1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) The Exim Maintainers 2020 - 2022 */
6 /* Copyright (c) University of Cambridge 1995 - 2019 */
7 /* See the file NOTICE for conditions of use and distribution. */
8 /* SPDX-License-Identifier: GPL-2.0-or-later */
10 /* Portions Copyright (c) The OpenSSL Project 1999 */
12 /* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
13 library. It is #included into the tls.c file when that library is used. The
14 code herein is based on a patch that was originally contributed by Steve
15 Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
17 No cryptographic code is included in Exim. All this module does is to call
18 functions from the OpenSSL library. */
23 #include <openssl/lhash.h>
24 #include <openssl/ssl.h>
25 #include <openssl/err.h>
26 #include <openssl/rand.h>
27 #ifndef OPENSSL_NO_ECDH
28 # include <openssl/ec.h>
31 # include <openssl/ocsp.h>
39 # define EXIM_OCSP_SKEW_SECONDS (300L)
40 # define EXIM_OCSP_MAX_AGE (-1L)
43 #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
44 # define EXIM_HAVE_OPENSSL_TLSEXT
46 #if OPENSSL_VERSION_NUMBER >= 0x00908000L
47 # define EXIM_HAVE_RSA_GENKEY_EX
49 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
50 # define EXIM_HAVE_OCSP_RESP_COUNT
51 # define OPENSSL_AUTO_SHA256
52 # define OPENSSL_MIN_PROTO_VERSION
54 # define EXIM_HAVE_EPHEM_RSA_KEX
55 # define EXIM_HAVE_RAND_PSEUDO
57 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
58 # define EXIM_HAVE_SHA256
61 /* X509_check_host provides sane certificate hostname checking, but was added
62 to OpenSSL late, after other projects forked off the code-base. So in
63 addition to guarding against the base version number, beware that LibreSSL
64 does not (at this time) support this function.
66 If LibreSSL gains a different API, perhaps via libtls, then we'll probably
67 opt to disentangle and ask a LibreSSL user to provide glue for a third
68 crypto provider for libtls instead of continuing to tie the OpenSSL glue
69 into even twistier knots. If LibreSSL gains the same API, we can just
70 change this guard and punt the issue for a while longer. */
72 #ifndef LIBRESSL_VERSION_NUMBER
73 # if OPENSSL_VERSION_NUMBER >= 0x010100000L
74 # define EXIM_HAVE_OPENSSL_CHECKHOST
75 # define EXIM_HAVE_OPENSSL_DH_BITS
76 # define EXIM_HAVE_OPENSSL_TLS_METHOD
77 # define EXIM_HAVE_OPENSSL_KEYLOG
78 # define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
79 # define EXIM_HAVE_SESSION_TICKET
80 # define EXIM_HAVE_OPESSL_TRACE
81 # define EXIM_HAVE_OPESSL_GET0_SERIAL
82 # define EXIM_HAVE_OPESSL_OCSP_RESP_GET0_CERTS
83 # define EXIM_HAVE_SSL_GET0_VERIFIED_CHAIN
85 # define EXIM_HAVE_OCSP
87 # define EXIM_HAVE_ALPN /* fail ret from hshake-cb is ignored by LibreSSL */
89 # define EXIM_NEED_OPENSSL_INIT
91 # if OPENSSL_VERSION_NUMBER >= 0x010000000L \
92 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
93 # define EXIM_HAVE_OPENSSL_CHECKHOST
97 #if LIBRESSL_VERSION_NUMBER >= 0x3040000fL
98 # define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
101 #if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x030000000L)
102 # define EXIM_HAVE_EXPORT_CHNL_BNGNG
103 # define EXIM_HAVE_OPENSSL_X509_STORE_GET1_ALL_CERTS
106 #if !defined(LIBRESSL_VERSION_NUMBER) \
107 || LIBRESSL_VERSION_NUMBER >= 0x20010000L
108 # if !defined(OPENSSL_NO_ECDH)
109 # if OPENSSL_VERSION_NUMBER >= 0x0090800fL
110 # define EXIM_HAVE_ECDH
112 # if OPENSSL_VERSION_NUMBER >= 0x10002000L
113 # define EXIM_HAVE_OPENSSL_EC_NIST2NID
118 #ifndef LIBRESSL_VERSION_NUMBER
119 # if OPENSSL_VERSION_NUMBER >= 0x010101000L
120 # define OPENSSL_HAVE_KEYLOG_CB
121 # define OPENSSL_HAVE_NUM_TICKETS
122 # define EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
123 # define EXIM_HAVE_EXP_CHNL_BNGNG
124 # define EXIM_HAVE_OPENSSL_OCSP_RESP_GET0_SIGNER
125 # define EXIM_HAVE_OPENSSL_SET1_GROUPS
127 # define OPENSSL_BAD_SRVR_OURCERT
131 #if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x010002000L)
132 # define EXIM_HAVE_EXPORT_CHNL_BNGNG
135 #if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
136 # warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
137 # define DISABLE_OCSP
140 #ifndef DISABLE_TLS_RESUME
141 # if OPENSSL_VERSION_NUMBER < 0x0101010L
142 # error OpenSSL version too old for session-resumption
146 #ifdef EXIM_HAVE_OPENSSL_CHECKHOST
147 # include <openssl/x509v3.h>
150 #ifndef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
151 # ifndef EXIM_HAVE_OPENSSL_CIPHER_GET_ID
152 # define SSL_CIPHER_get_id(c) (c->id)
154 # ifndef MACRO_PREDEF
155 # include "tls-cipher-stdname.c"
159 #define TESTSUITE_TICKET_LIFE 10 /* seconds */
160 /*************************************************
161 * OpenSSL option parse *
162 *************************************************/
164 typedef struct exim_openssl_option {
167 } exim_openssl_option;
168 /* We could use a macro to expand, but we need the ifdef and not all the
169 options document which version they were introduced in. Policylet: include
170 all options unless explicitly for DTLS, let the administrator choose which
173 This list is current as of:
176 XXX could we autobuild this list, as with predefined-macros?
177 Seems just parsing ssl.h for SSL_OP_.* would be enough (except to exclude DTLS).
178 Also allow a numeric literal?
180 static exim_openssl_option exim_openssl_options[] = {
181 /* KEEP SORTED ALPHABETICALLY! */
183 { US"all", (long) SSL_OP_ALL },
185 #ifdef SSL_OP_ALLOW_NO_DHE_KEX
186 { US"allow_no_dhe_kex", SSL_OP_ALLOW_NO_DHE_KEX },
188 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
189 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
191 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
192 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
194 #ifdef SSL_OP_CRYPTOPRO_TLSEXT_BUG
195 { US"cryptopro_tlsext_bug", SSL_OP_CRYPTOPRO_TLSEXT_BUG },
197 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
198 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
200 #ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT
201 { US"enable_middlebox_compat", SSL_OP_ENABLE_MIDDLEBOX_COMPAT },
203 #ifdef SSL_OP_EPHEMERAL_RSA
204 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
206 #ifdef SSL_OP_LEGACY_SERVER_CONNECT
207 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
209 #ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
210 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
212 #ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
213 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
215 #ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
216 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
218 #ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
219 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
221 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
222 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
224 #ifdef SSL_OP_NO_ANTI_REPLAY
225 { US"no_anti_replay", SSL_OP_NO_ANTI_REPLAY },
227 #ifdef SSL_OP_NO_COMPRESSION
228 { US"no_compression", SSL_OP_NO_COMPRESSION },
230 #ifdef SSL_OP_NO_ENCRYPT_THEN_MAC
231 { US"no_encrypt_then_mac", SSL_OP_NO_ENCRYPT_THEN_MAC },
233 #ifdef SSL_OP_NO_RENEGOTIATION
234 { US"no_renegotiation", SSL_OP_NO_RENEGOTIATION },
236 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
237 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
239 #ifdef SSL_OP_NO_SSLv2
240 { US"no_sslv2", SSL_OP_NO_SSLv2 },
242 #ifdef SSL_OP_NO_SSLv3
243 { US"no_sslv3", SSL_OP_NO_SSLv3 },
245 #ifdef SSL_OP_NO_TICKET
246 { US"no_ticket", SSL_OP_NO_TICKET },
248 #ifdef SSL_OP_NO_TLSv1
249 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
251 #ifdef SSL_OP_NO_TLSv1_1
252 # if OPENSSL_VERSION_NUMBER < 0x30000000L
253 # if SSL_OP_NO_TLSv1_1 == 0x00000400L
254 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
255 # warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
256 # define NO_SSL_OP_NO_TLSv1_1
259 # ifndef NO_SSL_OP_NO_TLSv1_1
260 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
263 #ifdef SSL_OP_NO_TLSv1_2
264 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
266 #ifdef SSL_OP_NO_TLSv1_3
267 { US"no_tlsv1_3", SSL_OP_NO_TLSv1_3 },
269 #ifdef SSL_OP_PRIORITIZE_CHACHA
270 { US"prioritize_chacha", SSL_OP_PRIORITIZE_CHACHA },
272 #ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
273 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
275 #ifdef SSL_OP_SINGLE_DH_USE
276 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
278 #ifdef SSL_OP_SINGLE_ECDH_USE
279 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
281 #ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
282 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
284 #ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
285 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
287 #ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
288 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
290 #ifdef SSL_OP_TLS_D5_BUG
291 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
293 #ifdef SSL_OP_TLS_ROLLBACK_BUG
294 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
296 #ifdef SSL_OP_TLSEXT_PADDING
297 { US"tlsext_padding", SSL_OP_TLSEXT_PADDING },
302 static int exim_openssl_options_size = nelem(exim_openssl_options);
303 static long init_options = 0;
312 for (struct exim_openssl_option * o = exim_openssl_options;
313 o < exim_openssl_options + nelem(exim_openssl_options); o++)
315 /* Trailing X is workaround for problem with _OPT_OPENSSL_NO_TLSV1
316 being a ".ifdef _OPT_OPENSSL_NO_TLSV1_3" match */
318 spf(buf, sizeof(buf), US"_OPT_OPENSSL_%T_X", o->name);
319 builtin_macro_create(buf);
322 # ifndef DISABLE_TLS_RESUME
323 builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
325 # ifdef SSL_OP_NO_TLSv1_3
326 builtin_macro_create(US"_HAVE_TLS1_3");
328 # ifdef OPENSSL_BAD_SRVR_OURCERT
329 builtin_macro_create(US"_TLS_BAD_MULTICERT_IN_OURCERT");
331 # ifdef EXIM_HAVE_OCSP
332 builtin_macro_create(US"_HAVE_TLS_OCSP");
333 builtin_macro_create(US"_HAVE_TLS_OCSP_LIST");
335 # ifdef EXIM_HAVE_ALPN
336 builtin_macro_create(US"_HAVE_TLS_ALPN");
341 /******************************************************************************/
343 /* Structure for collecting random data for seeding. */
345 typedef struct randstuff {
350 /* Local static variables */
352 static BOOL client_verify_callback_called = FALSE;
353 static BOOL server_verify_callback_called = FALSE;
354 static const uschar *sid_ctx = US"exim";
356 /* We have three different contexts to care about.
358 Simple case: client, `client_ctx`
359 As a client, we can be doing a callout or cut-through delivery while receiving
360 a message. So we have a client context, which should have options initialised
361 from the SMTP Transport. We may also concurrently want to make TLS connections
362 to utility daemons, so client-contexts are allocated and passed around in call
363 args rather than using a gobal.
366 There are two cases: with and without ServerNameIndication from the client.
367 Given TLS SNI, we can be using different keys, certs and various other
368 configuration settings, because they're re-expanded with $tls_sni set. This
369 allows vhosting with TLS. This SNI is sent in the handshake.
370 A client might not send SNI, so we need a fallback, and an initial setup too.
371 So as a server, we start out using `server_ctx`.
372 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
373 `server_sni` from `server_ctx` and then initialise settings by re-expanding
381 } exim_openssl_client_tls_ctx;
384 /* static SSL_CTX *server_ctx = NULL; */
385 /* static SSL *server_ssl = NULL; */
387 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
388 static SSL_CTX *server_sni = NULL;
390 #ifdef EXIM_HAVE_ALPN
391 static BOOL server_seen_alpn = FALSE;
394 static char ssl_errstring[256];
396 static int ssl_session_timeout = 7200; /* Two hours */
397 static BOOL client_verify_optional = FALSE;
398 static BOOL server_verify_optional = FALSE;
400 static BOOL reexpand_tls_files_for_sni = FALSE;
403 typedef struct ocsp_resp {
404 struct ocsp_resp * next;
405 OCSP_RESPONSE * resp;
408 typedef struct exim_openssl_state {
409 exim_tlslib_state lib_state;
410 #define lib_ctx libdata0
411 #define lib_ssl libdata1
414 uschar * certificate;
421 const uschar *file_expanded;
422 ocsp_resplist *olist;
423 STACK_OF(X509) *verify_stack; /* chain for verifying the proof */
426 X509_STORE *verify_store; /* non-null if status requested */
427 uschar *verify_errstr; /* only if _required */
428 BOOL verify_required;
433 /* these are cached from first expand */
434 uschar * server_cipher_list;
435 /* only passed down to tls_error: */
437 const uschar * verify_cert_hostnames;
438 #ifndef DISABLE_EVENT
439 uschar * event_action;
441 } exim_openssl_state_st;
443 /* should figure out a cleanup of API to handle state preserved per
444 implementation, for various reasons, which can be void * in the APIs.
445 For now, we hack around it. */
446 exim_openssl_state_st *client_static_state = NULL; /*XXX should not use static; multiple concurrent clients! */
447 exim_openssl_state_st state_server = {.is_server = TRUE};
450 setup_certs(SSL_CTX * sctx, uschar ** certs, uschar * crl, host_item * host,
455 static int tls_server_stapling_cb(SSL *s, void *arg);
456 static void x509_stack_dump_cert_s_names(const STACK_OF(X509) * sk);
457 static void x509_store_dump_cert_s_names(X509_STORE * store);
462 /* Daemon-called, before every connection, key create/rotate */
463 #ifndef DISABLE_TLS_RESUME
464 static void tk_init(void);
465 static int tls_exdata_idx = -1;
469 tls_per_lib_daemon_tick(void)
471 #ifndef DISABLE_TLS_RESUME
476 /* Called once at daemon startup */
479 tls_per_lib_daemon_init(void)
481 tls_daemon_creds_reload();
485 /*************************************************
487 *************************************************/
489 /* Called from lots of places when errors occur before actually starting to do
490 the TLS handshake, that is, while the session is still in clear. Always returns
491 DEFER for a server and FAIL for a client so that most calls can use "return
492 tls_error(...)" to do this processing and then give an appropriate return. A
493 single function is used for both server and client, because it is called from
494 some shared functions.
497 prefix text to include in the logged error
498 host NULL if setting up a server;
499 the connected host if setting up a client
500 msg error message or NULL if we should ask OpenSSL
501 errstr pointer to output error message
503 Returns: OK/DEFER/FAIL
507 tls_error(uschar * prefix, const host_item * host, uschar * msg, uschar ** errstr)
511 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
512 msg = US ssl_errstring;
515 msg = string_sprintf("(%s): %s", prefix, msg);
516 DEBUG(D_tls) debug_printf("TLS error '%s'\n", msg);
517 if (errstr) *errstr = msg;
518 return host ? FAIL : DEFER;
523 /**************************************************
524 * General library initalisation *
525 **************************************************/
528 lib_rand_init(void * addr)
531 if (!RAND_status()) return TRUE;
533 gettimeofday(&r.tv, NULL);
535 RAND_seed(US (&r), sizeof(r));
536 RAND_seed(US big_buffer, big_buffer_size);
537 if (addr) RAND_seed(US addr, sizeof(addr));
539 return RAND_status();
544 tls_openssl_init(void)
546 static BOOL once = FALSE;
550 #ifdef EXIM_NEED_OPENSSL_INIT
551 SSL_load_error_strings(); /* basic set up */
552 OpenSSL_add_ssl_algorithms();
555 #if defined(EXIM_HAVE_SHA256) && !defined(OPENSSL_AUTO_SHA256)
556 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
557 list of available digests. */
558 EVP_add_digest(EVP_sha256());
561 (void) lib_rand_init(NULL);
562 (void) tls_openssl_options_parse(openssl_options, &init_options);
567 /*************************************************
568 * Initialize for DH *
569 *************************************************/
571 /* If dhparam is set, expand it, and load up the parameters for DH encryption.
575 sctx The current SSL CTX (inbound or outbound)
576 dhparam DH parameter file or fixed parameter identity string
577 errstr error string pointer
579 Returns: TRUE if OK (nothing to set up, or setup worked)
583 init_dh(SSL_CTX * sctx, uschar * dhparam, uschar ** errstr)
586 #if OPENSSL_VERSION_NUMBER < 0x30000000L
595 if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded, errstr))
598 if (!dhexpanded || !*dhexpanded)
599 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
600 else if (dhexpanded[0] == '/')
602 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
604 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
605 NULL, US strerror(errno), errstr);
611 if (Ustrcmp(dhexpanded, "none") == 0)
613 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
617 if (!(pem = std_dh_prime_named(dhexpanded)))
619 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
620 NULL, US strerror(errno), errstr);
623 bio = BIO_new_mem_buf(CS pem, -1);
627 #if OPENSSL_VERSION_NUMBER < 0x30000000L
628 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)
630 pkey = PEM_read_bio_Parameters_ex(bio, NULL, NULL, NULL)
635 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
640 /* note: our default limit of 2236 is not a multiple of 8; the limit comes from
641 an NSS limit, and the GnuTLS APIs handle bit-sizes fine, so we went with 2236.
