1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* See the file NOTICE for conditions of use and distribution. */
8 /* Portions Copyright (c) The OpenSSL Project 1999 */
10 /* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11 library. It is #included into the tls.c file when that library is used. The
12 code herein is based on a patch that was originally contributed by Steve
13 Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
15 No cryptographic code is included in Exim. All this module does is to call
16 functions from the OpenSSL library. */
21 #include <openssl/lhash.h>
22 #include <openssl/ssl.h>
23 #include <openssl/err.h>
24 #include <openssl/rand.h>
25 #ifndef OPENSSL_NO_ECDH
26 # include <openssl/ec.h>
29 # include <openssl/ocsp.h>
37 # define EXIM_OCSP_SKEW_SECONDS (300L)
38 # define EXIM_OCSP_MAX_AGE (-1L)
41 #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
42 # define EXIM_HAVE_OPENSSL_TLSEXT
44 #if OPENSSL_VERSION_NUMBER >= 0x00908000L
45 # define EXIM_HAVE_RSA_GENKEY_EX
47 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
48 # define EXIM_HAVE_OCSP_RESP_COUNT
50 # define EXIM_HAVE_EPHEM_RSA_KEX
51 # define EXIM_HAVE_RAND_PSEUDO
53 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
54 # define EXIM_HAVE_SHA256
58 * X509_check_host provides sane certificate hostname checking, but was added
59 * to OpenSSL late, after other projects forked off the code-base. So in
60 * addition to guarding against the base version number, beware that LibreSSL
61 * does not (at this time) support this function.
63 * If LibreSSL gains a different API, perhaps via libtls, then we'll probably
64 * opt to disentangle and ask a LibreSSL user to provide glue for a third
65 * crypto provider for libtls instead of continuing to tie the OpenSSL glue
66 * into even twistier knots. If LibreSSL gains the same API, we can just
67 * change this guard and punt the issue for a while longer.
69 #ifndef LIBRESSL_VERSION_NUMBER
70 # if OPENSSL_VERSION_NUMBER >= 0x010100000L
71 # define EXIM_HAVE_OPENSSL_CHECKHOST
72 # define EXIM_HAVE_OPENSSL_DH_BITS
73 # define EXIM_HAVE_OPENSSL_TLS_METHOD
75 # define EXIM_NEED_OPENSSL_INIT
77 # if OPENSSL_VERSION_NUMBER >= 0x010000000L \
78 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
79 # define EXIM_HAVE_OPENSSL_CHECKHOST
83 #if !defined(LIBRESSL_VERSION_NUMBER) \
84 || LIBRESSL_VERSION_NUMBER >= 0x20010000L
85 # if !defined(OPENSSL_NO_ECDH)
86 # if OPENSSL_VERSION_NUMBER >= 0x0090800fL
87 # define EXIM_HAVE_ECDH
89 # if OPENSSL_VERSION_NUMBER >= 0x10002000L
90 # define EXIM_HAVE_OPENSSL_EC_NIST2NID
95 #if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
96 # warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
100 #ifdef EXIM_HAVE_OPENSSL_CHECKHOST
101 # include <openssl/x509v3.h>
104 /*************************************************
105 * OpenSSL option parse *
106 *************************************************/
108 typedef struct exim_openssl_option {
111 } exim_openssl_option;
112 /* We could use a macro to expand, but we need the ifdef and not all the
113 options document which version they were introduced in. Policylet: include
114 all options unless explicitly for DTLS, let the administrator choose which
117 This list is current as of:
119 Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
120 Plus SSL_OP_NO_TLSv1_3 for 1.1.2-dev
122 static exim_openssl_option exim_openssl_options[] = {
123 /* KEEP SORTED ALPHABETICALLY! */
125 { US"all", SSL_OP_ALL },
127 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
128 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
130 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
131 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
133 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
134 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
136 #ifdef SSL_OP_EPHEMERAL_RSA
137 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
139 #ifdef SSL_OP_LEGACY_SERVER_CONNECT
140 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
142 #ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
143 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
145 #ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
146 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
148 #ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
149 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
151 #ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
152 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
154 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
155 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
157 #ifdef SSL_OP_NO_COMPRESSION
158 { US"no_compression", SSL_OP_NO_COMPRESSION },
160 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
161 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
163 #ifdef SSL_OP_NO_SSLv2
164 { US"no_sslv2", SSL_OP_NO_SSLv2 },
166 #ifdef SSL_OP_NO_SSLv3
167 { US"no_sslv3", SSL_OP_NO_SSLv3 },
169 #ifdef SSL_OP_NO_TICKET
170 { US"no_ticket", SSL_OP_NO_TICKET },
172 #ifdef SSL_OP_NO_TLSv1
173 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
175 #ifdef SSL_OP_NO_TLSv1_1
176 #if SSL_OP_NO_TLSv1_1 == 0x00000400L
177 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
178 #warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
180 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
183 #ifdef SSL_OP_NO_TLSv1_2
184 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
186 #ifdef SSL_OP_NO_TLSv1_3
187 { US"no_tlsv1_3", SSL_OP_NO_TLSv1_3 },
189 #ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
190 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
192 #ifdef SSL_OP_SINGLE_DH_USE
193 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
195 #ifdef SSL_OP_SINGLE_ECDH_USE
196 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
198 #ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
199 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
201 #ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
202 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
204 #ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
205 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
207 #ifdef SSL_OP_TLS_D5_BUG
208 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
210 #ifdef SSL_OP_TLS_ROLLBACK_BUG
211 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
216 static int exim_openssl_options_size = nelem(exim_openssl_options);
223 struct exim_openssl_option * o;
226 for (o = exim_openssl_options;
227 o < exim_openssl_options + nelem(exim_openssl_options); o++)
229 /* Trailing X is workaround for problem with _OPT_OPENSSL_NO_TLSV1
230 being a ".ifdef _OPT_OPENSSL_NO_TLSV1_3" match */
232 spf(buf, sizeof(buf), US"_OPT_OPENSSL_%T_X", o->name);
233 builtin_macro_create(buf);
238 /******************************************************************************/
240 /* Structure for collecting random data for seeding. */
242 typedef struct randstuff {
247 /* Local static variables */
249 static BOOL client_verify_callback_called = FALSE;
250 static BOOL server_verify_callback_called = FALSE;
251 static const uschar *sid_ctx = US"exim";
253 /* We have three different contexts to care about.
255 Simple case: client, `client_ctx`
256 As a client, we can be doing a callout or cut-through delivery while receiving
257 a message. So we have a client context, which should have options initialised
258 from the SMTP Transport. We may also concurrently want to make TLS connections
259 to utility daemons, so client-contexts are allocated and passed around in call
260 args rather than using a gobal.
263 There are two cases: with and without ServerNameIndication from the client.
264 Given TLS SNI, we can be using different keys, certs and various other
265 configuration settings, because they're re-expanded with $tls_sni set. This
266 allows vhosting with TLS. This SNI is sent in the handshake.
267 A client might not send SNI, so we need a fallback, and an initial setup too.
268 So as a server, we start out using `server_ctx`.
269 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
270 `server_sni` from `server_ctx` and then initialise settings by re-expanding
278 } exim_openssl_client_tls_ctx;
280 static SSL_CTX *server_ctx = NULL;
281 static SSL *server_ssl = NULL;
283 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
284 static SSL_CTX *server_sni = NULL;
287 static char ssl_errstring[256];
289 static int ssl_session_timeout = 200;
290 static BOOL client_verify_optional = FALSE;
291 static BOOL server_verify_optional = FALSE;
293 static BOOL reexpand_tls_files_for_sni = FALSE;
296 typedef struct tls_ext_ctx_cb {
301 STACK_OF(X509) *verify_stack; /* chain for verifying the proof */
305 uschar *file_expanded;
306 OCSP_RESPONSE *response;
309 X509_STORE *verify_store; /* non-null if status requested */
310 BOOL verify_required;
315 /* these are cached from first expand */
316 uschar *server_cipher_list;
317 /* only passed down to tls_error: */
319 const uschar * verify_cert_hostnames;
320 #ifndef DISABLE_EVENT
321 uschar * event_action;
325 /* should figure out a cleanup of API to handle state preserved per
326 implementation, for various reasons, which can be void * in the APIs.
327 For now, we hack around it. */
328 tls_ext_ctx_cb *client_static_cbinfo = NULL;
329 tls_ext_ctx_cb *server_static_cbinfo = NULL;
332 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
333 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr );
336 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
337 static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
340 static int tls_server_stapling_cb(SSL *s, void *arg);
344 /*************************************************
346 *************************************************/
348 /* Called from lots of places when errors occur before actually starting to do
349 the TLS handshake, that is, while the session is still in clear. Always returns
350 DEFER for a server and FAIL for a client so that most calls can use "return
351 tls_error(...)" to do this processing and then give an appropriate return. A
352 single function is used for both server and client, because it is called from
353 some shared functions.
