1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) The Exim Maintainers 2020 - 2022 */
6 /* Copyright (c) University of Cambridge 1995 - 2019 */
7 /* See the file NOTICE for conditions of use and distribution. */
8 /* SPDX-License-Identifier: GPL-2.0-or-later */
10 /* Portions Copyright (c) The OpenSSL Project 1999 */
12 /* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
13 library. It is #included into the tls.c file when that library is used. The
14 code herein is based on a patch that was originally contributed by Steve
15 Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
17 No cryptographic code is included in Exim. All this module does is to call
18 functions from the OpenSSL library. */
23 #include <openssl/lhash.h>
24 #include <openssl/ssl.h>
25 #include <openssl/err.h>
26 #include <openssl/rand.h>
27 #ifndef OPENSSL_NO_ECDH
28 # include <openssl/ec.h>
31 # include <openssl/ocsp.h>
39 # define EXIM_OCSP_SKEW_SECONDS (300L)
40 # define EXIM_OCSP_MAX_AGE (-1L)
43 #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
44 # define EXIM_HAVE_OPENSSL_TLSEXT
46 #if OPENSSL_VERSION_NUMBER >= 0x00908000L
47 # define EXIM_HAVE_RSA_GENKEY_EX
49 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
50 # define EXIM_HAVE_OCSP_RESP_COUNT
51 # define OPENSSL_AUTO_SHA256
52 # define OPENSSL_MIN_PROTO_VERSION
54 # define EXIM_HAVE_EPHEM_RSA_KEX
55 # define EXIM_HAVE_RAND_PSEUDO
57 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
58 # define EXIM_HAVE_SHA256
61 /* X509_check_host provides sane certificate hostname checking, but was added
62 to OpenSSL late, after other projects forked off the code-base. So in
63 addition to guarding against the base version number, beware that LibreSSL
64 does not (at this time) support this function.
66 If LibreSSL gains a different API, perhaps via libtls, then we'll probably
67 opt to disentangle and ask a LibreSSL user to provide glue for a third
68 crypto provider for libtls instead of continuing to tie the OpenSSL glue
69 into even twistier knots. If LibreSSL gains the same API, we can just
70 change this guard and punt the issue for a while longer. */
72 #ifndef LIBRESSL_VERSION_NUMBER
73 # if OPENSSL_VERSION_NUMBER >= 0x010100000L
74 # define EXIM_HAVE_OPENSSL_CHECKHOST
75 # define EXIM_HAVE_OPENSSL_DH_BITS
76 # define EXIM_HAVE_OPENSSL_TLS_METHOD
77 # define EXIM_HAVE_OPENSSL_KEYLOG
78 # define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
79 # define EXIM_HAVE_SESSION_TICKET
80 # define EXIM_HAVE_OPESSL_TRACE
81 # define EXIM_HAVE_OPESSL_GET0_SERIAL
82 # define EXIM_HAVE_OPESSL_OCSP_RESP_GET0_CERTS
83 # define EXIM_HAVE_SSL_GET0_VERIFIED_CHAIN
85 # define EXIM_HAVE_OCSP
87 # define EXIM_HAVE_ALPN /* fail ret from hshake-cb is ignored by LibreSSL */
89 # define EXIM_NEED_OPENSSL_INIT
91 # if OPENSSL_VERSION_NUMBER >= 0x010000000L \
92 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
93 # define EXIM_HAVE_OPENSSL_CHECKHOST
97 #if LIBRESSL_VERSION_NUMBER >= 0x3040000fL
98 # define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
101 #if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x030000000L)
102 # define EXIM_HAVE_EXPORT_CHNL_BNGNG
103 # define EXIM_HAVE_OPENSSL_X509_STORE_GET1_ALL_CERTS
106 #if !defined(LIBRESSL_VERSION_NUMBER) \
107 || LIBRESSL_VERSION_NUMBER >= 0x20010000L
108 # if !defined(OPENSSL_NO_ECDH)
109 # if OPENSSL_VERSION_NUMBER >= 0x0090800fL
110 # define EXIM_HAVE_ECDH
112 # if OPENSSL_VERSION_NUMBER >= 0x10002000L
113 # define EXIM_HAVE_OPENSSL_EC_NIST2NID
118 #ifndef LIBRESSL_VERSION_NUMBER
119 # if OPENSSL_VERSION_NUMBER >= 0x010101000L
120 # define OPENSSL_HAVE_KEYLOG_CB
121 # define OPENSSL_HAVE_NUM_TICKETS
122 # define EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
123 # define EXIM_HAVE_EXP_CHNL_BNGNG
124 # define EXIM_HAVE_OPENSSL_OCSP_RESP_GET0_SIGNER
126 # define OPENSSL_BAD_SRVR_OURCERT
130 #if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x010002000L)
131 # define EXIM_HAVE_EXPORT_CHNL_BNGNG
134 #if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
135 # warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
136 # define DISABLE_OCSP
139 #ifndef DISABLE_TLS_RESUME
140 # if OPENSSL_VERSION_NUMBER < 0x0101010L
141 # error OpenSSL version too old for session-resumption
145 #ifdef EXIM_HAVE_OPENSSL_CHECKHOST
146 # include <openssl/x509v3.h>
149 #ifndef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
150 # ifndef EXIM_HAVE_OPENSSL_CIPHER_GET_ID
151 # define SSL_CIPHER_get_id(c) (c->id)
153 # ifndef MACRO_PREDEF
154 # include "tls-cipher-stdname.c"
158 #define TESTSUITE_TICKET_LIFE 10 /* seconds */
159 /*************************************************
160 * OpenSSL option parse *
161 *************************************************/
163 typedef struct exim_openssl_option {
166 } exim_openssl_option;
167 /* We could use a macro to expand, but we need the ifdef and not all the
168 options document which version they were introduced in. Policylet: include
169 all options unless explicitly for DTLS, let the administrator choose which
172 This list is current as of:
175 XXX could we autobuild this list, as with predefined-macros?
176 Seems just parsing ssl.h for SSL_OP_.* would be enough (except to exclude DTLS).
177 Also allow a numeric literal?
179 static exim_openssl_option exim_openssl_options[] = {
180 /* KEEP SORTED ALPHABETICALLY! */
182 { US"all", (long) SSL_OP_ALL },
184 #ifdef SSL_OP_ALLOW_NO_DHE_KEX
185 { US"allow_no_dhe_kex", SSL_OP_ALLOW_NO_DHE_KEX },
187 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
188 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
190 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
191 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
193 #ifdef SSL_OP_CRYPTOPRO_TLSEXT_BUG
194 { US"cryptopro_tlsext_bug", SSL_OP_CRYPTOPRO_TLSEXT_BUG },
196 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
197 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
199 #ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT
200 { US"enable_middlebox_compat", SSL_OP_ENABLE_MIDDLEBOX_COMPAT },
202 #ifdef SSL_OP_EPHEMERAL_RSA
203 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
205 #ifdef SSL_OP_LEGACY_SERVER_CONNECT
206 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
208 #ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
209 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
211 #ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
212 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
214 #ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
215 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
217 #ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
218 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
220 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
221 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
223 #ifdef SSL_OP_NO_ANTI_REPLAY
224 { US"no_anti_replay", SSL_OP_NO_ANTI_REPLAY },
226 #ifdef SSL_OP_NO_COMPRESSION
227 { US"no_compression", SSL_OP_NO_COMPRESSION },
229 #ifdef SSL_OP_NO_ENCRYPT_THEN_MAC
230 { US"no_encrypt_then_mac", SSL_OP_NO_ENCRYPT_THEN_MAC },
232 #ifdef SSL_OP_NO_RENEGOTIATION
233 { US"no_renegotiation", SSL_OP_NO_RENEGOTIATION },
235 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
236 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
238 #ifdef SSL_OP_NO_SSLv2
239 { US"no_sslv2", SSL_OP_NO_SSLv2 },
241 #ifdef SSL_OP_NO_SSLv3
242 { US"no_sslv3", SSL_OP_NO_SSLv3 },
244 #ifdef SSL_OP_NO_TICKET
245 { US"no_ticket", SSL_OP_NO_TICKET },
247 #ifdef SSL_OP_NO_TLSv1
248 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
250 #ifdef SSL_OP_NO_TLSv1_1
251 # if OPENSSL_VERSION_NUMBER < 0x30000000L
252 # if SSL_OP_NO_TLSv1_1 == 0x00000400L
253 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
254 # warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
255 # define NO_SSL_OP_NO_TLSv1_1
258 # ifndef NO_SSL_OP_NO_TLSv1_1
259 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
262 #ifdef SSL_OP_NO_TLSv1_2
263 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
265 #ifdef SSL_OP_NO_TLSv1_3
266 { US"no_tlsv1_3", SSL_OP_NO_TLSv1_3 },
268 #ifdef SSL_OP_PRIORITIZE_CHACHA
269 { US"prioritize_chacha", SSL_OP_PRIORITIZE_CHACHA },
271 #ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
272 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
274 #ifdef SSL_OP_SINGLE_DH_USE
275 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
277 #ifdef SSL_OP_SINGLE_ECDH_USE
278 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
280 #ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
281 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
283 #ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
284 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
286 #ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
287 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
289 #ifdef SSL_OP_TLS_D5_BUG
290 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
292 #ifdef SSL_OP_TLS_ROLLBACK_BUG
293 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
295 #ifdef SSL_OP_TLSEXT_PADDING
296 { US"tlsext_padding", SSL_OP_TLSEXT_PADDING },
301 static int exim_openssl_options_size = nelem(exim_openssl_options);
302 static long init_options = 0;
311 for (struct exim_openssl_option * o = exim_openssl_options;
312 o < exim_openssl_options + nelem(exim_openssl_options); o++)
314 /* Trailing X is workaround for problem with _OPT_OPENSSL_NO_TLSV1
315 being a ".ifdef _OPT_OPENSSL_NO_TLSV1_3" match */
317 spf(buf, sizeof(buf), US"_OPT_OPENSSL_%T_X", o->name);
318 builtin_macro_create(buf);
321 # ifndef DISABLE_TLS_RESUME
322 builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
324 # ifdef SSL_OP_NO_TLSv1_3
325 builtin_macro_create(US"_HAVE_TLS1_3");
327 # ifdef OPENSSL_BAD_SRVR_OURCERT
328 builtin_macro_create(US"_TLS_BAD_MULTICERT_IN_OURCERT");
330 # ifdef EXIM_HAVE_OCSP
331 builtin_macro_create(US"_HAVE_TLS_OCSP");
332 builtin_macro_create(US"_HAVE_TLS_OCSP_LIST");
334 # ifdef EXIM_HAVE_ALPN
335 builtin_macro_create(US"_HAVE_TLS_ALPN");
340 /******************************************************************************/
342 /* Structure for collecting random data for seeding. */
344 typedef struct randstuff {
349 /* Local static variables */
351 static BOOL client_verify_callback_called = FALSE;
352 static BOOL server_verify_callback_called = FALSE;
353 static const uschar *sid_ctx = US"exim";
355 /* We have three different contexts to care about.
357 Simple case: client, `client_ctx`
358 As a client, we can be doing a callout or cut-through delivery while receiving
359 a message. So we have a client context, which should have options initialised
360 from the SMTP Transport. We may also concurrently want to make TLS connections
361 to utility daemons, so client-contexts are allocated and passed around in call
362 args rather than using a gobal.
365 There are two cases: with and without ServerNameIndication from the client.
366 Given TLS SNI, we can be using different keys, certs and various other
367 configuration settings, because they're re-expanded with $tls_sni set. This
368 allows vhosting with TLS. This SNI is sent in the handshake.
369 A client might not send SNI, so we need a fallback, and an initial setup too.
370 So as a server, we start out using `server_ctx`.
371 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
372 `server_sni` from `server_ctx` and then initialise settings by re-expanding
380 } exim_openssl_client_tls_ctx;
383 /* static SSL_CTX *server_ctx = NULL; */
384 /* static SSL *server_ssl = NULL; */
386 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
387 static SSL_CTX *server_sni = NULL;
389 #ifdef EXIM_HAVE_ALPN
390 static BOOL server_seen_alpn = FALSE;
393 static char ssl_errstring[256];
395 static int ssl_session_timeout = 7200; /* Two hours */
396 static BOOL client_verify_optional = FALSE;
397 static BOOL server_verify_optional = FALSE;
399 static BOOL reexpand_tls_files_for_sni = FALSE;
402 typedef struct ocsp_resp {
403 struct ocsp_resp * next;
404 OCSP_RESPONSE * resp;
407 typedef struct exim_openssl_state {
408 exim_tlslib_state lib_state;
409 #define lib_ctx libdata0
410 #define lib_ssl libdata1
413 uschar * certificate;
420 const uschar *file_expanded;
421 ocsp_resplist *olist;
422 STACK_OF(X509) *verify_stack; /* chain for verifying the proof */
425 X509_STORE *verify_store; /* non-null if status requested */
426 uschar *verify_errstr; /* only if _required */
427 BOOL verify_required;
432 /* these are cached from first expand */
433 uschar * server_cipher_list;
434 /* only passed down to tls_error: */
436 const uschar * verify_cert_hostnames;
437 #ifndef DISABLE_EVENT
438 uschar * event_action;
440 } exim_openssl_state_st;
442 /* should figure out a cleanup of API to handle state preserved per
443 implementation, for various reasons, which can be void * in the APIs.
444 For now, we hack around it. */
445 exim_openssl_state_st *client_static_state = NULL; /*XXX should not use static; multiple concurrent clients! */
446 exim_openssl_state_st state_server = {.is_server = TRUE};
449 setup_certs(SSL_CTX * sctx, uschar ** certs, uschar * crl, host_item * host,
454 static int tls_server_stapling_cb(SSL *s, void *arg);
455 static void x509_stack_dump_cert_s_names(const STACK_OF(X509) * sk);
456 static void x509_store_dump_cert_s_names(X509_STORE * store);
461 /* Daemon-called, before every connection, key create/rotate */
462 #ifndef DISABLE_TLS_RESUME
463 static void tk_init(void);
464 static int tls_exdata_idx = -1;
468 tls_per_lib_daemon_tick(void)
470 #ifndef DISABLE_TLS_RESUME
475 /* Called once at daemon startup */
478 tls_per_lib_daemon_init(void)
480 tls_daemon_creds_reload();
484 /*************************************************
486 *************************************************/
488 /* Called from lots of places when errors occur before actually starting to do
489 the TLS handshake, that is, while the session is still in clear. Always returns
490 DEFER for a server and FAIL for a client so that most calls can use "return
491 tls_error(...)" to do this processing and then give an appropriate return. A
492 single function is used for both server and client, because it is called from
493 some shared functions.
496 prefix text to include in the logged error
497 host NULL if setting up a server;
498 the connected host if setting up a client
499 msg error message or NULL if we should ask OpenSSL
500 errstr pointer to output error message
502 Returns: OK/DEFER/FAIL
506 tls_error(uschar * prefix, const host_item * host, uschar * msg, uschar ** errstr)
510 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
511 msg = US ssl_errstring;
514 msg = string_sprintf("(%s): %s", prefix, msg);
515 DEBUG(D_tls) debug_printf("TLS error '%s'\n", msg);
516 if (errstr) *errstr = msg;
517 return host ? FAIL : DEFER;
522 /**************************************************
523 * General library initalisation *
524 **************************************************/
527 lib_rand_init(void * addr)
530 if (!RAND_status()) return TRUE;
532 gettimeofday(&r.tv, NULL);
534 RAND_seed(US (&r), sizeof(r));
535 RAND_seed(US big_buffer, big_buffer_size);
536 if (addr) RAND_seed(US addr, sizeof(addr));
538 return RAND_status();
543 tls_openssl_init(void)
545 static BOOL once = FALSE;
549 #ifdef EXIM_NEED_OPENSSL_INIT
550 SSL_load_error_strings(); /* basic set up */
551 OpenSSL_add_ssl_algorithms();
554 #if defined(EXIM_HAVE_SHA256) && !defined(OPENSSL_AUTO_SHA256)
555 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
556 list of available digests. */
557 EVP_add_digest(EVP_sha256());
560 (void) lib_rand_init(NULL);
561 (void) tls_openssl_options_parse(openssl_options, &init_options);
566 /*************************************************
567 * Initialize for DH *
568 *************************************************/
570 /* If dhparam is set, expand it, and load up the parameters for DH encryption.
574 sctx The current SSL CTX (inbound or outbound)
575 dhparam DH parameter file or fixed parameter identity string
576 errstr error string pointer
578 Returns: TRUE if OK (nothing to set up, or setup worked)
582 init_dh(SSL_CTX * sctx, uschar * dhparam, uschar ** errstr)
585 #if OPENSSL_VERSION_NUMBER < 0x30000000L
594 if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded, errstr))
597 if (!dhexpanded || !*dhexpanded)
598 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
599 else if (dhexpanded[0] == '/')
601 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
603 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
604 NULL, US strerror(errno), errstr);
610 if (Ustrcmp(dhexpanded, "none") == 0)
612 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
616 if (!(pem = std_dh_prime_named(dhexpanded)))
618 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
619 NULL, US strerror(errno), errstr);
622 bio = BIO_new_mem_buf(CS pem, -1);
626 #if OPENSSL_VERSION_NUMBER < 0x30000000L
627 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)
629 pkey = PEM_read_bio_Parameters_ex(bio, NULL, NULL, NULL)
634 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
639 /* note: our default limit of 2236 is not a multiple of 8; the limit comes from
640 an NSS limit, and the GnuTLS APIs handle bit-sizes fine, so we went with 2236.
