1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2016 */
6 /* See the file NOTICE for conditions of use and distribution. */
8 /* Portions Copyright (c) The OpenSSL Project 1999 */
10 /* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11 library. It is #included into the tls.c file when that library is used. The
12 code herein is based on a patch that was originally contributed by Steve
13 Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
15 No cryptographic code is included in Exim. All this module does is to call
16 functions from the OpenSSL library. */
21 #include <openssl/lhash.h>
22 #include <openssl/ssl.h>
23 #include <openssl/err.h>
24 #include <openssl/rand.h>
25 #ifndef OPENSSL_NO_ECDH
26 # include <openssl/ec.h>
29 # include <openssl/ocsp.h>
31 #ifdef EXPERIMENTAL_DANE
37 # define EXIM_OCSP_SKEW_SECONDS (300L)
38 # define EXIM_OCSP_MAX_AGE (-1L)
41 #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
42 # define EXIM_HAVE_OPENSSL_TLSEXT
44 #if OPENSSL_VERSION_NUMBER >= 0x00908000L
45 # define EXIM_HAVE_RSA_GENKEY_EX
47 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
48 # define EXIM_HAVE_OCSP_RESP_COUNT
50 # define EXIM_HAVE_EPHEM_RSA_KEX
51 # define EXIM_HAVE_RAND_PSEUDO
53 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
54 # define EXIM_HAVE_SHA256
58 * X509_check_host provides sane certificate hostname checking, but was added
59 * to OpenSSL late, after other projects forked off the code-base. So in
60 * addition to guarding against the base version number, beware that LibreSSL
61 * does not (at this time) support this function.
63 * If LibreSSL gains a different API, perhaps via libtls, then we'll probably
64 * opt to disentangle and ask a LibreSSL user to provide glue for a third
65 * crypto provider for libtls instead of continuing to tie the OpenSSL glue
66 * into even twistier knots. If LibreSSL gains the same API, we can just
67 * change this guard and punt the issue for a while longer.
69 #ifndef LIBRESSL_VERSION_NUMBER
70 # if OPENSSL_VERSION_NUMBER >= 0x010100000L
71 # define EXIM_HAVE_OPENSSL_CHECKHOST
73 # if OPENSSL_VERSION_NUMBER >= 0x010000000L \
74 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
75 # define EXIM_HAVE_OPENSSL_CHECKHOST
79 #if !defined(LIBRESSL_VERSION_NUMBER) \
80 || LIBRESSL_VERSION_NUMBER >= 0x20010000L
81 # if !defined(OPENSSL_NO_ECDH)
82 # if OPENSSL_VERSION_NUMBER >= 0x0090800fL
83 # define EXIM_HAVE_ECDH
85 # if OPENSSL_VERSION_NUMBER >= 0x10002000L
86 # if OPENSSL_VERSION_NUMBER < 0x10100000L
87 # define EXIM_HAVE_OPENSSL_ECDH_AUTO
89 # define EXIM_HAVE_OPENSSL_EC_NIST2NID
94 #if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
95 # warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
99 /* Structure for collecting random data for seeding. */
101 typedef struct randstuff {
106 /* Local static variables */
108 static BOOL client_verify_callback_called = FALSE;
109 static BOOL server_verify_callback_called = FALSE;
110 static const uschar *sid_ctx = US"exim";
112 /* We have three different contexts to care about.
114 Simple case: client, `client_ctx`
115 As a client, we can be doing a callout or cut-through delivery while receiving
116 a message. So we have a client context, which should have options initialised
117 from the SMTP Transport.
120 There are two cases: with and without ServerNameIndication from the client.
121 Given TLS SNI, we can be using different keys, certs and various other
122 configuration settings, because they're re-expanded with $tls_sni set. This
123 allows vhosting with TLS. This SNI is sent in the handshake.
124 A client might not send SNI, so we need a fallback, and an initial setup too.
125 So as a server, we start out using `server_ctx`.
126 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
127 `server_sni` from `server_ctx` and then initialise settings by re-expanding
131 static SSL_CTX *client_ctx = NULL;
132 static SSL_CTX *server_ctx = NULL;
133 static SSL *client_ssl = NULL;
134 static SSL *server_ssl = NULL;
136 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
137 static SSL_CTX *server_sni = NULL;
140 static char ssl_errstring[256];
142 static int ssl_session_timeout = 200;
143 static BOOL client_verify_optional = FALSE;
144 static BOOL server_verify_optional = FALSE;
146 static BOOL reexpand_tls_files_for_sni = FALSE;
149 typedef struct tls_ext_ctx_cb {
157 uschar *file_expanded;
158 OCSP_RESPONSE *response;
161 X509_STORE *verify_store; /* non-null if status requested */
162 BOOL verify_required;
167 /* these are cached from first expand */
168 uschar *server_cipher_list;
169 /* only passed down to tls_error: */
171 const uschar * verify_cert_hostnames;
172 #ifndef DISABLE_EVENT
173 uschar * event_action;
177 /* should figure out a cleanup of API to handle state preserved per
178 implementation, for various reasons, which can be void * in the APIs.
179 For now, we hack around it. */
180 tls_ext_ctx_cb *client_static_cbinfo = NULL;
181 tls_ext_ctx_cb *server_static_cbinfo = NULL;
184 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
185 int (*cert_vfy_cb)(int, X509_STORE_CTX *) );
188 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
189 static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
192 static int tls_server_stapling_cb(SSL *s, void *arg);
196 /*************************************************
198 *************************************************/
200 /* Called from lots of places when errors occur before actually starting to do
201 the TLS handshake, that is, while the session is still in clear. Always returns
202 DEFER for a server and FAIL for a client so that most calls can use "return
203 tls_error(...)" to do this processing and then give an appropriate return. A
204 single function is used for both server and client, because it is called from
205 some shared functions.
208 prefix text to include in the logged error
209 host NULL if setting up a server;
210 the connected host if setting up a client
211 msg error message or NULL if we should ask OpenSSL
213 Returns: OK/DEFER/FAIL
217 tls_error(uschar * prefix, const host_item * host, uschar * msg)
221 ERR_error_string(ERR_get_error(), ssl_errstring);
222 msg = (uschar *)ssl_errstring;
227 log_write(0, LOG_MAIN, "H=%s [%s] TLS error on connection (%s): %s",
228 host->name, host->address, prefix, msg);
233 uschar *conn_info = smtp_get_connection_info();
234 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0)
236 /* I'd like to get separated H= here, but too hard for now */
237 log_write(0, LOG_MAIN, "TLS error on %s (%s): %s",
238 conn_info, prefix, msg);
245 #ifdef EXIM_HAVE_EPHEM_RSA_KEX
246 /*************************************************
247 * Callback to generate RSA key *
248 *************************************************/
256 Returns: pointer to generated key
260 rsa_callback(SSL *s, int export, int keylength)
263 #ifdef EXIM_HAVE_RSA_GENKEY_EX
264 BIGNUM *bn = BN_new();
267 export = export; /* Shut picky compilers up */
268 DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
270 #ifdef EXIM_HAVE_RSA_GENKEY_EX
271 if ( !BN_set_word(bn, (unsigned long)RSA_F4)
272 || !(rsa_key = RSA_new())
273 || !RSA_generate_key_ex(rsa_key, keylength, bn, NULL)
276 if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL)))
280 ERR_error_string(ERR_get_error(), ssl_errstring);
281 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
294 x509_store_dump_cert_s_names(X509_STORE * store)
296 STACK_OF(X509_OBJECT) * roots= store->objs;
298 static uschar name[256];
300 for(i= 0; i<sk_X509_OBJECT_num(roots); i++)
302 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
303 if(tmp_obj->type == X509_LU_X509)
305 X509 * current_cert= tmp_obj->data.x509;
306 X509_NAME_oneline(X509_get_subject_name(current_cert), CS name, sizeof(name));
307 name[sizeof(name)-1] = '\0';
308 debug_printf(" %s\n", name);
316 #ifndef DISABLE_EVENT
318 verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
319 BOOL *calledp, const BOOL *optionalp, const uschar * what)
325 ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
328 DEBUG(D_tls) debug_printf("verify_event: %s %d\n", what, depth);
329 old_cert = tlsp->peercert;
330 tlsp->peercert = X509_dup(cert);
331 /* NB we do not bother setting peerdn */
332 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
334 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
335 "depth=%d cert=%s: %s",
336 tlsp == &tls_out ? deliver_host_address : sender_host_address,
337 what, depth, dn, yield);
341 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
342 return 1; /* reject (leaving peercert set) */
344 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
345 "(host in tls_try_verify_hosts)\n");
347 X509_free(tlsp->peercert);
348 tlsp->peercert = old_cert;
354 /*************************************************
355 * Callback for verification *
356 *************************************************/
358 /* The SSL library does certificate verification if set up to do so. This
359 callback has the current yes/no state is in "state". If verification succeeded,
360 we set the certificate-verified flag. If verification failed, what happens
361 depends on whether the client is required to present a verifiable certificate
364 If verification is optional, we change the state to yes, but still log the
365 verification error. For some reason (it really would help to have proper
366 documentation of OpenSSL), this callback function then gets called again, this
367 time with state = 1. We must take care not to set the private verified flag on
368 the second time through.
