1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* See the file NOTICE for conditions of use and distribution. */
8 /* Portions Copyright (c) The OpenSSL Project 1999 */
10 /* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11 library. It is #included into the tls.c file when that library is used. The
12 code herein is based on a patch that was originally contributed by Steve
13 Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
15 No cryptographic code is included in Exim. All this module does is to call
16 functions from the OpenSSL library. */
21 #include <openssl/lhash.h>
22 #include <openssl/ssl.h>
23 #include <openssl/err.h>
24 #include <openssl/rand.h>
25 #ifndef OPENSSL_NO_ECDH
26 # include <openssl/ec.h>
29 # include <openssl/ocsp.h>
37 # define EXIM_OCSP_SKEW_SECONDS (300L)
38 # define EXIM_OCSP_MAX_AGE (-1L)
41 #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
42 # define EXIM_HAVE_OPENSSL_TLSEXT
44 #if OPENSSL_VERSION_NUMBER >= 0x00908000L
45 # define EXIM_HAVE_RSA_GENKEY_EX
47 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
48 # define EXIM_HAVE_OCSP_RESP_COUNT
50 # define EXIM_HAVE_EPHEM_RSA_KEX
51 # define EXIM_HAVE_RAND_PSEUDO
53 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
54 # define EXIM_HAVE_SHA256
58 * X509_check_host provides sane certificate hostname checking, but was added
59 * to OpenSSL late, after other projects forked off the code-base. So in
60 * addition to guarding against the base version number, beware that LibreSSL
61 * does not (at this time) support this function.
63 * If LibreSSL gains a different API, perhaps via libtls, then we'll probably
64 * opt to disentangle and ask a LibreSSL user to provide glue for a third
65 * crypto provider for libtls instead of continuing to tie the OpenSSL glue
66 * into even twistier knots. If LibreSSL gains the same API, we can just
67 * change this guard and punt the issue for a while longer.
69 #ifndef LIBRESSL_VERSION_NUMBER
70 # if OPENSSL_VERSION_NUMBER >= 0x010100000L
71 # define EXIM_HAVE_OPENSSL_CHECKHOST
72 # define EXIM_HAVE_OPENSSL_DH_BITS
73 # define EXIM_HAVE_OPENSSL_TLS_METHOD
75 # if OPENSSL_VERSION_NUMBER >= 0x010000000L \
76 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
77 # define EXIM_HAVE_OPENSSL_CHECKHOST
81 #if !defined(LIBRESSL_VERSION_NUMBER) \
82 || LIBRESSL_VERSION_NUMBER >= 0x20010000L
83 # if !defined(OPENSSL_NO_ECDH)
84 # if OPENSSL_VERSION_NUMBER >= 0x0090800fL
85 # define EXIM_HAVE_ECDH
87 # if OPENSSL_VERSION_NUMBER >= 0x10002000L
88 # define EXIM_HAVE_OPENSSL_EC_NIST2NID
93 #if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
94 # warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
98 #ifdef EXIM_HAVE_OPENSSL_CHECKHOST
99 # include <openssl/x509v3.h>
102 /*************************************************
103 * OpenSSL option parse *
104 *************************************************/
106 typedef struct exim_openssl_option {
109 } exim_openssl_option;
110 /* We could use a macro to expand, but we need the ifdef and not all the
111 options document which version they were introduced in. Policylet: include
112 all options unless explicitly for DTLS, let the administrator choose which
115 This list is current as of:
117 Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
118 Plus SSL_OP_NO_TLSv1_3 for 1.1.2-dev
120 static exim_openssl_option exim_openssl_options[] = {
121 /* KEEP SORTED ALPHABETICALLY! */
123 { US"all", SSL_OP_ALL },
125 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
126 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
128 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
129 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
131 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
132 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
134 #ifdef SSL_OP_EPHEMERAL_RSA
135 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
137 #ifdef SSL_OP_LEGACY_SERVER_CONNECT
138 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
140 #ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
141 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
143 #ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
144 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
146 #ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
147 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
149 #ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
150 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
152 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
153 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
155 #ifdef SSL_OP_NO_COMPRESSION
156 { US"no_compression", SSL_OP_NO_COMPRESSION },
158 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
159 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
161 #ifdef SSL_OP_NO_SSLv2
162 { US"no_sslv2", SSL_OP_NO_SSLv2 },
164 #ifdef SSL_OP_NO_SSLv3
165 { US"no_sslv3", SSL_OP_NO_SSLv3 },
167 #ifdef SSL_OP_NO_TICKET
168 { US"no_ticket", SSL_OP_NO_TICKET },
170 #ifdef SSL_OP_NO_TLSv1
171 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
173 #ifdef SSL_OP_NO_TLSv1_1
174 #if SSL_OP_NO_TLSv1_1 == 0x00000400L
175 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
176 #warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
178 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
181 #ifdef SSL_OP_NO_TLSv1_2
182 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
184 #ifdef SSL_OP_NO_TLSv1_3
185 { US"no_tlsv1_3", SSL_OP_NO_TLSv1_3 },
187 #ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
188 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
190 #ifdef SSL_OP_SINGLE_DH_USE
191 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
193 #ifdef SSL_OP_SINGLE_ECDH_USE
194 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
196 #ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
197 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
199 #ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
200 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
202 #ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
203 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
205 #ifdef SSL_OP_TLS_D5_BUG
206 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
208 #ifdef SSL_OP_TLS_ROLLBACK_BUG
209 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
214 static int exim_openssl_options_size = nelem(exim_openssl_options);
221 struct exim_openssl_option * o;
224 for (o = exim_openssl_options;
225 o < exim_openssl_options + nelem(exim_openssl_options); o++)
227 /* Trailing X is workaround for problem with _OPT_OPENSSL_NO_TLSV1
228 being a ".ifdef _OPT_OPENSSL_NO_TLSV1_3" match */
230 spf(buf, sizeof(buf), US"_OPT_OPENSSL_%T_X", o->name);
231 builtin_macro_create(buf);
236 /******************************************************************************/
238 /* Structure for collecting random data for seeding. */
240 typedef struct randstuff {
245 /* Local static variables */
247 static BOOL client_verify_callback_called = FALSE;
248 static BOOL server_verify_callback_called = FALSE;
249 static const uschar *sid_ctx = US"exim";
251 /* We have three different contexts to care about.
253 Simple case: client, `client_ctx`
254 As a client, we can be doing a callout or cut-through delivery while receiving
255 a message. So we have a client context, which should have options initialised
256 from the SMTP Transport. We may also concurrently want to make TLS connections
257 to utility daemons, so client-contexts are allocated and passed around in call
258 args rather than using a gobal.
261 There are two cases: with and without ServerNameIndication from the client.
262 Given TLS SNI, we can be using different keys, certs and various other
263 configuration settings, because they're re-expanded with $tls_sni set. This
264 allows vhosting with TLS. This SNI is sent in the handshake.
265 A client might not send SNI, so we need a fallback, and an initial setup too.
266 So as a server, we start out using `server_ctx`.
267 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
268 `server_sni` from `server_ctx` and then initialise settings by re-expanding
275 } exim_openssl_client_tls_ctx;
277 static SSL_CTX *server_ctx = NULL;
278 static SSL *server_ssl = NULL;
280 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
281 static SSL_CTX *server_sni = NULL;
284 static char ssl_errstring[256];
286 static int ssl_session_timeout = 200;
287 static BOOL client_verify_optional = FALSE;
288 static BOOL server_verify_optional = FALSE;
290 static BOOL reexpand_tls_files_for_sni = FALSE;
293 typedef struct tls_ext_ctx_cb {
298 STACK_OF(X509) *verify_stack; /* chain for verifying the proof */
302 uschar *file_expanded;
303 OCSP_RESPONSE *response;
306 X509_STORE *verify_store; /* non-null if status requested */
307 BOOL verify_required;
312 /* these are cached from first expand */
313 uschar *server_cipher_list;
314 /* only passed down to tls_error: */
316 const uschar * verify_cert_hostnames;
317 #ifndef DISABLE_EVENT
318 uschar * event_action;
322 /* should figure out a cleanup of API to handle state preserved per
323 implementation, for various reasons, which can be void * in the APIs.
324 For now, we hack around it. */
325 tls_ext_ctx_cb *client_static_cbinfo = NULL;
326 tls_ext_ctx_cb *server_static_cbinfo = NULL;
329 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
330 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr );
333 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
334 static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
337 static int tls_server_stapling_cb(SSL *s, void *arg);
341 /*************************************************
343 *************************************************/
345 /* Called from lots of places when errors occur before actually starting to do
346 the TLS handshake, that is, while the session is still in clear. Always returns
347 DEFER for a server and FAIL for a client so that most calls can use "return
348 tls_error(...)" to do this processing and then give an appropriate return. A
349 single function is used for both server and client, because it is called from
350 some shared functions.
