1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2019 */
6 /* See the file NOTICE for conditions of use and distribution. */
8 /* Portions Copyright (c) The OpenSSL Project 1999 */
10 /* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11 library. It is #included into the tls.c file when that library is used. The
12 code herein is based on a patch that was originally contributed by Steve
13 Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
15 No cryptographic code is included in Exim. All this module does is to call
16 functions from the OpenSSL library. */
21 #include <openssl/lhash.h>
22 #include <openssl/ssl.h>
23 #include <openssl/err.h>
24 #include <openssl/rand.h>
25 #ifndef OPENSSL_NO_ECDH
26 # include <openssl/ec.h>
29 # include <openssl/ocsp.h>
37 # define EXIM_OCSP_SKEW_SECONDS (300L)
38 # define EXIM_OCSP_MAX_AGE (-1L)
41 #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
42 # define EXIM_HAVE_OPENSSL_TLSEXT
44 #if OPENSSL_VERSION_NUMBER >= 0x00908000L
45 # define EXIM_HAVE_RSA_GENKEY_EX
47 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
48 # define EXIM_HAVE_OCSP_RESP_COUNT
50 # define EXIM_HAVE_EPHEM_RSA_KEX
51 # define EXIM_HAVE_RAND_PSEUDO
53 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
54 # define EXIM_HAVE_SHA256
57 /* X509_check_host provides sane certificate hostname checking, but was added
58 to OpenSSL late, after other projects forked off the code-base. So in
59 addition to guarding against the base version number, beware that LibreSSL
60 does not (at this time) support this function.
62 If LibreSSL gains a different API, perhaps via libtls, then we'll probably
63 opt to disentangle and ask a LibreSSL user to provide glue for a third
64 crypto provider for libtls instead of continuing to tie the OpenSSL glue
65 into even twistier knots. If LibreSSL gains the same API, we can just
66 change this guard and punt the issue for a while longer. */
68 #ifndef LIBRESSL_VERSION_NUMBER
69 # if OPENSSL_VERSION_NUMBER >= 0x010100000L
70 # define EXIM_HAVE_OPENSSL_CHECKHOST
71 # define EXIM_HAVE_OPENSSL_DH_BITS
72 # define EXIM_HAVE_OPENSSL_TLS_METHOD
73 # define EXIM_HAVE_OPENSSL_KEYLOG
74 # define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
75 # define EXIM_HAVE_SESSION_TICKET
76 # define EXIM_HAVE_OPESSL_TRACE
78 # define EXIM_NEED_OPENSSL_INIT
80 # if OPENSSL_VERSION_NUMBER >= 0x010000000L \
81 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
82 # define EXIM_HAVE_OPENSSL_CHECKHOST
86 #if !defined(LIBRESSL_VERSION_NUMBER) \
87 || LIBRESSL_VERSION_NUMBER >= 0x20010000L
88 # if !defined(OPENSSL_NO_ECDH)
89 # if OPENSSL_VERSION_NUMBER >= 0x0090800fL
90 # define EXIM_HAVE_ECDH
92 # if OPENSSL_VERSION_NUMBER >= 0x10002000L
93 # define EXIM_HAVE_OPENSSL_EC_NIST2NID
98 #ifndef LIBRESSL_VERSION_NUMBER
99 # if OPENSSL_VERSION_NUMBER >= 0x010101000L
100 # define OPENSSL_HAVE_KEYLOG_CB
101 # define OPENSSL_HAVE_NUM_TICKETS
102 # define EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
106 #if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
107 # warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
108 # define DISABLE_OCSP
111 #ifdef EXPERIMENTAL_TLS_RESUME
112 # if OPENSSL_VERSION_NUMBER < 0x0101010L
113 # error OpenSSL version too old for session-resumption
117 #ifdef EXIM_HAVE_OPENSSL_CHECKHOST
118 # include <openssl/x509v3.h>
121 #ifndef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
122 # ifndef EXIM_HAVE_OPENSSL_CIPHER_GET_ID
123 # define SSL_CIPHER_get_id(c) (c->id)
125 # ifndef MACRO_PREDEF
126 # include "tls-cipher-stdname.c"
130 /*************************************************
131 * OpenSSL option parse *
132 *************************************************/
134 typedef struct exim_openssl_option {
137 } exim_openssl_option;
138 /* We could use a macro to expand, but we need the ifdef and not all the
139 options document which version they were introduced in. Policylet: include
140 all options unless explicitly for DTLS, let the administrator choose which
143 This list is current as of:
145 Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
146 Plus SSL_OP_NO_TLSv1_3 for 1.1.2-dev
148 static exim_openssl_option exim_openssl_options[] = {
149 /* KEEP SORTED ALPHABETICALLY! */
151 { US"all", SSL_OP_ALL },
153 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
154 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
156 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
157 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
159 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
160 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
162 #ifdef SSL_OP_EPHEMERAL_RSA
163 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
165 #ifdef SSL_OP_LEGACY_SERVER_CONNECT
166 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
168 #ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
169 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
171 #ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
172 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
174 #ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
175 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
177 #ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
178 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
180 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
181 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
183 #ifdef SSL_OP_NO_COMPRESSION
184 { US"no_compression", SSL_OP_NO_COMPRESSION },
186 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
187 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
189 #ifdef SSL_OP_NO_SSLv2
190 { US"no_sslv2", SSL_OP_NO_SSLv2 },
192 #ifdef SSL_OP_NO_SSLv3
193 { US"no_sslv3", SSL_OP_NO_SSLv3 },
195 #ifdef SSL_OP_NO_TICKET
196 { US"no_ticket", SSL_OP_NO_TICKET },
198 #ifdef SSL_OP_NO_TLSv1
199 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
201 #ifdef SSL_OP_NO_TLSv1_1
202 #if SSL_OP_NO_TLSv1_1 == 0x00000400L
203 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
204 #warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
206 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
209 #ifdef SSL_OP_NO_TLSv1_2
210 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
212 #ifdef SSL_OP_NO_TLSv1_3
213 { US"no_tlsv1_3", SSL_OP_NO_TLSv1_3 },
215 #ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
216 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
218 #ifdef SSL_OP_SINGLE_DH_USE
219 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
221 #ifdef SSL_OP_SINGLE_ECDH_USE
222 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
224 #ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
225 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
227 #ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
228 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
230 #ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
231 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
233 #ifdef SSL_OP_TLS_D5_BUG
234 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
236 #ifdef SSL_OP_TLS_ROLLBACK_BUG
237 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
242 static int exim_openssl_options_size = nelem(exim_openssl_options);
251 for (struct exim_openssl_option * o = exim_openssl_options;
252 o < exim_openssl_options + nelem(exim_openssl_options); o++)
254 /* Trailing X is workaround for problem with _OPT_OPENSSL_NO_TLSV1
255 being a ".ifdef _OPT_OPENSSL_NO_TLSV1_3" match */
257 spf(buf, sizeof(buf), US"_OPT_OPENSSL_%T_X", o->name);
258 builtin_macro_create(buf);
261 # ifdef EXPERIMENTAL_TLS_RESUME
262 builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
267 /******************************************************************************/
269 /* Structure for collecting random data for seeding. */
271 typedef struct randstuff {
276 /* Local static variables */
278 static BOOL client_verify_callback_called = FALSE;
279 static BOOL server_verify_callback_called = FALSE;
280 static const uschar *sid_ctx = US"exim";
282 /* We have three different contexts to care about.
284 Simple case: client, `client_ctx`
285 As a client, we can be doing a callout or cut-through delivery while receiving
286 a message. So we have a client context, which should have options initialised
287 from the SMTP Transport. We may also concurrently want to make TLS connections
288 to utility daemons, so client-contexts are allocated and passed around in call
289 args rather than using a gobal.
292 There are two cases: with and without ServerNameIndication from the client.
293 Given TLS SNI, we can be using different keys, certs and various other
294 configuration settings, because they're re-expanded with $tls_sni set. This
295 allows vhosting with TLS. This SNI is sent in the handshake.
296 A client might not send SNI, so we need a fallback, and an initial setup too.
297 So as a server, we start out using `server_ctx`.
298 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
299 `server_sni` from `server_ctx` and then initialise settings by re-expanding
307 } exim_openssl_client_tls_ctx;
309 static SSL_CTX *server_ctx = NULL;
310 static SSL *server_ssl = NULL;
312 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
313 static SSL_CTX *server_sni = NULL;
316 static char ssl_errstring[256];
318 static int ssl_session_timeout = 3600;
319 static BOOL client_verify_optional = FALSE;
320 static BOOL server_verify_optional = FALSE;
322 static BOOL reexpand_tls_files_for_sni = FALSE;
325 typedef struct tls_ext_ctx_cb {
331 STACK_OF(X509) *verify_stack; /* chain for verifying the proof */
335 uschar *file_expanded;
336 OCSP_RESPONSE *response;
339 X509_STORE *verify_store; /* non-null if status requested */
340 BOOL verify_required;
345 /* these are cached from first expand */
346 uschar *server_cipher_list;
347 /* only passed down to tls_error: */
349 const uschar * verify_cert_hostnames;
350 #ifndef DISABLE_EVENT
351 uschar * event_action;
355 /* should figure out a cleanup of API to handle state preserved per
356 implementation, for various reasons, which can be void * in the APIs.
357 For now, we hack around it. */
358 tls_ext_ctx_cb *client_static_cbinfo = NULL; /*XXX should not use static; multiple concurrent clients! */
359 tls_ext_ctx_cb *server_static_cbinfo = NULL;
362 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
363 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr );
366 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
367 static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
370 static int tls_server_stapling_cb(SSL *s, void *arg);
375 /* Daemon-called key create/rotate */
376 #ifdef EXPERIMENTAL_TLS_RESUME
377 static void tk_init(void);
378 static int tls_exdata_idx = -1;
382 tls_daemon_init(void)
384 #ifdef EXPERIMENTAL_TLS_RESUME
391 /*************************************************
393 *************************************************/
395 /* Called from lots of places when errors occur before actually starting to do
396 the TLS handshake, that is, while the session is still in clear. Always returns
397 DEFER for a server and FAIL for a client so that most calls can use "return
398 tls_error(...)" to do this processing and then give an appropriate return. A
399 single function is used for both server and client, because it is called from
400 some shared functions.
403 prefix text to include in the logged error
404 host NULL if setting up a server;
405 the connected host if setting up a client
406 msg error message or NULL if we should ask OpenSSL
407 errstr pointer to output error message
409 Returns: OK/DEFER/FAIL
413 tls_error(uschar * prefix, const host_item * host, uschar * msg, uschar ** errstr)
417 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
418 msg = US ssl_errstring;
421 msg = string_sprintf("(%s): %s", prefix, msg);
422 DEBUG(D_tls) debug_printf("TLS error '%s'\n", msg);
423 if (errstr) *errstr = msg;
424 return host ? FAIL : DEFER;
429 /*************************************************
430 * Callback to generate RSA key *
431 *************************************************/
435 s SSL connection (not used)
439 Returns: pointer to generated key
443 rsa_callback(SSL *s, int export, int keylength)
446 #ifdef EXIM_HAVE_RSA_GENKEY_EX
447 BIGNUM *bn = BN_new();
450 export = export; /* Shut picky compilers up */
451 DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
453 #ifdef EXIM_HAVE_RSA_GENKEY_EX
454 if ( !BN_set_word(bn, (unsigned long)RSA_F4)
455 || !(rsa_key = RSA_new())
456 || !RSA_generate_key_ex(rsa_key, keylength, bn, NULL)
459 if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL)))
463 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
464 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
476 x509_store_dump_cert_s_names(X509_STORE * store)
478 STACK_OF(X509_OBJECT) * roots= store->objs;
479 static uschar name[256];
481 for (int i= 0; i < sk_X509_OBJECT_num(roots); i++)
483 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
484 if(tmp_obj->type == X509_LU_X509)
486 X509_NAME * sn = X509_get_subject_name(tmp_obj->data.x509);
487 if (X509_NAME_oneline(sn, CS name, sizeof(name)))
489 name[sizeof(name)-1] = '\0';
490 debug_printf(" %s\n", name);
499 #ifndef DISABLE_EVENT
501 verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
502 BOOL *calledp, const BOOL *optionalp, const uschar * what)
508 ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
511 DEBUG(D_tls) debug_printf("verify_event: %s %d\n", what, depth);
512 old_cert = tlsp->peercert;
513 tlsp->peercert = X509_dup(cert);
514 /* NB we do not bother setting peerdn */
515 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
517 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
518 "depth=%d cert=%s: %s",
519 tlsp == &tls_out ? deliver_host_address : sender_host_address,
520 what, depth, dn, yield);
524 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
525 return 1; /* reject (leaving peercert set) */
527 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
528 "(host in tls_try_verify_hosts)\n");
530 X509_free(tlsp->peercert);
531 tlsp->peercert = old_cert;
537 /*************************************************
538 * Callback for verification *
539 *************************************************/
541 /* The SSL library does certificate verification if set up to do so. This
542 callback has the current yes/no state is in "state". If verification succeeded,
543 we set the certificate-verified flag. If verification failed, what happens
544 depends on whether the client is required to present a verifiable certificate
547 If verification is optional, we change the state to yes, but still log the
548 verification error. For some reason (it really would help to have proper
549 documentation of OpenSSL), this callback function then gets called again, this
550 time with state = 1. We must take care not to set the private verified flag on
551 the second time through.