356 prefix text to include in the logged error
357 host NULL if setting up a server;
358 the connected host if setting up a client
359 msg error message or NULL if we should ask OpenSSL
360 errstr pointer to output error message
362 Returns: OK/DEFER/FAIL
366 tls_error(uschar * prefix, const host_item * host, uschar * msg, uschar ** errstr)
370 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
371 msg = US ssl_errstring;
374 msg = string_sprintf("(%s): %s", prefix, msg);
375 DEBUG(D_tls) debug_printf("TLS error '%s'\n", msg);
376 if (errstr) *errstr = msg;
377 return host ? FAIL : DEFER;
382 /*************************************************
383 * Callback to generate RSA key *
384 *************************************************/
388 s SSL connection (not used)
392 Returns: pointer to generated key
396 rsa_callback(SSL *s, int export, int keylength)
399 #ifdef EXIM_HAVE_RSA_GENKEY_EX
400 BIGNUM *bn = BN_new();
403 export = export; /* Shut picky compilers up */
404 DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
406 #ifdef EXIM_HAVE_RSA_GENKEY_EX
407 if ( !BN_set_word(bn, (unsigned long)RSA_F4)
408 || !(rsa_key = RSA_new())
409 || !RSA_generate_key_ex(rsa_key, keylength, bn, NULL)
412 if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL)))
416 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
417 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
429 x509_store_dump_cert_s_names(X509_STORE * store)
431 STACK_OF(X509_OBJECT) * roots= store->objs;
433 static uschar name[256];
435 for(i= 0; i<sk_X509_OBJECT_num(roots); i++)
437 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
438 if(tmp_obj->type == X509_LU_X509)
440 X509_NAME * sn = X509_get_subject_name(tmp_obj->data.x509);
441 if (X509_NAME_oneline(sn, CS name, sizeof(name)))
443 name[sizeof(name)-1] = '\0';
444 debug_printf(" %s\n", name);
453 #ifndef DISABLE_EVENT
455 verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
456 BOOL *calledp, const BOOL *optionalp, const uschar * what)
462 ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
465 DEBUG(D_tls) debug_printf("verify_event: %s %d\n", what, depth);
466 old_cert = tlsp->peercert;
467 tlsp->peercert = X509_dup(cert);
468 /* NB we do not bother setting peerdn */
469 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
471 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
472 "depth=%d cert=%s: %s",
473 tlsp == &tls_out ? deliver_host_address : sender_host_address,
474 what, depth, dn, yield);
478 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
479 return 1; /* reject (leaving peercert set) */
481 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
482 "(host in tls_try_verify_hosts)\n");
484 X509_free(tlsp->peercert);
485 tlsp->peercert = old_cert;
491 /*************************************************
492 * Callback for verification *
493 *************************************************/
495 /* The SSL library does certificate verification if set up to do so. This
496 callback has the current yes/no state is in "state". If verification succeeded,
497 we set the certificate-verified flag. If verification failed, what happens
498 depends on whether the client is required to present a verifiable certificate
501 If verification is optional, we change the state to yes, but still log the
502 verification error. For some reason (it really would help to have proper
503 documentation of OpenSSL), this callback function then gets called again, this
504 time with state = 1. We must take care not to set the private verified flag on
505 the second time through.
507 Note: this function is not called if the client fails to present a certificate
508 when asked. We get here only if a certificate has been received. Handling of
509 optional verification for this case is done when requesting SSL to verify, by
510 setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
512 May be called multiple times for different issues with a certificate, even
513 for a given "depth" in the certificate chain.
516 preverify_ok current yes/no state as 1/0
517 x509ctx certificate information.
518 tlsp per-direction (client vs. server) support data
519 calledp has-been-called flag
520 optionalp verification-is-optional flag
522 Returns: 0 if verification should fail, otherwise 1
526 verify_callback(int preverify_ok, X509_STORE_CTX * x509ctx,
527 tls_support * tlsp, BOOL * calledp, BOOL * optionalp)
529 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
530 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
533 if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
535 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
536 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
537 tlsp == &tls_out ? deliver_host_address : sender_host_address);
540 dn[sizeof(dn)-1] = '\0';
542 if (preverify_ok == 0)
544 uschar * extra = verify_mode ? string_sprintf(" (during %c-verify for [%s])",
545 *verify_mode, sender_host_address)
547 log_write(0, LOG_MAIN, "[%s] SSL verify error%s: depth=%d error=%s cert=%s",
548 tlsp == &tls_out ? deliver_host_address : sender_host_address,
550 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)), dn);
555 tlsp->peercert = X509_dup(cert); /* record failing cert */
556 return 0; /* reject */
558 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
559 "tls_try_verify_hosts)\n");
564 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
566 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
567 { /* client, wanting stapling */
568 /* Add the server cert's signing chain as the one
569 for the verification of the OCSP stapled information. */
571 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
574 sk_X509_push(client_static_cbinfo->verify_stack, cert);
577 #ifndef DISABLE_EVENT
578 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
579 return 0; /* reject, with peercert set */
584 const uschar * verify_cert_hostnames;
586 if ( tlsp == &tls_out
587 && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
588 /* client, wanting hostname check */
591 #ifdef EXIM_HAVE_OPENSSL_CHECKHOST
592 # ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
593 # define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
595 # ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
596 # define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
599 const uschar * list = verify_cert_hostnames;
602 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
603 if ((rc = X509_check_host(cert, CCS name, 0,
604 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
605 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
610 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
611 tlsp == &tls_out ? deliver_host_address : sender_host_address);
618 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
621 uschar * extra = verify_mode
622 ? string_sprintf(" (during %c-verify for [%s])",
623 *verify_mode, sender_host_address)
625 log_write(0, LOG_MAIN,
626 "[%s] SSL verify error%s: certificate name mismatch: DN=\"%s\" H=\"%s\"",
627 tlsp == &tls_out ? deliver_host_address : sender_host_address,
628 extra, dn, verify_cert_hostnames);
633 tlsp->peercert = X509_dup(cert); /* record failing cert */
634 return 0; /* reject */
636 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
637 "tls_try_verify_hosts)\n");
641 #ifndef DISABLE_EVENT
642 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
643 return 0; /* reject, with peercert set */
646 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
647 *calledp ? "" : " authenticated", dn);
648 if (!*calledp) tlsp->certificate_verified = TRUE;
652 return 1; /* accept, at least for this level */
656 verify_callback_client(int preverify_ok, X509_STORE_CTX *x509ctx)
658 return verify_callback(preverify_ok, x509ctx, &tls_out,
659 &client_verify_callback_called, &client_verify_optional);
663 verify_callback_server(int preverify_ok, X509_STORE_CTX *x509ctx)
665 return verify_callback(preverify_ok, x509ctx, &tls_in,
666 &server_verify_callback_called, &server_verify_optional);
672 /* This gets called *by* the dane library verify callback, which interposes
676 verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
678 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
680 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
681 #ifndef DISABLE_EVENT
682 BOOL dummy_called, optional = FALSE;
685 if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
687 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
688 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
689 deliver_host_address);
692 dn[sizeof(dn)-1] = '\0';
694 DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
695 preverify_ok ? "ok":"BAD", depth, dn);
697 #ifndef DISABLE_EVENT
698 if (verify_event(&tls_out, cert, depth, dn,
699 &dummy_called, &optional, US"DANE"))
700 return 0; /* reject, with peercert set */
703 if (preverify_ok == 1)
705 tls_out.dane_verified = tls_out.certificate_verified = TRUE;
707 if (client_static_cbinfo->u_ocsp.client.verify_store)
708 { /* client, wanting stapling */
709 /* Add the server cert's signing chain as the one
710 for the verification of the OCSP stapled information. */
712 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
715 sk_X509_push(client_static_cbinfo->verify_stack, cert);
721 int err = X509_STORE_CTX_get_error(x509ctx);
723 debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
724 if (err == X509_V_ERR_APPLICATION_VERIFICATION)
730 #endif /*SUPPORT_DANE*/
733 /*************************************************
734 * Information callback *
735 *************************************************/
737 /* The SSL library functions call this from time to time to indicate what they
738 are doing. We copy the string to the debugging output when TLS debugging has
750 info_callback(SSL *s, int where, int ret)
756 if (where & SSL_ST_CONNECT)
757 str = US"SSL_connect";
758 else if (where & SSL_ST_ACCEPT)
759 str = US"SSL_accept";
761 str = US"SSL info (undefined)";
763 if (where & SSL_CB_LOOP)
764 debug_printf("%s: %s\n", str, SSL_state_string_long(s));
765 else if (where & SSL_CB_ALERT)
766 debug_printf("SSL3 alert %s:%s:%s\n",
767 str = where & SSL_CB_READ ? US"read" : US"write",
768 SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
769 else if (where & SSL_CB_EXIT)
771 debug_printf("%s: failed in %s\n", str, SSL_state_string_long(s));
773 debug_printf("%s: error in %s\n", str, SSL_state_string_long(s));
774 else if (where & SSL_CB_HANDSHAKE_START)
775 debug_printf("%s: hshake start: %s\n", str, SSL_state_string_long(s));
776 else if (where & SSL_CB_HANDSHAKE_DONE)
777 debug_printf("%s: hshake done: %s\n", str, SSL_state_string_long(s));
783 /*************************************************
784 * Initialize for DH *
785 *************************************************/
787 /* If dhparam is set, expand it, and load up the parameters for DH encryption.
790 sctx The current SSL CTX (inbound or outbound)
791 dhparam DH parameter file or fixed parameter identity string
792 host connected host, if client; NULL if server
793 errstr error string pointer
795 Returns: TRUE if OK (nothing to set up, or setup worked)
799 init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host, uschar ** errstr)
807 if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded, errstr))
810 if (!dhexpanded || !*dhexpanded)
811 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
812 else if (dhexpanded[0] == '/')
814 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
816 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
817 host, US strerror(errno), errstr);
823 if (Ustrcmp(dhexpanded, "none") == 0)
825 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
829 if (!(pem = std_dh_prime_named(dhexpanded)))
831 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
832 host, US strerror(errno), errstr);
835 bio = BIO_new_mem_buf(CS pem, -1);
838 if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
841 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
846 /* note: our default limit of 2236 is not a multiple of 8; the limit comes from
847 * an NSS limit, and the GnuTLS APIs handle bit-sizes fine, so we went with
848 * 2236. But older OpenSSL can only report in bytes (octets), not bits.
849 * If someone wants to dance at the edge, then they can raise the limit or use
850 * current libraries. */
851 #ifdef EXIM_HAVE_OPENSSL_DH_BITS
852 /* Added in commit 26c79d5641d; `git describe --contains` says OpenSSL_1_1_0-pre1~1022
853 * This predates OpenSSL_1_1_0 (before a, b, ...) so is in all 1.1.0 */
854 dh_bitsize = DH_bits(dh);
856 dh_bitsize = 8 * DH_size(dh);
859 /* Even if it is larger, we silently return success rather than cause things
860 * to fail out, so that a too-large DH will not knock out all TLS; it's a
861 * debatable choice. */
862 if (dh_bitsize > tls_dh_max_bits)
865 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d\n",
866 dh_bitsize, tls_dh_max_bits);
870 SSL_CTX_set_tmp_dh(sctx, dh);
872 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
873 dhexpanded ? dhexpanded : US"default", dh_bitsize);
885 /*************************************************
886 * Initialize for ECDH *
887 *************************************************/
889 /* Load parameters for ECDH encryption.