642 But older OpenSSL can only report in bytes (octets), not bits. If someone wants
643 to dance at the edge, then they can raise the limit or use current libraries. */
645 #if OPENSSL_VERSION_NUMBER < 0x30000000L
646 # ifdef EXIM_HAVE_OPENSSL_DH_BITS
647 /* Added in commit 26c79d5641d; `git describe --contains` says OpenSSL_1_1_0-pre1~1022
648 This predates OpenSSL_1_1_0 (before a, b, ...) so is in all 1.1.0 */
649 dh_bitsize = DH_bits(dh);
651 dh_bitsize = 8 * DH_size(dh);
654 dh_bitsize = EVP_PKEY_get_bits(pkey);
657 /* Even if it is larger, we silently return success rather than cause things to
658 fail out, so that a too-large DH will not knock out all TLS; it's a debatable
659 choice. Likewise for a failing attempt to set one. */
661 if (dh_bitsize <= tls_dh_max_bits)
664 #if OPENSSL_VERSION_NUMBER < 0x30000000L
665 SSL_CTX_set_tmp_dh(sctx, dh)
667 SSL_CTX_set0_tmp_dh_pkey(sctx, pkey)
671 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
672 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (D-H param setting '%s'): %s",
673 dhexpanded ? dhexpanded : US"default", ssl_errstring);
674 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
675 /* EVP_PKEY_free(pkey); crashes */
680 debug_printf(" Diffie-Hellman initialized from %s with %d-bit prime\n",
681 dhexpanded ? dhexpanded : US"default", dh_bitsize);
685 debug_printf(" dhparams '%s' %d bits, is > tls_dh_max_bits limit of %d\n",
686 dhexpanded ? dhexpanded : US"default", dh_bitsize, tls_dh_max_bits);
688 #if OPENSSL_VERSION_NUMBER < 0x30000000L
691 /* The EVP_PKEY ownership stays with the ctx; do not free it */
700 /*************************************************
701 * Initialize for ECDH *
702 *************************************************/
704 /* "auto" needs to be handled carefully.
705 OpenSSL < 1.0.2: we do not select anything, but fallback to prime256v1
706 OpenSSL < 1.1.0: we have to call SSL_CTX_set_ecdh_auto
707 (openssl/ssl.h defines SSL_CTRL_SET_ECDH_AUTO)
708 OpenSSL >= 1.1.0: we do not set anything, the libray does autoselection
709 https://github.com/openssl/openssl/commit/fe6ef2472db933f01b59cad82aa925736935984b
714 init_ecdh_auto(SSL_CTX * sctx)
716 #if OPENSSL_VERSION_NUMBER < 0x10002000L
717 DEBUG(D_tls) debug_printf(
718 " ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n");
719 return US"prime256v1";
722 # if defined SSL_CTRL_SET_ECDH_AUTO
724 DEBUG(D_tls) debug_printf(
725 " ECDH OpenSSL 1.0.2+: temp key parameter settings: autoselection\n");
726 SSL_CTX_set_ecdh_auto(sctx, 1);
731 DEBUG(D_tls) debug_printf(
732 " ECDH OpenSSL 1.1.0+: temp key parameter settings: library default selection\n");
739 /* Load parameters for ECDH encryption. Server only.
741 For now, we stick to NIST P-256 because: it's simple and easy to configure;
742 it avoids any patent issues that might bite redistributors; despite events in
743 the news and concerns over curve choices, we're not cryptographers, we're not
744 pretending to be, and this is "good enough" to be better than no support,
745 protecting against most adversaries. Given another year or two, there might
746 be sufficient clarity about a "right" way forward to let us make an informed
747 decision, instead of a knee-jerk reaction.
749 Longer-term, we should look at supporting both various named curves and
750 external files generated with "openssl ecparam", much as we do for init_dh().
751 We should also support "none" as a value, to explicitly avoid initialisation.
756 sctx The current SSL CTX (inbound or outbound)
757 errstr error string pointer
759 Returns: TRUE if OK (nothing to set up, or setup worked)
763 init_ecdh(SSL_CTX * sctx, uschar ** errstr)
765 #ifdef OPENSSL_NO_ECDH
769 # ifndef EXIM_HAVE_ECDH
771 debug_printf(" No OpenSSL API to define ECDH parameters, skipping\n");
776 int ngroups, rc, sep;
777 const uschar * curves_list, * curve;
778 # ifdef EXIM_HAVE_OPENSSL_SET1_GROUPS
784 if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr))
787 /* Is the option deliberately empty? */
789 if (!exp_curve || !*exp_curve)
792 /* Limit the list to hardwired array size. Drop out if any element is "suto". */
794 curves_list = exp_curve;
797 ngroups < nelem(nids)
798 && (curve = string_nextinlist(&curves_list, &sep, NULL, 0));
800 if (Ustrcmp(curve, "auto") == 0)
802 DEBUG(D_tls) if (ngroups > 0)
803 debug_printf(" tls_eccurve 'auto' item takes precedence\n");
804 if ((exp_curve = init_ecdh_auto(sctx))) break; /* have a curve name to set */
805 return TRUE; /* all done */
810 /* Translate to NIDs */
812 curves_list = exp_curve;
813 for (ngroups = 0; curve = string_nextinlist(&curves_list, &sep, NULL, 0);
815 if ( (nids[ngroups] = OBJ_sn2nid (CCS curve)) == NID_undef
816 # ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
817 && (nids[ngroups] = EC_curve_nist2nid(CCS curve)) == NID_undef
821 uschar * s = string_sprintf("Unknown curve name in tls_eccurve '%s'", curve);
822 DEBUG(D_tls) debug_printf("TLS error: %s\n", s);
823 if (errstr) *errstr = s;
827 # ifdef EXIM_HAVE_OPENSSL_SET1_GROUPS
830 if ((rc = SSL_CTX_set1_groups(sctx, nids, ngroups)) == 0)
831 tls_error(string_sprintf("Error enabling '%s' group(s)", exp_curve), NULL, NULL, errstr);
833 DEBUG(D_tls) debug_printf(" ECDH: enabled '%s' group(s)\n", exp_curve);
835 # else /* Cannot handle a list; only 1 element nids array */
838 if (!(ecdh = EC_KEY_new_by_curve_name(nids[0])))
840 tls_error(US"Unable to create ec curve", NULL, NULL, errstr);
844 /* The "tmp" in the name here refers to setting a temporary key
845 not to the stability of the interface. */
847 if ((rc = SSL_CTX_set_tmp_ecdh(sctx, ecdh)) == 0)
848 tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), NULL, NULL, errstr);
850 DEBUG(D_tls) debug_printf(" ECDH: enabled '%s' curve\n", exp_curve);
853 # endif /*!EXIM_HAVE_OPENSSL_SET1_GROUPS*/
857 # endif /*EXIM_HAVE_ECDH*/
858 #endif /*OPENSSL_NO_ECDH*/
863 /*************************************************
864 * Expand key and cert file specs *
865 *************************************************/
867 #if OPENSSL_VERSION_NUMBER < 0x30000000L
870 s SSL connection (not used)
874 Returns: pointer to generated key
878 rsa_callback(SSL *s, int export, int keylength)
881 #ifdef EXIM_HAVE_RSA_GENKEY_EX
882 BIGNUM *bn = BN_new();
885 DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
887 # ifdef EXIM_HAVE_RSA_GENKEY_EX
888 if ( !BN_set_word(bn, (unsigned long)RSA_F4)
889 || !(rsa_key = RSA_new())
890 || !RSA_generate_key_ex(rsa_key, keylength, bn, NULL)
893 if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL)))
897 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
898 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
904 #endif /* pre-3.0.0 */
908 /* Create and install a selfsigned certificate, for use in server mode */
909 /*XXX we could arrange to call this during prelo for a null tls_certificate option.
910 The normal cache inval + relo will suffice.
911 Just need a timer for inval. */
914 tls_install_selfsign(SSL_CTX * sctx, uschar ** errstr)
921 DEBUG(D_tls) debug_printf("TLS: generating selfsigned server cert\n");
922 where = US"allocating pkey";
923 if (!(pkey = EVP_PKEY_new()))
926 where = US"allocating cert";
927 if (!(x509 = X509_new()))
930 where = US"generating pkey";
931 #if OPENSSL_VERSION_NUMBER < 0x30000000L
934 if (!(rsa = rsa_callback(NULL, 0, 2048)))
937 where = US"assigning pkey";
938 if (!EVP_PKEY_assign_RSA(pkey, rsa))
942 pkey = EVP_RSA_gen(2048);
945 X509_set_version(x509, 2); /* N+1 - version 3 */
946 ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
947 X509_gmtime_adj(X509_get_notBefore(x509), 0);
948 X509_gmtime_adj(X509_get_notAfter(x509), (long)2 * 60 * 60); /* 2 hour */
949 X509_set_pubkey(x509, pkey);
951 name = X509_get_subject_name(x509);
952 X509_NAME_add_entry_by_txt(name, "C",
953 MBSTRING_ASC, CUS "UK", -1, -1, 0);
954 X509_NAME_add_entry_by_txt(name, "O",
955 MBSTRING_ASC, CUS "Exim Developers", -1, -1, 0);
956 X509_NAME_add_entry_by_txt(name, "CN",
957 MBSTRING_ASC, CUS smtp_active_hostname, -1, -1, 0);
958 X509_set_issuer_name(x509, name);
960 where = US"signing cert";
961 if (!X509_sign(x509, pkey, EVP_md5()))
964 where = US"installing selfsign cert";
965 if (!SSL_CTX_use_certificate(sctx, x509))
968 where = US"installing selfsign key";
969 if (!SSL_CTX_use_PrivateKey(sctx, pkey))
975 (void) tls_error(where, NULL, NULL, errstr);
976 if (x509) X509_free(x509);
977 if (pkey) EVP_PKEY_free(pkey);
987 /*************************************************
988 * Information callback *
989 *************************************************/
991 /* The SSL library functions call this from time to time to indicate what they
992 are doing. We copy the string to the debugging output when TLS debugging has
1004 info_callback(const SSL * s, int where, int ret)
1010 if (where & SSL_ST_CONNECT) g = string_append_listele(g, ',', US"SSL_connect");
1011 if (where & SSL_ST_ACCEPT) g = string_append_listele(g, ',', US"SSL_accept");
1012 if (where & SSL_CB_LOOP) g = string_append_listele(g, ',', US"state_chg");
1013 if (where & SSL_CB_EXIT) g = string_append_listele(g, ',', US"hshake_exit");
1014 if (where & SSL_CB_READ) g = string_append_listele(g, ',', US"read");
1015 if (where & SSL_CB_WRITE) g = string_append_listele(g, ',', US"write");
1016 if (where & SSL_CB_ALERT) g = string_append_listele(g, ',', US"alert");
1017 if (where & SSL_CB_HANDSHAKE_START) g = string_append_listele(g, ',', US"hshake_start");
1018 if (where & SSL_CB_HANDSHAKE_DONE) g = string_append_listele(g, ',', US"hshake_done");
1020 if (where & SSL_CB_LOOP)
1021 debug_printf("SSL %s: %s\n", g->s, SSL_state_string_long(s));
1022 else if (where & SSL_CB_ALERT)
1023 debug_printf("SSL %s %s:%s\n", g->s,
1024 SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
1025 else if (where & SSL_CB_EXIT)
1028 debug_printf("SSL %s: %s in %s\n", g->s,
1029 ret == 0 ? "failed" : "error", SSL_state_string_long(s));
1031 else if (where & (SSL_CB_HANDSHAKE_START | SSL_CB_HANDSHAKE_DONE))
1032 debug_printf("SSL %s: %s\n", g->s, SSL_state_string_long(s));
1036 #ifdef OPENSSL_HAVE_KEYLOG_CB
1038 keylog_callback(const SSL *ssl, const char *line)
1042 DEBUG(D_tls) debug_printf("%.200s\n", line);
1043 if (!(filename = getenv("SSLKEYLOGFILE"))) return;
1044 if (!(fp = fopen(filename, "a"))) return;
1045 fprintf(fp, "%s\n", line);
1054 #ifndef DISABLE_EVENT
1056 verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
1057 BOOL *calledp, const BOOL *optionalp, const uschar * what)
1063 ev = tlsp == &tls_out ? client_static_state->event_action : event_action;
1066 DEBUG(D_tls) debug_printf("verify_event: %s %d\n", what, depth);
1067 old_cert = tlsp->peercert;
1068 tlsp->peercert = X509_dup(cert);
1069 /* NB we do not bother setting peerdn */
1070 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth), &errno)))
1072 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
1073 "depth=%d cert=%s: %s",
1074 tlsp == &tls_out ? deliver_host_address : sender_host_address,
1075 what, depth, dn, yield);
1079 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
1080 return 1; /* reject (leaving peercert set) */
1082 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
1083 "(host in tls_try_verify_hosts)\n");
1084 tlsp->verify_override = TRUE;
1086 X509_free(tlsp->peercert);
1087 tlsp->peercert = old_cert;
1093 /*************************************************
1094 * Callback for verification *
1095 *************************************************/
1097 /* The SSL library does certificate verification if set up to do so. This
1098 callback has the current yes/no state is in "state". If verification succeeded,
1099 we set the certificate-verified flag. If verification failed, what happens
1100 depends on whether the client is required to present a verifiable certificate
1103 If verification is optional, we change the state to yes, but still log the
1104 verification error. For some reason (it really would help to have proper
1105 documentation of OpenSSL), this callback function then gets called again, this
1106 time with state = 1. We must take care not to set the private verified flag on
1107 the second time through.
1109 Note: this function is not called if the client fails to present a certificate
1110 when asked. We get here only if a certificate has been received. Handling of
1111 optional verification for this case is done when requesting SSL to verify, by
1112 setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
1114 May be called multiple times for different issues with a certificate, even
1115 for a given "depth" in the certificate chain.
1118 preverify_ok current yes/no state as 1/0
1119 x509ctx certificate information.
1120 tlsp per-direction (client vs. server) support data
1121 calledp has-been-called flag
1122 optionalp verification-is-optional flag
1124 Returns: 0 if verification should fail, otherwise 1
1128 verify_callback(int preverify_ok, X509_STORE_CTX * x509ctx,
1129 tls_support * tlsp, BOOL * calledp, BOOL * optionalp)
1131 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
1132 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
1135 if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
1137 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
1138 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
1139 tlsp == &tls_out ? deliver_host_address : sender_host_address);
1142 dn[sizeof(dn)-1] = '\0';
1144 tlsp->verify_override = FALSE;
1145 if (preverify_ok == 0)
1147 uschar * extra = verify_mode ? string_sprintf(" (during %c-verify for [%s])",
1148 *verify_mode, sender_host_address)
1150 log_write(0, LOG_MAIN, "[%s] SSL verify error%s: depth=%d error=%s cert=%s",
1151 tlsp == &tls_out ? deliver_host_address : sender_host_address,
1153 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)), dn);
1157 if (!tlsp->peercert)
1158 tlsp->peercert = X509_dup(cert); /* record failing cert */
1159 return 0; /* reject */
1161 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
1162 "tls_try_verify_hosts)\n");
1163 tlsp->verify_override = TRUE;
1166 else if (depth != 0)
1168 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
1169 #ifndef DISABLE_EVENT
1170 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
1171 return 0; /* reject, with peercert set */
1176 const uschar * verify_cert_hostnames;
1178 if ( tlsp == &tls_out
1179 && ((verify_cert_hostnames = client_static_state->verify_cert_hostnames)))
1180 /* client, wanting hostname check */
1183 #ifdef EXIM_HAVE_OPENSSL_CHECKHOST
1184 # ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
1185 # define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
1187 # ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
1188 # define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
1191 const uschar * list = verify_cert_hostnames;
1194 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
1195 if ((rc = X509_check_host(cert, CCS name, 0,
1196 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
1197 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
1202 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
1203 tlsp == &tls_out ? deliver_host_address : sender_host_address);
1210 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
1213 uschar * extra = verify_mode
1214 ? string_sprintf(" (during %c-verify for [%s])",
1215 *verify_mode, sender_host_address)
1217 log_write(0, LOG_MAIN,
1218 "[%s] SSL verify error%s: certificate name mismatch: DN=\"%s\" H=\"%s\"",
1219 tlsp == &tls_out ? deliver_host_address : sender_host_address,
1220 extra, dn, verify_cert_hostnames);
1224 if (!tlsp->peercert)
1225 tlsp->peercert = X509_dup(cert); /* record failing cert */
1226 return 0; /* reject */
1228 DEBUG(D_tls) debug_printf("SSL verify name failure overridden (host in "
1229 "tls_try_verify_hosts)\n");
1230 tlsp->verify_override = TRUE;
1234 #ifndef DISABLE_EVENT
1235 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
1236 return 0; /* reject, with peercert set */
1239 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
1240 *calledp ? "" : " authenticated", dn);
1244 return 1; /* accept, at least for this level */
1248 verify_callback_client(int preverify_ok, X509_STORE_CTX *x509ctx)
1250 return verify_callback(preverify_ok, x509ctx, &tls_out,
1251 &client_verify_callback_called, &client_verify_optional);
1255 verify_callback_server(int preverify_ok, X509_STORE_CTX *x509ctx)
1257 return verify_callback(preverify_ok, x509ctx, &tls_in,
1258 &server_verify_callback_called, &server_verify_optional);
1264 /* This gets called *by* the dane library verify callback, which interposes
1268 verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
1270 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
1272 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
1273 #ifndef DISABLE_EVENT
1274 BOOL dummy_called, optional = FALSE;
1277 if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
1279 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
1280 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
1281 deliver_host_address);
1284 dn[sizeof(dn)-1] = '\0';
1286 DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
1287 preverify_ok ? "ok":"BAD", depth, dn);
1289 #ifndef DISABLE_EVENT
1290 if (verify_event(&tls_out, cert, depth, dn,
1291 &dummy_called, &optional, US"DANE"))
1292 return 0; /* reject, with peercert set */
1295 if (preverify_ok == 1)
1296 tls_out.dane_verified = TRUE;
1299 int err = X509_STORE_CTX_get_error(x509ctx);
1301 debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
1302 if (err == X509_V_ERR_APPLICATION_VERIFICATION)
1305 return preverify_ok;
1308 #endif /*SUPPORT_DANE*/
1311 #ifndef DISABLE_OCSP
1313 time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
1315 BIO_printf(bp, "\t%s: ", str);
1316 ASN1_GENERALIZEDTIME_print(bp, time);
1320 /*************************************************
1321 * Load OCSP information into state *
1322 *************************************************/
1323 /* Called to load the server OCSP response from the given file into memory, once
1324 caller has determined this is needed. Checks validity. Debugs a message
1327 ASSUMES: single response, for single cert.
1330 state various parts of session state
1331 filename the filename putatively holding an OCSP response
1332 is_pem file is PEM format; otherwise is DER
1336 ocsp_load_response(exim_openssl_state_st * state, const uschar * filename,
1340 OCSP_RESPONSE * resp;
1341 OCSP_BASICRESP * basic_response;
1342 OCSP_SINGLERESP * single_response;
1343 ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
1344 STACK_OF(X509) * sk;
1345 int status, reason, i;
1348 debug_printf("tls_ocsp_file (%s) '%s'\n", is_pem ? "PEM" : "DER", filename);
1350 if (!filename || !*filename) return;
1353 if (!(bio = BIO_new_file(CS filename, "rb")))
1355 log_write(0, LOG_MAIN|LOG_PANIC,
1356 "Failed to open OCSP response file \"%s\": %.100s",
1357 filename, ERR_reason_error_string(ERR_get_error()));
1363 uschar * data, * freep;
1366 if (!PEM_read_bio(bio, &dummy, &dummy, &data, &len))
1368 log_write(0, LOG_MAIN|LOG_PANIC, "Failed to read PEM file \"%s\": %.100s",
1369 filename, ERR_reason_error_string(ERR_get_error()));
1373 resp = d2i_OCSP_RESPONSE(NULL, CUSS &data, len);
1374 OPENSSL_free(freep);
1377 resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
1382 log_write(0, LOG_MAIN|LOG_PANIC, "Error reading OCSP response from \"%s\": %s",
1383 filename, ERR_reason_error_string(ERR_get_error()));
1387 if ((status = OCSP_response_status(resp)) != OCSP_RESPONSE_STATUS_SUCCESSFUL)
1389 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
1390 OCSP_response_status_str(status), status);
1396 BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
1397 OCSP_RESPONSE_print(bp, resp, 0); /* extreme debug: stapling content */
1402 if (!(basic_response = OCSP_response_get1_basic(resp)))
1405 debug_printf("OCSP response parse error: unable to extract basic response.\n");
1409 sk = state->u_ocsp.server.verify_stack; /* set by setup_certs() / chain_from_pem_file() */
1411 /* May need to expose ability to adjust those flags?