553 Note: this function is not called if the client fails to present a certificate
554 when asked. We get here only if a certificate has been received. Handling of
555 optional verification for this case is done when requesting SSL to verify, by
556 setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
558 May be called multiple times for different issues with a certificate, even
559 for a given "depth" in the certificate chain.
562 preverify_ok current yes/no state as 1/0
563 x509ctx certificate information.
564 tlsp per-direction (client vs. server) support data
565 calledp has-been-called flag
566 optionalp verification-is-optional flag
568 Returns: 0 if verification should fail, otherwise 1
572 verify_callback(int preverify_ok, X509_STORE_CTX * x509ctx,
573 tls_support * tlsp, BOOL * calledp, BOOL * optionalp)
575 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
576 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
579 if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
581 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
582 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
583 tlsp == &tls_out ? deliver_host_address : sender_host_address);
586 dn[sizeof(dn)-1] = '\0';
588 if (preverify_ok == 0)
590 uschar * extra = verify_mode ? string_sprintf(" (during %c-verify for [%s])",
591 *verify_mode, sender_host_address)
593 log_write(0, LOG_MAIN, "[%s] SSL verify error%s: depth=%d error=%s cert=%s",
594 tlsp == &tls_out ? deliver_host_address : sender_host_address,
596 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)), dn);
601 tlsp->peercert = X509_dup(cert); /* record failing cert */
602 return 0; /* reject */
604 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
605 "tls_try_verify_hosts)\n");
610 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
612 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
613 { /* client, wanting stapling */
614 /* Add the server cert's signing chain as the one
615 for the verification of the OCSP stapled information. */
617 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
620 sk_X509_push(client_static_cbinfo->verify_stack, cert);
623 #ifndef DISABLE_EVENT
624 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
625 return 0; /* reject, with peercert set */
630 const uschar * verify_cert_hostnames;
632 if ( tlsp == &tls_out
633 && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
634 /* client, wanting hostname check */
637 #ifdef EXIM_HAVE_OPENSSL_CHECKHOST
638 # ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
639 # define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
641 # ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
642 # define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
645 const uschar * list = verify_cert_hostnames;
648 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
649 if ((rc = X509_check_host(cert, CCS name, 0,
650 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
651 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
656 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
657 tlsp == &tls_out ? deliver_host_address : sender_host_address);
664 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
667 uschar * extra = verify_mode
668 ? string_sprintf(" (during %c-verify for [%s])",
669 *verify_mode, sender_host_address)
671 log_write(0, LOG_MAIN,
672 "[%s] SSL verify error%s: certificate name mismatch: DN=\"%s\" H=\"%s\"",
673 tlsp == &tls_out ? deliver_host_address : sender_host_address,
674 extra, dn, verify_cert_hostnames);
679 tlsp->peercert = X509_dup(cert); /* record failing cert */
680 return 0; /* reject */
682 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
683 "tls_try_verify_hosts)\n");
687 #ifndef DISABLE_EVENT
688 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
689 return 0; /* reject, with peercert set */
692 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
693 *calledp ? "" : " authenticated", dn);
694 if (!*calledp) tlsp->certificate_verified = TRUE;
698 return 1; /* accept, at least for this level */
702 verify_callback_client(int preverify_ok, X509_STORE_CTX *x509ctx)
704 return verify_callback(preverify_ok, x509ctx, &tls_out,
705 &client_verify_callback_called, &client_verify_optional);
709 verify_callback_server(int preverify_ok, X509_STORE_CTX *x509ctx)
711 return verify_callback(preverify_ok, x509ctx, &tls_in,
712 &server_verify_callback_called, &server_verify_optional);
718 /* This gets called *by* the dane library verify callback, which interposes
722 verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
724 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
726 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
727 #ifndef DISABLE_EVENT
728 BOOL dummy_called, optional = FALSE;
731 if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
733 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
734 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
735 deliver_host_address);
738 dn[sizeof(dn)-1] = '\0';
740 DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
741 preverify_ok ? "ok":"BAD", depth, dn);
743 #ifndef DISABLE_EVENT
744 if (verify_event(&tls_out, cert, depth, dn,
745 &dummy_called, &optional, US"DANE"))
746 return 0; /* reject, with peercert set */
749 if (preverify_ok == 1)
751 tls_out.dane_verified = tls_out.certificate_verified = TRUE;
753 if (client_static_cbinfo->u_ocsp.client.verify_store)
754 { /* client, wanting stapling */
755 /* Add the server cert's signing chain as the one
756 for the verification of the OCSP stapled information. */
758 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
761 sk_X509_push(client_static_cbinfo->verify_stack, cert);
767 int err = X509_STORE_CTX_get_error(x509ctx);
769 debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
770 if (err == X509_V_ERR_APPLICATION_VERIFICATION)
776 #endif /*SUPPORT_DANE*/
779 /*************************************************
780 * Information callback *
781 *************************************************/
783 /* The SSL library functions call this from time to time to indicate what they
784 are doing. We copy the string to the debugging output when TLS debugging has
796 info_callback(SSL *s, int where, int ret)
802 if (where & SSL_ST_CONNECT)
803 str = US"SSL_connect";
804 else if (where & SSL_ST_ACCEPT)
805 str = US"SSL_accept";
807 str = US"SSL info (undefined)";
809 if (where & SSL_CB_LOOP)
810 debug_printf("%s: %s\n", str, SSL_state_string_long(s));
811 else if (where & SSL_CB_ALERT)
812 debug_printf("SSL3 alert %s:%s:%s\n",
813 str = where & SSL_CB_READ ? US"read" : US"write",
814 SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
815 else if (where & SSL_CB_EXIT)
817 debug_printf("%s: failed in %s\n", str, SSL_state_string_long(s));
819 debug_printf("%s: error in %s\n", str, SSL_state_string_long(s));
820 else if (where & SSL_CB_HANDSHAKE_START)
821 debug_printf("%s: hshake start: %s\n", str, SSL_state_string_long(s));
822 else if (where & SSL_CB_HANDSHAKE_DONE)
823 debug_printf("%s: hshake done: %s\n", str, SSL_state_string_long(s));
827 #ifdef OPENSSL_HAVE_KEYLOG_CB
829 keylog_callback(const SSL *ssl, const char *line)
831 DEBUG(D_tls) debug_printf("%.200s\n", line);
836 #ifdef EXPERIMENTAL_TLS_RESUME
837 /* Manage the keysets used for encrypting the session tickets, on the server. */
839 typedef struct { /* Session ticket encryption key */
842 const EVP_CIPHER * aes_cipher;
843 uschar aes_key[16]; /* size needed depends on cipher. aes_128 implies 128/8 = 16? */
844 const EVP_MD * hmac_hash;
850 /*XXX for now just always create/find the one key.
851 Worry about rotation and overlap later. */
853 static exim_stek exim_tk;
854 static exim_stek exim_tk_old;
861 if (exim_tk.renew >= time(NULL)) return;
862 exim_tk_old = exim_tk;
865 if (f.running_in_test_harness) ssl_session_timeout = 6;
867 DEBUG(D_tls) debug_printf("OpenSSL: %s STEK\n", exim_tk.name[0] ? "rotating" : "creating");
868 if (RAND_bytes(exim_tk.aes_key, sizeof(exim_tk.aes_key)) <= 0) return;
869 if (RAND_bytes(exim_tk.hmac_key, sizeof(exim_tk.hmac_key)) <= 0) return;
870 if (RAND_bytes(exim_tk.name+1, sizeof(exim_tk.name)-1) <= 0) return;
872 exim_tk.name[0] = 'E';
873 exim_tk.aes_cipher = EVP_aes_128_cbc();
874 exim_tk.hmac_hash = EVP_sha256();
875 exim_tk.expire = time(NULL) + ssl_session_timeout;
876 exim_tk.renew = exim_tk.expire - ssl_session_timeout/2;
882 if (!exim_tk.name[0]) return NULL;
887 tk_find(const uschar * name)
889 return memcmp(name, exim_tk.name, sizeof(exim_tk.name)) == 0 ? &exim_tk
890 : memcmp(name, exim_tk_old.name, sizeof(exim_tk_old.name)) == 0 ? &exim_tk_old
894 /* Callback for session tickets, on server */
896 ticket_key_callback(SSL * ssl, uschar key_name[16],
897 uschar * iv, EVP_CIPHER_CTX * ctx, HMAC_CTX * hctx, int enc)
899 tls_support * tlsp = server_static_cbinfo->tlsp;
904 DEBUG(D_tls) debug_printf("ticket_key_callback: create new session\n");
905 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
907 if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) <= 0)
908 return -1; /* insufficient random */
910 if (!(key = tk_current())) /* current key doesn't exist or isn't valid */
911 return 0; /* key couldn't be created */
912 memcpy(key_name, key->name, 16);
913 DEBUG(D_tls) debug_printf("STEK expire %ld\n", key->expire - time(NULL));
915 /*XXX will want these dependent on the ssl session strength */
916 HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
917 key->hmac_hash, NULL);
918 EVP_EncryptInit_ex(ctx, key->aes_cipher, NULL, key->aes_key, iv);
920 DEBUG(D_tls) debug_printf("ticket created\n");
925 time_t now = time(NULL);
927 DEBUG(D_tls) debug_printf("ticket_key_callback: retrieve session\n");
928 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
930 if (!(key = tk_find(key_name)) || key->expire < now)
934 debug_printf("ticket not usable (%s)\n", key ? "expired" : "not found");
935 if (key) debug_printf("STEK expire %ld\n", key->expire - now);
940 HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
941 key->hmac_hash, NULL);
942 EVP_DecryptInit_ex(ctx, key->aes_cipher, NULL, key->aes_key, iv);
944 DEBUG(D_tls) debug_printf("ticket usable, STEK expire %ld\n", key->expire - now);
945 return key->renew < now ? 2 : 1;
952 /*************************************************
953 * Initialize for DH *
954 *************************************************/
956 /* If dhparam is set, expand it, and load up the parameters for DH encryption.
959 sctx The current SSL CTX (inbound or outbound)
960 dhparam DH parameter file or fixed parameter identity string
961 host connected host, if client; NULL if server
962 errstr error string pointer
964 Returns: TRUE if OK (nothing to set up, or setup worked)
968 init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host, uschar ** errstr)
976 if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded, errstr))
979 if (!dhexpanded || !*dhexpanded)
980 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
981 else if (dhexpanded[0] == '/')
983 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
985 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
986 host, US strerror(errno), errstr);
992 if (Ustrcmp(dhexpanded, "none") == 0)
994 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
998 if (!(pem = std_dh_prime_named(dhexpanded)))
1000 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
1001 host, US strerror(errno), errstr);
1004 bio = BIO_new_mem_buf(CS pem, -1);
1007 if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
1010 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
1011 host, NULL, errstr);
1015 /* note: our default limit of 2236 is not a multiple of 8; the limit comes from
1016 * an NSS limit, and the GnuTLS APIs handle bit-sizes fine, so we went with
1017 * 2236. But older OpenSSL can only report in bytes (octets), not bits.