641 But older OpenSSL can only report in bytes (octets), not bits. If someone wants
642 to dance at the edge, then they can raise the limit or use current libraries. */
644 #if OPENSSL_VERSION_NUMBER < 0x30000000L
645 # ifdef EXIM_HAVE_OPENSSL_DH_BITS
646 /* Added in commit 26c79d5641d; `git describe --contains` says OpenSSL_1_1_0-pre1~1022
647 This predates OpenSSL_1_1_0 (before a, b, ...) so is in all 1.1.0 */
648 dh_bitsize = DH_bits(dh);
650 dh_bitsize = 8 * DH_size(dh);
653 dh_bitsize = EVP_PKEY_get_bits(pkey);
656 /* Even if it is larger, we silently return success rather than cause things to
657 fail out, so that a too-large DH will not knock out all TLS; it's a debatable
658 choice. Likewise for a failing attempt to set one. */
660 if (dh_bitsize <= tls_dh_max_bits)
663 #if OPENSSL_VERSION_NUMBER < 0x30000000L
664 SSL_CTX_set_tmp_dh(sctx, dh)
666 SSL_CTX_set0_tmp_dh_pkey(sctx, pkey)
670 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
671 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (D-H param setting '%s'): %s",
672 dhexpanded ? dhexpanded : US"default", ssl_errstring);
673 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
674 /* EVP_PKEY_free(pkey); crashes */
679 debug_printf(" Diffie-Hellman initialized from %s with %d-bit prime\n",
680 dhexpanded ? dhexpanded : US"default", dh_bitsize);
684 debug_printf(" dhparams '%s' %d bits, is > tls_dh_max_bits limit of %d\n",
685 dhexpanded ? dhexpanded : US"default", dh_bitsize, tls_dh_max_bits);
687 #if OPENSSL_VERSION_NUMBER < 0x30000000L
690 /* The EVP_PKEY ownership stays with the ctx; do not free it */
699 /*************************************************
700 * Initialize for ECDH *
701 *************************************************/
703 /* Load parameters for ECDH encryption. Server only.
705 For now, we stick to NIST P-256 because: it's simple and easy to configure;
706 it avoids any patent issues that might bite redistributors; despite events in
707 the news and concerns over curve choices, we're not cryptographers, we're not
708 pretending to be, and this is "good enough" to be better than no support,
709 protecting against most adversaries. Given another year or two, there might
710 be sufficient clarity about a "right" way forward to let us make an informed
711 decision, instead of a knee-jerk reaction.
713 Longer-term, we should look at supporting both various named curves and
714 external files generated with "openssl ecparam", much as we do for init_dh().
715 We should also support "none" as a value, to explicitly avoid initialisation.
720 sctx The current SSL CTX (inbound or outbound)
721 errstr error string pointer
723 Returns: TRUE if OK (nothing to set up, or setup worked)
727 init_ecdh(SSL_CTX * sctx, uschar ** errstr)
729 #ifdef OPENSSL_NO_ECDH
736 # ifndef EXIM_HAVE_ECDH
738 debug_printf(" No OpenSSL API to define ECDH parameters, skipping\n");
742 if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr))
745 /* Is the option deliberately empty? */
747 if (!exp_curve || !*exp_curve)
749 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
750 DEBUG(D_tls) debug_printf( " ECDH OpenSSL 1.0.2+: clearing curves list\n");
751 (void) SSL_CTX_set1_curves(sctx, &nid, 0);
756 /* "auto" needs to be handled carefully.
757 * OpenSSL < 1.0.2: we do not select anything, but fallback to prime256v1
758 * OpenSSL < 1.1.0: we have to call SSL_CTX_set_ecdh_auto
759 * (openssl/ssl.h defines SSL_CTRL_SET_ECDH_AUTO)
760 * OpenSSL >= 1.1.0: we do not set anything, the libray does autoselection
761 * https://github.com/openssl/openssl/commit/fe6ef2472db933f01b59cad82aa925736935984b
763 if (Ustrcmp(exp_curve, "auto") == 0)
765 #if OPENSSL_VERSION_NUMBER < 0x10002000L
766 DEBUG(D_tls) debug_printf(
767 " ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n");
768 exp_curve = US"prime256v1";
770 # if defined SSL_CTRL_SET_ECDH_AUTO
771 DEBUG(D_tls) debug_printf(
772 " ECDH OpenSSL 1.0.2+: temp key parameter settings: autoselection\n");
773 SSL_CTX_set_ecdh_auto(sctx, 1);
776 DEBUG(D_tls) debug_printf(
777 " ECDH OpenSSL 1.1.0+: temp key parameter settings: library default selection\n");
783 if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef
784 # ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
785 && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef
789 uschar * s = string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve);
790 DEBUG(D_tls) debug_printf("TLS error '%s'\n", s);
791 if (errstr) *errstr = s;
795 # if OPENSSL_VERSION_NUMBER < 0x30000000L
798 if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
800 tls_error(US"Unable to create ec curve", NULL, NULL, errstr);
804 /* The "tmp" in the name here refers to setting a temporary key
805 not to the stability of the interface. */
807 if ((rc = SSL_CTX_set_tmp_ecdh(sctx, ecdh)) == 0)
808 tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), NULL, NULL, errstr);
810 DEBUG(D_tls) debug_printf(" ECDH: enabled '%s' curve\n", exp_curve);
814 #else /* v 3.0.0 + */
816 if ((rc = SSL_CTX_set1_groups(sctx, &nid, 1)) == 0)
817 tls_error(string_sprintf("Error enabling '%s' group", exp_curve), NULL, NULL, errstr);
819 DEBUG(D_tls) debug_printf(" ECDH: enabled '%s' group\n", exp_curve);
825 # endif /*EXIM_HAVE_ECDH*/
826 #endif /*OPENSSL_NO_ECDH*/
831 /*************************************************
832 * Expand key and cert file specs *
833 *************************************************/
835 #if OPENSSL_VERSION_NUMBER < 0x30000000L
838 s SSL connection (not used)
842 Returns: pointer to generated key
846 rsa_callback(SSL *s, int export, int keylength)
849 #ifdef EXIM_HAVE_RSA_GENKEY_EX
850 BIGNUM *bn = BN_new();
853 DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
855 # ifdef EXIM_HAVE_RSA_GENKEY_EX
856 if ( !BN_set_word(bn, (unsigned long)RSA_F4)
857 || !(rsa_key = RSA_new())
858 || !RSA_generate_key_ex(rsa_key, keylength, bn, NULL)
861 if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL)))
865 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
866 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
872 #endif /* pre-3.0.0 */
876 /* Create and install a selfsigned certificate, for use in server mode */
877 /*XXX we could arrange to call this during prelo for a null tls_certificate option.
878 The normal cache inval + relo will suffice.
879 Just need a timer for inval. */
882 tls_install_selfsign(SSL_CTX * sctx, uschar ** errstr)
889 DEBUG(D_tls) debug_printf("TLS: generating selfsigned server cert\n");
890 where = US"allocating pkey";
891 if (!(pkey = EVP_PKEY_new()))
894 where = US"allocating cert";
895 if (!(x509 = X509_new()))
898 where = US"generating pkey";
899 #if OPENSSL_VERSION_NUMBER < 0x30000000L
902 if (!(rsa = rsa_callback(NULL, 0, 2048)))
905 where = US"assigning pkey";
906 if (!EVP_PKEY_assign_RSA(pkey, rsa))
910 pkey = EVP_RSA_gen(2048);
913 X509_set_version(x509, 2); /* N+1 - version 3 */
914 ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
915 X509_gmtime_adj(X509_get_notBefore(x509), 0);
916 X509_gmtime_adj(X509_get_notAfter(x509), (long)2 * 60 * 60); /* 2 hour */
917 X509_set_pubkey(x509, pkey);
919 name = X509_get_subject_name(x509);
920 X509_NAME_add_entry_by_txt(name, "C",
921 MBSTRING_ASC, CUS "UK", -1, -1, 0);
922 X509_NAME_add_entry_by_txt(name, "O",
923 MBSTRING_ASC, CUS "Exim Developers", -1, -1, 0);
924 X509_NAME_add_entry_by_txt(name, "CN",
925 MBSTRING_ASC, CUS smtp_active_hostname, -1, -1, 0);
926 X509_set_issuer_name(x509, name);
928 where = US"signing cert";
929 if (!X509_sign(x509, pkey, EVP_md5()))
932 where = US"installing selfsign cert";
933 if (!SSL_CTX_use_certificate(sctx, x509))
936 where = US"installing selfsign key";
937 if (!SSL_CTX_use_PrivateKey(sctx, pkey))
943 (void) tls_error(where, NULL, NULL, errstr);
944 if (x509) X509_free(x509);
945 if (pkey) EVP_PKEY_free(pkey);
955 /*************************************************
956 * Information callback *
957 *************************************************/
959 /* The SSL library functions call this from time to time to indicate what they
960 are doing. We copy the string to the debugging output when TLS debugging has
972 info_callback(SSL * s, int where, int ret)
978 if (where & SSL_ST_CONNECT) g = string_append_listele(g, ',', US"SSL_connect");
979 if (where & SSL_ST_ACCEPT) g = string_append_listele(g, ',', US"SSL_accept");
980 if (where & SSL_CB_LOOP) g = string_append_listele(g, ',', US"state_chg");
981 if (where & SSL_CB_EXIT) g = string_append_listele(g, ',', US"hshake_exit");
982 if (where & SSL_CB_READ) g = string_append_listele(g, ',', US"read");
983 if (where & SSL_CB_WRITE) g = string_append_listele(g, ',', US"write");
984 if (where & SSL_CB_ALERT) g = string_append_listele(g, ',', US"alert");
985 if (where & SSL_CB_HANDSHAKE_START) g = string_append_listele(g, ',', US"hshake_start");
986 if (where & SSL_CB_HANDSHAKE_DONE) g = string_append_listele(g, ',', US"hshake_done");
988 if (where & SSL_CB_LOOP)
989 debug_printf("SSL %s: %s\n", g->s, SSL_state_string_long(s));
990 else if (where & SSL_CB_ALERT)
991 debug_printf("SSL %s %s:%s\n", g->s,
992 SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
993 else if (where & SSL_CB_EXIT)
996 debug_printf("SSL %s: %s in %s\n", g->s,
997 ret == 0 ? "failed" : "error", SSL_state_string_long(s));
999 else if (where & (SSL_CB_HANDSHAKE_START | SSL_CB_HANDSHAKE_DONE))
1000 debug_printf("SSL %s: %s\n", g->s, SSL_state_string_long(s));
1004 #ifdef OPENSSL_HAVE_KEYLOG_CB
1006 keylog_callback(const SSL *ssl, const char *line)
1010 DEBUG(D_tls) debug_printf("%.200s\n", line);
1011 if (!(filename = getenv("SSLKEYLOGFILE"))) return;
1012 if (!(fp = fopen(filename, "a"))) return;
1013 fprintf(fp, "%s\n", line);
1022 #ifndef DISABLE_EVENT
1024 verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
1025 BOOL *calledp, const BOOL *optionalp, const uschar * what)
1031 ev = tlsp == &tls_out ? client_static_state->event_action : event_action;
1034 DEBUG(D_tls) debug_printf("verify_event: %s %d\n", what, depth);
1035 old_cert = tlsp->peercert;
1036 tlsp->peercert = X509_dup(cert);
1037 /* NB we do not bother setting peerdn */
1038 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth), &errno)))
1040 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
1041 "depth=%d cert=%s: %s",
1042 tlsp == &tls_out ? deliver_host_address : sender_host_address,
1043 what, depth, dn, yield);
1047 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
1048 return 1; /* reject (leaving peercert set) */
1050 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
1051 "(host in tls_try_verify_hosts)\n");
1052 tlsp->verify_override = TRUE;
1054 X509_free(tlsp->peercert);
1055 tlsp->peercert = old_cert;
1061 /*************************************************
1062 * Callback for verification *
1063 *************************************************/
1065 /* The SSL library does certificate verification if set up to do so. This
1066 callback has the current yes/no state is in "state". If verification succeeded,
1067 we set the certificate-verified flag. If verification failed, what happens
1068 depends on whether the client is required to present a verifiable certificate
1071 If verification is optional, we change the state to yes, but still log the
1072 verification error. For some reason (it really would help to have proper
1073 documentation of OpenSSL), this callback function then gets called again, this
1074 time with state = 1. We must take care not to set the private verified flag on
1075 the second time through.
1077 Note: this function is not called if the client fails to present a certificate
1078 when asked. We get here only if a certificate has been received. Handling of
1079 optional verification for this case is done when requesting SSL to verify, by
1080 setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
1082 May be called multiple times for different issues with a certificate, even
1083 for a given "depth" in the certificate chain.
1086 preverify_ok current yes/no state as 1/0
1087 x509ctx certificate information.
1088 tlsp per-direction (client vs. server) support data
1089 calledp has-been-called flag
1090 optionalp verification-is-optional flag
1092 Returns: 0 if verification should fail, otherwise 1
1096 verify_callback(int preverify_ok, X509_STORE_CTX * x509ctx,
1097 tls_support * tlsp, BOOL * calledp, BOOL * optionalp)
1099 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
1100 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
1103 if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
1105 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
1106 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
1107 tlsp == &tls_out ? deliver_host_address : sender_host_address);
1110 dn[sizeof(dn)-1] = '\0';
1112 tlsp->verify_override = FALSE;
1113 if (preverify_ok == 0)
1115 uschar * extra = verify_mode ? string_sprintf(" (during %c-verify for [%s])",
1116 *verify_mode, sender_host_address)
1118 log_write(0, LOG_MAIN, "[%s] SSL verify error%s: depth=%d error=%s cert=%s",
1119 tlsp == &tls_out ? deliver_host_address : sender_host_address,
1121 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)), dn);
1125 if (!tlsp->peercert)
1126 tlsp->peercert = X509_dup(cert); /* record failing cert */
1127 return 0; /* reject */
1129 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
1130 "tls_try_verify_hosts)\n");
1131 tlsp->verify_override = TRUE;
1134 else if (depth != 0)
1136 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
1137 #ifndef DISABLE_EVENT
1138 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
1139 return 0; /* reject, with peercert set */
1144 const uschar * verify_cert_hostnames;
1146 if ( tlsp == &tls_out
1147 && ((verify_cert_hostnames = client_static_state->verify_cert_hostnames)))
1148 /* client, wanting hostname check */
1151 #ifdef EXIM_HAVE_OPENSSL_CHECKHOST
1152 # ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
1153 # define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
1155 # ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
1156 # define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
1159 const uschar * list = verify_cert_hostnames;
1162 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
1163 if ((rc = X509_check_host(cert, CCS name, 0,
1164 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
1165 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
1170 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
1171 tlsp == &tls_out ? deliver_host_address : sender_host_address);
1178 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
1181 uschar * extra = verify_mode
1182 ? string_sprintf(" (during %c-verify for [%s])",
1183 *verify_mode, sender_host_address)
1185 log_write(0, LOG_MAIN,
1186 "[%s] SSL verify error%s: certificate name mismatch: DN=\"%s\" H=\"%s\"",
1187 tlsp == &tls_out ? deliver_host_address : sender_host_address,
1188 extra, dn, verify_cert_hostnames);
1192 if (!tlsp->peercert)
1193 tlsp->peercert = X509_dup(cert); /* record failing cert */
1194 return 0; /* reject */
1196 DEBUG(D_tls) debug_printf("SSL verify name failure overridden (host in "
1197 "tls_try_verify_hosts)\n");
1198 tlsp->verify_override = TRUE;
1202 #ifndef DISABLE_EVENT
1203 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
1204 return 0; /* reject, with peercert set */
1207 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
1208 *calledp ? "" : " authenticated", dn);
1212 return 1; /* accept, at least for this level */
1216 verify_callback_client(int preverify_ok, X509_STORE_CTX *x509ctx)
1218 return verify_callback(preverify_ok, x509ctx, &tls_out,
1219 &client_verify_callback_called, &client_verify_optional);
1223 verify_callback_server(int preverify_ok, X509_STORE_CTX *x509ctx)
1225 return verify_callback(preverify_ok, x509ctx, &tls_in,
1226 &server_verify_callback_called, &server_verify_optional);
1232 /* This gets called *by* the dane library verify callback, which interposes
1236 verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
1238 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
1240 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
1241 #ifndef DISABLE_EVENT
1242 BOOL dummy_called, optional = FALSE;
1245 if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
1247 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
1248 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
1249 deliver_host_address);
1252 dn[sizeof(dn)-1] = '\0';
1254 DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
1255 preverify_ok ? "ok":"BAD", depth, dn);
1257 #ifndef DISABLE_EVENT
1258 if (verify_event(&tls_out, cert, depth, dn,
1259 &dummy_called, &optional, US"DANE"))
1260 return 0; /* reject, with peercert set */
1263 if (preverify_ok == 1)
1264 tls_out.dane_verified = TRUE;
1267 int err = X509_STORE_CTX_get_error(x509ctx);
1269 debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
1270 if (err == X509_V_ERR_APPLICATION_VERIFICATION)
1273 return preverify_ok;
1276 #endif /*SUPPORT_DANE*/
1279 #ifndef DISABLE_OCSP
1281 time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
1283 BIO_printf(bp, "\t%s: ", str);
1284 ASN1_GENERALIZEDTIME_print(bp, time);
1288 /*************************************************
1289 * Load OCSP information into state *
1290 *************************************************/
1291 /* Called to load the server OCSP response from the given file into memory, once
1292 caller has determined this is needed. Checks validity. Debugs a message
1295 ASSUMES: single response, for single cert.
1298 state various parts of session state
1299 filename the filename putatively holding an OCSP response
1300 is_pem file is PEM format; otherwise is DER
1304 ocsp_load_response(exim_openssl_state_st * state, const uschar * filename,
1308 OCSP_RESPONSE * resp;
1309 OCSP_BASICRESP * basic_response;
1310 OCSP_SINGLERESP * single_response;
1311 ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
1312 STACK_OF(X509) * sk;
1313 int status, reason, i;
1316 debug_printf("tls_ocsp_file (%s) '%s'\n", is_pem ? "PEM" : "DER", filename);
1318 if (!filename || !*filename) return;
1321 if (!(bio = BIO_new_file(CS filename, "rb")))
1323 log_write(0, LOG_MAIN|LOG_PANIC,
1324 "Failed to open OCSP response file \"%s\": %.100s",
1325 filename, ERR_reason_error_string(ERR_get_error()));
1331 uschar * data, * freep;
1334 if (!PEM_read_bio(bio, &dummy, &dummy, &data, &len))
1336 log_write(0, LOG_MAIN|LOG_PANIC, "Failed to read PEM file \"%s\": %.100s",
1337 filename, ERR_reason_error_string(ERR_get_error()));
1341 resp = d2i_OCSP_RESPONSE(NULL, CUSS &data, len);
1342 OPENSSL_free(freep);
1345 resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
1350 log_write(0, LOG_MAIN|LOG_PANIC, "Error reading OCSP response from \"%s\": %s",
1351 filename, ERR_reason_error_string(ERR_get_error()));
1355 if ((status = OCSP_response_status(resp)) != OCSP_RESPONSE_STATUS_SUCCESSFUL)
1357 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
1358 OCSP_response_status_str(status), status);
1364 BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
1365 OCSP_RESPONSE_print(bp, resp, 0); /* extreme debug: stapling content */
1370 if (!(basic_response = OCSP_response_get1_basic(resp)))
1373 debug_printf("OCSP response parse error: unable to extract basic response.\n");
1377 sk = state->u_ocsp.server.verify_stack; /* set by setup_certs() / chain_from_pem_file() */
1379 /* May need to expose ability to adjust those flags?