353 prefix text to include in the logged error
354 host NULL if setting up a server;
355 the connected host if setting up a client
356 msg error message or NULL if we should ask OpenSSL
357 errstr pointer to output error message
359 Returns: OK/DEFER/FAIL
363 tls_error(uschar * prefix, const host_item * host, uschar * msg, uschar ** errstr)
367 ERR_error_string(ERR_get_error(), ssl_errstring);
368 msg = US ssl_errstring;
371 if (errstr) *errstr = string_sprintf("(%s): %s", prefix, msg);
372 return host ? FAIL : DEFER;
377 /*************************************************
378 * Callback to generate RSA key *
379 *************************************************/
383 s SSL connection (not used)
387 Returns: pointer to generated key
391 rsa_callback(SSL *s, int export, int keylength)
394 #ifdef EXIM_HAVE_RSA_GENKEY_EX
395 BIGNUM *bn = BN_new();
398 export = export; /* Shut picky compilers up */
399 DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
401 #ifdef EXIM_HAVE_RSA_GENKEY_EX
402 if ( !BN_set_word(bn, (unsigned long)RSA_F4)
403 || !(rsa_key = RSA_new())
404 || !RSA_generate_key_ex(rsa_key, keylength, bn, NULL)
407 if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL)))
411 ERR_error_string(ERR_get_error(), ssl_errstring);
412 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
424 x509_store_dump_cert_s_names(X509_STORE * store)
426 STACK_OF(X509_OBJECT) * roots= store->objs;
428 static uschar name[256];
430 for(i= 0; i<sk_X509_OBJECT_num(roots); i++)
432 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
433 if(tmp_obj->type == X509_LU_X509)
435 X509_NAME * sn = X509_get_subject_name(tmp_obj->data.x509);
436 if (X509_NAME_oneline(sn, CS name, sizeof(name)))
438 name[sizeof(name)-1] = '\0';
439 debug_printf(" %s\n", name);
448 #ifndef DISABLE_EVENT
450 verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
451 BOOL *calledp, const BOOL *optionalp, const uschar * what)
457 ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
460 DEBUG(D_tls) debug_printf("verify_event: %s %d\n", what, depth);
461 old_cert = tlsp->peercert;
462 tlsp->peercert = X509_dup(cert);
463 /* NB we do not bother setting peerdn */
464 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
466 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
467 "depth=%d cert=%s: %s",
468 tlsp == &tls_out ? deliver_host_address : sender_host_address,
469 what, depth, dn, yield);
473 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
474 return 1; /* reject (leaving peercert set) */
476 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
477 "(host in tls_try_verify_hosts)\n");
479 X509_free(tlsp->peercert);
480 tlsp->peercert = old_cert;
486 /*************************************************
487 * Callback for verification *
488 *************************************************/
490 /* The SSL library does certificate verification if set up to do so. This
491 callback has the current yes/no state is in "state". If verification succeeded,
492 we set the certificate-verified flag. If verification failed, what happens
493 depends on whether the client is required to present a verifiable certificate
496 If verification is optional, we change the state to yes, but still log the
497 verification error. For some reason (it really would help to have proper
498 documentation of OpenSSL), this callback function then gets called again, this
499 time with state = 1. We must take care not to set the private verified flag on
500 the second time through.
502 Note: this function is not called if the client fails to present a certificate
503 when asked. We get here only if a certificate has been received. Handling of
504 optional verification for this case is done when requesting SSL to verify, by
505 setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
507 May be called multiple times for different issues with a certificate, even
508 for a given "depth" in the certificate chain.
511 preverify_ok current yes/no state as 1/0
512 x509ctx certificate information.
513 tlsp per-direction (client vs. server) support data
514 calledp has-been-called flag
515 optionalp verification-is-optional flag
517 Returns: 0 if verification should fail, otherwise 1
521 verify_callback(int preverify_ok, X509_STORE_CTX * x509ctx,
522 tls_support * tlsp, BOOL * calledp, BOOL * optionalp)
524 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
525 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
528 if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
530 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
531 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
532 tlsp == &tls_out ? deliver_host_address : sender_host_address);
535 dn[sizeof(dn)-1] = '\0';
537 if (preverify_ok == 0)
539 uschar * extra = verify_mode ? string_sprintf(" (during %c-verify for [%s])",
540 *verify_mode, sender_host_address)
542 log_write(0, LOG_MAIN, "[%s] SSL verify error%s: depth=%d error=%s cert=%s",
543 tlsp == &tls_out ? deliver_host_address : sender_host_address,
545 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)), dn);
550 tlsp->peercert = X509_dup(cert); /* record failing cert */
551 return 0; /* reject */
553 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
554 "tls_try_verify_hosts)\n");
559 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
561 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
562 { /* client, wanting stapling */
563 /* Add the server cert's signing chain as the one
564 for the verification of the OCSP stapled information. */
566 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
569 sk_X509_push(client_static_cbinfo->verify_stack, cert);
572 #ifndef DISABLE_EVENT
573 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
574 return 0; /* reject, with peercert set */
579 const uschar * verify_cert_hostnames;
581 if ( tlsp == &tls_out
582 && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
583 /* client, wanting hostname check */
586 #ifdef EXIM_HAVE_OPENSSL_CHECKHOST
587 # ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
588 # define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
590 # ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
591 # define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
594 const uschar * list = verify_cert_hostnames;
597 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
598 if ((rc = X509_check_host(cert, CCS name, 0,
599 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
600 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
605 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
606 tlsp == &tls_out ? deliver_host_address : sender_host_address);
613 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
616 uschar * extra = verify_mode
617 ? string_sprintf(" (during %c-verify for [%s])",
618 *verify_mode, sender_host_address)
620 log_write(0, LOG_MAIN,
621 "[%s] SSL verify error%s: certificate name mismatch: DN=\"%s\" H=\"%s\"",
622 tlsp == &tls_out ? deliver_host_address : sender_host_address,
623 extra, dn, verify_cert_hostnames);
628 tlsp->peercert = X509_dup(cert); /* record failing cert */
629 return 0; /* reject */
631 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
632 "tls_try_verify_hosts)\n");
636 #ifndef DISABLE_EVENT
637 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
638 return 0; /* reject, with peercert set */
641 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
642 *calledp ? "" : " authenticated", dn);
643 if (!*calledp) tlsp->certificate_verified = TRUE;
647 return 1; /* accept, at least for this level */
651 verify_callback_client(int preverify_ok, X509_STORE_CTX *x509ctx)
653 return verify_callback(preverify_ok, x509ctx, &tls_out,
654 &client_verify_callback_called, &client_verify_optional);
658 verify_callback_server(int preverify_ok, X509_STORE_CTX *x509ctx)
660 return verify_callback(preverify_ok, x509ctx, &tls_in,
661 &server_verify_callback_called, &server_verify_optional);
667 /* This gets called *by* the dane library verify callback, which interposes
671 verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
673 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
675 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
676 #ifndef DISABLE_EVENT
677 BOOL dummy_called, optional = FALSE;
680 if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
682 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
683 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
684 deliver_host_address);
687 dn[sizeof(dn)-1] = '\0';
689 DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
690 preverify_ok ? "ok":"BAD", depth, dn);
692 #ifndef DISABLE_EVENT
693 if (verify_event(&tls_out, cert, depth, dn,
694 &dummy_called, &optional, US"DANE"))
695 return 0; /* reject, with peercert set */
698 if (preverify_ok == 1)
700 tls_out.dane_verified = tls_out.certificate_verified = TRUE;
702 if (client_static_cbinfo->u_ocsp.client.verify_store)
703 { /* client, wanting stapling */
704 /* Add the server cert's signing chain as the one
705 for the verification of the OCSP stapled information. */
707 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
710 sk_X509_push(client_static_cbinfo->verify_stack, cert);
716 int err = X509_STORE_CTX_get_error(x509ctx);
718 debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
719 if (err == X509_V_ERR_APPLICATION_VERIFICATION)
725 #endif /*SUPPORT_DANE*/
728 /*************************************************
729 * Information callback *
730 *************************************************/
732 /* The SSL library functions call this from time to time to indicate what they
733 are doing. We copy the string to the debugging output when TLS debugging has
745 info_callback(SSL *s, int where, int ret)
749 DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
754 /*************************************************
755 * Initialize for DH *
756 *************************************************/
758 /* If dhparam is set, expand it, and load up the parameters for DH encryption.
761 sctx The current SSL CTX (inbound or outbound)
762 dhparam DH parameter file or fixed parameter identity string
763 host connected host, if client; NULL if server
764 errstr error string pointer
766 Returns: TRUE if OK (nothing to set up, or setup worked)
770 init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host, uschar ** errstr)
778 if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded, errstr))
781 if (!dhexpanded || !*dhexpanded)
782 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
783 else if (dhexpanded[0] == '/')
785 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
787 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
788 host, US strerror(errno), errstr);
794 if (Ustrcmp(dhexpanded, "none") == 0)
796 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
800 if (!(pem = std_dh_prime_named(dhexpanded)))
802 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
803 host, US strerror(errno), errstr);
806 bio = BIO_new_mem_buf(CS pem, -1);
809 if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
812 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
817 /* note: our default limit of 2236 is not a multiple of 8; the limit comes from
818 * an NSS limit, and the GnuTLS APIs handle bit-sizes fine, so we went with
819 * 2236. But older OpenSSL can only report in bytes (octets), not bits.
820 * If someone wants to dance at the edge, then they can raise the limit or use
821 * current libraries. */
822 #ifdef EXIM_HAVE_OPENSSL_DH_BITS
823 /* Added in commit 26c79d5641d; `git describe --contains` says OpenSSL_1_1_0-pre1~1022
824 * This predates OpenSSL_1_1_0 (before a, b, ...) so is in all 1.1.0 */
825 dh_bitsize = DH_bits(dh);
827 dh_bitsize = 8 * DH_size(dh);
830 /* Even if it is larger, we silently return success rather than cause things
831 * to fail out, so that a too-large DH will not knock out all TLS; it's a
832 * debatable choice. */
833 if (dh_bitsize > tls_dh_max_bits)
836 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d\n",
837 dh_bitsize, tls_dh_max_bits);
841 SSL_CTX_set_tmp_dh(sctx, dh);
843 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
844 dhexpanded ? dhexpanded : US"default", dh_bitsize);
856 /*************************************************
857 * Initialize for ECDH *
858 *************************************************/
860 /* Load parameters for ECDH encryption.
862 For now, we stick to NIST P-256 because: it's simple and easy to configure;
863 it avoids any patent issues that might bite redistributors; despite events in
864 the news and concerns over curve choices, we're not cryptographers, we're not
865 pretending to be, and this is "good enough" to be better than no support,
866 protecting against most adversaries. Given another year or two, there might
867 be sufficient clarity about a "right" way forward to let us make an informed
868 decision, instead of a knee-jerk reaction.
870 Longer-term, we should look at supporting both various named curves and
871 external files generated with "openssl ecparam", much as we do for init_dh().