1018 * If someone wants to dance at the edge, then they can raise the limit or use
1019 * current libraries. */
1020 #ifdef EXIM_HAVE_OPENSSL_DH_BITS
1021 /* Added in commit 26c79d5641d; `git describe --contains` says OpenSSL_1_1_0-pre1~1022
1022 * This predates OpenSSL_1_1_0 (before a, b, ...) so is in all 1.1.0 */
1023 dh_bitsize = DH_bits(dh);
1025 dh_bitsize = 8 * DH_size(dh);
1028 /* Even if it is larger, we silently return success rather than cause things
1029 * to fail out, so that a too-large DH will not knock out all TLS; it's a
1030 * debatable choice. */
1031 if (dh_bitsize > tls_dh_max_bits)
1034 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d\n",
1035 dh_bitsize, tls_dh_max_bits);
1039 SSL_CTX_set_tmp_dh(sctx, dh);
1041 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
1042 dhexpanded ? dhexpanded : US"default", dh_bitsize);
1054 /*************************************************
1055 * Initialize for ECDH *
1056 *************************************************/
1058 /* Load parameters for ECDH encryption.
1060 For now, we stick to NIST P-256 because: it's simple and easy to configure;
1061 it avoids any patent issues that might bite redistributors; despite events in
1062 the news and concerns over curve choices, we're not cryptographers, we're not
1063 pretending to be, and this is "good enough" to be better than no support,
1064 protecting against most adversaries. Given another year or two, there might
1065 be sufficient clarity about a "right" way forward to let us make an informed
1066 decision, instead of a knee-jerk reaction.
1068 Longer-term, we should look at supporting both various named curves and
1069 external files generated with "openssl ecparam", much as we do for init_dh().
1070 We should also support "none" as a value, to explicitly avoid initialisation.
1075 sctx The current SSL CTX (inbound or outbound)
1076 host connected host, if client; NULL if server
1077 errstr error string pointer
1079 Returns: TRUE if OK (nothing to set up, or setup worked)
1083 init_ecdh(SSL_CTX * sctx, host_item * host, uschar ** errstr)
1085 #ifdef OPENSSL_NO_ECDH
1094 if (host) /* No ECDH setup for clients, only for servers */
1097 # ifndef EXIM_HAVE_ECDH
1099 debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
1103 if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr))
1105 if (!exp_curve || !*exp_curve)
1108 /* "auto" needs to be handled carefully.
1109 * OpenSSL < 1.0.2: we do not select anything, but fallback to prime256v1
1110 * OpenSSL < 1.1.0: we have to call SSL_CTX_set_ecdh_auto
1111 * (openssl/ssl.h defines SSL_CTRL_SET_ECDH_AUTO)
1112 * OpenSSL >= 1.1.0: we do not set anything, the libray does autoselection
1113 * https://github.com/openssl/openssl/commit/fe6ef2472db933f01b59cad82aa925736935984b
1115 if (Ustrcmp(exp_curve, "auto") == 0)
1117 #if OPENSSL_VERSION_NUMBER < 0x10002000L
1118 DEBUG(D_tls) debug_printf(
1119 "ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n");
1120 exp_curve = US"prime256v1";
1122 # if defined SSL_CTRL_SET_ECDH_AUTO
1123 DEBUG(D_tls) debug_printf(
1124 "ECDH OpenSSL 1.0.2+ temp key parameter settings: autoselection\n");
1125 SSL_CTX_set_ecdh_auto(sctx, 1);
1128 DEBUG(D_tls) debug_printf(
1129 "ECDH OpenSSL 1.1.0+ temp key parameter settings: default selection\n");
1135 DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve);
1136 if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef
1137 # ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
1138 && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef
1142 tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve),
1143 host, NULL, errstr);
1147 if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
1149 tls_error(US"Unable to create ec curve", host, NULL, errstr);
1153 /* The "tmp" in the name here refers to setting a temporary key
1154 not to the stability of the interface. */
1156 if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
1157 tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL, errstr);
1159 DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
1164 # endif /*EXIM_HAVE_ECDH*/
1165 #endif /*OPENSSL_NO_ECDH*/
1171 #ifndef DISABLE_OCSP
1172 /*************************************************
1173 * Load OCSP information into state *
1174 *************************************************/
1175 /* Called to load the server OCSP response from the given file into memory, once
1176 caller has determined this is needed. Checks validity. Debugs a message
1179 ASSUMES: single response, for single cert.
1182 sctx the SSL_CTX* to update
1183 cbinfo various parts of session state
1184 expanded the filename putatively holding an OCSP response
1189 ocsp_load_response(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo, const uschar *expanded)
1192 OCSP_RESPONSE * resp;
1193 OCSP_BASICRESP * basic_response;
1194 OCSP_SINGLERESP * single_response;
1195 ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
1196 STACK_OF(X509) * sk;
1197 unsigned long verify_flags;
1198 int status, reason, i;
1200 cbinfo->u_ocsp.server.file_expanded = string_copy(expanded);
1201 if (cbinfo->u_ocsp.server.response)
1203 OCSP_RESPONSE_free(cbinfo->u_ocsp.server.response);
1204 cbinfo->u_ocsp.server.response = NULL;
1207 if (!(bio = BIO_new_file(CS cbinfo->u_ocsp.server.file_expanded, "rb")))
1209 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
1210 cbinfo->u_ocsp.server.file_expanded);
1214 resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
1218 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
1222 if ((status = OCSP_response_status(resp)) != OCSP_RESPONSE_STATUS_SUCCESSFUL)
1224 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
1225 OCSP_response_status_str(status), status);
1229 if (!(basic_response = OCSP_response_get1_basic(resp)))
1232 debug_printf("OCSP response parse error: unable to extract basic response.\n");
1236 sk = cbinfo->verify_stack;
1237 verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
1239 /* May need to expose ability to adjust those flags?
1240 OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
1241 OCSP_TRUSTOTHER OCSP_NOINTERN */
1243 /* This does a full verify on the OCSP proof before we load it for serving
1244 up; possibly overkill - just date-checks might be nice enough.
1246 OCSP_basic_verify takes a "store" arg, but does not
1247 use it for the chain verification, which is all we do
1248 when OCSP_NOVERIFY is set. The content from the wire
1249 "basic_response" and a cert-stack "sk" are all that is used.
1251 We have a stack, loaded in setup_certs() if tls_verify_certificates
1252 was a file (not a directory, or "system"). It is unfortunate we
1253 cannot used the connection context store, as that would neatly
1254 handle the "system" case too, but there seems to be no library
1255 function for getting a stack from a store.
1256 [ In OpenSSL 1.1 - ? X509_STORE_CTX_get0_chain(ctx) ? ]
1257 We do not free the stack since it could be needed a second time for
1260 Separately we might try to replace using OCSP_basic_verify() - which seems to not
1261 be a public interface into the OpenSSL library (there's no manual entry) -
1262 But what with? We also use OCSP_basic_verify in the client stapling callback.
1263 And there we NEED it; we must verify that status... unless the
1264 library does it for us anyway? */
1266 if ((i = OCSP_basic_verify(basic_response, sk, NULL, verify_flags)) < 0)
1270 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
1271 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
1276 /* Here's the simplifying assumption: there's only one response, for the
1277 one certificate we use, and nothing for anything else in a chain. If this
1278 proves false, we need to extract a cert id from our issued cert
1279 (tls_certificate) and use that for OCSP_resp_find_status() (which finds the
1280 right cert in the stack and then calls OCSP_single_get0_status()).
1282 I'm hoping to avoid reworking a bunch more of how we handle state here. */
1284 if (!(single_response = OCSP_resp_get0(basic_response, 0)))
1287 debug_printf("Unable to get first response from OCSP basic response.\n");
1291 status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
1292 if (status != V_OCSP_CERTSTATUS_GOOD)
1294 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
1295 OCSP_cert_status_str(status), status,
1296 OCSP_crl_reason_str(reason), reason);
1300 if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1302 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
1307 cbinfo->u_ocsp.server.response = resp; /*XXX stack?*/
1311 if (f.running_in_test_harness)
1313 extern char ** environ;
1314 if (environ) for (uschar ** p = USS environ; *p; p++)
1315 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
1317 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
1318 goto supply_response;
1323 #endif /*!DISABLE_OCSP*/
1328 /* Create and install a selfsigned certificate, for use in server mode */
1331 tls_install_selfsign(SSL_CTX * sctx, uschar ** errstr)
1339 where = US"allocating pkey";
1340 if (!(pkey = EVP_PKEY_new()))
1343 where = US"allocating cert";
1344 if (!(x509 = X509_new()))
1347 where = US"generating pkey";
1348 if (!(rsa = rsa_callback(NULL, 0, 2048)))
1351 where = US"assigning pkey";
1352 if (!EVP_PKEY_assign_RSA(pkey, rsa))
1355 X509_set_version(x509, 2); /* N+1 - version 3 */
1356 ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
1357 X509_gmtime_adj(X509_get_notBefore(x509), 0);
1358 X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60); /* 1 hour */
1359 X509_set_pubkey(x509, pkey);
1361 name = X509_get_subject_name(x509);
1362 X509_NAME_add_entry_by_txt(name, "C",
1363 MBSTRING_ASC, CUS "UK", -1, -1, 0);
1364 X509_NAME_add_entry_by_txt(name, "O",
1365 MBSTRING_ASC, CUS "Exim Developers", -1, -1, 0);
1366 X509_NAME_add_entry_by_txt(name, "CN",
1367 MBSTRING_ASC, CUS smtp_active_hostname, -1, -1, 0);
1368 X509_set_issuer_name(x509, name);
1370 where = US"signing cert";
1371 if (!X509_sign(x509, pkey, EVP_md5()))
1374 where = US"installing selfsign cert";
1375 if (!SSL_CTX_use_certificate(sctx, x509))
1378 where = US"installing selfsign key";
1379 if (!SSL_CTX_use_PrivateKey(sctx, pkey))
1385 (void) tls_error(where, NULL, NULL, errstr);
1386 if (x509) X509_free(x509);
1387 if (pkey) EVP_PKEY_free(pkey);
1395 tls_add_certfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1398 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", file);
1399 if (!SSL_CTX_use_certificate_chain_file(sctx, CS file))
1400 return tls_error(string_sprintf(
1401 "SSL_CTX_use_certificate_chain_file file=%s", file),
1402 cbinfo->host, NULL, errstr);
1407 tls_add_pkeyfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1410 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", file);
1411 if (!SSL_CTX_use_PrivateKey_file(sctx, CS file, SSL_FILETYPE_PEM))
1412 return tls_error(string_sprintf(
1413 "SSL_CTX_use_PrivateKey_file file=%s", file), cbinfo->host, NULL, errstr);
1418 /*************************************************
1419 * Expand key and cert file specs *
1420 *************************************************/
1422 /* Called once during tls_init and possibly again during TLS setup, for a
1423 new context, if Server Name Indication was used and tls_sni was seen in
1424 the certificate string.