1380 OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
1381 OCSP_TRUSTOTHER OCSP_NOINTERN */
1383 /* This does a partial verify (only the signer link, not the whole chain-to-CA)
1384 on the OCSP proof before we load it for serving up; possibly overkill -
1385 just date-checks might be nice enough.
1387 OCSP_basic_verify takes a "store" arg, but does not
1388 use it for the chain verification, when OCSP_NOVERIFY is set.
1389 The content from the wire "basic_response" and a cert-stack "sk" are all
1392 We have a stack, loaded in setup_certs() if tls_verify_certificates
1393 was a file (not a directory, or "system"). It is unfortunate we
1394 cannot used the connection context store, as that would neatly
1395 handle the "system" case too, but there seems to be no library
1396 function for getting a stack from a store.
1397 [ In OpenSSL 1.1 - ? X509_STORE_CTX_get0_chain(ctx) ? ]
1398 [ 3.0.0 - sk = X509_STORE_get1_all_certs(store) ]
1399 We do not free the stack since it could be needed a second time for
1402 Separately we might try to replace using OCSP_basic_verify() - which seems to not
1403 be a public interface into the OpenSSL library (there's no manual entry) -
1404 (in 3.0.0 + is is public)
1405 But what with? We also use OCSP_basic_verify in the client stapling callback.
1406 And there we NEED it; we must verify that status... unless the
1407 library does it for us anyway? */
1409 if ((i = OCSP_basic_verify(basic_response, sk, NULL, OCSP_NOVERIFY)) < 0)
1413 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
1414 debug_printf("OCSP response has bad signature: %s\n", US ssl_errstring);
1419 /* Here's the simplifying assumption: there's only one response, for the
1420 one certificate we use, and nothing for anything else in a chain. If this
1421 proves false, we need to extract a cert id from our issued cert
1422 (tls_certificate) and use that for OCSP_resp_find_status() (which finds the
1423 right cert in the stack and then calls OCSP_single_get0_status()).
1425 I'm hoping to avoid reworking a bunch more of how we handle state here.
1427 XXX that will change when we add support for (TLS1.3) whole-chain stapling
1430 if (!(single_response = OCSP_resp_get0(basic_response, 0)))
1433 debug_printf("Unable to get first response from OCSP basic response.\n");
1437 status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
1438 if (status != V_OCSP_CERTSTATUS_GOOD)
1440 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
1441 OCSP_cert_status_str(status), status,
1442 OCSP_crl_reason_str(reason), reason);
1446 if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1450 BIO * bp = BIO_new(BIO_s_mem());
1453 time_print(bp, "This OCSP Update", thisupd);
1454 if (nextupd) time_print(bp, "Next OCSP Update", nextupd);
1455 if ((len = (int) BIO_get_mem_data(bp, CSS &s)) > 0) debug_printf("%.*s", len, s);
1456 debug_printf("OCSP status invalid times.\n");
1462 /* Add the resp to the list used by tls_server_stapling_cb() */
1464 ocsp_resplist ** op = &state->u_ocsp.server.olist, * oentry;
1465 while (oentry = *op)
1467 *op = oentry = store_get(sizeof(ocsp_resplist), GET_UNTAINTED);
1468 oentry->next = NULL;
1469 oentry->resp = resp;
1474 if (f.running_in_test_harness)
1476 extern char ** environ;
1477 if (environ) for (uschar ** p = USS environ; *p; p++)
1478 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
1480 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
1481 goto supply_response;
1489 ocsp_free_response_list(exim_openssl_state_st * state)
1491 for (ocsp_resplist * olist = state->u_ocsp.server.olist; olist;
1492 olist = olist->next)
1493 OCSP_RESPONSE_free(olist->resp);
1494 state->u_ocsp.server.olist = NULL;
1496 #endif /*!DISABLE_OCSP*/
1503 tls_add_certfile(SSL_CTX * sctx, exim_openssl_state_st * cbinfo, uschar * file,
1506 DEBUG(D_tls) debug_printf("tls_certificate file '%s'\n", file);
1507 if (!SSL_CTX_use_certificate_chain_file(sctx, CS file))
1508 return tls_error(string_sprintf(
1509 "SSL_CTX_use_certificate_chain_file file=%s", file),
1510 cbinfo->host, NULL, errstr);
1515 tls_add_pkeyfile(SSL_CTX * sctx, exim_openssl_state_st * cbinfo, uschar * file,
1518 DEBUG(D_tls) debug_printf("tls_privatekey file '%s'\n", file);
1519 if (!SSL_CTX_use_PrivateKey_file(sctx, CS file, SSL_FILETYPE_PEM))
1520 return tls_error(string_sprintf(
1521 "SSL_CTX_use_PrivateKey_file file=%s", file), cbinfo->host, NULL, errstr);
1528 /* Called once during tls_init and possibly again during TLS setup, for a
1529 new context, if Server Name Indication was used and tls_sni was seen in
1530 the certificate string.
1533 sctx the SSL_CTX* to update
1534 state various parts of session state
1535 errstr error string pointer
1537 Returns: OK/DEFER/FAIL
1541 tls_expand_session_files(SSL_CTX * sctx, exim_openssl_state_st * state,
1546 if (!state->certificate)
1548 if (!state->is_server) /* client */
1551 if (tls_install_selfsign(sctx, errstr) != OK)
1558 if ( !reexpand_tls_files_for_sni
1559 && ( Ustrstr(state->certificate, US"tls_sni")
1560 || Ustrstr(state->certificate, US"tls_in_sni")
1561 || Ustrstr(state->certificate, US"tls_out_sni")
1563 reexpand_tls_files_for_sni = TRUE;
1565 if ( !expand_check(state->certificate, US"tls_certificate", &expanded, errstr)
1566 || f.expand_string_forcedfail)
1568 if (f.expand_string_forcedfail)
1569 *errstr = US"expansion of tls_certificate failed";
1574 if (state->is_server)
1576 const uschar * file_list = expanded;
1579 #ifndef DISABLE_OCSP
1580 const uschar * olist = state->u_ocsp.server.file;
1583 BOOL fmt_pem = FALSE;
1586 if (!expand_check(olist, US"tls_ocsp_file", USS &olist, errstr))
1588 if (olist && !*olist)
1591 /* If doing a re-expand after SNI, avoid reloading the OCSP
1592 responses when the list of filenames has not changed.
1593 The creds-invali on content change wipes file_expanded, so that
1594 always reloads here. */
1596 if ( state->u_ocsp.server.file_expanded && olist
1597 && (Ustrcmp(olist, state->u_ocsp.server.file_expanded) == 0))
1599 DEBUG(D_tls) debug_printf(" - value unchanged, using existing values\n");
1604 ocsp_free_response_list(state);
1605 state->u_ocsp.server.file_expanded = olist;
1609 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1611 if ((err = tls_add_certfile(sctx, state, file, errstr)))
1614 #ifndef DISABLE_OCSP
1616 if ((ofile = string_nextinlist(&olist, &osep, NULL, 0)))
1618 if (Ustrncmp(ofile, US"PEM ", 4) == 0)
1623 else if (Ustrncmp(ofile, US"DER ", 4) == 0)
1628 ocsp_load_response(state, ofile, fmt_pem);
1631 DEBUG(D_tls) debug_printf("ran out of ocsp file list\n");
1635 else /* would there ever be a need for multiple client certs? */
1636 if ((err = tls_add_certfile(sctx, state, expanded, errstr)))
1639 if ( state->privatekey
1640 && !expand_check(state->privatekey, US"tls_privatekey", &expanded, errstr)
1641 || f.expand_string_forcedfail)
1643 if (f.expand_string_forcedfail)
1644 *errstr = US"expansion of tls_privatekey failed";
1648 /* If expansion was forced to fail, key_expanded will be NULL. If the result
1649 of the expansion is an empty string, ignore it also, and assume the private
1650 key is in the same file as the certificate. */
1652 if (expanded && *expanded)
1653 if (state->is_server)
1655 const uschar * file_list = expanded;
1659 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1660 if ((err = tls_add_pkeyfile(sctx, state, file, errstr)))
1663 else /* would there ever be a need for multiple client certs? */
1664 if ((err = tls_add_pkeyfile(sctx, state, expanded, errstr)))
1674 /**************************************************
1675 * One-time init credentials for server and client *
1676 **************************************************/
1679 normalise_ciphers(uschar ** ciphers, const uschar * pre_expansion_ciphers)
1681 uschar * s = *ciphers;
1683 if (!s || !Ustrchr(s, '_')) return; /* no change needed */
1685 if (s == pre_expansion_ciphers)
1686 s = string_copy(s); /* get writable copy */
1688 for (uschar * t = s; *t; t++) if (*t == '_') *t = '-';
1693 server_load_ciphers(SSL_CTX * ctx, exim_openssl_state_st * state,
1694 uschar * ciphers, uschar ** errstr)
1696 DEBUG(D_tls) debug_printf("required ciphers: %s\n", ciphers);
1697 if (!SSL_CTX_set_cipher_list(ctx, CS ciphers))
1698 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL, errstr);
1699 state->server_cipher_list = ciphers;
1706 lib_ctx_new(SSL_CTX ** ctxp, host_item * host, uschar ** errstr)
1709 #ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1710 if (!(ctx = SSL_CTX_new(host ? TLS_client_method() : TLS_server_method())))
1712 if (!(ctx = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method())))
1714 return tls_error(US"SSL_CTX_new", host, NULL, errstr);
1716 /* Set up the information callback, which outputs if debugging is at a suitable
1721 SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
1722 #if defined(EXIM_HAVE_OPESSL_TRACE) && !defined(OPENSSL_NO_SSL_TRACE)
1723 /* this needs a debug build of OpenSSL */
1724 SSL_CTX_set_msg_callback(ctx, (void (*)())SSL_trace);
1726 #ifdef OPENSSL_HAVE_KEYLOG_CB
1727 SSL_CTX_set_keylog_callback(ctx, (void (*)())keylog_callback);
1731 /* Automatically re-try reads/writes after renegotiation. */
1732 (void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
1739 tls_server_creds_init(void)
1742 uschar * dummy_errstr;
1743 unsigned lifetime = 0;
1747 state_server.lib_state = null_tls_preload;
1749 if (lib_ctx_new(&ctx, NULL, &dummy_errstr) != OK)
1751 state_server.lib_state.lib_ctx = ctx;
1753 /* Preload DH params and EC curve */
1755 if (opt_unset_or_noexpand(tls_dhparam))
1757 DEBUG(D_tls) debug_printf("TLS: preloading DH params '%s' for server\n", tls_dhparam);
1758 if (init_dh(ctx, tls_dhparam, &dummy_errstr))
1759 state_server.lib_state.dh = TRUE;
1762 DEBUG(D_tls) debug_printf("TLS: not preloading DH params for server\n");
1763 if (opt_unset_or_noexpand(tls_eccurve))
1765 DEBUG(D_tls) debug_printf("TLS: preloading ECDH curve '%s' for server\n", tls_eccurve);
1766 if (init_ecdh(ctx, &dummy_errstr))
1767 state_server.lib_state.ecdh = TRUE;
1770 DEBUG(D_tls) debug_printf("TLS: not preloading ECDH curve for server\n");
1772 #if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
1773 /* If we can, preload the Authorities for checking client certs against.
1774 Actual choice to do verify is made (tls_{,try_}verify_hosts)
1775 at TLS conn startup.
1776 Do this before the server ocsp so that its info can verify the ocsp. */
1778 if ( opt_set_and_noexpand(tls_verify_certificates)
1779 && opt_unset_or_noexpand(tls_crl))
1781 /* Watch the default dir also as they are always included */
1783 if ( tls_set_watch(CUS X509_get_default_cert_file(), FALSE)
1784 && tls_set_watch(tls_verify_certificates, FALSE)
1785 && tls_set_watch(tls_crl, FALSE))
1787 uschar * v_certs = tls_verify_certificates;
1788 DEBUG(D_tls) debug_printf("TLS: preloading CA bundle for server\n");
1790 if (setup_certs(ctx, &v_certs, tls_crl, NULL, &dummy_errstr) == OK)
1791 state_server.lib_state.cabundle = TRUE;
1793 /* If we can, preload the server-side cert, key and ocsp */
1795 if ( opt_set_and_noexpand(tls_certificate)
1796 # ifndef DISABLE_OCSP
1797 && opt_unset_or_noexpand(tls_ocsp_file)
1799 && opt_unset_or_noexpand(tls_privatekey))
1801 /* Set watches on the filenames. The implementation does de-duplication
1802 so we can just blindly do them all. */
1804 if ( tls_set_watch(tls_certificate, TRUE)
1805 # ifndef DISABLE_OCSP
1806 && tls_set_watch(tls_ocsp_file, TRUE)
1808 && tls_set_watch(tls_privatekey, TRUE))
1810 state_server.certificate = tls_certificate;
1811 state_server.privatekey = tls_privatekey;
1812 #ifndef DISABLE_OCSP
1813 state_server.u_ocsp.server.file = tls_ocsp_file;
1816 DEBUG(D_tls) debug_printf("TLS: preloading server certs\n");
1817 if (tls_expand_session_files(ctx, &state_server, &dummy_errstr) == OK)
1818 state_server.lib_state.conn_certs = TRUE;
1821 else if ( !tls_certificate && !tls_privatekey
1822 # ifndef DISABLE_OCSP
1826 { /* Generate & preload a selfsigned cert. No files to watch. */
1827 if (tls_expand_session_files(ctx, &state_server, &dummy_errstr) == OK)
1829 state_server.lib_state.conn_certs = TRUE;
1830 lifetime = f.running_in_test_harness ? 2 : 60 * 60; /* 1 hour */
1834 DEBUG(D_tls) debug_printf("TLS: not preloading server certs\n");
1838 DEBUG(D_tls) debug_printf("TLS: not preloading CA bundle for server\n");
1841 #endif /* EXIM_HAVE_INOTIFY */
1844 /* If we can, preload the ciphers control string */
1846 if (opt_set_and_noexpand(tls_require_ciphers))
1848 DEBUG(D_tls) debug_printf("TLS: preloading cipher list for server\n");
1849 normalise_ciphers(&tls_require_ciphers, tls_require_ciphers);
1850 if (server_load_ciphers(ctx, &state_server, tls_require_ciphers,
1851 &dummy_errstr) == OK)
1852 state_server.lib_state.pri_string = TRUE;
1855 DEBUG(D_tls) debug_printf("TLS: not preloading cipher list for server\n");
1862 /* Preload whatever creds are static, onto a transport. The client can then
1863 just copy the pointer as it starts up.
1864 Called from the daemon after a cache-invalidate with watch set; called from
1865 a queue-run startup with watch clear. */
1868 tls_client_creds_init(transport_instance * t, BOOL watch)
1870 smtp_transport_options_block * ob = t->options_block;
1871 exim_openssl_state_st tpt_dummy_state;
1872 host_item * dummy_host = (host_item *)1;
1873 uschar * dummy_errstr;
1878 ob->tls_preload = null_tls_preload;
1879 if (lib_ctx_new(&ctx, dummy_host, &dummy_errstr) != OK)
1881 ob->tls_preload.lib_ctx = ctx;
1883 tpt_dummy_state.lib_state = ob->tls_preload;
1885 #if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
1886 if ( opt_set_and_noexpand(ob->tls_certificate)
1887 && opt_unset_or_noexpand(ob->tls_privatekey))
1890 || ( tls_set_watch(ob->tls_certificate, FALSE)
1891 && tls_set_watch(ob->tls_privatekey, FALSE)
1894 uschar * pkey = ob->tls_privatekey;
1897 debug_printf("TLS: preloading client certs for transport '%s'\n",t->name);
1899 if ( tls_add_certfile(ctx, &tpt_dummy_state, ob->tls_certificate,
1901 && tls_add_pkeyfile(ctx, &tpt_dummy_state,
1902 pkey ? pkey : ob->tls_certificate,
1905 ob->tls_preload.conn_certs = TRUE;
1910 debug_printf("TLS: not preloading client certs, for transport '%s'\n", t->name);
1913 if ( opt_set_and_noexpand(ob->tls_verify_certificates)
1914 && opt_unset_or_noexpand(ob->tls_crl))
1917 || tls_set_watch(CUS X509_get_default_cert_file(), FALSE)
1918 && tls_set_watch(ob->tls_verify_certificates, FALSE)
1919 && tls_set_watch(ob->tls_crl, FALSE)
1922 uschar * v_certs = ob->tls_verify_certificates;
1924 debug_printf("TLS: preloading CA bundle for transport '%s'\n", t->name);
1926 if (setup_certs(ctx, &v_certs,
1927 ob->tls_crl, dummy_host, &dummy_errstr) == OK)
1928 ob->tls_preload.cabundle = TRUE;
1933 debug_printf("TLS: not preloading CA bundle, for transport '%s'\n", t->name);
1935 #endif /*EXIM_HAVE_INOTIFY*/
1939 #if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
1940 /* Invalidate the creds cached, by dropping the current ones.