370 Note: this function is not called if the client fails to present a certificate
371 when asked. We get here only if a certificate has been received. Handling of
372 optional verification for this case is done when requesting SSL to verify, by
373 setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
375 May be called multiple times for different issues with a certificate, even
376 for a given "depth" in the certificate chain.
379 preverify_ok current yes/no state as 1/0
380 x509ctx certificate information.
381 tlsp per-direction (client vs. server) support data
382 calledp has-been-called flag
383 optionalp verification-is-optional flag
385 Returns: 0 if verification should fail, otherwise 1
389 verify_callback(int preverify_ok, X509_STORE_CTX *x509ctx,
390 tls_support *tlsp, BOOL *calledp, BOOL *optionalp)
392 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
393 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
396 X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn));
397 dn[sizeof(dn)-1] = '\0';
399 if (preverify_ok == 0)
401 log_write(0, LOG_MAIN, "[%s] SSL verify error: depth=%d error=%s cert=%s",
402 tlsp == &tls_out ? deliver_host_address : sender_host_address,
404 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)),
410 tlsp->peercert = X509_dup(cert); /* record failing cert */
411 return 0; /* reject */
413 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
414 "tls_try_verify_hosts)\n");
419 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
421 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
422 { /* client, wanting stapling */
423 /* Add the server cert's signing chain as the one
424 for the verification of the OCSP stapled information. */
426 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
431 #ifndef DISABLE_EVENT
432 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
433 return 0; /* reject, with peercert set */
438 const uschar * verify_cert_hostnames;
440 if ( tlsp == &tls_out
441 && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
442 /* client, wanting hostname check */
445 #ifdef EXIM_HAVE_OPENSSL_CHECKHOST
446 # ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
447 # define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
449 # ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
450 # define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
453 const uschar * list = verify_cert_hostnames;
456 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
457 if ((rc = X509_check_host(cert, CCS name, 0,
458 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
459 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
464 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
465 tlsp == &tls_out ? deliver_host_address : sender_host_address);
472 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
475 log_write(0, LOG_MAIN,
476 "[%s] SSL verify error: certificate name mismatch: \"%s\"",
477 tlsp == &tls_out ? deliver_host_address : sender_host_address,
483 tlsp->peercert = X509_dup(cert); /* record failing cert */
484 return 0; /* reject */
486 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
487 "tls_try_verify_hosts)\n");
491 #ifndef DISABLE_EVENT
492 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
493 return 0; /* reject, with peercert set */
496 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
497 *calledp ? "" : " authenticated", dn);
498 if (!*calledp) tlsp->certificate_verified = TRUE;
502 return 1; /* accept, at least for this level */
506 verify_callback_client(int preverify_ok, X509_STORE_CTX *x509ctx)
508 return verify_callback(preverify_ok, x509ctx, &tls_out,
509 &client_verify_callback_called, &client_verify_optional);
513 verify_callback_server(int preverify_ok, X509_STORE_CTX *x509ctx)
515 return verify_callback(preverify_ok, x509ctx, &tls_in,
516 &server_verify_callback_called, &server_verify_optional);
520 #ifdef EXPERIMENTAL_DANE
522 /* This gets called *by* the dane library verify callback, which interposes
526 verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
528 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
530 #ifndef DISABLE_EVENT
531 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
532 BOOL dummy_called, optional = FALSE;
535 X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn));
536 dn[sizeof(dn)-1] = '\0';
538 DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
539 preverify_ok ? "ok":"BAD", depth, dn);
541 #ifndef DISABLE_EVENT
542 if (verify_event(&tls_out, cert, depth, dn,
543 &dummy_called, &optional, US"DANE"))
544 return 0; /* reject, with peercert set */
547 if (preverify_ok == 1)
548 tls_out.dane_verified =
549 tls_out.certificate_verified = TRUE;
552 int err = X509_STORE_CTX_get_error(x509ctx);
554 debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
555 if (err == X509_V_ERR_APPLICATION_VERIFICATION)
561 #endif /*EXPERIMENTAL_DANE*/
564 /*************************************************
565 * Information callback *
566 *************************************************/
568 /* The SSL library functions call this from time to time to indicate what they
569 are doing. We copy the string to the debugging output when TLS debugging has
581 info_callback(SSL *s, int where, int ret)
585 DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
590 /*************************************************
591 * Initialize for DH *
592 *************************************************/
594 /* If dhparam is set, expand it, and load up the parameters for DH encryption.
597 sctx The current SSL CTX (inbound or outbound)
598 dhparam DH parameter file or fixed parameter identity string
599 host connected host, if client; NULL if server
601 Returns: TRUE if OK (nothing to set up, or setup worked)
605 init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host)
612 if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded))
615 if (!dhexpanded || !*dhexpanded)
616 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
617 else if (dhexpanded[0] == '/')
619 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
621 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
622 host, US strerror(errno));
628 if (Ustrcmp(dhexpanded, "none") == 0)
630 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
634 if (!(pem = std_dh_prime_named(dhexpanded)))
636 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
637 host, US strerror(errno));
640 bio = BIO_new_mem_buf(CS pem, -1);
643 if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
646 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
651 /* Even if it is larger, we silently return success rather than cause things
652 * to fail out, so that a too-large DH will not knock out all TLS; it's a
653 * debatable choice. */
654 if ((8*DH_size(dh)) > tls_dh_max_bits)
657 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d",
658 8*DH_size(dh), tls_dh_max_bits);
662 SSL_CTX_set_tmp_dh(sctx, dh);
664 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
665 dhexpanded ? dhexpanded : US"default", 8*DH_size(dh));
677 /*************************************************
678 * Initialize for ECDH *
679 *************************************************/
681 /* Load parameters for ECDH encryption.
683 For now, we stick to NIST P-256 because: it's simple and easy to configure;
684 it avoids any patent issues that might bite redistributors; despite events in
685 the news and concerns over curve choices, we're not cryptographers, we're not
686 pretending to be, and this is "good enough" to be better than no support,
687 protecting against most adversaries. Given another year or two, there might
688 be sufficient clarity about a "right" way forward to let us make an informed
689 decision, instead of a knee-jerk reaction.
691 Longer-term, we should look at supporting both various named curves and
692 external files generated with "openssl ecparam", much as we do for init_dh().
693 We should also support "none" as a value, to explicitly avoid initialisation.
698 sctx The current SSL CTX (inbound or outbound)
699 host connected host, if client; NULL if server
701 Returns: TRUE if OK (nothing to set up, or setup worked)
705 init_ecdh(SSL_CTX * sctx, host_item * host)
707 #ifdef OPENSSL_NO_ECDH
716 if (host) /* No ECDH setup for clients, only for servers */
719 # ifndef EXIM_HAVE_ECDH
721 debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
725 if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve))
727 if (!exp_curve || !*exp_curve)
730 # ifdef EXIM_HAVE_OPENSSL_ECDH_AUTO
731 /* check if new enough library to support auto ECDH temp key parameter selection */
732 if (Ustrcmp(exp_curve, "auto") == 0)
734 DEBUG(D_tls) debug_printf(
735 "ECDH temp key parameter settings: OpenSSL 1.2+ autoselection\n");
736 SSL_CTX_set_ecdh_auto(sctx, 1);
741 DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve);
742 if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef
743 # ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
744 && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef
748 tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'",
754 if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
756 tls_error(US"Unable to create ec curve", host, NULL);
760 /* The "tmp" in the name here refers to setting a temporary key
761 not to the stability of the interface. */
763 if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
764 tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL);
766 DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
771 # endif /*EXIM_HAVE_ECDH*/
772 #endif /*OPENSSL_NO_ECDH*/
779 /*************************************************
780 * Load OCSP information into state *
781 *************************************************/
783 /* Called to load the server OCSP response from the given file into memory, once