1427 sctx the SSL_CTX* to update
1428 cbinfo various parts of session state
1429 errstr error string pointer
1431 Returns: OK/DEFER/FAIL
1435 tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo,
1440 if (!cbinfo->certificate)
1442 if (!cbinfo->is_server) /* client */
1445 if (tls_install_selfsign(sctx, errstr) != OK)
1452 if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
1453 Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
1454 Ustrstr(cbinfo->certificate, US"tls_out_sni")
1456 reexpand_tls_files_for_sni = TRUE;
1458 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded, errstr))
1462 if (cbinfo->is_server)
1464 const uschar * file_list = expanded;
1468 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1469 if ((err = tls_add_certfile(sctx, cbinfo, file, errstr)))
1472 else /* would there ever be a need for multiple client certs? */
1473 if ((err = tls_add_certfile(sctx, cbinfo, expanded, errstr)))
1476 if ( cbinfo->privatekey
1477 && !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded, errstr))
1480 /* If expansion was forced to fail, key_expanded will be NULL. If the result
1481 of the expansion is an empty string, ignore it also, and assume the private
1482 key is in the same file as the certificate. */
1484 if (expanded && *expanded)
1485 if (cbinfo->is_server)
1487 const uschar * file_list = expanded;
1491 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1492 if ((err = tls_add_pkeyfile(sctx, cbinfo, file, errstr)))
1495 else /* would there ever be a need for multiple client certs? */
1496 if ((err = tls_add_pkeyfile(sctx, cbinfo, expanded, errstr)))
1500 #ifndef DISABLE_OCSP
1501 if (cbinfo->is_server && cbinfo->u_ocsp.server.file)
1504 if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded, errstr))
1507 if (expanded && *expanded)
1509 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
1510 if ( cbinfo->u_ocsp.server.file_expanded
1511 && (Ustrcmp(expanded, cbinfo->u_ocsp.server.file_expanded) == 0))
1513 DEBUG(D_tls) debug_printf(" - value unchanged, using existing values\n");
1516 ocsp_load_response(sctx, cbinfo, expanded);
1527 /*************************************************
1528 * Callback to handle SNI *
1529 *************************************************/
1531 /* Called when acting as server during the TLS session setup if a Server Name
1532 Indication extension was sent by the client.
1534 API documentation is OpenSSL s_server.c implementation.
1537 s SSL* of the current session
1538 ad unknown (part of OpenSSL API) (unused)
1539 arg Callback of "our" registered data
1541 Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
1543 XXX might need to change to using ClientHello callback,
1544 per https://www.openssl.org/docs/manmaster/man3/SSL_client_hello_cb_fn.html
1547 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
1549 tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
1551 const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
1552 tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
1554 int old_pool = store_pool;
1555 uschar * dummy_errstr;
1558 return SSL_TLSEXT_ERR_OK;
1560 DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
1561 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
1563 /* Make the extension value available for expansion */
1564 store_pool = POOL_PERM;
1565 tls_in.sni = string_copy(US servername);
1566 store_pool = old_pool;
1568 if (!reexpand_tls_files_for_sni)
1569 return SSL_TLSEXT_ERR_OK;
1571 /* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
1572 not confident that memcpy wouldn't break some internal reference counting.
1573 Especially since there's a references struct member, which would be off. */
1575 #ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1576 if (!(server_sni = SSL_CTX_new(TLS_server_method())))
1578 if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
1581 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
1582 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
1586 /* Not sure how many of these are actually needed, since SSL object
1587 already exists. Might even need this selfsame callback, for reneg? */
1589 SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
1590 SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
1591 SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
1592 SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
1593 SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
1594 SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
1596 if ( !init_dh(server_sni, cbinfo->dhparam, NULL, &dummy_errstr)
1597 || !init_ecdh(server_sni, NULL, &dummy_errstr)
1601 if ( cbinfo->server_cipher_list
1602 && !SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list))
1605 #ifndef DISABLE_OCSP
1606 if (cbinfo->u_ocsp.server.file)
1608 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
1609 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
1613 if ((rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE,
1614 verify_callback_server, &dummy_errstr)) != OK)
1617 /* do this after setup_certs, because this can require the certs for verifying
1618 OCSP information. */
1619 if ((rc = tls_expand_session_files(server_sni, cbinfo, &dummy_errstr)) != OK)
1622 DEBUG(D_tls) debug_printf("Switching SSL context.\n");
1623 SSL_set_SSL_CTX(s, server_sni);
1624 return SSL_TLSEXT_ERR_OK;
1626 bad: return SSL_TLSEXT_ERR_ALERT_FATAL;
1628 #endif /* EXIM_HAVE_OPENSSL_TLSEXT */
1633 #ifndef DISABLE_OCSP
1635 /*************************************************
1636 * Callback to handle OCSP Stapling *
1637 *************************************************/
1639 /* Called when acting as server during the TLS session setup if the client
1640 requests OCSP information with a Certificate Status Request.
1642 Documentation via openssl s_server.c and the Apache patch from the OpenSSL
1648 tls_server_stapling_cb(SSL *s, void *arg)
1650 const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
1651 uschar *response_der; /*XXX blob */
1652 int response_der_len;
1654 /*XXX stack: use SSL_get_certificate() to see which cert; from that work
1655 out which ocsp blob to send. Unfortunately, SSL_get_certificate is known
1656 buggy in current OpenSSL; it returns the last cert loaded always rather than
1657 the one actually presented. So we can't support a stack of OCSP proofs at
1661 debug_printf("Received TLS status request (OCSP stapling); %s response\n",
1662 cbinfo->u_ocsp.server.response ? "have" : "lack");
1664 tls_in.ocsp = OCSP_NOT_RESP;
1665 if (!cbinfo->u_ocsp.server.response)
1666 return SSL_TLSEXT_ERR_NOACK;
1668 response_der = NULL;
1669 response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response, /*XXX stack*/
1671 if (response_der_len <= 0)
1672 return SSL_TLSEXT_ERR_NOACK;
1674 SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
1675 tls_in.ocsp = OCSP_VFIED;
1676 return SSL_TLSEXT_ERR_OK;
1681 time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
1683 BIO_printf(bp, "\t%s: ", str);
1684 ASN1_GENERALIZEDTIME_print(bp, time);
1689 tls_client_stapling_cb(SSL *s, void *arg)
1691 tls_ext_ctx_cb * cbinfo = arg;
1692 const unsigned char * p;
1694 OCSP_RESPONSE * rsp;
1695 OCSP_BASICRESP * bs;
1698 DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
1699 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1702 /* Expect this when we requested ocsp but got none */
1703 if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
1704 log_write(0, LOG_MAIN, "Received TLS status callback, null content");
1706 DEBUG(D_tls) debug_printf(" null\n");
1707 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1710 if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
1712 tls_out.ocsp = OCSP_FAILED;
1713 if (LOGGING(tls_cipher))
1714 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
1716 DEBUG(D_tls) debug_printf(" parse error\n");
1720 if(!(bs = OCSP_response_get1_basic(rsp)))
1722 tls_out.ocsp = OCSP_FAILED;
1723 if (LOGGING(tls_cipher))
1724 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
1726 DEBUG(D_tls) debug_printf(" error parsing response\n");
1727 OCSP_RESPONSE_free(rsp);
1731 /* We'd check the nonce here if we'd put one in the request. */
1732 /* However that would defeat cacheability on the server so we don't. */
1734 /* This section of code reworked from OpenSSL apps source;
1735 The OpenSSL Project retains copyright:
1736 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
1741 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1743 DEBUG(D_tls) bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
1745 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
1747 /* Use the chain that verified the server cert to verify the stapled info */
1748 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
1750 if ((i = OCSP_basic_verify(bs, cbinfo->verify_stack,
1751 cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
1753 tls_out.ocsp = OCSP_FAILED;
1754 if (LOGGING(tls_cipher)) log_write(0, LOG_MAIN,
1755 "Received TLS cert status response, itself unverifiable: %s",
1756 ERR_reason_error_string(ERR_peek_error()));
1757 BIO_printf(bp, "OCSP response verify failure\n");
1758 ERR_print_errors(bp);
1759 OCSP_RESPONSE_print(bp, rsp, 0);
1763 BIO_printf(bp, "OCSP response well-formed and signed OK\n");
1765 /*XXX So we have a good stapled OCSP status. How do we know
1766 it is for the cert of interest? OpenSSL 1.1.0 has a routine
1767 OCSP_resp_find_status() which matches on a cert id, which presumably
1768 we should use. Making an id needs OCSP_cert_id_new(), which takes
1769 issuerName, issuerKey, serialNumber. Are they all in the cert?
1771 For now, carry on blindly accepting the resp. */
1774 OCSP_SINGLERESP * single;
1776 #ifdef EXIM_HAVE_OCSP_RESP_COUNT
1777 if (OCSP_resp_count(bs) != 1)
1779 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
1780 if (sk_OCSP_SINGLERESP_num(sresp) != 1)
1783 tls_out.ocsp = OCSP_FAILED;
1784 log_write(0, LOG_MAIN, "OCSP stapling "
1785 "with multiple responses not handled");
1788 single = OCSP_resp_get0(bs, 0);
1789 status = OCSP_single_get0_status(single, &reason, &rev,
1790 &thisupd, &nextupd);
1793 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
1794 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
1795 if (!OCSP_check_validity(thisupd, nextupd,
1796 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1798 tls_out.ocsp = OCSP_FAILED;
1799 DEBUG(D_tls) ERR_print_errors(bp);
1800 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
1804 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
1805 OCSP_cert_status_str(status));
1808 case V_OCSP_CERTSTATUS_GOOD:
1809 tls_out.ocsp = OCSP_VFIED;
1812 case V_OCSP_CERTSTATUS_REVOKED:
1813 tls_out.ocsp = OCSP_FAILED;
1814 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
1815 reason != -1 ? "; reason: " : "",
1816 reason != -1 ? OCSP_crl_reason_str(reason) : "");
1817 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
1820 tls_out.ocsp = OCSP_FAILED;
1821 log_write(0, LOG_MAIN,
1822 "Server certificate status unknown, in OCSP stapling");
1827 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1832 OCSP_RESPONSE_free(rsp);
1835 #endif /*!DISABLE_OCSP*/
1838 /*************************************************
1839 * Initialize for TLS *
1840 *************************************************/
1842 /* Called from both server and client code, to do preliminary initialization
1843 of the library. We allocate and return a context structure.
1846 ctxp returned SSL context
1847 host connected host, if client; NULL if server
1848 dhparam DH parameter file
1849 certificate certificate file
1850 privatekey private key
1851 ocsp_file file of stapling info (server); flag for require ocsp (client)
1852 addr address if client; NULL if server (for some randomness)
1853 cbp place to put allocated callback context
1854 errstr error string pointer
1856 Returns: OK/DEFER/FAIL
1860 tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
1862 #ifndef DISABLE_OCSP
1863 uschar *ocsp_file, /*XXX stack, in server*/
1865 address_item *addr, tls_ext_ctx_cb ** cbp,
1872 tls_ext_ctx_cb * cbinfo;
1874 cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
1875 cbinfo->tlsp = tlsp;
1876 cbinfo->certificate = certificate;
1877 cbinfo->privatekey = privatekey;
1878 cbinfo->is_server = host==NULL;
1879 #ifndef DISABLE_OCSP
1880 cbinfo->verify_stack = NULL;
1883 cbinfo->u_ocsp.server.file = ocsp_file;
1884 cbinfo->u_ocsp.server.file_expanded = NULL;
1885 cbinfo->u_ocsp.server.response = NULL;
1888 cbinfo->u_ocsp.client.verify_store = NULL;
1890 cbinfo->dhparam = dhparam;
1891 cbinfo->server_cipher_list = NULL;
1892 cbinfo->host = host;
1893 #ifndef DISABLE_EVENT
1894 cbinfo->event_action = NULL;
1897 #ifdef EXIM_NEED_OPENSSL_INIT
1898 SSL_load_error_strings(); /* basic set up */
1899 OpenSSL_add_ssl_algorithms();
1902 #ifdef EXIM_HAVE_SHA256
1903 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
1904 list of available digests. */
1905 EVP_add_digest(EVP_sha256());
1908 /* Create a context.
1909 The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
1910 negotiation in the different methods; as far as I can tell, the only
1911 *_{server,client}_method which allows negotiation is SSLv23, which exists even
1912 when OpenSSL is built without SSLv2 support.
