 if (RAND_bytes(exim_tk.hmac_key, sizeof(exim_tk.hmac_key)) <= 0) return;
2061 if (RAND_bytes(exim_tk.name+1, sizeof(exim_tk.name)-1) <= 0) return;
2063 exim_tk.name[0] = 'E';
2064 exim_tk.aes_cipher = EVP_aes_256_cbc();
2065 # if OPENSSL_VERSION_NUMBER < 0x30000000L
2066 exim_tk.hmac_hash = EVP_sha256();
2068 exim_tk.hmac_hashname = US "sha256";
2070 exim_tk.expire = t + ssl_session_timeout;
2071 exim_tk.renew = t + ssl_session_timeout/2;
2077 if (!exim_tk.name[0]) return NULL;
2082 tk_find(const uschar * name)
2084 return memcmp(name, exim_tk.name, sizeof(exim_tk.name)) == 0 ? &exim_tk
2085 : memcmp(name, exim_tk_old.name, sizeof(exim_tk_old.name)) == 0 ? &exim_tk_old
2092 # if OPENSSL_VERSION_NUMBER < 0x30000000L
2100 /*XXX will want these dependent on the ssl session strength */
2101 # if OPENSSL_VERSION_NUMBER < 0x30000000L
2102 HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
2103 key->hmac_hash, NULL);
2106 OSSL_PARAM params[3];
2107 uschar * hk = string_copy(key->hmac_hashname); /* need nonconst */
2108 params[0] = OSSL_PARAM_construct_octet_string("key", key->hmac_key, sizeof(key->hmac_key));
2109 params[1] = OSSL_PARAM_construct_utf8_string("digest", CS hk, 0);
2110 params[2] = OSSL_PARAM_construct_end();
2111 if (EVP_MAC_CTX_set_params(hctx, params) == 0)
2113 DEBUG(D_tls) debug_printf("EVP_MAC_CTX_set_params: %s\n",
2114 ERR_reason_error_string(ERR_get_error()));
2115 return 0; /* error in mac initialisation */
2122 /* Callback for session tickets, on server */
2124 ticket_key_callback(SSL * ssl, uschar key_name[16],
2125 uschar * iv, EVP_CIPHER_CTX * c_ctx,
2126 # if OPENSSL_VERSION_NUMBER < 0x30000000L
2133 tls_support * tlsp = state_server.tlsp;
2138 DEBUG(D_tls) debug_printf("ticket_key_callback: create new session\n");
2139 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
2141 if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) <= 0)
2142 return -1; /* insufficient random */
2144 if (!(key = tk_current())) /* current key doesn't exist or isn't valid */
2145 return 0; /* key couldn't be created */
2146 memcpy(key_name, key->name, 16);
2147 DEBUG(D_tls) debug_printf("STEK expire " TIME_T_FMT "\n", key->expire - time(NULL));
2149 if (tk_hmac_init(hctx, key) == 0) return 0;
2150 EVP_EncryptInit_ex(c_ctx, key->aes_cipher, NULL, key->aes_key, iv);
2152 DEBUG(D_tls) debug_printf("ticket created\n");
2157 time_t now = time(NULL);
2159 DEBUG(D_tls) debug_printf("ticket_key_callback: retrieve session\n");
2160 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
2162 if (!(key = tk_find(key_name)) || key->expire < now)
2166 debug_printf("ticket not usable (%s)\n", key ? "expired" : "not found");
2167 if (key) debug_printf("STEK expire " TIME_T_FMT "\n", key->expire - now);
2172 if (tk_hmac_init(hctx, key) == 0) return 0;
2173 EVP_DecryptInit_ex(c_ctx, key->aes_cipher, NULL, key->aes_key, iv);
2175 DEBUG(D_tls) debug_printf("ticket usable, STEK expire " TIME_T_FMT "\n", key->expire - now);
2177 /* The ticket lifetime and renewal are the same as the STEK lifetime and
2178 renewal, which is overenthusiastic. A factor of, say, 3x longer STEK would
2179 be better. To do that we'd have to encode ticket lifetime in the name as
2180 we don't yet see the restored session. Could check posthandshake for TLS1.3
2181 and trigger a new ticket then, but cannot do that for TLS1.2 */
2182 return key->renew < now ? 2 : 1;
2185 #endif /* !DISABLE_TLS_RESUME */
2190 setup_cert_verify(SSL_CTX * ctx, BOOL optional,
2191 int (*cert_vfy_cb)(int, X509_STORE_CTX *))
2193 /* If verification is optional, don't fail if no certificate */
2195 SSL_CTX_set_verify(ctx,
2196 SSL_VERIFY_PEER | (optional ? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
2201 /*************************************************
2202 * Callback to handle SNI *
2203 *************************************************/
2205 /* Called when acting as server during the TLS session setup if a Server Name
2206 Indication extension was sent by the client.
2208 API documentation is OpenSSL s_server.c implementation.
2211 s SSL* of the current session
2212 ad unknown (part of OpenSSL API) (unused)
2213 arg Callback of "our" registered data
2215 Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
2217 XXX might need to change to using ClientHello callback,
2218 per https://www.openssl.org/docs/manmaster/man3/SSL_client_hello_cb_fn.html
2221 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
2223 tls_servername_cb(SSL * s, int * ad ARG_UNUSED, void * arg)
2225 const char * servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
2226 exim_openssl_state_st * state = (exim_openssl_state_st *) arg;
2228 int old_pool = store_pool;
2232 return SSL_TLSEXT_ERR_OK;
2234 DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
2235 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
2237 /* Make the extension value available for expansion */
2238 store_pool = POOL_PERM;
2239 tls_in.sni = string_copy_taint(US servername, GET_TAINTED);
2240 store_pool = old_pool;
2242 if (!reexpand_tls_files_for_sni)
2243 return SSL_TLSEXT_ERR_OK;
2245 /* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
2246 not confident that memcpy wouldn't break some internal reference counting.
2247 Especially since there's a references struct member, which would be off. */
2249 if (lib_ctx_new(&server_sni, NULL, &errstr) != OK)
2252 /* Not sure how many of these are actually needed, since SSL object
2253 already exists. Might even need this selfsame callback, for reneg? */
2256 SSL_CTX * ctx = state_server.lib_state.lib_ctx;
2257 SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(ctx));
2258 SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(ctx));
2259 #ifdef OPENSSL_MIN_PROTO_VERSION
2260 SSL_CTX_set_min_proto_version(server_sni, SSL3_VERSION);
2262 SSL_CTX_set_options(server_sni, SSL_CTX_get_options(ctx));
2263 SSL_CTX_clear_options(server_sni, ~SSL_CTX_get_options(ctx));
2264 SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(ctx));
2265 SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
2266 SSL_CTX_set_tlsext_servername_arg(server_sni, state);
2269 if ( !init_dh(server_sni, state->dhparam, &errstr)
2270 || !init_ecdh(server_sni, &errstr)
2274 if ( state->server_cipher_list
2275 && !SSL_CTX_set_cipher_list(server_sni, CS state->server_cipher_list))
2278 #ifndef DISABLE_OCSP
2279 if (state->u_ocsp.server.file)
2281 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
2282 SSL_CTX_set_tlsext_status_arg(server_sni, state);
2287 uschar * v_certs = tls_verify_certificates;
2288 if ((rc = setup_certs(server_sni, &v_certs, tls_crl, NULL,
2292 if (v_certs && *v_certs)
2293 setup_cert_verify(server_sni, FALSE, verify_callback_server);
2296 /* do this after setup_certs, because this can require the certs for verifying
2297 OCSP information. */
2298 if ((rc = tls_expand_session_files(server_sni, state, &errstr)) != OK)
2301 DEBUG(D_tls) debug_printf("Switching SSL context.\n");
2302 SSL_set_SSL_CTX(s, server_sni);
2303 return SSL_TLSEXT_ERR_OK;
2306 log_write(0, LOG_MAIN|LOG_PANIC, "%s", errstr);
2307 return SSL_TLSEXT_ERR_ALERT_FATAL;
2309 #endif /* EXIM_HAVE_OPENSSL_TLSEXT */
2314 #ifdef EXIM_HAVE_ALPN
2315 /*************************************************
2316 * Callback to handle ALPN *
2317 *************************************************/
2319 /* Called on server if tls_alpn nonblank after expansion,
2320 when client offers ALPN, after the SNI callback.
2321 If set and not matching the list then we dump the connection */
2324 tls_server_alpn_cb(SSL *ssl, const uschar ** out, uschar * outlen,
2325 const uschar * in, unsigned int inlen, void * arg)
2329 server_seen_alpn = TRUE;
2332 debug_printf("Received TLS ALPN offer:");
2333 for (int pos = 0, siz; pos < inlen; pos += siz+1)
2336 if (pos + 1 + siz > inlen) siz = inlen - pos - 1;
2337 debug_printf(" '%.*s'", siz, in + pos + 1);
2339 debug_printf(". Our list: '%s'\n", tls_alpn);
2342 /* Look for an acceptable ALPN */
2344 if ( inlen > 1 /* at least one name */
2345 && in[0]+1 == inlen /* filling the vector, so exactly one name */
2348 const uschar * list = tls_alpn;
2350 for (uschar * name; name = string_nextinlist(&list, &sep, NULL, 0); )
2351 if (Ustrncmp(in+1, name, in[0]) == 0)
2353 *out = in+1; /* we checked for exactly one, so can just point to it */
2355 return SSL_TLSEXT_ERR_OK; /* use ALPN */
2359 /* More than one name from client, or name did not match our list. */
2361 /* This will be fatal to the TLS conn; would be nice to kill TCP also.
2362 Maybe as an option in future; for now leave control to the config (must-tls). */
2364 for (int pos = 0, siz; pos < inlen; pos += siz+1)
2367 if (pos + 1 + siz > inlen) siz = inlen - pos - 1;
2368 g = string_append_listele_n(g, ':', in + pos + 1, siz);
2370 log_write(0, LOG_MAIN, "TLS ALPN (%s) rejected", string_from_gstring(g));
2371 gstring_release_unused(g);
2372 return SSL_TLSEXT_ERR_ALERT_FATAL;
2374 #endif /* EXIM_HAVE_ALPN */
2378 #ifndef DISABLE_OCSP
2380 /*************************************************
2381 * Callback to handle OCSP Stapling *
2382 *************************************************/
2384 /* Called when acting as server during the TLS session setup if the client
2385 requests OCSP information with a Certificate Status Request.