891 For now, we stick to NIST P-256 because: it's simple and easy to configure;
892 it avoids any patent issues that might bite redistributors; despite events in
893 the news and concerns over curve choices, we're not cryptographers, we're not
894 pretending to be, and this is "good enough" to be better than no support,
895 protecting against most adversaries. Given another year or two, there might
896 be sufficient clarity about a "right" way forward to let us make an informed
897 decision, instead of a knee-jerk reaction.
899 Longer-term, we should look at supporting both various named curves and
900 external files generated with "openssl ecparam", much as we do for init_dh().
901 We should also support "none" as a value, to explicitly avoid initialisation.
906 sctx The current SSL CTX (inbound or outbound)
907 host connected host, if client; NULL if server
908 errstr error string pointer
910 Returns: TRUE if OK (nothing to set up, or setup worked)
914 init_ecdh(SSL_CTX * sctx, host_item * host, uschar ** errstr)
916 #ifdef OPENSSL_NO_ECDH
925 if (host) /* No ECDH setup for clients, only for servers */
928 # ifndef EXIM_HAVE_ECDH
930 debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
934 if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr))
936 if (!exp_curve || !*exp_curve)
939 /* "auto" needs to be handled carefully.
940 * OpenSSL < 1.0.2: we do not select anything, but fallback to prime256v1
941 * OpenSSL < 1.1.0: we have to call SSL_CTX_set_ecdh_auto
942 * (openssl/ssl.h defines SSL_CTRL_SET_ECDH_AUTO)
943 * OpenSSL >= 1.1.0: we do not set anything, the libray does autoselection
944 * https://github.com/openssl/openssl/commit/fe6ef2472db933f01b59cad82aa925736935984b
946 if (Ustrcmp(exp_curve, "auto") == 0)
948 #if OPENSSL_VERSION_NUMBER < 0x10002000L
949 DEBUG(D_tls) debug_printf(
950 "ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n");
951 exp_curve = US"prime256v1";
953 # if defined SSL_CTRL_SET_ECDH_AUTO
954 DEBUG(D_tls) debug_printf(
955 "ECDH OpenSSL 1.0.2+ temp key parameter settings: autoselection\n");
956 SSL_CTX_set_ecdh_auto(sctx, 1);
959 DEBUG(D_tls) debug_printf(
960 "ECDH OpenSSL 1.1.0+ temp key parameter settings: default selection\n");
966 DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve);
967 if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef
968 # ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
969 && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef
973 tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve),
978 if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
980 tls_error(US"Unable to create ec curve", host, NULL, errstr);
984 /* The "tmp" in the name here refers to setting a temporary key
985 not to the stability of the interface. */
987 if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
988 tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL, errstr);
990 DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
995 # endif /*EXIM_HAVE_ECDH*/
996 #endif /*OPENSSL_NO_ECDH*/
1002 #ifndef DISABLE_OCSP
1003 /*************************************************
1004 * Load OCSP information into state *
1005 *************************************************/
1006 /* Called to load the server OCSP response from the given file into memory, once
1007 caller has determined this is needed. Checks validity. Debugs a message
1010 ASSUMES: single response, for single cert.
1013 sctx the SSL_CTX* to update
1014 cbinfo various parts of session state
1015 expanded the filename putatively holding an OCSP response
1020 ocsp_load_response(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo, const uschar *expanded)
1023 OCSP_RESPONSE * resp;
1024 OCSP_BASICRESP * basic_response;
1025 OCSP_SINGLERESP * single_response;
1026 ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
1027 STACK_OF(X509) * sk;
1028 unsigned long verify_flags;
1029 int status, reason, i;
1031 cbinfo->u_ocsp.server.file_expanded = string_copy(expanded);
1032 if (cbinfo->u_ocsp.server.response)
1034 OCSP_RESPONSE_free(cbinfo->u_ocsp.server.response);
1035 cbinfo->u_ocsp.server.response = NULL;
1038 if (!(bio = BIO_new_file(CS cbinfo->u_ocsp.server.file_expanded, "rb")))
1040 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
1041 cbinfo->u_ocsp.server.file_expanded);
1045 resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
1049 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
1053 if ((status = OCSP_response_status(resp)) != OCSP_RESPONSE_STATUS_SUCCESSFUL)
1055 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
1056 OCSP_response_status_str(status), status);
1060 if (!(basic_response = OCSP_response_get1_basic(resp)))
1063 debug_printf("OCSP response parse error: unable to extract basic response.\n");
1067 sk = cbinfo->verify_stack;
1068 verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
1070 /* May need to expose ability to adjust those flags?
1071 OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
1072 OCSP_TRUSTOTHER OCSP_NOINTERN */
1074 /* This does a full verify on the OCSP proof before we load it for serving
1075 up; possibly overkill - just date-checks might be nice enough.
1077 OCSP_basic_verify takes a "store" arg, but does not
1078 use it for the chain verification, which is all we do
1079 when OCSP_NOVERIFY is set. The content from the wire
1080 "basic_response" and a cert-stack "sk" are all that is used.
1082 We have a stack, loaded in setup_certs() if tls_verify_certificates
1083 was a file (not a directory, or "system"). It is unfortunate we
1084 cannot used the connection context store, as that would neatly
1085 handle the "system" case too, but there seems to be no library
1086 function for getting a stack from a store.
1087 [ In OpenSSL 1.1 - ? X509_STORE_CTX_get0_chain(ctx) ? ]
1088 We do not free the stack since it could be needed a second time for
1091 Separately we might try to replace using OCSP_basic_verify() - which seems to not
1092 be a public interface into the OpenSSL library (there's no manual entry) -
1093 But what with? We also use OCSP_basic_verify in the client stapling callback.
1094 And there we NEED it; we must verify that status... unless the
1095 library does it for us anyway? */
1097 if ((i = OCSP_basic_verify(basic_response, sk, NULL, verify_flags)) < 0)
1101 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
1102 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
1107 /* Here's the simplifying assumption: there's only one response, for the
1108 one certificate we use, and nothing for anything else in a chain. If this
1109 proves false, we need to extract a cert id from our issued cert
1110 (tls_certificate) and use that for OCSP_resp_find_status() (which finds the
1111 right cert in the stack and then calls OCSP_single_get0_status()).
1113 I'm hoping to avoid reworking a bunch more of how we handle state here. */
1115 if (!(single_response = OCSP_resp_get0(basic_response, 0)))
1118 debug_printf("Unable to get first response from OCSP basic response.\n");
1122 status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
1123 if (status != V_OCSP_CERTSTATUS_GOOD)
1125 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
1126 OCSP_cert_status_str(status), status,
1127 OCSP_crl_reason_str(reason), reason);
1131 if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1133 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
1138 cbinfo->u_ocsp.server.response = resp; /*XXX stack?*/
1142 if (f.running_in_test_harness)
1144 extern char ** environ;
1146 if (environ) for (p = USS environ; *p; p++)
1147 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
1149 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
1150 goto supply_response;
1155 #endif /*!DISABLE_OCSP*/
1160 /* Create and install a selfsigned certificate, for use in server mode */
1163 tls_install_selfsign(SSL_CTX * sctx, uschar ** errstr)
1171 where = US"allocating pkey";
1172 if (!(pkey = EVP_PKEY_new()))
1175 where = US"allocating cert";
1176 if (!(x509 = X509_new()))
1179 where = US"generating pkey";
1180 if (!(rsa = rsa_callback(NULL, 0, 2048)))
1183 where = US"assigning pkey";
1184 if (!EVP_PKEY_assign_RSA(pkey, rsa))
1187 X509_set_version(x509, 2); /* N+1 - version 3 */
1188 ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
1189 X509_gmtime_adj(X509_get_notBefore(x509), 0);
1190 X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60); /* 1 hour */
1191 X509_set_pubkey(x509, pkey);
1193 name = X509_get_subject_name(x509);
1194 X509_NAME_add_entry_by_txt(name, "C",
1195 MBSTRING_ASC, CUS "UK", -1, -1, 0);
1196 X509_NAME_add_entry_by_txt(name, "O",
1197 MBSTRING_ASC, CUS "Exim Developers", -1, -1, 0);
1198 X509_NAME_add_entry_by_txt(name, "CN",
1199 MBSTRING_ASC, CUS smtp_active_hostname, -1, -1, 0);
1200 X509_set_issuer_name(x509, name);
1202 where = US"signing cert";
1203 if (!X509_sign(x509, pkey, EVP_md5()))
1206 where = US"installing selfsign cert";
1207 if (!SSL_CTX_use_certificate(sctx, x509))
1210 where = US"installing selfsign key";
1211 if (!SSL_CTX_use_PrivateKey(sctx, pkey))
1217 (void) tls_error(where, NULL, NULL, errstr);
1218 if (x509) X509_free(x509);
1219 if (pkey) EVP_PKEY_free(pkey);
1227 tls_add_certfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1230 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", file);
1231 if (!SSL_CTX_use_certificate_chain_file(sctx, CS file))
1232 return tls_error(string_sprintf(
1233 "SSL_CTX_use_certificate_chain_file file=%s", file),
1234 cbinfo->host, NULL, errstr);
1239 tls_add_pkeyfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1242 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", file);
1243 if (!SSL_CTX_use_PrivateKey_file(sctx, CS file, SSL_FILETYPE_PEM))
1244 return tls_error(string_sprintf(
1245 "SSL_CTX_use_PrivateKey_file file=%s", file), cbinfo->host, NULL, errstr);
1250 /*************************************************
1251 * Expand key and cert file specs *
1252 *************************************************/
1254 /* Called once during tls_init and possibly again during TLS setup, for a
1255 new context, if Server Name Indication was used and tls_sni was seen in
1256 the certificate string.