1913 By disabling with openssl_options, we can let admins re-enable with the
1916 #ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1917 if (!(ctx = SSL_CTX_new(host ? TLS_client_method() : TLS_server_method())))
1919 if (!(ctx = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method())))
1921 return tls_error(US"SSL_CTX_new", host, NULL, errstr);
1923 /* It turns out that we need to seed the random number generator this early in
1924 order to get the full complement of ciphers to work. It took me roughly a day
1925 of work to discover this by experiment.
1927 On systems that have /dev/urandom, SSL may automatically seed itself from
1928 there. Otherwise, we have to make something up as best we can. Double check
1934 gettimeofday(&r.tv, NULL);
1937 RAND_seed(US (&r), sizeof(r));
1938 RAND_seed(US big_buffer, big_buffer_size);
1939 if (addr != NULL) RAND_seed(US addr, sizeof(addr));
1942 return tls_error(US"RAND_status", host,
1943 US"unable to seed random number generator", errstr);
1946 /* Set up the information callback, which outputs if debugging is at a suitable
1951 SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
1952 #if defined(EXIM_HAVE_OPESSL_TRACE) && !defined(OPENSSL_NO_SSL_TRACE)
1953 /* this needs a debug build of OpenSSL */
1954 SSL_CTX_set_msg_callback(ctx, (void (*)())SSL_trace);
1956 #ifdef OPENSSL_HAVE_KEYLOG_CB
1957 SSL_CTX_set_keylog_callback(ctx, (void (*)())keylog_callback);
1961 /* Automatically re-try reads/writes after renegotiation. */
1962 (void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
1964 /* Apply administrator-supplied work-arounds.
1965 Historically we applied just one requested option,
1966 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
1967 moved to an administrator-controlled list of options to specify and
1968 grandfathered in the first one as the default value for "openssl_options".
1970 No OpenSSL version number checks: the options we accept depend upon the
1971 availability of the option value macros from OpenSSL. */
1973 if (!tls_openssl_options_parse(openssl_options, &init_options))
1974 return tls_error(US"openssl_options parsing failed", host, NULL, errstr);
1976 #ifdef EXPERIMENTAL_TLS_RESUME
1977 tlsp->resumption = RESUME_SUPPORTED;
1981 #ifdef EXPERIMENTAL_TLS_RESUME
1982 /* Should the server offer session resumption? */
1983 if (!host && verify_check_host(&tls_resumption_hosts) == OK)
1985 DEBUG(D_tls) debug_printf("tls_resumption_hosts overrides openssl_options\n");
1986 init_options &= ~SSL_OP_NO_TICKET;
1987 tlsp->resumption |= RESUME_SERVER_TICKET; /* server will give ticket on request */
1988 tlsp->host_resumable = TRUE;
1992 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
1993 if (!(SSL_CTX_set_options(ctx, init_options)))
1994 return tls_error(string_sprintf(
1995 "SSL_CTX_set_option(%#lx)", init_options), host, NULL, errstr);
1998 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
2000 /* We'd like to disable session cache unconditionally, but foolish Outlook
2001 Express clients then give up the first TLS connection and make a second one
2002 (which works). Only when there is an IMAP service on the same machine.
2003 Presumably OE is trying to use the cache for A on B. Leave it enabled for
2004 now, until we work out a decent way of presenting control to the config. It
2005 will never be used because we use a new context every time. */
2007 (void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
2010 /* Initialize with DH parameters if supplied */
2011 /* Initialize ECDH temp key parameter selection */
2013 if ( !init_dh(ctx, dhparam, host, errstr)
2014 || !init_ecdh(ctx, host, errstr)
2018 /* Set up certificate and key (and perhaps OCSP info) */
2020 if ((rc = tls_expand_session_files(ctx, cbinfo, errstr)) != OK)
2023 /* If we need to handle SNI or OCSP, do so */
2025 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
2026 # ifndef DISABLE_OCSP
2027 if (!(cbinfo->verify_stack = sk_X509_new_null()))
2029 DEBUG(D_tls) debug_printf("failed to create stack for stapling verify\n");
2034 if (!host) /* server */
2036 # ifndef DISABLE_OCSP
2037 /* We check u_ocsp.server.file, not server.response, because we care about if
2038 the option exists, not what the current expansion might be, as SNI might
2039 change the certificate and OCSP file in use between now and the time the
2040 callback is invoked. */
2041 if (cbinfo->u_ocsp.server.file)
2043 SSL_CTX_set_tlsext_status_cb(ctx, tls_server_stapling_cb);
2044 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
2047 /* We always do this, so that $tls_sni is available even if not used in
2049 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
2050 SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
2052 # ifndef DISABLE_OCSP
2054 if(ocsp_file) /* wanting stapling */
2056 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
2058 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
2061 SSL_CTX_set_tlsext_status_cb(ctx, tls_client_stapling_cb);
2062 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
2067 cbinfo->verify_cert_hostnames = NULL;
2069 #ifdef EXIM_HAVE_EPHEM_RSA_KEX
2070 /* Set up the RSA callback */
2071 SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
2074 /* Finally, set the session cache timeout, and we are done.
2075 The period appears to be also used for (server-generated) session tickets */
2077 SSL_CTX_set_timeout(ctx, ssl_session_timeout);
2078 DEBUG(D_tls) debug_printf("Initialized TLS\n");
2089 /*************************************************
2090 * Get name of cipher in use *
2091 *************************************************/
2094 Argument: pointer to an SSL structure for the connection
2095 pointer to number of bits for cipher
2096 Returns: pointer to allocated string in perm-pool
2100 construct_cipher_name(SSL * ssl, int * bits)
2102 int pool = store_pool;
2103 /* With OpenSSL 1.0.0a, 'c' needs to be const but the documentation doesn't
2104 yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
2105 the accessor functions use const in the prototype. */
2107 const uschar * ver = CUS SSL_get_version(ssl);
2108 const SSL_CIPHER * c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
2111 SSL_CIPHER_get_bits(c, bits);
2113 store_pool = POOL_PERM;
2114 s = string_sprintf("%s:%s:%u", ver, SSL_CIPHER_get_name(c), *bits);
2116 DEBUG(D_tls) debug_printf("Cipher: %s\n", s);
2121 /* Get IETF-standard name for ciphersuite.
2122 Argument: pointer to an SSL structure for the connection
2123 Returns: pointer to string
2126 static const uschar *
2127 cipher_stdname_ssl(SSL * ssl)
2129 #ifdef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
2130 return CUS SSL_CIPHER_standard_name(SSL_get_current_cipher(ssl));
2132 ushort id = 0xffff & SSL_CIPHER_get_id(SSL_get_current_cipher(ssl));
2133 return cipher_stdname(id >> 8, id & 0xff);
2139 peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned siz)
2141 /*XXX we might consider a list-of-certs variable for the cert chain.
2142 SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
2143 in list-handling functions, also consider the difference between the entire
2144 chain and the elements sent by the peer. */
2146 tlsp->peerdn = NULL;
2148 /* Will have already noted peercert on a verify fail; possibly not the leaf */
2149 if (!tlsp->peercert)
2150 tlsp->peercert = SSL_get_peer_certificate(ssl);
2151 /* Beware anonymous ciphers which lead to server_cert being NULL */
2153 if (!X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, siz))
2154 { DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n"); }
2157 peerdn[siz-1] = '\0';
2158 tlsp->peerdn = peerdn; /*XXX a static buffer... */
2166 /*************************************************
2167 * Set up for verifying certificates *
2168 *************************************************/
2170 #ifndef DISABLE_OCSP
2171 /* Load certs from file, return TRUE on success */
2174 chain_from_pem_file(const uschar * file, STACK_OF(X509) * verify_stack)
2179 while (sk_X509_num(verify_stack) > 0)
2180 X509_free(sk_X509_pop(verify_stack));
2182 if (!(bp = BIO_new_file(CS file, "r"))) return FALSE;
2183 while ((x = PEM_read_bio_X509(bp, NULL, 0, NULL)))
2184 sk_X509_push(verify_stack, x);
2192 /* Called by both client and server startup; on the server possibly
2193 repeated after a Server Name Indication.
2196 sctx SSL_CTX* to initialise
2197 certs certs file or NULL
2198 crl CRL file or NULL
2199 host NULL in a server; the remote host in a client
2200 optional TRUE if called from a server for a host in tls_try_verify_hosts;
2201 otherwise passed as FALSE
2202 cert_vfy_cb Callback function for certificate verification
2203 errstr error string pointer
2205 Returns: OK/DEFER/FAIL
2209 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
2210 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr)
2212 uschar *expcerts, *expcrl;
2214 if (!expand_check(certs, US"tls_verify_certificates", &expcerts, errstr))
2216 DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
2218 if (expcerts && *expcerts)
2220 /* Tell the library to use its compiled-in location for the system default
2221 CA bundle. Then add the ones specified in the config, if any. */
2223 if (!SSL_CTX_set_default_verify_paths(sctx))
2224 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL, errstr);
2226 if (Ustrcmp(expcerts, "system") != 0)
2228 struct stat statbuf;
2230 if (Ustat(expcerts, &statbuf) < 0)
2232 log_write(0, LOG_MAIN|LOG_PANIC,
2233 "failed to stat %s for certificates", expcerts);
2239 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
2240 { file = NULL; dir = expcerts; }
2243 file = expcerts; dir = NULL;
2244 #ifndef DISABLE_OCSP
2245 /* In the server if we will be offering an OCSP proof, load chain from
2246 file for verifying the OCSP proof at load time. */
2249 && statbuf.st_size > 0
2250 && server_static_cbinfo->u_ocsp.server.file
2251 && !chain_from_pem_file(file, server_static_cbinfo->verify_stack)
2254 log_write(0, LOG_MAIN|LOG_PANIC,
2255 "failed to load cert chain from %s", file);
2261 /* If a certificate file is empty, the next function fails with an
2262 unhelpful error message. If we skip it, we get the correct behaviour (no
2263 certificates are recognized, but the error message is still misleading (it
2264 says no certificate was supplied). But this is better. */
2266 if ( (!file || statbuf.st_size > 0)
2267 && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
2268 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL, errstr);
2270 /* Load the list of CAs for which we will accept certs, for sending
2271 to the client. This is only for the one-file tls_verify_certificates
2273 If a list isn't loaded into the server, but some verify locations are set,
2274 the server end appears to make a wildcard request for client certs.
2275 Meanwhile, the client library as default behaviour *ignores* the list
2276 we send over the wire - see man SSL_CTX_set_client_cert_cb.
2277 Because of this, and that the dir variant is likely only used for
2278 the public-CA bundle (not for a private CA), not worth fixing. */
2282 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
2284 SSL_CTX_set_client_CA_list(sctx, names);
2285 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
2286 sk_X509_NAME_num(names));
2291 /* Handle a certificate revocation list. */
2293 #if OPENSSL_VERSION_NUMBER > 0x00907000L
2295 /* This bit of code is now the version supplied by Lars Mainka. (I have
2296 merely reformatted it into the Exim code style.)