2387 Documentation via openssl s_server.c and the Apache patch from the OpenSSL
2393 tls_server_stapling_cb(SSL *s, void *arg)
2395 const exim_openssl_state_st * state = arg;
2396 ocsp_resplist * olist = state->u_ocsp.server.olist;
2397 uschar * response_der; /*XXX blob */
2398 int response_der_len;
2401 debug_printf("Received TLS status request (OCSP stapling); %s response list\n",
2402 olist ? "have" : "lack");
2404 tls_in.ocsp = OCSP_NOT_RESP;
2406 return SSL_TLSEXT_ERR_NOACK;
2408 #ifdef EXIM_HAVE_OPESSL_GET0_SERIAL
2410 const X509 * cert_sent = SSL_get_certificate(s);
2411 const ASN1_INTEGER * cert_serial = X509_get0_serialNumber(cert_sent);
2412 const BIGNUM * cert_bn = ASN1_INTEGER_to_BN(cert_serial, NULL);
2414 for (; olist; olist = olist->next)
2416 OCSP_BASICRESP * bs = OCSP_response_get1_basic(olist->resp);
2417 const OCSP_SINGLERESP * single = OCSP_resp_get0(bs, 0);
2418 const OCSP_CERTID * cid = OCSP_SINGLERESP_get0_id(single);
2419 ASN1_INTEGER * res_cert_serial;
2420 const BIGNUM * resp_bn;
2421 ASN1_OCTET_STRING * res_cert_iNameHash;
2424 (void) OCSP_id_get0_info(&res_cert_iNameHash, NULL, NULL, &res_cert_serial,
2425 (OCSP_CERTID *) cid);
2426 resp_bn = ASN1_INTEGER_to_BN(res_cert_serial, NULL);
2430 debug_printf("cert serial: %s\n", BN_bn2hex(cert_bn));
2431 debug_printf("resp serial: %s\n", BN_bn2hex(resp_bn));
2434 if (BN_cmp(cert_bn, resp_bn) == 0)
2436 DEBUG(D_tls) debug_printf("matched serial for ocsp\n");
2438 /*XXX TODO: check the rest of the list for duplicate matches.
2439 If any, need to also check the Issuer Name hash.
2440 Without this, we will provide the wrong status in the case of
2445 DEBUG(D_tls) debug_printf("not match serial for ocsp\n");
2449 DEBUG(D_tls) debug_printf("failed to find match for ocsp\n");
2450 return SSL_TLSEXT_ERR_NOACK;
2456 DEBUG(D_tls) debug_printf("OpenSSL version too early to support multi-leaf OCSP\n");
2457 return SSL_TLSEXT_ERR_NOACK;
2461 /*XXX could we do the i2d earlier, rather than during the callback? */
2462 response_der = NULL;
2463 response_der_len = i2d_OCSP_RESPONSE(olist->resp, &response_der);
2464 if (response_der_len <= 0)
2465 return SSL_TLSEXT_ERR_NOACK;
2467 SSL_set_tlsext_status_ocsp_resp(state_server.lib_state.lib_ssl,
2468 response_der, response_der_len);
2469 tls_in.ocsp = OCSP_VFIED;
2470 return SSL_TLSEXT_ERR_OK;
2475 add_chain_to_store(X509_STORE * store, STACK_OF(X509) * sk,
2476 const char * debug_text)
2482 debug_printf("chain for %s:\n", debug_text);
2483 x509_stack_dump_cert_s_names(sk);
2486 if ((idx = sk_X509_num(sk)) > 0)
2488 X509_STORE_add_cert(store, sk_X509_value(sk, idx));
2493 tls_client_stapling_cb(SSL * ssl, void * arg)
2495 exim_openssl_state_st * cbinfo = arg;
2496 const unsigned char * p;
2498 OCSP_RESPONSE * rsp;
2499 OCSP_BASICRESP * bs;
2502 DEBUG(D_tls) debug_printf("Received TLS status callback (OCSP stapling):\n");
2503 len = SSL_get_tlsext_status_ocsp_resp(ssl, &p);
2505 { /* Expect this when we requested ocsp but got none */
2506 if (SSL_session_reused(ssl) && tls_out.ocsp == OCSP_VFIED)
2508 DEBUG(D_tls) debug_printf(" null, but resumed; ocsp vfy stored with session is good\n");
2512 if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
2513 log_write(0, LOG_MAIN, "Required TLS certificate status not received");
2515 DEBUG(D_tls) debug_printf(" null\n");
2517 if (!cbinfo->u_ocsp.client.verify_required)
2519 cbinfo->u_ocsp.client.verify_errstr =
2520 US"(SSL_connect) Required TLS certificate status not received";
2524 if (!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
2526 tls_out.ocsp = OCSP_FAILED; /*XXX should use tlsp-> to permit concurrent outbound */
2527 if (LOGGING(tls_cipher))
2528 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
2530 DEBUG(D_tls) debug_printf(" parse error\n");
2534 if (!(bs = OCSP_response_get1_basic(rsp)))
2536 tls_out.ocsp = OCSP_FAILED;
2537 if (LOGGING(tls_cipher))
2538 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
2540 DEBUG(D_tls) debug_printf(" error parsing response\n");
2541 OCSP_RESPONSE_free(rsp);
2545 /* We'd check the nonce here if we'd put one in the request. */
2546 /* However that would defeat cacheability on the server so we don't. */
2548 /* This section of code reworked from OpenSSL apps source;
2549 The OpenSSL Project retains copyright:
2550 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
2554 X509_STORE * verify_store = NULL;
2555 BOOL have_verified_OCSP_signer = FALSE;
2556 #ifndef EXIM_HAVE_OCSP_RESP_COUNT
2557 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
2560 DEBUG(D_tls) bp = BIO_new(BIO_s_mem());
2562 /* Use the CA & chain that verified the server cert to verify the stapled info */
2563 /*XXX could we do an event here, for observability of ocsp? What reasonable data could we give access to? */
2564 /* Dates would be a start. Do we need another opaque variable type, as for certs, plus an extract expansion? */
2567 /* If this routine is not available, we've avoided [in tls_client_start()]
2568 asking for certificate-status under DANE, so this callback won't run for
2569 that combination. It still will for non-DANE. */
2571 #ifdef EXIM_HAVE_OPENSSL_OCSP_RESP_GET0_SIGNER
2574 if ( tls_out.dane_verified
2575 && (have_verified_OCSP_signer =
2576 OCSP_resp_get0_signer(bs, &signer, SSL_get0_verified_chain(ssl)) == 1))
2579 debug_printf("signer for OCSP basicres is in the verified chain;"
2580 " shortcut its verification\n");
2585 STACK_OF(X509) * verified_chain;
2587 verify_store = X509_STORE_new();
2589 SSL_get0_chain_certs(ssl, &verified_chain);
2590 add_chain_to_store(verify_store, verified_chain,
2591 "'current cert' per SSL_get0_chain_certs()");
2592 #ifdef EXIM_HAVE_SSL_GET0_VERIFIED_CHAIN
2593 verified_chain = SSL_get0_verified_chain(ssl);
2594 add_chain_to_store(verify_store, verified_chain,
2595 "SSL_get0_verified_chain()");
2602 debug_printf("Untrusted intermediate cert stack (from SSL_get_peer_cert_chain()):\n");
2603 x509_stack_dump_cert_s_names(SSL_get_peer_cert_chain(ssl));
2605 debug_printf("will use this CA store for verifying basicresp:\n");
2606 x509_store_dump_cert_s_names(verify_store);
2608 /* OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
2610 debug_printf("certs contained in basicresp:\n");
2611 x509_stack_dump_cert_s_names(
2612 #ifdef EXIM_HAVE_OPESSL_OCSP_RESP_GET0_CERTS
2613 OCSP_resp_get0_certs(bs)
2619 #ifdef EXIM_HAVE_OPENSSL_X509_STORE_GET1_ALL_CERTS
2620 /* could do via X509_STORE_get0_objects(); not worth it just for debug info */
2623 if (OCSP_resp_get0_signer(bs, &signer, X509_STORE_get1_all_certs(verify_store)) == 1)
2625 debug_printf("found signer for basicres:\n");
2626 debug_print_sn(signer);
2630 debug_printf("failed to find signer for basicres:\n");
2631 ERR_print_errors(bp);
2640 /* Under DANE the trust-anchor (at least in TA mode) is indicated by the TLSA
2641 record in DNS, and probably is not the root of the chain of certificates. So
2642 accept a partial chain for that case (and hope that anchor is visible for
2643 verifying the OCSP stapling).
2644 XXX for EE mode it won't even be that. Does that make OCSP useless for EE?
2646 Worse, for LetsEncrypt-mode (ocsp signer is leaf-signer) under DANE, the
2647 data used within OpenSSL for the signer has nil pointers for signing
2648 algorithms - and a crash results. Avoid this by shortcutting verification,
2649 having determined that the OCSP signer is in the (DANE-)validated set.
2652 #ifndef OCSP_PARTIAL_CHAIN /* defined for 3.0.0 onwards */
2653 # define OCSP_PARTIAL_CHAIN 0
2656 if ((i = OCSP_basic_verify(bs, SSL_get_peer_cert_chain(ssl),
2659 tls_out.dane_verified
2660 ? have_verified_OCSP_signer
2661 ? OCSP_NOVERIFY | OCSP_NOEXPLICIT
2662 : OCSP_PARTIAL_CHAIN | OCSP_NOEXPLICIT
2665 OCSP_NOEXPLICIT)) <= 0)
2667 DEBUG(D_tls) debug_printf("OCSP_basic_verify() fail: returned %d\n", i);
2668 if (ERR_peek_error())
2670 tls_out.ocsp = OCSP_FAILED;
2671 if (LOGGING(tls_cipher))
2673 static uschar peerdn[256];
2674 const uschar * errstr;;
2676 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
2677 ERR_peek_error_all(NULL, NULL, NULL, CCSS &errstr, NULL);
2680 errstr = CUS ERR_reason_error_string(ERR_peek_error());
2682 X509_NAME_oneline(X509_get_subject_name(SSL_get_peer_certificate(ssl)),
2683 CS peerdn, sizeof(peerdn));
2684 log_write(0, LOG_MAIN,
2685 "[%s] %s Received TLS cert (DN: '%.*s') status response, "
2686 "itself unverifiable: %s",
2687 deliver_host_address, deliver_host,
2688 (int)sizeof(peerdn), peerdn, errstr);
2692 BIO_printf(bp, "OCSP response verify failure\n");
2693 ERR_print_errors(bp);
2696 int len = (int) BIO_get_mem_data(bp, CSS &s);
2697 if (len > 0) debug_printf("%.*s", len, s);
2700 OCSP_RESPONSE_print(bp, rsp, 0);
2705 DEBUG(D_tls) debug_printf("no explicit trust for OCSP signing"
2706 " in the root CA certificate; ignoring\n");
2709 DEBUG(D_tls) debug_printf("OCSP response well-formed and signed OK\n");
2711 /*XXX So we have a good stapled OCSP status. How do we know
2712 it is for the cert of interest? OpenSSL 1.1.0 has a routine
2713 OCSP_resp_find_status() which matches on a cert id, which presumably
2714 we should use. Making an id needs OCSP_cert_id_new(), which takes
2715 issuerName, issuerKey, serialNumber. Are they all in the cert?
2717 For now, carry on blindly accepting the resp. */
2720 #ifdef EXIM_HAVE_OCSP_RESP_COUNT
2721 OCSP_resp_count(bs) - 1;
2723 sk_OCSP_SINGLERESP_num(sresp) - 1;
2727 OCSP_SINGLERESP * single = OCSP_resp_get0(bs, idx);
2729 ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
2731 /*XXX so I can see putting a loop in here to handle a rsp with >1 singleresp
2732 - but what happens with a GnuTLS-style input?