872 We should also support "none" as a value, to explicitly avoid initialisation.
877 sctx The current SSL CTX (inbound or outbound)
878 host connected host, if client; NULL if server
879 errstr error string pointer
881 Returns: TRUE if OK (nothing to set up, or setup worked)
885 init_ecdh(SSL_CTX * sctx, host_item * host, uschar ** errstr)
887 #ifdef OPENSSL_NO_ECDH
896 if (host) /* No ECDH setup for clients, only for servers */
899 # ifndef EXIM_HAVE_ECDH
901 debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
905 if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr))
907 if (!exp_curve || !*exp_curve)
910 /* "auto" needs to be handled carefully.
911 * OpenSSL < 1.0.2: we do not select anything, but fallback to prime256v1
912 * OpenSSL < 1.1.0: we have to call SSL_CTX_set_ecdh_auto
913 * (openssl/ssl.h defines SSL_CTRL_SET_ECDH_AUTO)
914 * OpenSSL >= 1.1.0: we do not set anything, the libray does autoselection
915 * https://github.com/openssl/openssl/commit/fe6ef2472db933f01b59cad82aa925736935984b
917 if (Ustrcmp(exp_curve, "auto") == 0)
919 #if OPENSSL_VERSION_NUMBER < 0x10002000L
920 DEBUG(D_tls) debug_printf(
921 "ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n");
922 exp_curve = US"prime256v1";
924 # if defined SSL_CTRL_SET_ECDH_AUTO
925 DEBUG(D_tls) debug_printf(
926 "ECDH OpenSSL 1.0.2+ temp key parameter settings: autoselection\n");
927 SSL_CTX_set_ecdh_auto(sctx, 1);
930 DEBUG(D_tls) debug_printf(
931 "ECDH OpenSSL 1.1.0+ temp key parameter settings: default selection\n");
937 DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve);
938 if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef
939 # ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
940 && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef
944 tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve),
949 if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
951 tls_error(US"Unable to create ec curve", host, NULL, errstr);
955 /* The "tmp" in the name here refers to setting a temporary key
956 not to the stability of the interface. */
958 if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
959 tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL, errstr);
961 DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
966 # endif /*EXIM_HAVE_ECDH*/
967 #endif /*OPENSSL_NO_ECDH*/
974 /*************************************************
975 * Load OCSP information into state *
976 *************************************************/
977 /* Called to load the server OCSP response from the given file into memory, once
978 caller has determined this is needed. Checks validity. Debugs a message
981 ASSUMES: single response, for single cert.
984 sctx the SSL_CTX* to update
985 cbinfo various parts of session state
986 expanded the filename putatively holding an OCSP response
991 ocsp_load_response(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo, const uschar *expanded)
994 OCSP_RESPONSE * resp;
995 OCSP_BASICRESP * basic_response;
996 OCSP_SINGLERESP * single_response;
997 ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
999 unsigned long verify_flags;
1000 int status, reason, i;
1002 cbinfo->u_ocsp.server.file_expanded = string_copy(expanded);
1003 if (cbinfo->u_ocsp.server.response)
1005 OCSP_RESPONSE_free(cbinfo->u_ocsp.server.response);
1006 cbinfo->u_ocsp.server.response = NULL;
1009 if (!(bio = BIO_new_file(CS cbinfo->u_ocsp.server.file_expanded, "rb")))
1011 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
1012 cbinfo->u_ocsp.server.file_expanded);
1016 resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
1020 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
1024 if ((status = OCSP_response_status(resp)) != OCSP_RESPONSE_STATUS_SUCCESSFUL)
1026 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
1027 OCSP_response_status_str(status), status);
1031 if (!(basic_response = OCSP_response_get1_basic(resp)))
1034 debug_printf("OCSP response parse error: unable to extract basic response.\n");
1038 sk = cbinfo->verify_stack;
1039 verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
1041 /* May need to expose ability to adjust those flags?
1042 OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
1043 OCSP_TRUSTOTHER OCSP_NOINTERN */
1045 /* This does a full verify on the OCSP proof before we load it for serving
1046 up; possibly overkill - just date-checks might be nice enough.
1048 OCSP_basic_verify takes a "store" arg, but does not
1049 use it for the chain verification, which is all we do
1050 when OCSP_NOVERIFY is set. The content from the wire
1051 "basic_response" and a cert-stack "sk" are all that is used.
1053 We have a stack, loaded in setup_certs() if tls_verify_certificates
1054 was a file (not a directory, or "system"). It is unfortunate we
1055 cannot used the connection context store, as that would neatly
1056 handle the "system" case too, but there seems to be no library
1057 function for getting a stack from a store.
1058 [ In OpenSSL 1.1 - ? X509_STORE_CTX_get0_chain(ctx) ? ]
1059 We do not free the stack since it could be needed a second time for
1062 Separately we might try to replace using OCSP_basic_verify() - which seems to not
1063 be a public interface into the OpenSSL library (there's no manual entry) -
1064 But what with? We also use OCSP_basic_verify in the client stapling callback.
1065 And there we NEED it; we must verify that status... unless the
1066 library does it for us anyway? */
1068 if ((i = OCSP_basic_verify(basic_response, sk, NULL, verify_flags)) < 0)
1072 ERR_error_string(ERR_get_error(), ssl_errstring);
1073 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
1078 /* Here's the simplifying assumption: there's only one response, for the
1079 one certificate we use, and nothing for anything else in a chain. If this
1080 proves false, we need to extract a cert id from our issued cert
1081 (tls_certificate) and use that for OCSP_resp_find_status() (which finds the
1082 right cert in the stack and then calls OCSP_single_get0_status()).
1084 I'm hoping to avoid reworking a bunch more of how we handle state here. */
1086 if (!(single_response = OCSP_resp_get0(basic_response, 0)))
1089 debug_printf("Unable to get first response from OCSP basic response.\n");
1093 status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
1094 if (status != V_OCSP_CERTSTATUS_GOOD)
1096 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
1097 OCSP_cert_status_str(status), status,
1098 OCSP_crl_reason_str(reason), reason);
1102 if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1104 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
1109 cbinfo->u_ocsp.server.response = resp; /*XXX stack?*/
1113 if (f.running_in_test_harness)
1115 extern char ** environ;
1117 if (environ) for (p = USS environ; *p; p++)
1118 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
1120 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
1121 goto supply_response;
1126 #endif /*!DISABLE_OCSP*/
1131 /* Create and install a selfsigned certificate, for use in server mode */
1134 tls_install_selfsign(SSL_CTX * sctx, uschar ** errstr)
1142 where = US"allocating pkey";
1143 if (!(pkey = EVP_PKEY_new()))
1146 where = US"allocating cert";
1147 if (!(x509 = X509_new()))
1150 where = US"generating pkey";
1151 if (!(rsa = rsa_callback(NULL, 0, 1024)))
1154 where = US"assigning pkey";
1155 if (!EVP_PKEY_assign_RSA(pkey, rsa))
1158 X509_set_version(x509, 2); /* N+1 - version 3 */
1159 ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
1160 X509_gmtime_adj(X509_get_notBefore(x509), 0);
1161 X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60); /* 1 hour */
1162 X509_set_pubkey(x509, pkey);
1164 name = X509_get_subject_name(x509);
1165 X509_NAME_add_entry_by_txt(name, "C",
1166 MBSTRING_ASC, CUS "UK", -1, -1, 0);
1167 X509_NAME_add_entry_by_txt(name, "O",
1168 MBSTRING_ASC, CUS "Exim Developers", -1, -1, 0);
1169 X509_NAME_add_entry_by_txt(name, "CN",
1170 MBSTRING_ASC, CUS smtp_active_hostname, -1, -1, 0);
1171 X509_set_issuer_name(x509, name);
1173 where = US"signing cert";
1174 if (!X509_sign(x509, pkey, EVP_md5()))
1177 where = US"installing selfsign cert";
1178 if (!SSL_CTX_use_certificate(sctx, x509))
1181 where = US"installing selfsign key";
1182 if (!SSL_CTX_use_PrivateKey(sctx, pkey))
1188 (void) tls_error(where, NULL, NULL, errstr);
1189 if (x509) X509_free(x509);
1190 if (pkey) EVP_PKEY_free(pkey);
1198 tls_add_certfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1201 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", file);
1202 if (!SSL_CTX_use_certificate_chain_file(sctx, CS file))
1203 return tls_error(string_sprintf(
1204 "SSL_CTX_use_certificate_chain_file file=%s", file),
1205 cbinfo->host, NULL, errstr);
1210 tls_add_pkeyfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1213 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", file);
1214 if (!SSL_CTX_use_PrivateKey_file(sctx, CS file, SSL_FILETYPE_PEM))
1215 return tls_error(string_sprintf(
1216 "SSL_CTX_use_PrivateKey_file file=%s", file), cbinfo->host, NULL, errstr);
1221 /*************************************************
1222 * Expand key and cert file specs *
1223 *************************************************/
1225 /* Called once during tls_init and possibly again during TLS setup, for a
1226 new context, if Server Name Indication was used and tls_sni was seen in
1227 the certificate string.