2298 "From here I changed the code to add support for multiple crl's
2299 in pem format in one file or to support hashed directory entries in
2300 pem format instead of a file. This method now uses the library function
2301 X509_STORE_load_locations to add the CRL location to the SSL context.
2302 OpenSSL will then handle the verify against CA certs and CRLs by
2303 itself in the verify callback." */
2305 if (!expand_check(crl, US"tls_crl", &expcrl, errstr)) return DEFER;
2306 if (expcrl && *expcrl)
2308 struct stat statbufcrl;
2309 if (Ustat(expcrl, &statbufcrl) < 0)
2311 log_write(0, LOG_MAIN|LOG_PANIC,
2312 "failed to stat %s for certificates revocation lists", expcrl);
2317 /* is it a file or directory? */
2319 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
2320 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
2324 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
2330 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
2332 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
2333 return tls_error(US"X509_STORE_load_locations", host, NULL, errstr);
2335 /* setting the flags to check against the complete crl chain */
2337 X509_STORE_set_flags(cvstore,
2338 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
2342 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
2344 /* If verification is optional, don't fail if no certificate */
2346 SSL_CTX_set_verify(sctx,
2347 SSL_VERIFY_PEER | (optional ? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
2356 /*************************************************
2357 * Start a TLS session in a server *
2358 *************************************************/
2360 /* This is called when Exim is running as a server, after having received
2361 the STARTTLS command. It must respond to that command, and then negotiate
2365 require_ciphers allowed ciphers
2366 errstr pointer to error message
2368 Returns: OK on success
2369 DEFER for errors before the start of the negotiation
2370 FAIL for errors during the negotiation; the server can't
2375 tls_server_start(const uschar * require_ciphers, uschar ** errstr)
2378 uschar * expciphers;
2379 tls_ext_ctx_cb * cbinfo;
2380 static uschar peerdn[256];
2382 /* Check for previous activation */
2384 if (tls_in.active.sock >= 0)
2386 tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
2387 smtp_printf("554 Already in TLS\r\n", FALSE);
2391 /* Initialize the SSL library. If it fails, it will already have logged
2394 rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
2395 #ifndef DISABLE_OCSP
2396 tls_ocsp_file, /*XXX stack*/
2398 NULL, &server_static_cbinfo, &tls_in, errstr);
2399 if (rc != OK) return rc;
2400 cbinfo = server_static_cbinfo;
2402 if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers, errstr))
2405 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
2406 were historically separated by underscores. So that I can use either form in my
2407 tests, and also for general convenience, we turn underscores into hyphens here.
2409 XXX SSL_CTX_set_cipher_list() is replaced by SSL_CTX_set_ciphersuites()
2410 for TLS 1.3 . Since we do not call it at present we get the default list:
2411 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
2416 for (uschar * s = expciphers; *s; s++ ) if (*s == '_') *s = '-';
2417 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
2418 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
2419 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL, errstr);
2420 cbinfo->server_cipher_list = expciphers;
2423 /* If this is a host for which certificate verification is mandatory or
2424 optional, set up appropriately. */
2426 tls_in.certificate_verified = FALSE;
2428 tls_in.dane_verified = FALSE;
2430 server_verify_callback_called = FALSE;
2432 if (verify_check_host(&tls_verify_hosts) == OK)
2434 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
2435 FALSE, verify_callback_server, errstr);
2436 if (rc != OK) return rc;
2437 server_verify_optional = FALSE;
2439 else if (verify_check_host(&tls_try_verify_hosts) == OK)
2441 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
2442 TRUE, verify_callback_server, errstr);
2443 if (rc != OK) return rc;
2444 server_verify_optional = TRUE;
2447 #ifdef EXPERIMENTAL_TLS_RESUME
2448 SSL_CTX_set_tlsext_ticket_key_cb(server_ctx, ticket_key_callback);
2449 /* despite working, appears to always return failure, so ignoring */
2451 #ifdef OPENSSL_HAVE_NUM_TICKETS
2452 # ifdef EXPERIMENTAL_TLS_RESUME
2453 SSL_CTX_set_num_tickets(server_ctx, tls_in.host_resumable ? 1 : 0);
2455 SSL_CTX_set_num_tickets(server_ctx, 0); /* send no TLS1.3 stateful-tickets */
2460 /* Prepare for new connection */
2462 if (!(server_ssl = SSL_new(server_ctx)))
2463 return tls_error(US"SSL_new", NULL, NULL, errstr);
2465 /* Warning: we used to SSL_clear(ssl) here, it was removed.
2467 * With the SSL_clear(), we get strange interoperability bugs with
2468 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
2469 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
2471 * The SSL_clear() call is to let an existing SSL* be reused, typically after
2472 * session shutdown. In this case, we have a brand new object and there's no
2473 * obvious reason to immediately clear it. I'm guessing that this was
2474 * originally added because of incomplete initialisation which the clear fixed,
2475 * in some historic release.
2478 /* Set context and tell client to go ahead, except in the case of TLS startup
2479 on connection, where outputting anything now upsets the clients and tends to
2480 make them disconnect. We need to have an explicit fflush() here, to force out
2481 the response. Other smtp_printf() calls do not need it, because in non-TLS
2482 mode, the fflush() happens when smtp_getc() is called. */
2484 SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
2485 if (!tls_in.on_connect)
2487 smtp_printf("220 TLS go ahead\r\n", FALSE);
2491 /* Now negotiate the TLS session. We put our own timer on it, since it seems
2492 that the OpenSSL library doesn't. */
2494 SSL_set_wfd(server_ssl, fileno(smtp_out));
2495 SSL_set_rfd(server_ssl, fileno(smtp_in));
2496 SSL_set_accept_state(server_ssl);
2498 DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
2500 sigalrm_seen = FALSE;
2501 if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
2502 rc = SSL_accept(server_ssl);
2507 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
2511 DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
2512 ERR_clear_error(); /* Even success can leave errors in the stack. Seen with
2513 anon-authentication ciphersuite negotiated. */
2515 #ifdef EXPERIMENTAL_TLS_RESUME
2516 if (SSL_session_reused(server_ssl))
2518 tls_in.resumption |= RESUME_USED;
2519 DEBUG(D_tls) debug_printf("Session reused\n");
2523 /* TLS has been set up. Adjust the input functions to read via TLS,
2524 and initialize things. */
2526 peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
2528 tls_in.cipher = construct_cipher_name(server_ssl, &tls_in.bits);
2529 tls_in.cipher_stdname = cipher_stdname_ssl(server_ssl);
2534 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)))
2535 debug_printf("Shared ciphers: %s\n", buf);
2537 #ifdef EXIM_HAVE_OPENSSL_KEYLOG
2539 BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
2540 SSL_SESSION_print_keylog(bp, SSL_get_session(server_ssl));
2545 #ifdef EXIM_HAVE_SESSION_TICKET
2547 SSL_SESSION * ss = SSL_get_session(server_ssl);
2548 if (SSL_SESSION_has_ticket(ss))
2549 debug_printf("The session has a ticket, life %lu seconds\n",
2550 SSL_SESSION_get_ticket_lifetime_hint(ss));
2555 /* Record the certificate we presented */
2557 X509 * crt = SSL_get_certificate(server_ssl);
2558 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
2561 /* Only used by the server-side tls (tls_in), including tls_getc.
2562 Client-side (tls_out) reads (seem to?) go via
2563 smtp_read_response()/ip_recv().
2564 Hence no need to duplicate for _in and _out.
2566 if (!ssl_xfer_buffer) ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
2567 ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
2568 ssl_xfer_eof = ssl_xfer_error = FALSE;
2570 receive_getc = tls_getc;
2571 receive_getbuf = tls_getbuf;
2572 receive_get_cache = tls_get_cache;
2573 receive_ungetc = tls_ungetc;
2574 receive_feof = tls_feof;
2575 receive_ferror = tls_ferror;
2576 receive_smtp_buffered = tls_smtp_buffered;
2578 tls_in.active.sock = fileno(smtp_out);
2579 tls_in.active.tls_ctx = NULL; /* not using explicit ctx for server-side */
2587 tls_client_basic_ctx_init(SSL_CTX * ctx,
2588 host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo,
2592 /* stick to the old behaviour for compatibility if tls_verify_certificates is
2593 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
2594 the specified host patterns if one of them is defined */
2596 if ( ( !ob->tls_verify_hosts
2597 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2599 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
2601 client_verify_optional = FALSE;
2602 else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
2603 client_verify_optional = TRUE;
2607 if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
2608 ob->tls_crl, host, client_verify_optional, verify_callback_client,
2612 if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
2614 cbinfo->verify_cert_hostnames =
2616 string_domain_utf8_to_alabel(host->name, NULL);
2620 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
2621 cbinfo->verify_cert_hostnames);
2629 dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa, uschar ** errstr)
2632 const char * hostnames[2] = { CS host->name, NULL };
2635 if (DANESSL_init(ssl, NULL, hostnames) != 1)
2636 return tls_error(US"hostnames load", host, NULL, errstr);
2638 for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
2639 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
2640 ) if (rr->type == T_TLSA && rr->size > 3)
2642 const uschar * p = rr->data;
2643 uint8_t usage, selector, mtype;
2644 const char * mdname;
2648 /* Only DANE-TA(2) and DANE-EE(3) are supported */
2649 if (usage != 2 && usage != 3) continue;
2656 default: continue; /* Only match-types 0, 1, 2 are supported */
2657 case 0: mdname = NULL; break;
2658 case 1: mdname = "sha256"; break;
2659 case 2: mdname = "sha512"; break;
2663 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
2666 return tls_error(US"tlsa load", host, NULL, errstr);
2667 case 0: /* action not taken */
2671 tls_out.tlsa_usage |= 1<<usage;
2677 log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
2680 #endif /*SUPPORT_DANE*/
2684 #ifdef EXPERIMENTAL_TLS_RESUME
2685 /* On the client, get any stashed session for the given IP from hints db
2686 and apply it to the ssl-connection for attempted resumption. */
2689 tls_retrieve_session(tls_support * tlsp, SSL * ssl, const uschar * key)
2691 tlsp->resumption |= RESUME_SUPPORTED;
2692 if (tlsp->host_resumable)
2694 dbdata_tls_session * dt;
2696 open_db dbblock, * dbm_file;
2698 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
2699 DEBUG(D_tls) debug_printf("checking for resumable session for %s\n", key);
2700 if ((dbm_file = dbfn_open(US"tls", O_RDONLY, &dbblock, FALSE, FALSE)))
2702 /* key for the db is the IP */
2703 if ((dt = dbfn_read_with_length(dbm_file, key, &len)))
2705 SSL_SESSION * ss = NULL;
2706 const uschar * sess_asn1 = dt->session;
2708 len -= sizeof(dbdata_tls_session);
2709 if (!(d2i_SSL_SESSION(&ss, &sess_asn1, (long)len)))
2713 ERR_error_string_n(ERR_get_error(),
2714 ssl_errstring, sizeof(ssl_errstring));
2715 debug_printf("decoding session: %s\n", ssl_errstring);
2718 else if (!SSL_set_session(ssl, ss))
2722 ERR_error_string_n(ERR_get_error(),
2723 ssl_errstring, sizeof(ssl_errstring));
2724 debug_printf("applying session to ssl: %s\n", ssl_errstring);
2729 DEBUG(D_tls) debug_printf("good session\n");
2730 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
2734 DEBUG(D_tls) debug_printf("no session record\n");
2735 dbfn_close(dbm_file);
2741 /* On the client, save the session for later resumption */
2744 tls_save_session_cb(SSL * ssl, SSL_SESSION * ss)
2746 tls_ext_ctx_cb * cbinfo = SSL_get_ex_data(ssl, tls_exdata_idx);
2749 DEBUG(D_tls) debug_printf("tls_save_session_cb\n");
2751 if (!cbinfo || !(tlsp = cbinfo->tlsp)->host_resumable) return 0;
2753 # ifdef EXIM_HAVE_SESSION_TICKET
2755 if (SSL_SESSION_is_resumable(ss))
2757 int len = i2d_SSL_SESSION(ss, NULL);
2758 int dlen = sizeof(dbdata_tls_session) + len;
2759 dbdata_tls_session * dt = store_get(dlen);
2760 uschar * s = dt->session;
2761 open_db dbblock, * dbm_file;
2763 DEBUG(D_tls) debug_printf("session is resumable\n");
2764 tlsp->resumption |= RESUME_SERVER_TICKET; /* server gave us a ticket */
2766 len = i2d_SSL_SESSION(ss, &s); /* s gets bumped to end */
2768 if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
2770 const uschar * key = cbinfo->host->address;
2771 dbfn_delete(dbm_file, key);
2772 dbfn_write(dbm_file, key, dt, dlen);
2773 dbfn_close(dbm_file);
2774 DEBUG(D_tls) debug_printf("wrote session (len %u) to db\n",
2784 tls_client_ctx_resume_prehandshake(
2785 exim_openssl_client_tls_ctx * exim_client_ctx, tls_support * tlsp,
2786 smtp_transport_options_block * ob, host_item * host)
2788 /* Should the client request a session resumption ticket? */
2789 if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, host) == OK)
2791 tlsp->host_resumable = TRUE;
2793 SSL_CTX_set_session_cache_mode(exim_client_ctx->ctx,
2794 SSL_SESS_CACHE_CLIENT
2795 | SSL_SESS_CACHE_NO_INTERNAL | SSL_SESS_CACHE_NO_AUTO_CLEAR);
2796 SSL_CTX_sess_set_new_cb(exim_client_ctx->ctx, tls_save_session_cb);
2801 tls_client_ssl_resume_prehandshake(SSL * ssl, tls_support * tlsp,
2802 host_item * host, uschar ** errstr)
2804 if (tlsp->host_resumable)
2807 debug_printf("tls_resumption_hosts overrides openssl_options, enabling tickets\n");
2808 SSL_clear_options(ssl, SSL_OP_NO_TICKET);
2810 tls_exdata_idx = SSL_get_ex_new_index(0, 0, 0, 0, 0);
2811 if (!SSL_set_ex_data(ssl, tls_exdata_idx, client_static_cbinfo))
2813 tls_error(US"set ex_data", host, NULL, errstr);
2816 debug_printf("tls_exdata_idx %d cbinfo %p\n", tls_exdata_idx, client_static_cbinfo);
2819 tlsp->resumption = RESUME_SUPPORTED;
2820 /* Pick up a previous session, saved on an old ticket */
2821 tls_retrieve_session(tlsp, ssl, host->address);
2826 tls_client_resume_posthandshake(exim_openssl_client_tls_ctx * exim_client_ctx,
2829 if (SSL_session_reused(exim_client_ctx->ssl))
2831 DEBUG(D_tls) debug_printf("The session was reused\n");
2832 tlsp->resumption |= RESUME_USED;
2835 #endif /* EXPERIMENTAL_TLS_RESUME */
2838 /*************************************************
2839 * Start a TLS session in a client *
2840 *************************************************/
2842 /* Called from the smtp transport after STARTTLS has been accepted.