2734 we could do with a debug label for each singleresp
2735 - it has a certID with a serialNumber, but I see no API to get that
2737 status = OCSP_single_get0_status(single, &reason, &rev,
2738 &thisupd, &nextupd);
2742 time_print(bp, "This OCSP Update", thisupd);
2743 if (nextupd) time_print(bp, "Next OCSP Update", nextupd);
2745 if (!OCSP_check_validity(thisupd, nextupd,
2746 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
2748 tls_out.ocsp = OCSP_FAILED;
2749 DEBUG(D_tls) ERR_print_errors(bp);
2750 cbinfo->u_ocsp.client.verify_errstr =
2751 US"(SSL_connect) Server certificate status is out-of-date";
2752 log_write(0, LOG_MAIN, "OCSP dates invalid");
2756 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
2757 OCSP_cert_status_str(status));
2760 case V_OCSP_CERTSTATUS_GOOD:
2761 continue; /* the idx loop */
2762 case V_OCSP_CERTSTATUS_REVOKED:
2763 cbinfo->u_ocsp.client.verify_errstr =
2764 US"(SSL_connect) Server certificate revoked";
2765 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
2766 reason != -1 ? "; reason: " : "",
2767 reason != -1 ? OCSP_crl_reason_str(reason) : "");
2768 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
2771 cbinfo->u_ocsp.client.verify_errstr =
2772 US"(SSL_connect) Server certificate has unknown status";
2773 log_write(0, LOG_MAIN,
2774 "Server certificate status unknown, in OCSP stapling");
2782 tls_out.ocsp = OCSP_VFIED;
2786 tls_out.ocsp = OCSP_FAILED;
2787 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
2791 int len = (int) BIO_get_mem_data(bp, CSS &s);
2792 if (len > 0) debug_printf("%.*s", len, s);
2797 OCSP_RESPONSE_free(rsp);
2800 #endif /*!DISABLE_OCSP*/
2803 /*************************************************
2804 * Initialize for TLS *
2805 *************************************************/
2806 /* Called from both server and client code, to do preliminary initialization
2807 of the library. We allocate and return a context structure.
2810 host connected host, if client; NULL if server
2811 ob transport options block, if client; NULL if server
2812 ocsp_file file of stapling info (server); flag for require ocsp (client)
2813 addr address if client; NULL if server (for some randomness)
2814 caller_state place to put pointer to allocated state-struct
2815 errstr error string pointer
2817 Returns: OK/DEFER/FAIL
2821 tls_init(host_item * host, smtp_transport_options_block * ob,
2822 #ifndef DISABLE_OCSP
2825 address_item *addr, exim_openssl_state_st ** caller_state,
2826 tls_support * tlsp, uschar ** errstr)
2829 exim_openssl_state_st * state;
2832 if (host) /* client */
2834 state = store_malloc(sizeof(exim_openssl_state_st));
2835 memset(state, 0, sizeof(*state));
2836 state->certificate = ob->tls_certificate;
2837 state->privatekey = ob->tls_privatekey;
2838 state->is_server = FALSE;
2839 state->dhparam = NULL;
2840 state->lib_state = ob->tls_preload;
2844 state = &state_server;
2845 state->certificate = tls_certificate;
2846 state->privatekey = tls_privatekey;
2847 state->is_server = TRUE;
2848 state->dhparam = tls_dhparam;
2849 state->lib_state = state_server.lib_state;
2855 if (!state->lib_state.pri_string)
2856 state->server_cipher_list = NULL;
2858 #ifndef DISABLE_EVENT
2859 state->event_action = NULL;
2864 /* It turns out that we need to seed the random number generator this early in
2865 order to get the full complement of ciphers to work. It took me roughly a day
2866 of work to discover this by experiment.
2868 On systems that have /dev/urandom, SSL may automatically seed itself from
2869 there. Otherwise, we have to make something up as best we can. Double check
2872 Although we likely called this before, at daemon startup, this is a chance
2873 to mix in further variable info (time, pid) if needed. */
2875 if (!lib_rand_init(addr))
2876 return tls_error(US"RAND_status", host,
2877 US"unable to seed random number generator", errstr);
2879 /* Apply administrator-supplied work-arounds.
2880 Historically we applied just one requested option,
2881 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
2882 moved to an administrator-controlled list of options to specify and
2883 grandfathered in the first one as the default value for "openssl_options".
2885 No OpenSSL version number checks: the options we accept depend upon the
2886 availability of the option value macros from OpenSSL. */
2889 if (!tls_openssl_options_parse(openssl_options, &init_options))
2890 return tls_error(US"openssl_options parsing failed", host, NULL, errstr);
2892 /* Create a context.
2893 The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
2894 negotiation in the different methods; as far as I can tell, the only
2895 *_{server,client}_method which allows negotiation is SSLv23, which exists even
2896 when OpenSSL is built without SSLv2 support.
2897 By disabling with openssl_options, we can let admins re-enable with the
2900 if (!(ctx = state->lib_state.lib_ctx))
2902 if ((rc = lib_ctx_new(&ctx, host, errstr)) != OK)
2904 state->lib_state.lib_ctx = ctx;
2907 #ifndef DISABLE_TLS_RESUME
2908 tlsp->resumption = RESUME_SUPPORTED;
2912 #ifndef DISABLE_TLS_RESUME
2913 /* Should the server offer session resumption? */
2914 if (!host && verify_check_host(&tls_resumption_hosts) == OK)
2916 DEBUG(D_tls) debug_printf("tls_resumption_hosts overrides openssl_options\n");
2917 init_options &= ~SSL_OP_NO_TICKET;
2918 tlsp->resumption |= RESUME_SERVER_TICKET; /* server will give ticket on request */
2919 tlsp->host_resumable = TRUE;
2923 #ifdef OPENSSL_MIN_PROTO_VERSION
2924 SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);
2926 DEBUG(D_tls) debug_printf("setting SSL CTX options: %016lx\n", init_options);
2927 SSL_CTX_set_options(ctx, init_options);
2929 uint64_t readback = SSL_CTX_clear_options(ctx, ~init_options);
2930 if (readback != init_options)
2931 return tls_error(string_sprintf(
2932 "SSL_CTX_set_option(%#lx)", init_options), host, NULL, errstr);
2936 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
2938 /* We'd like to disable session cache unconditionally, but foolish Outlook
2939 Express clients then give up the first TLS connection and make a second one
2940 (which works). Only when there is an IMAP service on the same machine.
2941 Presumably OE is trying to use the cache for A on B. Leave it enabled for
2942 now, until we work out a decent way of presenting control to the config. It
2943 will never be used because we use a new context every time. */
2945 (void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
2948 /* Initialize with DH parameters if supplied */
2949 /* Initialize ECDH temp key parameter selection */
2953 if (state->lib_state.dh)
2954 { DEBUG(D_tls) debug_printf("TLS: DH params were preloaded\n"); }
2956 if (!init_dh(ctx, state->dhparam, errstr)) return DEFER;
2958 if (state->lib_state.ecdh)
2959 { DEBUG(D_tls) debug_printf("TLS: ECDH curve was preloaded\n"); }
2961 if (!init_ecdh(ctx, errstr)) return DEFER;
2964 /* Set up certificate and key (and perhaps OCSP info) */
2966 if (state->lib_state.conn_certs)
2969 debug_printf("TLS: %s certs were preloaded\n", host ? "client":"server");
2973 #ifndef DISABLE_OCSP
2974 if (!host) /* server */
2976 state->u_ocsp.server.file = ocsp_file;
2977 state->u_ocsp.server.file_expanded = NULL;
2978 state->u_ocsp.server.olist = NULL;
2981 if ((rc = tls_expand_session_files(ctx, state, errstr)) != OK) return rc;
2984 /* If we need to handle SNI or OCSP, do so */
2986 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
2987 # ifndef DISABLE_OCSP
2988 if (!host && !(state->u_ocsp.server.verify_stack = sk_X509_new_null()))
2990 DEBUG(D_tls) debug_printf("failed to create stack for stapling verify\n");
2995 if (!host) /* server */
2997 # ifndef DISABLE_OCSP
2998 /* We check u_ocsp.server.file, not server.olist, because we care about if
2999 the option exists, not what the current expansion might be, as SNI might
3000 change the certificate and OCSP file in use between now and the time the
3001 callback is invoked. */
3002 if (state->u_ocsp.server.file)
3004 SSL_CTX_set_tlsext_status_cb(ctx, tls_server_stapling_cb);
3005 SSL_CTX_set_tlsext_status_arg(ctx, state);
3008 /* We always do this, so that $tls_sni is available even if not used in
3010 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
3011 SSL_CTX_set_tlsext_servername_arg(ctx, state);
3013 # ifdef EXIM_HAVE_ALPN
3014 if (tls_alpn && *tls_alpn)
3017 if ( expand_check(tls_alpn, US"tls_alpn", &exp_alpn, errstr)
3018 && *exp_alpn && !isblank(*exp_alpn))
3020 tls_alpn = exp_alpn; /* subprocess so ok to overwrite */
3021 SSL_CTX_set_alpn_select_cb(ctx, tls_server_alpn_cb, state);
3028 # ifndef DISABLE_OCSP
3030 if(ocsp_file) /* wanting stapling */
3032 if (!(state->u_ocsp.client.verify_store = X509_STORE_new()))
3034 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
3038 SSL_CTX_set_tlsext_status_cb(ctx, tls_client_stapling_cb);
3039 SSL_CTX_set_tlsext_status_arg(ctx, state);
3042 #endif /*EXIM_HAVE_OPENSSL_TLSEXT*/
3044 state->verify_cert_hostnames = NULL;
3046 #ifdef EXIM_HAVE_EPHEM_RSA_KEX
3047 /* Set up the RSA callback */
3048 SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
3051 /* Finally, set the session cache timeout, and we are done.
3052 The period appears to be also used for (server-generated) session tickets */
3054 SSL_CTX_set_timeout(ctx, ssl_session_timeout);
3055 DEBUG(D_tls) debug_printf("Initialized TLS\n");
3057 *caller_state = state;
3065 /*************************************************
3066 * Get name of cipher in use *
3067 *************************************************/
3070 Argument: pointer to an SSL structure for the connection
3071 pointer to number of bits for cipher
3072 Returns: pointer to allocated string in perm-pool
3076 construct_cipher_name(SSL * ssl, const uschar * ver, int * bits)
3078 int pool = store_pool;
3079 /* With OpenSSL 1.0.0a, 'c' needs to be const but the documentation doesn't
3080 yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
3081 the accessor functions use const in the prototype. */
3083 const SSL_CIPHER * c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
3086 SSL_CIPHER_get_bits(c, bits);
3088 store_pool = POOL_PERM;
3089 s = string_sprintf("%s:%s:%u", ver, SSL_CIPHER_get_name(c), *bits);
3091 DEBUG(D_tls) debug_printf("Cipher: %s\n", s);
3096 /* Get IETF-standard name for ciphersuite.
3097 Argument: pointer to an SSL structure for the connection
3098 Returns: pointer to string
3101 static const uschar *
3102 cipher_stdname_ssl(SSL * ssl)
3104 #ifdef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
3105 return CUS SSL_CIPHER_standard_name(SSL_get_current_cipher(ssl));
3107 ushort id = 0xffff & SSL_CIPHER_get_id(SSL_get_current_cipher(ssl));
3108 return cipher_stdname(id >> 8, id & 0xff);
3113 static const uschar *
3114 tlsver_name(SSL * ssl)
3117 int pool = store_pool;
3119 store_pool = POOL_PERM;
3120 s = string_copy(US SSL_get_version(ssl));
3122 if ((p = Ustrchr(s, 'v'))) /* TLSv1.2 -> TLS1.2 */
3123 for (;; p++) if (!(*p = p[1])) break;
3129 peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned siz)
3131 /*XXX we might consider a list-of-certs variable for the cert chain.