784 caller has determined this is needed. Checks validity. Debugs a message
787 ASSUMES: single response, for single cert.
790 sctx the SSL_CTX* to update
791 cbinfo various parts of session state
792 expanded the filename putatively holding an OCSP response
797 ocsp_load_response(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo, const uschar *expanded)
801 OCSP_BASICRESP *basic_response;
802 OCSP_SINGLERESP *single_response;
803 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
805 unsigned long verify_flags;
806 int status, reason, i;
808 cbinfo->u_ocsp.server.file_expanded = string_copy(expanded);
809 if (cbinfo->u_ocsp.server.response)
811 OCSP_RESPONSE_free(cbinfo->u_ocsp.server.response);
812 cbinfo->u_ocsp.server.response = NULL;
815 bio = BIO_new_file(CS cbinfo->u_ocsp.server.file_expanded, "rb");
818 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
819 cbinfo->u_ocsp.server.file_expanded);
823 resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
827 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
831 status = OCSP_response_status(resp);
832 if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL)
834 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
835 OCSP_response_status_str(status), status);
839 basic_response = OCSP_response_get1_basic(resp);
843 debug_printf("OCSP response parse error: unable to extract basic response.\n");
847 store = SSL_CTX_get_cert_store(sctx);
848 verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
850 /* May need to expose ability to adjust those flags?
851 OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
852 OCSP_TRUSTOTHER OCSP_NOINTERN */
854 i = OCSP_basic_verify(basic_response, NULL, store, verify_flags);
858 ERR_error_string(ERR_get_error(), ssl_errstring);
859 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
864 /* Here's the simplifying assumption: there's only one response, for the
865 one certificate we use, and nothing for anything else in a chain. If this
866 proves false, we need to extract a cert id from our issued cert
867 (tls_certificate) and use that for OCSP_resp_find_status() (which finds the
868 right cert in the stack and then calls OCSP_single_get0_status()).
870 I'm hoping to avoid reworking a bunch more of how we handle state here. */
871 single_response = OCSP_resp_get0(basic_response, 0);
872 if (!single_response)
875 debug_printf("Unable to get first response from OCSP basic response.\n");
879 status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
880 if (status != V_OCSP_CERTSTATUS_GOOD)
882 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
883 OCSP_cert_status_str(status), status,
884 OCSP_crl_reason_str(reason), reason);
888 if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
890 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
895 cbinfo->u_ocsp.server.response = resp;
899 if (running_in_test_harness)
901 extern char ** environ;
903 if (environ) for (p = USS environ; *p != NULL; p++)
904 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
906 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
907 goto supply_response;
912 #endif /*!DISABLE_OCSP*/
917 /* Create and install a selfsigned certificate, for use in server mode */
920 tls_install_selfsign(SSL_CTX * sctx)
928 where = US"allocating pkey";
929 if (!(pkey = EVP_PKEY_new()))
932 where = US"allocating cert";
933 if (!(x509 = X509_new()))
936 where = US"generating pkey";
937 /* deprecated, use RSA_generate_key_ex() */
938 if (!(rsa = RSA_generate_key(1024, RSA_F4, NULL, NULL)))
941 where = US"assiging pkey";
942 if (!EVP_PKEY_assign_RSA(pkey, rsa))
945 X509_set_version(x509, 2); /* N+1 - version 3 */
946 ASN1_INTEGER_set(X509_get_serialNumber(x509), 0);
947 X509_gmtime_adj(X509_get_notBefore(x509), 0);
948 X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60); /* 1 hour */
949 X509_set_pubkey(x509, pkey);
951 name = X509_get_subject_name(x509);
952 X509_NAME_add_entry_by_txt(name, "C",
953 MBSTRING_ASC, CUS "UK", -1, -1, 0);
954 X509_NAME_add_entry_by_txt(name, "O",
955 MBSTRING_ASC, CUS "Exim Developers", -1, -1, 0);
956 X509_NAME_add_entry_by_txt(name, "CN",
957 MBSTRING_ASC, CUS smtp_active_hostname, -1, -1, 0);
958 X509_set_issuer_name(x509, name);
960 where = US"signing cert";
961 if (!X509_sign(x509, pkey, EVP_md5()))
964 where = US"installing selfsign cert";
965 if (!SSL_CTX_use_certificate(sctx, x509))
968 where = US"installing selfsign key";
969 if (!SSL_CTX_use_PrivateKey(sctx, pkey))
975 (void) tls_error(where, NULL, NULL);
976 if (x509) X509_free(x509);
977 if (pkey) EVP_PKEY_free(pkey);
984 /*************************************************
985 * Expand key and cert file specs *
986 *************************************************/
988 /* Called once during tls_init and possibly again during TLS setup, for a
989 new context, if Server Name Indication was used and tls_sni was seen in
990 the certificate string.
993 sctx the SSL_CTX* to update
994 cbinfo various parts of session state
996 Returns: OK/DEFER/FAIL
1000 tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo)
1004 if (!cbinfo->certificate)
1006 if (cbinfo->host) /* client */
1009 if (tls_install_selfsign(sctx) != OK)
1014 if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
1015 Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
1016 Ustrstr(cbinfo->certificate, US"tls_out_sni")
1018 reexpand_tls_files_for_sni = TRUE;
1020 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded))
1023 if (expanded != NULL)
1025 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded);
1026 if (!SSL_CTX_use_certificate_chain_file(sctx, CS expanded))
1027 return tls_error(string_sprintf(
1028 "SSL_CTX_use_certificate_chain_file file=%s", expanded),
1029 cbinfo->host, NULL);
1032 if (cbinfo->privatekey != NULL &&
1033 !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded))
1036 /* If expansion was forced to fail, key_expanded will be NULL. If the result
1037 of the expansion is an empty string, ignore it also, and assume the private
1038 key is in the same file as the certificate. */
1040 if (expanded && *expanded)
1042 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
1043 if (!SSL_CTX_use_PrivateKey_file(sctx, CS expanded, SSL_FILETYPE_PEM))
1044 return tls_error(string_sprintf(
1045 "SSL_CTX_use_PrivateKey_file file=%s", expanded), cbinfo->host, NULL);
1049 #ifndef DISABLE_OCSP
1050 if (cbinfo->is_server && cbinfo->u_ocsp.server.file)
1052 if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded))
1055 if (expanded && *expanded)
1057 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
1058 if ( cbinfo->u_ocsp.server.file_expanded
1059 && (Ustrcmp(expanded, cbinfo->u_ocsp.server.file_expanded) == 0))
1061 DEBUG(D_tls) debug_printf(" - value unchanged, using existing values\n");
1065 ocsp_load_response(sctx, cbinfo, expanded);
1077 /*************************************************
1078 * Callback to handle SNI *
1079 *************************************************/
1081 /* Called when acting as server during the TLS session setup if a Server Name
1082 Indication extension was sent by the client.
1084 API documentation is OpenSSL s_server.c implementation.
1087 s SSL* of the current session
1088 ad unknown (part of OpenSSL API) (unused)
1089 arg Callback of "our" registered data
1091 Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
1094 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
1096 tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
1098 const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
1099 tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
1101 int old_pool = store_pool;
1104 return SSL_TLSEXT_ERR_OK;
1106 DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
1107 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
1109 /* Make the extension value available for expansion */
1110 store_pool = POOL_PERM;
1111 tls_in.sni = string_copy(US servername);
1112 store_pool = old_pool;
1114 if (!reexpand_tls_files_for_sni)
1115 return SSL_TLSEXT_ERR_OK;
1117 /* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
1118 not confident that memcpy wouldn't break some internal reference counting.