1259 sctx the SSL_CTX* to update
1260 cbinfo various parts of session state
1261 errstr error string pointer
1263 Returns: OK/DEFER/FAIL
1267 tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo,
1272 if (!cbinfo->certificate)
1274 if (!cbinfo->is_server) /* client */
1277 if (tls_install_selfsign(sctx, errstr) != OK)
1284 if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
1285 Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
1286 Ustrstr(cbinfo->certificate, US"tls_out_sni")
1288 reexpand_tls_files_for_sni = TRUE;
1290 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded, errstr))
1294 if (cbinfo->is_server)
1296 const uschar * file_list = expanded;
1300 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1301 if ((err = tls_add_certfile(sctx, cbinfo, file, errstr)))
1304 else /* would there ever be a need for multiple client certs? */
1305 if ((err = tls_add_certfile(sctx, cbinfo, expanded, errstr)))
1308 if ( cbinfo->privatekey
1309 && !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded, errstr))
1312 /* If expansion was forced to fail, key_expanded will be NULL. If the result
1313 of the expansion is an empty string, ignore it also, and assume the private
1314 key is in the same file as the certificate. */
1316 if (expanded && *expanded)
1317 if (cbinfo->is_server)
1319 const uschar * file_list = expanded;
1323 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1324 if ((err = tls_add_pkeyfile(sctx, cbinfo, file, errstr)))
1327 else /* would there ever be a need for multiple client certs? */
1328 if ((err = tls_add_pkeyfile(sctx, cbinfo, expanded, errstr)))
1332 #ifndef DISABLE_OCSP
1333 if (cbinfo->is_server && cbinfo->u_ocsp.server.file)
1336 if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded, errstr))
1339 if (expanded && *expanded)
1341 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
1342 if ( cbinfo->u_ocsp.server.file_expanded
1343 && (Ustrcmp(expanded, cbinfo->u_ocsp.server.file_expanded) == 0))
1345 DEBUG(D_tls) debug_printf(" - value unchanged, using existing values\n");
1348 ocsp_load_response(sctx, cbinfo, expanded);
1359 /*************************************************
1360 * Callback to handle SNI *
1361 *************************************************/
1363 /* Called when acting as server during the TLS session setup if a Server Name
1364 Indication extension was sent by the client.
1366 API documentation is OpenSSL s_server.c implementation.
1369 s SSL* of the current session
1370 ad unknown (part of OpenSSL API) (unused)
1371 arg Callback of "our" registered data
1373 Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
1376 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
1378 tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
1380 const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
1381 tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
1383 int old_pool = store_pool;
1384 uschar * dummy_errstr;
1387 return SSL_TLSEXT_ERR_OK;
1389 DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
1390 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
1392 /* Make the extension value available for expansion */
1393 store_pool = POOL_PERM;
1394 tls_in.sni = string_copy(US servername);
1395 store_pool = old_pool;
1397 if (!reexpand_tls_files_for_sni)
1398 return SSL_TLSEXT_ERR_OK;
1400 /* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
1401 not confident that memcpy wouldn't break some internal reference counting.
1402 Especially since there's a references struct member, which would be off. */
1404 #ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1405 if (!(server_sni = SSL_CTX_new(TLS_server_method())))
1407 if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
1410 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
1411 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
1415 /* Not sure how many of these are actually needed, since SSL object
1416 already exists. Might even need this selfsame callback, for reneg? */
1418 SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
1419 SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
1420 SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
1421 SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
1422 SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
1423 SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
1425 if ( !init_dh(server_sni, cbinfo->dhparam, NULL, &dummy_errstr)
1426 || !init_ecdh(server_sni, NULL, &dummy_errstr)
1430 if ( cbinfo->server_cipher_list
1431 && !SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list))
1434 #ifndef DISABLE_OCSP
1435 if (cbinfo->u_ocsp.server.file)
1437 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
1438 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
1442 if ((rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE,
1443 verify_callback_server, &dummy_errstr)) != OK)
1446 /* do this after setup_certs, because this can require the certs for verifying
1447 OCSP information. */
1448 if ((rc = tls_expand_session_files(server_sni, cbinfo, &dummy_errstr)) != OK)
1451 DEBUG(D_tls) debug_printf("Switching SSL context.\n");
1452 SSL_set_SSL_CTX(s, server_sni);
1453 return SSL_TLSEXT_ERR_OK;
1455 bad: return SSL_TLSEXT_ERR_ALERT_FATAL;
1457 #endif /* EXIM_HAVE_OPENSSL_TLSEXT */
1462 #ifndef DISABLE_OCSP
1464 /*************************************************
1465 * Callback to handle OCSP Stapling *
1466 *************************************************/
1468 /* Called when acting as server during the TLS session setup if the client
1469 requests OCSP information with a Certificate Status Request.
1471 Documentation via openssl s_server.c and the Apache patch from the OpenSSL
1477 tls_server_stapling_cb(SSL *s, void *arg)
1479 const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
1480 uschar *response_der; /*XXX blob */
1481 int response_der_len;
1483 /*XXX stack: use SSL_get_certificate() to see which cert; from that work
1484 out which ocsp blob to send. Unfortunately, SSL_get_certificate is known
1485 buggy in current OpenSSL; it returns the last cert loaded always rather than
1486 the one actually presented. So we can't support a stack of OCSP proofs at
1490 debug_printf("Received TLS status request (OCSP stapling); %s response\n",
1491 cbinfo->u_ocsp.server.response ? "have" : "lack");
1493 tls_in.ocsp = OCSP_NOT_RESP;
1494 if (!cbinfo->u_ocsp.server.response)
1495 return SSL_TLSEXT_ERR_NOACK;
1497 response_der = NULL;
1498 response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response, /*XXX stack*/
1500 if (response_der_len <= 0)
1501 return SSL_TLSEXT_ERR_NOACK;
1503 SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
1504 tls_in.ocsp = OCSP_VFIED;
1505 return SSL_TLSEXT_ERR_OK;
1510 time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
1512 BIO_printf(bp, "\t%s: ", str);
1513 ASN1_GENERALIZEDTIME_print(bp, time);
1518 tls_client_stapling_cb(SSL *s, void *arg)
1520 tls_ext_ctx_cb * cbinfo = arg;
1521 const unsigned char * p;
1523 OCSP_RESPONSE * rsp;
1524 OCSP_BASICRESP * bs;
1527 DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
1528 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1531 /* Expect this when we requested ocsp but got none */
1532 if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
1533 log_write(0, LOG_MAIN, "Received TLS status callback, null content");
1535 DEBUG(D_tls) debug_printf(" null\n");
1536 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1539 if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
1541 tls_out.ocsp = OCSP_FAILED;
1542 if (LOGGING(tls_cipher))
1543 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
1545 DEBUG(D_tls) debug_printf(" parse error\n");
1549 if(!(bs = OCSP_response_get1_basic(rsp)))
1551 tls_out.ocsp = OCSP_FAILED;
1552 if (LOGGING(tls_cipher))
1553 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
1555 DEBUG(D_tls) debug_printf(" error parsing response\n");
1556 OCSP_RESPONSE_free(rsp);
1560 /* We'd check the nonce here if we'd put one in the request. */
1561 /* However that would defeat cacheability on the server so we don't. */
1563 /* This section of code reworked from OpenSSL apps source;
1564 The OpenSSL Project retains copyright:
1565 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
1570 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1572 DEBUG(D_tls) bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
1574 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
1576 /* Use the chain that verified the server cert to verify the stapled info */
1577 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
1579 if ((i = OCSP_basic_verify(bs, cbinfo->verify_stack,
1580 cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
1582 tls_out.ocsp = OCSP_FAILED;
1583 if (LOGGING(tls_cipher)) log_write(0, LOG_MAIN,
1584 "Received TLS cert status response, itself unverifiable: %s",
1585 ERR_reason_error_string(ERR_peek_error()));
1586 BIO_printf(bp, "OCSP response verify failure\n");
1587 ERR_print_errors(bp);
1588 OCSP_RESPONSE_print(bp, rsp, 0);
1592 BIO_printf(bp, "OCSP response well-formed and signed OK\n");
1594 /*XXX So we have a good stapled OCSP status. How do we know
1595 it is for the cert of interest? OpenSSL 1.1.0 has a routine
1596 OCSP_resp_find_status() which matches on a cert id, which presumably
1597 we should use. Making an id needs OCSP_cert_id_new(), which takes
1598 issuerName, issuerKey, serialNumber. Are they all in the cert?
1600 For now, carry on blindly accepting the resp. */
1603 OCSP_SINGLERESP * single;
1605 #ifdef EXIM_HAVE_OCSP_RESP_COUNT
1606 if (OCSP_resp_count(bs) != 1)
1608 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
1609 if (sk_OCSP_SINGLERESP_num(sresp) != 1)
1612 tls_out.ocsp = OCSP_FAILED;
1613 log_write(0, LOG_MAIN, "OCSP stapling "
1614 "with multiple responses not handled");
1617 single = OCSP_resp_get0(bs, 0);
1618 status = OCSP_single_get0_status(single, &reason, &rev,
1619 &thisupd, &nextupd);
1622 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
1623 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
1624 if (!OCSP_check_validity(thisupd, nextupd,
1625 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1627 tls_out.ocsp = OCSP_FAILED;
1628 DEBUG(D_tls) ERR_print_errors(bp);
1629 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
1633 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
1634 OCSP_cert_status_str(status));
1637 case V_OCSP_CERTSTATUS_GOOD:
1638 tls_out.ocsp = OCSP_VFIED;
1641 case V_OCSP_CERTSTATUS_REVOKED:
1642 tls_out.ocsp = OCSP_FAILED;
1643 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
1644 reason != -1 ? "; reason: " : "",
1645 reason != -1 ? OCSP_crl_reason_str(reason) : "");
1646 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
1649 tls_out.ocsp = OCSP_FAILED;
1650 log_write(0, LOG_MAIN,
1651 "Server certificate status unknown, in OCSP stapling");
1656 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1661 OCSP_RESPONSE_free(rsp);
1664 #endif /*!DISABLE_OCSP*/
1667 /*************************************************
1668 * Initialize for TLS *
1669 *************************************************/
1671 /* Called from both server and client code, to do preliminary initialization
1672 of the library. We allocate and return a context structure.