3132 SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
3133 in list-handling functions, also consider the difference between the entire
3134 chain and the elements sent by the peer. */
3136 tlsp->peerdn = NULL;
3138 /* Will have already noted peercert on a verify fail; possibly not the leaf */
3139 if (!tlsp->peercert)
3140 tlsp->peercert = SSL_get_peer_certificate(ssl);
3141 /* Beware anonymous ciphers which lead to server_cert being NULL */
3143 if (!X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, siz))
3144 { DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n"); }
3147 int oldpool = store_pool;
3149 peerdn[siz-1] = '\0'; /* paranoia */
3150 store_pool = POOL_PERM;
3151 tlsp->peerdn = string_copy(peerdn);
3152 store_pool = oldpool;
3154 /* We used to set CV in the cert-verify callbacks (either plain or dane)
3155 but they don't get called on session-resumption. So use the official
3156 interface, which uses the resumed value. Unfortunately this claims verified
3157 when it actually failed but we're in try-verify mode, due to us wanting the
3158 knowlege that it failed so needing to have the callback and forcing a
3159 permissive return. If we don't force it, the TLS startup is failed.
3160 The extra bit of information is set in verify_override in the cb, stashed
3161 for resumption next to the TLS session, and used here. */
3163 if (!tlsp->verify_override)
3164 tlsp->certificate_verified =
3166 tlsp->dane_verified ||
3168 SSL_get_verify_result(ssl) == X509_V_OK;
3176 /*************************************************
3177 * Set up for verifying certificates *
3178 *************************************************/
3180 #ifndef DISABLE_OCSP
3181 /* In the server, load certs from file, return TRUE on success */
3184 chain_from_pem_file(const uschar * file, STACK_OF(X509) ** vp)
3187 STACK_OF(X509) * verify_stack = *vp;
3190 while (sk_X509_num(verify_stack) > 0)
3191 X509_free(sk_X509_pop(verify_stack));
3193 verify_stack = sk_X509_new_null();
3195 if (!(bp = BIO_new_file(CS file, "r"))) return FALSE;
3196 for (X509 * x; x = PEM_read_bio_X509(bp, NULL, 0, NULL); )
3197 sk_X509_push(verify_stack, x);
3206 /* Called by both client and server startup; on the server possibly
3207 repeated after a Server Name Indication.
3210 sctx SSL_CTX* to initialise
3211 certsp certs file, returned expanded
3212 crl CRL file or NULL
3213 host NULL in a server; the remote host in a client
3214 errstr error string pointer
3216 Returns: OK/DEFER/FAIL
3220 setup_certs(SSL_CTX * sctx, uschar ** certsp, uschar * crl, host_item * host,
3223 uschar * expcerts, * expcrl;
3225 if (!expand_check(*certsp, US"tls_verify_certificates", &expcerts, errstr))
3227 DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
3230 if (expcerts && *expcerts)
3232 /* Tell the library to use its compiled-in location for the system default
3233 CA bundle. Then add the ones specified in the config, if any. */
3235 if (!SSL_CTX_set_default_verify_paths(sctx))
3236 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL, errstr);
3238 if (Ustrcmp(expcerts, "system") != 0 && Ustrncmp(expcerts, "system,", 7) != 0)
3240 struct stat statbuf;
3242 if (Ustat(expcerts, &statbuf) < 0)
3244 log_write(0, LOG_MAIN|LOG_PANIC,
3245 "failed to stat %s for certificates", expcerts);
3251 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
3252 { file = NULL; dir = expcerts; }
3255 STACK_OF(X509) * verify_stack =
3256 #ifndef DISABLE_OCSP
3257 !host ? state_server.u_ocsp.server.verify_stack :
3260 STACK_OF(X509) ** vp = &verify_stack;
3262 file = expcerts; dir = NULL;
3263 #ifndef DISABLE_OCSP
3264 /* In the server if we will be offering an OCSP proof; load chain from
3265 file for verifying the OCSP proof at load time. */
3267 /*XXX Glitch! The file here is tls_verify_certs: the chain for verifying the client cert.
3268 This is inconsistent with the need to verify the OCSP proof of the server cert.
3270 /* *debug_printf("file for checking server ocsp stapling is: %s\n", file); */
3272 && statbuf.st_size > 0
3273 && state_server.u_ocsp.server.file
3274 && !chain_from_pem_file(file, vp)
3277 log_write(0, LOG_MAIN|LOG_PANIC,
3278 "failed to load cert chain from %s", file);
3284 /* If a certificate file is empty, the load function fails with an
3285 unhelpful error message. If we skip it, we get the correct behaviour (no
3286 certificates are recognized, but the error message is still misleading (it
3287 says no certificate was supplied). But this is better. */
3289 if ( (!file || statbuf.st_size > 0)
3290 && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
3291 return tls_error(US"SSL_CTX_load_verify_locations",
3292 host, NULL, errstr);
3294 /* On the server load the list of CAs for which we will accept certs, for
3295 sending to the client. This is only for the one-file
3296 tls_verify_certificates variant.
3297 If a list isn't loaded into the server, but some verify locations are set,
3298 the server end appears to make a wildcard request for client certs.
3299 Meanwhile, the client library as default behaviour *ignores* the list
3300 we send over the wire - see man SSL_CTX_set_client_cert_cb.
3301 Because of this, and that the dir variant is likely only used for
3302 the public-CA bundle (not for a private CA), not worth fixing. */
3306 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
3307 int i = sk_X509_NAME_num(names);
3309 if (!host) SSL_CTX_set_client_CA_list(sctx, names);
3310 DEBUG(D_tls) debug_printf("Added %d additional certificate authorit%s\n",
3311 i, i>1 ? "ies":"y");
3315 debug_printf("Added dir for additional certificate authorities\n");
3319 /* Handle a certificate revocation list. */
3321 #if OPENSSL_VERSION_NUMBER > 0x00907000L
3323 /* This bit of code is now the version supplied by Lars Mainka. (I have
3324 merely reformatted it into the Exim code style.)
3326 "From here I changed the code to add support for multiple crl's
3327 in pem format in one file or to support hashed directory entries in
3328 pem format instead of a file. This method now uses the library function
3329 X509_STORE_load_locations to add the CRL location to the SSL context.
3330 OpenSSL will then handle the verify against CA certs and CRLs by
3331 itself in the verify callback." */
3333 if (!expand_check(crl, US"tls_crl", &expcrl, errstr)) return DEFER;
3334 if (expcrl && *expcrl)
3336 struct stat statbufcrl;
3337 if (Ustat(expcrl, &statbufcrl) < 0)
3339 log_write(0, LOG_MAIN|LOG_PANIC,
3340 "failed to stat %s for certificates revocation lists", expcrl);
3345 /* is it a file or directory? */
3347 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
3348 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
3352 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
3358 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
3360 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
3361 return tls_error(US"X509_STORE_load_locations", host, NULL, errstr);
3363 /* setting the flags to check against the complete crl chain */
3365 X509_STORE_set_flags(cvstore,
3366 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
3370 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
3379 tls_dump_keylog(SSL * ssl)
3381 #ifdef EXIM_HAVE_OPENSSL_KEYLOG
3382 BIO * bp = BIO_new(BIO_s_mem());
3385 SSL_SESSION_print_keylog(bp, SSL_get_session(ssl));
3386 len = (int) BIO_get_mem_data(bp, CSS &s);
3387 if (len > 0) debug_printf("%.*s", len, s);
3393 /* Channel-binding info for authenticators
3394 See description in https://paquier.xyz/postgresql-2/channel-binding-openssl/
3399 tls_get_channel_binding(SSL * ssl, tls_support * tlsp, const void * taintval)
3404 #ifdef EXIM_HAVE_EXPORT_CHNL_BNGNG
3405 if (SSL_version(ssl) > TLS1_2_VERSION)
3407 /* It's not documented by OpenSSL how big the output buffer must be.
3408 The OpenSSL testcases use 80 bytes but don't say why. The GnuTLS impl only
3409 serves out 32B. RFC 9266 says it is 32B.
3410 Interop fails unless we use the same each end. */
3413 tlsp->channelbind_exporter = TRUE;
3414 taintval = GET_UNTAINTED;
3415 if (SSL_export_keying_material(ssl,
3416 s = store_get((int)len, taintval), len,
3417 "EXPORTER-Channel-Binding", (size_t) 24,
3424 len = SSL_get_peer_finished(ssl, &c, 0);
3425 len = SSL_get_peer_finished(ssl, s = store_get((int)len, taintval), len);
3430 int old_pool = store_pool;
3431 store_pool = POOL_PERM;
3432 tlsp->channelbinding = b64encode_taint(CUS s, (int)len, taintval);
3433 store_pool = old_pool;
3434 DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage %p %p\n", tlsp->channelbinding, tlsp);
3439 /*************************************************
3440 * Start a TLS session in a server *
3441 *************************************************/
3442 /* This is called when Exim is running as a server, after having received
3443 the STARTTLS command. It must respond to that command, and then negotiate
3447 errstr pointer to error message
3449 Returns: OK on success
3450 DEFER for errors before the start of the negotiation
3451 FAIL for errors during the negotiation; the server can't
3456 tls_server_start(uschar ** errstr)
3459 uschar * expciphers;
3460 exim_openssl_state_st * dummy_statep;
3463 static uschar peerdn[256];
3465 /* Check for previous activation */
3467 if (tls_in.active.sock >= 0)
3469 tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
3470 smtp_printf("554 Already in TLS\r\n", FALSE);
3474 /* Initialize the SSL library. If it fails, it will already have logged
3477 rc = tls_init(NULL, NULL,
3478 #ifndef DISABLE_OCSP
3481 NULL, &dummy_statep, &tls_in, errstr);
3482 if (rc != OK) return rc;
3483 ctx = state_server.lib_state.lib_ctx;
3485 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
3486 were historically separated by underscores. So that I can use either form in my
3487 tests, and also for general convenience, we turn underscores into hyphens here.