1119 Especially since there's a references struct member, which would be off. */
1121 if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
1123 ERR_error_string(ERR_get_error(), ssl_errstring);
1124 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
1125 return SSL_TLSEXT_ERR_NOACK;
1128 /* Not sure how many of these are actually needed, since SSL object
1129 already exists. Might even need this selfsame callback, for reneg? */
1131 SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
1132 SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
1133 SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
1134 SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
1135 SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
1136 SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
1138 if ( !init_dh(server_sni, cbinfo->dhparam, NULL)
1139 || !init_ecdh(server_sni, NULL)
1141 return SSL_TLSEXT_ERR_NOACK;
1143 if (cbinfo->server_cipher_list)
1144 SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list);
1145 #ifndef DISABLE_OCSP
1146 if (cbinfo->u_ocsp.server.file)
1148 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
1149 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
1153 rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE, verify_callback_server);
1154 if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
1156 /* do this after setup_certs, because this can require the certs for verifying
1157 OCSP information. */
1158 if ((rc = tls_expand_session_files(server_sni, cbinfo)) != OK)
1159 return SSL_TLSEXT_ERR_NOACK;
1161 DEBUG(D_tls) debug_printf("Switching SSL context.\n");
1162 SSL_set_SSL_CTX(s, server_sni);
1164 return SSL_TLSEXT_ERR_OK;
1166 #endif /* EXIM_HAVE_OPENSSL_TLSEXT */
1171 #ifndef DISABLE_OCSP
1173 /*************************************************
1174 * Callback to handle OCSP Stapling *
1175 *************************************************/
1177 /* Called when acting as server during the TLS session setup if the client
1178 requests OCSP information with a Certificate Status Request.
1180 Documentation via openssl s_server.c and the Apache patch from the OpenSSL
1186 tls_server_stapling_cb(SSL *s, void *arg)
1188 const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
1189 uschar *response_der;
1190 int response_der_len;
1193 debug_printf("Received TLS status request (OCSP stapling); %s response\n",
1194 cbinfo->u_ocsp.server.response ? "have" : "lack");
1196 tls_in.ocsp = OCSP_NOT_RESP;
1197 if (!cbinfo->u_ocsp.server.response)
1198 return SSL_TLSEXT_ERR_NOACK;
1200 response_der = NULL;
1201 response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response,
1203 if (response_der_len <= 0)
1204 return SSL_TLSEXT_ERR_NOACK;
1206 SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
1207 tls_in.ocsp = OCSP_VFIED;
1208 return SSL_TLSEXT_ERR_OK;
1213 time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
1215 BIO_printf(bp, "\t%s: ", str);
1216 ASN1_GENERALIZEDTIME_print(bp, time);
1221 tls_client_stapling_cb(SSL *s, void *arg)
1223 tls_ext_ctx_cb * cbinfo = arg;
1224 const unsigned char * p;
1226 OCSP_RESPONSE * rsp;
1227 OCSP_BASICRESP * bs;
1230 DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
1231 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1234 /* Expect this when we requested ocsp but got none */
1235 if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
1236 log_write(0, LOG_MAIN, "Received TLS status callback, null content");
1238 DEBUG(D_tls) debug_printf(" null\n");
1239 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1242 if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
1244 tls_out.ocsp = OCSP_FAILED;
1245 if (LOGGING(tls_cipher))
1246 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
1248 DEBUG(D_tls) debug_printf(" parse error\n");
1252 if(!(bs = OCSP_response_get1_basic(rsp)))
1254 tls_out.ocsp = OCSP_FAILED;
1255 if (LOGGING(tls_cipher))
1256 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
1258 DEBUG(D_tls) debug_printf(" error parsing response\n");
1259 OCSP_RESPONSE_free(rsp);
1263 /* We'd check the nonce here if we'd put one in the request. */
1264 /* However that would defeat cacheability on the server so we don't. */
1266 /* This section of code reworked from OpenSSL apps source;
1267 The OpenSSL Project retains copyright:
1268 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
1273 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1275 DEBUG(D_tls) bp = BIO_new_fp(stderr, BIO_NOCLOSE);
1277 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
1279 /* Use the chain that verified the server cert to verify the stapled info */
1280 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
1282 if ((i = OCSP_basic_verify(bs, NULL,
1283 cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
1285 tls_out.ocsp = OCSP_FAILED;
1286 if (LOGGING(tls_cipher))
1287 log_write(0, LOG_MAIN, "Received TLS cert status response, itself unverifiable");
1288 BIO_printf(bp, "OCSP response verify failure\n");
1289 ERR_print_errors(bp);
1293 BIO_printf(bp, "OCSP response well-formed and signed OK\n");
1295 /*XXX So we have a good stapled OCSP status. How do we know
1296 it is for the cert of interest? OpenSSL 1.1.0 has a routine
1297 OCSP_resp_find_status() which matches on a cert id, which presumably
1298 we should use. Making an id needs OCSP_cert_id_new(), which takes
1299 issuerName, issuerKey, serialNumber. Are they all in the cert?
1301 For now, carry on blindly accepting the resp. */
1304 OCSP_SINGLERESP * single;
1306 #ifdef EXIM_HAVE_OCSP_RESP_COUNT
1307 if (OCSP_resp_count(bs) != 1)
1309 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
1310 if (sk_OCSP_SINGLERESP_num(sresp) != 1)
1313 tls_out.ocsp = OCSP_FAILED;
1314 log_write(0, LOG_MAIN, "OCSP stapling "
1315 "with multiple responses not handled");
1318 single = OCSP_resp_get0(bs, 0);
1319 status = OCSP_single_get0_status(single, &reason, &rev,
1320 &thisupd, &nextupd);
1323 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
1324 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
1325 if (!OCSP_check_validity(thisupd, nextupd,
1326 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1328 tls_out.ocsp = OCSP_FAILED;
1329 DEBUG(D_tls) ERR_print_errors(bp);
1330 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
1334 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
1335 OCSP_cert_status_str(status));
1338 case V_OCSP_CERTSTATUS_GOOD:
1339 tls_out.ocsp = OCSP_VFIED;
1342 case V_OCSP_CERTSTATUS_REVOKED:
1343 tls_out.ocsp = OCSP_FAILED;
1344 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
1345 reason != -1 ? "; reason: " : "",
1346 reason != -1 ? OCSP_crl_reason_str(reason) : "");
1347 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
1350 tls_out.ocsp = OCSP_FAILED;
1351 log_write(0, LOG_MAIN,
1352 "Server certificate status unknown, in OCSP stapling");
1357 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1362 OCSP_RESPONSE_free(rsp);
1365 #endif /*!DISABLE_OCSP*/
1368 /*************************************************
1369 * Initialize for TLS *
1370 *************************************************/
1372 /* Called from both server and client code, to do preliminary initialization
1373 of the library. We allocate and return a context structure.
1376 ctxp returned SSL context
1377 host connected host, if client; NULL if server
1378 dhparam DH parameter file
1379 certificate certificate file
1380 privatekey private key
1381 ocsp_file file of stapling info (server); flag for require ocsp (client)
1382 addr address if client; NULL if server (for some randomness)
1383 cbp place to put allocated callback context
1385 Returns: OK/DEFER/FAIL
1389 tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
1391 #ifndef DISABLE_OCSP
1394 address_item *addr, tls_ext_ctx_cb ** cbp)
1399 tls_ext_ctx_cb * cbinfo;
1401 cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
1402 cbinfo->certificate = certificate;
1403 cbinfo->privatekey = privatekey;
1404 #ifndef DISABLE_OCSP
1405 if ((cbinfo->is_server = host==NULL))
1407 cbinfo->u_ocsp.server.file = ocsp_file;
1408 cbinfo->u_ocsp.server.file_expanded = NULL;
1409 cbinfo->u_ocsp.server.response = NULL;
1412 cbinfo->u_ocsp.client.verify_store = NULL;
1414 cbinfo->dhparam = dhparam;
1415 cbinfo->server_cipher_list = NULL;
1416 cbinfo->host = host;
1417 #ifndef DISABLE_EVENT
1418 cbinfo->event_action = NULL;
1421 SSL_load_error_strings(); /* basic set up */
1422 OpenSSL_add_ssl_algorithms();
1424 #ifdef EXIM_HAVE_SHA256
1425 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
1426 list of available digests. */
1427 EVP_add_digest(EVP_sha256());
1430 /* Create a context.
1431 The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
1432 negotiation in the different methods; as far as I can tell, the only
1433 *_{server,client}_method which allows negotiation is SSLv23, which exists even
1434 when OpenSSL is built without SSLv2 support.
1435 By disabling with openssl_options, we can let admins re-enable with the
1438 *ctxp = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method());
1440 if (!*ctxp) return tls_error(US"SSL_CTX_new", host, NULL);
1442 /* It turns out that we need to seed the random number generator this early in
1443 order to get the full complement of ciphers to work. It took me roughly a day
1444 of work to discover this by experiment.