1230 sctx the SSL_CTX* to update
1231 cbinfo various parts of session state
1232 errstr error string pointer
1234 Returns: OK/DEFER/FAIL
1238 tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo,
1243 if (!cbinfo->certificate)
1245 if (!cbinfo->is_server) /* client */
1248 if (tls_install_selfsign(sctx, errstr) != OK)
1255 if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
1256 Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
1257 Ustrstr(cbinfo->certificate, US"tls_out_sni")
1259 reexpand_tls_files_for_sni = TRUE;
1261 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded, errstr))
1265 if (cbinfo->is_server)
1267 const uschar * file_list = expanded;
1271 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1272 if ((err = tls_add_certfile(sctx, cbinfo, file, errstr)))
1275 else /* would there ever be a need for multiple client certs? */
1276 if ((err = tls_add_certfile(sctx, cbinfo, expanded, errstr)))
1279 if (cbinfo->privatekey != NULL &&
1280 !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded, errstr))
1283 /* If expansion was forced to fail, key_expanded will be NULL. If the result
1284 of the expansion is an empty string, ignore it also, and assume the private
1285 key is in the same file as the certificate. */
1287 if (expanded && *expanded)
1288 if (cbinfo->is_server)
1290 const uschar * file_list = expanded;
1294 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1295 if ((err = tls_add_pkeyfile(sctx, cbinfo, file, errstr)))
1298 else /* would there ever be a need for multiple client certs? */
1299 if ((err = tls_add_pkeyfile(sctx, cbinfo, expanded, errstr)))
1303 #ifndef DISABLE_OCSP
1304 if (cbinfo->is_server && cbinfo->u_ocsp.server.file)
1307 if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded, errstr))
1310 if (expanded && *expanded)
1312 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
1313 if ( cbinfo->u_ocsp.server.file_expanded
1314 && (Ustrcmp(expanded, cbinfo->u_ocsp.server.file_expanded) == 0))
1316 DEBUG(D_tls) debug_printf(" - value unchanged, using existing values\n");
1319 ocsp_load_response(sctx, cbinfo, expanded);
1330 /*************************************************
1331 * Callback to handle SNI *
1332 *************************************************/
1334 /* Called when acting as server during the TLS session setup if a Server Name
1335 Indication extension was sent by the client.
1337 API documentation is OpenSSL s_server.c implementation.
1340 s SSL* of the current session
1341 ad unknown (part of OpenSSL API) (unused)
1342 arg Callback of "our" registered data
1344 Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
1347 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
1349 tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
1351 const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
1352 tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
1354 int old_pool = store_pool;
1355 uschar * dummy_errstr;
1358 return SSL_TLSEXT_ERR_OK;
1360 DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
1361 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
1363 /* Make the extension value available for expansion */
1364 store_pool = POOL_PERM;
1365 tls_in.sni = string_copy(US servername);
1366 store_pool = old_pool;
1368 if (!reexpand_tls_files_for_sni)
1369 return SSL_TLSEXT_ERR_OK;
1371 /* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
1372 not confident that memcpy wouldn't break some internal reference counting.
1373 Especially since there's a references struct member, which would be off. */
1375 #ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1376 if (!(server_sni = SSL_CTX_new(TLS_server_method())))
1378 if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
1381 ERR_error_string(ERR_get_error(), ssl_errstring);
1382 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
1383 return SSL_TLSEXT_ERR_NOACK;
1386 /* Not sure how many of these are actually needed, since SSL object
1387 already exists. Might even need this selfsame callback, for reneg? */
1389 SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
1390 SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
1391 SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
1392 SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
1393 SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
1394 SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
1396 if ( !init_dh(server_sni, cbinfo->dhparam, NULL, &dummy_errstr)
1397 || !init_ecdh(server_sni, NULL, &dummy_errstr)
1399 return SSL_TLSEXT_ERR_NOACK;
1401 if ( cbinfo->server_cipher_list
1402 && !SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list))
1403 return SSL_TLSEXT_ERR_NOACK;
1405 #ifndef DISABLE_OCSP
1406 if (cbinfo->u_ocsp.server.file)
1408 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
1409 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
1413 if ((rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE,
1414 verify_callback_server, &dummy_errstr)) != OK)
1415 return SSL_TLSEXT_ERR_NOACK;
1417 /* do this after setup_certs, because this can require the certs for verifying
1418 OCSP information. */
1419 if ((rc = tls_expand_session_files(server_sni, cbinfo, &dummy_errstr)) != OK)
1420 return SSL_TLSEXT_ERR_NOACK;
1422 DEBUG(D_tls) debug_printf("Switching SSL context.\n");
1423 SSL_set_SSL_CTX(s, server_sni);
1425 return SSL_TLSEXT_ERR_OK;
1427 #endif /* EXIM_HAVE_OPENSSL_TLSEXT */
1432 #ifndef DISABLE_OCSP
1434 /*************************************************
1435 * Callback to handle OCSP Stapling *
1436 *************************************************/
1438 /* Called when acting as server during the TLS session setup if the client
1439 requests OCSP information with a Certificate Status Request.
1441 Documentation via openssl s_server.c and the Apache patch from the OpenSSL
1447 tls_server_stapling_cb(SSL *s, void *arg)
1449 const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
1450 uschar *response_der; /*XXX blob */
1451 int response_der_len;
1453 /*XXX stack: use SSL_get_certificate() to see which cert; from that work
1454 out which ocsp blob to send. Unfortunately, SSL_get_certificate is known
1455 buggy in current OpenSSL; it returns the last cert loaded always rather than
1456 the one actually presented. So we can't support a stack of OCSP proofs at
1460 debug_printf("Received TLS status request (OCSP stapling); %s response\n",
1461 cbinfo->u_ocsp.server.response ? "have" : "lack");
1463 tls_in.ocsp = OCSP_NOT_RESP;
1464 if (!cbinfo->u_ocsp.server.response)
1465 return SSL_TLSEXT_ERR_NOACK;
1467 response_der = NULL;
1468 response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response, /*XXX stack*/
1470 if (response_der_len <= 0)
1471 return SSL_TLSEXT_ERR_NOACK;
1473 SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
1474 tls_in.ocsp = OCSP_VFIED;
1475 return SSL_TLSEXT_ERR_OK;
1480 time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
1482 BIO_printf(bp, "\t%s: ", str);
1483 ASN1_GENERALIZEDTIME_print(bp, time);
1488 tls_client_stapling_cb(SSL *s, void *arg)
1490 tls_ext_ctx_cb * cbinfo = arg;
1491 const unsigned char * p;
1493 OCSP_RESPONSE * rsp;
1494 OCSP_BASICRESP * bs;
1497 DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
1498 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1501 /* Expect this when we requested ocsp but got none */
1502 if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
1503 log_write(0, LOG_MAIN, "Received TLS status callback, null content");
1505 DEBUG(D_tls) debug_printf(" null\n");
1506 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1509 if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
1511 tls_out.ocsp = OCSP_FAILED;
1512 if (LOGGING(tls_cipher))
1513 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
1515 DEBUG(D_tls) debug_printf(" parse error\n");
1519 if(!(bs = OCSP_response_get1_basic(rsp)))
1521 tls_out.ocsp = OCSP_FAILED;
1522 if (LOGGING(tls_cipher))
1523 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
1525 DEBUG(D_tls) debug_printf(" error parsing response\n");
1526 OCSP_RESPONSE_free(rsp);
1530 /* We'd check the nonce here if we'd put one in the request. */
1531 /* However that would defeat cacheability on the server so we don't. */
1533 /* This section of code reworked from OpenSSL apps source;
1534 The OpenSSL Project retains copyright:
1535 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
1540 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1542 DEBUG(D_tls) bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
1544 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
1546 /* Use the chain that verified the server cert to verify the stapled info */
1547 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
1549 if ((i = OCSP_basic_verify(bs, cbinfo->verify_stack,
1550 cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
1552 tls_out.ocsp = OCSP_FAILED;
1553 if (LOGGING(tls_cipher)) log_write(0, LOG_MAIN,
1554 "Received TLS cert status response, itself unverifiable: %s",
1555 ERR_reason_error_string(ERR_peek_error()));
1556 BIO_printf(bp, "OCSP response verify failure\n");
1557 ERR_print_errors(bp);
1558 OCSP_RESPONSE_print(bp, rsp, 0);
1562 BIO_printf(bp, "OCSP response well-formed and signed OK\n");
1564 /*XXX So we have a good stapled OCSP status. How do we know
1565 it is for the cert of interest? OpenSSL 1.1.0 has a routine
1566 OCSP_resp_find_status() which matches on a cert id, which presumably
1567 we should use. Making an id needs OCSP_cert_id_new(), which takes
1568 issuerName, issuerKey, serialNumber. Are they all in the cert?
1570 For now, carry on blindly accepting the resp. */
1573 OCSP_SINGLERESP * single;
1575 #ifdef EXIM_HAVE_OCSP_RESP_COUNT
1576 if (OCSP_resp_count(bs) != 1)
1578 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
1579 if (sk_OCSP_SINGLERESP_num(sresp) != 1)
1582 tls_out.ocsp = OCSP_FAILED;
1583 log_write(0, LOG_MAIN, "OCSP stapling "
1584 "with multiple responses not handled");
1587 single = OCSP_resp_get0(bs, 0);
1588 status = OCSP_single_get0_status(single, &reason, &rev,
1589 &thisupd, &nextupd);
1592 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
1593 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
1594 if (!OCSP_check_validity(thisupd, nextupd,
1595 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1597 tls_out.ocsp = OCSP_FAILED;
1598 DEBUG(D_tls) ERR_print_errors(bp);
1599 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
1603 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
1604 OCSP_cert_status_str(status));
1607 case V_OCSP_CERTSTATUS_GOOD:
1608 tls_out.ocsp = OCSP_VFIED;
1611 case V_OCSP_CERTSTATUS_REVOKED:
1612 tls_out.ocsp = OCSP_FAILED;
1613 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
1614 reason != -1 ? "; reason: " : "",
1615 reason != -1 ? OCSP_crl_reason_str(reason) : "");
1616 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
1619 tls_out.ocsp = OCSP_FAILED;
1620 log_write(0, LOG_MAIN,
1621 "Server certificate status unknown, in OCSP stapling");
1626 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1631 OCSP_RESPONSE_free(rsp);
1634 #endif /*!DISABLE_OCSP*/
1637 /*************************************************
1638 * Initialize for TLS *
1639 *************************************************/
1641 /* Called from both server and client code, to do preliminary initialization
1642 of the library. We allocate and return a context structure.