1675 ctxp returned SSL context
1676 host connected host, if client; NULL if server
1677 dhparam DH parameter file
1678 certificate certificate file
1679 privatekey private key
1680 ocsp_file file of stapling info (server); flag for require ocsp (client)
1681 addr address if client; NULL if server (for some randomness)
1682 cbp place to put allocated callback context
1683 errstr error string pointer
1685 Returns: OK/DEFER/FAIL
1689 tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
1691 #ifndef DISABLE_OCSP
1692 uschar *ocsp_file, /*XXX stack, in server*/
1694 address_item *addr, tls_ext_ctx_cb ** cbp, uschar ** errstr)
1699 tls_ext_ctx_cb * cbinfo;
1701 cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
1702 cbinfo->certificate = certificate;
1703 cbinfo->privatekey = privatekey;
1704 cbinfo->is_server = host==NULL;
1705 #ifndef DISABLE_OCSP
1706 cbinfo->verify_stack = NULL;
1709 cbinfo->u_ocsp.server.file = ocsp_file;
1710 cbinfo->u_ocsp.server.file_expanded = NULL;
1711 cbinfo->u_ocsp.server.response = NULL;
1714 cbinfo->u_ocsp.client.verify_store = NULL;
1716 cbinfo->dhparam = dhparam;
1717 cbinfo->server_cipher_list = NULL;
1718 cbinfo->host = host;
1719 #ifndef DISABLE_EVENT
1720 cbinfo->event_action = NULL;
1723 #ifdef EXIM_NEED_OPENSSL_INIT
1724 SSL_load_error_strings(); /* basic set up */
1725 OpenSSL_add_ssl_algorithms();
1728 #ifdef EXIM_HAVE_SHA256
1729 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
1730 list of available digests. */
1731 EVP_add_digest(EVP_sha256());
1734 /* Create a context.
1735 The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
1736 negotiation in the different methods; as far as I can tell, the only
1737 *_{server,client}_method which allows negotiation is SSLv23, which exists even
1738 when OpenSSL is built without SSLv2 support.
1739 By disabling with openssl_options, we can let admins re-enable with the
1742 #ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1743 if (!(ctx = SSL_CTX_new(host ? TLS_client_method() : TLS_server_method())))
1745 if (!(ctx = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method())))
1747 return tls_error(US"SSL_CTX_new", host, NULL, errstr);
1749 /* It turns out that we need to seed the random number generator this early in
1750 order to get the full complement of ciphers to work. It took me roughly a day
1751 of work to discover this by experiment.
1753 On systems that have /dev/urandom, SSL may automatically seed itself from
1754 there. Otherwise, we have to make something up as best we can. Double check
1760 gettimeofday(&r.tv, NULL);
1763 RAND_seed(US (&r), sizeof(r));
1764 RAND_seed(US big_buffer, big_buffer_size);
1765 if (addr != NULL) RAND_seed(US addr, sizeof(addr));
1768 return tls_error(US"RAND_status", host,
1769 US"unable to seed random number generator", errstr);
1772 /* Set up the information callback, which outputs if debugging is at a suitable
1775 DEBUG(D_tls) SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
1777 /* Automatically re-try reads/writes after renegotiation. */
1778 (void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
1780 /* Apply administrator-supplied work-arounds.
1781 Historically we applied just one requested option,
1782 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
1783 moved to an administrator-controlled list of options to specify and
1784 grandfathered in the first one as the default value for "openssl_options".
1786 No OpenSSL version number checks: the options we accept depend upon the
1787 availability of the option value macros from OpenSSL. */
1789 if (!tls_openssl_options_parse(openssl_options, &init_options))
1790 return tls_error(US"openssl_options parsing failed", host, NULL, errstr);
1794 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
1795 if (!(SSL_CTX_set_options(ctx, init_options)))
1796 return tls_error(string_sprintf(
1797 "SSL_CTX_set_option(%#lx)", init_options), host, NULL, errstr);
1800 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
1802 /* We'd like to disable session cache unconditionally, but foolish Outlook
1803 Express clients then give up the first TLS connection and make a second one
1804 (which works). Only when there is an IMAP service on the same machine.
1805 Presumably OE is trying to use the cache for A on B. Leave it enabled for
1806 now, until we work out a decent way of presenting control to the config. It
1807 will never be used because we use a new context every time. */
1809 (void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
1812 /* Initialize with DH parameters if supplied */
1813 /* Initialize ECDH temp key parameter selection */
1815 if ( !init_dh(ctx, dhparam, host, errstr)
1816 || !init_ecdh(ctx, host, errstr)
1820 /* Set up certificate and key (and perhaps OCSP info) */
1822 if ((rc = tls_expand_session_files(ctx, cbinfo, errstr)) != OK)
1825 /* If we need to handle SNI or OCSP, do so */
1827 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
1828 # ifndef DISABLE_OCSP
1829 if (!(cbinfo->verify_stack = sk_X509_new_null()))
1831 DEBUG(D_tls) debug_printf("failed to create stack for stapling verify\n");
1836 if (!host) /* server */
1838 # ifndef DISABLE_OCSP
1839 /* We check u_ocsp.server.file, not server.response, because we care about if
1840 the option exists, not what the current expansion might be, as SNI might
1841 change the certificate and OCSP file in use between now and the time the
1842 callback is invoked. */
1843 if (cbinfo->u_ocsp.server.file)
1845 SSL_CTX_set_tlsext_status_cb(ctx, tls_server_stapling_cb);
1846 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
1849 /* We always do this, so that $tls_sni is available even if not used in
1851 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
1852 SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
1854 # ifndef DISABLE_OCSP
1856 if(ocsp_file) /* wanting stapling */
1858 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
1860 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
1863 SSL_CTX_set_tlsext_status_cb(ctx, tls_client_stapling_cb);
1864 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
1869 cbinfo->verify_cert_hostnames = NULL;
1871 #ifdef EXIM_HAVE_EPHEM_RSA_KEX
1872 /* Set up the RSA callback */
1873 SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
1876 /* Finally, set the timeout, and we are done */
1878 SSL_CTX_set_timeout(ctx, ssl_session_timeout);
1879 DEBUG(D_tls) debug_printf("Initialized TLS\n");
1890 /*************************************************
1891 * Get name of cipher in use *
1892 *************************************************/
1895 Argument: pointer to an SSL structure for the connection
1896 buffer to use for answer
1898 pointer to number of bits for cipher
1903 construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits)
1905 /* With OpenSSL 1.0.0a, 'c' needs to be const but the documentation doesn't
1906 yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
1907 the accessor functions use const in the prototype. */
1909 const uschar * ver = CUS SSL_get_version(ssl);
1910 const SSL_CIPHER * c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
1912 SSL_CIPHER_get_bits(c, bits);
1914 string_format(cipherbuf, bsize, "%s:%s:%u", ver,
1915 SSL_CIPHER_get_name(c), *bits);
1917 DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
1922 peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned siz)
1924 /*XXX we might consider a list-of-certs variable for the cert chain.
1925 SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
1926 in list-handling functions, also consider the difference between the entire
1927 chain and the elements sent by the peer. */
1929 tlsp->peerdn = NULL;
1931 /* Will have already noted peercert on a verify fail; possibly not the leaf */
1932 if (!tlsp->peercert)
1933 tlsp->peercert = SSL_get_peer_certificate(ssl);
1934 /* Beware anonymous ciphers which lead to server_cert being NULL */
1936 if (!X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, siz))
1937 { DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n"); }
1940 peerdn[siz-1] = '\0';
1941 tlsp->peerdn = peerdn; /*XXX a static buffer... */
1949 /*************************************************
1950 * Set up for verifying certificates *
1951 *************************************************/
1953 #ifndef DISABLE_OCSP
1954 /* Load certs from file, return TRUE on success */
1957 chain_from_pem_file(const uschar * file, STACK_OF(X509) * verify_stack)
1962 while (sk_X509_num(verify_stack) > 0)
1963 X509_free(sk_X509_pop(verify_stack));
1965 if (!(bp = BIO_new_file(CS file, "r"))) return FALSE;
1966 while ((x = PEM_read_bio_X509(bp, NULL, 0, NULL)))
1967 sk_X509_push(verify_stack, x);
1975 /* Called by both client and server startup; on the server possibly
1976 repeated after a Server Name Indication.
1979 sctx SSL_CTX* to initialise
1980 certs certs file or NULL
1981 crl CRL file or NULL
1982 host NULL in a server; the remote host in a client
1983 optional TRUE if called from a server for a host in tls_try_verify_hosts;
1984 otherwise passed as FALSE
1985 cert_vfy_cb Callback function for certificate verification
1986 errstr error string pointer
1988 Returns: OK/DEFER/FAIL
1992 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
1993 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr)
1995 uschar *expcerts, *expcrl;
1997 if (!expand_check(certs, US"tls_verify_certificates", &expcerts, errstr))
1999 DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
2001 if (expcerts && *expcerts)
2003 /* Tell the library to use its compiled-in location for the system default
2004 CA bundle. Then add the ones specified in the config, if any. */
2006 if (!SSL_CTX_set_default_verify_paths(sctx))
2007 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL, errstr);
2009 if (Ustrcmp(expcerts, "system") != 0)
2011 struct stat statbuf;
2013 if (Ustat(expcerts, &statbuf) < 0)
2015 log_write(0, LOG_MAIN|LOG_PANIC,
2016 "failed to stat %s for certificates", expcerts);
2022 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
2023 { file = NULL; dir = expcerts; }
2026 file = expcerts; dir = NULL;
2027 #ifndef DISABLE_OCSP
2028 /* In the server if we will be offering an OCSP proof, load chain from
2029 file for verifying the OCSP proof at load time. */
2032 && statbuf.st_size > 0
2033 && server_static_cbinfo->u_ocsp.server.file
2034 && !chain_from_pem_file(file, server_static_cbinfo->verify_stack)
2037 log_write(0, LOG_MAIN|LOG_PANIC,
2038 "failed to load cert chain from %s", file);
2044 /* If a certificate file is empty, the next function fails with an
2045 unhelpful error message. If we skip it, we get the correct behaviour (no
2046 certificates are recognized, but the error message is still misleading (it
2047 says no certificate was supplied). But this is better. */
2049 if ( (!file || statbuf.st_size > 0)
2050 && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
2051 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL, errstr);
2053 /* Load the list of CAs for which we will accept certs, for sending
2054 to the client. This is only for the one-file tls_verify_certificates
2056 If a list isn't loaded into the server, but
2057 some verify locations are set, the server end appears to make
2058 a wildcard request for client certs.