1446 On systems that have /dev/urandom, SSL may automatically seed itself from
1447 there. Otherwise, we have to make something up as best we can. Double check
1453 gettimeofday(&r.tv, NULL);
1456 RAND_seed((uschar *)(&r), sizeof(r));
1457 RAND_seed((uschar *)big_buffer, big_buffer_size);
1458 if (addr != NULL) RAND_seed((uschar *)addr, sizeof(addr));
1461 return tls_error(US"RAND_status", host,
1462 US"unable to seed random number generator");
1465 /* Set up the information callback, which outputs if debugging is at a suitable
1468 DEBUG(D_tls) SSL_CTX_set_info_callback(*ctxp, (void (*)())info_callback);
1470 /* Automatically re-try reads/writes after renegotiation. */
1471 (void) SSL_CTX_set_mode(*ctxp, SSL_MODE_AUTO_RETRY);
1473 /* Apply administrator-supplied work-arounds.
1474 Historically we applied just one requested option,
1475 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
1476 moved to an administrator-controlled list of options to specify and
1477 grandfathered in the first one as the default value for "openssl_options".
1479 No OpenSSL version number checks: the options we accept depend upon the
1480 availability of the option value macros from OpenSSL. */
1482 okay = tls_openssl_options_parse(openssl_options, &init_options);
1484 return tls_error(US"openssl_options parsing failed", host, NULL);
1488 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
1489 if (!(SSL_CTX_set_options(*ctxp, init_options)))
1490 return tls_error(string_sprintf(
1491 "SSL_CTX_set_option(%#lx)", init_options), host, NULL);
1494 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
1496 /* Initialize with DH parameters if supplied */
1497 /* Initialize ECDH temp key parameter selection */
1499 if ( !init_dh(*ctxp, dhparam, host)
1500 || !init_ecdh(*ctxp, host)
1504 /* Set up certificate and key (and perhaps OCSP info) */
1506 if ((rc = tls_expand_session_files(*ctxp, cbinfo)) != OK)
1509 /* If we need to handle SNI, do so */
1510 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
1511 if (host == NULL) /* server */
1513 # ifndef DISABLE_OCSP
1514 /* We check u_ocsp.server.file, not server.response, because we care about if
1515 the option exists, not what the current expansion might be, as SNI might
1516 change the certificate and OCSP file in use between now and the time the
1517 callback is invoked. */
1518 if (cbinfo->u_ocsp.server.file)
1520 SSL_CTX_set_tlsext_status_cb(server_ctx, tls_server_stapling_cb);
1521 SSL_CTX_set_tlsext_status_arg(server_ctx, cbinfo);
1524 /* We always do this, so that $tls_sni is available even if not used in
1526 SSL_CTX_set_tlsext_servername_callback(*ctxp, tls_servername_cb);
1527 SSL_CTX_set_tlsext_servername_arg(*ctxp, cbinfo);
1529 # ifndef DISABLE_OCSP
1531 if(ocsp_file) /* wanting stapling */
1533 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
1535 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
1538 SSL_CTX_set_tlsext_status_cb(*ctxp, tls_client_stapling_cb);
1539 SSL_CTX_set_tlsext_status_arg(*ctxp, cbinfo);
1544 cbinfo->verify_cert_hostnames = NULL;
1546 #ifdef EXIM_HAVE_EPHEM_RSA_KEX
1547 /* Set up the RSA callback */
1548 SSL_CTX_set_tmp_rsa_callback(*ctxp, rsa_callback);
1551 /* Finally, set the timeout, and we are done */
1553 SSL_CTX_set_timeout(*ctxp, ssl_session_timeout);
1554 DEBUG(D_tls) debug_printf("Initialized TLS\n");
1564 /*************************************************
1565 * Get name of cipher in use *
1566 *************************************************/
1569 Argument: pointer to an SSL structure for the connection
1570 buffer to use for answer
1572 pointer to number of bits for cipher
1577 construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits)
1579 /* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't
1580 yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
1581 the accessor functions use const in the prototype. */
1582 const SSL_CIPHER *c;
1585 ver = (const uschar *)SSL_get_version(ssl);
1587 c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
1588 SSL_CIPHER_get_bits(c, bits);
1590 string_format(cipherbuf, bsize, "%s:%s:%u", ver,
1591 SSL_CIPHER_get_name(c), *bits);
1593 DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
1598 peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned bsize)
1600 /*XXX we might consider a list-of-certs variable for the cert chain.
1601 SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
1602 in list-handling functions, also consider the difference between the entire
1603 chain and the elements sent by the peer. */
1605 /* Will have already noted peercert on a verify fail; possibly not the leaf */
1606 if (!tlsp->peercert)
1607 tlsp->peercert = SSL_get_peer_certificate(ssl);
1608 /* Beware anonymous ciphers which lead to server_cert being NULL */
1611 X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, bsize);
1612 peerdn[bsize-1] = '\0';
1613 tlsp->peerdn = peerdn; /*XXX a static buffer... */
1616 tlsp->peerdn = NULL;
1623 /*************************************************
1624 * Set up for verifying certificates *
1625 *************************************************/
1627 /* Called by both client and server startup
1630 sctx SSL_CTX* to initialise
1631 certs certs file or NULL
1632 crl CRL file or NULL
1633 host NULL in a server; the remote host in a client
1634 optional TRUE if called from a server for a host in tls_try_verify_hosts;
1635 otherwise passed as FALSE
1636 cert_vfy_cb Callback function for certificate verification
1638 Returns: OK/DEFER/FAIL
1642 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
1643 int (*cert_vfy_cb)(int, X509_STORE_CTX *) )
1645 uschar *expcerts, *expcrl;
1647 if (!expand_check(certs, US"tls_verify_certificates", &expcerts))
1650 if (expcerts && *expcerts)
1652 /* Tell the library to use its compiled-in location for the system default
1653 CA bundle. Then add the ones specified in the config, if any. */
1655 if (!SSL_CTX_set_default_verify_paths(sctx))
1656 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
1658 if (Ustrcmp(expcerts, "system") != 0)
1660 struct stat statbuf;
1662 if (Ustat(expcerts, &statbuf) < 0)
1664 log_write(0, LOG_MAIN|LOG_PANIC,
1665 "failed to stat %s for certificates", expcerts);
1671 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
1672 { file = NULL; dir = expcerts; }
1674 { file = expcerts; dir = NULL; }
1676 /* If a certificate file is empty, the next function fails with an
1677 unhelpful error message. If we skip it, we get the correct behaviour (no
1678 certificates are recognized, but the error message is still misleading (it
1679 says no certificate was supplied.) But this is better. */
1681 if ( (!file || statbuf.st_size > 0)
1682 && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
1683 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL);
1685 /* Load the list of CAs for which we will accept certs, for sending
1686 to the client. This is only for the one-file tls_verify_certificates
1688 If a list isn't loaded into the server, but
1689 some verify locations are set, the server end appears to make
1690 a wildcard reqest for client certs.
1691 Meanwhile, the client library as default behaviour *ignores* the list
1692 we send over the wire - see man SSL_CTX_set_client_cert_cb.
1693 Because of this, and that the dir variant is likely only used for
1694 the public-CA bundle (not for a private CA), not worth fixing.
1698 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
1700 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
1701 sk_X509_NAME_num(names));
1702 SSL_CTX_set_client_CA_list(sctx, names);
1707 /* Handle a certificate revocation list. */
1709 #if OPENSSL_VERSION_NUMBER > 0x00907000L
1711 /* This bit of code is now the version supplied by Lars Mainka. (I have
1712 merely reformatted it into the Exim code style.)
1714 "From here I changed the code to add support for multiple crl's
1715 in pem format in one file or to support hashed directory entries in
1716 pem format instead of a file. This method now uses the library function
1717 X509_STORE_load_locations to add the CRL location to the SSL context.
1718 OpenSSL will then handle the verify against CA certs and CRLs by
1719 itself in the verify callback." */
1721 if (!expand_check(crl, US"tls_crl", &expcrl)) return DEFER;
1722 if (expcrl && *expcrl)
1724 struct stat statbufcrl;
1725 if (Ustat(expcrl, &statbufcrl) < 0)
1727 log_write(0, LOG_MAIN|LOG_PANIC,
1728 "failed to stat %s for certificates revocation lists", expcrl);
1733 /* is it a file or directory? */
1735 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
1736 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
1740 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
1746 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
1748 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
1749 return tls_error(US"X509_STORE_load_locations", host, NULL);
1751 /* setting the flags to check against the complete crl chain */
1753 X509_STORE_set_flags(cvstore,
1754 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
1758 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
1760 /* If verification is optional, don't fail if no certificate */
1762 SSL_CTX_set_verify(sctx,
1763 SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
1772 /*************************************************
1773 * Start a TLS session in a server *
1774 *************************************************/
1776 /* This is called when Exim is running as a server, after having received
1777 the STARTTLS command. It must respond to that command, and then negotiate
1781 require_ciphers allowed ciphers
1783 Returns: OK on success
1784 DEFER for errors before the start of the negotiation
1785 FAIL for errors during the negotation; the server can't
1790 tls_server_start(const uschar *require_ciphers)
1794 tls_ext_ctx_cb *cbinfo;
1795 static uschar peerdn[256];
1796 static uschar cipherbuf[256];
1798 /* Check for previous activation */
1800 if (tls_in.active >= 0)
1802 tls_error(US"STARTTLS received after TLS started", NULL, US"");
1803 smtp_printf("554 Already in TLS\r\n");
1807 /* Initialize the SSL library. If it fails, it will already have logged
1810 rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
1811 #ifndef DISABLE_OCSP
1814 NULL, &server_static_cbinfo);
1815 if (rc != OK) return rc;
1816 cbinfo = server_static_cbinfo;
1818 if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
1821 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
1822 were historically separated by underscores. So that I can use either form in my
1823 tests, and also for general convenience, we turn underscores into hyphens here.