1412 OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
1413 OCSP_TRUSTOTHER OCSP_NOINTERN */
1415 /* This does a partial verify (only the signer link, not the whole chain-to-CA)
1416 on the OCSP proof before we load it for serving up; possibly overkill -
1417 just date-checks might be nice enough.
1419 OCSP_basic_verify takes a "store" arg, but does not
1420 use it for the chain verification, when OCSP_NOVERIFY is set.
1421 The content from the wire "basic_response" and a cert-stack "sk" are all
1424 We have a stack, loaded in setup_certs() if tls_verify_certificates
1425 was a file (not a directory, or "system"). It is unfortunate we
1426 cannot used the connection context store, as that would neatly
1427 handle the "system" case too, but there seems to be no library
1428 function for getting a stack from a store.
1429 [ In OpenSSL 1.1 - ? X509_STORE_CTX_get0_chain(ctx) ? ]
1430 [ 3.0.0 - sk = X509_STORE_get1_all_certs(store) ]
1431 We do not free the stack since it could be needed a second time for
1434 Separately we might try to replace using OCSP_basic_verify() - which seems to not
1435 be a public interface into the OpenSSL library (there's no manual entry) -
1436 (in 3.0.0 + is is public)
1437 But what with? We also use OCSP_basic_verify in the client stapling callback.
1438 And there we NEED it; we must verify that status... unless the
1439 library does it for us anyway? */
1441 if ((i = OCSP_basic_verify(basic_response, sk, NULL, OCSP_NOVERIFY)) < 0)
1445 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
1446 debug_printf("OCSP response has bad signature: %s\n", US ssl_errstring);
1451 /* Here's the simplifying assumption: there's only one response, for the
1452 one certificate we use, and nothing for anything else in a chain. If this
1453 proves false, we need to extract a cert id from our issued cert
1454 (tls_certificate) and use that for OCSP_resp_find_status() (which finds the
1455 right cert in the stack and then calls OCSP_single_get0_status()).
1457 I'm hoping to avoid reworking a bunch more of how we handle state here.
1459 XXX that will change when we add support for (TLS1.3) whole-chain stapling
1462 if (!(single_response = OCSP_resp_get0(basic_response, 0)))
1465 debug_printf("Unable to get first response from OCSP basic response.\n");
1469 status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
1470 if (status != V_OCSP_CERTSTATUS_GOOD)
1472 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
1473 OCSP_cert_status_str(status), status,
1474 OCSP_crl_reason_str(reason), reason);
1478 if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1482 BIO * bp = BIO_new(BIO_s_mem());
1485 time_print(bp, "This OCSP Update", thisupd);
1486 if (nextupd) time_print(bp, "Next OCSP Update", nextupd);
1487 if ((len = (int) BIO_get_mem_data(bp, CSS &s)) > 0) debug_printf("%.*s", len, s);
1488 debug_printf("OCSP status invalid times.\n");
1494 /* Add the resp to the list used by tls_server_stapling_cb() */
1496 ocsp_resplist ** op = &state->u_ocsp.server.olist, * oentry;
1497 while (oentry = *op)
1499 *op = oentry = store_get(sizeof(ocsp_resplist), GET_UNTAINTED);
1500 oentry->next = NULL;
1501 oentry->resp = resp;
1506 if (f.running_in_test_harness)
1508 extern char ** environ;
1509 if (environ) for (uschar ** p = USS environ; *p; p++)
1510 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
1512 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
1513 goto supply_response;
1521 ocsp_free_response_list(exim_openssl_state_st * state)
1523 for (ocsp_resplist * olist = state->u_ocsp.server.olist; olist;
1524 olist = olist->next)
1525 OCSP_RESPONSE_free(olist->resp);
1526 state->u_ocsp.server.olist = NULL;
1528 #endif /*!DISABLE_OCSP*/
1535 tls_add_certfile(SSL_CTX * sctx, exim_openssl_state_st * cbinfo, uschar * file,
1538 DEBUG(D_tls) debug_printf("tls_certificate file '%s'\n", file);
1539 if (!SSL_CTX_use_certificate_chain_file(sctx, CS file))
1540 return tls_error(string_sprintf(
1541 "SSL_CTX_use_certificate_chain_file file=%s", file),
1542 cbinfo->host, NULL, errstr);
1547 tls_add_pkeyfile(SSL_CTX * sctx, exim_openssl_state_st * cbinfo, uschar * file,
1550 DEBUG(D_tls) debug_printf("tls_privatekey file '%s'\n", file);
1551 if (!SSL_CTX_use_PrivateKey_file(sctx, CS file, SSL_FILETYPE_PEM))
1552 return tls_error(string_sprintf(
1553 "SSL_CTX_use_PrivateKey_file file=%s", file), cbinfo->host, NULL, errstr);
1560 /* Called once during tls_init and possibly again during TLS setup, for a
1561 new context, if Server Name Indication was used and tls_sni was seen in
1562 the certificate string.
1565 sctx the SSL_CTX* to update
1566 state various parts of session state
1567 errstr error string pointer
1569 Returns: OK/DEFER/FAIL
1573 tls_expand_session_files(SSL_CTX * sctx, exim_openssl_state_st * state,
1578 if (!state->certificate)
1580 if (!state->is_server) /* client */
1583 if (tls_install_selfsign(sctx, errstr) != OK)
1590 if ( !reexpand_tls_files_for_sni
1591 && ( Ustrstr(state->certificate, US"tls_sni")
1592 || Ustrstr(state->certificate, US"tls_in_sni")
1593 || Ustrstr(state->certificate, US"tls_out_sni")
1595 reexpand_tls_files_for_sni = TRUE;
1597 if ( !expand_check(state->certificate, US"tls_certificate", &expanded, errstr)
1598 || f.expand_string_forcedfail)
1600 if (f.expand_string_forcedfail)
1601 *errstr = US"expansion of tls_certificate failed";
1606 if (state->is_server)
1608 const uschar * file_list = expanded;
1611 #ifndef DISABLE_OCSP
1612 const uschar * olist = state->u_ocsp.server.file;
1615 BOOL fmt_pem = FALSE;
1618 if (!expand_check(olist, US"tls_ocsp_file", USS &olist, errstr))
1620 if (olist && !*olist)
1623 /* If doing a re-expand after SNI, avoid reloading the OCSP
1624 responses when the list of filenames has not changed.
1625 The creds-invali on content change wipes file_expanded, so that
1626 always reloads here. */
1628 if ( state->u_ocsp.server.file_expanded && olist
1629 && (Ustrcmp(olist, state->u_ocsp.server.file_expanded) == 0))
1631 DEBUG(D_tls) debug_printf(" - value unchanged, using existing values\n");
1636 ocsp_free_response_list(state);
1637 state->u_ocsp.server.file_expanded = olist;
1641 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1643 if ((err = tls_add_certfile(sctx, state, file, errstr)))
1646 #ifndef DISABLE_OCSP
1648 if ((ofile = string_nextinlist(&olist, &osep, NULL, 0)))
1650 if (Ustrncmp(ofile, US"PEM ", 4) == 0)
1655 else if (Ustrncmp(ofile, US"DER ", 4) == 0)
1660 ocsp_load_response(state, ofile, fmt_pem);
1663 DEBUG(D_tls) debug_printf("ran out of ocsp file list\n");
1667 else /* would there ever be a need for multiple client certs? */
1668 if ((err = tls_add_certfile(sctx, state, expanded, errstr)))
1671 if ( state->privatekey
1672 && !expand_check(state->privatekey, US"tls_privatekey", &expanded, errstr)
1673 || f.expand_string_forcedfail)
1675 if (f.expand_string_forcedfail)
1676 *errstr = US"expansion of tls_privatekey failed";
1680 /* If expansion was forced to fail, key_expanded will be NULL. If the result
1681 of the expansion is an empty string, ignore it also, and assume the private
1682 key is in the same file as the certificate. */
1684 if (expanded && *expanded)
1685 if (state->is_server)
1687 const uschar * file_list = expanded;
1691 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1692 if ((err = tls_add_pkeyfile(sctx, state, file, errstr)))
1695 else /* would there ever be a need for multiple client certs? */
1696 if ((err = tls_add_pkeyfile(sctx, state, expanded, errstr)))
1706 /**************************************************
1707 * One-time init credentials for server and client *
1708 **************************************************/
1711 normalise_ciphers(uschar ** ciphers, const uschar * pre_expansion_ciphers)
1713 uschar * s = *ciphers;
1715 if (!s || !Ustrchr(s, '_')) return; /* no change needed */
1717 if (s == pre_expansion_ciphers)
1718 s = string_copy(s); /* get writable copy */
1720 for (uschar * t = s; *t; t++) if (*t == '_') *t = '-';
1725 server_load_ciphers(SSL_CTX * ctx, exim_openssl_state_st * state,
1726 uschar * ciphers, uschar ** errstr)
1728 DEBUG(D_tls) debug_printf("required ciphers: %s\n", ciphers);
1729 if (!SSL_CTX_set_cipher_list(ctx, CS ciphers))
1730 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL, errstr);
1731 state->server_cipher_list = ciphers;
1738 lib_ctx_new(SSL_CTX ** ctxp, host_item * host, uschar ** errstr)
1741 #ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1742 if (!(ctx = SSL_CTX_new(host ? TLS_client_method() : TLS_server_method())))
1744 if (!(ctx = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method())))
1746 return tls_error(US"SSL_CTX_new", host, NULL, errstr);
1748 /* Set up the information callback, which outputs if debugging is at a suitable
1753 SSL_CTX_set_info_callback(ctx, info_callback);
1754 #if defined(EXIM_HAVE_OPESSL_TRACE) && !defined(OPENSSL_NO_SSL_TRACE)
1755 /* this needs a debug build of OpenSSL */
1756 SSL_CTX_set_msg_callback(ctx, SSL_trace);
1758 #ifdef OPENSSL_HAVE_KEYLOG_CB
1759 SSL_CTX_set_keylog_callback(ctx, keylog_callback);
1763 /* Automatically re-try reads/writes after renegotiation. */
1764 (void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
1771 tls_server_creds_init(void)
1774 uschar * dummy_errstr;
1775 unsigned lifetime = 0;
1779 state_server.lib_state = null_tls_preload;
1781 if (lib_ctx_new(&ctx, NULL, &dummy_errstr) != OK)
1783 state_server.lib_state.lib_ctx = ctx;
1785 /* Preload DH params and EC curve */
1787 if (opt_unset_or_noexpand(tls_dhparam))
1789 DEBUG(D_tls) debug_printf("TLS: preloading DH params '%s' for server\n", tls_dhparam);
1790 if (init_dh(ctx, tls_dhparam, &dummy_errstr))
1791 state_server.lib_state.dh = TRUE;
1794 DEBUG(D_tls) debug_printf("TLS: not preloading DH params for server\n");
1795 if (opt_unset_or_noexpand(tls_eccurve))
1797 DEBUG(D_tls) debug_printf("TLS: preloading ECDH curve '%s' for server\n", tls_eccurve);
1798 if (init_ecdh(ctx, &dummy_errstr))
1799 state_server.lib_state.ecdh = TRUE;
1802 DEBUG(D_tls) debug_printf("TLS: not preloading ECDH curve for server\n");
1804 #if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
1805 /* If we can, preload the Authorities for checking client certs against.
1806 Actual choice to do verify is made (tls_{,try_}verify_hosts)
1807 at TLS conn startup.
1808 Do this before the server ocsp so that its info can verify the ocsp. */
1810 if ( opt_set_and_noexpand(tls_verify_certificates)
1811 && opt_unset_or_noexpand(tls_crl))
1813 /* Watch the default dir also as they are always included */
1815 if ( tls_set_watch(CUS X509_get_default_cert_file(), FALSE)
1816 && tls_set_watch(tls_verify_certificates, FALSE)
1817 && tls_set_watch(tls_crl, FALSE))
1819 uschar * v_certs = tls_verify_certificates;
1820 DEBUG(D_tls) debug_printf("TLS: preloading CA bundle for server\n");
1822 if (setup_certs(ctx, &v_certs, tls_crl, NULL, &dummy_errstr) == OK)
1823 state_server.lib_state.cabundle = TRUE;
1825 /* If we can, preload the server-side cert, key and ocsp */
1827 if ( opt_set_and_noexpand(tls_certificate)
1828 # ifndef DISABLE_OCSP
1829 && opt_unset_or_noexpand(tls_ocsp_file)
1831 && opt_unset_or_noexpand(tls_privatekey))
1833 /* Set watches on the filenames. The implementation does de-duplication
1834 so we can just blindly do them all. */
1836 if ( tls_set_watch(tls_certificate, TRUE)
1837 # ifndef DISABLE_OCSP
1838 && tls_set_watch(tls_ocsp_file, TRUE)
1840 && tls_set_watch(tls_privatekey, TRUE))
1842 state_server.certificate = tls_certificate;
1843 state_server.privatekey = tls_privatekey;
1844 #ifndef DISABLE_OCSP
1845 state_server.u_ocsp.server.file = tls_ocsp_file;
1848 DEBUG(D_tls) debug_printf("TLS: preloading server certs\n");
1849 if (tls_expand_session_files(ctx, &state_server, &dummy_errstr) == OK)
1850 state_server.lib_state.conn_certs = TRUE;
1853 else if ( !tls_certificate && !tls_privatekey
1854 # ifndef DISABLE_OCSP
1858 { /* Generate & preload a selfsigned cert. No files to watch. */
1859 if (tls_expand_session_files(ctx, &state_server, &dummy_errstr) == OK)
1861 state_server.lib_state.conn_certs = TRUE;
1862 lifetime = f.running_in_test_harness ? 2 : 60 * 60; /* 1 hour */
1866 DEBUG(D_tls) debug_printf("TLS: not preloading server certs\n");
1870 DEBUG(D_tls) debug_printf("TLS: not preloading CA bundle for server\n");
1873 #endif /* EXIM_HAVE_INOTIFY */
1876 /* If we can, preload the ciphers control string */
1878 if (opt_set_and_noexpand(tls_require_ciphers))
1880 DEBUG(D_tls) debug_printf("TLS: preloading cipher list for server\n");
1881 normalise_ciphers(&tls_require_ciphers, tls_require_ciphers);
1882 if (server_load_ciphers(ctx, &state_server, tls_require_ciphers,
1883 &dummy_errstr) == OK)
1884 state_server.lib_state.pri_string = TRUE;
1887 DEBUG(D_tls) debug_printf("TLS: not preloading cipher list for server\n");
1894 /* Preload whatever creds are static, onto a transport. The client can then
1895 just copy the pointer as it starts up.
1896 Called from the daemon after a cache-invalidate with watch set; called from
1897 a queue-run startup with watch clear. */
1900 tls_client_creds_init(transport_instance * t, BOOL watch)
1902 smtp_transport_options_block * ob = t->options_block;
1903 exim_openssl_state_st tpt_dummy_state;
1904 host_item * dummy_host = (host_item *)1;
1905 uschar * dummy_errstr;
1910 ob->tls_preload = null_tls_preload;
1911 if (lib_ctx_new(&ctx, dummy_host, &dummy_errstr) != OK)
1913 ob->tls_preload.lib_ctx = ctx;
1915 tpt_dummy_state.lib_state = ob->tls_preload;
1917 #if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
1918 if ( opt_set_and_noexpand(ob->tls_certificate)
1919 && opt_unset_or_noexpand(ob->tls_privatekey))
1922 || ( tls_set_watch(ob->tls_certificate, FALSE)
1923 && tls_set_watch(ob->tls_privatekey, FALSE)
1926 uschar * pkey = ob->tls_privatekey;
1929 debug_printf("TLS: preloading client certs for transport '%s'\n",t->name);
1931 if ( tls_add_certfile(ctx, &tpt_dummy_state, ob->tls_certificate,
1933 && tls_add_pkeyfile(ctx, &tpt_dummy_state,
1934 pkey ? pkey : ob->tls_certificate,
1937 ob->tls_preload.conn_certs = TRUE;
1942 debug_printf("TLS: not preloading client certs, for transport '%s'\n", t->name);
1945 if ( opt_set_and_noexpand(ob->tls_verify_certificates)
1946 && opt_unset_or_noexpand(ob->tls_crl))
1949 || tls_set_watch(CUS X509_get_default_cert_file(), FALSE)
1950 && tls_set_watch(ob->tls_verify_certificates, FALSE)
1951 && tls_set_watch(ob->tls_crl, FALSE)
1954 uschar * v_certs = ob->tls_verify_certificates;
1956 debug_printf("TLS: preloading CA bundle for transport '%s'\n", t->name);
1958 if (setup_certs(ctx, &v_certs,
1959 ob->tls_crl, dummy_host, &dummy_errstr) == OK)
1960 ob->tls_preload.cabundle = TRUE;
1965 debug_printf("TLS: not preloading CA bundle, for transport '%s'\n", t->name);
1967 #endif /*EXIM_HAVE_INOTIFY*/
1971 #if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
1972 /* Invalidate the creds cached, by dropping the current ones.