2059 Meanwhile, the client library as default behaviour *ignores* the list
2060 we send over the wire - see man SSL_CTX_set_client_cert_cb.
2061 Because of this, and that the dir variant is likely only used for
2062 the public-CA bundle (not for a private CA), not worth fixing.
2066 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
2068 SSL_CTX_set_client_CA_list(sctx, names);
2069 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
2070 sk_X509_NAME_num(names));
2075 /* Handle a certificate revocation list. */
2077 #if OPENSSL_VERSION_NUMBER > 0x00907000L
2079 /* This bit of code is now the version supplied by Lars Mainka. (I have
2080 merely reformatted it into the Exim code style.)
2082 "From here I changed the code to add support for multiple crl's
2083 in pem format in one file or to support hashed directory entries in
2084 pem format instead of a file. This method now uses the library function
2085 X509_STORE_load_locations to add the CRL location to the SSL context.
2086 OpenSSL will then handle the verify against CA certs and CRLs by
2087 itself in the verify callback." */
2089 if (!expand_check(crl, US"tls_crl", &expcrl, errstr)) return DEFER;
2090 if (expcrl && *expcrl)
2092 struct stat statbufcrl;
2093 if (Ustat(expcrl, &statbufcrl) < 0)
2095 log_write(0, LOG_MAIN|LOG_PANIC,
2096 "failed to stat %s for certificates revocation lists", expcrl);
2101 /* is it a file or directory? */
2103 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
2104 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
2108 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
2114 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
2116 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
2117 return tls_error(US"X509_STORE_load_locations", host, NULL, errstr);
2119 /* setting the flags to check against the complete crl chain */
2121 X509_STORE_set_flags(cvstore,
2122 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
2126 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
2128 /* If verification is optional, don't fail if no certificate */
2130 SSL_CTX_set_verify(sctx,
2131 SSL_VERIFY_PEER | (optional ? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
2140 /*************************************************
2141 * Start a TLS session in a server *
2142 *************************************************/
2144 /* This is called when Exim is running as a server, after having received
2145 the STARTTLS command. It must respond to that command, and then negotiate
2149 require_ciphers allowed ciphers
2150 errstr pointer to error message
2152 Returns: OK on success
2153 DEFER for errors before the start of the negotiation
2154 FAIL for errors during the negotiation; the server can't
2159 tls_server_start(const uschar * require_ciphers, uschar ** errstr)
2162 uschar * expciphers;
2163 tls_ext_ctx_cb * cbinfo;
2164 static uschar peerdn[256];
2165 static uschar cipherbuf[256];
2167 /* Check for previous activation */
2169 if (tls_in.active.sock >= 0)
2171 tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
2172 smtp_printf("554 Already in TLS\r\n", FALSE);
2176 /* Initialize the SSL library. If it fails, it will already have logged
2179 rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
2180 #ifndef DISABLE_OCSP
2181 tls_ocsp_file, /*XXX stack*/
2183 NULL, &server_static_cbinfo, errstr);
2184 if (rc != OK) return rc;
2185 cbinfo = server_static_cbinfo;
2187 if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers, errstr))
2190 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
2191 were historically separated by underscores. So that I can use either form in my
2192 tests, and also for general convenience, we turn underscores into hyphens here.
2194 XXX SSL_CTX_set_cipher_list() is replaced by SSL_CTX_set_ciphersuites()
2195 for TLS 1.3 . Since we do not call it at present we get the default list:
2196 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
2201 uschar * s = expciphers;
2202 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
2203 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
2204 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
2205 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL, errstr);
2206 cbinfo->server_cipher_list = expciphers;
2209 /* If this is a host for which certificate verification is mandatory or
2210 optional, set up appropriately. */
2212 tls_in.certificate_verified = FALSE;
2214 tls_in.dane_verified = FALSE;
2216 server_verify_callback_called = FALSE;
2218 if (verify_check_host(&tls_verify_hosts) == OK)
2220 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
2221 FALSE, verify_callback_server, errstr);
2222 if (rc != OK) return rc;
2223 server_verify_optional = FALSE;
2225 else if (verify_check_host(&tls_try_verify_hosts) == OK)
2227 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
2228 TRUE, verify_callback_server, errstr);
2229 if (rc != OK) return rc;
2230 server_verify_optional = TRUE;
2233 /* Prepare for new connection */
2235 if (!(server_ssl = SSL_new(server_ctx)))
2236 return tls_error(US"SSL_new", NULL, NULL, errstr);
2238 /* Warning: we used to SSL_clear(ssl) here, it was removed.
2240 * With the SSL_clear(), we get strange interoperability bugs with
2241 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
2242 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
2244 * The SSL_clear() call is to let an existing SSL* be reused, typically after
2245 * session shutdown. In this case, we have a brand new object and there's no
2246 * obvious reason to immediately clear it. I'm guessing that this was
2247 * originally added because of incomplete initialisation which the clear fixed,
2248 * in some historic release.
2251 /* Set context and tell client to go ahead, except in the case of TLS startup
2252 on connection, where outputting anything now upsets the clients and tends to
2253 make them disconnect. We need to have an explicit fflush() here, to force out
2254 the response. Other smtp_printf() calls do not need it, because in non-TLS
2255 mode, the fflush() happens when smtp_getc() is called. */
2257 SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
2258 if (!tls_in.on_connect)
2260 smtp_printf("220 TLS go ahead\r\n", FALSE);
2264 /* Now negotiate the TLS session. We put our own timer on it, since it seems
2265 that the OpenSSL library doesn't. */
2267 SSL_set_wfd(server_ssl, fileno(smtp_out));
2268 SSL_set_rfd(server_ssl, fileno(smtp_in));
2269 SSL_set_accept_state(server_ssl);
2271 DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
2273 sigalrm_seen = FALSE;
2274 if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
2275 rc = SSL_accept(server_ssl);
2280 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
2284 DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
2285 ERR_clear_error(); /* Even success can leave errors in the stack. Seen with
2286 anon-authentication ciphersuite negociated. */
2288 /* TLS has been set up. Adjust the input functions to read via TLS,
2289 and initialize things. */
2291 peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
2293 construct_cipher_name(server_ssl, cipherbuf, sizeof(cipherbuf), &tls_in.bits);
2294 tls_in.cipher = cipherbuf;
2299 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)) != NULL)
2300 debug_printf("Shared ciphers: %s\n", buf);
2303 /* Record the certificate we presented */
2305 X509 * crt = SSL_get_certificate(server_ssl);
2306 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
2309 /* Only used by the server-side tls (tls_in), including tls_getc.
2310 Client-side (tls_out) reads (seem to?) go via
2311 smtp_read_response()/ip_recv().
2312 Hence no need to duplicate for _in and _out.
2314 if (!ssl_xfer_buffer) ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
2315 ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
2316 ssl_xfer_eof = ssl_xfer_error = FALSE;
2318 receive_getc = tls_getc;
2319 receive_getbuf = tls_getbuf;
2320 receive_get_cache = tls_get_cache;
2321 receive_ungetc = tls_ungetc;
2322 receive_feof = tls_feof;
2323 receive_ferror = tls_ferror;
2324 receive_smtp_buffered = tls_smtp_buffered;
2326 tls_in.active.sock = fileno(smtp_out);
2327 tls_in.active.tls_ctx = NULL; /* not using explicit ctx for server-side */
2335 tls_client_basic_ctx_init(SSL_CTX * ctx,
2336 host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo,
2340 /* stick to the old behaviour for compatibility if tls_verify_certificates is
2341 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
2342 the specified host patterns if one of them is defined */
2344 if ( ( !ob->tls_verify_hosts
2345 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2347 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
2349 client_verify_optional = FALSE;
2350 else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
2351 client_verify_optional = TRUE;
2355 if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
2356 ob->tls_crl, host, client_verify_optional, verify_callback_client,
2360 if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
2362 cbinfo->verify_cert_hostnames =
2364 string_domain_utf8_to_alabel(host->name, NULL);
2368 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
2369 cbinfo->verify_cert_hostnames);
2377 dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa, uschar ** errstr)
2381 const char * hostnames[2] = { CS host->name, NULL };
2384 if (DANESSL_init(ssl, NULL, hostnames) != 1)
2385 return tls_error(US"hostnames load", host, NULL, errstr);
2387 for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
2389 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
2390 ) if (rr->type == T_TLSA && rr->size > 3)
2392 const uschar * p = rr->data;
2393 uint8_t usage, selector, mtype;
2394 const char * mdname;
2398 /* Only DANE-TA(2) and DANE-EE(3) are supported */
2399 if (usage != 2 && usage != 3) continue;
2406 default: continue; /* Only match-types 0, 1, 2 are supported */
2407 case 0: mdname = NULL; break;
2408 case 1: mdname = "sha256"; break;
2409 case 2: mdname = "sha512"; break;
2413 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
2416 return tls_error(US"tlsa load", host, NULL, errstr);
2417 case 0: /* action not taken */
2421 tls_out.tlsa_usage |= 1<<usage;
2427 log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
2430 #endif /*SUPPORT_DANE*/
2434 /*************************************************
2435 * Start a TLS session in a client *
2436 *************************************************/
2438 /* Called from the smtp transport after STARTTLS has been accepted.