3489 XXX SSL_CTX_set_cipher_list() is replaced by SSL_CTX_set_ciphersuites()
3490 for TLS 1.3 . Since we do not call it at present we get the default list:
3491 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
3494 if (state_server.lib_state.pri_string)
3495 { DEBUG(D_tls) debug_printf("TLS: cipher list was preloaded\n"); }
3498 if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers, errstr))
3503 normalise_ciphers(&expciphers, tls_require_ciphers);
3504 if ((rc = server_load_ciphers(ctx, &state_server, expciphers, errstr)) != OK)
3509 /* If this is a host for which certificate verification is mandatory or
3510 optional, set up appropriately. */
3512 tls_in.certificate_verified = FALSE;
3514 tls_in.dane_verified = FALSE;
3516 server_verify_callback_called = FALSE;
3518 if (verify_check_host(&tls_verify_hosts) == OK)
3519 server_verify_optional = FALSE;
3520 else if (verify_check_host(&tls_try_verify_hosts) == OK)
3521 server_verify_optional = TRUE;
3526 uschar * v_certs = tls_verify_certificates;
3528 if (state_server.lib_state.cabundle)
3530 DEBUG(D_tls) debug_printf("TLS: CA bundle for server was preloaded\n");
3531 setup_cert_verify(ctx, server_verify_optional, verify_callback_server);
3535 if ((rc = setup_certs(ctx, &v_certs, tls_crl, NULL, errstr)) != OK)
3537 if (v_certs && *v_certs)
3538 setup_cert_verify(ctx, server_verify_optional, verify_callback_server);
3543 #ifndef DISABLE_TLS_RESUME
3544 # if OPENSSL_VERSION_NUMBER < 0x30000000L
3545 SSL_CTX_set_tlsext_ticket_key_cb(ctx, ticket_key_callback);
3546 /* despite working, appears to always return failure, so ignoring */
3548 SSL_CTX_set_tlsext_ticket_key_evp_cb(ctx, ticket_key_callback);
3549 /* despite working, appears to always return failure, so ignoring */
3553 #ifdef OPENSSL_HAVE_NUM_TICKETS
3554 # ifndef DISABLE_TLS_RESUME
3555 SSL_CTX_set_num_tickets(ctx, tls_in.host_resumable ? 1 : 0);
3557 SSL_CTX_set_num_tickets(ctx, 0); /* send no TLS1.3 stateful-tickets */
3562 /* Prepare for new connection */
3564 if (!(ssl = SSL_new(ctx)))
3565 return tls_error(US"SSL_new", NULL, NULL, errstr);
3566 state_server.lib_state.lib_ssl = ssl;
3568 /* Warning: we used to SSL_clear(ssl) here, it was removed.
3570 * With the SSL_clear(), we get strange interoperability bugs with
3571 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
3572 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
3574 * The SSL_clear() call is to let an existing SSL* be reused, typically after
3575 * session shutdown. In this case, we have a brand new object and there's no
3576 * obvious reason to immediately clear it. I'm guessing that this was
3577 * originally added because of incomplete initialisation which the clear fixed,
3578 * in some historic release.
3581 /* Set context and tell client to go ahead, except in the case of TLS startup
3582 on connection, where outputting anything now upsets the clients and tends to
3583 make them disconnect. We need to have an explicit fflush() here, to force out
3584 the response. Other smtp_printf() calls do not need it, because in non-TLS
3585 mode, the fflush() happens when smtp_getc() is called. */
3587 SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
3588 if (!tls_in.on_connect)
3590 smtp_printf("220 TLS go ahead\r\n", FALSE);
3594 /* Now negotiate the TLS session. We put our own timer on it, since it seems
3595 that the OpenSSL library doesn't. */
3597 SSL_set_wfd(ssl, fileno(smtp_out));
3598 SSL_set_rfd(ssl, fileno(smtp_in));
3599 SSL_set_accept_state(ssl);
3601 DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
3604 sigalrm_seen = FALSE;
3605 if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
3606 rc = SSL_accept(ssl);
3611 int error = SSL_get_error(ssl, rc);
3614 case SSL_ERROR_NONE:
3617 case SSL_ERROR_ZERO_RETURN:
3618 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
3619 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
3620 #ifndef DISABLE_EVENT
3621 (void) event_raise(event_action, US"tls:fail:connect", *errstr, NULL);
3623 if (SSL_get_shutdown(ssl) == SSL_RECEIVED_SHUTDOWN)
3626 tls_close(NULL, TLS_NO_SHUTDOWN);
3629 /* Handle genuine errors */
3633 int r = ERR_GET_REASON(ERR_peek_error());
3634 if ( r == SSL_R_WRONG_VERSION_NUMBER
3635 #ifdef SSL_R_VERSION_TOO_LOW
3636 || r == SSL_R_VERSION_TOO_LOW
3638 || r == SSL_R_UNKNOWN_PROTOCOL || r == SSL_R_UNSUPPORTED_PROTOCOL)
3639 s = string_sprintf("(%s)", SSL_get_version(ssl));
3640 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : s, errstr);
3641 #ifndef DISABLE_EVENT
3642 (void) event_raise(event_action, US"tls:fail:connect", *errstr, NULL);
3648 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
3649 if (error == SSL_ERROR_SYSCALL)
3653 *errstr = US"SSL_accept: TCP connection closed by peer";
3654 #ifndef DISABLE_EVENT
3655 (void) event_raise(event_action, US"tls:fail:connect", *errstr, NULL);
3659 DEBUG(D_tls) debug_printf(" - syscall %s\n", strerror(errno));
3661 (void) tls_error(US"SSL_accept", NULL,
3662 sigalrm_seen ? US"timed out"
3663 : ERR_peek_error() ? NULL : string_sprintf("ret %d", error),
3665 #ifndef DISABLE_EVENT
3666 (void) event_raise(event_action, US"tls:fail:connect", *errstr, NULL);
3672 DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
3673 ERR_clear_error(); /* Even success can leave errors in the stack. Seen with
3674 anon-authentication ciphersuite negotiated. */
3676 #ifndef DISABLE_TLS_RESUME
3677 if (SSL_session_reused(ssl))
3679 tls_in.resumption |= RESUME_USED;
3680 DEBUG(D_tls) debug_printf("Session reused\n");
3684 #ifdef EXIM_HAVE_ALPN
3685 /* If require-alpn, check server_seen_alpn here. Else abort TLS */
3686 if (!tls_alpn || !*tls_alpn)
3687 { DEBUG(D_tls) debug_printf("TLS: was not watching for ALPN\n"); }
3688 else if (!server_seen_alpn)
3689 if (verify_check_host(&hosts_require_alpn) == OK)
3691 /* We'd like to send a definitive Alert but OpenSSL provides no facility */
3693 tls_error(US"handshake", NULL, US"ALPN required but not negotiated", errstr);
3697 { DEBUG(D_tls) debug_printf("TLS: no ALPN presented in handshake\n"); }
3700 const uschar * name;
3702 SSL_get0_alpn_selected(ssl, &name, &len);
3704 debug_printf("ALPN negotiated: '%.*s'\n", (int)*name, name+1);
3706 debug_printf("ALPN: no protocol negotiated\n");
3711 /* TLS has been set up. Record data for the connection,
3712 adjust the input functions to read via TLS, and initialize things. */
3714 #ifdef SSL_get_extms_support
3715 /*XXX what does this return for tls1.3 ? */
3716 tls_in.ext_master_secret = SSL_get_extms_support(ssl) == 1;
3718 peer_cert(ssl, &tls_in, peerdn, sizeof(peerdn));
3720 tls_in.ver = tlsver_name(ssl);
3721 tls_in.cipher = construct_cipher_name(ssl, tls_in.ver, &tls_in.bits);
3722 tls_in.cipher_stdname = cipher_stdname_ssl(ssl);
3727 if (SSL_get_shared_ciphers(ssl, CS buf, sizeof(buf)))
3728 debug_printf("Shared ciphers: %s\n", buf);
3730 tls_dump_keylog(ssl);
3732 #ifdef EXIM_HAVE_SESSION_TICKET
3734 SSL_SESSION * ss = SSL_get_session(ssl);
3735 if (SSL_SESSION_has_ticket(ss)) /* 1.1.0 */
3736 debug_printf("The session has a ticket, life %lu seconds\n",
3737 SSL_SESSION_get_ticket_lifetime_hint(ss));
3742 /* Record the certificate we presented */
3744 X509 * crt = SSL_get_certificate(ssl);
3745 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
3748 tls_get_channel_binding(ssl, &tls_in, GET_UNTAINTED);
3750 /* Only used by the server-side tls (tls_in), including tls_getc.
3751 Client-side (tls_out) reads (seem to?) go via
3752 smtp_read_response()/ip_recv().
3753 Hence no need to duplicate for _in and _out.
3755 if (!ssl_xfer_buffer) ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
3756 ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
3757 ssl_xfer_eof = ssl_xfer_error = FALSE;
3759 receive_getc = tls_getc;
3760 receive_getbuf = tls_getbuf;
3761 receive_get_cache = tls_get_cache;
3762 receive_hasc = tls_hasc;
3763 receive_ungetc = tls_ungetc;
3764 receive_feof = tls_feof;
3765 receive_ferror = tls_ferror;
3767 tls_in.active.sock = fileno(smtp_out);
3768 tls_in.active.tls_ctx = NULL; /* not using explicit ctx for server-side */
3776 tls_client_basic_ctx_init(SSL_CTX * ctx,
3777 host_item * host, smtp_transport_options_block * ob, exim_openssl_state_st * state,
3782 /* Back-compatible old behaviour if tls_verify_certificates is set but both
3783 tls_verify_hosts and tls_try_verify_hosts are not set. Check only the specified
3784 host patterns if one of them is set with content. */
3786 if ( ( ( !ob->tls_verify_hosts || !ob->tls_verify_hosts
3787 || Ustrcmp(ob->tls_try_verify_hosts, ":") == 0
3789 && ( !ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts
3790 || Ustrcmp(ob->tls_try_verify_hosts, ":") == 0
3793 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
3795 client_verify_optional = FALSE;
3796 else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
3797 client_verify_optional = TRUE;
3802 uschar * v_certs = ob->tls_verify_certificates;
3804 if (state->lib_state.cabundle)
3806 DEBUG(D_tls) debug_printf("TLS: CA bundle for tpt was preloaded\n");
3807 setup_cert_verify(ctx, client_verify_optional, verify_callback_client);
3811 if ((rc = setup_certs(ctx, &v_certs, ob->tls_crl, host, errstr)) != OK)
3813 if (v_certs && *v_certs)
3814 setup_cert_verify(ctx, client_verify_optional, verify_callback_client);
3818 if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
3820 state->verify_cert_hostnames =
3822 string_domain_utf8_to_alabel(host->certname, NULL);
3826 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
3827 state->verify_cert_hostnames);
3835 dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa, uschar ** errstr)
3838 const char * hostnames[2] = { CS host->name, NULL };
3841 if (DANESSL_init(ssl, NULL, hostnames) != 1)
3842 return tls_error(US"hostnames load", host, NULL, errstr);
3844 for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
3845 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
3846 ) if (rr->type == T_TLSA && rr->size > 3)
3848 const uschar * p = rr->data;
3849 uint8_t usage, selector, mtype;
3850 const char * mdname;