1941 Call when we notice one of the source files has changed. */
1944 tls_server_creds_invalidate(void)
1946 SSL_CTX_free(state_server.lib_state.lib_ctx);
1947 state_server.lib_state = null_tls_preload;
1948 #ifndef DISABLE_OCSP
1949 state_server.u_ocsp.server.file_expanded = NULL;
1955 tls_client_creds_invalidate(transport_instance * t)
1957 smtp_transport_options_block * ob = t->options_block;
1958 SSL_CTX_free(ob->tls_preload.lib_ctx);
1959 ob->tls_preload = null_tls_preload;
1965 tls_server_creds_invalidate(void)
1969 tls_client_creds_invalidate(transport_instance * t)
1972 #endif /*EXIM_HAVE_INOTIFY*/
1977 #ifndef DISABLE_OCSP
1979 debug_print_sn(const X509 * cert)
1981 X509_NAME * sn = X509_get_subject_name((X509 *)cert);
1982 static uschar name[256];
1983 if (X509_NAME_oneline(sn, CS name, sizeof(name)))
1985 name[sizeof(name)-1] = '\0';
1986 debug_printf(" %s\n", name);
1991 x509_stack_dump_cert_s_names(const STACK_OF(X509) * sk)
1994 debug_printf(" (null)\n");
1997 int idx = sk_X509_num(sk);
1999 debug_printf(" (empty)\n");
2001 while (--idx >= 0) debug_print_sn(sk_X509_value(sk, idx));
2006 x509_store_dump_cert_s_names(X509_STORE * store)
2008 # ifdef EXIM_HAVE_OPENSSL_X509_STORE_GET1_ALL_CERTS
2010 debug_printf(" (no store)\n");
2013 STACK_OF(X509) * sk = X509_STORE_get1_all_certs(store);
2014 x509_stack_dump_cert_s_names(sk);
2015 sk_X509_pop_free(sk, X509_free);
2019 #endif /*!DISABLE_OCSP*/
2024 #ifndef DISABLE_TLS_RESUME
2025 /* Manage the keysets used for encrypting the session tickets, on the server. */
2027 typedef struct { /* Session ticket encryption key */
2030 const EVP_CIPHER * aes_cipher;
2031 uschar aes_key[32]; /* size needed depends on cipher. aes_128 implies 128/8 = 16? */
2032 # if OPENSSL_VERSION_NUMBER < 0x30000000L
2033 const EVP_MD * hmac_hash;
2035 const uschar * hmac_hashname;
2037 uschar hmac_key[16];
2042 static exim_stek exim_tk; /* current key */
2043 static exim_stek exim_tk_old; /* previous key */
2048 time_t t = time(NULL);
2050 if (exim_tk.name[0])
2052 if (exim_tk.renew >= t) return;
2053 exim_tk_old = exim_tk;
2056 if (f.running_in_test_harness) ssl_session_timeout = TESTSUITE_TICKET_LIFE;
2058 DEBUG(D_tls) debug_printf("OpenSSL: %s STEK\n", exim_tk.name[0] ? "rotating" : "creating");
2059 if (RAND_bytes(exim_tk.aes_key, sizeof(exim_tk.aes_key)) <= 0) return;
2060 if (RAND_bytes(exim_tk.hmac_key, sizeof(exim_tk.hmac_key)) <= 0) return;
2061 if (RAND_bytes(exim_tk.name+1, sizeof(exim_tk.name)-1) <= 0) return;
2063 exim_tk.name[0] = 'E';
2064 exim_tk.aes_cipher = EVP_aes_256_cbc();
2065 # if OPENSSL_VERSION_NUMBER < 0x30000000L
2066 exim_tk.hmac_hash = EVP_sha256();
2068 exim_tk.hmac_hashname = US "sha256";
2070 exim_tk.expire = t + ssl_session_timeout;
2071 exim_tk.renew = t + ssl_session_timeout/2;
2077 if (!exim_tk.name[0]) return NULL;
2082 tk_find(const uschar * name)
2084 return memcmp(name, exim_tk.name, sizeof(exim_tk.name)) == 0 ? &exim_tk
2085 : memcmp(name, exim_tk_old.name, sizeof(exim_tk_old.name)) == 0 ? &exim_tk_old
2092 # if OPENSSL_VERSION_NUMBER < 0x30000000L
2100 /*XXX will want these dependent on the ssl session strength */
2101 # if OPENSSL_VERSION_NUMBER < 0x30000000L
2102 HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
2103 key->hmac_hash, NULL);
2106 OSSL_PARAM params[3];
2107 uschar * hk = string_copy(key->hmac_hashname); /* need nonconst */
2108 params[0] = OSSL_PARAM_construct_octet_string("key", key->hmac_key, sizeof(key->hmac_key));
2109 params[1] = OSSL_PARAM_construct_utf8_string("digest", CS hk, 0);
2110 params[2] = OSSL_PARAM_construct_end();
2111 if (EVP_MAC_CTX_set_params(hctx, params) == 0)
2113 DEBUG(D_tls) debug_printf("EVP_MAC_CTX_set_params: %s\n",
2114 ERR_reason_error_string(ERR_get_error()));
2115 return 0; /* error in mac initialisation */
2122 /* Callback for session tickets, on server */
2124 ticket_key_callback(SSL * ssl, uschar key_name[16],
2125 uschar * iv, EVP_CIPHER_CTX * c_ctx,
2126 # if OPENSSL_VERSION_NUMBER < 0x30000000L
2133 tls_support * tlsp = state_server.tlsp;
2138 DEBUG(D_tls) debug_printf("ticket_key_callback: create new session\n");
2139 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
2141 if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) <= 0)
2142 return -1; /* insufficient random */
2144 if (!(key = tk_current())) /* current key doesn't exist or isn't valid */
2145 return 0; /* key couldn't be created */
2146 memcpy(key_name, key->name, 16);
2147 DEBUG(D_tls) debug_printf("STEK expire " TIME_T_FMT "\n", key->expire - time(NULL));
2149 if (tk_hmac_init(hctx, key) == 0) return 0;
2150 EVP_EncryptInit_ex(c_ctx, key->aes_cipher, NULL, key->aes_key, iv);
2152 DEBUG(D_tls) debug_printf("ticket created\n");
2157 time_t now = time(NULL);
2159 DEBUG(D_tls) debug_printf("ticket_key_callback: retrieve session\n");
2160 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
2162 if (!(key = tk_find(key_name)) || key->expire < now)
2166 debug_printf("ticket not usable (%s)\n", key ? "expired" : "not found");
2167 if (key) debug_printf("STEK expire " TIME_T_FMT "\n", key->expire - now);
2172 if (tk_hmac_init(hctx, key) == 0) return 0;
2173 EVP_DecryptInit_ex(c_ctx, key->aes_cipher, NULL, key->aes_key, iv);
2175 DEBUG(D_tls) debug_printf("ticket usable, STEK expire " TIME_T_FMT "\n", key->expire - now);
2177 /* The ticket lifetime and renewal are the same as the STEK lifetime and
2178 renewal, which is overenthusiastic. A factor of, say, 3x longer STEK would
2179 be better. To do that we'd have to encode ticket lifetime in the name as
2180 we don't yet see the restored session. Could check posthandshake for TLS1.3
2181 and trigger a new ticket then, but cannot do that for TLS1.2 */
2182 return key->renew < now ? 2 : 1;
2185 #endif /* !DISABLE_TLS_RESUME */
2190 setup_cert_verify(SSL_CTX * ctx, BOOL optional,
2191 int (*cert_vfy_cb)(int, X509_STORE_CTX *))
2193 /* If verification is optional, don't fail if no certificate */
2195 SSL_CTX_set_verify(ctx,
2196 SSL_VERIFY_PEER | (optional ? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
2201 /*************************************************
2202 * Callback to handle SNI *
2203 *************************************************/
2205 /* Called when acting as server during the TLS session setup if a Server Name
2206 Indication extension was sent by the client.
2208 API documentation is OpenSSL s_server.c implementation.
2211 s SSL* of the current session
2212 ad unknown (part of OpenSSL API) (unused)
2213 arg Callback of "our" registered data
2215 Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
2217 XXX might need to change to using ClientHello callback,
2218 per https://www.openssl.org/docs/manmaster/man3/SSL_client_hello_cb_fn.html
2221 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
2223 tls_servername_cb(SSL * s, int * ad ARG_UNUSED, void * arg)
2225 const char * servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
2226 exim_openssl_state_st * state = (exim_openssl_state_st *) arg;
2228 int old_pool = store_pool;
2232 return SSL_TLSEXT_ERR_OK;
2234 DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
2235 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
2237 /* Make the extension value available for expansion */
2238 store_pool = POOL_PERM;
2239 tls_in.sni = string_copy_taint(US servername, GET_TAINTED);
2240 store_pool = old_pool;
2242 if (!reexpand_tls_files_for_sni)
2243 return SSL_TLSEXT_ERR_OK;
2245 /* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
2246 not confident that memcpy wouldn't break some internal reference counting.
2247 Especially since there's a references struct member, which would be off. */
2249 if (lib_ctx_new(&server_sni, NULL, &errstr) != OK)
2252 /* Not sure how many of these are actually needed, since SSL object
2253 already exists. Might even need this selfsame callback, for reneg? */
2256 SSL_CTX * ctx = state_server.lib_state.lib_ctx;
2257 SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(ctx));
2258 SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(ctx));
2259 #ifdef OPENSSL_MIN_PROTO_VERSION
2260 SSL_CTX_set_min_proto_version(server_sni, SSL3_VERSION);
2262 SSL_CTX_set_options(server_sni, SSL_CTX_get_options(ctx));
2263 SSL_CTX_clear_options(server_sni, ~SSL_CTX_get_options(ctx));
2264 SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(ctx));
2265 SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
2266 SSL_CTX_set_tlsext_servername_arg(server_sni, state);
2269 if ( !init_dh(server_sni, state->dhparam, &errstr)
2270 || !init_ecdh(server_sni, &errstr)
2274 if ( state->server_cipher_list
2275 && !SSL_CTX_set_cipher_list(server_sni, CS state->server_cipher_list))
2278 #ifndef DISABLE_OCSP
2279 if (state->u_ocsp.server.file)
2281 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
2282 SSL_CTX_set_tlsext_status_arg(server_sni, state);
2287 uschar * v_certs = tls_verify_certificates;
2288 if ((rc = setup_certs(server_sni, &v_certs, tls_crl, NULL,
2292 if (v_certs && *v_certs)
2293 setup_cert_verify(server_sni, FALSE, verify_callback_server);
2296 /* do this after setup_certs, because this can require the certs for verifying
2297 OCSP information. */
2298 if ((rc = tls_expand_session_files(server_sni, state, &errstr)) != OK)
2301 DEBUG(D_tls) debug_printf("Switching SSL context.\n");
2302 SSL_set_SSL_CTX(s, server_sni);
2303 return SSL_TLSEXT_ERR_OK;
2306 log_write(0, LOG_MAIN|LOG_PANIC, "%s", errstr);
2307 return SSL_TLSEXT_ERR_ALERT_FATAL;
2309 #endif /* EXIM_HAVE_OPENSSL_TLSEXT */
2314 #ifdef EXIM_HAVE_ALPN
2315 /*************************************************
2316 * Callback to handle ALPN *
2317 *************************************************/
2319 /* Called on server if tls_alpn nonblank after expansion,
2320 when client offers ALPN, after the SNI callback.
2321 If set and not matching the list then we dump the connection */
2324 tls_server_alpn_cb(SSL *ssl, const uschar ** out, uschar * outlen,
2325 const uschar * in, unsigned int inlen, void * arg)
2327 server_seen_alpn = TRUE;
2330 debug_printf("Received TLS ALPN offer:");
2331 for (int pos = 0, siz; pos < inlen; pos += siz+1)
2334 if (pos + 1 + siz > inlen) siz = inlen - pos - 1;
2335 debug_printf(" '%.*s'", siz, in + pos + 1);
2337 debug_printf(". Our list: '%s'\n", tls_alpn);
2340 /* Look for an acceptable ALPN */
2342 if ( inlen > 1 /* at least one name */
2343 && in[0]+1 == inlen /* filling the vector, so exactly one name */
2346 const uschar * list = tls_alpn;
2348 for (uschar * name; name = string_nextinlist(&list, &sep, NULL, 0); )
2349 if (Ustrncmp(in+1, name, in[0]) == 0)
2351 *out = in+1; /* we checked for exactly one, so can just point to it */
2353 return SSL_TLSEXT_ERR_OK; /* use ALPN */
2357 /* More than one name from clilent, or name did not match our list. */
2359 /* This will be fatal to the TLS conn; would be nice to kill TCP also.
2360 Maybe as an option in future; for now leave control to the config (must-tls). */
2362 DEBUG(D_tls) debug_printf("TLS ALPN rejected\n");
2363 return SSL_TLSEXT_ERR_ALERT_FATAL;
2365 #endif /* EXIM_HAVE_ALPN */
2369 #ifndef DISABLE_OCSP
2371 /*************************************************
2372 * Callback to handle OCSP Stapling *
2373 *************************************************/
2375 /* Called when acting as server during the TLS session setup if the client
2376 requests OCSP information with a Certificate Status Request.
2378 Documentation via openssl s_server.c and the Apache patch from the OpenSSL
2384 tls_server_stapling_cb(SSL *s, void *arg)
2386 const exim_openssl_state_st * state = arg;
2387 ocsp_resplist * olist = state->u_ocsp.server.olist;
2388 uschar * response_der; /*XXX blob */
2389 int response_der_len;
2392 debug_printf("Received TLS status request (OCSP stapling); %s response list\n",
2393 olist ? "have" : "lack");
2395 tls_in.ocsp = OCSP_NOT_RESP;
2397 return SSL_TLSEXT_ERR_NOACK;
2399 #ifdef EXIM_HAVE_OPESSL_GET0_SERIAL
2401 const X509 * cert_sent = SSL_get_certificate(s);
2402 const ASN1_INTEGER * cert_serial = X509_get0_serialNumber(cert_sent);
2403 const BIGNUM * cert_bn = ASN1_INTEGER_to_BN(cert_serial, NULL);
2405 for (; olist; olist = olist->next)
2407 OCSP_BASICRESP * bs = OCSP_response_get1_basic(olist->resp);
2408 const OCSP_SINGLERESP * single = OCSP_resp_get0(bs, 0);
2409 const OCSP_CERTID * cid = OCSP_SINGLERESP_get0_id(single);
2410 ASN1_INTEGER * res_cert_serial;
2411 const BIGNUM * resp_bn;
2412 ASN1_OCTET_STRING * res_cert_iNameHash;
2415 (void) OCSP_id_get0_info(&res_cert_iNameHash, NULL, NULL, &res_cert_serial,
2416 (OCSP_CERTID *) cid);
2417 resp_bn = ASN1_INTEGER_to_BN(res_cert_serial, NULL);
2421 debug_printf("cert serial: %s\n", BN_bn2hex(cert_bn));
2422 debug_printf("resp serial: %s\n", BN_bn2hex(resp_bn));
2425 if (BN_cmp(cert_bn, resp_bn) == 0)
2427 DEBUG(D_tls) debug_printf("matched serial for ocsp\n");
2429 /*XXX TODO: check the rest of the list for duplicate matches.
2430 If any, need to also check the Issuer Name hash.
2431 Without this, we will provide the wrong status in the case of
2436 DEBUG(D_tls) debug_printf("not match serial for ocsp\n");
2440 DEBUG(D_tls) debug_printf("failed to find match for ocsp\n");
2441 return SSL_TLSEXT_ERR_NOACK;
2447 DEBUG(D_tls) debug_printf("OpenSSL version too early to support multi-leaf OCSP\n");
2448 return SSL_TLSEXT_ERR_NOACK;
2452 /*XXX could we do the i2d earlier, rather than during the callback? */
2453 response_der = NULL;
2454 response_der_len = i2d_OCSP_RESPONSE(olist->resp, &response_der);
2455 if (response_der_len <= 0)
2456 return SSL_TLSEXT_ERR_NOACK;
2458 SSL_set_tlsext_status_ocsp_resp(state_server.lib_state.lib_ssl,
2459 response_der, response_der_len);
2460 tls_in.ocsp = OCSP_VFIED;
2461 return SSL_TLSEXT_ERR_OK;
2466 add_chain_to_store(X509_STORE * store, STACK_OF(X509) * sk,
2467 const char * debug_text)
2473 debug_printf("chain for %s:\n", debug_text);
2474 x509_stack_dump_cert_s_names(sk);
2477 if ((idx = sk_X509_num(sk)) > 0)
2479 X509_STORE_add_cert(store, sk_X509_value(sk, idx));
2484 tls_client_stapling_cb(SSL * ssl, void * arg)
2486 exim_openssl_state_st * cbinfo = arg;
2487 const unsigned char * p;
2489 OCSP_RESPONSE * rsp;
2490 OCSP_BASICRESP * bs;
2493 DEBUG(D_tls) debug_printf("Received TLS status callback (OCSP stapling):\n");
2494 len = SSL_get_tlsext_status_ocsp_resp(ssl, &p);
2496 { /* Expect this when we requested ocsp but got none */
2497 if (SSL_session_reused(ssl) && tls_out.ocsp == OCSP_VFIED)
2499 DEBUG(D_tls) debug_printf(" null, but resumed; ocsp vfy stored with session is good\n");
2503 if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
2504 log_write(0, LOG_MAIN, "Required TLS certificate status not received");
2506 DEBUG(D_tls) debug_printf(" null\n");
2508 if (!cbinfo->u_ocsp.client.verify_required)
2510 cbinfo->u_ocsp.client.verify_errstr =
2511 US"(SSL_connect) Required TLS certificate status not received";
2515 if (!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
2517 tls_out.ocsp = OCSP_FAILED; /*XXX should use tlsp-> to permit concurrent outbound */
2518 if (LOGGING(tls_cipher))
2519 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
2521 DEBUG(D_tls) debug_printf(" parse error\n");
2525 if (!(bs = OCSP_response_get1_basic(rsp)))
2527 tls_out.ocsp = OCSP_FAILED;
2528 if (LOGGING(tls_cipher))
2529 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
2531 DEBUG(D_tls) debug_printf(" error parsing response\n");
2532 OCSP_RESPONSE_free(rsp);
2536 /* We'd check the nonce here if we'd put one in the request. */
2537 /* However that would defeat cacheability on the server so we don't. */
2539 /* This section of code reworked from OpenSSL apps source;
2540 The OpenSSL Project retains copyright:
2541 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
2545 X509_STORE * verify_store = NULL;
2546 BOOL have_verified_OCSP_signer = FALSE;
2547 #ifndef EXIM_HAVE_OCSP_RESP_COUNT
2548 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
2551 DEBUG(D_tls) bp = BIO_new(BIO_s_mem());
2553 /* Use the CA & chain that verified the server cert to verify the stapled info */
2554 /*XXX could we do an event here, for observability of ocsp? What reasonable data could we give access to? */
2555 /* Dates would be a start. Do we need another opaque variable type, as for certs, plus an extract expansion? */
2558 /* If this routine is not available, we've avoided [in tls_client_start()]
2559 asking for certificate-status under DANE, so this callback won't run for
2560 that combination. It still will for non-DANE. */
2562 #ifdef EXIM_HAVE_OPENSSL_OCSP_RESP_GET0_SIGNER
2565 if ( tls_out.dane_verified
2566 && (have_verified_OCSP_signer =
2567 OCSP_resp_get0_signer(bs, &signer, SSL_get0_verified_chain(ssl)) == 1))
2570 debug_printf("signer for OCSP basicres is in the verified chain;"
2571 " shortcut its verification\n");
2576 STACK_OF(X509) * verified_chain;
2578 verify_store = X509_STORE_new();
2580 SSL_get0_chain_certs(ssl, &verified_chain);
2581 add_chain_to_store(verify_store, verified_chain,
2582 "'current cert' per SSL_get0_chain_certs()");
2583 #ifdef EXIM_HAVE_SSL_GET0_VERIFIED_CHAIN
2584 verified_chain = SSL_get0_verified_chain(ssl);
2585 add_chain_to_store(verify_store, verified_chain,
2586 "SSL_get0_verified_chain()");
2593 debug_printf("Untrusted intermediate cert stack (from SSL_get_peer_cert_chain()):\n");
2594 x509_stack_dump_cert_s_names(SSL_get_peer_cert_chain(ssl));
2596 debug_printf("will use this CA store for verifying basicresp:\n");
2597 x509_store_dump_cert_s_names(verify_store);
2599 /* OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
2601 debug_printf("certs contained in basicresp:\n");
2602 x509_stack_dump_cert_s_names(
2603 #ifdef EXIM_HAVE_OPESSL_OCSP_RESP_GET0_CERTS
2604 OCSP_resp_get0_certs(bs)
2610 #ifdef EXIM_HAVE_OPENSSL_X509_STORE_GET1_ALL_CERTS
2611 /* could do via X509_STORE_get0_objects(); not worth it just for debug info */
2614 if (OCSP_resp_get0_signer(bs, &signer, X509_STORE_get1_all_certs(verify_store)) == 1)
2616 debug_printf("found signer for basicres:\n");
2617 debug_print_sn(signer);
2621 debug_printf("failed to find signer for basicres:\n");
2622 ERR_print_errors(bp);
2631 /* Under DANE the trust-anchor (at least in TA mode) is indicated by the TLSA
2632 record in DNS, and probably is not the root of the chain of certificates. So
2633 accept a partial chain for that case (and hope that anchor is visible for
2634 verifying the OCSP stapling).