2845 cctx connection context
2846 conn_args connection details
2847 cookie datum for randomness; can be NULL
2848 tlsp record details of TLS channel configuration here; must be non-NULL
2849 errstr error string pointer
2851 Returns: TRUE for success with TLS session context set in connection context,
2856 tls_client_start(client_conn_ctx * cctx, smtp_connect_args * conn_args,
2857 void * cookie, tls_support * tlsp, uschar ** errstr)
2859 host_item * host = conn_args->host; /* for msgs and option-tests */
2860 transport_instance * tb = conn_args->tblock; /* always smtp or NULL */
2861 smtp_transport_options_block * ob = tb
2862 ? (smtp_transport_options_block *)tb->options_block
2863 : &smtp_transport_option_defaults;
2864 exim_openssl_client_tls_ctx * exim_client_ctx;
2865 uschar * expciphers;
2867 static uschar peerdn[256];
2869 #ifndef DISABLE_OCSP
2870 BOOL request_ocsp = FALSE;
2871 BOOL require_ocsp = FALSE;
2875 store_pool = POOL_PERM;
2876 exim_client_ctx = store_get(sizeof(exim_openssl_client_tls_ctx));
2877 exim_client_ctx->corked = NULL;
2881 tlsp->tlsa_usage = 0;
2884 #ifndef DISABLE_OCSP
2886 # ifdef SUPPORT_DANE
2887 if ( conn_args->dane
2888 && ob->hosts_request_ocsp[0] == '*'
2889 && ob->hosts_request_ocsp[1] == '\0'
2892 /* Unchanged from default. Use a safer one under DANE */
2893 request_ocsp = TRUE;
2894 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
2895 " {= {4}{$tls_out_tlsa_usage}} } "
2901 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK))
2902 request_ocsp = TRUE;
2904 # ifdef SUPPORT_DANE
2908 verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
2912 rc = tls_init(&exim_client_ctx->ctx, host, NULL,
2913 ob->tls_certificate, ob->tls_privatekey,
2914 #ifndef DISABLE_OCSP
2915 (void *)(long)request_ocsp,
2917 cookie, &client_static_cbinfo, tlsp, errstr);
2918 if (rc != OK) return FALSE;
2920 tlsp->certificate_verified = FALSE;
2921 client_verify_callback_called = FALSE;
2925 if (conn_args->dane)
2927 /* We fall back to tls_require_ciphers if unset, empty or forced failure, but
2928 other failures should be treated as problems. */
2929 if (ob->dane_require_tls_ciphers &&
2930 !expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
2931 &expciphers, errstr))
2933 if (expciphers && *expciphers == '\0')
2938 !expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
2939 &expciphers, errstr))
2942 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
2943 are separated by underscores. So that I can use either form in my tests, and
2944 also for general convenience, we turn underscores into hyphens here. */
2948 uschar *s = expciphers;
2949 while (*s) { if (*s == '_') *s = '-'; s++; }
2950 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
2951 if (!SSL_CTX_set_cipher_list(exim_client_ctx->ctx, CS expciphers))
2953 tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr);
2959 if (conn_args->dane)
2961 SSL_CTX_set_verify(exim_client_ctx->ctx,
2962 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2963 verify_callback_client_dane);
2965 if (!DANESSL_library_init())
2967 tls_error(US"library init", host, NULL, errstr);
2970 if (DANESSL_CTX_init(exim_client_ctx->ctx) <= 0)
2972 tls_error(US"context init", host, NULL, errstr);
2980 if (tls_client_basic_ctx_init(exim_client_ctx->ctx, host, ob,
2981 client_static_cbinfo, errstr) != OK)
2984 #ifdef EXPERIMENTAL_TLS_RESUME
2985 tls_client_ctx_resume_prehandshake(exim_client_ctx, tlsp, ob, host);
2989 if (!(exim_client_ctx->ssl = SSL_new(exim_client_ctx->ctx)))
2991 tls_error(US"SSL_new", host, NULL, errstr);
2994 SSL_set_session_id_context(exim_client_ctx->ssl, sid_ctx, Ustrlen(sid_ctx));
2996 #ifdef EXPERIMENTAL_TLS_RESUME
2997 if (!tls_client_ssl_resume_prehandshake(exim_client_ctx->ssl, tlsp, host,
3002 SSL_set_fd(exim_client_ctx->ssl, cctx->sock);
3003 SSL_set_connect_state(exim_client_ctx->ssl);
3007 if (!expand_check(ob->tls_sni, US"tls_sni", &tlsp->sni, errstr))
3011 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
3013 else if (!Ustrlen(tlsp->sni))
3017 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
3018 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tlsp->sni);
3019 SSL_set_tlsext_host_name(exim_client_ctx->ssl, tlsp->sni);
3021 log_write(0, LOG_MAIN, "SNI unusable with this OpenSSL library version; ignoring \"%s\"\n",
3028 if (conn_args->dane)
3029 if (dane_tlsa_load(exim_client_ctx->ssl, host, &conn_args->tlsa_dnsa, errstr) != OK)
3033 #ifndef DISABLE_OCSP
3034 /* Request certificate status at connection-time. If the server
3035 does OCSP stapling we will get the callback (set in tls_init()) */
3036 # ifdef SUPPORT_DANE
3040 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
3041 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
3043 { /* Re-eval now $tls_out_tlsa_usage is populated. If
3044 this means we avoid the OCSP request, we wasted the setup
3045 cost in tls_init(). */
3046 require_ocsp = verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
3047 request_ocsp = require_ocsp
3048 || verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
3055 SSL_set_tlsext_status_type(exim_client_ctx->ssl, TLSEXT_STATUSTYPE_ocsp);
3056 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
3057 tlsp->ocsp = OCSP_NOT_RESP;
3061 #ifndef DISABLE_EVENT
3062 client_static_cbinfo->event_action = tb ? tb->event_action : NULL;
3065 /* There doesn't seem to be a built-in timeout on connection. */
3067 DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
3068 sigalrm_seen = FALSE;
3069 ALARM(ob->command_timeout);
3070 rc = SSL_connect(exim_client_ctx->ssl);
3074 if (conn_args->dane)
3075 DANESSL_cleanup(exim_client_ctx->ssl);
3080 tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL, errstr);
3086 debug_printf("SSL_connect succeeded\n");
3087 #ifdef EXIM_HAVE_OPENSSL_KEYLOG
3089 BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
3090 SSL_SESSION_print_keylog(bp, SSL_get_session(exim_client_ctx->ssl));
3096 #ifdef EXPERIMENTAL_TLS_RESUME
3097 tls_client_resume_posthandshake(exim_client_ctx, tlsp);
3100 peer_cert(exim_client_ctx->ssl, tlsp, peerdn, sizeof(peerdn));
3102 tlsp->cipher = construct_cipher_name(exim_client_ctx->ssl, &tlsp->bits);
3103 tlsp->cipher_stdname = cipher_stdname_ssl(exim_client_ctx->ssl);
3105 /* Record the certificate we presented */
3107 X509 * crt = SSL_get_certificate(exim_client_ctx->ssl);
3108 tlsp->ourcert = crt ? X509_dup(crt) : NULL;
3111 tlsp->active.sock = cctx->sock;
3112 tlsp->active.tls_ctx = exim_client_ctx;
3113 cctx->tls_ctx = exim_client_ctx;
3122 tls_refill(unsigned lim)
3127 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
3128 ssl_xfer_buffer, ssl_xfer_buffer_size);
3130 if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
3131 inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer,
3132 MIN(ssl_xfer_buffer_size, lim));
3133 error = SSL_get_error(server_ssl, inbytes);
3134 if (smtp_receive_timeout > 0) ALARM_CLR(0);
3136 if (had_command_timeout) /* set by signal handler */
3137 smtp_command_timeout_exit(); /* does not return */
3138 if (had_command_sigterm)
3139 smtp_command_sigterm_exit();
3140 if (had_data_timeout)
3141 smtp_data_timeout_exit();
3142 if (had_data_sigint)
3143 smtp_data_sigint_exit();
3145 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
3146 closed down, not that the socket itself has been closed down. Revert to
3147 non-SSL handling. */
3151 case SSL_ERROR_NONE:
3154 case SSL_ERROR_ZERO_RETURN:
3155 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
3157 receive_getc = smtp_getc;
3158 receive_getbuf = smtp_getbuf;
3159 receive_get_cache = smtp_get_cache;
3160 receive_ungetc = smtp_ungetc;
3161 receive_feof = smtp_feof;
3162 receive_ferror = smtp_ferror;
3163 receive_smtp_buffered = smtp_buffered;
3165 if (SSL_get_shutdown(server_ssl) == SSL_RECEIVED_SHUTDOWN)
3166 SSL_shutdown(server_ssl);
3168 #ifndef DISABLE_OCSP
3169 sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
3170 server_static_cbinfo->verify_stack = NULL;
3172 SSL_free(server_ssl);
3173 SSL_CTX_free(server_ctx);
3176 tls_in.active.sock = -1;
3177 tls_in.active.tls_ctx = NULL;
3179 tls_in.cipher = NULL;
3180 tls_in.peerdn = NULL;
3185 /* Handle genuine errors */
3187 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3188 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
3189 ssl_xfer_error = TRUE;
3193 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
3194 DEBUG(D_tls) if (error == SSL_ERROR_SYSCALL)
3195 debug_printf(" - syscall %s\n", strerror(errno));
3196 ssl_xfer_error = TRUE;
3200 #ifndef DISABLE_DKIM
3201 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
3203 ssl_xfer_buffer_hwm = inbytes;
3204 ssl_xfer_buffer_lwm = 0;
3209 /*************************************************
3210 * TLS version of getc *
3211 *************************************************/
3213 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
3214 it refills the buffer via the SSL reading function.