3854 /* Only DANE-TA(2) and DANE-EE(3) are supported */
3855 if (usage != 2 && usage != 3) continue;
3862 default: continue; /* Only match-types 0, 1, 2 are supported */
3863 case 0: mdname = NULL; break;
3864 case 1: mdname = "sha256"; break;
3865 case 2: mdname = "sha512"; break;
3869 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
3872 return tls_error(US"tlsa load", host, NULL, errstr);
3873 case 0: /* action not taken */
3877 tls_out.tlsa_usage |= 1<<usage;
3883 log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
3886 #endif /*SUPPORT_DANE*/
3890 #ifndef DISABLE_TLS_RESUME
3891 /* On the client, get any stashed session for the given IP from hints db
3892 and apply it to the ssl-connection for attempted resumption. */
3895 tls_retrieve_session(tls_support * tlsp, SSL * ssl)
3897 if (tlsp->host_resumable)
3899 dbdata_tls_session * dt;
3901 open_db dbblock, * dbm_file;
3903 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
3905 debug_printf("checking for resumable session for %s\n", tlsp->resume_index);
3906 if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
3908 if ((dt = dbfn_read_with_length(dbm_file, tlsp->resume_index, &len)))
3910 SSL_SESSION * ss = NULL;
3911 const uschar * sess_asn1 = dt->session;
3913 len -= sizeof(dbdata_tls_session);
3914 if (!(d2i_SSL_SESSION(&ss, &sess_asn1, (long)len)))
3918 ERR_error_string_n(ERR_get_error(),
3919 ssl_errstring, sizeof(ssl_errstring));
3920 debug_printf("decoding session: %s\n", ssl_errstring);
3925 unsigned long lifetime =
3926 #ifdef EXIM_HAVE_SESSION_TICKET
3927 SSL_SESSION_get_ticket_lifetime_hint(ss);
3928 #else /* Use, fairly arbitrilarily, what we as server would */
3929 f.running_in_test_harness ? TESTSUITE_TICKET_LIFE : ssl_session_timeout;
3931 time_t now = time(NULL), expires = lifetime + dt->time_stamp;
3934 DEBUG(D_tls) debug_printf("session expired (by " TIME_T_FMT "s from %lus)\n", now - expires, lifetime);
3935 dbfn_delete(dbm_file, tlsp->resume_index);
3937 else if (SSL_set_session(ssl, ss))
3939 DEBUG(D_tls) debug_printf("good session (" TIME_T_FMT "s left of %lus)\n", expires - now, lifetime);
3940 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
3941 tlsp->verify_override = dt->verify_override;
3942 tlsp->ocsp = dt->ocsp;
3946 ERR_error_string_n(ERR_get_error(),
3947 ssl_errstring, sizeof(ssl_errstring));
3948 debug_printf("applying session to ssl: %s\n", ssl_errstring);
3953 DEBUG(D_tls) debug_printf("no session record\n");
3954 dbfn_close(dbm_file);
3960 /* On the client, save the session for later resumption */
3963 tls_save_session_cb(SSL * ssl, SSL_SESSION * ss)
3965 exim_openssl_state_st * cbinfo = SSL_get_ex_data(ssl, tls_exdata_idx);
3968 DEBUG(D_tls) debug_printf("tls_save_session_cb\n");
3970 if (!cbinfo || !(tlsp = cbinfo->tlsp)->host_resumable) return 0;
3972 # ifdef OPENSSL_HAVE_NUM_TICKETS
3973 if (SSL_SESSION_is_resumable(ss)) /* 1.1.1 */
3976 int len = i2d_SSL_SESSION(ss, NULL);
3977 int dlen = sizeof(dbdata_tls_session) + len;
3978 dbdata_tls_session * dt = store_get(dlen, GET_TAINTED);
3979 uschar * s = dt->session;
3980 open_db dbblock, * dbm_file;
3982 DEBUG(D_tls) debug_printf("session is resumable\n");
3983 tlsp->resumption |= RESUME_SERVER_TICKET; /* server gave us a ticket */
3985 dt->verify_override = tlsp->verify_override;
3986 dt->ocsp = tlsp->ocsp;
3987 (void) i2d_SSL_SESSION(ss, &s); /* s gets bumped to end */
3989 if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
3991 dbfn_write(dbm_file, tlsp->resume_index, dt, dlen);
3992 dbfn_close(dbm_file);
3993 DEBUG(D_tls) debug_printf("wrote session (len %u) to db\n",
4001 /* Construct a key for session DB lookup, and setup the SSL_CTX for resumption */
4004 tls_client_ctx_resume_prehandshake(
4005 exim_openssl_client_tls_ctx * exim_client_ctx, smtp_connect_args * conn_args,
4006 tls_support * tlsp, smtp_transport_options_block * ob)
4008 tlsp->host_resumable = TRUE;
4009 tls_client_resmption_key(tlsp, conn_args, ob);
4011 SSL_CTX_set_session_cache_mode(exim_client_ctx->ctx,
4012 SSL_SESS_CACHE_CLIENT
4013 | SSL_SESS_CACHE_NO_INTERNAL | SSL_SESS_CACHE_NO_AUTO_CLEAR);
4014 SSL_CTX_sess_set_new_cb(exim_client_ctx->ctx, tls_save_session_cb);
4018 tls_client_ssl_resume_prehandshake(SSL * ssl, tls_support * tlsp,
4019 host_item * host, uschar ** errstr)
4021 if (tlsp->host_resumable)
4024 debug_printf("tls_resumption_hosts overrides openssl_options, enabling tickets\n");
4025 SSL_clear_options(ssl, SSL_OP_NO_TICKET);
4027 tls_exdata_idx = SSL_get_ex_new_index(0, 0, 0, 0, 0);
4028 if (!SSL_set_ex_data(ssl, tls_exdata_idx, client_static_state))
4030 tls_error(US"set ex_data", host, NULL, errstr);
4033 /* debug_printf("tls_exdata_idx %d cbinfo %p\n", tls_exdata_idx, client_static_state); */
4036 tlsp->resumption = RESUME_SUPPORTED;
4037 /* Pick up a previous session, saved on an old ticket */
4038 tls_retrieve_session(tlsp, ssl);
4043 tls_client_resume_posthandshake(exim_openssl_client_tls_ctx * exim_client_ctx,
4046 if (SSL_session_reused(exim_client_ctx->ssl))
4048 DEBUG(D_tls) debug_printf("The session was reused\n");
4049 tlsp->resumption |= RESUME_USED;
4052 #endif /* !DISABLE_TLS_RESUME */
4055 #ifdef EXIM_HAVE_ALPN
4056 /* Expand and convert an Exim list to an ALPN list. False return for fail.
4057 NULL plist return for silent no-ALPN.
4059 Overwite the passed-in list with the expanded version.
4063 tls_alpn_plist(uschar ** tls_alpn, const uschar ** plist, unsigned * plen,
4068 if (!expand_check(*tls_alpn, US"tls_alpn", &exp_alpn, errstr))
4070 *tls_alpn = exp_alpn;
4074 DEBUG(D_tls) debug_printf("Setting TLS ALPN forced to fail, not sending\n");
4079 /* The server implementation only accepts exactly one protocol name
4080 but it's little extra code complexity in the client. */
4082 const uschar * list = exp_alpn;
4083 uschar * p = store_get(Ustrlen(exp_alpn), exp_alpn), * s, * t;
4087 for (t = p; s = string_nextinlist(&list, &sep, NULL, 0); t += len)
4089 *t++ = len = (uschar) Ustrlen(s);
4092 *plist = (*plen = t - p) ? p : NULL;
4096 #endif /* EXIM_HAVE_ALPN */
4099 /*************************************************
4100 * Start a TLS session in a client *
4101 *************************************************/
4103 /* Called from the smtp transport after STARTTLS has been accepted.
4106 cctx connection context
4107 conn_args connection details
4108 cookie datum for randomness; can be NULL
4109 tlsp record details of TLS channel configuration here; must be non-NULL
4110 errstr error string pointer
4112 Returns: TRUE for success with TLS session context set in connection context,
4117 tls_client_start(client_conn_ctx * cctx, smtp_connect_args * conn_args,
4118 void * cookie, tls_support * tlsp, uschar ** errstr)
4120 host_item * host = conn_args->host; /* for msgs and option-tests */
4121 transport_instance * tb = conn_args->tblock; /* always smtp or NULL */
4122 smtp_transport_options_block * ob = tb
4123 ? (smtp_transport_options_block *)tb->options_block
4124 : &smtp_transport_option_defaults;
4125 exim_openssl_client_tls_ctx * exim_client_ctx;
4126 uschar * expciphers;
4128 static uschar peerdn[256];
4130 #ifndef DISABLE_OCSP
4131 BOOL request_ocsp = FALSE;
4132 BOOL require_ocsp = FALSE;
4136 store_pool = POOL_PERM;
4137 exim_client_ctx = store_get(sizeof(exim_openssl_client_tls_ctx), GET_UNTAINTED);
4138 exim_client_ctx->corked = NULL;
4142 tlsp->tlsa_usage = 0;
4145 #ifndef DISABLE_OCSP
4147 # ifdef SUPPORT_DANE
4148 if ( conn_args->dane
4149 && ob->hosts_request_ocsp[0] == '*'
4150 && ob->hosts_request_ocsp[1] == '\0'
4153 /* Unchanged from default. Use a safer one under DANE */
4154 request_ocsp = TRUE;
4155 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
4156 " {= {4}{$tls_out_tlsa_usage}} } "
4162 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK))
4163 request_ocsp = TRUE;
4165 # ifdef SUPPORT_DANE
4169 verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
4171 # if defined(SUPPORT_DANE) && !defined(EXIM_HAVE_OPENSSL_OCSP_RESP_GET0_SIGNER)
4172 if (conn_args->dane && (require_ocsp || request_ocsp))
4174 DEBUG(D_tls) debug_printf("OpenSSL version to early to combine OCSP"
4175 " and DANE; disabling OCSP\n");
4176 require_ocsp = request_ocsp = FALSE;
4182 rc = tls_init(host, ob,
4183 #ifndef DISABLE_OCSP
4184 (void *)(long)request_ocsp,
4186 cookie, &client_static_state, tlsp, errstr);
4187 if (rc != OK) return FALSE;
4189 exim_client_ctx->ctx = client_static_state->lib_state.lib_ctx;
4191 tlsp->certificate_verified = FALSE;
4192 client_verify_callback_called = FALSE;
4196 if (conn_args->dane)
4198 /* We fall back to tls_require_ciphers if unset, empty or forced failure, but
4199 other failures should be treated as problems. */
4200 if (ob->dane_require_tls_ciphers &&
4201 !expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
4202 &expciphers, errstr))
4204 if (expciphers && *expciphers == '\0')
4207 normalise_ciphers(&expciphers, ob->dane_require_tls_ciphers);
4212 if (!expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
4213 &expciphers, errstr))
4216 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
4217 are separated by underscores. So that I can use either form in my tests, and
4218 also for general convenience, we turn underscores into hyphens here. */
4220 normalise_ciphers(&expciphers, ob->tls_require_ciphers);
4225 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
4226 if (!SSL_CTX_set_cipher_list(exim_client_ctx->ctx, CS expciphers))
4228 tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr);
4234 if (conn_args->dane)
4236 SSL_CTX_set_verify(exim_client_ctx->ctx,
4237 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
4238 verify_callback_client_dane);
4240 if (!DANESSL_library_init())
4242 tls_error(US"library init", host, NULL, errstr);
4245 if (DANESSL_CTX_init(exim_client_ctx->ctx) <= 0)
4247 tls_error(US"context init", host, NULL, errstr);
4250 DEBUG(D_tls) debug_printf("since dane-mode conn, not loading the usual CA bundle\n");
4256 if (tls_client_basic_ctx_init(exim_client_ctx->ctx, host, ob,
4257 client_static_state, errstr) != OK)