1826 if (expciphers != NULL)
1828 uschar *s = expciphers;
1829 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1830 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
1831 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
1832 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL);
1833 cbinfo->server_cipher_list = expciphers;
1836 /* If this is a host for which certificate verification is mandatory or
1837 optional, set up appropriately. */
1839 tls_in.certificate_verified = FALSE;
1840 #ifdef EXPERIMENTAL_DANE
1841 tls_in.dane_verified = FALSE;
1843 server_verify_callback_called = FALSE;
1845 if (verify_check_host(&tls_verify_hosts) == OK)
1847 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
1848 FALSE, verify_callback_server);
1849 if (rc != OK) return rc;
1850 server_verify_optional = FALSE;
1852 else if (verify_check_host(&tls_try_verify_hosts) == OK)
1854 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
1855 TRUE, verify_callback_server);
1856 if (rc != OK) return rc;
1857 server_verify_optional = TRUE;
1860 /* Prepare for new connection */
1862 if ((server_ssl = SSL_new(server_ctx)) == NULL) return tls_error(US"SSL_new", NULL, NULL);
1864 /* Warning: we used to SSL_clear(ssl) here, it was removed.
1866 * With the SSL_clear(), we get strange interoperability bugs with
1867 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
1868 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
1870 * The SSL_clear() call is to let an existing SSL* be reused, typically after
1871 * session shutdown. In this case, we have a brand new object and there's no
1872 * obvious reason to immediately clear it. I'm guessing that this was
1873 * originally added because of incomplete initialisation which the clear fixed,
1874 * in some historic release.
1877 /* Set context and tell client to go ahead, except in the case of TLS startup
1878 on connection, where outputting anything now upsets the clients and tends to
1879 make them disconnect. We need to have an explicit fflush() here, to force out
1880 the response. Other smtp_printf() calls do not need it, because in non-TLS
1881 mode, the fflush() happens when smtp_getc() is called. */
1883 SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
1884 if (!tls_in.on_connect)
1886 smtp_printf("220 TLS go ahead\r\n");
1890 /* Now negotiate the TLS session. We put our own timer on it, since it seems
1891 that the OpenSSL library doesn't. */
1893 SSL_set_wfd(server_ssl, fileno(smtp_out));
1894 SSL_set_rfd(server_ssl, fileno(smtp_in));
1895 SSL_set_accept_state(server_ssl);
1897 DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
1899 sigalrm_seen = FALSE;
1900 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
1901 rc = SSL_accept(server_ssl);
1906 tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL);
1907 if (ERR_get_error() == 0)
1908 log_write(0, LOG_MAIN,
1909 "TLS client disconnected cleanly (rejected our certificate?)");
1913 DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
1915 /* TLS has been set up. Adjust the input functions to read via TLS,
1916 and initialize things. */
1918 peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
1920 construct_cipher_name(server_ssl, cipherbuf, sizeof(cipherbuf), &tls_in.bits);
1921 tls_in.cipher = cipherbuf;
1926 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)) != NULL)
1927 debug_printf("Shared ciphers: %s\n", buf);
1930 /* Record the certificate we presented */
1932 X509 * crt = SSL_get_certificate(server_ssl);
1933 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
1936 /* Only used by the server-side tls (tls_in), including tls_getc.
1937 Client-side (tls_out) reads (seem to?) go via
1938 smtp_read_response()/ip_recv().
1939 Hence no need to duplicate for _in and _out.
1941 ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
1942 ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
1943 ssl_xfer_eof = ssl_xfer_error = 0;
1945 receive_getc = tls_getc;
1946 receive_get_cache = tls_get_cache;
1947 receive_ungetc = tls_ungetc;
1948 receive_feof = tls_feof;
1949 receive_ferror = tls_ferror;
1950 receive_smtp_buffered = tls_smtp_buffered;
1952 tls_in.active = fileno(smtp_out);
1960 tls_client_basic_ctx_init(SSL_CTX * ctx,
1961 host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo
1965 /* stick to the old behaviour for compatibility if tls_verify_certificates is
1966 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
1967 the specified host patterns if one of them is defined */
1969 if ( ( !ob->tls_verify_hosts
1970 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
1972 || (verify_check_given_host(&ob->tls_verify_hosts, host) == OK)
1974 client_verify_optional = FALSE;
1975 else if (verify_check_given_host(&ob->tls_try_verify_hosts, host) == OK)
1976 client_verify_optional = TRUE;
1980 if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
1981 ob->tls_crl, host, client_verify_optional, verify_callback_client)) != OK)
1984 if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK)
1986 cbinfo->verify_cert_hostnames =
1988 string_domain_utf8_to_alabel(host->name, NULL);
1992 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
1993 cbinfo->verify_cert_hostnames);
1999 #ifdef EXPERIMENTAL_DANE
2001 dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa)
2005 const char * hostnames[2] = { CS host->name, NULL };
2008 if (DANESSL_init(ssl, NULL, hostnames) != 1)
2009 return tls_error(US"hostnames load", host, NULL);
2011 for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
2013 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
2014 ) if (rr->type == T_TLSA)
2016 uschar * p = rr->data;
2017 uint8_t usage, selector, mtype;
2018 const char * mdname;
2022 /* Only DANE-TA(2) and DANE-EE(3) are supported */
2023 if (usage != 2 && usage != 3) continue;
2030 default: continue; /* Only match-types 0, 1, 2 are supported */
2031 case 0: mdname = NULL; break;
2032 case 1: mdname = "sha256"; break;
2033 case 2: mdname = "sha512"; break;
2037 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
2040 return tls_error(US"tlsa load", host, NULL);
2041 case 0: /* action not taken */
2045 tls_out.tlsa_usage |= 1<<usage;
2051 log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
2054 #endif /*EXPERIMENTAL_DANE*/
2058 /*************************************************
2059 * Start a TLS session in a client *
2060 *************************************************/
2062 /* Called from the smtp transport after STARTTLS has been accepted.