2635 XXX for EE mode it won't even be that. Does that make OCSP useless for EE?
2637 Worse, for LetsEncrypt-mode (ocsp signer is leaf-signer) under DANE, the
2638 data used within OpenSSL for the signer has nil pointers for signing
2639 algorithms - and a crash results. Avoid this by shortcutting verification,
2640 having determined that the OCSP signer is in the (DANE-)validated set.
2643 #ifndef OCSP_PARTIAL_CHAIN /* defined for 3.0.0 onwards */
2644 # define OCSP_PARTIAL_CHAIN 0
2647 if ((i = OCSP_basic_verify(bs, SSL_get_peer_cert_chain(ssl),
2650 tls_out.dane_verified
2651 ? have_verified_OCSP_signer
2652 ? OCSP_NOVERIFY | OCSP_NOEXPLICIT
2653 : OCSP_PARTIAL_CHAIN | OCSP_NOEXPLICIT
2656 OCSP_NOEXPLICIT)) <= 0)
2658 DEBUG(D_tls) debug_printf("OCSP_basic_verify() fail: returned %d\n", i);
2659 if (ERR_peek_error())
2661 tls_out.ocsp = OCSP_FAILED;
2662 if (LOGGING(tls_cipher))
2664 static uschar peerdn[256];
2665 const uschar * errstr;;
2667 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
2668 ERR_peek_error_all(NULL, NULL, NULL, CCSS &errstr, NULL);
2671 errstr = CUS ERR_reason_error_string(ERR_peek_error());
2673 X509_NAME_oneline(X509_get_subject_name(SSL_get_peer_certificate(ssl)),
2674 CS peerdn, sizeof(peerdn));
2675 log_write(0, LOG_MAIN,
2676 "[%s] %s Received TLS cert (DN: '%.*s') status response, "
2677 "itself unverifiable: %s",
2678 deliver_host_address, deliver_host,
2679 (int)sizeof(peerdn), peerdn, errstr);
2683 BIO_printf(bp, "OCSP response verify failure\n");
2684 ERR_print_errors(bp);
2687 int len = (int) BIO_get_mem_data(bp, CSS &s);
2688 if (len > 0) debug_printf("%.*s", len, s);
2691 OCSP_RESPONSE_print(bp, rsp, 0);
2696 DEBUG(D_tls) debug_printf("no explicit trust for OCSP signing"
2697 " in the root CA certificate; ignoring\n");
2700 DEBUG(D_tls) debug_printf("OCSP response well-formed and signed OK\n");
2702 /*XXX So we have a good stapled OCSP status. How do we know
2703 it is for the cert of interest? OpenSSL 1.1.0 has a routine
2704 OCSP_resp_find_status() which matches on a cert id, which presumably
2705 we should use. Making an id needs OCSP_cert_id_new(), which takes
2706 issuerName, issuerKey, serialNumber. Are they all in the cert?
2708 For now, carry on blindly accepting the resp. */
2711 #ifdef EXIM_HAVE_OCSP_RESP_COUNT
2712 OCSP_resp_count(bs) - 1;
2714 sk_OCSP_SINGLERESP_num(sresp) - 1;
2718 OCSP_SINGLERESP * single = OCSP_resp_get0(bs, idx);
2720 ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
2722 /*XXX so I can see putting a loop in here to handle a rsp with >1 singleresp
2723 - but what happens with a GnuTLS-style input?
2725 we could do with a debug label for each singleresp
2726 - it has a certID with a serialNumber, but I see no API to get that
2728 status = OCSP_single_get0_status(single, &reason, &rev,
2729 &thisupd, &nextupd);
2733 time_print(bp, "This OCSP Update", thisupd);
2734 if (nextupd) time_print(bp, "Next OCSP Update", nextupd);
2736 if (!OCSP_check_validity(thisupd, nextupd,
2737 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
2739 tls_out.ocsp = OCSP_FAILED;
2740 DEBUG(D_tls) ERR_print_errors(bp);
2741 cbinfo->u_ocsp.client.verify_errstr =
2742 US"(SSL_connect) Server certificate status is out-of-date";
2743 log_write(0, LOG_MAIN, "OCSP dates invalid");
2747 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
2748 OCSP_cert_status_str(status));
2751 case V_OCSP_CERTSTATUS_GOOD:
2752 continue; /* the idx loop */
2753 case V_OCSP_CERTSTATUS_REVOKED:
2754 cbinfo->u_ocsp.client.verify_errstr =
2755 US"(SSL_connect) Server certificate revoked";
2756 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
2757 reason != -1 ? "; reason: " : "",
2758 reason != -1 ? OCSP_crl_reason_str(reason) : "");
2759 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
2762 cbinfo->u_ocsp.client.verify_errstr =
2763 US"(SSL_connect) Server certificate has unknown status";
2764 log_write(0, LOG_MAIN,
2765 "Server certificate status unknown, in OCSP stapling");
2773 tls_out.ocsp = OCSP_VFIED;
2777 tls_out.ocsp = OCSP_FAILED;
2778 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
2782 int len = (int) BIO_get_mem_data(bp, CSS &s);
2783 if (len > 0) debug_printf("%.*s", len, s);
2788 OCSP_RESPONSE_free(rsp);
2791 #endif /*!DISABLE_OCSP*/
2794 /*************************************************
2795 * Initialize for TLS *
2796 *************************************************/
2797 /* Called from both server and client code, to do preliminary initialization
2798 of the library. We allocate and return a context structure.
2801 host connected host, if client; NULL if server
2802 ob transport options block, if client; NULL if server
2803 ocsp_file file of stapling info (server); flag for require ocsp (client)
2804 addr address if client; NULL if server (for some randomness)
2805 caller_state place to put pointer to allocated state-struct
2806 errstr error string pointer
2808 Returns: OK/DEFER/FAIL
2812 tls_init(host_item * host, smtp_transport_options_block * ob,
2813 #ifndef DISABLE_OCSP
2816 address_item *addr, exim_openssl_state_st ** caller_state,
2817 tls_support * tlsp, uschar ** errstr)
2820 exim_openssl_state_st * state;
2823 if (host) /* client */
2825 state = store_malloc(sizeof(exim_openssl_state_st));
2826 memset(state, 0, sizeof(*state));
2827 state->certificate = ob->tls_certificate;
2828 state->privatekey = ob->tls_privatekey;
2829 state->is_server = FALSE;
2830 state->dhparam = NULL;
2831 state->lib_state = ob->tls_preload;
2835 state = &state_server;
2836 state->certificate = tls_certificate;
2837 state->privatekey = tls_privatekey;
2838 state->is_server = TRUE;
2839 state->dhparam = tls_dhparam;
2840 state->lib_state = state_server.lib_state;
2846 if (!state->lib_state.pri_string)
2847 state->server_cipher_list = NULL;
2849 #ifndef DISABLE_EVENT
2850 state->event_action = NULL;
2855 /* It turns out that we need to seed the random number generator this early in
2856 order to get the full complement of ciphers to work. It took me roughly a day
2857 of work to discover this by experiment.
2859 On systems that have /dev/urandom, SSL may automatically seed itself from
2860 there. Otherwise, we have to make something up as best we can. Double check
2863 Although we likely called this before, at daemon startup, this is a chance
2864 to mix in further variable info (time, pid) if needed. */
2866 if (!lib_rand_init(addr))
2867 return tls_error(US"RAND_status", host,
2868 US"unable to seed random number generator", errstr);
2870 /* Apply administrator-supplied work-arounds.
2871 Historically we applied just one requested option,
2872 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
2873 moved to an administrator-controlled list of options to specify and
2874 grandfathered in the first one as the default value for "openssl_options".
2876 No OpenSSL version number checks: the options we accept depend upon the
2877 availability of the option value macros from OpenSSL. */
2880 if (!tls_openssl_options_parse(openssl_options, &init_options))
2881 return tls_error(US"openssl_options parsing failed", host, NULL, errstr);
2883 /* Create a context.
2884 The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
2885 negotiation in the different methods; as far as I can tell, the only
2886 *_{server,client}_method which allows negotiation is SSLv23, which exists even
2887 when OpenSSL is built without SSLv2 support.
2888 By disabling with openssl_options, we can let admins re-enable with the
2891 if (!(ctx = state->lib_state.lib_ctx))
2893 if ((rc = lib_ctx_new(&ctx, host, errstr)) != OK)
2895 state->lib_state.lib_ctx = ctx;
2898 #ifndef DISABLE_TLS_RESUME
2899 tlsp->resumption = RESUME_SUPPORTED;
2903 #ifndef DISABLE_TLS_RESUME
2904 /* Should the server offer session resumption? */
2905 if (!host && verify_check_host(&tls_resumption_hosts) == OK)
2907 DEBUG(D_tls) debug_printf("tls_resumption_hosts overrides openssl_options\n");
2908 init_options &= ~SSL_OP_NO_TICKET;
2909 tlsp->resumption |= RESUME_SERVER_TICKET; /* server will give ticket on request */
2910 tlsp->host_resumable = TRUE;
2914 #ifdef OPENSSL_MIN_PROTO_VERSION
2915 SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);
2917 DEBUG(D_tls) debug_printf("setting SSL CTX options: %016lx\n", init_options);
2918 SSL_CTX_set_options(ctx, init_options);
2920 uint64_t readback = SSL_CTX_clear_options(ctx, ~init_options);
2921 if (readback != init_options)
2922 return tls_error(string_sprintf(
2923 "SSL_CTX_set_option(%#lx)", init_options), host, NULL, errstr);
2927 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
2929 /* We'd like to disable session cache unconditionally, but foolish Outlook
2930 Express clients then give up the first TLS connection and make a second one
2931 (which works). Only when there is an IMAP service on the same machine.
2932 Presumably OE is trying to use the cache for A on B. Leave it enabled for
2933 now, until we work out a decent way of presenting control to the config. It
2934 will never be used because we use a new context every time. */
2936 (void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
2939 /* Initialize with DH parameters if supplied */
2940 /* Initialize ECDH temp key parameter selection */
2944 if (state->lib_state.dh)
2945 { DEBUG(D_tls) debug_printf("TLS: DH params were preloaded\n"); }
2947 if (!init_dh(ctx, state->dhparam, errstr)) return DEFER;
2949 if (state->lib_state.ecdh)
2950 { DEBUG(D_tls) debug_printf("TLS: ECDH curve was preloaded\n"); }
2952 if (!init_ecdh(ctx, errstr)) return DEFER;
2955 /* Set up certificate and key (and perhaps OCSP info) */
2957 if (state->lib_state.conn_certs)
2960 debug_printf("TLS: %s certs were preloaded\n", host ? "client":"server");
2964 #ifndef DISABLE_OCSP
2965 if (!host) /* server */
2967 state->u_ocsp.server.file = ocsp_file;
2968 state->u_ocsp.server.file_expanded = NULL;
2969 state->u_ocsp.server.olist = NULL;
2972 if ((rc = tls_expand_session_files(ctx, state, errstr)) != OK) return rc;
2975 /* If we need to handle SNI or OCSP, do so */
2977 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
2978 # ifndef DISABLE_OCSP
2979 if (!host && !(state->u_ocsp.server.verify_stack = sk_X509_new_null()))
2981 DEBUG(D_tls) debug_printf("failed to create stack for stapling verify\n");
2986 if (!host) /* server */
2988 # ifndef DISABLE_OCSP
2989 /* We check u_ocsp.server.file, not server.olist, because we care about if
2990 the option exists, not what the current expansion might be, as SNI might
2991 change the certificate and OCSP file in use between now and the time the
2992 callback is invoked. */
2993 if (state->u_ocsp.server.file)
2995 SSL_CTX_set_tlsext_status_cb(ctx, tls_server_stapling_cb);
2996 SSL_CTX_set_tlsext_status_arg(ctx, state);
2999 /* We always do this, so that $tls_sni is available even if not used in
3001 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
3002 SSL_CTX_set_tlsext_servername_arg(ctx, state);
3004 # ifdef EXIM_HAVE_ALPN
3005 if (tls_alpn && *tls_alpn)
3008 if ( expand_check(tls_alpn, US"tls_alpn", &exp_alpn, errstr)
3009 && *exp_alpn && !isblank(*exp_alpn))
3011 tls_alpn = exp_alpn; /* subprocess so ok to overwrite */
3012 SSL_CTX_set_alpn_select_cb(ctx, tls_server_alpn_cb, state);
3019 # ifndef DISABLE_OCSP
3021 if(ocsp_file) /* wanting stapling */
3023 if (!(state->u_ocsp.client.verify_store = X509_STORE_new()))
3025 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
3029 SSL_CTX_set_tlsext_status_cb(ctx, tls_client_stapling_cb);
3030 SSL_CTX_set_tlsext_status_arg(ctx, state);
3033 #endif /*EXIM_HAVE_OPENSSL_TLSEXT*/
3035 state->verify_cert_hostnames = NULL;
3037 #ifdef EXIM_HAVE_EPHEM_RSA_KEX
3038 /* Set up the RSA callback */
3039 SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
3042 /* Finally, set the session cache timeout, and we are done.
3043 The period appears to be also used for (server-generated) session tickets */
3045 SSL_CTX_set_timeout(ctx, ssl_session_timeout);
3046 DEBUG(D_tls) debug_printf("Initialized TLS\n");
3048 *caller_state = state;
3056 /*************************************************
3057 * Get name of cipher in use *
3058 *************************************************/
3061 Argument: pointer to an SSL structure for the connection
3062 pointer to number of bits for cipher
3063 Returns: pointer to allocated string in perm-pool
3067 construct_cipher_name(SSL * ssl, const uschar * ver, int * bits)
3069 int pool = store_pool;
3070 /* With OpenSSL 1.0.0a, 'c' needs to be const but the documentation doesn't
3071 yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
3072 the accessor functions use const in the prototype. */
3074 const SSL_CIPHER * c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
3077 SSL_CIPHER_get_bits(c, bits);
3079 store_pool = POOL_PERM;
3080 s = string_sprintf("%s:%s:%u", ver, SSL_CIPHER_get_name(c), *bits);
3082 DEBUG(D_tls) debug_printf("Cipher: %s\n", s);
3087 /* Get IETF-standard name for ciphersuite.
3088 Argument: pointer to an SSL structure for the connection
3089 Returns: pointer to string
3092 static const uschar *
3093 cipher_stdname_ssl(SSL * ssl)
3095 #ifdef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
3096 return CUS SSL_CIPHER_standard_name(SSL_get_current_cipher(ssl));
3098 ushort id = 0xffff & SSL_CIPHER_get_id(SSL_get_current_cipher(ssl));
3099 return cipher_stdname(id >> 8, id & 0xff);
3104 static const uschar *
3105 tlsver_name(SSL * ssl)
3108 int pool = store_pool;
3110 store_pool = POOL_PERM;
3111 s = string_copy(US SSL_get_version(ssl));
3113 if ((p = Ustrchr(s, 'v'))) /* TLSv1.2 -> TLS1.2 */
3114 for (;; p++) if (!(*p = p[1])) break;
3120 peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned siz)
3122 /*XXX we might consider a list-of-certs variable for the cert chain.