2441 fd the fd of the connection
2442 host connected host (for messages and option-tests)
2443 addr the first address (for some randomness; can be NULL)
2444 tb transport (always smtp)
2445 tlsa_dnsa tlsa lookup, if DANE, else null
2446 tlsp record details of channel configuration here; must be non-NULL
2447 errstr error string pointer
2449 Returns: Pointer to TLS session context, or NULL on error
2453 tls_client_start(int fd, host_item *host, address_item *addr,
2454 transport_instance * tb,
2456 dns_answer * tlsa_dnsa,
2458 tls_support * tlsp, uschar ** errstr)
2460 smtp_transport_options_block * ob = tb
2461 ? (smtp_transport_options_block *)tb->options_block
2462 : &smtp_transport_option_defaults;
2463 exim_openssl_client_tls_ctx * exim_client_ctx;
2464 static uschar peerdn[256];
2465 uschar * expciphers;
2467 static uschar cipherbuf[256];
2469 #ifndef DISABLE_OCSP
2470 BOOL request_ocsp = FALSE;
2471 BOOL require_ocsp = FALSE;
2475 store_pool = POOL_PERM;
2476 exim_client_ctx = store_get(sizeof(exim_openssl_client_tls_ctx));
2477 exim_client_ctx->corked = NULL;
2481 tlsp->tlsa_usage = 0;
2484 #ifndef DISABLE_OCSP
2486 # ifdef SUPPORT_DANE
2488 && ob->hosts_request_ocsp[0] == '*'
2489 && ob->hosts_request_ocsp[1] == '\0'
2492 /* Unchanged from default. Use a safer one under DANE */
2493 request_ocsp = TRUE;
2494 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
2495 " {= {4}{$tls_out_tlsa_usage}} } "
2501 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK))
2502 request_ocsp = TRUE;
2504 # ifdef SUPPORT_DANE
2508 verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
2512 rc = tls_init(&exim_client_ctx->ctx, host, NULL,
2513 ob->tls_certificate, ob->tls_privatekey,
2514 #ifndef DISABLE_OCSP
2515 (void *)(long)request_ocsp,
2517 addr, &client_static_cbinfo, errstr);
2518 if (rc != OK) return NULL;
2520 tlsp->certificate_verified = FALSE;
2521 client_verify_callback_called = FALSE;
2527 /* We fall back to tls_require_ciphers if unset, empty or forced failure, but
2528 other failures should be treated as problems. */
2529 if (ob->dane_require_tls_ciphers &&
2530 !expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
2531 &expciphers, errstr))
2533 if (expciphers && *expciphers == '\0')
2538 !expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
2539 &expciphers, errstr))
2542 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
2543 are separated by underscores. So that I can use either form in my tests, and
2544 also for general convenience, we turn underscores into hyphens here. */
2548 uschar *s = expciphers;
2549 while (*s) { if (*s == '_') *s = '-'; s++; }
2550 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
2551 if (!SSL_CTX_set_cipher_list(exim_client_ctx->ctx, CS expciphers))
2553 tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr);
2561 SSL_CTX_set_verify(exim_client_ctx->ctx,
2562 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2563 verify_callback_client_dane);
2565 if (!DANESSL_library_init())
2567 tls_error(US"library init", host, NULL, errstr);
2570 if (DANESSL_CTX_init(exim_client_ctx->ctx) <= 0)
2572 tls_error(US"context init", host, NULL, errstr);
2580 if (tls_client_basic_ctx_init(exim_client_ctx->ctx, host, ob,
2581 client_static_cbinfo, errstr) != OK)
2584 if (!(exim_client_ctx->ssl = SSL_new(exim_client_ctx->ctx)))
2586 tls_error(US"SSL_new", host, NULL, errstr);
2589 SSL_set_session_id_context(exim_client_ctx->ssl, sid_ctx, Ustrlen(sid_ctx));
2590 SSL_set_fd(exim_client_ctx->ssl, fd);
2591 SSL_set_connect_state(exim_client_ctx->ssl);
2595 if (!expand_check(ob->tls_sni, US"tls_sni", &tlsp->sni, errstr))
2599 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
2601 else if (!Ustrlen(tlsp->sni))
2605 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
2606 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tlsp->sni);
2607 SSL_set_tlsext_host_name(exim_client_ctx->ssl, tlsp->sni);
2609 log_write(0, LOG_MAIN, "SNI unusable with this OpenSSL library version; ignoring \"%s\"\n",
2617 if (dane_tlsa_load(exim_client_ctx->ssl, host, tlsa_dnsa, errstr) != OK)
2621 #ifndef DISABLE_OCSP
2622 /* Request certificate status at connection-time. If the server
2623 does OCSP stapling we will get the callback (set in tls_init()) */
2624 # ifdef SUPPORT_DANE
2628 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
2629 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
2631 { /* Re-eval now $tls_out_tlsa_usage is populated. If
2632 this means we avoid the OCSP request, we wasted the setup
2633 cost in tls_init(). */
2634 require_ocsp = verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
2635 request_ocsp = require_ocsp
2636 || verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
2643 SSL_set_tlsext_status_type(exim_client_ctx->ssl, TLSEXT_STATUSTYPE_ocsp);
2644 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
2645 tlsp->ocsp = OCSP_NOT_RESP;
2649 #ifndef DISABLE_EVENT
2650 client_static_cbinfo->event_action = tb ? tb->event_action : NULL;
2653 /* There doesn't seem to be a built-in timeout on connection. */
2655 DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
2656 sigalrm_seen = FALSE;
2657 ALARM(ob->command_timeout);
2658 rc = SSL_connect(exim_client_ctx->ssl);
2663 DANESSL_cleanup(exim_client_ctx->ssl);
2668 tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL, errstr);
2672 DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
2674 peer_cert(exim_client_ctx->ssl, tlsp, peerdn, sizeof(peerdn));
2676 construct_cipher_name(exim_client_ctx->ssl, cipherbuf, sizeof(cipherbuf), &tlsp->bits);
2677 tlsp->cipher = cipherbuf;
2679 /* Record the certificate we presented */
2681 X509 * crt = SSL_get_certificate(exim_client_ctx->ssl);
2682 tlsp->ourcert = crt ? X509_dup(crt) : NULL;
2685 tlsp->active.sock = fd;
2686 tlsp->active.tls_ctx = exim_client_ctx;
2687 return exim_client_ctx;
2695 tls_refill(unsigned lim)
2700 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
2701 ssl_xfer_buffer, ssl_xfer_buffer_size);
2703 if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
2704 inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer,
2705 MIN(ssl_xfer_buffer_size, lim));
2706 error = SSL_get_error(server_ssl, inbytes);
2707 if (smtp_receive_timeout > 0) ALARM_CLR(0);
2709 if (had_command_timeout) /* set by signal handler */
2710 smtp_command_timeout_exit(); /* does not return */
2711 if (had_command_sigterm)
2712 smtp_command_sigterm_exit();
2713 if (had_data_timeout)
2714 smtp_data_timeout_exit();
2715 if (had_data_sigint)
2716 smtp_data_sigint_exit();
2718 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
2719 closed down, not that the socket itself has been closed down. Revert to
2720 non-SSL handling. */
2724 case SSL_ERROR_NONE:
2727 case SSL_ERROR_ZERO_RETURN:
2728 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2730 receive_getc = smtp_getc;
2731 receive_getbuf = smtp_getbuf;
2732 receive_get_cache = smtp_get_cache;
2733 receive_ungetc = smtp_ungetc;
2734 receive_feof = smtp_feof;
2735 receive_ferror = smtp_ferror;
2736 receive_smtp_buffered = smtp_buffered;
2738 if (SSL_get_shutdown(server_ssl) == SSL_RECEIVED_SHUTDOWN)
2739 SSL_shutdown(server_ssl);
2741 #ifndef DISABLE_OCSP
2742 sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
2743 server_static_cbinfo->verify_stack = NULL;
2745 SSL_free(server_ssl);
2746 SSL_CTX_free(server_ctx);
2749 tls_in.active.sock = -1;
2750 tls_in.active.tls_ctx = NULL;
2752 tls_in.cipher = NULL;
2753 tls_in.peerdn = NULL;
2758 /* Handle genuine errors */
2760 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
2761 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
2762 ssl_xfer_error = TRUE;
2766 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
2767 DEBUG(D_tls) if (error == SSL_ERROR_SYSCALL)
2768 debug_printf(" - syscall %s\n", strerror(errno));
2769 ssl_xfer_error = TRUE;
2773 #ifndef DISABLE_DKIM
2774 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
2776 ssl_xfer_buffer_hwm = inbytes;
2777 ssl_xfer_buffer_lwm = 0;
2782 /*************************************************
2783 * TLS version of getc *
2784 *************************************************/
2786 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
2787 it refills the buffer via the SSL reading function.
2789 Arguments: lim Maximum amount to read/buffer
2790 Returns: the next character or EOF
2792 Only used by the server-side TLS.
2796 tls_getc(unsigned lim)
2798 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
2799 if (!tls_refill(lim))
2800 return ssl_xfer_error ? EOF : smtp_getc(lim);
2802 /* Something in the buffer; return next uschar */
2804 return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
2808 tls_getbuf(unsigned * len)
2813 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
2814 if (!tls_refill(*len))
2816 if (!ssl_xfer_error) return smtp_getbuf(len);
2821 if ((size = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm) > *len)
2823 buf = &ssl_xfer_buffer[ssl_xfer_buffer_lwm];
2824 ssl_xfer_buffer_lwm += size;
2833 #ifndef DISABLE_DKIM
2834 int n = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm;
2836 dkim_exim_verify_feed(ssl_xfer_buffer+ssl_xfer_buffer_lwm, n);
2842 tls_could_read(void)
2844 return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm || SSL_pending(server_ssl) > 0;
2848 /*************************************************
2849 * Read bytes from TLS channel *
2850 *************************************************/
2854 ct_ctx client context pointer, or NULL for the one global server context
2858 Returns: the number of bytes read
2859 -1 after a failed read, including EOF
2861 Only used by the client-side TLS.
2865 tls_read(void * ct_ctx, uschar *buff, size_t len)
2867 SSL * ssl = ct_ctx ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
2871 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
2872 buff, (unsigned int)len);
2874 inbytes = SSL_read(ssl, CS buff, len);
2875 error = SSL_get_error(ssl, inbytes);
2877 if (error == SSL_ERROR_ZERO_RETURN)
2879 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2882 else if (error != SSL_ERROR_NONE)
2892 /*************************************************
2893 * Write bytes down TLS channel *
2894 *************************************************/
2898 ct_ctx client context pointer, or NULL for the one global server context
2901 more further data expected soon
2903 Returns: the number of bytes after a successful write,
2904 -1 after a failed write
2906 Used by both server-side and client-side TLS.
2910 tls_write(void * ct_ctx, const uschar *buff, size_t len, BOOL more)
2912 int outbytes, error, left;
2914 ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
2915 static gstring * server_corked = NULL;
2916 gstring ** corkedp = ct_ctx
2917 ? &((exim_openssl_client_tls_ctx *)ct_ctx)->corked : &server_corked;
2918 gstring * corked = *corkedp;
2920 DEBUG(D_tls) debug_printf("%s(%p, %lu%s)\n", __FUNCTION__,
2921 buff, (unsigned long)len, more ? ", more" : "");
2923 /* Lacking a CORK or MSG_MORE facility (such as GnuTLS has) we copy data when
2924 "more" is notified. This hack is only ok if small amounts are involved AND only
2925 one stream does it, in one context (i.e. no store reset). Currently it is used
2926 for the responses to the received SMTP MAIL , RCPT, DATA sequence, only.