1973 Call when we notice one of the source files has changed. */
1976 tls_server_creds_invalidate(void)
1978 SSL_CTX_free(state_server.lib_state.lib_ctx);
1979 state_server.lib_state = null_tls_preload;
1980 #ifndef DISABLE_OCSP
1981 state_server.u_ocsp.server.file_expanded = NULL;
1987 tls_client_creds_invalidate(transport_instance * t)
1989 smtp_transport_options_block * ob = t->options_block;
1990 SSL_CTX_free(ob->tls_preload.lib_ctx);
1991 ob->tls_preload = null_tls_preload;
1997 tls_server_creds_invalidate(void)
2001 tls_client_creds_invalidate(transport_instance * t)
2004 #endif /*EXIM_HAVE_INOTIFY*/
2009 #ifndef DISABLE_OCSP
2011 debug_print_sn(const X509 * cert)
2013 X509_NAME * sn = X509_get_subject_name((X509 *)cert);
2014 static uschar name[256];
2015 if (X509_NAME_oneline(sn, CS name, sizeof(name)))
2017 name[sizeof(name)-1] = '\0';
2018 debug_printf(" %s\n", name);
2023 x509_stack_dump_cert_s_names(const STACK_OF(X509) * sk)
2026 debug_printf(" (null)\n");
2029 int idx = sk_X509_num(sk);
2031 debug_printf(" (empty)\n");
2033 while (--idx >= 0) debug_print_sn(sk_X509_value(sk, idx));
2038 x509_store_dump_cert_s_names(X509_STORE * store)
2040 # ifdef EXIM_HAVE_OPENSSL_X509_STORE_GET1_ALL_CERTS
2042 debug_printf(" (no store)\n");
2045 STACK_OF(X509) * sk = X509_STORE_get1_all_certs(store);
2046 x509_stack_dump_cert_s_names(sk);
2047 sk_X509_pop_free(sk, X509_free);
2051 #endif /*!DISABLE_OCSP*/
2056 #ifndef DISABLE_TLS_RESUME
2057 /* Manage the keysets used for encrypting the session tickets, on the server. */
2059 typedef struct { /* Session ticket encryption key */
2062 const EVP_CIPHER * aes_cipher;
2063 uschar aes_key[32]; /* size needed depends on cipher. aes_128 implies 128/8 = 16? */
2064 # if OPENSSL_VERSION_NUMBER < 0x30000000L
2065 const EVP_MD * hmac_hash;
2067 const uschar * hmac_hashname;
2069 uschar hmac_key[16];
2074 static exim_stek exim_tk; /* current key */
2075 static exim_stek exim_tk_old; /* previous key */
2080 time_t t = time(NULL);
2082 if (exim_tk.name[0])
2084 if (exim_tk.renew >= t) return;
2085 exim_tk_old = exim_tk;
2088 if (f.running_in_test_harness) ssl_session_timeout = TESTSUITE_TICKET_LIFE;
2090 DEBUG(D_tls) debug_printf("OpenSSL: %s STEK\n", exim_tk.name[0] ? "rotating" : "creating");
2091 if (RAND_bytes(exim_tk.aes_key, sizeof(exim_tk.aes_key)) <= 0) return;
2092 if (RAND_bytes(exim_tk.hmac_key, sizeof(exim_tk.hmac_key)) <= 0) return;
2093 if (RAND_bytes(exim_tk.name+1, sizeof(exim_tk.name)-1) <= 0) return;
2095 exim_tk.name[0] = 'E';
2096 exim_tk.aes_cipher = EVP_aes_256_cbc();
2097 # if OPENSSL_VERSION_NUMBER < 0x30000000L
2098 exim_tk.hmac_hash = EVP_sha256();
2100 exim_tk.hmac_hashname = US "sha256";
2102 exim_tk.expire = t + ssl_session_timeout;
2103 exim_tk.renew = t + ssl_session_timeout/2;
2109 if (!exim_tk.name[0]) return NULL;
2114 tk_find(const uschar * name)
2116 return memcmp(name, exim_tk.name, sizeof(exim_tk.name)) == 0 ? &exim_tk
2117 : memcmp(name, exim_tk_old.name, sizeof(exim_tk_old.name)) == 0 ? &exim_tk_old
2124 # if OPENSSL_VERSION_NUMBER < 0x30000000L
2132 /*XXX will want these dependent on the ssl session strength */
2133 # if OPENSSL_VERSION_NUMBER < 0x30000000L
2134 HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
2135 key->hmac_hash, NULL);
2138 OSSL_PARAM params[3];
2139 uschar * hk = string_copy(key->hmac_hashname); /* need nonconst */
2140 params[0] = OSSL_PARAM_construct_octet_string("key", key->hmac_key, sizeof(key->hmac_key));
2141 params[1] = OSSL_PARAM_construct_utf8_string("digest", CS hk, 0);
2142 params[2] = OSSL_PARAM_construct_end();
2143 if (EVP_MAC_CTX_set_params(hctx, params) == 0)
2145 DEBUG(D_tls) debug_printf("EVP_MAC_CTX_set_params: %s\n",
2146 ERR_reason_error_string(ERR_get_error()));
2147 return 0; /* error in mac initialisation */
2154 /* Callback for session tickets, on server */
2156 ticket_key_callback(SSL * ssl, uschar key_name[16],
2157 uschar * iv, EVP_CIPHER_CTX * c_ctx,
2158 # if OPENSSL_VERSION_NUMBER < 0x30000000L
2165 tls_support * tlsp = state_server.tlsp;
2170 DEBUG(D_tls) debug_printf("ticket_key_callback: create new session\n");
2171 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
2173 if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) <= 0)
2174 return -1; /* insufficient random */
2176 if (!(key = tk_current())) /* current key doesn't exist or isn't valid */
2177 return 0; /* key couldn't be created */
2178 memcpy(key_name, key->name, 16);
2179 DEBUG(D_tls) debug_printf("STEK expire " TIME_T_FMT "\n", key->expire - time(NULL));
2181 if (tk_hmac_init(hctx, key) == 0) return 0;
2182 EVP_EncryptInit_ex(c_ctx, key->aes_cipher, NULL, key->aes_key, iv);
2184 DEBUG(D_tls) debug_printf("ticket created\n");
2189 time_t now = time(NULL);
2191 DEBUG(D_tls) debug_printf("ticket_key_callback: retrieve session\n");
2192 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
2194 if (!(key = tk_find(key_name)) || key->expire < now)
2198 debug_printf("ticket not usable (%s)\n", key ? "expired" : "not found");
2199 if (key) debug_printf("STEK expire " TIME_T_FMT "\n", key->expire - now);
2204 if (tk_hmac_init(hctx, key) == 0) return 0;
2205 EVP_DecryptInit_ex(c_ctx, key->aes_cipher, NULL, key->aes_key, iv);
2207 DEBUG(D_tls) debug_printf("ticket usable, STEK expire " TIME_T_FMT "\n", key->expire - now);
2209 /* The ticket lifetime and renewal are the same as the STEK lifetime and
2210 renewal, which is overenthusiastic. A factor of, say, 3x longer STEK would
2211 be better. To do that we'd have to encode ticket lifetime in the name as
2212 we don't yet see the restored session. Could check posthandshake for TLS1.3
2213 and trigger a new ticket then, but cannot do that for TLS1.2 */
2214 return key->renew < now ? 2 : 1;
2217 #endif /* !DISABLE_TLS_RESUME */
2222 setup_cert_verify(SSL_CTX * ctx, BOOL optional,
2223 int (*cert_vfy_cb)(int, X509_STORE_CTX *))
2225 /* If verification is optional, don't fail if no certificate */
2227 SSL_CTX_set_verify(ctx,
2228 SSL_VERIFY_PEER | (optional ? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
2233 /*************************************************
2234 * Callback to handle SNI *
2235 *************************************************/
2237 /* Called when acting as server during the TLS session setup if a Server Name
2238 Indication extension was sent by the client.
2240 API documentation is OpenSSL s_server.c implementation.
2243 s SSL* of the current session
2244 ad unknown (part of OpenSSL API) (unused)
2245 arg Callback of "our" registered data
2247 Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
2249 XXX might need to change to using ClientHello callback,
2250 per https://www.openssl.org/docs/manmaster/man3/SSL_client_hello_cb_fn.html
2253 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
2255 tls_servername_cb(SSL * s, int * ad ARG_UNUSED, void * arg)
2257 const char * servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
2258 exim_openssl_state_st * state = (exim_openssl_state_st *) arg;
2260 int old_pool = store_pool;
2264 return SSL_TLSEXT_ERR_OK;
2266 DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
2267 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
2269 /* Make the extension value available for expansion */
2270 store_pool = POOL_PERM;
2271 tls_in.sni = string_copy_taint(US servername, GET_TAINTED);
2272 store_pool = old_pool;
2274 if (!reexpand_tls_files_for_sni)
2275 return SSL_TLSEXT_ERR_OK;
2277 /* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
2278 not confident that memcpy wouldn't break some internal reference counting.
2279 Especially since there's a references struct member, which would be off. */
2281 if (lib_ctx_new(&server_sni, NULL, &errstr) != OK)
2284 /* Not sure how many of these are actually needed, since SSL object
2285 already exists. Might even need this selfsame callback, for reneg? */
2288 SSL_CTX * ctx = state_server.lib_state.lib_ctx;
2289 SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(ctx));
2290 SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(ctx));
2291 #ifdef OPENSSL_MIN_PROTO_VERSION
2292 SSL_CTX_set_min_proto_version(server_sni, SSL3_VERSION);
2294 SSL_CTX_set_options(server_sni, SSL_CTX_get_options(ctx));
2295 SSL_CTX_clear_options(server_sni, ~SSL_CTX_get_options(ctx));
2296 SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(ctx));
2297 SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
2298 SSL_CTX_set_tlsext_servername_arg(server_sni, state);
2301 if ( !init_dh(server_sni, state->dhparam, &errstr)
2302 || !init_ecdh(server_sni, &errstr)
2306 if ( state->server_cipher_list
2307 && !SSL_CTX_set_cipher_list(server_sni, CS state->server_cipher_list))
2310 #ifndef DISABLE_OCSP
2311 if (state->u_ocsp.server.file)
2313 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
2314 SSL_CTX_set_tlsext_status_arg(server_sni, state);
2319 uschar * v_certs = tls_verify_certificates;
2320 if ((rc = setup_certs(server_sni, &v_certs, tls_crl, NULL,
2324 if (v_certs && *v_certs)
2325 setup_cert_verify(server_sni, FALSE, verify_callback_server);
2328 /* do this after setup_certs, because this can require the certs for verifying
2329 OCSP information. */
2330 if ((rc = tls_expand_session_files(server_sni, state, &errstr)) != OK)
2333 DEBUG(D_tls) debug_printf("Switching SSL context.\n");
2334 SSL_set_SSL_CTX(s, server_sni);
2335 return SSL_TLSEXT_ERR_OK;
2338 log_write(0, LOG_MAIN|LOG_PANIC, "%s", errstr);
2339 return SSL_TLSEXT_ERR_ALERT_FATAL;
2341 #endif /* EXIM_HAVE_OPENSSL_TLSEXT */
2346 #ifdef EXIM_HAVE_ALPN
2347 /*************************************************
2348 * Callback to handle ALPN *
2349 *************************************************/
2351 /* Called on server if tls_alpn nonblank after expansion,
2352 when client offers ALPN, after the SNI callback.
2353 If set and not matching the list then we dump the connection */
2356 tls_server_alpn_cb(SSL *ssl, const uschar ** out, uschar * outlen,
2357 const uschar * in, unsigned int inlen, void * arg)
2361 server_seen_alpn = TRUE;
2364 debug_printf("Received TLS ALPN offer:");
2365 for (int pos = 0, siz; pos < inlen; pos += siz+1)
2368 if (pos + 1 + siz > inlen) siz = inlen - pos - 1;
2369 debug_printf(" '%.*s'", siz, in + pos + 1);
2371 debug_printf(". Our list: '%s'\n", tls_alpn);
2374 /* Look for an acceptable ALPN */
2376 if ( inlen > 1 /* at least one name */
2377 && in[0]+1 == inlen /* filling the vector, so exactly one name */
2380 const uschar * list = tls_alpn;
2382 for (uschar * name; name = string_nextinlist(&list, &sep, NULL, 0); )
2383 if (Ustrncmp(in+1, name, in[0]) == 0)
2385 *out = in+1; /* we checked for exactly one, so can just point to it */
2387 return SSL_TLSEXT_ERR_OK; /* use ALPN */
2391 /* More than one name from client, or name did not match our list. */
2393 /* This will be fatal to the TLS conn; would be nice to kill TCP also.
2394 Maybe as an option in future; for now leave control to the config (must-tls). */
2396 for (int pos = 0, siz; pos < inlen; pos += siz+1)
2399 if (pos + 1 + siz > inlen) siz = inlen - pos - 1;
2400 g = string_append_listele_n(g, ':', in + pos + 1, siz);
2402 log_write(0, LOG_MAIN, "TLS ALPN (%s) rejected", string_from_gstring(g));
2403 gstring_release_unused(g);
2404 return SSL_TLSEXT_ERR_ALERT_FATAL;
2406 #endif /* EXIM_HAVE_ALPN */
2410 #ifndef DISABLE_OCSP
2412 /*************************************************
2413 * Callback to handle OCSP Stapling *
2414 *************************************************/
2416 /* Called when acting as server during the TLS session setup if the client
2417 requests OCSP information with a Certificate Status Request.
2419 Documentation via openssl s_server.c and the Apache patch from the OpenSSL
2425 tls_server_stapling_cb(SSL *s, void *arg)
2427 const exim_openssl_state_st * state = arg;
2428 ocsp_resplist * olist = state->u_ocsp.server.olist;
2429 uschar * response_der; /*XXX blob */
2430 int response_der_len;
2433 debug_printf("Received TLS status request (OCSP stapling); %s response list\n",
2434 olist ? "have" : "lack");
2436 tls_in.ocsp = OCSP_NOT_RESP;
2438 return SSL_TLSEXT_ERR_NOACK;
2440 #ifdef EXIM_HAVE_OPESSL_GET0_SERIAL
2442 const X509 * cert_sent = SSL_get_certificate(s);
2443 const ASN1_INTEGER * cert_serial = X509_get0_serialNumber(cert_sent);
2444 const BIGNUM * cert_bn = ASN1_INTEGER_to_BN(cert_serial, NULL);
2446 for (; olist; olist = olist->next)
2448 OCSP_BASICRESP * bs = OCSP_response_get1_basic(olist->resp);
2449 const OCSP_SINGLERESP * single = OCSP_resp_get0(bs, 0);
2450 const OCSP_CERTID * cid = OCSP_SINGLERESP_get0_id(single);
2451 ASN1_INTEGER * res_cert_serial;
2452 const BIGNUM * resp_bn;
2453 ASN1_OCTET_STRING * res_cert_iNameHash;
2456 (void) OCSP_id_get0_info(&res_cert_iNameHash, NULL, NULL, &res_cert_serial,
2457 (OCSP_CERTID *) cid);
2458 resp_bn = ASN1_INTEGER_to_BN(res_cert_serial, NULL);
2462 debug_printf("cert serial: %s\n", BN_bn2hex(cert_bn));
2463 debug_printf("resp serial: %s\n", BN_bn2hex(resp_bn));
2466 if (BN_cmp(cert_bn, resp_bn) == 0)
2468 DEBUG(D_tls) debug_printf("matched serial for ocsp\n");
2470 /*XXX TODO: check the rest of the list for duplicate matches.