3123 SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
3124 in list-handling functions, also consider the difference between the entire
3125 chain and the elements sent by the peer. */
3127 tlsp->peerdn = NULL;
3129 /* Will have already noted peercert on a verify fail; possibly not the leaf */
3130 if (!tlsp->peercert)
3131 tlsp->peercert = SSL_get_peer_certificate(ssl);
3132 /* Beware anonymous ciphers which lead to server_cert being NULL */
3134 if (!X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, siz))
3135 { DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n"); }
3138 int oldpool = store_pool;
3140 peerdn[siz-1] = '\0'; /* paranoia */
3141 store_pool = POOL_PERM;
3142 tlsp->peerdn = string_copy(peerdn);
3143 store_pool = oldpool;
3145 /* We used to set CV in the cert-verify callbacks (either plain or dane)
3146 but they don't get called on session-resumption. So use the official
3147 interface, which uses the resumed value. Unfortunately this claims verified
3148 when it actually failed but we're in try-verify mode, due to us wanting the
3149 knowlege that it failed so needing to have the callback and forcing a
3150 permissive return. If we don't force it, the TLS startup is failed.
3151 The extra bit of information is set in verify_override in the cb, stashed
3152 for resumption next to the TLS session, and used here. */
3154 if (!tlsp->verify_override)
3155 tlsp->certificate_verified =
3157 tlsp->dane_verified ||
3159 SSL_get_verify_result(ssl) == X509_V_OK;
3167 /*************************************************
3168 * Set up for verifying certificates *
3169 *************************************************/
3171 #ifndef DISABLE_OCSP
3172 /* In the server, load certs from file, return TRUE on success */
3175 chain_from_pem_file(const uschar * file, STACK_OF(X509) ** vp)
3178 STACK_OF(X509) * verify_stack = *vp;
3181 while (sk_X509_num(verify_stack) > 0)
3182 X509_free(sk_X509_pop(verify_stack));
3184 verify_stack = sk_X509_new_null();
3186 if (!(bp = BIO_new_file(CS file, "r"))) return FALSE;
3187 for (X509 * x; x = PEM_read_bio_X509(bp, NULL, 0, NULL); )
3188 sk_X509_push(verify_stack, x);
3197 /* Called by both client and server startup; on the server possibly
3198 repeated after a Server Name Indication.
3201 sctx SSL_CTX* to initialise
3202 certsp certs file, returned expanded
3203 crl CRL file or NULL
3204 host NULL in a server; the remote host in a client
3205 errstr error string pointer
3207 Returns: OK/DEFER/FAIL
3211 setup_certs(SSL_CTX * sctx, uschar ** certsp, uschar * crl, host_item * host,
3214 uschar * expcerts, * expcrl;
3216 if (!expand_check(*certsp, US"tls_verify_certificates", &expcerts, errstr))
3218 DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
3221 if (expcerts && *expcerts)
3223 /* Tell the library to use its compiled-in location for the system default
3224 CA bundle. Then add the ones specified in the config, if any. */
3226 if (!SSL_CTX_set_default_verify_paths(sctx))
3227 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL, errstr);
3229 if (Ustrcmp(expcerts, "system") != 0 && Ustrncmp(expcerts, "system,", 7) != 0)
3231 struct stat statbuf;
3233 if (Ustat(expcerts, &statbuf) < 0)
3235 log_write(0, LOG_MAIN|LOG_PANIC,
3236 "failed to stat %s for certificates", expcerts);
3242 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
3243 { file = NULL; dir = expcerts; }
3246 STACK_OF(X509) * verify_stack =
3247 #ifndef DISABLE_OCSP
3248 !host ? state_server.u_ocsp.server.verify_stack :
3251 STACK_OF(X509) ** vp = &verify_stack;
3253 file = expcerts; dir = NULL;
3254 #ifndef DISABLE_OCSP
3255 /* In the server if we will be offering an OCSP proof; load chain from
3256 file for verifying the OCSP proof at load time. */
3258 /*XXX Glitch! The file here is tls_verify_certs: the chain for verifying the client cert.
3259 This is inconsistent with the need to verify the OCSP proof of the server cert.
3261 /* *debug_printf("file for checking server ocsp stapling is: %s\n", file); */
3263 && statbuf.st_size > 0
3264 && state_server.u_ocsp.server.file
3265 && !chain_from_pem_file(file, vp)
3268 log_write(0, LOG_MAIN|LOG_PANIC,
3269 "failed to load cert chain from %s", file);
3275 /* If a certificate file is empty, the load function fails with an
3276 unhelpful error message. If we skip it, we get the correct behaviour (no
3277 certificates are recognized, but the error message is still misleading (it
3278 says no certificate was supplied). But this is better. */
3280 if ( (!file || statbuf.st_size > 0)
3281 && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
3282 return tls_error(US"SSL_CTX_load_verify_locations",
3283 host, NULL, errstr);
3285 /* On the server load the list of CAs for which we will accept certs, for
3286 sending to the client. This is only for the one-file
3287 tls_verify_certificates variant.
3288 If a list isn't loaded into the server, but some verify locations are set,
3289 the server end appears to make a wildcard request for client certs.
3290 Meanwhile, the client library as default behaviour *ignores* the list
3291 we send over the wire - see man SSL_CTX_set_client_cert_cb.
3292 Because of this, and that the dir variant is likely only used for
3293 the public-CA bundle (not for a private CA), not worth fixing. */
3297 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
3298 int i = sk_X509_NAME_num(names);
3300 if (!host) SSL_CTX_set_client_CA_list(sctx, names);
3301 DEBUG(D_tls) debug_printf("Added %d additional certificate authorit%s\n",
3302 i, i>1 ? "ies":"y");
3306 debug_printf("Added dir for additional certificate authorities\n");
3310 /* Handle a certificate revocation list. */
3312 #if OPENSSL_VERSION_NUMBER > 0x00907000L
3314 /* This bit of code is now the version supplied by Lars Mainka. (I have
3315 merely reformatted it into the Exim code style.)
3317 "From here I changed the code to add support for multiple crl's
3318 in pem format in one file or to support hashed directory entries in
3319 pem format instead of a file. This method now uses the library function
3320 X509_STORE_load_locations to add the CRL location to the SSL context.
3321 OpenSSL will then handle the verify against CA certs and CRLs by
3322 itself in the verify callback." */
3324 if (!expand_check(crl, US"tls_crl", &expcrl, errstr)) return DEFER;
3325 if (expcrl && *expcrl)
3327 struct stat statbufcrl;
3328 if (Ustat(expcrl, &statbufcrl) < 0)
3330 log_write(0, LOG_MAIN|LOG_PANIC,
3331 "failed to stat %s for certificates revocation lists", expcrl);
3336 /* is it a file or directory? */
3338 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
3339 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
3343 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
3349 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
3351 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
3352 return tls_error(US"X509_STORE_load_locations", host, NULL, errstr);
3354 /* setting the flags to check against the complete crl chain */
3356 X509_STORE_set_flags(cvstore,
3357 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
3361 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
3370 tls_dump_keylog(SSL * ssl)
3372 #ifdef EXIM_HAVE_OPENSSL_KEYLOG
3373 BIO * bp = BIO_new(BIO_s_mem());
3376 SSL_SESSION_print_keylog(bp, SSL_get_session(ssl));
3377 len = (int) BIO_get_mem_data(bp, CSS &s);
3378 if (len > 0) debug_printf("%.*s", len, s);
3384 /* Channel-binding info for authenticators
3385 See description in https://paquier.xyz/postgresql-2/channel-binding-openssl/
3390 tls_get_channel_binding(SSL * ssl, tls_support * tlsp, const void * taintval)
3395 #ifdef EXIM_HAVE_EXPORT_CHNL_BNGNG
3396 if (SSL_version(ssl) > TLS1_2_VERSION)
3398 /* It's not documented by OpenSSL how big the output buffer must be.
3399 The OpenSSL testcases use 80 bytes but don't say why. The GnuTLS impl only
3400 serves out 32B. RFC 9266 says it is 32B.
3401 Interop fails unless we use the same each end. */
3404 tlsp->channelbind_exporter = TRUE;
3405 taintval = GET_UNTAINTED;
3406 if (SSL_export_keying_material(ssl,
3407 s = store_get((int)len, taintval), len,
3408 "EXPORTER-Channel-Binding", (size_t) 24,
3415 len = SSL_get_peer_finished(ssl, &c, 0);
3416 len = SSL_get_peer_finished(ssl, s = store_get((int)len, taintval), len);
3421 int old_pool = store_pool;
3422 store_pool = POOL_PERM;
3423 tlsp->channelbinding = b64encode_taint(CUS s, (int)len, taintval);
3424 store_pool = old_pool;
3425 DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage %p %p\n", tlsp->channelbinding, tlsp);
3430 /*************************************************
3431 * Start a TLS session in a server *
3432 *************************************************/
3433 /* This is called when Exim is running as a server, after having received
3434 the STARTTLS command. It must respond to that command, and then negotiate
3438 errstr pointer to error message
3440 Returns: OK on success
3441 DEFER for errors before the start of the negotiation
3442 FAIL for errors during the negotiation; the server can't
3447 tls_server_start(uschar ** errstr)
3450 uschar * expciphers;
3451 exim_openssl_state_st * dummy_statep;
3454 static uschar peerdn[256];
3456 /* Check for previous activation */
3458 if (tls_in.active.sock >= 0)
3460 tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
3461 smtp_printf("554 Already in TLS\r\n", FALSE);
3465 /* Initialize the SSL library. If it fails, it will already have logged
3468 rc = tls_init(NULL, NULL,
3469 #ifndef DISABLE_OCSP
3472 NULL, &dummy_statep, &tls_in, errstr);
3473 if (rc != OK) return rc;
3474 ctx = state_server.lib_state.lib_ctx;
3476 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
3477 were historically separated by underscores. So that I can use either form in my
3478 tests, and also for general convenience, we turn underscores into hyphens here.
3480 XXX SSL_CTX_set_cipher_list() is replaced by SSL_CTX_set_ciphersuites()
3481 for TLS 1.3 . Since we do not call it at present we get the default list:
3482 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
3485 if (state_server.lib_state.pri_string)
3486 { DEBUG(D_tls) debug_printf("TLS: cipher list was preloaded\n"); }
3489 if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers, errstr))
3494 normalise_ciphers(&expciphers, tls_require_ciphers);
3495 if ((rc = server_load_ciphers(ctx, &state_server, expciphers, errstr)) != OK)
3500 /* If this is a host for which certificate verification is mandatory or
3501 optional, set up appropriately. */
3503 tls_in.certificate_verified = FALSE;
3505 tls_in.dane_verified = FALSE;
3507 server_verify_callback_called = FALSE;
3509 if (verify_check_host(&tls_verify_hosts) == OK)
3510 server_verify_optional = FALSE;
3511 else if (verify_check_host(&tls_try_verify_hosts) == OK)
3512 server_verify_optional = TRUE;
3517 uschar * v_certs = tls_verify_certificates;
3519 if (state_server.lib_state.cabundle)
3521 DEBUG(D_tls) debug_printf("TLS: CA bundle for server was preloaded\n");
3522 setup_cert_verify(ctx, server_verify_optional, verify_callback_server);
3526 if ((rc = setup_certs(ctx, &v_certs, tls_crl, NULL, errstr)) != OK)
3528 if (v_certs && *v_certs)
3529 setup_cert_verify(ctx, server_verify_optional, verify_callback_server);
3534 #ifndef DISABLE_TLS_RESUME
3535 # if OPENSSL_VERSION_NUMBER < 0x30000000L
3536 SSL_CTX_set_tlsext_ticket_key_cb(ctx, ticket_key_callback);
3537 /* despite working, appears to always return failure, so ignoring */
3539 SSL_CTX_set_tlsext_ticket_key_evp_cb(ctx, ticket_key_callback);
3540 /* despite working, appears to always return failure, so ignoring */
3544 #ifdef OPENSSL_HAVE_NUM_TICKETS
3545 # ifndef DISABLE_TLS_RESUME
3546 SSL_CTX_set_num_tickets(ctx, tls_in.host_resumable ? 1 : 0);
3548 SSL_CTX_set_num_tickets(ctx, 0); /* send no TLS1.3 stateful-tickets */
3553 /* Prepare for new connection */
3555 if (!(ssl = SSL_new(ctx)))
3556 return tls_error(US"SSL_new", NULL, NULL, errstr);
3557 state_server.lib_state.lib_ssl = ssl;
3559 /* Warning: we used to SSL_clear(ssl) here, it was removed.
3561 * With the SSL_clear(), we get strange interoperability bugs with
3562 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
3563 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
3565 * The SSL_clear() call is to let an existing SSL* be reused, typically after
3566 * session shutdown. In this case, we have a brand new object and there's no
3567 * obvious reason to immediately clear it. I'm guessing that this was
3568 * originally added because of incomplete initialisation which the clear fixed,
3569 * in some historic release.
3572 /* Set context and tell client to go ahead, except in the case of TLS startup
3573 on connection, where outputting anything now upsets the clients and tends to
3574 make them disconnect. We need to have an explicit fflush() here, to force out
3575 the response. Other smtp_printf() calls do not need it, because in non-TLS
3576 mode, the fflush() happens when smtp_getc() is called. */
3578 SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
3579 if (!tls_in.on_connect)
3581 smtp_printf("220 TLS go ahead\r\n", FALSE);
3585 /* Now negotiate the TLS session. We put our own timer on it, since it seems
3586 that the OpenSSL library doesn't. */
3588 SSL_set_wfd(ssl, fileno(smtp_out));
3589 SSL_set_rfd(ssl, fileno(smtp_in));
3590 SSL_set_accept_state(ssl);
3592 DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
3595 sigalrm_seen = FALSE;
3596 if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
3597 rc = SSL_accept(ssl);
3602 int error = SSL_get_error(ssl, rc);
3605 case SSL_ERROR_NONE:
3608 case SSL_ERROR_ZERO_RETURN:
3609 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
3610 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
3611 #ifndef DISABLE_EVENT
3612 (void) event_raise(event_action, US"tls:fail:connect", *errstr, NULL);
3614 if (SSL_get_shutdown(ssl) == SSL_RECEIVED_SHUTDOWN)
3617 tls_close(NULL, TLS_NO_SHUTDOWN);
3620 /* Handle genuine errors */
3624 int r = ERR_GET_REASON(ERR_peek_error());
3625 if ( r == SSL_R_WRONG_VERSION_NUMBER
3626 #ifdef SSL_R_VERSION_TOO_LOW
3627 || r == SSL_R_VERSION_TOO_LOW
3629 || r == SSL_R_UNKNOWN_PROTOCOL || r == SSL_R_UNSUPPORTED_PROTOCOL)
3630 s = string_sprintf("(%s)", SSL_get_version(ssl));
3631 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : s, errstr);
3632 #ifndef DISABLE_EVENT
3633 (void) event_raise(event_action, US"tls:fail:connect", *errstr, NULL);
3639 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
3640 if (error == SSL_ERROR_SYSCALL)
3644 *errstr = US"SSL_accept: TCP connection closed by peer";
3645 #ifndef DISABLE_EVENT
3646 (void) event_raise(event_action, US"tls:fail:connect", *errstr, NULL);
3650 DEBUG(D_tls) debug_printf(" - syscall %s\n", strerror(errno));
3652 (void) tls_error(US"SSL_accept", NULL,
3653 sigalrm_seen ? US"timed out"
3654 : ERR_peek_error() ? NULL : string_sprintf("ret %d", error),
3656 #ifndef DISABLE_EVENT
3657 (void) event_raise(event_action, US"tls:fail:connect", *errstr, NULL);
3663 DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
3664 ERR_clear_error(); /* Even success can leave errors in the stack. Seen with
3665 anon-authentication ciphersuite negotiated. */
3667 #ifndef DISABLE_TLS_RESUME
3668 if (SSL_session_reused(ssl))
3670 tls_in.resumption |= RESUME_USED;
3671 DEBUG(D_tls) debug_printf("Session reused\n");
3675 #ifdef EXIM_HAVE_ALPN
3676 /* If require-alpn, check server_seen_alpn here. Else abort TLS */
3677 if (!tls_alpn || !*tls_alpn)
3678 { DEBUG(D_tls) debug_printf("TLS: was not watching for ALPN\n"); }
3679 else if (!server_seen_alpn)
3680 if (verify_check_host(&hosts_require_alpn) == OK)
3682 /* We'd like to send a definitive Alert but OpenSSL provides no facility */
3684 tls_error(US"handshake", NULL, US"ALPN required but not negotiated", errstr);
3688 { DEBUG(D_tls) debug_printf("TLS: no ALPN presented in handshake\n"); }
3691 const uschar * name;
3693 SSL_get0_alpn_selected(ssl, &name, &len);
3695 debug_printf("ALPN negotiated: '%.*s'\n", (int)*name, name+1);
3697 debug_printf("ALPN: no protocol negotiated\n");
3702 /* TLS has been set up. Record data for the connection,
3703 adjust the input functions to read via TLS, and initialize things. */
3705 #ifdef SSL_get_extms_support
3706 /*XXX what does this return for tls1.3 ? */
3707 tls_in.ext_master_secret = SSL_get_extms_support(ssl) == 1;
3709 peer_cert(ssl, &tls_in, peerdn, sizeof(peerdn));
3711 tls_in.ver = tlsver_name(ssl);
3712 tls_in.cipher = construct_cipher_name(ssl, tls_in.ver, &tls_in.bits);
3713 tls_in.cipher_stdname = cipher_stdname_ssl(ssl);
3718 if (SSL_get_shared_ciphers(ssl, CS buf, sizeof(buf)))
3719 debug_printf("Shared ciphers: %s\n", buf);
3721 tls_dump_keylog(ssl);
3723 #ifdef EXIM_HAVE_SESSION_TICKET
3725 SSL_SESSION * ss = SSL_get_session(ssl);
3726 if (SSL_SESSION_has_ticket(ss)) /* 1.1.0 */
3727 debug_printf("The session has a ticket, life %lu seconds\n",
3728 SSL_SESSION_get_ticket_lifetime_hint(ss));
3733 /* Record the certificate we presented */
3735 X509 * crt = SSL_get_certificate(ssl);
3736 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
3739 tls_get_channel_binding(ssl, &tls_in, GET_UNTAINTED);
3741 /* Only used by the server-side tls (tls_in), including tls_getc.
3742 Client-side (tls_out) reads (seem to?) go via
3743 smtp_read_response()/ip_recv().