1645 ctxp returned SSL context
1646 host connected host, if client; NULL if server
1647 dhparam DH parameter file
1648 certificate certificate file
1649 privatekey private key
1650 ocsp_file file of stapling info (server); flag for require ocsp (client)
1651 addr address if client; NULL if server (for some randomness)
1652 cbp place to put allocated callback context
1653 errstr error string pointer
1655 Returns: OK/DEFER/FAIL
1659 tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
1661 #ifndef DISABLE_OCSP
1662 uschar *ocsp_file, /*XXX stack, in server*/
1664 address_item *addr, tls_ext_ctx_cb ** cbp, uschar ** errstr)
1669 tls_ext_ctx_cb * cbinfo;
1671 cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
1672 cbinfo->certificate = certificate;
1673 cbinfo->privatekey = privatekey;
1674 cbinfo->is_server = host==NULL;
1675 #ifndef DISABLE_OCSP
1676 cbinfo->verify_stack = NULL;
1679 cbinfo->u_ocsp.server.file = ocsp_file;
1680 cbinfo->u_ocsp.server.file_expanded = NULL;
1681 cbinfo->u_ocsp.server.response = NULL;
1684 cbinfo->u_ocsp.client.verify_store = NULL;
1686 cbinfo->dhparam = dhparam;
1687 cbinfo->server_cipher_list = NULL;
1688 cbinfo->host = host;
1689 #ifndef DISABLE_EVENT
1690 cbinfo->event_action = NULL;
1693 SSL_load_error_strings(); /* basic set up */
1694 OpenSSL_add_ssl_algorithms();
1696 #ifdef EXIM_HAVE_SHA256
1697 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
1698 list of available digests. */
1699 EVP_add_digest(EVP_sha256());
1702 /* Create a context.
1703 The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
1704 negotiation in the different methods; as far as I can tell, the only
1705 *_{server,client}_method which allows negotiation is SSLv23, which exists even
1706 when OpenSSL is built without SSLv2 support.
1707 By disabling with openssl_options, we can let admins re-enable with the
1710 #ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1711 if (!(ctx = SSL_CTX_new(host ? TLS_client_method() : TLS_server_method())))
1713 if (!(ctx = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method())))
1715 return tls_error(US"SSL_CTX_new", host, NULL, errstr);
1717 /* It turns out that we need to seed the random number generator this early in
1718 order to get the full complement of ciphers to work. It took me roughly a day
1719 of work to discover this by experiment.
1721 On systems that have /dev/urandom, SSL may automatically seed itself from
1722 there. Otherwise, we have to make something up as best we can. Double check
1728 gettimeofday(&r.tv, NULL);
1731 RAND_seed(US (&r), sizeof(r));
1732 RAND_seed(US big_buffer, big_buffer_size);
1733 if (addr != NULL) RAND_seed(US addr, sizeof(addr));
1736 return tls_error(US"RAND_status", host,
1737 US"unable to seed random number generator", errstr);
1740 /* Set up the information callback, which outputs if debugging is at a suitable
1743 DEBUG(D_tls) SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
1745 /* Automatically re-try reads/writes after renegotiation. */
1746 (void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
1748 /* Apply administrator-supplied work-arounds.
1749 Historically we applied just one requested option,
1750 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
1751 moved to an administrator-controlled list of options to specify and
1752 grandfathered in the first one as the default value for "openssl_options".
1754 No OpenSSL version number checks: the options we accept depend upon the
1755 availability of the option value macros from OpenSSL. */
1757 if (!tls_openssl_options_parse(openssl_options, &init_options))
1758 return tls_error(US"openssl_options parsing failed", host, NULL, errstr);
1762 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
1763 if (!(SSL_CTX_set_options(ctx, init_options)))
1764 return tls_error(string_sprintf(
1765 "SSL_CTX_set_option(%#lx)", init_options), host, NULL, errstr);
1768 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
1770 /* We'd like to disable session cache unconditionally, but foolish Outlook
1771 Express clients then give up the first TLS connection and make a second one
1772 (which works). Only when there is an IMAP service on the same machine.
1773 Presumably OE is trying to use the cache for A on B. Leave it enabled for
1774 now, until we work out a decent way of presenting control to the config. It
1775 will never be used because we use a new context every time. */
1777 (void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
1780 /* Initialize with DH parameters if supplied */
1781 /* Initialize ECDH temp key parameter selection */
1783 if ( !init_dh(ctx, dhparam, host, errstr)
1784 || !init_ecdh(ctx, host, errstr)
1788 /* Set up certificate and key (and perhaps OCSP info) */
1790 if ((rc = tls_expand_session_files(ctx, cbinfo, errstr)) != OK)
1793 /* If we need to handle SNI or OCSP, do so */
1795 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
1796 # ifndef DISABLE_OCSP
1797 if (!(cbinfo->verify_stack = sk_X509_new_null()))
1799 DEBUG(D_tls) debug_printf("failed to create stack for stapling verify\n");
1804 if (!host) /* server */
1806 # ifndef DISABLE_OCSP
1807 /* We check u_ocsp.server.file, not server.response, because we care about if
1808 the option exists, not what the current expansion might be, as SNI might
1809 change the certificate and OCSP file in use between now and the time the
1810 callback is invoked. */
1811 if (cbinfo->u_ocsp.server.file)
1813 SSL_CTX_set_tlsext_status_cb(ctx, tls_server_stapling_cb);
1814 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
1817 /* We always do this, so that $tls_sni is available even if not used in
1819 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
1820 SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
1822 # ifndef DISABLE_OCSP
1824 if(ocsp_file) /* wanting stapling */
1826 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
1828 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
1831 SSL_CTX_set_tlsext_status_cb(ctx, tls_client_stapling_cb);
1832 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
1837 cbinfo->verify_cert_hostnames = NULL;
1839 #ifdef EXIM_HAVE_EPHEM_RSA_KEX
1840 /* Set up the RSA callback */
1841 SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
1844 /* Finally, set the timeout, and we are done */
1846 SSL_CTX_set_timeout(ctx, ssl_session_timeout);
1847 DEBUG(D_tls) debug_printf("Initialized TLS\n");
1858 /*************************************************
1859 * Get name of cipher in use *
1860 *************************************************/
1863 Argument: pointer to an SSL structure for the connection
1864 buffer to use for answer
1866 pointer to number of bits for cipher
1871 construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits)
1873 /* With OpenSSL 1.0.0a, 'c' needs to be const but the documentation doesn't
1874 yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
1875 the accessor functions use const in the prototype. */
1877 const uschar * ver = CUS SSL_get_version(ssl);
1878 const SSL_CIPHER * c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
1880 SSL_CIPHER_get_bits(c, bits);
1882 string_format(cipherbuf, bsize, "%s:%s:%u", ver,
1883 SSL_CIPHER_get_name(c), *bits);
1885 DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
1890 peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned siz)
1892 /*XXX we might consider a list-of-certs variable for the cert chain.
1893 SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
1894 in list-handling functions, also consider the difference between the entire
1895 chain and the elements sent by the peer. */
1897 tlsp->peerdn = NULL;
1899 /* Will have already noted peercert on a verify fail; possibly not the leaf */
1900 if (!tlsp->peercert)
1901 tlsp->peercert = SSL_get_peer_certificate(ssl);
1902 /* Beware anonymous ciphers which lead to server_cert being NULL */
1904 if (!X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, siz))
1905 { DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n"); }
1908 peerdn[siz-1] = '\0';
1909 tlsp->peerdn = peerdn; /*XXX a static buffer... */
1917 /*************************************************
1918 * Set up for verifying certificates *
1919 *************************************************/
1921 #ifndef DISABLE_OCSP
1922 /* Load certs from file, return TRUE on success */
1925 chain_from_pem_file(const uschar * file, STACK_OF(X509) * verify_stack)
1930 while (sk_X509_num(verify_stack) > 0)
1931 X509_free(sk_X509_pop(verify_stack));
1933 if (!(bp = BIO_new_file(CS file, "r"))) return FALSE;
1934 while ((x = PEM_read_bio_X509(bp, NULL, 0, NULL)))
1935 sk_X509_push(verify_stack, x);
1943 /* Called by both client and server startup; on the server possibly
1944 repeated after a Server Name Indication.
1947 sctx SSL_CTX* to initialise
1948 certs certs file or NULL
1949 crl CRL file or NULL
1950 host NULL in a server; the remote host in a client
1951 optional TRUE if called from a server for a host in tls_try_verify_hosts;
1952 otherwise passed as FALSE
1953 cert_vfy_cb Callback function for certificate verification
1954 errstr error string pointer
1956 Returns: OK/DEFER/FAIL
1960 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
1961 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr)
1963 uschar *expcerts, *expcrl;
1965 if (!expand_check(certs, US"tls_verify_certificates", &expcerts, errstr))
1967 DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
1969 if (expcerts && *expcerts)
1971 /* Tell the library to use its compiled-in location for the system default
1972 CA bundle. Then add the ones specified in the config, if any. */
1974 if (!SSL_CTX_set_default_verify_paths(sctx))
1975 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL, errstr);
1977 if (Ustrcmp(expcerts, "system") != 0)
1979 struct stat statbuf;
1981 if (Ustat(expcerts, &statbuf) < 0)
1983 log_write(0, LOG_MAIN|LOG_PANIC,
1984 "failed to stat %s for certificates", expcerts);
1990 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
1991 { file = NULL; dir = expcerts; }
1994 file = expcerts; dir = NULL;
1995 #ifndef DISABLE_OCSP
1996 /* In the server if we will be offering an OCSP proof, load chain from
1997 file for verifying the OCSP proof at load time. */
2000 && statbuf.st_size > 0
2001 && server_static_cbinfo->u_ocsp.server.file
2002 && !chain_from_pem_file(file, server_static_cbinfo->verify_stack)
2005 log_write(0, LOG_MAIN|LOG_PANIC,
2006 "failed to load cert chain from %s", file);
2012 /* If a certificate file is empty, the next function fails with an
2013 unhelpful error message. If we skip it, we get the correct behaviour (no
2014 certificates are recognized, but the error message is still misleading (it
2015 says no certificate was supplied). But this is better. */
2017 if ( (!file || statbuf.st_size > 0)
2018 && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
2019 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL, errstr);
2021 /* Load the list of CAs for which we will accept certs, for sending
2022 to the client. This is only for the one-file tls_verify_certificates
2024 If a list isn't loaded into the server, but
2025 some verify locations are set, the server end appears to make
2026 a wildcard request for client certs.