2927 We support callouts done by the server process by using a separate client
2928 context for the stashed information. */
2929 /* + if PIPE_COMMAND, banner & ehlo-resp for smmtp-on-connect. Suspect there's
2930 a store reset there, so use POOL_PERM. */
2931 /* + if CHUNKING, cmds EHLO,MAIL,RCPT(s),BDAT */
2933 if (!ct_ctx && (more || corked))
2935 #ifdef EXPERIMENTAL_PIPE_CONNECT
2936 int save_pool = store_pool;
2937 store_pool = POOL_PERM;
2940 corked = string_catn(corked, buff, len);
2942 #ifdef EXPERIMENTAL_PIPE_CONNECT
2943 store_pool = save_pool;
2951 buff = CUS corked->s;
2956 for (left = len; left > 0;)
2958 DEBUG(D_tls) debug_printf("SSL_write(%p, %p, %d)\n", ssl, buff, left);
2959 outbytes = SSL_write(ssl, CS buff, left);
2960 error = SSL_get_error(ssl, outbytes);
2961 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
2965 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
2966 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
2969 case SSL_ERROR_NONE:
2974 case SSL_ERROR_ZERO_RETURN:
2975 log_write(0, LOG_MAIN, "SSL channel closed on write");
2978 case SSL_ERROR_SYSCALL:
2979 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
2980 sender_fullhost ? sender_fullhost : US"<unknown>",
2985 log_write(0, LOG_MAIN, "SSL_write error %d", error);
2994 /*************************************************
2995 * Close down a TLS session *
2996 *************************************************/
2998 /* This is also called from within a delivery subprocess forked from the
2999 daemon, to shut down the TLS library, without actually doing a shutdown (which
3000 would tamper with the SSL session in the parent process).
3003 ct_ctx client TLS context pointer, or NULL for the one global server context
3004 shutdown 1 if TLS close-alert is to be sent,
3005 2 if also response to be waited for
3009 Used by both server-side and client-side TLS.
3013 tls_close(void * ct_ctx, int shutdown)
3015 exim_openssl_client_tls_ctx * o_ctx = ct_ctx;
3016 SSL_CTX **ctxp = o_ctx ? &o_ctx->ctx : &server_ctx;
3017 SSL **sslp = o_ctx ? &o_ctx->ssl : &server_ssl;
3018 int *fdp = o_ctx ? &tls_out.active.sock : &tls_in.active.sock;
3020 if (*fdp < 0) return; /* TLS was not active */
3025 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
3026 shutdown > 1 ? " (with response-wait)" : "");
3028 if ( (rc = SSL_shutdown(*sslp)) == 0 /* send "close notify" alert */
3032 rc = SSL_shutdown(*sslp); /* wait for response */
3036 if (rc < 0) DEBUG(D_tls)
3038 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3039 debug_printf("SSL_shutdown: %s\n", ssl_errstring);
3043 #ifndef DISABLE_OCSP
3044 if (!o_ctx) /* server side */
3046 sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
3047 server_static_cbinfo->verify_stack = NULL;
3051 SSL_CTX_free(*ctxp);
3061 /*************************************************
3062 * Let tls_require_ciphers be checked at startup *
3063 *************************************************/
3065 /* The tls_require_ciphers option, if set, must be something which the
3068 Returns: NULL on success, or error message
3072 tls_validate_require_cipher(void)
3075 uschar *s, *expciphers, *err;
3077 /* this duplicates from tls_init(), we need a better "init just global
3078 state, for no specific purpose" singleton function of our own */
3080 #ifdef EXIM_NEED_OPENSSL_INIT
3081 SSL_load_error_strings();
3082 OpenSSL_add_ssl_algorithms();
3084 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
3085 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
3086 list of available digests. */
3087 EVP_add_digest(EVP_sha256());
3090 if (!(tls_require_ciphers && *tls_require_ciphers))
3093 if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
3095 return US"failed to expand tls_require_ciphers";
3097 if (!(expciphers && *expciphers))
3100 /* normalisation ripped from above */
3102 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
3106 #ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
3107 if (!(ctx = SSL_CTX_new(TLS_server_method())))
3109 if (!(ctx = SSL_CTX_new(SSLv23_server_method())))
3112 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3113 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
3117 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
3119 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
3121 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3122 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed: %s",
3123 expciphers, ssl_errstring);
3134 /*************************************************
3135 * Report the library versions. *
3136 *************************************************/
3138 /* There have historically been some issues with binary compatibility in
3139 OpenSSL libraries; if Exim (like many other applications) is built against
3140 one version of OpenSSL but the run-time linker picks up another version,
3141 it can result in serious failures, including crashing with a SIGSEGV. So
3142 report the version found by the compiler and the run-time version.
3144 Note: some OS vendors backport security fixes without changing the version
3145 number/string, and the version date remains unchanged. The _build_ date
3146 will change, so we can more usefully assist with version diagnosis by also
3147 reporting the build date.
3149 Arguments: a FILE* to print the results to
3154 tls_version_report(FILE *f)
3156 fprintf(f, "Library version: OpenSSL: Compile: %s\n"
3159 OPENSSL_VERSION_TEXT,
3160 SSLeay_version(SSLEAY_VERSION),
3161 SSLeay_version(SSLEAY_BUILT_ON));
3162 /* third line is 38 characters for the %s and the line is 73 chars long;
3163 the OpenSSL output includes a "built on: " prefix already. */
3169 /*************************************************
3170 * Random number generation *
3171 *************************************************/
3173 /* Pseudo-random number generation. The result is not expected to be
3174 cryptographically strong but not so weak that someone will shoot themselves
3175 in the foot using it as a nonce in input in some email header scheme or
3176 whatever weirdness they'll twist this into. The result should handle fork()
3177 and avoid repeating sequences. OpenSSL handles that for us.
3181 Returns a random number in range [0, max-1]
3185 vaguely_random_number(int max)
3189 static pid_t pidlast = 0;
3192 uschar smallbuf[sizeof(r)];
3198 if (pidnow != pidlast)
3200 /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
3201 is unique for each thread", this doesn't apparently apply across processes,
3202 so our own warning from vaguely_random_number_fallback() applies here too.
3203 Fix per PostgreSQL. */
3209 /* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
3213 gettimeofday(&r.tv, NULL);
3216 RAND_seed(US (&r), sizeof(r));
3218 /* We're after pseudo-random, not random; if we still don't have enough data
3219 in the internal PRNG then our options are limited. We could sleep and hope
3220 for entropy to come along (prayer technique) but if the system is so depleted
3221 in the first place then something is likely to just keep taking it. Instead,
3222 we'll just take whatever little bit of pseudo-random we can still manage to
3225 needed_len = sizeof(r);
3226 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
3227 asked for a number less than 10. */
3228 for (r = max, i = 0; r; ++i)
3234 #ifdef EXIM_HAVE_RAND_PSEUDO
3235 /* We do not care if crypto-strong */
3236 i = RAND_pseudo_bytes(smallbuf, needed_len);
3238 i = RAND_bytes(smallbuf, needed_len);
3244 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
3245 return vaguely_random_number_fallback(max);
3249 for (p = smallbuf; needed_len; --needed_len, ++p)
3255 /* We don't particularly care about weighted results; if someone wants
3256 smooth distribution and cares enough then they should submit a patch then. */
3263 /*************************************************
3264 * OpenSSL option parse *
3265 *************************************************/
3267 /* Parse one option for tls_openssl_options_parse below
3270 name one option name
3271 value place to store a value for it
3272 Returns success or failure in parsing
3278 tls_openssl_one_option_parse(uschar *name, long *value)
3281 int last = exim_openssl_options_size;
3282 while (last > first)
3284 int middle = (first + last)/2;
3285 int c = Ustrcmp(name, exim_openssl_options[middle].name);
3288 *value = exim_openssl_options[middle].value;
3302 /*************************************************
3303 * OpenSSL option parsing logic *
3304 *************************************************/
3306 /* OpenSSL has a number of compatibility options which an administrator might
3307 reasonably wish to set. Interpret a list similarly to decode_bits(), so that
3308 we look like log_selector.
3311 option_spec the administrator-supplied string of options
3312 results ptr to long storage for the options bitmap
3313 Returns success or failure
3317 tls_openssl_options_parse(uschar *option_spec, long *results)
3322 BOOL adding, item_parsed;
3324 result = SSL_OP_NO_TICKET;
3325 /* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
3326 * from default because it increases BEAST susceptibility. */
3327 #ifdef SSL_OP_NO_SSLv2
3328 result |= SSL_OP_NO_SSLv2;
3330 #ifdef SSL_OP_SINGLE_DH_USE
3331 result |= SSL_OP_SINGLE_DH_USE;
3340 for (s=option_spec; *s != '\0'; /**/)
3342 while (isspace(*s)) ++s;
3345 if (*s != '+' && *s != '-')
3347 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
3348 "+ or - expected but found \"%s\"\n", s);
3351 adding = *s++ == '+';
3352 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
3355 item_parsed = tls_openssl_one_option_parse(s, &item);
3359 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
3362 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
3363 adding ? "adding" : "removing", result, item, s);
3375 #endif /*!MACRO_PREDEF*/
3378 /* End of tls-openssl.c */