2471 If any, need to also check the Issuer Name hash.
2472 Without this, we will provide the wrong status in the case of
2477 DEBUG(D_tls) debug_printf("not match serial for ocsp\n");
2481 DEBUG(D_tls) debug_printf("failed to find match for ocsp\n");
2482 return SSL_TLSEXT_ERR_NOACK;
2488 DEBUG(D_tls) debug_printf("OpenSSL version too early to support multi-leaf OCSP\n");
2489 return SSL_TLSEXT_ERR_NOACK;
2493 /*XXX could we do the i2d earlier, rather than during the callback? */
2494 response_der = NULL;
2495 response_der_len = i2d_OCSP_RESPONSE(olist->resp, &response_der);
2496 if (response_der_len <= 0)
2497 return SSL_TLSEXT_ERR_NOACK;
2499 SSL_set_tlsext_status_ocsp_resp(state_server.lib_state.lib_ssl,
2500 response_der, response_der_len);
2501 tls_in.ocsp = OCSP_VFIED;
2502 return SSL_TLSEXT_ERR_OK;
2507 add_chain_to_store(X509_STORE * store, STACK_OF(X509) * sk,
2508 const char * debug_text)
2514 debug_printf("chain for %s:\n", debug_text);
2515 x509_stack_dump_cert_s_names(sk);
2518 if ((idx = sk_X509_num(sk)) > 0)
2520 X509_STORE_add_cert(store, sk_X509_value(sk, idx));
2525 tls_client_stapling_cb(SSL * ssl, void * arg)
2527 exim_openssl_state_st * cbinfo = arg;
2528 const unsigned char * p;
2530 OCSP_RESPONSE * rsp;
2531 OCSP_BASICRESP * bs;
2534 DEBUG(D_tls) debug_printf("Received TLS status callback (OCSP stapling):\n");
2535 len = SSL_get_tlsext_status_ocsp_resp(ssl, &p);
2537 { /* Expect this when we requested ocsp but got none */
2538 if (SSL_session_reused(ssl) && tls_out.ocsp == OCSP_VFIED)
2540 DEBUG(D_tls) debug_printf(" null, but resumed; ocsp vfy stored with session is good\n");
2544 if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
2545 log_write(0, LOG_MAIN, "Required TLS certificate status not received");
2547 DEBUG(D_tls) debug_printf(" null\n");
2549 if (!cbinfo->u_ocsp.client.verify_required)
2551 cbinfo->u_ocsp.client.verify_errstr =
2552 US"(SSL_connect) Required TLS certificate status not received";
2556 if (!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
2558 tls_out.ocsp = OCSP_FAILED; /*XXX should use tlsp-> to permit concurrent outbound */
2559 if (LOGGING(tls_cipher))
2560 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
2562 DEBUG(D_tls) debug_printf(" parse error\n");
2566 if (!(bs = OCSP_response_get1_basic(rsp)))
2568 tls_out.ocsp = OCSP_FAILED;
2569 if (LOGGING(tls_cipher))
2570 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
2572 DEBUG(D_tls) debug_printf(" error parsing response\n");
2573 OCSP_RESPONSE_free(rsp);
2577 /* We'd check the nonce here if we'd put one in the request. */
2578 /* However that would defeat cacheability on the server so we don't. */
2580 /* This section of code reworked from OpenSSL apps source;
2581 The OpenSSL Project retains copyright:
2582 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
2586 X509_STORE * verify_store = NULL;
2587 BOOL have_verified_OCSP_signer = FALSE;
2588 #ifndef EXIM_HAVE_OCSP_RESP_COUNT
2589 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
2592 DEBUG(D_tls) bp = BIO_new(BIO_s_mem());
2594 /* Use the CA & chain that verified the server cert to verify the stapled info */
2595 /*XXX could we do an event here, for observability of ocsp? What reasonable data could we give access to? */
2596 /* Dates would be a start. Do we need another opaque variable type, as for certs, plus an extract expansion? */
2599 /* If this routine is not available, we've avoided [in tls_client_start()]
2600 asking for certificate-status under DANE, so this callback won't run for
2601 that combination. It still will for non-DANE. */
2603 #ifdef EXIM_HAVE_OPENSSL_OCSP_RESP_GET0_SIGNER
2606 if ( tls_out.dane_verified
2607 && (have_verified_OCSP_signer =
2608 OCSP_resp_get0_signer(bs, &signer, SSL_get0_verified_chain(ssl)) == 1))
2611 debug_printf("signer for OCSP basicres is in the verified chain;"
2612 " shortcut its verification\n");
2617 STACK_OF(X509) * verified_chain;
2619 verify_store = X509_STORE_new();
2621 SSL_get0_chain_certs(ssl, &verified_chain);
2622 add_chain_to_store(verify_store, verified_chain,
2623 "'current cert' per SSL_get0_chain_certs()");
2624 #ifdef EXIM_HAVE_SSL_GET0_VERIFIED_CHAIN
2625 verified_chain = SSL_get0_verified_chain(ssl);
2626 add_chain_to_store(verify_store, verified_chain,
2627 "SSL_get0_verified_chain()");
2634 debug_printf("Untrusted intermediate cert stack (from SSL_get_peer_cert_chain()):\n");
2635 x509_stack_dump_cert_s_names(SSL_get_peer_cert_chain(ssl));
2637 debug_printf("will use this CA store for verifying basicresp:\n");
2638 x509_store_dump_cert_s_names(verify_store);
2640 /* OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
2642 debug_printf("certs contained in basicresp:\n");
2643 x509_stack_dump_cert_s_names(
2644 #ifdef EXIM_HAVE_OPESSL_OCSP_RESP_GET0_CERTS
2645 OCSP_resp_get0_certs(bs)
2651 #ifdef EXIM_HAVE_OPENSSL_X509_STORE_GET1_ALL_CERTS
2652 /* could do via X509_STORE_get0_objects(); not worth it just for debug info */
2655 if (OCSP_resp_get0_signer(bs, &signer, X509_STORE_get1_all_certs(verify_store)) == 1)
2657 debug_printf("found signer for basicres:\n");
2658 debug_print_sn(signer);
2662 debug_printf("failed to find signer for basicres:\n");
2663 ERR_print_errors(bp);
2672 /* Under DANE the trust-anchor (at least in TA mode) is indicated by the TLSA
2673 record in DNS, and probably is not the root of the chain of certificates. So
2674 accept a partial chain for that case (and hope that anchor is visible for
2675 verifying the OCSP stapling).
2676 XXX for EE mode it won't even be that. Does that make OCSP useless for EE?
2678 Worse, for LetsEncrypt-mode (ocsp signer is leaf-signer) under DANE, the
2679 data used within OpenSSL for the signer has nil pointers for signing
2680 algorithms - and a crash results. Avoid this by shortcutting verification,
2681 having determined that the OCSP signer is in the (DANE-)validated set.
2684 #ifndef OCSP_PARTIAL_CHAIN /* defined for 3.0.0 onwards */
2685 # define OCSP_PARTIAL_CHAIN 0
2688 if ((i = OCSP_basic_verify(bs, SSL_get_peer_cert_chain(ssl),
2691 tls_out.dane_verified
2692 ? have_verified_OCSP_signer
2693 ? OCSP_NOVERIFY | OCSP_NOEXPLICIT
2694 : OCSP_PARTIAL_CHAIN | OCSP_NOEXPLICIT
2697 OCSP_NOEXPLICIT)) <= 0)
2699 DEBUG(D_tls) debug_printf("OCSP_basic_verify() fail: returned %d\n", i);
2700 if (ERR_peek_error())
2702 tls_out.ocsp = OCSP_FAILED;
2703 if (LOGGING(tls_cipher))
2705 static uschar peerdn[256];
2706 const uschar * errstr;;
2708 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
2709 ERR_peek_error_all(NULL, NULL, NULL, CCSS &errstr, NULL);
2712 errstr = CUS ERR_reason_error_string(ERR_peek_error());
2714 X509_NAME_oneline(X509_get_subject_name(SSL_get_peer_certificate(ssl)),
2715 CS peerdn, sizeof(peerdn));
2716 log_write(0, LOG_MAIN,
2717 "[%s] %s Received TLS cert (DN: '%.*s') status response, "
2718 "itself unverifiable: %s",
2719 deliver_host_address, deliver_host,
2720 (int)sizeof(peerdn), peerdn, errstr);
2724 BIO_printf(bp, "OCSP response verify failure\n");
2725 ERR_print_errors(bp);
2728 int len = (int) BIO_get_mem_data(bp, CSS &s);
2729 if (len > 0) debug_printf("%.*s", len, s);
2732 OCSP_RESPONSE_print(bp, rsp, 0);
2737 DEBUG(D_tls) debug_printf("no explicit trust for OCSP signing"
2738 " in the root CA certificate; ignoring\n");
2741 DEBUG(D_tls) debug_printf("OCSP response well-formed and signed OK\n");
2743 /*XXX So we have a good stapled OCSP status. How do we know
2744 it is for the cert of interest? OpenSSL 1.1.0 has a routine
2745 OCSP_resp_find_status() which matches on a cert id, which presumably
2746 we should use. Making an id needs OCSP_cert_id_new(), which takes
2747 issuerName, issuerKey, serialNumber. Are they all in the cert?
2749 For now, carry on blindly accepting the resp. */
2752 #ifdef EXIM_HAVE_OCSP_RESP_COUNT
2753 OCSP_resp_count(bs) - 1;
2755 sk_OCSP_SINGLERESP_num(sresp) - 1;
2759 OCSP_SINGLERESP * single = OCSP_resp_get0(bs, idx);
2761 ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
2763 /*XXX so I can see putting a loop in here to handle a rsp with >1 singleresp
2764 - but what happens with a GnuTLS-style input?
2766 we could do with a debug label for each singleresp
2767 - it has a certID with a serialNumber, but I see no API to get that
2769 status = OCSP_single_get0_status(single, &reason, &rev,
2770 &thisupd, &nextupd);
2774 time_print(bp, "This OCSP Update", thisupd);
2775 if (nextupd) time_print(bp, "Next OCSP Update", nextupd);
2777 if (!OCSP_check_validity(thisupd, nextupd,
2778 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
2780 tls_out.ocsp = OCSP_FAILED;
2781 DEBUG(D_tls) ERR_print_errors(bp);
2782 cbinfo->u_ocsp.client.verify_errstr =
2783 US"(SSL_connect) Server certificate status is out-of-date";
2784 log_write(0, LOG_MAIN, "OCSP dates invalid");
2788 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
2789 OCSP_cert_status_str(status));
2792 case V_OCSP_CERTSTATUS_GOOD:
2793 continue; /* the idx loop */
2794 case V_OCSP_CERTSTATUS_REVOKED:
2795 cbinfo->u_ocsp.client.verify_errstr =
2796 US"(SSL_connect) Server certificate revoked";
2797 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
2798 reason != -1 ? "; reason: " : "",
2799 reason != -1 ? OCSP_crl_reason_str(reason) : "");
2800 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
2803 cbinfo->u_ocsp.client.verify_errstr =
2804 US"(SSL_connect) Server certificate has unknown status";
2805 log_write(0, LOG_MAIN,
2806 "Server certificate status unknown, in OCSP stapling");
2814 tls_out.ocsp = OCSP_VFIED;
2818 tls_out.ocsp = OCSP_FAILED;
2819 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
2823 int len = (int) BIO_get_mem_data(bp, CSS &s);
2824 if (len > 0) debug_printf("%.*s", len, s);
2829 OCSP_RESPONSE_free(rsp);
2832 #endif /*!DISABLE_OCSP*/
2835 /*************************************************
2836 * Initialize for TLS *
2837 *************************************************/
2838 /* Called from both server and client code, to do preliminary initialization
2839 of the library. We allocate and return a context structure.
2842 host connected host, if client; NULL if server
2843 ob transport options block, if client; NULL if server
2844 ocsp_file file of stapling info (server); flag for require ocsp (client)
2845 addr address if client; NULL if server (for some randomness)
2846 caller_state place to put pointer to allocated state-struct
2847 errstr error string pointer
2849 Returns: OK/DEFER/FAIL
2853 tls_init(host_item * host, smtp_transport_options_block * ob,
2854 #ifndef DISABLE_OCSP
2857 address_item *addr, exim_openssl_state_st ** caller_state,
2858 tls_support * tlsp, uschar ** errstr)
2861 exim_openssl_state_st * state;
2864 if (host) /* client */
2866 state = store_malloc(sizeof(exim_openssl_state_st));
2867 memset(state, 0, sizeof(*state));
2868 state->certificate = ob->tls_certificate;
2869 state->privatekey = ob->tls_privatekey;
2870 state->is_server = FALSE;
2871 state->dhparam = NULL;
2872 state->lib_state = ob->tls_preload;
2876 state = &state_server;
2877 state->certificate = tls_certificate;
2878 state->privatekey = tls_privatekey;
2879 state->is_server = TRUE;
2880 state->dhparam = tls_dhparam;
2881 state->lib_state = state_server.lib_state;
2887 if (!state->lib_state.pri_string)
2888 state->server_cipher_list = NULL;
2890 #ifndef DISABLE_EVENT
2891 state->event_action = NULL;
2896 /* It turns out that we need to seed the random number generator this early in
2897 order to get the full complement of ciphers to work. It took me roughly a day
2898 of work to discover this by experiment.
2900 On systems that have /dev/urandom, SSL may automatically seed itself from
2901 there. Otherwise, we have to make something up as best we can. Double check
2904 Although we likely called this before, at daemon startup, this is a chance
2905 to mix in further variable info (time, pid) if needed. */
2907 if (!lib_rand_init(addr))
2908 return tls_error(US"RAND_status", host,
2909 US"unable to seed random number generator", errstr);
2911 /* Apply administrator-supplied work-arounds.
2912 Historically we applied just one requested option,
2913 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
2914 moved to an administrator-controlled list of options to specify and
2915 grandfathered in the first one as the default value for "openssl_options".
2917 No OpenSSL version number checks: the options we accept depend upon the
2918 availability of the option value macros from OpenSSL. */
2921 if (!tls_openssl_options_parse(openssl_options, &init_options))
2922 return tls_error(US"openssl_options parsing failed", host, NULL, errstr);
2924 /* Create a context.
2925 The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
2926 negotiation in the different methods; as far as I can tell, the only
2927 *_{server,client}_method which allows negotiation is SSLv23, which exists even
2928 when OpenSSL is built without SSLv2 support.
2929 By disabling with openssl_options, we can let admins re-enable with the
2932 if (!(ctx = state->lib_state.lib_ctx))
2934 if ((rc = lib_ctx_new(&ctx, host, errstr)) != OK)
2936 state->lib_state.lib_ctx = ctx;
2939 #ifndef DISABLE_TLS_RESUME
2940 tlsp->resumption = RESUME_SUPPORTED;
2944 #ifndef DISABLE_TLS_RESUME
2945 /* Should the server offer session resumption? */
2946 if (!host && verify_check_host(&tls_resumption_hosts) == OK)
2948 DEBUG(D_tls) debug_printf("tls_resumption_hosts overrides openssl_options\n");
2949 init_options &= ~SSL_OP_NO_TICKET;
2950 tlsp->resumption |= RESUME_SERVER_TICKET; /* server will give ticket on request */
2951 tlsp->host_resumable = TRUE;
2955 #ifdef OPENSSL_MIN_PROTO_VERSION
2956 SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);
2958 DEBUG(D_tls) debug_printf("setting SSL CTX options: %016lx\n", init_options);
2959 SSL_CTX_set_options(ctx, init_options);
2961 uint64_t readback = SSL_CTX_clear_options(ctx, ~init_options);
2962 if (readback != init_options)
2963 return tls_error(string_sprintf(
2964 "SSL_CTX_set_option(%#lx)", init_options), host, NULL, errstr);
2968 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
2970 /* We'd like to disable session cache unconditionally, but foolish Outlook
2971 Express clients then give up the first TLS connection and make a second one
2972 (which works). Only when there is an IMAP service on the same machine.
2973 Presumably OE is trying to use the cache for A on B. Leave it enabled for
2974 now, until we work out a decent way of presenting control to the config. It
2975 will never be used because we use a new context every time. */
2977 (void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
2980 /* Initialize with DH parameters if supplied */
2981 /* Initialize ECDH temp key parameter selection */
2985 if (state->lib_state.dh)
2986 { DEBUG(D_tls) debug_printf("TLS: DH params were preloaded\n"); }
2988 if (!init_dh(ctx, state->dhparam, errstr)) return DEFER;
2990 if (state->lib_state.ecdh)
2991 { DEBUG(D_tls) debug_printf("TLS: ECDH curve was preloaded\n"); }
2993 if (!init_ecdh(ctx, errstr)) return DEFER;
2996 /* Set up certificate and key (and perhaps OCSP info) */
2998 if (state->lib_state.conn_certs)
3001 debug_printf("TLS: %s certs were preloaded\n", host ? "client":"server");
3005 #ifndef DISABLE_OCSP
3006 if (!host) /* server */
3008 state->u_ocsp.server.file = ocsp_file;
3009 state->u_ocsp.server.file_expanded = NULL;
3010 state->u_ocsp.server.olist = NULL;
3013 if ((rc = tls_expand_session_files(ctx, state, errstr)) != OK) return rc;
3016 /* If we need to handle SNI or OCSP, do so */
3018 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
3019 # ifndef DISABLE_OCSP
3020 if (!host && !(state->u_ocsp.server.verify_stack = sk_X509_new_null()))
3022 DEBUG(D_tls) debug_printf("failed to create stack for stapling verify\n");
3027 if (!host) /* server */
3029 # ifndef DISABLE_OCSP
3030 /* We check u_ocsp.server.file, not server.olist, because we care about if
3031 the option exists, not what the current expansion might be, as SNI might
3032 change the certificate and OCSP file in use between now and the time the
3033 callback is invoked. */
3034 if (state->u_ocsp.server.file)
3036 SSL_CTX_set_tlsext_status_cb(ctx, tls_server_stapling_cb);
3037 SSL_CTX_set_tlsext_status_arg(ctx, state);
3040 /* We always do this, so that $tls_sni is available even if not used in
3042 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
3043 SSL_CTX_set_tlsext_servername_arg(ctx, state);
3045 # ifdef EXIM_HAVE_ALPN
3046 if (tls_alpn && *tls_alpn)
3049 if ( expand_check(tls_alpn, US"tls_alpn", &exp_alpn, errstr)
3050 && *exp_alpn && !isblank(*exp_alpn))
3052 tls_alpn = exp_alpn; /* subprocess so ok to overwrite */
3053 SSL_CTX_set_alpn_select_cb(ctx, tls_server_alpn_cb, state);
3060 # ifndef DISABLE_OCSP
3062 if(ocsp_file) /* wanting stapling */
3064 if (!(state->u_ocsp.client.verify_store = X509_STORE_new()))
3066 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
3070 SSL_CTX_set_tlsext_status_cb(ctx, tls_client_stapling_cb);
3071 SSL_CTX_set_tlsext_status_arg(ctx, state);
3074 #endif /*EXIM_HAVE_OPENSSL_TLSEXT*/
3076 state->verify_cert_hostnames = NULL;
3078 #ifdef EXIM_HAVE_EPHEM_RSA_KEX
3079 /* Set up the RSA callback */
3080 SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
3083 /* Finally, set the session cache timeout, and we are done.
3084 The period appears to be also used for (server-generated) session tickets */
3086 SSL_CTX_set_timeout(ctx, ssl_session_timeout);
3087 DEBUG(D_tls) debug_printf("Initialized TLS\n");
3089 *caller_state = state;
3097 /*************************************************
3098 * Get name of cipher in use *
3099 *************************************************/
3102 Argument: pointer to an SSL structure for the connection
3103 pointer to number of bits for cipher
3104 Returns: pointer to allocated string in perm-pool
3108 construct_cipher_name(SSL * ssl, const uschar * ver, int * bits)
3110 int pool = store_pool;
3111 /* With OpenSSL 1.0.0a, 'c' needs to be const but the documentation doesn't
3112 yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
3113 the accessor functions use const in the prototype. */
3115 const SSL_CIPHER * c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
3118 SSL_CIPHER_get_bits(c, bits);
3120 store_pool = POOL_PERM;
3121 s = string_sprintf("%s:%s:%u", ver, SSL_CIPHER_get_name(c), *bits);
3123 DEBUG(D_tls) debug_printf("Cipher: %s\n", s);
3128 /* Get IETF-standard name for ciphersuite.
3129 Argument: pointer to an SSL structure for the connection
3130 Returns: pointer to string
3133 static const uschar *
3134 cipher_stdname_ssl(SSL * ssl)
3136 #ifdef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
3137 return CUS SSL_CIPHER_standard_name(SSL_get_current_cipher(ssl));
3139 ushort id = 0xffff & SSL_CIPHER_get_id(SSL_get_current_cipher(ssl));
3140 return cipher_stdname(id >> 8, id & 0xff);
3145 static const uschar *
3146 tlsver_name(SSL * ssl)
3149 int pool = store_pool;
3151 store_pool = POOL_PERM;
3152 s = string_copy(US SSL_get_version(ssl));
3154 if ((p = Ustrchr(s, 'v'))) /* TLSv1.2 -> TLS1.2 */
3155 for (;; p++) if (!(*p = p[1])) break;
3161 peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned siz)
3163 /*XXX we might consider a list-of-certs variable for the cert chain.