2027 Meanwhile, the client library as default behaviour *ignores* the list
2028 we send over the wire - see man SSL_CTX_set_client_cert_cb.
2029 Because of this, and that the dir variant is likely only used for
2030 the public-CA bundle (not for a private CA), not worth fixing.
2034 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
2036 SSL_CTX_set_client_CA_list(sctx, names);
2037 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
2038 sk_X509_NAME_num(names));
2043 /* Handle a certificate revocation list. */
2045 #if OPENSSL_VERSION_NUMBER > 0x00907000L
2047 /* This bit of code is now the version supplied by Lars Mainka. (I have
2048 merely reformatted it into the Exim code style.)
2050 "From here I changed the code to add support for multiple crl's
2051 in pem format in one file or to support hashed directory entries in
2052 pem format instead of a file. This method now uses the library function
2053 X509_STORE_load_locations to add the CRL location to the SSL context.
2054 OpenSSL will then handle the verify against CA certs and CRLs by
2055 itself in the verify callback." */
2057 if (!expand_check(crl, US"tls_crl", &expcrl, errstr)) return DEFER;
2058 if (expcrl && *expcrl)
2060 struct stat statbufcrl;
2061 if (Ustat(expcrl, &statbufcrl) < 0)
2063 log_write(0, LOG_MAIN|LOG_PANIC,
2064 "failed to stat %s for certificates revocation lists", expcrl);
2069 /* is it a file or directory? */
2071 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
2072 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
2076 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
2082 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
2084 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
2085 return tls_error(US"X509_STORE_load_locations", host, NULL, errstr);
2087 /* setting the flags to check against the complete crl chain */
2089 X509_STORE_set_flags(cvstore,
2090 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
2094 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
2096 /* If verification is optional, don't fail if no certificate */
2098 SSL_CTX_set_verify(sctx,
2099 SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
2108 /*************************************************
2109 * Start a TLS session in a server *
2110 *************************************************/
2112 /* This is called when Exim is running as a server, after having received
2113 the STARTTLS command. It must respond to that command, and then negotiate
2117 require_ciphers allowed ciphers
2118 errstr pointer to error message
2120 Returns: OK on success
2121 DEFER for errors before the start of the negotiation
2122 FAIL for errors during the negotiation; the server can't
2127 tls_server_start(const uschar * require_ciphers, uschar ** errstr)
2130 uschar * expciphers;
2131 tls_ext_ctx_cb * cbinfo;
2132 static uschar peerdn[256];
2133 static uschar cipherbuf[256];
2135 /* Check for previous activation */
2137 if (tls_in.active.sock >= 0)
2139 tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
2140 smtp_printf("554 Already in TLS\r\n", FALSE);
2144 /* Initialize the SSL library. If it fails, it will already have logged
2147 rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
2148 #ifndef DISABLE_OCSP
2149 tls_ocsp_file, /*XXX stack*/
2151 NULL, &server_static_cbinfo, errstr);
2152 if (rc != OK) return rc;
2153 cbinfo = server_static_cbinfo;
2155 if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers, errstr))
2158 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
2159 were historically separated by underscores. So that I can use either form in my
2160 tests, and also for general convenience, we turn underscores into hyphens here.
2162 XXX SSL_CTX_set_cipher_list() is replaced by SSL_CTX_set_ciphersuites()
2163 for TLS 1.3 . Since we do not call it at present we get the default list:
2164 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
2169 uschar * s = expciphers;
2170 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
2171 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
2172 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
2173 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL, errstr);
2174 cbinfo->server_cipher_list = expciphers;
2177 /* If this is a host for which certificate verification is mandatory or
2178 optional, set up appropriately. */
2180 tls_in.certificate_verified = FALSE;
2182 tls_in.dane_verified = FALSE;
2184 server_verify_callback_called = FALSE;
2186 if (verify_check_host(&tls_verify_hosts) == OK)
2188 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
2189 FALSE, verify_callback_server, errstr);
2190 if (rc != OK) return rc;
2191 server_verify_optional = FALSE;
2193 else if (verify_check_host(&tls_try_verify_hosts) == OK)
2195 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
2196 TRUE, verify_callback_server, errstr);
2197 if (rc != OK) return rc;
2198 server_verify_optional = TRUE;
2201 /* Prepare for new connection */
2203 if (!(server_ssl = SSL_new(server_ctx)))
2204 return tls_error(US"SSL_new", NULL, NULL, errstr);
2206 /* Warning: we used to SSL_clear(ssl) here, it was removed.
2208 * With the SSL_clear(), we get strange interoperability bugs with
2209 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
2210 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
2212 * The SSL_clear() call is to let an existing SSL* be reused, typically after
2213 * session shutdown. In this case, we have a brand new object and there's no
2214 * obvious reason to immediately clear it. I'm guessing that this was
2215 * originally added because of incomplete initialisation which the clear fixed,
2216 * in some historic release.
2219 /* Set context and tell client to go ahead, except in the case of TLS startup
2220 on connection, where outputting anything now upsets the clients and tends to
2221 make them disconnect. We need to have an explicit fflush() here, to force out
2222 the response. Other smtp_printf() calls do not need it, because in non-TLS
2223 mode, the fflush() happens when smtp_getc() is called. */
2225 SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
2226 if (!tls_in.on_connect)
2228 smtp_printf("220 TLS go ahead\r\n", FALSE);
2232 /* Now negotiate the TLS session. We put our own timer on it, since it seems
2233 that the OpenSSL library doesn't. */
2235 SSL_set_wfd(server_ssl, fileno(smtp_out));
2236 SSL_set_rfd(server_ssl, fileno(smtp_in));
2237 SSL_set_accept_state(server_ssl);
2239 DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
2241 sigalrm_seen = FALSE;
2242 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
2243 rc = SSL_accept(server_ssl);
2248 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
2252 DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
2254 /* TLS has been set up. Adjust the input functions to read via TLS,
2255 and initialize things. */
2257 peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
2259 construct_cipher_name(server_ssl, cipherbuf, sizeof(cipherbuf), &tls_in.bits);
2260 tls_in.cipher = cipherbuf;
2265 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)) != NULL)
2266 debug_printf("Shared ciphers: %s\n", buf);
2269 /* Record the certificate we presented */
2271 X509 * crt = SSL_get_certificate(server_ssl);
2272 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
2275 /* Only used by the server-side tls (tls_in), including tls_getc.
2276 Client-side (tls_out) reads (seem to?) go via
2277 smtp_read_response()/ip_recv().
2278 Hence no need to duplicate for _in and _out.
2280 if (!ssl_xfer_buffer) ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
2281 ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
2282 ssl_xfer_eof = ssl_xfer_error = FALSE;
2284 receive_getc = tls_getc;
2285 receive_getbuf = tls_getbuf;
2286 receive_get_cache = tls_get_cache;
2287 receive_ungetc = tls_ungetc;
2288 receive_feof = tls_feof;
2289 receive_ferror = tls_ferror;
2290 receive_smtp_buffered = tls_smtp_buffered;
2292 tls_in.active.sock = fileno(smtp_out);
2293 tls_in.active.tls_ctx = NULL; /* not using explicit ctx for server-side */
2301 tls_client_basic_ctx_init(SSL_CTX * ctx,
2302 host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo,
2306 /* stick to the old behaviour for compatibility if tls_verify_certificates is
2307 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
2308 the specified host patterns if one of them is defined */
2310 if ( ( !ob->tls_verify_hosts
2311 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2313 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
2315 client_verify_optional = FALSE;
2316 else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
2317 client_verify_optional = TRUE;
2321 if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
2322 ob->tls_crl, host, client_verify_optional, verify_callback_client,
2326 if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
2328 cbinfo->verify_cert_hostnames =
2330 string_domain_utf8_to_alabel(host->name, NULL);
2334 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
2335 cbinfo->verify_cert_hostnames);
2343 dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa, uschar ** errstr)
2347 const char * hostnames[2] = { CS host->name, NULL };
2350 if (DANESSL_init(ssl, NULL, hostnames) != 1)
2351 return tls_error(US"hostnames load", host, NULL, errstr);
2353 for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
2355 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
2356 ) if (rr->type == T_TLSA && rr->size > 3)
2358 const uschar * p = rr->data;
2359 uint8_t usage, selector, mtype;
2360 const char * mdname;
2364 /* Only DANE-TA(2) and DANE-EE(3) are supported */
2365 if (usage != 2 && usage != 3) continue;
2372 default: continue; /* Only match-types 0, 1, 2 are supported */
2373 case 0: mdname = NULL; break;
2374 case 1: mdname = "sha256"; break;
2375 case 2: mdname = "sha512"; break;
2379 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
2382 return tls_error(US"tlsa load", host, NULL, errstr);
2383 case 0: /* action not taken */
2387 tls_out.tlsa_usage |= 1<<usage;
2393 log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
2396 #endif /*SUPPORT_DANE*/
2400 /*************************************************
2401 * Start a TLS session in a client *
2402 *************************************************/
2404 /* Called from the smtp transport after STARTTLS has been accepted.