3744 Hence no need to duplicate for _in and _out.
3746 if (!ssl_xfer_buffer) ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
3747 ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
3748 ssl_xfer_eof = ssl_xfer_error = FALSE;
3750 receive_getc = tls_getc;
3751 receive_getbuf = tls_getbuf;
3752 receive_get_cache = tls_get_cache;
3753 receive_hasc = tls_hasc;
3754 receive_ungetc = tls_ungetc;
3755 receive_feof = tls_feof;
3756 receive_ferror = tls_ferror;
3758 tls_in.active.sock = fileno(smtp_out);
3759 tls_in.active.tls_ctx = NULL; /* not using explicit ctx for server-side */
3767 tls_client_basic_ctx_init(SSL_CTX * ctx,
3768 host_item * host, smtp_transport_options_block * ob, exim_openssl_state_st * state,
3773 /* Back-compatible old behaviour if tls_verify_certificates is set but both
3774 tls_verify_hosts and tls_try_verify_hosts are not set. Check only the specified
3775 host patterns if one of them is set with content. */
3777 if ( ( ( !ob->tls_verify_hosts || !ob->tls_verify_hosts
3778 || Ustrcmp(ob->tls_try_verify_hosts, ":") == 0
3780 && ( !ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts
3781 || Ustrcmp(ob->tls_try_verify_hosts, ":") == 0
3784 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
3786 client_verify_optional = FALSE;
3787 else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
3788 client_verify_optional = TRUE;
3793 uschar * v_certs = ob->tls_verify_certificates;
3795 if (state->lib_state.cabundle)
3797 DEBUG(D_tls) debug_printf("TLS: CA bundle for tpt was preloaded\n");
3798 setup_cert_verify(ctx, client_verify_optional, verify_callback_client);
3802 if ((rc = setup_certs(ctx, &v_certs, ob->tls_crl, host, errstr)) != OK)
3804 if (v_certs && *v_certs)
3805 setup_cert_verify(ctx, client_verify_optional, verify_callback_client);
3809 if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
3811 state->verify_cert_hostnames =
3813 string_domain_utf8_to_alabel(host->certname, NULL);
3817 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
3818 state->verify_cert_hostnames);
3826 dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa, uschar ** errstr)
3829 const char * hostnames[2] = { CS host->name, NULL };
3832 if (DANESSL_init(ssl, NULL, hostnames) != 1)
3833 return tls_error(US"hostnames load", host, NULL, errstr);
3835 for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
3836 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
3837 ) if (rr->type == T_TLSA && rr->size > 3)
3839 const uschar * p = rr->data;
3840 uint8_t usage, selector, mtype;
3841 const char * mdname;
3845 /* Only DANE-TA(2) and DANE-EE(3) are supported */
3846 if (usage != 2 && usage != 3) continue;
3853 default: continue; /* Only match-types 0, 1, 2 are supported */
3854 case 0: mdname = NULL; break;
3855 case 1: mdname = "sha256"; break;
3856 case 2: mdname = "sha512"; break;
3860 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
3863 return tls_error(US"tlsa load", host, NULL, errstr);
3864 case 0: /* action not taken */
3868 tls_out.tlsa_usage |= 1<<usage;
3874 log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
3877 #endif /*SUPPORT_DANE*/
3881 #ifndef DISABLE_TLS_RESUME
3882 /* On the client, get any stashed session for the given IP from hints db
3883 and apply it to the ssl-connection for attempted resumption. */
3886 tls_retrieve_session(tls_support * tlsp, SSL * ssl)
3888 if (tlsp->host_resumable)
3890 dbdata_tls_session * dt;
3892 open_db dbblock, * dbm_file;
3894 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
3896 debug_printf("checking for resumable session for %s\n", tlsp->resume_index);
3897 if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
3899 if ((dt = dbfn_read_with_length(dbm_file, tlsp->resume_index, &len)))
3901 SSL_SESSION * ss = NULL;
3902 const uschar * sess_asn1 = dt->session;
3904 len -= sizeof(dbdata_tls_session);
3905 if (!(d2i_SSL_SESSION(&ss, &sess_asn1, (long)len)))
3909 ERR_error_string_n(ERR_get_error(),
3910 ssl_errstring, sizeof(ssl_errstring));
3911 debug_printf("decoding session: %s\n", ssl_errstring);
3916 unsigned long lifetime =
3917 #ifdef EXIM_HAVE_SESSION_TICKET
3918 SSL_SESSION_get_ticket_lifetime_hint(ss);
3919 #else /* Use, fairly arbitrilarily, what we as server would */
3920 f.running_in_test_harness ? TESTSUITE_TICKET_LIFE : ssl_session_timeout;
3922 time_t now = time(NULL), expires = lifetime + dt->time_stamp;
3925 DEBUG(D_tls) debug_printf("session expired (by " TIME_T_FMT "s from %lus)\n", now - expires, lifetime);
3926 dbfn_delete(dbm_file, tlsp->resume_index);
3928 else if (SSL_set_session(ssl, ss))
3930 DEBUG(D_tls) debug_printf("good session (" TIME_T_FMT "s left of %lus)\n", expires - now, lifetime);
3931 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
3932 tlsp->verify_override = dt->verify_override;
3933 tlsp->ocsp = dt->ocsp;
3937 ERR_error_string_n(ERR_get_error(),
3938 ssl_errstring, sizeof(ssl_errstring));
3939 debug_printf("applying session to ssl: %s\n", ssl_errstring);
3944 DEBUG(D_tls) debug_printf("no session record\n");
3945 dbfn_close(dbm_file);
3951 /* On the client, save the session for later resumption */
3954 tls_save_session_cb(SSL * ssl, SSL_SESSION * ss)
3956 exim_openssl_state_st * cbinfo = SSL_get_ex_data(ssl, tls_exdata_idx);
3959 DEBUG(D_tls) debug_printf("tls_save_session_cb\n");
3961 if (!cbinfo || !(tlsp = cbinfo->tlsp)->host_resumable) return 0;
3963 # ifdef OPENSSL_HAVE_NUM_TICKETS
3964 if (SSL_SESSION_is_resumable(ss)) /* 1.1.1 */
3967 int len = i2d_SSL_SESSION(ss, NULL);
3968 int dlen = sizeof(dbdata_tls_session) + len;
3969 dbdata_tls_session * dt = store_get(dlen, GET_TAINTED);
3970 uschar * s = dt->session;
3971 open_db dbblock, * dbm_file;
3973 DEBUG(D_tls) debug_printf("session is resumable\n");
3974 tlsp->resumption |= RESUME_SERVER_TICKET; /* server gave us a ticket */
3976 dt->verify_override = tlsp->verify_override;
3977 dt->ocsp = tlsp->ocsp;
3978 (void) i2d_SSL_SESSION(ss, &s); /* s gets bumped to end */
3980 if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
3982 dbfn_write(dbm_file, tlsp->resume_index, dt, dlen);
3983 dbfn_close(dbm_file);
3984 DEBUG(D_tls) debug_printf("wrote session (len %u) to db\n",
3992 /* Construct a key for session DB lookup, and setup the SSL_CTX for resumption */
3995 tls_client_ctx_resume_prehandshake(
3996 exim_openssl_client_tls_ctx * exim_client_ctx, smtp_connect_args * conn_args,
3997 tls_support * tlsp, smtp_transport_options_block * ob)
3999 tlsp->host_resumable = TRUE;
4000 tls_client_resmption_key(tlsp, conn_args, ob);
4002 SSL_CTX_set_session_cache_mode(exim_client_ctx->ctx,
4003 SSL_SESS_CACHE_CLIENT
4004 | SSL_SESS_CACHE_NO_INTERNAL | SSL_SESS_CACHE_NO_AUTO_CLEAR);
4005 SSL_CTX_sess_set_new_cb(exim_client_ctx->ctx, tls_save_session_cb);
4009 tls_client_ssl_resume_prehandshake(SSL * ssl, tls_support * tlsp,
4010 host_item * host, uschar ** errstr)
4012 if (tlsp->host_resumable)
4015 debug_printf("tls_resumption_hosts overrides openssl_options, enabling tickets\n");
4016 SSL_clear_options(ssl, SSL_OP_NO_TICKET);
4018 tls_exdata_idx = SSL_get_ex_new_index(0, 0, 0, 0, 0);
4019 if (!SSL_set_ex_data(ssl, tls_exdata_idx, client_static_state))
4021 tls_error(US"set ex_data", host, NULL, errstr);
4024 /* debug_printf("tls_exdata_idx %d cbinfo %p\n", tls_exdata_idx, client_static_state); */
4027 tlsp->resumption = RESUME_SUPPORTED;
4028 /* Pick up a previous session, saved on an old ticket */
4029 tls_retrieve_session(tlsp, ssl);
4034 tls_client_resume_posthandshake(exim_openssl_client_tls_ctx * exim_client_ctx,
4037 if (SSL_session_reused(exim_client_ctx->ssl))
4039 DEBUG(D_tls) debug_printf("The session was reused\n");
4040 tlsp->resumption |= RESUME_USED;
4043 #endif /* !DISABLE_TLS_RESUME */
4046 #ifdef EXIM_HAVE_ALPN
4047 /* Expand and convert an Exim list to an ALPN list. False return for fail.
4048 NULL plist return for silent no-ALPN.
4050 Overwite the passed-in list with the expanded version.
4054 tls_alpn_plist(uschar ** tls_alpn, const uschar ** plist, unsigned * plen,
4059 if (!expand_check(*tls_alpn, US"tls_alpn", &exp_alpn, errstr))
4061 *tls_alpn = exp_alpn;
4065 DEBUG(D_tls) debug_printf("Setting TLS ALPN forced to fail, not sending\n");
4070 /* The server implementation only accepts exactly one protocol name
4071 but it's little extra code complexity in the client. */
4073 const uschar * list = exp_alpn;
4074 uschar * p = store_get(Ustrlen(exp_alpn), exp_alpn), * s, * t;
4078 for (t = p; s = string_nextinlist(&list, &sep, NULL, 0); t += len)
4080 *t++ = len = (uschar) Ustrlen(s);
4083 *plist = (*plen = t - p) ? p : NULL;
4087 #endif /* EXIM_HAVE_ALPN */
4090 /*************************************************
4091 * Start a TLS session in a client *
4092 *************************************************/
4094 /* Called from the smtp transport after STARTTLS has been accepted.
4097 cctx connection context
4098 conn_args connection details
4099 cookie datum for randomness; can be NULL
4100 tlsp record details of TLS channel configuration here; must be non-NULL
4101 errstr error string pointer
4103 Returns: TRUE for success with TLS session context set in connection context,
4108 tls_client_start(client_conn_ctx * cctx, smtp_connect_args * conn_args,
4109 void * cookie, tls_support * tlsp, uschar ** errstr)
4111 host_item * host = conn_args->host; /* for msgs and option-tests */
4112 transport_instance * tb = conn_args->tblock; /* always smtp or NULL */
4113 smtp_transport_options_block * ob = tb
4114 ? (smtp_transport_options_block *)tb->options_block
4115 : &smtp_transport_option_defaults;
4116 exim_openssl_client_tls_ctx * exim_client_ctx;
4117 uschar * expciphers;
4119 static uschar peerdn[256];
4121 #ifndef DISABLE_OCSP
4122 BOOL request_ocsp = FALSE;
4123 BOOL require_ocsp = FALSE;
4127 store_pool = POOL_PERM;
4128 exim_client_ctx = store_get(sizeof(exim_openssl_client_tls_ctx), GET_UNTAINTED);
4129 exim_client_ctx->corked = NULL;
4133 tlsp->tlsa_usage = 0;
4136 #ifndef DISABLE_OCSP
4138 # ifdef SUPPORT_DANE
4139 if ( conn_args->dane
4140 && ob->hosts_request_ocsp[0] == '*'
4141 && ob->hosts_request_ocsp[1] == '\0'
4144 /* Unchanged from default. Use a safer one under DANE */
4145 request_ocsp = TRUE;
4146 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
4147 " {= {4}{$tls_out_tlsa_usage}} } "
4153 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK))
4154 request_ocsp = TRUE;
4156 # ifdef SUPPORT_DANE
4160 verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
4162 # if defined(SUPPORT_DANE) && !defined(EXIM_HAVE_OPENSSL_OCSP_RESP_GET0_SIGNER)
4163 if (conn_args->dane && (require_ocsp || request_ocsp))
4165 DEBUG(D_tls) debug_printf("OpenSSL version to early to combine OCSP"
4166 " and DANE; disabling OCSP\n");
4167 require_ocsp = request_ocsp = FALSE;
4173 rc = tls_init(host, ob,
4174 #ifndef DISABLE_OCSP
4175 (void *)(long)request_ocsp,
4177 cookie, &client_static_state, tlsp, errstr);
4178 if (rc != OK) return FALSE;
4180 exim_client_ctx->ctx = client_static_state->lib_state.lib_ctx;
4182 tlsp->certificate_verified = FALSE;
4183 client_verify_callback_called = FALSE;
4187 if (conn_args->dane)
4189 /* We fall back to tls_require_ciphers if unset, empty or forced failure, but
4190 other failures should be treated as problems. */
4191 if (ob->dane_require_tls_ciphers &&
4192 !expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
4193 &expciphers, errstr))
4195 if (expciphers && *expciphers == '\0')
4198 normalise_ciphers(&expciphers, ob->dane_require_tls_ciphers);
4203 if (!expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
4204 &expciphers, errstr))
4207 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
4208 are separated by underscores. So that I can use either form in my tests, and
4209 also for general convenience, we turn underscores into hyphens here. */
4211 normalise_ciphers(&expciphers, ob->tls_require_ciphers);
4216 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
4217 if (!SSL_CTX_set_cipher_list(exim_client_ctx->ctx, CS expciphers))
4219 tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr);
4225 if (conn_args->dane)
4227 SSL_CTX_set_verify(exim_client_ctx->ctx,
4228 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
4229 verify_callback_client_dane);
4231 if (!DANESSL_library_init())
4233 tls_error(US"library init", host, NULL, errstr);
4236 if (DANESSL_CTX_init(exim_client_ctx->ctx) <= 0)
4238 tls_error(US"context init", host, NULL, errstr);
4241 DEBUG(D_tls) debug_printf("since dane-mode conn, not loading the usual CA bundle\n");
4247 if (tls_client_basic_ctx_init(exim_client_ctx->ctx, host, ob,
4248 client_static_state, errstr) != OK)
4253 if (!expand_check(ob->tls_sni, US"tls_sni", &tlsp->sni, errstr))
4256 { DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n"); }
4257 else if (!Ustrlen(tlsp->sni))
4261 #ifndef EXIM_HAVE_OPENSSL_TLSEXT
4262 log_write(0, LOG_MAIN, "SNI unusable with this OpenSSL library version; ignoring \"%s\"\n",
4270 #ifdef EXIM_HAVE_ALPN
4272 const uschar * plist;
4275 if (!tls_alpn_plist(&ob->tls_alpn, &plist, &plen, errstr))
4278 if (SSL_CTX_set_alpn_protos(exim_client_ctx->ctx, plist, plen) != 0)
4280 tls_error(US"alpn init", host, NULL, errstr);
4284 DEBUG(D_tls) debug_printf("Setting TLS ALPN '%s'\n", ob->tls_alpn);
4287 log_write(0, LOG_MAIN, "ALPN unusable with this OpenSSL library version; ignoring \"%s\"\n",
4291 #ifndef DISABLE_TLS_RESUME
4292 /*XXX have_lbserver: another cmdline arg possibly, for continued-conn, but use
4293 will be very low. */
4295 if (!conn_args->have_lbserver) /* wanted for tls_client_resmption_key() */
4296 { DEBUG(D_tls) debug_printf("resumption not supported on continued-connection\n"); }
4297 else if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, host) == OK)
4298 tls_client_ctx_resume_prehandshake(exim_client_ctx, conn_args, tlsp, ob);
4302 if (!(exim_client_ctx->ssl = SSL_new(exim_client_ctx->ctx)))
4304 tls_error(US"SSL_new", host, NULL, errstr);
4307 SSL_set_session_id_context(exim_client_ctx->ssl, sid_ctx, Ustrlen(sid_ctx));
4308 SSL_set_fd(exim_client_ctx->ssl, cctx->sock);
4309 SSL_set_connect_state(exim_client_ctx->ssl);
4311 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
4314 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tlsp->sni);
4315 SSL_set_tlsext_host_name(exim_client_ctx->ssl, tlsp->sni);
4320 if (conn_args->dane)
4321 if (dane_tlsa_load(exim_client_ctx->ssl, host, &conn_args->tlsa_dnsa, errstr) != OK)
4325 #ifndef DISABLE_OCSP
4326 /* Request certificate status at connection-time. If the server
4327 does OCSP stapling we will get the callback (set in tls_init()) */
4328 # ifdef SUPPORT_DANE
4332 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
4333 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
4335 { /* Re-eval now $tls_out_tlsa_usage is populated. If
4336 this means we avoid the OCSP request, we wasted the setup
4337 cost in tls_init(). */
4338 require_ocsp = verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
4339 request_ocsp = require_ocsp
4340 || verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
4347 SSL_set_tlsext_status_type(exim_client_ctx->ssl, TLSEXT_STATUSTYPE_ocsp);
4348 client_static_state->u_ocsp.client.verify_required = require_ocsp;
4349 tlsp->ocsp = OCSP_NOT_RESP;
4353 #ifndef DISABLE_TLS_RESUME
4354 if (!tls_client_ssl_resume_prehandshake(exim_client_ctx->ssl, tlsp, host,
4359 #ifndef DISABLE_EVENT
4360 client_static_state->event_action = tb ? tb->event_action : NULL;
4363 /* There doesn't seem to be a built-in timeout on connection. */
4365 DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
4366 sigalrm_seen = FALSE;
4367 ALARM(ob->command_timeout);
4368 rc = SSL_connect(exim_client_ctx->ssl);
4372 if (conn_args->dane)
4373 DANESSL_cleanup(exim_client_ctx->ssl);
4378 #ifndef DISABLE_OCSP
4379 if (client_static_state->u_ocsp.client.verify_errstr)
4380 { if (errstr) *errstr = client_static_state->u_ocsp.client.verify_errstr; }
4383 tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL, errstr);
4389 debug_printf("SSL_connect succeeded\n");
4390 tls_dump_keylog(exim_client_ctx->ssl);
4393 #ifndef DISABLE_TLS_RESUME
4394 tls_client_resume_posthandshake(exim_client_ctx, tlsp);
4397 #ifdef EXIM_HAVE_ALPN
4398 if (ob->tls_alpn) /* We requested. See what was negotiated. */
4400 const uschar * name;
4403 SSL_get0_alpn_selected(exim_client_ctx->ssl, &name, &len);
4405 { DEBUG(D_tls) debug_printf("ALPN negotiated %u: '%.*s'\n", len, (int)*name, name+1); }
4406 else if (verify_check_given_host(CUSS &ob->hosts_require_alpn, host) == OK)
4408 /* Would like to send a relevant fatal Alert, but OpenSSL has no API */
4409 tls_error(US"handshake", host, US"ALPN required but not negotiated", errstr);
4415 #ifdef SSL_get_extms_support
4416 tlsp->ext_master_secret = SSL_get_extms_support(exim_client_ctx->ssl) == 1;
4418 peer_cert(exim_client_ctx->ssl, tlsp, peerdn, sizeof(peerdn));
4420 tlsp->ver = tlsver_name(exim_client_ctx->ssl);
4421 tlsp->cipher = construct_cipher_name(exim_client_ctx->ssl, tlsp->ver, &tlsp->bits);
4422 tlsp->cipher_stdname = cipher_stdname_ssl(exim_client_ctx->ssl);
4424 /* Record the certificate we presented */
4426 X509 * crt = SSL_get_certificate(exim_client_ctx->ssl);
4427 tlsp->ourcert = crt ? X509_dup(crt) : NULL;
4430 /*XXX will this work with continued-TLS? */
4431 tls_get_channel_binding(exim_client_ctx->ssl, tlsp, GET_TAINTED);
4433 tlsp->active.sock = cctx->sock;
4434 tlsp->active.tls_ctx = exim_client_ctx;
4435 cctx->tls_ctx = exim_client_ctx;
4444 tls_refill(unsigned lim)
4446 SSL * ssl = state_server.lib_state.lib_ssl;
4450 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
4451 ssl_xfer_buffer, ssl_xfer_buffer_size);
4454 if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
4455 inbytes = SSL_read(ssl, CS ssl_xfer_buffer,
4456 MIN(ssl_xfer_buffer_size, lim));
4457 error = SSL_get_error(ssl, inbytes);
4458 if (smtp_receive_timeout > 0) ALARM_CLR(0);
4460 if (had_command_timeout) /* set by signal handler */
4461 smtp_command_timeout_exit(); /* does not return */
4462 if (had_command_sigterm)
4463 smtp_command_sigterm_exit();
4464 if (had_data_timeout)
4465 smtp_data_timeout_exit();
4466 if (had_data_sigint)
4467 smtp_data_sigint_exit();
4469 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
4470 closed down, not that the socket itself has been closed down. Revert to
4471 non-SSL handling. */
4475 case SSL_ERROR_NONE:
4478 case SSL_ERROR_ZERO_RETURN:
4479 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
4481 if (SSL_get_shutdown(ssl) == SSL_RECEIVED_SHUTDOWN)
4484 tls_close(NULL, TLS_NO_SHUTDOWN);
4487 /* Handle genuine errors */
4489 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
4490 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
4491 ssl_xfer_error = TRUE;
4495 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
4496 DEBUG(D_tls) if (error == SSL_ERROR_SYSCALL)
4497 debug_printf(" - syscall %s\n", strerror(errno));
4498 ssl_xfer_error = TRUE;
4502 #ifndef DISABLE_DKIM
4503 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
4505 ssl_xfer_buffer_hwm = inbytes;
4506 ssl_xfer_buffer_lwm = 0;
4511 /*************************************************
4512 * TLS version of getc *
4513 *************************************************/
4515 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
4516 it refills the buffer via the SSL reading function.