3216 Arguments: lim Maximum amount to read/buffer
3217 Returns: the next character or EOF
3219 Only used by the server-side TLS.
3223 tls_getc(unsigned lim)
3225 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
3226 if (!tls_refill(lim))
3227 return ssl_xfer_error ? EOF : smtp_getc(lim);
3229 /* Something in the buffer; return next uschar */
3231 return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
3235 tls_getbuf(unsigned * len)
3240 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
3241 if (!tls_refill(*len))
3243 if (!ssl_xfer_error) return smtp_getbuf(len);
3248 if ((size = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm) > *len)
3250 buf = &ssl_xfer_buffer[ssl_xfer_buffer_lwm];
3251 ssl_xfer_buffer_lwm += size;
3260 #ifndef DISABLE_DKIM
3261 int n = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm;
3263 dkim_exim_verify_feed(ssl_xfer_buffer+ssl_xfer_buffer_lwm, n);
3269 tls_could_read(void)
3271 return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm || SSL_pending(server_ssl) > 0;
3275 /*************************************************
3276 * Read bytes from TLS channel *
3277 *************************************************/
3281 ct_ctx client context pointer, or NULL for the one global server context
3285 Returns: the number of bytes read
3286 -1 after a failed read, including EOF
3288 Only used by the client-side TLS.
3292 tls_read(void * ct_ctx, uschar *buff, size_t len)
3294 SSL * ssl = ct_ctx ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
3298 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
3299 buff, (unsigned int)len);
3301 inbytes = SSL_read(ssl, CS buff, len);
3302 error = SSL_get_error(ssl, inbytes);
3304 if (error == SSL_ERROR_ZERO_RETURN)
3306 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
3309 else if (error != SSL_ERROR_NONE)
3319 /*************************************************
3320 * Write bytes down TLS channel *
3321 *************************************************/
3325 ct_ctx client context pointer, or NULL for the one global server context
3328 more further data expected soon
3330 Returns: the number of bytes after a successful write,
3331 -1 after a failed write
3333 Used by both server-side and client-side TLS.
3337 tls_write(void * ct_ctx, const uschar *buff, size_t len, BOOL more)
3340 int outbytes, error;
3342 ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
3343 static gstring * server_corked = NULL;
3344 gstring ** corkedp = ct_ctx
3345 ? &((exim_openssl_client_tls_ctx *)ct_ctx)->corked : &server_corked;
3346 gstring * corked = *corkedp;
3348 DEBUG(D_tls) debug_printf("%s(%p, %lu%s)\n", __FUNCTION__,
3349 buff, (unsigned long)len, more ? ", more" : "");
3351 /* Lacking a CORK or MSG_MORE facility (such as GnuTLS has) we copy data when
3352 "more" is notified. This hack is only ok if small amounts are involved AND only
3353 one stream does it, in one context (i.e. no store reset). Currently it is used
3354 for the responses to the received SMTP MAIL , RCPT, DATA sequence, only.
3355 We support callouts done by the server process by using a separate client
3356 context for the stashed information. */
3357 /* + if PIPE_COMMAND, banner & ehlo-resp for smmtp-on-connect. Suspect there's
3358 a store reset there, so use POOL_PERM. */
3359 /* + if CHUNKING, cmds EHLO,MAIL,RCPT(s),BDAT */
3361 if ((more || corked))
3363 #ifdef EXPERIMENTAL_PIPE_CONNECT
3364 int save_pool = store_pool;
3365 store_pool = POOL_PERM;
3368 corked = string_catn(corked, buff, len);
3370 #ifdef EXPERIMENTAL_PIPE_CONNECT
3371 store_pool = save_pool;
3379 buff = CUS corked->s;
3384 for (int left = len; left > 0;)
3386 DEBUG(D_tls) debug_printf("SSL_write(%p, %p, %d)\n", ssl, buff, left);
3387 outbytes = SSL_write(ssl, CS buff, left);
3388 error = SSL_get_error(ssl, outbytes);
3389 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
3393 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3394 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
3397 case SSL_ERROR_NONE:
3402 case SSL_ERROR_ZERO_RETURN:
3403 log_write(0, LOG_MAIN, "SSL channel closed on write");
3406 case SSL_ERROR_SYSCALL:
3407 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
3408 sender_fullhost ? sender_fullhost : US"<unknown>",
3413 log_write(0, LOG_MAIN, "SSL_write error %d", error);
3422 /*************************************************
3423 * Close down a TLS session *
3424 *************************************************/
3426 /* This is also called from within a delivery subprocess forked from the
3427 daemon, to shut down the TLS library, without actually doing a shutdown (which
3428 would tamper with the SSL session in the parent process).
3431 ct_ctx client TLS context pointer, or NULL for the one global server context
3432 shutdown 1 if TLS close-alert is to be sent,
3433 2 if also response to be waited for
3437 Used by both server-side and client-side TLS.
3441 tls_close(void * ct_ctx, int shutdown)
3443 exim_openssl_client_tls_ctx * o_ctx = ct_ctx;
3444 SSL_CTX **ctxp = o_ctx ? &o_ctx->ctx : &server_ctx;
3445 SSL **sslp = o_ctx ? &o_ctx->ssl : &server_ssl;
3446 int *fdp = o_ctx ? &tls_out.active.sock : &tls_in.active.sock;
3448 if (*fdp < 0) return; /* TLS was not active */
3453 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
3454 shutdown > 1 ? " (with response-wait)" : "");
3456 if ( (rc = SSL_shutdown(*sslp)) == 0 /* send "close notify" alert */
3460 rc = SSL_shutdown(*sslp); /* wait for response */
3464 if (rc < 0) DEBUG(D_tls)
3466 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3467 debug_printf("SSL_shutdown: %s\n", ssl_errstring);
3471 #ifndef DISABLE_OCSP
3472 if (!o_ctx) /* server side */
3474 sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
3475 server_static_cbinfo->verify_stack = NULL;
3479 SSL_CTX_free(*ctxp);
3489 /*************************************************
3490 * Let tls_require_ciphers be checked at startup *
3491 *************************************************/
3493 /* The tls_require_ciphers option, if set, must be something which the
3496 Returns: NULL on success, or error message
3500 tls_validate_require_cipher(void)
3503 uschar *s, *expciphers, *err;
3505 /* this duplicates from tls_init(), we need a better "init just global
3506 state, for no specific purpose" singleton function of our own */
3508 #ifdef EXIM_NEED_OPENSSL_INIT
3509 SSL_load_error_strings();
3510 OpenSSL_add_ssl_algorithms();
3512 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
3513 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
3514 list of available digests. */
3515 EVP_add_digest(EVP_sha256());
3518 if (!(tls_require_ciphers && *tls_require_ciphers))
3521 if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
3523 return US"failed to expand tls_require_ciphers";
3525 if (!(expciphers && *expciphers))
3528 /* normalisation ripped from above */
3530 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
3534 #ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
3535 if (!(ctx = SSL_CTX_new(TLS_server_method())))
3537 if (!(ctx = SSL_CTX_new(SSLv23_server_method())))
3540 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3541 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
3545 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
3547 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
3549 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3550 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed: %s",
3551 expciphers, ssl_errstring);
3562 /*************************************************
3563 * Report the library versions. *
3564 *************************************************/
3566 /* There have historically been some issues with binary compatibility in
3567 OpenSSL libraries; if Exim (like many other applications) is built against
3568 one version of OpenSSL but the run-time linker picks up another version,
3569 it can result in serious failures, including crashing with a SIGSEGV. So
3570 report the version found by the compiler and the run-time version.
3572 Note: some OS vendors backport security fixes without changing the version
3573 number/string, and the version date remains unchanged. The _build_ date
3574 will change, so we can more usefully assist with version diagnosis by also
3575 reporting the build date.
3577 Arguments: a FILE* to print the results to
3582 tls_version_report(FILE *f)
3584 fprintf(f, "Library version: OpenSSL: Compile: %s\n"
3587 OPENSSL_VERSION_TEXT,
3588 SSLeay_version(SSLEAY_VERSION),
3589 SSLeay_version(SSLEAY_BUILT_ON));
3590 /* third line is 38 characters for the %s and the line is 73 chars long;
3591 the OpenSSL output includes a "built on: " prefix already. */
3597 /*************************************************
3598 * Random number generation *
3599 *************************************************/
3601 /* Pseudo-random number generation. The result is not expected to be
3602 cryptographically strong but not so weak that someone will shoot themselves
3603 in the foot using it as a nonce in input in some email header scheme or
3604 whatever weirdness they'll twist this into. The result should handle fork()
3605 and avoid repeating sequences. OpenSSL handles that for us.
3609 Returns a random number in range [0, max-1]
3613 vaguely_random_number(int max)
3617 static pid_t pidlast = 0;
3619 uschar smallbuf[sizeof(r)];
3625 if (pidnow != pidlast)
3627 /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
3628 is unique for each thread", this doesn't apparently apply across processes,
3629 so our own warning from vaguely_random_number_fallback() applies here too.
3630 Fix per PostgreSQL. */
3636 /* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
3640 gettimeofday(&r.tv, NULL);
3643 RAND_seed(US (&r), sizeof(r));
3645 /* We're after pseudo-random, not random; if we still don't have enough data
3646 in the internal PRNG then our options are limited. We could sleep and hope
3647 for entropy to come along (prayer technique) but if the system is so depleted
3648 in the first place then something is likely to just keep taking it. Instead,
3649 we'll just take whatever little bit of pseudo-random we can still manage to
3652 needed_len = sizeof(r);
3653 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
3654 asked for a number less than 10. */
3655 for (r = max, i = 0; r; ++i)
3661 #ifdef EXIM_HAVE_RAND_PSEUDO
3662 /* We do not care if crypto-strong */
3663 i = RAND_pseudo_bytes(smallbuf, needed_len);
3665 i = RAND_bytes(smallbuf, needed_len);
3671 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
3672 return vaguely_random_number_fallback(max);
3676 for (uschar * p = smallbuf; needed_len; --needed_len, ++p)
3679 /* We don't particularly care about weighted results; if someone wants
3680 smooth distribution and cares enough then they should submit a patch then. */
3687 /*************************************************
3688 * OpenSSL option parse *
3689 *************************************************/
3691 /* Parse one option for tls_openssl_options_parse below
3694 name one option name
3695 value place to store a value for it
3696 Returns success or failure in parsing
3702 tls_openssl_one_option_parse(uschar *name, long *value)
3705 int last = exim_openssl_options_size;
3706 while (last > first)
3708 int middle = (first + last)/2;
3709 int c = Ustrcmp(name, exim_openssl_options[middle].name);
3712 *value = exim_openssl_options[middle].value;
3726 /*************************************************
3727 * OpenSSL option parsing logic *
3728 *************************************************/
3730 /* OpenSSL has a number of compatibility options which an administrator might
3731 reasonably wish to set. Interpret a list similarly to decode_bits(), so that
3732 we look like log_selector.
3735 option_spec the administrator-supplied string of options
3736 results ptr to long storage for the options bitmap
3737 Returns success or failure
3741 tls_openssl_options_parse(uschar *option_spec, long *results)
3746 BOOL adding, item_parsed;
3748 /* Server: send no (<= TLS1.2) session tickets */
3749 result = SSL_OP_NO_TICKET;
3751 /* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
3752 * from default because it increases BEAST susceptibility. */
3753 #ifdef SSL_OP_NO_SSLv2
3754 result |= SSL_OP_NO_SSLv2;
3756 #ifdef SSL_OP_NO_SSLv3
3757 result |= SSL_OP_NO_SSLv3;
3759 #ifdef SSL_OP_SINGLE_DH_USE
3760 result |= SSL_OP_SINGLE_DH_USE;
3769 for (uschar * s = option_spec; *s; /**/)
3771 while (isspace(*s)) ++s;
3774 if (*s != '+' && *s != '-')
3776 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
3777 "+ or - expected but found \"%s\"\n", s);
3780 adding = *s++ == '+';
3781 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
3784 item_parsed = tls_openssl_one_option_parse(s, &item);
3788 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
3791 DEBUG(D_tls) debug_printf("openssl option, %s %8lx: %lx (%s)\n",
3792 adding ? "adding to " : "removing from", result, item, s);
3804 #endif /*!MACRO_PREDEF*/
3807 /* End of tls-openssl.c */