2407 fd the fd of the connection
2408 host connected host (for messages and option-tests)
2409 addr the first address (for some randomness; can be NULL)
2410 tb transport (always smtp)
2411 tlsa_dnsa tlsa lookup, if DANE, else null
2412 tlsp record details of channel configuration here; must be non-NULL
2413 errstr error string pointer
2415 Returns: Pointer to TLS session context, or NULL on error
2419 tls_client_start(int fd, host_item *host, address_item *addr,
2420 transport_instance * tb,
2422 dns_answer * tlsa_dnsa,
2424 tls_support * tlsp, uschar ** errstr)
2426 smtp_transport_options_block * ob = tb
2427 ? (smtp_transport_options_block *)tb->options_block
2428 : &smtp_transport_option_defaults;
2429 exim_openssl_client_tls_ctx * exim_client_ctx;
2430 static uschar peerdn[256];
2431 uschar * expciphers;
2433 static uschar cipherbuf[256];
2435 #ifndef DISABLE_OCSP
2436 BOOL request_ocsp = FALSE;
2437 BOOL require_ocsp = FALSE;
2441 store_pool = POOL_PERM;
2442 exim_client_ctx = store_get(sizeof(exim_openssl_client_tls_ctx));
2446 tlsp->tlsa_usage = 0;
2449 #ifndef DISABLE_OCSP
2451 # ifdef SUPPORT_DANE
2453 && ob->hosts_request_ocsp[0] == '*'
2454 && ob->hosts_request_ocsp[1] == '\0'
2457 /* Unchanged from default. Use a safer one under DANE */
2458 request_ocsp = TRUE;
2459 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
2460 " {= {4}{$tls_out_tlsa_usage}} } "
2466 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK))
2467 request_ocsp = TRUE;
2469 # ifdef SUPPORT_DANE
2473 verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
2477 rc = tls_init(&exim_client_ctx->ctx, host, NULL,
2478 ob->tls_certificate, ob->tls_privatekey,
2479 #ifndef DISABLE_OCSP
2480 (void *)(long)request_ocsp,
2482 addr, &client_static_cbinfo, errstr);
2483 if (rc != OK) return NULL;
2485 tlsp->certificate_verified = FALSE;
2486 client_verify_callback_called = FALSE;
2492 /* We fall back to tls_require_ciphers if unset, empty or forced failure, but
2493 other failures should be treated as problems. */
2494 if (ob->dane_require_tls_ciphers &&
2495 !expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
2496 &expciphers, errstr))
2498 if (expciphers && *expciphers == '\0')
2503 !expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
2504 &expciphers, errstr))
2507 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
2508 are separated by underscores. So that I can use either form in my tests, and
2509 also for general convenience, we turn underscores into hyphens here. */
2513 uschar *s = expciphers;
2514 while (*s) { if (*s == '_') *s = '-'; s++; }
2515 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
2516 if (!SSL_CTX_set_cipher_list(exim_client_ctx->ctx, CS expciphers))
2518 tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr);
2526 SSL_CTX_set_verify(exim_client_ctx->ctx,
2527 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2528 verify_callback_client_dane);
2530 if (!DANESSL_library_init())
2532 tls_error(US"library init", host, NULL, errstr);
2535 if (DANESSL_CTX_init(exim_client_ctx->ctx) <= 0)
2537 tls_error(US"context init", host, NULL, errstr);
2545 if (tls_client_basic_ctx_init(exim_client_ctx->ctx, host, ob,
2546 client_static_cbinfo, errstr) != OK)
2549 if (!(exim_client_ctx->ssl = SSL_new(exim_client_ctx->ctx)))
2551 tls_error(US"SSL_new", host, NULL, errstr);
2554 SSL_set_session_id_context(exim_client_ctx->ssl, sid_ctx, Ustrlen(sid_ctx));
2555 SSL_set_fd(exim_client_ctx->ssl, fd);
2556 SSL_set_connect_state(exim_client_ctx->ssl);
2560 if (!expand_check(ob->tls_sni, US"tls_sni", &tlsp->sni, errstr))
2564 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
2566 else if (!Ustrlen(tlsp->sni))
2570 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
2571 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tlsp->sni);
2572 SSL_set_tlsext_host_name(exim_client_ctx->ssl, tlsp->sni);
2574 log_write(0, LOG_MAIN, "SNI unusable with this OpenSSL library version; ignoring \"%s\"\n",
2582 if (dane_tlsa_load(exim_client_ctx->ssl, host, tlsa_dnsa, errstr) != OK)
2586 #ifndef DISABLE_OCSP
2587 /* Request certificate status at connection-time. If the server
2588 does OCSP stapling we will get the callback (set in tls_init()) */
2589 # ifdef SUPPORT_DANE
2593 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
2594 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
2596 { /* Re-eval now $tls_out_tlsa_usage is populated. If
2597 this means we avoid the OCSP request, we wasted the setup
2598 cost in tls_init(). */
2599 require_ocsp = verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
2600 request_ocsp = require_ocsp
2601 || verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
2608 SSL_set_tlsext_status_type(exim_client_ctx->ssl, TLSEXT_STATUSTYPE_ocsp);
2609 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
2610 tlsp->ocsp = OCSP_NOT_RESP;
2614 #ifndef DISABLE_EVENT
2615 client_static_cbinfo->event_action = tb ? tb->event_action : NULL;
2618 /* There doesn't seem to be a built-in timeout on connection. */
2620 DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
2621 sigalrm_seen = FALSE;
2622 alarm(ob->command_timeout);
2623 rc = SSL_connect(exim_client_ctx->ssl);
2628 DANESSL_cleanup(exim_client_ctx->ssl);
2633 tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL, errstr);
2637 DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
2639 peer_cert(exim_client_ctx->ssl, tlsp, peerdn, sizeof(peerdn));
2641 construct_cipher_name(exim_client_ctx->ssl, cipherbuf, sizeof(cipherbuf), &tlsp->bits);
2642 tlsp->cipher = cipherbuf;
2644 /* Record the certificate we presented */
2646 X509 * crt = SSL_get_certificate(exim_client_ctx->ssl);
2647 tlsp->ourcert = crt ? X509_dup(crt) : NULL;
2650 tlsp->active.sock = fd;
2651 tlsp->active.tls_ctx = exim_client_ctx;
2652 return exim_client_ctx;
2660 tls_refill(unsigned lim)
2665 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
2666 ssl_xfer_buffer, ssl_xfer_buffer_size);
2668 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
2669 inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer,
2670 MIN(ssl_xfer_buffer_size, lim));
2671 error = SSL_get_error(server_ssl, inbytes);
2672 if (smtp_receive_timeout > 0) alarm(0);
2674 if (had_command_timeout) /* set by signal handler */
2675 smtp_command_timeout_exit(); /* does not return */
2676 if (had_command_sigterm)
2677 smtp_command_sigterm_exit();
2678 if (had_data_timeout)
2679 smtp_data_timeout_exit();
2680 if (had_data_sigint)
2681 smtp_data_sigint_exit();
2683 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
2684 closed down, not that the socket itself has been closed down. Revert to
2685 non-SSL handling. */
2689 case SSL_ERROR_NONE:
2692 case SSL_ERROR_ZERO_RETURN:
2693 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2695 receive_getc = smtp_getc;
2696 receive_getbuf = smtp_getbuf;
2697 receive_get_cache = smtp_get_cache;
2698 receive_ungetc = smtp_ungetc;
2699 receive_feof = smtp_feof;
2700 receive_ferror = smtp_ferror;
2701 receive_smtp_buffered = smtp_buffered;
2703 if (SSL_get_shutdown(server_ssl) == SSL_RECEIVED_SHUTDOWN)
2704 SSL_shutdown(server_ssl);
2706 #ifndef DISABLE_OCSP
2707 sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
2708 server_static_cbinfo->verify_stack = NULL;
2710 SSL_free(server_ssl);
2711 SSL_CTX_free(server_ctx);
2714 tls_in.active.sock = -1;
2715 tls_in.active.tls_ctx = NULL;
2717 tls_in.cipher = NULL;
2718 tls_in.peerdn = NULL;
2723 /* Handle genuine errors */
2725 ERR_error_string(ERR_get_error(), ssl_errstring);
2726 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
2727 ssl_xfer_error = TRUE;
2731 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
2732 DEBUG(D_tls) if (error == SSL_ERROR_SYSCALL)
2733 debug_printf(" - syscall %s\n", strerror(errno));
2734 ssl_xfer_error = TRUE;
2738 #ifndef DISABLE_DKIM
2739 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
2741 ssl_xfer_buffer_hwm = inbytes;
2742 ssl_xfer_buffer_lwm = 0;
2747 /*************************************************
2748 * TLS version of getc *
2749 *************************************************/
2751 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
2752 it refills the buffer via the SSL reading function.
2754 Arguments: lim Maximum amount to read/buffer
2755 Returns: the next character or EOF
2757 Only used by the server-side TLS.
2761 tls_getc(unsigned lim)
2763 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
2764 if (!tls_refill(lim))
2765 return ssl_xfer_error ? EOF : smtp_getc(lim);
2767 /* Something in the buffer; return next uschar */
2769 return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
2773 tls_getbuf(unsigned * len)
2778 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
2779 if (!tls_refill(*len))
2781 if (!ssl_xfer_error) return smtp_getbuf(len);
2786 if ((size = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm) > *len)
2788 buf = &ssl_xfer_buffer[ssl_xfer_buffer_lwm];
2789 ssl_xfer_buffer_lwm += size;
2798 #ifndef DISABLE_DKIM
2799 int n = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm;
2801 dkim_exim_verify_feed(ssl_xfer_buffer+ssl_xfer_buffer_lwm, n);
2807 tls_could_read(void)
2809 return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm || SSL_pending(server_ssl) > 0;