4518 Arguments: lim Maximum amount to read/buffer
4519 Returns: the next character or EOF
4521 Only used by the server-side TLS.
4525 tls_getc(unsigned lim)
4527 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
4528 if (!tls_refill(lim))
4529 return ssl_xfer_error ? EOF : smtp_getc(lim);
4531 /* Something in the buffer; return next uschar */
4533 return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
4539 return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm;
4543 tls_getbuf(unsigned * len)
4548 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
4549 if (!tls_refill(*len))
4551 if (!ssl_xfer_error) return smtp_getbuf(len);
4556 if ((size = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm) > *len)
4558 buf = &ssl_xfer_buffer[ssl_xfer_buffer_lwm];
4559 ssl_xfer_buffer_lwm += size;
4566 tls_get_cache(unsigned lim)
4568 #ifndef DISABLE_DKIM
4569 int n = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm;
4573 dkim_exim_verify_feed(ssl_xfer_buffer+ssl_xfer_buffer_lwm, n);
4579 tls_could_getc(void)
4581 return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm
4582 || SSL_pending(state_server.lib_state.lib_ssl) > 0;
4586 /*************************************************
4587 * Read bytes from TLS channel *
4588 *************************************************/
4592 ct_ctx client context pointer, or NULL for the one global server context
4596 Returns: the number of bytes read
4597 -1 after a failed read, including EOF
4599 Only used by the client-side TLS.
4603 tls_read(void * ct_ctx, uschar *buff, size_t len)
4605 SSL * ssl = ct_ctx ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl
4606 : state_server.lib_state.lib_ssl;
4610 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
4611 buff, (unsigned int)len);
4614 inbytes = SSL_read(ssl, CS buff, len);
4615 error = SSL_get_error(ssl, inbytes);
4617 if (error == SSL_ERROR_ZERO_RETURN)
4619 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
4622 else if (error != SSL_ERROR_NONE)
4632 /*************************************************
4633 * Write bytes down TLS channel *
4634 *************************************************/
4638 ct_ctx client context pointer, or NULL for the one global server context
4641 more further data expected soon
4643 Returns: the number of bytes after a successful write,
4644 -1 after a failed write
4646 Used by both server-side and client-side TLS. Calling with len zero and more unset
4647 will flush buffered writes; buff can be null for this case.
4651 tls_write(void * ct_ctx, const uschar * buff, size_t len, BOOL more)
4654 int outbytes, error;
4656 ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl
4657 : state_server.lib_state.lib_ssl;
4658 static gstring * server_corked = NULL;
4659 gstring ** corkedp = ct_ctx
4660 ? &((exim_openssl_client_tls_ctx *)ct_ctx)->corked : &server_corked;
4661 gstring * corked = *corkedp;
4663 DEBUG(D_tls) debug_printf("%s(%p, %lu%s)\n", __FUNCTION__,
4664 buff, (unsigned long)len, more ? ", more" : "");
4666 /* Lacking a CORK or MSG_MORE facility (such as GnuTLS has) we copy data when
4667 "more" is notified. This hack is only ok if small amounts are involved AND only
4668 one stream does it, in one context (i.e. no store reset). Currently it is used
4669 for the responses to the received SMTP MAIL , RCPT, DATA sequence, only.
4670 We support callouts done by the server process by using a separate client
4671 context for the stashed information. */
4672 /* + if PIPE_COMMAND, banner & ehlo-resp for smmtp-on-connect. Suspect there's
4673 a store reset there, so use POOL_PERM. */
4674 /* + if CHUNKING, cmds EHLO,MAIL,RCPT(s),BDAT */
4678 if (!len) buff = US &error; /* dummy just so that string_catn is ok */
4680 int save_pool = store_pool;
4681 store_pool = POOL_PERM;
4683 corked = string_catn(corked, buff, len);
4685 store_pool = save_pool;
4692 buff = CUS corked->s;
4697 for (int left = len; left > 0;)
4699 DEBUG(D_tls) debug_printf("SSL_write(%p, %p, %d)\n", ssl, buff, left);
4701 outbytes = SSL_write(ssl, CS buff, left);
4702 error = SSL_get_error(ssl, outbytes);
4703 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
4706 case SSL_ERROR_NONE: /* the usual case */
4712 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
4713 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
4716 case SSL_ERROR_ZERO_RETURN:
4717 log_write(0, LOG_MAIN, "SSL channel closed on write");
4720 case SSL_ERROR_SYSCALL:
4721 if (ct_ctx || errno != ECONNRESET || !f.smtp_in_quit)
4722 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
4723 sender_fullhost ? sender_fullhost : US"<unknown>",
4725 else if (LOGGING(protocol_detail))
4726 log_write(0, LOG_MAIN, "[%s] after QUIT, client reset TCP before"
4727 " SMTP response and TLS close\n", sender_host_address);
4729 DEBUG(D_tls) debug_printf("[%s] SSL_write: after QUIT,"
4730 " client reset TCP before TLS close\n", sender_host_address);
4734 log_write(0, LOG_MAIN, "SSL_write error %d", error);
4745 ct_ctx client TLS context pointer, or NULL for the one global server context
4749 tls_shutdown_wr(void * ct_ctx)
4751 exim_openssl_client_tls_ctx * o_ctx = ct_ctx;
4752 SSL ** sslp = o_ctx ? &o_ctx->ssl : (SSL **) &state_server.lib_state.lib_ssl;
4753 int * fdp = o_ctx ? &tls_out.active.sock : &tls_in.active.sock;
4756 if (*fdp < 0) return; /* TLS was not active */
4758 tls_write(ct_ctx, NULL, 0, FALSE); /* flush write buffer */
4760 HDEBUG(D_transport|D_tls|D_acl|D_v) debug_printf_indent(" SMTP(TLS shutdown)>>\n");
4761 rc = SSL_shutdown(*sslp);
4762 if (rc < 0) DEBUG(D_tls)
4764 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
4765 debug_printf("SSL_shutdown: %s\n", ssl_errstring);
4769 /*************************************************
4770 * Close down a TLS session *
4771 *************************************************/
4773 /* This is also called from within a delivery subprocess forked from the
4774 daemon, to shut down the TLS library, without actually doing a shutdown (which
4775 would tamper with the SSL session in the parent process).
4778 ct_ctx client TLS context pointer, or NULL for the one global server context
4779 do_shutdown 0 no data-flush or TLS close-alert
4780 1 if TLS close-alert is to be sent,
4781 2 if also response to be waited for
4785 Used by both server-side and client-side TLS.
4789 tls_close(void * ct_ctx, int do_shutdown)
4791 exim_openssl_client_tls_ctx * o_ctx = ct_ctx;
4792 SSL ** sslp = o_ctx ? &o_ctx->ssl : (SSL **) &state_server.lib_state.lib_ssl;
4793 int * fdp = o_ctx ? &tls_out.active.sock : &tls_in.active.sock;
4795 if (*fdp < 0) return; /* TLS was not active */
4797 if (do_shutdown > TLS_NO_SHUTDOWN)
4800 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
4801 do_shutdown > TLS_SHUTDOWN_NOWAIT ? " (with response-wait)" : "");
4803 tls_write(ct_ctx, NULL, 0, FALSE); /* flush write buffer */
4805 if ( ( do_shutdown >= TLS_SHUTDOWN_WONLY
4806 || (rc = SSL_shutdown(*sslp)) == 0 /* send "close notify" alert */
4808 && do_shutdown > TLS_SHUTDOWN_NOWAIT
4811 #ifdef EXIM_TCP_CORK
4812 (void) setsockopt(*fdp, IPPROTO_TCP, EXIM_TCP_CORK, US &off, sizeof(off));
4815 rc = SSL_shutdown(*sslp); /* wait for response */
4819 if (rc < 0) DEBUG(D_tls)
4821 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
4822 debug_printf("SSL_shutdown: %s\n", ssl_errstring);
4826 if (!o_ctx) /* server side */
4828 #ifndef DISABLE_OCSP
4829 sk_X509_pop_free(state_server.u_ocsp.server.verify_stack, X509_free);
4830 state_server.u_ocsp.server.verify_stack = NULL;
4833 receive_getc = smtp_getc;
4834 receive_getbuf = smtp_getbuf;
4835 receive_get_cache = smtp_get_cache;
4836 receive_hasc = smtp_hasc;
4837 receive_ungetc = smtp_ungetc;
4838 receive_feof = smtp_feof;
4839 receive_ferror = smtp_ferror;
4840 tls_in.active.tls_ctx = NULL;
4842 /* Leave bits, peercert, cipher, peerdn, certificate_verified set, for logging */
4853 /*************************************************
4854 * Let tls_require_ciphers be checked at startup *
4855 *************************************************/
4857 /* The tls_require_ciphers option, if set, must be something which the
4860 Returns: NULL on success, or error message
4864 tls_validate_require_cipher(void)
4867 uschar * expciphers, * err;
4871 if (!(tls_require_ciphers && *tls_require_ciphers))
4874 if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
4876 return US"failed to expand tls_require_ciphers";
4878 if (!(expciphers && *expciphers))
4881 normalise_ciphers(&expciphers, tls_require_ciphers);
4884 if (lib_ctx_new(&ctx, NULL, &err) == OK)
4887 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
4889 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
4891 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
4892 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed: %s",
4893 expciphers, ssl_errstring);
4904 /*************************************************
4905 * Report the library versions. *
4906 *************************************************/
4908 /* There have historically been some issues with binary compatibility in
4909 OpenSSL libraries; if Exim (like many other applications) is built against
4910 one version of OpenSSL but the run-time linker picks up another version,
4911 it can result in serious failures, including crashing with a SIGSEGV. So
4912 report the version found by the compiler and the run-time version.
4914 Note: some OS vendors backport security fixes without changing the version
4915 number/string, and the version date remains unchanged. The _build_ date
4916 will change, so we can more usefully assist with version diagnosis by also
4917 reporting the build date.
4919 Arguments: string to append to
4924 tls_version_report(gstring * g)
4926 return string_fmt_append(g,
4927 "Library version: OpenSSL: Compile: %s\n"
4930 OPENSSL_VERSION_TEXT,
4931 SSLeay_version(SSLEAY_VERSION),
4932 SSLeay_version(SSLEAY_BUILT_ON));
4933 /* third line is 38 characters for the %s and the line is 73 chars long;
4934 the OpenSSL output includes a "built on: " prefix already. */
4940 /*************************************************
4941 * Random number generation *
4942 *************************************************/
4944 /* Pseudo-random number generation. The result is not expected to be
4945 cryptographically strong but not so weak that someone will shoot themselves
4946 in the foot using it as a nonce in input in some email header scheme or
4947 whatever weirdness they'll twist this into. The result should handle fork()
4948 and avoid repeating sequences. OpenSSL handles that for us.
4952 Returns a random number in range [0, max-1]
4956 vaguely_random_number(int max)
4960 static pid_t pidlast = 0;
4962 uschar smallbuf[sizeof(r)];
4968 if (pidnow != pidlast)
4970 /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
4971 is unique for each thread", this doesn't apparently apply across processes,
4972 so our own warning from vaguely_random_number_fallback() applies here too.
4973 Fix per PostgreSQL. */
4979 /* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
4983 gettimeofday(&r.tv, NULL);
4986 RAND_seed(US (&r), sizeof(r));
4988 /* We're after pseudo-random, not random; if we still don't have enough data
4989 in the internal PRNG then our options are limited. We could sleep and hope
4990 for entropy to come along (prayer technique) but if the system is so depleted
4991 in the first place then something is likely to just keep taking it. Instead,
4992 we'll just take whatever little bit of pseudo-random we can still manage to
4995 needed_len = sizeof(r);
4996 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
4997 asked for a number less than 10. */
4998 for (r = max, i = 0; r; ++i)
5004 #ifdef EXIM_HAVE_RAND_PSEUDO
5005 /* We do not care if crypto-strong */
5006 i = RAND_pseudo_bytes(smallbuf, needed_len);
5008 i = RAND_bytes(smallbuf, needed_len);
5014 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
5015 return vaguely_random_number_fallback(max);
5019 for (uschar * p = smallbuf; needed_len; --needed_len, ++p)
5022 /* We don't particularly care about weighted results; if someone wants
5023 smooth distribution and cares enough then they should submit a patch then. */
5030 /*************************************************
5031 * OpenSSL option parse *
5032 *************************************************/
5034 /* Parse one option for tls_openssl_options_parse below
5037 name one option name
5038 value place to store a value for it
5039 Returns success or failure in parsing
5045 tls_openssl_one_option_parse(uschar *name, long *value)
5048 int last = exim_openssl_options_size;
5049 while (last > first)
5051 int middle = (first + last)/2;
5052 int c = Ustrcmp(name, exim_openssl_options[middle].name);
5055 *value = exim_openssl_options[middle].value;
5069 /*************************************************
5070 * OpenSSL option parsing logic *
5071 *************************************************/
5073 /* OpenSSL has a number of compatibility options which an administrator might
5074 reasonably wish to set. Interpret a list similarly to decode_bits(), so that
5075 we look like log_selector.
5078 option_spec the administrator-supplied string of options
5079 results ptr to long storage for the options bitmap
5080 Returns success or failure
5084 tls_openssl_options_parse(uschar *option_spec, long *results)
5087 uschar * exp, * end;
5088 BOOL adding, item_parsed;
5090 /* Server: send no (<= TLS1.2) session tickets */
5091 result = SSL_OP_NO_TICKET;
5093 /* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
5094 from default because it increases BEAST susceptibility. */
5095 #ifdef SSL_OP_NO_SSLv2
5096 result |= SSL_OP_NO_SSLv2;
5098 #ifdef SSL_OP_NO_SSLv3
5099 result |= SSL_OP_NO_SSLv3;
5101 #ifdef SSL_OP_SINGLE_DH_USE
5102 result |= SSL_OP_SINGLE_DH_USE;
5104 #ifdef SSL_OP_NO_RENEGOTIATION
5105 result |= SSL_OP_NO_RENEGOTIATION;
5114 if (!expand_check(option_spec, US"openssl_options", &exp, &end))
5117 for (uschar * s = exp; *s; /**/)
5119 while (isspace(*s)) ++s;
5122 if (*s != '+' && *s != '-')
5124 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
5125 "+ or - expected but found \"%s\"\n", s);
5128 adding = *s++ == '+';
5129 for (end = s; *end && !isspace(*end); ) end++;
5130 item_parsed = tls_openssl_one_option_parse(string_copyn(s, end-s), &item);
5133 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
5136 DEBUG(D_tls) debug_printf("openssl option, %s %08lx: %08lx (%s)\n",
5137 adding ? "adding to " : "removing from", result, item, s);
5149 #endif /*!MACRO_PREDEF*/
5152 /* End of tls-openssl.c */