4262 if (!expand_check(ob->tls_sni, US"tls_sni", &tlsp->sni, errstr))
4265 { DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n"); }
4266 else if (!Ustrlen(tlsp->sni))
4270 #ifndef EXIM_HAVE_OPENSSL_TLSEXT
4271 log_write(0, LOG_MAIN, "SNI unusable with this OpenSSL library version; ignoring \"%s\"\n",
4279 #ifdef EXIM_HAVE_ALPN
4281 const uschar * plist;
4284 if (!tls_alpn_plist(&ob->tls_alpn, &plist, &plen, errstr))
4287 if (SSL_CTX_set_alpn_protos(exim_client_ctx->ctx, plist, plen) != 0)
4289 tls_error(US"alpn init", host, NULL, errstr);
4293 DEBUG(D_tls) debug_printf("Setting TLS ALPN '%s'\n", ob->tls_alpn);
4296 log_write(0, LOG_MAIN, "ALPN unusable with this OpenSSL library version; ignoring \"%s\"\n",
4300 #ifndef DISABLE_TLS_RESUME
4301 /*XXX have_lbserver: another cmdline arg possibly, for continued-conn, but use
4302 will be very low. */
4304 if (!conn_args->have_lbserver) /* wanted for tls_client_resmption_key() */
4305 { DEBUG(D_tls) debug_printf("resumption not supported on continued-connection\n"); }
4306 else if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, host) == OK)
4307 tls_client_ctx_resume_prehandshake(exim_client_ctx, conn_args, tlsp, ob);
4311 if (!(exim_client_ctx->ssl = SSL_new(exim_client_ctx->ctx)))
4313 tls_error(US"SSL_new", host, NULL, errstr);
4316 SSL_set_session_id_context(exim_client_ctx->ssl, sid_ctx, Ustrlen(sid_ctx));
4317 SSL_set_fd(exim_client_ctx->ssl, cctx->sock);
4318 SSL_set_connect_state(exim_client_ctx->ssl);
4320 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
4323 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tlsp->sni);
4324 SSL_set_tlsext_host_name(exim_client_ctx->ssl, tlsp->sni);
4329 if (conn_args->dane)
4330 if (dane_tlsa_load(exim_client_ctx->ssl, host, &conn_args->tlsa_dnsa, errstr) != OK)
4334 #ifndef DISABLE_OCSP
4335 /* Request certificate status at connection-time. If the server
4336 does OCSP stapling we will get the callback (set in tls_init()) */
4337 # ifdef SUPPORT_DANE
4341 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
4342 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
4344 { /* Re-eval now $tls_out_tlsa_usage is populated. If
4345 this means we avoid the OCSP request, we wasted the setup
4346 cost in tls_init(). */
4347 require_ocsp = verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
4348 request_ocsp = require_ocsp
4349 || verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
4356 SSL_set_tlsext_status_type(exim_client_ctx->ssl, TLSEXT_STATUSTYPE_ocsp);
4357 client_static_state->u_ocsp.client.verify_required = require_ocsp;
4358 tlsp->ocsp = OCSP_NOT_RESP;
4362 #ifndef DISABLE_TLS_RESUME
4363 if (!tls_client_ssl_resume_prehandshake(exim_client_ctx->ssl, tlsp, host,
4368 #ifndef DISABLE_EVENT
4369 client_static_state->event_action = tb ? tb->event_action : NULL;
4372 /* There doesn't seem to be a built-in timeout on connection. */
4374 DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
4375 sigalrm_seen = FALSE;
4376 ALARM(ob->command_timeout);
4377 rc = SSL_connect(exim_client_ctx->ssl);
4381 if (conn_args->dane)
4382 DANESSL_cleanup(exim_client_ctx->ssl);
4387 #ifndef DISABLE_OCSP
4388 if (client_static_state->u_ocsp.client.verify_errstr)
4389 { if (errstr) *errstr = client_static_state->u_ocsp.client.verify_errstr; }
4392 tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL, errstr);
4398 debug_printf("SSL_connect succeeded\n");
4399 tls_dump_keylog(exim_client_ctx->ssl);
4402 #ifndef DISABLE_TLS_RESUME
4403 tls_client_resume_posthandshake(exim_client_ctx, tlsp);
4406 #ifdef EXIM_HAVE_ALPN
4407 if (ob->tls_alpn) /* We requested. See what was negotiated. */
4409 const uschar * name;
4412 SSL_get0_alpn_selected(exim_client_ctx->ssl, &name, &len);
4414 { DEBUG(D_tls) debug_printf("ALPN negotiated %u: '%.*s'\n", len, (int)*name, name+1); }
4415 else if (verify_check_given_host(CUSS &ob->hosts_require_alpn, host) == OK)
4417 /* Would like to send a relevant fatal Alert, but OpenSSL has no API */
4418 tls_error(US"handshake", host, US"ALPN required but not negotiated", errstr);
4424 #ifdef SSL_get_extms_support
4425 tlsp->ext_master_secret = SSL_get_extms_support(exim_client_ctx->ssl) == 1;
4427 peer_cert(exim_client_ctx->ssl, tlsp, peerdn, sizeof(peerdn));
4429 tlsp->ver = tlsver_name(exim_client_ctx->ssl);
4430 tlsp->cipher = construct_cipher_name(exim_client_ctx->ssl, tlsp->ver, &tlsp->bits);
4431 tlsp->cipher_stdname = cipher_stdname_ssl(exim_client_ctx->ssl);
4433 /* Record the certificate we presented */
4435 X509 * crt = SSL_get_certificate(exim_client_ctx->ssl);
4436 tlsp->ourcert = crt ? X509_dup(crt) : NULL;
4439 /*XXX will this work with continued-TLS? */
4440 tls_get_channel_binding(exim_client_ctx->ssl, tlsp, GET_TAINTED);
4442 tlsp->active.sock = cctx->sock;
4443 tlsp->active.tls_ctx = exim_client_ctx;
4444 cctx->tls_ctx = exim_client_ctx;
4453 tls_refill(unsigned lim)
4455 SSL * ssl = state_server.lib_state.lib_ssl;
4459 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
4460 ssl_xfer_buffer, ssl_xfer_buffer_size);
4463 if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
4464 inbytes = SSL_read(ssl, CS ssl_xfer_buffer,
4465 MIN(ssl_xfer_buffer_size, lim));
4466 error = SSL_get_error(ssl, inbytes);
4467 if (smtp_receive_timeout > 0) ALARM_CLR(0);
4469 if (had_command_timeout) /* set by signal handler */
4470 smtp_command_timeout_exit(); /* does not return */
4471 if (had_command_sigterm)
4472 smtp_command_sigterm_exit();
4473 if (had_data_timeout)
4474 smtp_data_timeout_exit();
4475 if (had_data_sigint)
4476 smtp_data_sigint_exit();
4478 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
4479 closed down, not that the socket itself has been closed down. Revert to
4480 non-SSL handling. */
4484 case SSL_ERROR_NONE:
4487 case SSL_ERROR_ZERO_RETURN:
4488 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
4490 if (SSL_get_shutdown(ssl) == SSL_RECEIVED_SHUTDOWN)
4493 tls_close(NULL, TLS_NO_SHUTDOWN);
4496 /* Handle genuine errors */
4498 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
4499 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
4500 ssl_xfer_error = TRUE;
4504 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
4505 DEBUG(D_tls) if (error == SSL_ERROR_SYSCALL)
4506 debug_printf(" - syscall %s\n", strerror(errno));
4507 ssl_xfer_error = TRUE;
4511 #ifndef DISABLE_DKIM
4512 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
4514 ssl_xfer_buffer_hwm = inbytes;
4515 ssl_xfer_buffer_lwm = 0;
4520 /*************************************************
4521 * TLS version of getc *
4522 *************************************************/
4524 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
4525 it refills the buffer via the SSL reading function.
4527 Arguments: lim Maximum amount to read/buffer
4528 Returns: the next character or EOF
4530 Only used by the server-side TLS.
4534 tls_getc(unsigned lim)
4536 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
4537 if (!tls_refill(lim))
4538 return ssl_xfer_error ? EOF : smtp_getc(lim);
4540 /* Something in the buffer; return next uschar */
4542 return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
4548 return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm;
4552 tls_getbuf(unsigned * len)
4557 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
4558 if (!tls_refill(*len))
4560 if (!ssl_xfer_error) return smtp_getbuf(len);
4565 if ((size = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm) > *len)
4567 buf = &ssl_xfer_buffer[ssl_xfer_buffer_lwm];
4568 ssl_xfer_buffer_lwm += size;
4575 tls_get_cache(unsigned lim)
4577 #ifndef DISABLE_DKIM
4578 int n = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm;
4582 dkim_exim_verify_feed(ssl_xfer_buffer+ssl_xfer_buffer_lwm, n);
4588 tls_could_getc(void)
4590 return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm
4591 || SSL_pending(state_server.lib_state.lib_ssl) > 0;
4595 /*************************************************
4596 * Read bytes from TLS channel *
4597 *************************************************/
4601 ct_ctx client context pointer, or NULL for the one global server context
4605 Returns: the number of bytes read
4606 -1 after a failed read, including EOF
4608 Only used by the client-side TLS.
4612 tls_read(void * ct_ctx, uschar *buff, size_t len)
4614 SSL * ssl = ct_ctx ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl
4615 : state_server.lib_state.lib_ssl;
4619 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
4620 buff, (unsigned int)len);
4623 inbytes = SSL_read(ssl, CS buff, len);
4624 error = SSL_get_error(ssl, inbytes);
4626 if (error == SSL_ERROR_ZERO_RETURN)
4628 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
4631 else if (error != SSL_ERROR_NONE)
4641 /*************************************************
4642 * Write bytes down TLS channel *
4643 *************************************************/
4647 ct_ctx client context pointer, or NULL for the one global server context
4650 more further data expected soon
4652 Returns: the number of bytes after a successful write,
4653 -1 after a failed write
4655 Used by both server-side and client-side TLS. Calling with len zero and more unset
4656 will flush buffered writes; buff can be null for this case.
4660 tls_write(void * ct_ctx, const uschar * buff, size_t len, BOOL more)
4663 int outbytes, error;
4665 ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl
4666 : state_server.lib_state.lib_ssl;
4667 static gstring * server_corked = NULL;
4668 gstring ** corkedp = ct_ctx
4669 ? &((exim_openssl_client_tls_ctx *)ct_ctx)->corked : &server_corked;
4670 gstring * corked = *corkedp;
4672 DEBUG(D_tls) debug_printf("%s(%p, %lu%s)\n", __FUNCTION__,
4673 buff, (unsigned long)len, more ? ", more" : "");
4675 /* Lacking a CORK or MSG_MORE facility (such as GnuTLS has) we copy data when
4676 "more" is notified. This hack is only ok if small amounts are involved AND only
4677 one stream does it, in one context (i.e. no store reset). Currently it is used
4678 for the responses to the received SMTP MAIL , RCPT, DATA sequence, only.