3164 SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
3165 in list-handling functions, also consider the difference between the entire
3166 chain and the elements sent by the peer. */
3168 tlsp->peerdn = NULL;
3170 /* Will have already noted peercert on a verify fail; possibly not the leaf */
3171 if (!tlsp->peercert)
3172 tlsp->peercert = SSL_get_peer_certificate(ssl);
3173 /* Beware anonymous ciphers which lead to server_cert being NULL */
3175 if (!X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, siz))
3176 { DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n"); }
3179 int oldpool = store_pool;
3181 peerdn[siz-1] = '\0'; /* paranoia */
3182 store_pool = POOL_PERM;
3183 tlsp->peerdn = string_copy(peerdn);
3184 store_pool = oldpool;
3186 /* We used to set CV in the cert-verify callbacks (either plain or dane)
3187 but they don't get called on session-resumption. So use the official
3188 interface, which uses the resumed value. Unfortunately this claims verified
3189 when it actually failed but we're in try-verify mode, due to us wanting the
3190 knowlege that it failed so needing to have the callback and forcing a
3191 permissive return. If we don't force it, the TLS startup is failed.
3192 The extra bit of information is set in verify_override in the cb, stashed
3193 for resumption next to the TLS session, and used here. */
3195 if (!tlsp->verify_override)
3196 tlsp->certificate_verified =
3198 tlsp->dane_verified ||
3200 SSL_get_verify_result(ssl) == X509_V_OK;
3208 /*************************************************
3209 * Set up for verifying certificates *
3210 *************************************************/
3212 #ifndef DISABLE_OCSP
3213 /* In the server, load certs from file, return TRUE on success */
3216 chain_from_pem_file(const uschar * file, STACK_OF(X509) ** vp)
3219 STACK_OF(X509) * verify_stack = *vp;
3222 while (sk_X509_num(verify_stack) > 0)
3223 X509_free(sk_X509_pop(verify_stack));
3225 verify_stack = sk_X509_new_null();
3227 if (!(bp = BIO_new_file(CS file, "r"))) return FALSE;
3228 for (X509 * x; x = PEM_read_bio_X509(bp, NULL, 0, NULL); )
3229 sk_X509_push(verify_stack, x);
3238 /* Called by both client and server startup; on the server possibly
3239 repeated after a Server Name Indication.
3242 sctx SSL_CTX* to initialise
3243 certsp certs file, returned expanded
3244 crl CRL file or NULL
3245 host NULL in a server; the remote host in a client
3246 errstr error string pointer
3248 Returns: OK/DEFER/FAIL
3252 setup_certs(SSL_CTX * sctx, uschar ** certsp, uschar * crl, host_item * host,
3255 uschar * expcerts, * expcrl;
3257 if (!expand_check(*certsp, US"tls_verify_certificates", &expcerts, errstr))
3259 DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
3262 if (expcerts && *expcerts)
3264 /* Tell the library to use its compiled-in location for the system default
3265 CA bundle. Then add the ones specified in the config, if any. */
3267 if (!SSL_CTX_set_default_verify_paths(sctx))
3268 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL, errstr);
3270 if (Ustrcmp(expcerts, "system") != 0 && Ustrncmp(expcerts, "system,", 7) != 0)
3272 struct stat statbuf;
3274 if (Ustat(expcerts, &statbuf) < 0)
3276 log_write(0, LOG_MAIN|LOG_PANIC,
3277 "failed to stat %s for certificates", expcerts);
3283 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
3284 { file = NULL; dir = expcerts; }
3287 STACK_OF(X509) * verify_stack =
3288 #ifndef DISABLE_OCSP
3289 !host ? state_server.u_ocsp.server.verify_stack :
3292 STACK_OF(X509) ** vp = &verify_stack;
3294 file = expcerts; dir = NULL;
3295 #ifndef DISABLE_OCSP
3296 /* In the server if we will be offering an OCSP proof; load chain from
3297 file for verifying the OCSP proof at load time. */
3299 /*XXX Glitch! The file here is tls_verify_certs: the chain for verifying the client cert.
3300 This is inconsistent with the need to verify the OCSP proof of the server cert.
3302 /* *debug_printf("file for checking server ocsp stapling is: %s\n", file); */
3304 && statbuf.st_size > 0
3305 && state_server.u_ocsp.server.file
3306 && !chain_from_pem_file(file, vp)
3309 log_write(0, LOG_MAIN|LOG_PANIC,
3310 "failed to load cert chain from %s", file);
3316 /* If a certificate file is empty, the load function fails with an
3317 unhelpful error message. If we skip it, we get the correct behaviour (no
3318 certificates are recognized, but the error message is still misleading (it
3319 says no certificate was supplied). But this is better. */
3321 if ( (!file || statbuf.st_size > 0)
3322 && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
3323 return tls_error(US"SSL_CTX_load_verify_locations",
3324 host, NULL, errstr);
3326 /* On the server load the list of CAs for which we will accept certs, for
3327 sending to the client. This is only for the one-file
3328 tls_verify_certificates variant.
3329 If a list isn't loaded into the server, but some verify locations are set,
3330 the server end appears to make a wildcard request for client certs.
3331 Meanwhile, the client library as default behaviour *ignores* the list
3332 we send over the wire - see man SSL_CTX_set_client_cert_cb.
3333 Because of this, and that the dir variant is likely only used for
3334 the public-CA bundle (not for a private CA), not worth fixing. */
3338 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
3339 int i = sk_X509_NAME_num(names);
3341 if (!host) SSL_CTX_set_client_CA_list(sctx, names);
3342 DEBUG(D_tls) debug_printf("Added %d additional certificate authorit%s\n",
3343 i, i>1 ? "ies":"y");
3347 debug_printf("Added dir for additional certificate authorities\n");
3351 /* Handle a certificate revocation list. */
3353 #if OPENSSL_VERSION_NUMBER > 0x00907000L
3355 /* This bit of code is now the version supplied by Lars Mainka. (I have
3356 merely reformatted it into the Exim code style.)
3358 "From here I changed the code to add support for multiple crl's
3359 in pem format in one file or to support hashed directory entries in
3360 pem format instead of a file. This method now uses the library function
3361 X509_STORE_load_locations to add the CRL location to the SSL context.
3362 OpenSSL will then handle the verify against CA certs and CRLs by
3363 itself in the verify callback." */
3365 if (!expand_check(crl, US"tls_crl", &expcrl, errstr)) return DEFER;
3366 if (expcrl && *expcrl)
3368 struct stat statbufcrl;
3369 if (Ustat(expcrl, &statbufcrl) < 0)
3371 log_write(0, LOG_MAIN|LOG_PANIC,
3372 "failed to stat %s for certificates revocation lists", expcrl);
3377 /* is it a file or directory? */
3379 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
3380 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
3384 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
3390 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
3392 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
3393 return tls_error(US"X509_STORE_load_locations", host, NULL, errstr);
3395 /* setting the flags to check against the complete crl chain */
3397 X509_STORE_set_flags(cvstore,
3398 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
3402 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
3411 tls_dump_keylog(SSL * ssl)
3413 #ifdef EXIM_HAVE_OPENSSL_KEYLOG
3414 BIO * bp = BIO_new(BIO_s_mem());
3417 SSL_SESSION_print_keylog(bp, SSL_get_session(ssl));
3418 len = (int) BIO_get_mem_data(bp, CSS &s);
3419 if (len > 0) debug_printf("%.*s", len, s);
3425 /* Channel-binding info for authenticators
3426 See description in https://paquier.xyz/postgresql-2/channel-binding-openssl/
3431 tls_get_channel_binding(SSL * ssl, tls_support * tlsp, const void * taintval)
3436 #ifdef EXIM_HAVE_EXPORT_CHNL_BNGNG
3437 if (SSL_version(ssl) > TLS1_2_VERSION)
3439 /* It's not documented by OpenSSL how big the output buffer must be.
3440 The OpenSSL testcases use 80 bytes but don't say why. The GnuTLS impl only
3441 serves out 32B. RFC 9266 says it is 32B.
3442 Interop fails unless we use the same each end. */
3445 tlsp->channelbind_exporter = TRUE;
3446 taintval = GET_UNTAINTED;
3447 if (SSL_export_keying_material(ssl,
3448 s = store_get((int)len, taintval), len,
3449 "EXPORTER-Channel-Binding", (size_t) 24,
3456 len = SSL_get_peer_finished(ssl, &c, 0);
3457 len = SSL_get_peer_finished(ssl, s = store_get((int)len, taintval), len);
3462 int old_pool = store_pool;
3463 store_pool = POOL_PERM;
3464 tlsp->channelbinding = b64encode_taint(CUS s, (int)len, taintval);
3465 store_pool = old_pool;
3466 DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage %p %p\n", tlsp->channelbinding, tlsp);
3471 /*************************************************
3472 * Start a TLS session in a server *
3473 *************************************************/
3474 /* This is called when Exim is running as a server, after having received
3475 the STARTTLS command. It must respond to that command, and then negotiate
3479 errstr pointer to error message
3481 Returns: OK on success
3482 DEFER for errors before the start of the negotiation
3483 FAIL for errors during the negotiation; the server can't
3488 tls_server_start(uschar ** errstr)
3491 uschar * expciphers;
3492 exim_openssl_state_st * dummy_statep;
3495 static uschar peerdn[256];
3497 /* Check for previous activation */
3499 if (tls_in.active.sock >= 0)
3501 tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
3502 smtp_printf("554 Already in TLS\r\n", FALSE);
3506 /* Initialize the SSL library. If it fails, it will already have logged
3509 rc = tls_init(NULL, NULL,
3510 #ifndef DISABLE_OCSP
3513 NULL, &dummy_statep, &tls_in, errstr);
3514 if (rc != OK) return rc;
3515 ctx = state_server.lib_state.lib_ctx;
3517 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
3518 were historically separated by underscores. So that I can use either form in my
3519 tests, and also for general convenience, we turn underscores into hyphens here.
3521 XXX SSL_CTX_set_cipher_list() is replaced by SSL_CTX_set_ciphersuites()
3522 for TLS 1.3 . Since we do not call it at present we get the default list:
3523 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
3526 if (state_server.lib_state.pri_string)
3527 { DEBUG(D_tls) debug_printf("TLS: cipher list was preloaded\n"); }
3530 if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers, errstr))
3535 normalise_ciphers(&expciphers, tls_require_ciphers);
3536 if ((rc = server_load_ciphers(ctx, &state_server, expciphers, errstr)) != OK)
3541 /* If this is a host for which certificate verification is mandatory or
3542 optional, set up appropriately. */
3544 tls_in.certificate_verified = FALSE;
3546 tls_in.dane_verified = FALSE;
3548 server_verify_callback_called = FALSE;
3550 if (verify_check_host(&tls_verify_hosts) == OK)
3551 server_verify_optional = FALSE;
3552 else if (verify_check_host(&tls_try_verify_hosts) == OK)
3553 server_verify_optional = TRUE;
3558 uschar * v_certs = tls_verify_certificates;
3560 if (state_server.lib_state.cabundle)
3562 DEBUG(D_tls) debug_printf("TLS: CA bundle for server was preloaded\n");
3563 setup_cert_verify(ctx, server_verify_optional, verify_callback_server);
3567 if ((rc = setup_certs(ctx, &v_certs, tls_crl, NULL, errstr)) != OK)
3569 if (v_certs && *v_certs)
3570 setup_cert_verify(ctx, server_verify_optional, verify_callback_server);
3575 #ifndef DISABLE_TLS_RESUME
3576 # if OPENSSL_VERSION_NUMBER < 0x30000000L
3577 SSL_CTX_set_tlsext_ticket_key_cb(ctx, ticket_key_callback);
3578 /* despite working, appears to always return failure, so ignoring */
3580 SSL_CTX_set_tlsext_ticket_key_evp_cb(ctx, ticket_key_callback);
3581 /* despite working, appears to always return failure, so ignoring */
3585 #ifdef OPENSSL_HAVE_NUM_TICKETS
3586 # ifndef DISABLE_TLS_RESUME
3587 SSL_CTX_set_num_tickets(ctx, tls_in.host_resumable ? 1 : 0);
3589 SSL_CTX_set_num_tickets(ctx, 0); /* send no TLS1.3 stateful-tickets */
3594 /* Prepare for new connection */
3596 if (!(ssl = SSL_new(ctx)))
3597 return tls_error(US"SSL_new", NULL, NULL, errstr);
3598 state_server.lib_state.lib_ssl = ssl;
3600 /* Warning: we used to SSL_clear(ssl) here, it was removed.
3602 * With the SSL_clear(), we get strange interoperability bugs with
3603 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
3604 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
3606 * The SSL_clear() call is to let an existing SSL* be reused, typically after
3607 * session shutdown. In this case, we have a brand new object and there's no
3608 * obvious reason to immediately clear it. I'm guessing that this was
3609 * originally added because of incomplete initialisation which the clear fixed,
3610 * in some historic release.
3613 /* Set context and tell client to go ahead, except in the case of TLS startup
3614 on connection, where outputting anything now upsets the clients and tends to
3615 make them disconnect. We need to have an explicit fflush() here, to force out
3616 the response. Other smtp_printf() calls do not need it, because in non-TLS
3617 mode, the fflush() happens when smtp_getc() is called. */
3619 SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
3620 if (!tls_in.on_connect)
3622 smtp_printf("220 TLS go ahead\r\n", FALSE);
3626 /* Now negotiate the TLS session. We put our own timer on it, since it seems
3627 that the OpenSSL library doesn't. */
3629 SSL_set_wfd(ssl, fileno(smtp_out));
3630 SSL_set_rfd(ssl, fileno(smtp_in));
3631 SSL_set_accept_state(ssl);
3633 DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
3636 sigalrm_seen = FALSE;
3637 if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
3638 rc = SSL_accept(ssl);
3643 int error = SSL_get_error(ssl, rc);
3646 case SSL_ERROR_NONE:
3649 case SSL_ERROR_ZERO_RETURN:
3650 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
3651 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
3652 #ifndef DISABLE_EVENT
3653 (void) event_raise(event_action, US"tls:fail:connect", *errstr, NULL);
3655 if (SSL_get_shutdown(ssl) == SSL_RECEIVED_SHUTDOWN)
3658 tls_close(NULL, TLS_NO_SHUTDOWN);
3661 /* Handle genuine errors */
3665 int r = ERR_GET_REASON(ERR_peek_error());
3666 if ( r == SSL_R_WRONG_VERSION_NUMBER
3667 #ifdef SSL_R_VERSION_TOO_LOW
3668 || r == SSL_R_VERSION_TOO_LOW
3670 || r == SSL_R_UNKNOWN_PROTOCOL || r == SSL_R_UNSUPPORTED_PROTOCOL)
3671 s = string_sprintf("(%s)", SSL_get_version(ssl));
3672 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : s, errstr);
3673 #ifndef DISABLE_EVENT
3674 (void) event_raise(event_action, US"tls:fail:connect", *errstr, NULL);
3680 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
3681 if (error == SSL_ERROR_SYSCALL)
3685 *errstr = US"SSL_accept: TCP connection closed by peer";
3686 #ifndef DISABLE_EVENT
3687 (void) event_raise(event_action, US"tls:fail:connect", *errstr, NULL);
3691 DEBUG(D_tls) debug_printf(" - syscall %s\n", strerror(errno));
3693 (void) tls_error(US"SSL_accept", NULL,
3694 sigalrm_seen ? US"timed out"
3695 : ERR_peek_error() ? NULL : string_sprintf("ret %d", error),
3697 #ifndef DISABLE_EVENT
3698 (void) event_raise(event_action, US"tls:fail:connect", *errstr, NULL);
3704 DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
3705 ERR_clear_error(); /* Even success can leave errors in the stack. Seen with
3706 anon-authentication ciphersuite negotiated. */
3708 #ifndef DISABLE_TLS_RESUME
3709 if (SSL_session_reused(ssl))
3711 tls_in.resumption |= RESUME_USED;
3712 DEBUG(D_tls) debug_printf("Session reused\n");
3716 #ifdef EXIM_HAVE_ALPN
3717 /* If require-alpn, check server_seen_alpn here. Else abort TLS */
3718 if (!tls_alpn || !*tls_alpn)
3719 { DEBUG(D_tls) debug_printf("TLS: was not watching for ALPN\n"); }
3720 else if (!server_seen_alpn)
3721 if (verify_check_host(&hosts_require_alpn) == OK)
3723 /* We'd like to send a definitive Alert but OpenSSL provides no facility */
3725 tls_error(US"handshake", NULL, US"ALPN required but not negotiated", errstr);
3729 { DEBUG(D_tls) debug_printf("TLS: no ALPN presented in handshake\n"); }
3732 const uschar * name;
3734 SSL_get0_alpn_selected(ssl, &name, &len);
3736 debug_printf("ALPN negotiated: '%.*s'\n", (int)*name, name+1);
3738 debug_printf("ALPN: no protocol negotiated\n");
3743 /* TLS has been set up. Record data for the connection,
3744 adjust the input functions to read via TLS, and initialize things. */
3746 #ifdef SSL_get_extms_support
3747 /*XXX what does this return for tls1.3 ? */
3748 tls_in.ext_master_secret = SSL_get_extms_support(ssl) == 1;
3750 peer_cert(ssl, &tls_in, peerdn, sizeof(peerdn));
3752 tls_in.ver = tlsver_name(ssl);
3753 tls_in.cipher = construct_cipher_name(ssl, tls_in.ver, &tls_in.bits);
3754 tls_in.cipher_stdname = cipher_stdname_ssl(ssl);
3759 if (SSL_get_shared_ciphers(ssl, CS buf, sizeof(buf)))
3760 debug_printf("Shared ciphers: %s\n", buf);
3762 tls_dump_keylog(ssl);
3764 #ifdef EXIM_HAVE_SESSION_TICKET
3766 SSL_SESSION * ss = SSL_get_session(ssl);
3767 if (SSL_SESSION_has_ticket(ss)) /* 1.1.0 */
3768 debug_printf("The session has a ticket, life %lu seconds\n",
3769 SSL_SESSION_get_ticket_lifetime_hint(ss));
3774 /* Record the certificate we presented */
3776 X509 * crt = SSL_get_certificate(ssl);
3777 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
3780 tls_get_channel_binding(ssl, &tls_in, GET_UNTAINTED);
3782 /* Only used by the server-side tls (tls_in), including tls_getc.