2065 fd the fd of the connection
2066 host connected host (for messages)
2067 addr the first address
2068 tb transport (always smtp)
2069 tlsa_dnsa tlsa lookup, if DANE, else null
2071 Returns: OK on success
2072 FAIL otherwise - note that tls_error() will not give DEFER
2073 because this is not a server
2077 tls_client_start(int fd, host_item *host, address_item *addr,
2078 transport_instance *tb
2079 #ifdef EXPERIMENTAL_DANE
2080 , dns_answer * tlsa_dnsa
2084 smtp_transport_options_block * ob =
2085 (smtp_transport_options_block *)tb->options_block;
2086 static uschar peerdn[256];
2087 uschar * expciphers;
2089 static uschar cipherbuf[256];
2091 #ifndef DISABLE_OCSP
2092 BOOL request_ocsp = FALSE;
2093 BOOL require_ocsp = FALSE;
2096 #ifdef EXPERIMENTAL_DANE
2097 tls_out.tlsa_usage = 0;
2100 #ifndef DISABLE_OCSP
2102 # ifdef EXPERIMENTAL_DANE
2104 && ob->hosts_request_ocsp[0] == '*'
2105 && ob->hosts_request_ocsp[1] == '\0'
2108 /* Unchanged from default. Use a safer one under DANE */
2109 request_ocsp = TRUE;
2110 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
2111 " {= {4}{$tls_out_tlsa_usage}} } "
2117 verify_check_given_host(&ob->hosts_require_ocsp, host) == OK))
2118 request_ocsp = TRUE;
2120 # ifdef EXPERIMENTAL_DANE
2124 verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
2128 rc = tls_init(&client_ctx, host, NULL,
2129 ob->tls_certificate, ob->tls_privatekey,
2130 #ifndef DISABLE_OCSP
2131 (void *)(long)request_ocsp,
2133 addr, &client_static_cbinfo);
2134 if (rc != OK) return rc;
2136 tls_out.certificate_verified = FALSE;
2137 client_verify_callback_called = FALSE;
2139 if (!expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
2143 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
2144 are separated by underscores. So that I can use either form in my tests, and
2145 also for general convenience, we turn underscores into hyphens here. */
2147 if (expciphers != NULL)
2149 uschar *s = expciphers;
2150 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
2151 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
2152 if (!SSL_CTX_set_cipher_list(client_ctx, CS expciphers))
2153 return tls_error(US"SSL_CTX_set_cipher_list", host, NULL);
2156 #ifdef EXPERIMENTAL_DANE
2159 SSL_CTX_set_verify(client_ctx,
2160 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2161 verify_callback_client_dane);
2163 if (!DANESSL_library_init())
2164 return tls_error(US"library init", host, NULL);
2165 if (DANESSL_CTX_init(client_ctx) <= 0)
2166 return tls_error(US"context init", host, NULL);
2172 if ((rc = tls_client_basic_ctx_init(client_ctx, host, ob, client_static_cbinfo))
2176 if ((client_ssl = SSL_new(client_ctx)) == NULL)
2177 return tls_error(US"SSL_new", host, NULL);
2178 SSL_set_session_id_context(client_ssl, sid_ctx, Ustrlen(sid_ctx));
2179 SSL_set_fd(client_ssl, fd);
2180 SSL_set_connect_state(client_ssl);
2184 if (!expand_check(ob->tls_sni, US"tls_sni", &tls_out.sni))
2186 if (tls_out.sni == NULL)
2188 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
2190 else if (!Ustrlen(tls_out.sni))
2194 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
2195 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tls_out.sni);
2196 SSL_set_tlsext_host_name(client_ssl, tls_out.sni);
2198 log_write(0, LOG_MAIN, "SNI unusable with this OpenSSL library version; ignoring \"%s\"\n",
2204 #ifdef EXPERIMENTAL_DANE
2206 if ((rc = dane_tlsa_load(client_ssl, host, tlsa_dnsa)) != OK)
2210 #ifndef DISABLE_OCSP
2211 /* Request certificate status at connection-time. If the server
2212 does OCSP stapling we will get the callback (set in tls_init()) */
2213 # ifdef EXPERIMENTAL_DANE
2217 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
2218 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
2220 { /* Re-eval now $tls_out_tlsa_usage is populated. If
2221 this means we avoid the OCSP request, we wasted the setup
2222 cost in tls_init(). */
2223 require_ocsp = verify_check_given_host(&ob->hosts_require_ocsp, host) == OK;
2224 request_ocsp = require_ocsp
2225 || verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
2232 SSL_set_tlsext_status_type(client_ssl, TLSEXT_STATUSTYPE_ocsp);
2233 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
2234 tls_out.ocsp = OCSP_NOT_RESP;
2238 #ifndef DISABLE_EVENT
2239 client_static_cbinfo->event_action = tb->event_action;
2242 /* There doesn't seem to be a built-in timeout on connection. */
2244 DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
2245 sigalrm_seen = FALSE;
2246 alarm(ob->command_timeout);
2247 rc = SSL_connect(client_ssl);
2250 #ifdef EXPERIMENTAL_DANE
2252 DANESSL_cleanup(client_ssl);
2256 return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL);
2258 DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
2260 peer_cert(client_ssl, &tls_out, peerdn, sizeof(peerdn));
2262 construct_cipher_name(client_ssl, cipherbuf, sizeof(cipherbuf), &tls_out.bits);
2263 tls_out.cipher = cipherbuf;
2265 /* Record the certificate we presented */
2267 X509 * crt = SSL_get_certificate(client_ssl);
2268 tls_out.ourcert = crt ? X509_dup(crt) : NULL;
2271 tls_out.active = fd;
2279 /*************************************************
2280 * TLS version of getc *
2281 *************************************************/
2283 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
2284 it refills the buffer via the SSL reading function.
2287 Returns: the next character or EOF
2289 Only used by the server-side TLS.
2295 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
2300 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
2301 ssl_xfer_buffer, ssl_xfer_buffer_size);
2303 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
2304 inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer, ssl_xfer_buffer_size);
2305 error = SSL_get_error(server_ssl, inbytes);
2308 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
2309 closed down, not that the socket itself has been closed down. Revert to
2310 non-SSL handling. */
2312 if (error == SSL_ERROR_ZERO_RETURN)
2314 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2316 receive_getc = smtp_getc;
2317 receive_get_cache = smtp_get_cache;
2318 receive_ungetc = smtp_ungetc;
2319 receive_feof = smtp_feof;
2320 receive_ferror = smtp_ferror;
2321 receive_smtp_buffered = smtp_buffered;
2323 SSL_free(server_ssl);
2327 tls_in.cipher = NULL;
2328 tls_in.peerdn = NULL;
2334 /* Handle genuine errors */
2336 else if (error == SSL_ERROR_SSL)
2338 ERR_error_string(ERR_get_error(), ssl_errstring);
2339 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
2344 else if (error != SSL_ERROR_NONE)
2346 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
2351 #ifndef DISABLE_DKIM
2352 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
2354 ssl_xfer_buffer_hwm = inbytes;
2355 ssl_xfer_buffer_lwm = 0;
2358 /* Something in the buffer; return next uschar */
2360 return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
2366 #ifndef DISABLE_DKIM
2367 int n = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm;
2369 dkim_exim_verify_feed(ssl_xfer_buffer+ssl_xfer_buffer_lwm, n);
2375 /*************************************************
2376 * Read bytes from TLS channel *
2377 *************************************************/
2384 Returns: the number of bytes read
2385 -1 after a failed read
2387 Only used by the client-side TLS.
2391 tls_read(BOOL is_server, uschar *buff, size_t len)
2393 SSL *ssl = is_server ? server_ssl : client_ssl;
2397 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
2398 buff, (unsigned int)len);
2400 inbytes = SSL_read(ssl, CS buff, len);
2401 error = SSL_get_error(ssl, inbytes);
2403 if (error == SSL_ERROR_ZERO_RETURN)
2405 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2408 else if (error != SSL_ERROR_NONE)
2420 /*************************************************
2421 * Write bytes down TLS channel *
2422 *************************************************/
2426 is_server channel specifier
2430 Returns: the number of bytes after a successful write,
2431 -1 after a failed write
2433 Used by both server-side and client-side TLS.
2437 tls_write(BOOL is_server, const uschar *buff, size_t len)
2442 SSL *ssl = is_server ? server_ssl : client_ssl;
2444 DEBUG(D_tls) debug_printf("tls_do_write(%p, %d)\n", buff, left);
2447 DEBUG(D_tls) debug_printf("SSL_write(SSL, %p, %d)\n", buff, left);
2448 outbytes = SSL_write(ssl, CS buff, left);
2449 error = SSL_get_error(ssl, outbytes);
2450 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
2454 ERR_error_string(ERR_get_error(), ssl_errstring);
2455 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
2458 case SSL_ERROR_NONE:
2463 case SSL_ERROR_ZERO_RETURN:
2464 log_write(0, LOG_MAIN, "SSL channel closed on write");
2467 case SSL_ERROR_SYSCALL:
2468 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
2469 sender_fullhost ? sender_fullhost : US"<unknown>",
2474 log_write(0, LOG_MAIN, "SSL_write error %d", error);
2483 /*************************************************
2484 * Close down a TLS session *
2485 *************************************************/
2487 /* This is also called from within a delivery subprocess forked from the
2488 daemon, to shut down the TLS library, without actually doing a shutdown (which
2489 would tamper with the SSL session in the parent process).