2813 /*************************************************
2814 * Read bytes from TLS channel *
2815 *************************************************/
2819 ct_ctx client context pointer, or NULL for the one global server context
2823 Returns: the number of bytes read
2824 -1 after a failed read, including EOF
2826 Only used by the client-side TLS.
2830 tls_read(void * ct_ctx, uschar *buff, size_t len)
2832 SSL * ssl = ct_ctx ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
2836 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
2837 buff, (unsigned int)len);
2839 inbytes = SSL_read(ssl, CS buff, len);
2840 error = SSL_get_error(ssl, inbytes);
2842 if (error == SSL_ERROR_ZERO_RETURN)
2844 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2847 else if (error != SSL_ERROR_NONE)
2857 /*************************************************
2858 * Write bytes down TLS channel *
2859 *************************************************/
2863 ct_ctx client context pointer, or NULL for the one global server context
2866 more further data expected soon
2868 Returns: the number of bytes after a successful write,
2869 -1 after a failed write
2871 Used by both server-side and client-side TLS.
2875 tls_write(void * ct_ctx, const uschar *buff, size_t len, BOOL more)
2877 int outbytes, error, left;
2878 SSL * ssl = ct_ctx ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
2879 static gstring * corked = NULL;
2881 DEBUG(D_tls) debug_printf("%s(%p, %lu%s)\n", __FUNCTION__,
2882 buff, (unsigned long)len, more ? ", more" : "");
2884 /* Lacking a CORK or MSG_MORE facility (such as GnuTLS has) we copy data when
2885 "more" is notified. This hack is only ok if small amounts are involved AND only
2886 one stream does it, in one context (i.e. no store reset). Currently it is used
2887 for the responses to the received SMTP MAIL , RCPT, DATA sequence, only. */
2889 if (!ct_ctx && (more || corked))
2891 corked = string_catn(corked, buff, len);
2894 buff = CUS corked->s;
2899 for (left = len; left > 0;)
2901 DEBUG(D_tls) debug_printf("SSL_write(%p, %p, %d)\n", ssl, buff, left);
2902 outbytes = SSL_write(ssl, CS buff, left);
2903 error = SSL_get_error(ssl, outbytes);
2904 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
2908 ERR_error_string(ERR_get_error(), ssl_errstring);
2909 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
2912 case SSL_ERROR_NONE:
2917 case SSL_ERROR_ZERO_RETURN:
2918 log_write(0, LOG_MAIN, "SSL channel closed on write");
2921 case SSL_ERROR_SYSCALL:
2922 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
2923 sender_fullhost ? sender_fullhost : US"<unknown>",
2928 log_write(0, LOG_MAIN, "SSL_write error %d", error);
2937 /*************************************************
2938 * Close down a TLS session *
2939 *************************************************/
2941 /* This is also called from within a delivery subprocess forked from the
2942 daemon, to shut down the TLS library, without actually doing a shutdown (which
2943 would tamper with the SSL session in the parent process).
2946 ct_ctx client TLS context pointer, or NULL for the one global server context
2947 shutdown 1 if TLS close-alert is to be sent,
2948 2 if also response to be waited for
2952 Used by both server-side and client-side TLS.
2956 tls_close(void * ct_ctx, int shutdown)
2958 exim_openssl_client_tls_ctx * o_ctx = ct_ctx;
2959 SSL_CTX **ctxp = o_ctx ? &o_ctx->ctx : &server_ctx;
2960 SSL **sslp = o_ctx ? &o_ctx->ssl : &server_ssl;
2961 int *fdp = o_ctx ? &tls_out.active.sock : &tls_in.active.sock;
2963 if (*fdp < 0) return; /* TLS was not active */
2968 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
2969 shutdown > 1 ? " (with response-wait)" : "");
2971 if ( (rc = SSL_shutdown(*sslp)) == 0 /* send "close notify" alert */
2975 rc = SSL_shutdown(*sslp); /* wait for response */
2979 if (rc < 0) DEBUG(D_tls)
2981 ERR_error_string(ERR_get_error(), ssl_errstring);
2982 debug_printf("SSL_shutdown: %s\n", ssl_errstring);
2986 #ifndef DISABLE_OCSP
2987 if (!o_ctx) /* server side */
2989 sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
2990 server_static_cbinfo->verify_stack = NULL;
2994 SSL_CTX_free(*ctxp);
3004 /*************************************************
3005 * Let tls_require_ciphers be checked at startup *
3006 *************************************************/
3008 /* The tls_require_ciphers option, if set, must be something which the
3011 Returns: NULL on success, or error message
3015 tls_validate_require_cipher(void)
3018 uschar *s, *expciphers, *err;
3020 /* this duplicates from tls_init(), we need a better "init just global
3021 state, for no specific purpose" singleton function of our own */
3023 SSL_load_error_strings();
3024 OpenSSL_add_ssl_algorithms();
3025 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
3026 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
3027 list of available digests. */
3028 EVP_add_digest(EVP_sha256());
3031 if (!(tls_require_ciphers && *tls_require_ciphers))
3034 if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
3036 return US"failed to expand tls_require_ciphers";
3038 if (!(expciphers && *expciphers))
3041 /* normalisation ripped from above */
3043 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
3047 #ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
3048 if (!(ctx = SSL_CTX_new(TLS_server_method())))
3050 if (!(ctx = SSL_CTX_new(SSLv23_server_method())))
3053 ERR_error_string(ERR_get_error(), ssl_errstring);
3054 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
3058 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
3060 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
3062 ERR_error_string(ERR_get_error(), ssl_errstring);
3063 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed: %s",
3064 expciphers, ssl_errstring);
3075 /*************************************************
3076 * Report the library versions. *
3077 *************************************************/
3079 /* There have historically been some issues with binary compatibility in
3080 OpenSSL libraries; if Exim (like many other applications) is built against
3081 one version of OpenSSL but the run-time linker picks up another version,
3082 it can result in serious failures, including crashing with a SIGSEGV. So
3083 report the version found by the compiler and the run-time version.
3085 Note: some OS vendors backport security fixes without changing the version
3086 number/string, and the version date remains unchanged. The _build_ date
3087 will change, so we can more usefully assist with version diagnosis by also
3088 reporting the build date.
3090 Arguments: a FILE* to print the results to
3095 tls_version_report(FILE *f)
3097 fprintf(f, "Library version: OpenSSL: Compile: %s\n"
3100 OPENSSL_VERSION_TEXT,
3101 SSLeay_version(SSLEAY_VERSION),
3102 SSLeay_version(SSLEAY_BUILT_ON));
3103 /* third line is 38 characters for the %s and the line is 73 chars long;
3104 the OpenSSL output includes a "built on: " prefix already. */
3110 /*************************************************
3111 * Random number generation *
3112 *************************************************/
3114 /* Pseudo-random number generation. The result is not expected to be
3115 cryptographically strong but not so weak that someone will shoot themselves
3116 in the foot using it as a nonce in input in some email header scheme or
3117 whatever weirdness they'll twist this into. The result should handle fork()
3118 and avoid repeating sequences. OpenSSL handles that for us.
3122 Returns a random number in range [0, max-1]
3126 vaguely_random_number(int max)
3130 static pid_t pidlast = 0;
3133 uschar smallbuf[sizeof(r)];
3139 if (pidnow != pidlast)
3141 /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
3142 is unique for each thread", this doesn't apparently apply across processes,
3143 so our own warning from vaguely_random_number_fallback() applies here too.
3144 Fix per PostgreSQL. */
3150 /* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
3154 gettimeofday(&r.tv, NULL);
3157 RAND_seed(US (&r), sizeof(r));
3159 /* We're after pseudo-random, not random; if we still don't have enough data
3160 in the internal PRNG then our options are limited. We could sleep and hope
3161 for entropy to come along (prayer technique) but if the system is so depleted
3162 in the first place then something is likely to just keep taking it. Instead,
3163 we'll just take whatever little bit of pseudo-random we can still manage to
3166 needed_len = sizeof(r);
3167 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
3168 asked for a number less than 10. */
3169 for (r = max, i = 0; r; ++i)
3175 #ifdef EXIM_HAVE_RAND_PSEUDO
3176 /* We do not care if crypto-strong */
3177 i = RAND_pseudo_bytes(smallbuf, needed_len);
3179 i = RAND_bytes(smallbuf, needed_len);
3185 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
3186 return vaguely_random_number_fallback(max);
3190 for (p = smallbuf; needed_len; --needed_len, ++p)
3196 /* We don't particularly care about weighted results; if someone wants
3197 smooth distribution and cares enough then they should submit a patch then. */
3204 /*************************************************
3205 * OpenSSL option parse *
3206 *************************************************/
3208 /* Parse one option for tls_openssl_options_parse below
3211 name one option name
3212 value place to store a value for it
3213 Returns success or failure in parsing
3219 tls_openssl_one_option_parse(uschar *name, long *value)
3222 int last = exim_openssl_options_size;
3223 while (last > first)
3225 int middle = (first + last)/2;
3226 int c = Ustrcmp(name, exim_openssl_options[middle].name);
3229 *value = exim_openssl_options[middle].value;
3243 /*************************************************
3244 * OpenSSL option parsing logic *
3245 *************************************************/
3247 /* OpenSSL has a number of compatibility options which an administrator might
3248 reasonably wish to set. Interpret a list similarly to decode_bits(), so that
3249 we look like log_selector.
3252 option_spec the administrator-supplied string of options
3253 results ptr to long storage for the options bitmap
3254 Returns success or failure
3258 tls_openssl_options_parse(uschar *option_spec, long *results)
3263 BOOL adding, item_parsed;
3265 result = SSL_OP_NO_TICKET;
3266 /* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
3267 * from default because it increases BEAST susceptibility. */
3268 #ifdef SSL_OP_NO_SSLv2
3269 result |= SSL_OP_NO_SSLv2;
3271 #ifdef SSL_OP_SINGLE_DH_USE
3272 result |= SSL_OP_SINGLE_DH_USE;
3281 for (s=option_spec; *s != '\0'; /**/)
3283 while (isspace(*s)) ++s;
3286 if (*s != '+' && *s != '-')
3288 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
3289 "+ or - expected but found \"%s\"\n", s);
3292 adding = *s++ == '+';
3293 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
3296 item_parsed = tls_openssl_one_option_parse(s, &item);
3300 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
3303 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
3304 adding ? "adding" : "removing", result, item, s);
3316 #endif /*!MACRO_PREDEF*/
3319 /* End of tls-openssl.c */