3783 Client-side (tls_out) reads (seem to?) go via
3784 smtp_read_response()/ip_recv().
3785 Hence no need to duplicate for _in and _out.
3787 if (!ssl_xfer_buffer) ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
3788 ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
3789 ssl_xfer_eof = ssl_xfer_error = FALSE;
3791 receive_getc = tls_getc;
3792 receive_getbuf = tls_getbuf;
3793 receive_get_cache = tls_get_cache;
3794 receive_hasc = tls_hasc;
3795 receive_ungetc = tls_ungetc;
3796 receive_feof = tls_feof;
3797 receive_ferror = tls_ferror;
3799 tls_in.active.sock = fileno(smtp_out);
3800 tls_in.active.tls_ctx = NULL; /* not using explicit ctx for server-side */
3808 tls_client_basic_ctx_init(SSL_CTX * ctx,
3809 host_item * host, smtp_transport_options_block * ob, exim_openssl_state_st * state,
3814 /* Back-compatible old behaviour if tls_verify_certificates is set but both
3815 tls_verify_hosts and tls_try_verify_hosts are not set. Check only the specified
3816 host patterns if one of them is set with content. */
3818 if ( ( ( !ob->tls_verify_hosts || !ob->tls_verify_hosts
3819 || Ustrcmp(ob->tls_try_verify_hosts, ":") == 0
3821 && ( !ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts
3822 || Ustrcmp(ob->tls_try_verify_hosts, ":") == 0
3825 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
3827 client_verify_optional = FALSE;
3828 else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
3829 client_verify_optional = TRUE;
3834 uschar * v_certs = ob->tls_verify_certificates;
3836 if (state->lib_state.cabundle)
3838 DEBUG(D_tls) debug_printf("TLS: CA bundle for tpt was preloaded\n");
3839 setup_cert_verify(ctx, client_verify_optional, verify_callback_client);
3843 if ((rc = setup_certs(ctx, &v_certs, ob->tls_crl, host, errstr)) != OK)
3845 if (v_certs && *v_certs)
3846 setup_cert_verify(ctx, client_verify_optional, verify_callback_client);
3850 if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
3852 state->verify_cert_hostnames =
3854 string_domain_utf8_to_alabel(host->certname, NULL);
3858 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
3859 state->verify_cert_hostnames);
3867 dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa, uschar ** errstr)
3870 const char * hostnames[2] = { CS host->name, NULL };
3873 if (DANESSL_init(ssl, NULL, hostnames) != 1)
3874 return tls_error(US"hostnames load", host, NULL, errstr);
3876 for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
3877 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
3878 ) if (rr->type == T_TLSA && rr->size > 3)
3880 const uschar * p = rr->data;
3881 uint8_t usage, selector, mtype;
3882 const char * mdname;
3886 /* Only DANE-TA(2) and DANE-EE(3) are supported */
3887 if (usage != 2 && usage != 3) continue;
3894 default: continue; /* Only match-types 0, 1, 2 are supported */
3895 case 0: mdname = NULL; break;
3896 case 1: mdname = "sha256"; break;
3897 case 2: mdname = "sha512"; break;
3901 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
3904 return tls_error(US"tlsa load", host, NULL, errstr);
3905 case 0: /* action not taken */
3909 tls_out.tlsa_usage |= 1<<usage;
3915 log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
3918 #endif /*SUPPORT_DANE*/
3922 #ifndef DISABLE_TLS_RESUME
3923 /* On the client, get any stashed session for the given IP from hints db
3924 and apply it to the ssl-connection for attempted resumption. */
3927 tls_retrieve_session(tls_support * tlsp, SSL * ssl)
3929 if (tlsp->host_resumable)
3931 dbdata_tls_session * dt;
3933 open_db dbblock, * dbm_file;
3935 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
3937 debug_printf("checking for resumable session for %s\n", tlsp->resume_index);
3938 if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
3940 if ((dt = dbfn_read_with_length(dbm_file, tlsp->resume_index, &len)))
3942 SSL_SESSION * ss = NULL;
3943 const uschar * sess_asn1 = dt->session;
3945 len -= sizeof(dbdata_tls_session);
3946 if (!(d2i_SSL_SESSION(&ss, &sess_asn1, (long)len)))
3950 ERR_error_string_n(ERR_get_error(),
3951 ssl_errstring, sizeof(ssl_errstring));
3952 debug_printf("decoding session: %s\n", ssl_errstring);
3957 unsigned long lifetime =
3958 #ifdef EXIM_HAVE_SESSION_TICKET
3959 SSL_SESSION_get_ticket_lifetime_hint(ss);
3960 #else /* Use, fairly arbitrilarily, what we as server would */
3961 f.running_in_test_harness ? TESTSUITE_TICKET_LIFE : ssl_session_timeout;
3963 time_t now = time(NULL), expires = lifetime + dt->time_stamp;
3966 DEBUG(D_tls) debug_printf("session expired (by " TIME_T_FMT "s from %lus)\n", now - expires, lifetime);
3967 dbfn_delete(dbm_file, tlsp->resume_index);
3969 else if (SSL_set_session(ssl, ss))
3971 DEBUG(D_tls) debug_printf("good session (" TIME_T_FMT "s left of %lus)\n", expires - now, lifetime);
3972 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
3973 tlsp->verify_override = dt->verify_override;
3974 tlsp->ocsp = dt->ocsp;
3978 ERR_error_string_n(ERR_get_error(),
3979 ssl_errstring, sizeof(ssl_errstring));
3980 debug_printf("applying session to ssl: %s\n", ssl_errstring);
3985 DEBUG(D_tls) debug_printf("no session record\n");
3986 dbfn_close(dbm_file);
3992 /* On the client, save the session for later resumption */
3995 tls_save_session_cb(SSL * ssl, SSL_SESSION * ss)
3997 exim_openssl_state_st * cbinfo = SSL_get_ex_data(ssl, tls_exdata_idx);
4000 DEBUG(D_tls) debug_printf("tls_save_session_cb\n");
4002 if (!cbinfo || !(tlsp = cbinfo->tlsp)->host_resumable) return 0;
4004 # ifdef OPENSSL_HAVE_NUM_TICKETS
4005 if (SSL_SESSION_is_resumable(ss)) /* 1.1.1 */
4008 int len = i2d_SSL_SESSION(ss, NULL);
4009 int dlen = sizeof(dbdata_tls_session) + len;
4010 dbdata_tls_session * dt = store_get(dlen, GET_TAINTED);
4011 uschar * s = dt->session;
4012 open_db dbblock, * dbm_file;
4014 DEBUG(D_tls) debug_printf("session is resumable\n");
4015 tlsp->resumption |= RESUME_SERVER_TICKET; /* server gave us a ticket */
4017 dt->verify_override = tlsp->verify_override;
4018 dt->ocsp = tlsp->ocsp;
4019 (void) i2d_SSL_SESSION(ss, &s); /* s gets bumped to end */
4021 if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
4023 dbfn_write(dbm_file, tlsp->resume_index, dt, dlen);
4024 dbfn_close(dbm_file);
4025 DEBUG(D_tls) debug_printf("wrote session (len %u) to db\n",
4033 /* Construct a key for session DB lookup, and setup the SSL_CTX for resumption */
4036 tls_client_ctx_resume_prehandshake(
4037 exim_openssl_client_tls_ctx * exim_client_ctx, smtp_connect_args * conn_args,
4038 tls_support * tlsp, smtp_transport_options_block * ob)
4040 tlsp->host_resumable = TRUE;
4041 tls_client_resmption_key(tlsp, conn_args, ob);
4043 SSL_CTX_set_session_cache_mode(exim_client_ctx->ctx,
4044 SSL_SESS_CACHE_CLIENT
4045 | SSL_SESS_CACHE_NO_INTERNAL | SSL_SESS_CACHE_NO_AUTO_CLEAR);
4046 SSL_CTX_sess_set_new_cb(exim_client_ctx->ctx, tls_save_session_cb);
4050 tls_client_ssl_resume_prehandshake(SSL * ssl, tls_support * tlsp,
4051 host_item * host, uschar ** errstr)
4053 if (tlsp->host_resumable)
4056 debug_printf("tls_resumption_hosts overrides openssl_options, enabling tickets\n");
4057 SSL_clear_options(ssl, SSL_OP_NO_TICKET);
4059 tls_exdata_idx = SSL_get_ex_new_index(0, 0, 0, 0, 0);
4060 if (!SSL_set_ex_data(ssl, tls_exdata_idx, client_static_state))
4062 tls_error(US"set ex_data", host, NULL, errstr);
4065 /* debug_printf("tls_exdata_idx %d cbinfo %p\n", tls_exdata_idx, client_static_state); */
4068 tlsp->resumption = RESUME_SUPPORTED;
4069 /* Pick up a previous session, saved on an old ticket */
4070 tls_retrieve_session(tlsp, ssl);
4075 tls_client_resume_posthandshake(exim_openssl_client_tls_ctx * exim_client_ctx,
4078 if (SSL_session_reused(exim_client_ctx->ssl))
4080 DEBUG(D_tls) debug_printf("The session was reused\n");
4081 tlsp->resumption |= RESUME_USED;
4084 #endif /* !DISABLE_TLS_RESUME */
4087 #ifdef EXIM_HAVE_ALPN
4088 /* Expand and convert an Exim list to an ALPN list. False return for fail.
4089 NULL plist return for silent no-ALPN.
4091 Overwite the passed-in list with the expanded version.
4095 tls_alpn_plist(uschar ** tls_alpn, const uschar ** plist, unsigned * plen,
4100 if (!expand_check(*tls_alpn, US"tls_alpn", &exp_alpn, errstr))
4102 *tls_alpn = exp_alpn;
4106 DEBUG(D_tls) debug_printf("Setting TLS ALPN forced to fail, not sending\n");
4111 /* The server implementation only accepts exactly one protocol name
4112 but it's little extra code complexity in the client. */
4114 const uschar * list = exp_alpn;
4115 uschar * p = store_get(Ustrlen(exp_alpn), exp_alpn), * s, * t;
4119 for (t = p; s = string_nextinlist(&list, &sep, NULL, 0); t += len)
4121 *t++ = len = (uschar) Ustrlen(s);
4124 *plist = (*plen = t - p) ? p : NULL;
4128 #endif /* EXIM_HAVE_ALPN */
4131 /*************************************************
4132 * Start a TLS session in a client *
4133 *************************************************/
4135 /* Called from the smtp transport after STARTTLS has been accepted.
4138 cctx connection context
4139 conn_args connection details
4140 cookie datum for randomness; can be NULL
4141 tlsp record details of TLS channel configuration here; must be non-NULL
4142 errstr error string pointer
4144 Returns: TRUE for success with TLS session context set in connection context,
4149 tls_client_start(client_conn_ctx * cctx, smtp_connect_args * conn_args,
4150 void * cookie, tls_support * tlsp, uschar ** errstr)
4152 host_item * host = conn_args->host; /* for msgs and option-tests */
4153 transport_instance * tb = conn_args->tblock; /* always smtp or NULL */
4154 smtp_transport_options_block * ob = tb
4155 ? (smtp_transport_options_block *)tb->options_block
4156 : &smtp_transport_option_defaults;
4157 exim_openssl_client_tls_ctx * exim_client_ctx;
4158 uschar * expciphers;
4160 static uschar peerdn[256];
4162 #ifndef DISABLE_OCSP
4163 BOOL request_ocsp = FALSE;
4164 BOOL require_ocsp = FALSE;
4168 store_pool = POOL_PERM;
4169 exim_client_ctx = store_get(sizeof(exim_openssl_client_tls_ctx), GET_UNTAINTED);
4170 exim_client_ctx->corked = NULL;
4174 tlsp->tlsa_usage = 0;
4177 #ifndef DISABLE_OCSP
4179 # ifdef SUPPORT_DANE
4180 if ( conn_args->dane
4181 && ob->hosts_request_ocsp[0] == '*'
4182 && ob->hosts_request_ocsp[1] == '\0'
4185 /* Unchanged from default. Use a safer one under DANE */
4186 request_ocsp = TRUE;
4187 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
4188 " {= {4}{$tls_out_tlsa_usage}} } "
4194 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK))
4195 request_ocsp = TRUE;
4197 # ifdef SUPPORT_DANE
4201 verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
4203 # if defined(SUPPORT_DANE) && !defined(EXIM_HAVE_OPENSSL_OCSP_RESP_GET0_SIGNER)
4204 if (conn_args->dane && (require_ocsp || request_ocsp))
4206 DEBUG(D_tls) debug_printf("OpenSSL version to early to combine OCSP"
4207 " and DANE; disabling OCSP\n");
4208 require_ocsp = request_ocsp = FALSE;
4214 rc = tls_init(host, ob,
4215 #ifndef DISABLE_OCSP
4216 (void *)(long)request_ocsp,
4218 cookie, &client_static_state, tlsp, errstr);
4219 if (rc != OK) return FALSE;
4221 exim_client_ctx->ctx = client_static_state->lib_state.lib_ctx;
4223 tlsp->certificate_verified = FALSE;
4224 client_verify_callback_called = FALSE;
4228 if (conn_args->dane)
4230 /* We fall back to tls_require_ciphers if unset, empty or forced failure, but
4231 other failures should be treated as problems. */
4232 if (ob->dane_require_tls_ciphers &&
4233 !expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
4234 &expciphers, errstr))
4236 if (expciphers && *expciphers == '\0')
4239 normalise_ciphers(&expciphers, ob->dane_require_tls_ciphers);
4244 if (!expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
4245 &expciphers, errstr))
4248 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
4249 are separated by underscores. So that I can use either form in my tests, and
4250 also for general convenience, we turn underscores into hyphens here. */
4252 normalise_ciphers(&expciphers, ob->tls_require_ciphers);
4257 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
4258 if (!SSL_CTX_set_cipher_list(exim_client_ctx->ctx, CS expciphers))
4260 tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr);
4266 if (conn_args->dane)
4268 SSL_CTX_set_verify(exim_client_ctx->ctx,
4269 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
4270 verify_callback_client_dane);
4272 if (!DANESSL_library_init())
4274 tls_error(US"library init", host, NULL, errstr);
4277 if (DANESSL_CTX_init(exim_client_ctx->ctx) <= 0)
4279 tls_error(US"context init", host, NULL, errstr);
4282 DEBUG(D_tls) debug_printf("since dane-mode conn, not loading the usual CA bundle\n");
4288 if (tls_client_basic_ctx_init(exim_client_ctx->ctx, host, ob,
4289 client_static_state, errstr) != OK)
4294 if (!expand_check(ob->tls_sni, US"tls_sni", &tlsp->sni, errstr))
4297 { DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n"); }
4298 else if (!Ustrlen(tlsp->sni))
4302 #ifndef EXIM_HAVE_OPENSSL_TLSEXT
4303 log_write(0, LOG_MAIN, "SNI unusable with this OpenSSL library version; ignoring \"%s\"\n",
4311 #ifdef EXIM_HAVE_ALPN
4313 const uschar * plist;
4316 if (!tls_alpn_plist(&ob->tls_alpn, &plist, &plen, errstr))
4319 if (SSL_CTX_set_alpn_protos(exim_client_ctx->ctx, plist, plen) != 0)
4321 tls_error(US"alpn init", host, NULL, errstr);
4325 DEBUG(D_tls) debug_printf("Setting TLS ALPN '%s'\n", ob->tls_alpn);
4328 log_write(0, LOG_MAIN, "ALPN unusable with this OpenSSL library version; ignoring \"%s\"\n",
4332 #ifndef DISABLE_TLS_RESUME
4333 /*XXX have_lbserver: another cmdline arg possibly, for continued-conn, but use
4334 will be very low. */
4336 if (!conn_args->have_lbserver) /* wanted for tls_client_resmption_key() */
4337 { DEBUG(D_tls) debug_printf("resumption not supported on continued-connection\n"); }
4338 else if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, host) == OK)
4339 tls_client_ctx_resume_prehandshake(exim_client_ctx, conn_args, tlsp, ob);
4343 if (!(exim_client_ctx->ssl = SSL_new(exim_client_ctx->ctx)))
4345 tls_error(US"SSL_new", host, NULL, errstr);
4348 SSL_set_session_id_context(exim_client_ctx->ssl, sid_ctx, Ustrlen(sid_ctx));
4349 SSL_set_fd(exim_client_ctx->ssl, cctx->sock);
4350 SSL_set_connect_state(exim_client_ctx->ssl);
4352 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
4355 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tlsp->sni);
4356 SSL_set_tlsext_host_name(exim_client_ctx->ssl, tlsp->sni);
4361 if (conn_args->dane)
4362 if (dane_tlsa_load(exim_client_ctx->ssl, host, &conn_args->tlsa_dnsa, errstr) != OK)
4366 #ifndef DISABLE_OCSP
4367 /* Request certificate status at connection-time. If the server
4368 does OCSP stapling we will get the callback (set in tls_init()) */
4369 # ifdef SUPPORT_DANE
4373 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
4374 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
4376 { /* Re-eval now $tls_out_tlsa_usage is populated. If
4377 this means we avoid the OCSP request, we wasted the setup
4378 cost in tls_init(). */
4379 require_ocsp = verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
4380 request_ocsp = require_ocsp
4381 || verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
4388 SSL_set_tlsext_status_type(exim_client_ctx->ssl, TLSEXT_STATUSTYPE_ocsp);
4389 client_static_state->u_ocsp.client.verify_required = require_ocsp;
4390 tlsp->ocsp = OCSP_NOT_RESP;
4394 #ifndef DISABLE_TLS_RESUME
4395 if (!tls_client_ssl_resume_prehandshake(exim_client_ctx->ssl, tlsp, host,
4400 #ifndef DISABLE_EVENT
4401 client_static_state->event_action = tb ? tb->event_action : NULL;
4404 /* There doesn't seem to be a built-in timeout on connection. */
4406 DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
4407 sigalrm_seen = FALSE;
4408 ALARM(ob->command_timeout);
4409 rc = SSL_connect(exim_client_ctx->ssl);
4413 if (conn_args->dane)
4414 DANESSL_cleanup(exim_client_ctx->ssl);
4419 #ifndef DISABLE_OCSP
4420 if (client_static_state->u_ocsp.client.verify_errstr)
4421 { if (errstr) *errstr = client_static_state->u_ocsp.client.verify_errstr; }
4424 tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL, errstr);
4430 debug_printf("SSL_connect succeeded\n");
4431 tls_dump_keylog(exim_client_ctx->ssl);
4434 #ifndef DISABLE_TLS_RESUME
4435 tls_client_resume_posthandshake(exim_client_ctx, tlsp);
4438 #ifdef EXIM_HAVE_ALPN
4439 if (ob->tls_alpn) /* We requested. See what was negotiated. */
4441 const uschar * name;
4444 SSL_get0_alpn_selected(exim_client_ctx->ssl, &name, &len);
4446 { DEBUG(D_tls) debug_printf("ALPN negotiated %u: '%.*s'\n", len, (int)*name, name+1); }
4447 else if (verify_check_given_host(CUSS &ob->hosts_require_alpn, host) == OK)
4449 /* Would like to send a relevant fatal Alert, but OpenSSL has no API */
4450 tls_error(US"handshake", host, US"ALPN required but not negotiated", errstr);
4456 #ifdef SSL_get_extms_support
4457 tlsp->ext_master_secret = SSL_get_extms_support(exim_client_ctx->ssl) == 1;
4459 peer_cert(exim_client_ctx->ssl, tlsp, peerdn, sizeof(peerdn));
4461 tlsp->ver = tlsver_name(exim_client_ctx->ssl);
4462 tlsp->cipher = construct_cipher_name(exim_client_ctx->ssl, tlsp->ver, &tlsp->bits);
4463 tlsp->cipher_stdname = cipher_stdname_ssl(exim_client_ctx->ssl);
4465 /* Record the certificate we presented */
4467 X509 * crt = SSL_get_certificate(exim_client_ctx->ssl);
4468 tlsp->ourcert = crt ? X509_dup(crt) : NULL;
4471 /*XXX will this work with continued-TLS? */
4472 tls_get_channel_binding(exim_client_ctx->ssl, tlsp, GET_TAINTED);
4474 tlsp->active.sock = cctx->sock;
4475 tlsp->active.tls_ctx = exim_client_ctx;
4476 cctx->tls_ctx = exim_client_ctx;
4485 tls_refill(unsigned lim)
4487 SSL * ssl = state_server.lib_state.lib_ssl;
4491 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
4492 ssl_xfer_buffer, ssl_xfer_buffer_size);
4495 if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
4496 inbytes = SSL_read(ssl, CS ssl_xfer_buffer,
4497 MIN(ssl_xfer_buffer_size, lim));
4498 error = SSL_get_error(ssl, inbytes);
4499 if (smtp_receive_timeout > 0) ALARM_CLR(0);
4501 if (had_command_timeout) /* set by signal handler */
4502 smtp_command_timeout_exit(); /* does not return */
4503 if (had_command_sigterm)
4504 smtp_command_sigterm_exit();
4505 if (had_data_timeout)
4506 smtp_data_timeout_exit();
4507 if (had_data_sigint)
4508 smtp_data_sigint_exit();
4510 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
4511 closed down, not that the socket itself has been closed down. Revert to
4512 non-SSL handling. */
4516 case SSL_ERROR_NONE:
4519 case SSL_ERROR_ZERO_RETURN:
4520 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
4522 if (SSL_get_shutdown(ssl) == SSL_RECEIVED_SHUTDOWN)
4525 tls_close(NULL, TLS_NO_SHUTDOWN);
4528 /* Handle genuine errors */
4530 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
4531 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
4532 ssl_xfer_error = TRUE;
4536 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
4537 DEBUG(D_tls) if (error == SSL_ERROR_SYSCALL)
4538 debug_printf(" - syscall %s\n", strerror(errno));
4539 ssl_xfer_error = TRUE;
4543 #ifndef DISABLE_DKIM
4544 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
4546 ssl_xfer_buffer_hwm = inbytes;
4547 ssl_xfer_buffer_lwm = 0;
4552 /*************************************************
4553 * TLS version of getc *
4554 *************************************************/
4556 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
4557 it refills the buffer via the SSL reading function.