4679 We support callouts done by the server process by using a separate client
4680 context for the stashed information. */
4681 /* + if PIPE_COMMAND, banner & ehlo-resp for smmtp-on-connect. Suspect there's
4682 a store reset there, so use POOL_PERM. */
4683 /* + if CHUNKING, cmds EHLO,MAIL,RCPT(s),BDAT */
4687 if (!len) buff = US &error; /* dummy just so that string_catn is ok */
4689 int save_pool = store_pool;
4690 store_pool = POOL_PERM;
4692 corked = string_catn(corked, buff, len);
4694 store_pool = save_pool;
4701 buff = CUS corked->s;
4706 for (int left = len; left > 0;)
4708 DEBUG(D_tls) debug_printf("SSL_write(%p, %p, %d)\n", ssl, buff, left);
4710 outbytes = SSL_write(ssl, CS buff, left);
4711 error = SSL_get_error(ssl, outbytes);
4712 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
4715 case SSL_ERROR_NONE: /* the usual case */
4721 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
4722 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
4725 case SSL_ERROR_ZERO_RETURN:
4726 log_write(0, LOG_MAIN, "SSL channel closed on write");
4729 case SSL_ERROR_SYSCALL:
4730 if (ct_ctx || errno != ECONNRESET || !f.smtp_in_quit)
4731 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
4732 sender_fullhost ? sender_fullhost : US"<unknown>",
4734 else if (LOGGING(protocol_detail))
4735 log_write(0, LOG_MAIN, "[%s] after QUIT, client reset TCP before"
4736 " SMTP response and TLS close\n", sender_host_address);
4738 DEBUG(D_tls) debug_printf("[%s] SSL_write: after QUIT,"
4739 " client reset TCP before TLS close\n", sender_host_address);
4743 log_write(0, LOG_MAIN, "SSL_write error %d", error);
4754 ct_ctx client TLS context pointer, or NULL for the one global server context
4758 tls_shutdown_wr(void * ct_ctx)
4760 exim_openssl_client_tls_ctx * o_ctx = ct_ctx;
4761 SSL ** sslp = o_ctx ? &o_ctx->ssl : (SSL **) &state_server.lib_state.lib_ssl;
4762 int * fdp = o_ctx ? &tls_out.active.sock : &tls_in.active.sock;
4765 if (*fdp < 0) return; /* TLS was not active */
4767 tls_write(ct_ctx, NULL, 0, FALSE); /* flush write buffer */
4769 HDEBUG(D_transport|D_tls|D_acl|D_v) debug_printf_indent(" SMTP(TLS shutdown)>>\n");
4770 rc = SSL_shutdown(*sslp);
4771 if (rc < 0) DEBUG(D_tls)
4773 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
4774 debug_printf("SSL_shutdown: %s\n", ssl_errstring);
4778 /*************************************************
4779 * Close down a TLS session *
4780 *************************************************/
4782 /* This is also called from within a delivery subprocess forked from the
4783 daemon, to shut down the TLS library, without actually doing a shutdown (which
4784 would tamper with the SSL session in the parent process).
4787 ct_ctx client TLS context pointer, or NULL for the one global server context
4788 do_shutdown 0 no data-flush or TLS close-alert
4789 1 if TLS close-alert is to be sent,
4790 2 if also response to be waited for
4794 Used by both server-side and client-side TLS.
4798 tls_close(void * ct_ctx, int do_shutdown)
4800 exim_openssl_client_tls_ctx * o_ctx = ct_ctx;
4801 SSL ** sslp = o_ctx ? &o_ctx->ssl : (SSL **) &state_server.lib_state.lib_ssl;
4802 int * fdp = o_ctx ? &tls_out.active.sock : &tls_in.active.sock;
4804 if (*fdp < 0) return; /* TLS was not active */
4806 if (do_shutdown > TLS_NO_SHUTDOWN)
4809 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
4810 do_shutdown > TLS_SHUTDOWN_NOWAIT ? " (with response-wait)" : "");
4812 tls_write(ct_ctx, NULL, 0, FALSE); /* flush write buffer */
4814 if ( ( do_shutdown >= TLS_SHUTDOWN_WONLY
4815 || (rc = SSL_shutdown(*sslp)) == 0 /* send "close notify" alert */
4817 && do_shutdown > TLS_SHUTDOWN_NOWAIT
4820 #ifdef EXIM_TCP_CORK
4821 (void) setsockopt(*fdp, IPPROTO_TCP, EXIM_TCP_CORK, US &off, sizeof(off));
4824 rc = SSL_shutdown(*sslp); /* wait for response */
4828 if (rc < 0) DEBUG(D_tls)
4830 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
4831 debug_printf("SSL_shutdown: %s\n", ssl_errstring);
4835 if (!o_ctx) /* server side */
4837 #ifndef DISABLE_OCSP
4838 sk_X509_pop_free(state_server.u_ocsp.server.verify_stack, X509_free);
4839 state_server.u_ocsp.server.verify_stack = NULL;
4842 receive_getc = smtp_getc;
4843 receive_getbuf = smtp_getbuf;
4844 receive_get_cache = smtp_get_cache;
4845 receive_hasc = smtp_hasc;
4846 receive_ungetc = smtp_ungetc;
4847 receive_feof = smtp_feof;
4848 receive_ferror = smtp_ferror;
4849 tls_in.active.tls_ctx = NULL;
4851 /* Leave bits, peercert, cipher, peerdn, certificate_verified set, for logging */
4862 /*************************************************
4863 * Let tls_require_ciphers be checked at startup *
4864 *************************************************/
4866 /* The tls_require_ciphers option, if set, must be something which the
4869 Returns: NULL on success, or error message
4873 tls_validate_require_cipher(void)
4876 uschar * expciphers, * err;
4880 if (!(tls_require_ciphers && *tls_require_ciphers))
4883 if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
4885 return US"failed to expand tls_require_ciphers";
4887 if (!(expciphers && *expciphers))
4890 normalise_ciphers(&expciphers, tls_require_ciphers);
4893 if (lib_ctx_new(&ctx, NULL, &err) == OK)
4896 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
4898 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
4900 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
4901 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed: %s",
4902 expciphers, ssl_errstring);
4913 /*************************************************
4914 * Report the library versions. *
4915 *************************************************/
4917 /* There have historically been some issues with binary compatibility in
4918 OpenSSL libraries; if Exim (like many other applications) is built against
4919 one version of OpenSSL but the run-time linker picks up another version,
4920 it can result in serious failures, including crashing with a SIGSEGV. So
4921 report the version found by the compiler and the run-time version.
4923 Note: some OS vendors backport security fixes without changing the version
4924 number/string, and the version date remains unchanged. The _build_ date
4925 will change, so we can more usefully assist with version diagnosis by also
4926 reporting the build date.
4928 Arguments: string to append to
4933 tls_version_report(gstring * g)
4935 return string_fmt_append(g,
4936 "Library version: OpenSSL: Compile: %s\n"
4939 OPENSSL_VERSION_TEXT,
4940 SSLeay_version(SSLEAY_VERSION),
4941 SSLeay_version(SSLEAY_BUILT_ON));
4942 /* third line is 38 characters for the %s and the line is 73 chars long;
4943 the OpenSSL output includes a "built on: " prefix already. */
4949 /*************************************************
4950 * Random number generation *
4951 *************************************************/
4953 /* Pseudo-random number generation. The result is not expected to be
4954 cryptographically strong but not so weak that someone will shoot themselves
4955 in the foot using it as a nonce in input in some email header scheme or
4956 whatever weirdness they'll twist this into. The result should handle fork()
4957 and avoid repeating sequences. OpenSSL handles that for us.
4961 Returns a random number in range [0, max-1]
4965 vaguely_random_number(int max)
4969 static pid_t pidlast = 0;
4971 uschar smallbuf[sizeof(r)];
4977 if (pidnow != pidlast)
4979 /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
4980 is unique for each thread", this doesn't apparently apply across processes,
4981 so our own warning from vaguely_random_number_fallback() applies here too.
4982 Fix per PostgreSQL. */
4988 /* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
4992 gettimeofday(&r.tv, NULL);
4995 RAND_seed(US (&r), sizeof(r));
4997 /* We're after pseudo-random, not random; if we still don't have enough data
4998 in the internal PRNG then our options are limited. We could sleep and hope
4999 for entropy to come along (prayer technique) but if the system is so depleted
5000 in the first place then something is likely to just keep taking it. Instead,
5001 we'll just take whatever little bit of pseudo-random we can still manage to
5004 needed_len = sizeof(r);
5005 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
5006 asked for a number less than 10. */
5007 for (r = max, i = 0; r; ++i)
5013 #ifdef EXIM_HAVE_RAND_PSEUDO
5014 /* We do not care if crypto-strong */
5015 i = RAND_pseudo_bytes(smallbuf, needed_len);
5017 i = RAND_bytes(smallbuf, needed_len);
5023 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
5024 return vaguely_random_number_fallback(max);
5028 for (uschar * p = smallbuf; needed_len; --needed_len, ++p)
5031 /* We don't particularly care about weighted results; if someone wants
5032 smooth distribution and cares enough then they should submit a patch then. */
5039 /*************************************************
5040 * OpenSSL option parse *
5041 *************************************************/
5043 /* Parse one option for tls_openssl_options_parse below
5046 name one option name
5047 value place to store a value for it
5048 Returns success or failure in parsing
5054 tls_openssl_one_option_parse(uschar *name, long *value)
5057 int last = exim_openssl_options_size;
5058 while (last > first)
5060 int middle = (first + last)/2;
5061 int c = Ustrcmp(name, exim_openssl_options[middle].name);
5064 *value = exim_openssl_options[middle].value;
5078 /*************************************************
5079 * OpenSSL option parsing logic *
5080 *************************************************/
5082 /* OpenSSL has a number of compatibility options which an administrator might
5083 reasonably wish to set. Interpret a list similarly to decode_bits(), so that
5084 we look like log_selector.
5087 option_spec the administrator-supplied string of options
5088 results ptr to long storage for the options bitmap
5089 Returns success or failure
5093 tls_openssl_options_parse(uschar *option_spec, long *results)
5096 uschar * exp, * end;
5097 BOOL adding, item_parsed;
5099 /* Server: send no (<= TLS1.2) session tickets */
5100 result = SSL_OP_NO_TICKET;
5102 /* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
5103 from default because it increases BEAST susceptibility. */
5104 #ifdef SSL_OP_NO_SSLv2
5105 result |= SSL_OP_NO_SSLv2;
5107 #ifdef SSL_OP_NO_SSLv3
5108 result |= SSL_OP_NO_SSLv3;
5110 #ifdef SSL_OP_SINGLE_DH_USE
5111 result |= SSL_OP_SINGLE_DH_USE;
5113 #ifdef SSL_OP_NO_RENEGOTIATION
5114 result |= SSL_OP_NO_RENEGOTIATION;
5123 if (!expand_check(option_spec, US"openssl_options", &exp, &end))
5126 for (uschar * s = exp; *s; /**/)
5128 while (isspace(*s)) ++s;
5131 if (*s != '+' && *s != '-')
5133 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
5134 "+ or - expected but found \"%s\"\n", s);
5137 adding = *s++ == '+';
5138 for (end = s; *end && !isspace(*end); ) end++;
5139 item_parsed = tls_openssl_one_option_parse(string_copyn(s, end-s), &item);
5142 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
5145 DEBUG(D_tls) debug_printf("openssl option, %s %08lx: %08lx (%s)\n",
5146 adding ? "adding to " : "removing from", result, item, s);
5158 #endif /*!MACRO_PREDEF*/
5161 /* End of tls-openssl.c */
git://git.exim.org / exim.git / blob