2491 Arguments: TRUE if SSL_shutdown is to be called
2494 Used by both server-side and client-side TLS.
2498 tls_close(BOOL is_server, BOOL shutdown)
2500 SSL **sslp = is_server ? &server_ssl : &client_ssl;
2501 int *fdp = is_server ? &tls_in.active : &tls_out.active;
2503 if (*fdp < 0) return; /* TLS was not active */
2507 DEBUG(D_tls) debug_printf("tls_close() from '%s': shutting down SSL\n");
2508 SSL_shutdown(*sslp);
2520 /*************************************************
2521 * Let tls_require_ciphers be checked at startup *
2522 *************************************************/
2524 /* The tls_require_ciphers option, if set, must be something which the
2527 Returns: NULL on success, or error message
2531 tls_validate_require_cipher(void)
2534 uschar *s, *expciphers, *err;
2536 /* this duplicates from tls_init(), we need a better "init just global
2537 state, for no specific purpose" singleton function of our own */
2539 SSL_load_error_strings();
2540 OpenSSL_add_ssl_algorithms();
2541 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
2542 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
2543 list of available digests. */
2544 EVP_add_digest(EVP_sha256());
2547 if (!(tls_require_ciphers && *tls_require_ciphers))
2550 if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers))
2551 return US"failed to expand tls_require_ciphers";
2553 if (!(expciphers && *expciphers))
2556 /* normalisation ripped from above */
2558 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
2562 ctx = SSL_CTX_new(SSLv23_server_method());
2565 ERR_error_string(ERR_get_error(), ssl_errstring);
2566 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
2570 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
2572 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
2574 ERR_error_string(ERR_get_error(), ssl_errstring);
2575 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed", expciphers);
2586 /*************************************************
2587 * Report the library versions. *
2588 *************************************************/
2590 /* There have historically been some issues with binary compatibility in
2591 OpenSSL libraries; if Exim (like many other applications) is built against
2592 one version of OpenSSL but the run-time linker picks up another version,
2593 it can result in serious failures, including crashing with a SIGSEGV. So
2594 report the version found by the compiler and the run-time version.
2596 Note: some OS vendors backport security fixes without changing the version
2597 number/string, and the version date remains unchanged. The _build_ date
2598 will change, so we can more usefully assist with version diagnosis by also
2599 reporting the build date.
2601 Arguments: a FILE* to print the results to
2606 tls_version_report(FILE *f)
2608 fprintf(f, "Library version: OpenSSL: Compile: %s\n"
2611 OPENSSL_VERSION_TEXT,
2612 SSLeay_version(SSLEAY_VERSION),
2613 SSLeay_version(SSLEAY_BUILT_ON));
2614 /* third line is 38 characters for the %s and the line is 73 chars long;
2615 the OpenSSL output includes a "built on: " prefix already. */
2621 /*************************************************
2622 * Random number generation *
2623 *************************************************/
2625 /* Pseudo-random number generation. The result is not expected to be
2626 cryptographically strong but not so weak that someone will shoot themselves
2627 in the foot using it as a nonce in input in some email header scheme or
2628 whatever weirdness they'll twist this into. The result should handle fork()
2629 and avoid repeating sequences. OpenSSL handles that for us.
2633 Returns a random number in range [0, max-1]
2637 vaguely_random_number(int max)
2641 static pid_t pidlast = 0;
2644 uschar smallbuf[sizeof(r)];
2650 if (pidnow != pidlast)
2652 /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
2653 is unique for each thread", this doesn't apparently apply across processes,
2654 so our own warning from vaguely_random_number_fallback() applies here too.
2655 Fix per PostgreSQL. */
2661 /* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
2665 gettimeofday(&r.tv, NULL);
2668 RAND_seed((uschar *)(&r), sizeof(r));
2670 /* We're after pseudo-random, not random; if we still don't have enough data
2671 in the internal PRNG then our options are limited. We could sleep and hope
2672 for entropy to come along (prayer technique) but if the system is so depleted
2673 in the first place then something is likely to just keep taking it. Instead,
2674 we'll just take whatever little bit of pseudo-random we can still manage to
2677 needed_len = sizeof(r);
2678 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
2679 asked for a number less than 10. */
2680 for (r = max, i = 0; r; ++i)
2686 #ifdef EXIM_HAVE_RAND_PSEUDO
2687 /* We do not care if crypto-strong */
2688 i = RAND_pseudo_bytes(smallbuf, needed_len);
2690 i = RAND_bytes(smallbuf, needed_len);
2696 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
2697 return vaguely_random_number_fallback(max);
2701 for (p = smallbuf; needed_len; --needed_len, ++p)
2707 /* We don't particularly care about weighted results; if someone wants
2708 smooth distribution and cares enough then they should submit a patch then. */
2715 /*************************************************
2716 * OpenSSL option parse *
2717 *************************************************/
2719 /* Parse one option for tls_openssl_options_parse below
2722 name one option name
2723 value place to store a value for it
2724 Returns success or failure in parsing
2727 struct exim_openssl_option {
2731 /* We could use a macro to expand, but we need the ifdef and not all the
2732 options document which version they were introduced in. Policylet: include
2733 all options unless explicitly for DTLS, let the administrator choose which
2736 This list is current as of:
2738 Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
2740 static struct exim_openssl_option exim_openssl_options[] = {
2741 /* KEEP SORTED ALPHABETICALLY! */
2743 { US"all", SSL_OP_ALL },
2745 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
2746 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
2748 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
2749 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
2751 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
2752 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
2754 #ifdef SSL_OP_EPHEMERAL_RSA
2755 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
2757 #ifdef SSL_OP_LEGACY_SERVER_CONNECT
2758 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
2760 #ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
2761 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
2763 #ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
2764 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
2766 #ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
2767 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
2769 #ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
2770 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
2772 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
2773 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
2775 #ifdef SSL_OP_NO_COMPRESSION
2776 { US"no_compression", SSL_OP_NO_COMPRESSION },
2778 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
2779 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
2781 #ifdef SSL_OP_NO_SSLv2
2782 { US"no_sslv2", SSL_OP_NO_SSLv2 },
2784 #ifdef SSL_OP_NO_SSLv3
2785 { US"no_sslv3", SSL_OP_NO_SSLv3 },
2787 #ifdef SSL_OP_NO_TICKET
2788 { US"no_ticket", SSL_OP_NO_TICKET },
2790 #ifdef SSL_OP_NO_TLSv1
2791 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
2793 #ifdef SSL_OP_NO_TLSv1_1
2794 #if SSL_OP_NO_TLSv1_1 == 0x00000400L
2795 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
2796 #warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
2798 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
2801 #ifdef SSL_OP_NO_TLSv1_2
2802 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
2804 #ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
2805 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
2807 #ifdef SSL_OP_SINGLE_DH_USE
2808 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
2810 #ifdef SSL_OP_SINGLE_ECDH_USE
2811 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
2813 #ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
2814 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
2816 #ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
2817 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
2819 #ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
2820 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
2822 #ifdef SSL_OP_TLS_D5_BUG
2823 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
2825 #ifdef SSL_OP_TLS_ROLLBACK_BUG
2826 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
2829 static int exim_openssl_options_size =
2830 sizeof(exim_openssl_options)/sizeof(struct exim_openssl_option);
2834 tls_openssl_one_option_parse(uschar *name, long *value)
2837 int last = exim_openssl_options_size;
2838 while (last > first)
2840 int middle = (first + last)/2;
2841 int c = Ustrcmp(name, exim_openssl_options[middle].name);
2844 *value = exim_openssl_options[middle].value;
2858 /*************************************************
2859 * OpenSSL option parsing logic *
2860 *************************************************/
2862 /* OpenSSL has a number of compatibility options which an administrator might
2863 reasonably wish to set. Interpret a list similarly to decode_bits(), so that
2864 we look like log_selector.
2867 option_spec the administrator-supplied string of options
2868 results ptr to long storage for the options bitmap
2869 Returns success or failure
2873 tls_openssl_options_parse(uschar *option_spec, long *results)
2878 BOOL adding, item_parsed;
2881 /* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
2882 * from default because it increases BEAST susceptibility. */
2883 #ifdef SSL_OP_NO_SSLv2
2884 result |= SSL_OP_NO_SSLv2;
2886 #ifdef SSL_OP_SINGLE_DH_USE
2887 result |= SSL_OP_SINGLE_DH_USE;
2890 if (option_spec == NULL)
2896 for (s=option_spec; *s != '\0'; /**/)
2898 while (isspace(*s)) ++s;
2901 if (*s != '+' && *s != '-')
2903 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
2904 "+ or - expected but found \"%s\"\n", s);
2907 adding = *s++ == '+';
2908 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
2911 item_parsed = tls_openssl_one_option_parse(s, &item);
2915 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
2918 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
2919 adding ? "adding" : "removing", result, item, s);
2933 /* End of tls-openssl.c */
git://git.exim.org / exim.git / blob