4559 Arguments: lim Maximum amount to read/buffer
4560 Returns: the next character or EOF
4562 Only used by the server-side TLS.
4566 tls_getc(unsigned lim)
4568 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
4569 if (!tls_refill(lim))
4570 return ssl_xfer_error ? EOF : smtp_getc(lim);
4572 /* Something in the buffer; return next uschar */
4574 return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
4580 return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm;
4584 tls_getbuf(unsigned * len)
4589 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
4590 if (!tls_refill(*len))
4592 if (!ssl_xfer_error) return smtp_getbuf(len);
4597 if ((size = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm) > *len)
4599 buf = &ssl_xfer_buffer[ssl_xfer_buffer_lwm];
4600 ssl_xfer_buffer_lwm += size;
4607 tls_get_cache(unsigned lim)
4609 #ifndef DISABLE_DKIM
4610 int n = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm;
4614 dkim_exim_verify_feed(ssl_xfer_buffer+ssl_xfer_buffer_lwm, n);
4620 tls_could_getc(void)
4622 return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm
4623 || SSL_pending(state_server.lib_state.lib_ssl) > 0;
4627 /*************************************************
4628 * Read bytes from TLS channel *
4629 *************************************************/
4633 ct_ctx client context pointer, or NULL for the one global server context
4637 Returns: the number of bytes read
4638 -1 after a failed read, including EOF
4640 Only used by the client-side TLS.
4644 tls_read(void * ct_ctx, uschar *buff, size_t len)
4646 SSL * ssl = ct_ctx ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl
4647 : state_server.lib_state.lib_ssl;
4651 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
4652 buff, (unsigned int)len);
4655 inbytes = SSL_read(ssl, CS buff, len);
4656 error = SSL_get_error(ssl, inbytes);
4658 if (error == SSL_ERROR_ZERO_RETURN)
4660 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
4663 else if (error != SSL_ERROR_NONE)
4673 /*************************************************
4674 * Write bytes down TLS channel *
4675 *************************************************/
4679 ct_ctx client context pointer, or NULL for the one global server context
4682 more further data expected soon
4684 Returns: the number of bytes after a successful write,
4685 -1 after a failed write
4687 Used by both server-side and client-side TLS. Calling with len zero and more unset
4688 will flush buffered writes; buff can be null for this case.
4692 tls_write(void * ct_ctx, const uschar * buff, size_t len, BOOL more)
4695 int outbytes, error;
4697 ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl
4698 : state_server.lib_state.lib_ssl;
4699 static gstring * server_corked = NULL;
4700 gstring ** corkedp = ct_ctx
4701 ? &((exim_openssl_client_tls_ctx *)ct_ctx)->corked : &server_corked;
4702 gstring * corked = *corkedp;
4704 DEBUG(D_tls) debug_printf("%s(%p, %lu%s)\n", __FUNCTION__,
4705 buff, (unsigned long)len, more ? ", more" : "");
4707 /* Lacking a CORK or MSG_MORE facility (such as GnuTLS has) we copy data when
4708 "more" is notified. This hack is only ok if small amounts are involved AND only
4709 one stream does it, in one context (i.e. no store reset). Currently it is used
4710 for the responses to the received SMTP MAIL , RCPT, DATA sequence, only.
4711 We support callouts done by the server process by using a separate client
4712 context for the stashed information. */
4713 /* + if PIPE_COMMAND, banner & ehlo-resp for smmtp-on-connect. Suspect there's
4714 a store reset there, so use POOL_PERM. */
4715 /* + if CHUNKING, cmds EHLO,MAIL,RCPT(s),BDAT */
4719 if (!len) buff = US &error; /* dummy just so that string_catn is ok */
4721 int save_pool = store_pool;
4722 store_pool = POOL_PERM;
4724 corked = string_catn(corked, buff, len);
4726 store_pool = save_pool;
4733 buff = CUS corked->s;
4738 for (int left = len; left > 0;)
4740 DEBUG(D_tls) debug_printf("SSL_write(%p, %p, %d)\n", ssl, buff, left);
4742 outbytes = SSL_write(ssl, CS buff, left);
4743 error = SSL_get_error(ssl, outbytes);
4744 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
4747 case SSL_ERROR_NONE: /* the usual case */
4753 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
4754 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
4757 case SSL_ERROR_ZERO_RETURN:
4758 log_write(0, LOG_MAIN, "SSL channel closed on write");
4761 case SSL_ERROR_SYSCALL:
4762 if (ct_ctx || errno != ECONNRESET || !f.smtp_in_quit)
4763 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
4764 sender_fullhost ? sender_fullhost : US"<unknown>",
4766 else if (LOGGING(protocol_detail))
4767 log_write(0, LOG_MAIN, "[%s] after QUIT, client reset TCP before"
4768 " SMTP response and TLS close\n", sender_host_address);
4770 DEBUG(D_tls) debug_printf("[%s] SSL_write: after QUIT,"
4771 " client reset TCP before TLS close\n", sender_host_address);
4775 log_write(0, LOG_MAIN, "SSL_write error %d", error);
4786 ct_ctx client TLS context pointer, or NULL for the one global server context
4790 tls_shutdown_wr(void * ct_ctx)
4792 exim_openssl_client_tls_ctx * o_ctx = ct_ctx;
4793 SSL ** sslp = o_ctx ? &o_ctx->ssl : (SSL **) &state_server.lib_state.lib_ssl;
4794 int * fdp = o_ctx ? &tls_out.active.sock : &tls_in.active.sock;
4797 if (*fdp < 0) return; /* TLS was not active */
4799 tls_write(ct_ctx, NULL, 0, FALSE); /* flush write buffer */
4801 HDEBUG(D_transport|D_tls|D_acl|D_v) debug_printf_indent(" SMTP(TLS shutdown)>>\n");
4802 rc = SSL_shutdown(*sslp);
4803 if (rc < 0) DEBUG(D_tls)
4805 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
4806 debug_printf("SSL_shutdown: %s\n", ssl_errstring);
4810 /*************************************************
4811 * Close down a TLS session *
4812 *************************************************/
4814 /* This is also called from within a delivery subprocess forked from the
4815 daemon, to shut down the TLS library, without actually doing a shutdown (which
4816 would tamper with the SSL session in the parent process).
4819 ct_ctx client TLS context pointer, or NULL for the one global server context
4820 do_shutdown 0 no data-flush or TLS close-alert
4821 1 if TLS close-alert is to be sent,
4822 2 if also response to be waited for
4826 Used by both server-side and client-side TLS.
4830 tls_close(void * ct_ctx, int do_shutdown)
4832 exim_openssl_client_tls_ctx * o_ctx = ct_ctx;
4833 SSL ** sslp = o_ctx ? &o_ctx->ssl : (SSL **) &state_server.lib_state.lib_ssl;
4834 int * fdp = o_ctx ? &tls_out.active.sock : &tls_in.active.sock;
4836 if (*fdp < 0) return; /* TLS was not active */
4838 if (do_shutdown > TLS_NO_SHUTDOWN)
4841 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
4842 do_shutdown > TLS_SHUTDOWN_NOWAIT ? " (with response-wait)" : "");
4844 tls_write(ct_ctx, NULL, 0, FALSE); /* flush write buffer */
4846 if ( ( do_shutdown >= TLS_SHUTDOWN_WONLY
4847 || (rc = SSL_shutdown(*sslp)) == 0 /* send "close notify" alert */
4849 && do_shutdown > TLS_SHUTDOWN_NOWAIT
4852 #ifdef EXIM_TCP_CORK
4853 (void) setsockopt(*fdp, IPPROTO_TCP, EXIM_TCP_CORK, US &off, sizeof(off));
4856 rc = SSL_shutdown(*sslp); /* wait for response */
4860 if (rc < 0) DEBUG(D_tls)
4862 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
4863 debug_printf("SSL_shutdown: %s\n", ssl_errstring);
4867 if (!o_ctx) /* server side */
4869 #ifndef DISABLE_OCSP
4870 sk_X509_pop_free(state_server.u_ocsp.server.verify_stack, X509_free);
4871 state_server.u_ocsp.server.verify_stack = NULL;
4874 receive_getc = smtp_getc;
4875 receive_getbuf = smtp_getbuf;
4876 receive_get_cache = smtp_get_cache;
4877 receive_hasc = smtp_hasc;
4878 receive_ungetc = smtp_ungetc;
4879 receive_feof = smtp_feof;
4880 receive_ferror = smtp_ferror;
4881 tls_in.active.tls_ctx = NULL;
4883 /* Leave bits, peercert, cipher, peerdn, certificate_verified set, for logging */
4894 /*************************************************
4895 * Let tls_require_ciphers be checked at startup *
4896 *************************************************/
4898 /* The tls_require_ciphers option, if set, must be something which the
4901 Returns: NULL on success, or error message
4905 tls_validate_require_cipher(void)
4908 uschar * expciphers, * err;
4912 if (!(tls_require_ciphers && *tls_require_ciphers))
4915 if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
4917 return US"failed to expand tls_require_ciphers";
4919 if (!(expciphers && *expciphers))
4922 normalise_ciphers(&expciphers, tls_require_ciphers);
4925 if (lib_ctx_new(&ctx, NULL, &err) == OK)
4928 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
4930 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
4932 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
4933 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed: %s",
4934 expciphers, ssl_errstring);
4945 /*************************************************
4946 * Report the library versions. *
4947 *************************************************/
4949 /* There have historically been some issues with binary compatibility in
4950 OpenSSL libraries; if Exim (like many other applications) is built against
4951 one version of OpenSSL but the run-time linker picks up another version,
4952 it can result in serious failures, including crashing with a SIGSEGV. So
4953 report the version found by the compiler and the run-time version.
4955 Note: some OS vendors backport security fixes without changing the version
4956 number/string, and the version date remains unchanged. The _build_ date
4957 will change, so we can more usefully assist with version diagnosis by also
4958 reporting the build date.
4960 Arguments: string to append to
4965 tls_version_report(gstring * g)
4967 return string_fmt_append(g,
4968 "Library version: OpenSSL: Compile: %s\n"
4971 OPENSSL_VERSION_TEXT,
4972 SSLeay_version(SSLEAY_VERSION),
4973 SSLeay_version(SSLEAY_BUILT_ON));
4974 /* third line is 38 characters for the %s and the line is 73 chars long;
4975 the OpenSSL output includes a "built on: " prefix already. */
4981 /*************************************************
4982 * Random number generation *
4983 *************************************************/
4985 /* Pseudo-random number generation. The result is not expected to be
4986 cryptographically strong but not so weak that someone will shoot themselves
4987 in the foot using it as a nonce in input in some email header scheme or
4988 whatever weirdness they'll twist this into. The result should handle fork()
4989 and avoid repeating sequences. OpenSSL handles that for us.
4993 Returns a random number in range [0, max-1]
4997 vaguely_random_number(int max)
5001 static pid_t pidlast = 0;
5003 uschar smallbuf[sizeof(r)];
5009 if (pidnow != pidlast)
5011 /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
5012 is unique for each thread", this doesn't apparently apply across processes,
5013 so our own warning from vaguely_random_number_fallback() applies here too.
5014 Fix per PostgreSQL. */
5020 /* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
5024 gettimeofday(&r.tv, NULL);
5027 RAND_seed(US (&r), sizeof(r));
5029 /* We're after pseudo-random, not random; if we still don't have enough data
5030 in the internal PRNG then our options are limited. We could sleep and hope
5031 for entropy to come along (prayer technique) but if the system is so depleted
5032 in the first place then something is likely to just keep taking it. Instead,
5033 we'll just take whatever little bit of pseudo-random we can still manage to
5036 needed_len = sizeof(r);
5037 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
5038 asked for a number less than 10. */
5039 for (r = max, i = 0; r; ++i)
5045 #ifdef EXIM_HAVE_RAND_PSEUDO
5046 /* We do not care if crypto-strong */
5047 i = RAND_pseudo_bytes(smallbuf, needed_len);
5049 i = RAND_bytes(smallbuf, needed_len);
5055 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
5056 return vaguely_random_number_fallback(max);
5060 for (uschar * p = smallbuf; needed_len; --needed_len, ++p)
5063 /* We don't particularly care about weighted results; if someone wants
5064 smooth distribution and cares enough then they should submit a patch then. */
5071 /*************************************************
5072 * OpenSSL option parse *
5073 *************************************************/
5075 /* Parse one option for tls_openssl_options_parse below
5078 name one option name
5079 value place to store a value for it
5080 Returns success or failure in parsing
5086 tls_openssl_one_option_parse(uschar *name, long *value)
5089 int last = exim_openssl_options_size;
5090 while (last > first)
5092 int middle = (first + last)/2;
5093 int c = Ustrcmp(name, exim_openssl_options[middle].name);
5096 *value = exim_openssl_options[middle].value;
5110 /*************************************************
5111 * OpenSSL option parsing logic *
5112 *************************************************/
5114 /* OpenSSL has a number of compatibility options which an administrator might
5115 reasonably wish to set. Interpret a list similarly to decode_bits(), so that
5116 we look like log_selector.
5119 option_spec the administrator-supplied string of options
5120 results ptr to long storage for the options bitmap
5121 Returns success or failure
5125 tls_openssl_options_parse(uschar *option_spec, long *results)
5128 uschar * exp, * end;
5129 BOOL adding, item_parsed;
5131 /* Server: send no (<= TLS1.2) session tickets */
5132 result = SSL_OP_NO_TICKET;
5134 /* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
5135 from default because it increases BEAST susceptibility. */
5136 #ifdef SSL_OP_NO_SSLv2
5137 result |= SSL_OP_NO_SSLv2;
5139 #ifdef SSL_OP_NO_SSLv3
5140 result |= SSL_OP_NO_SSLv3;
5142 #ifdef SSL_OP_SINGLE_DH_USE
5143 result |= SSL_OP_SINGLE_DH_USE;
5145 #ifdef SSL_OP_NO_RENEGOTIATION
5146 result |= SSL_OP_NO_RENEGOTIATION;
5155 if (!expand_check(option_spec, US"openssl_options", &exp, &end))
5158 for (uschar * s = exp; *s; /**/)
5160 while (isspace(*s)) ++s;
5163 if (*s != '+' && *s != '-')
5165 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
5166 "+ or - expected but found \"%s\"\n", s);
5169 adding = *s++ == '+';
5170 for (end = s; *end && !isspace(*end); ) end++;
5171 item_parsed = tls_openssl_one_option_parse(string_copyn(s, end-s), &item);
5174 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
5177 DEBUG(D_tls) debug_printf("openssl option, %s %08lx: %08lx (%s)\n",
5178 adding ? "adding to " : "removing from", result, item, s);
5190 #endif /*!MACRO_PREDEF*/
5193 /* End of tls-openssl.c */
git://git.exim.org / exim.git / blob