1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2017 */
6 /* See the file NOTICE for conditions of use and distribution. */
8 /* Portions Copyright (c) The OpenSSL Project 1999 */
10 /* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11 library. It is #included into the tls.c file when that library is used. The
12 code herein is based on a patch that was originally contributed by Steve
13 Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
15 No cryptographic code is included in Exim. All this module does is to call
16 functions from the OpenSSL library. */
21 #include <openssl/lhash.h>
22 #include <openssl/ssl.h>
23 #include <openssl/err.h>
24 #include <openssl/rand.h>
25 #ifndef OPENSSL_NO_ECDH
26 # include <openssl/ec.h>
29 # include <openssl/ocsp.h>
31 #ifdef EXPERIMENTAL_DANE
37 # define EXIM_OCSP_SKEW_SECONDS (300L)
38 # define EXIM_OCSP_MAX_AGE (-1L)
41 #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
42 # define EXIM_HAVE_OPENSSL_TLSEXT
44 #if OPENSSL_VERSION_NUMBER >= 0x00908000L
45 # define EXIM_HAVE_RSA_GENKEY_EX
47 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
48 # define EXIM_HAVE_OCSP_RESP_COUNT
50 # define EXIM_HAVE_EPHEM_RSA_KEX
51 # define EXIM_HAVE_RAND_PSEUDO
53 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
54 # define EXIM_HAVE_SHA256
58 * X509_check_host provides sane certificate hostname checking, but was added
59 * to OpenSSL late, after other projects forked off the code-base. So in
60 * addition to guarding against the base version number, beware that LibreSSL
61 * does not (at this time) support this function.
63 * If LibreSSL gains a different API, perhaps via libtls, then we'll probably
64 * opt to disentangle and ask a LibreSSL user to provide glue for a third
65 * crypto provider for libtls instead of continuing to tie the OpenSSL glue
66 * into even twistier knots. If LibreSSL gains the same API, we can just
67 * change this guard and punt the issue for a while longer.
69 #ifndef LIBRESSL_VERSION_NUMBER
70 # if OPENSSL_VERSION_NUMBER >= 0x010100000L
71 # define EXIM_HAVE_OPENSSL_CHECKHOST
72 # define EXIM_HAVE_OPENSSL_DH_BITS
74 # if OPENSSL_VERSION_NUMBER >= 0x010000000L \
75 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
76 # define EXIM_HAVE_OPENSSL_CHECKHOST
80 #if !defined(LIBRESSL_VERSION_NUMBER) \
81 || LIBRESSL_VERSION_NUMBER >= 0x20010000L
82 # if !defined(OPENSSL_NO_ECDH)
83 # if OPENSSL_VERSION_NUMBER >= 0x0090800fL
84 # define EXIM_HAVE_ECDH
86 # if OPENSSL_VERSION_NUMBER >= 0x10002000L
87 # define EXIM_HAVE_OPENSSL_EC_NIST2NID
92 #if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
93 # warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
97 /* Structure for collecting random data for seeding. */
99 typedef struct randstuff {
104 /* Local static variables */
106 static BOOL client_verify_callback_called = FALSE;
107 static BOOL server_verify_callback_called = FALSE;
108 static const uschar *sid_ctx = US"exim";
110 /* We have three different contexts to care about.
112 Simple case: client, `client_ctx`
113 As a client, we can be doing a callout or cut-through delivery while receiving
114 a message. So we have a client context, which should have options initialised
115 from the SMTP Transport.
118 There are two cases: with and without ServerNameIndication from the client.
119 Given TLS SNI, we can be using different keys, certs and various other
120 configuration settings, because they're re-expanded with $tls_sni set. This
121 allows vhosting with TLS. This SNI is sent in the handshake.
122 A client might not send SNI, so we need a fallback, and an initial setup too.
123 So as a server, we start out using `server_ctx`.
124 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
125 `server_sni` from `server_ctx` and then initialise settings by re-expanding
129 static SSL_CTX *client_ctx = NULL;
130 static SSL_CTX *server_ctx = NULL;
131 static SSL *client_ssl = NULL;
132 static SSL *server_ssl = NULL;
134 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
135 static SSL_CTX *server_sni = NULL;
138 static char ssl_errstring[256];
140 static int ssl_session_timeout = 200;
141 static BOOL client_verify_optional = FALSE;
142 static BOOL server_verify_optional = FALSE;
144 static BOOL reexpand_tls_files_for_sni = FALSE;
147 typedef struct tls_ext_ctx_cb {
152 STACK_OF(X509) *verify_stack; /* chain for verifying the proof */
156 uschar *file_expanded;
157 OCSP_RESPONSE *response;
160 X509_STORE *verify_store; /* non-null if status requested */
161 BOOL verify_required;
166 /* these are cached from first expand */
167 uschar *server_cipher_list;
168 /* only passed down to tls_error: */
170 const uschar * verify_cert_hostnames;
171 #ifndef DISABLE_EVENT
172 uschar * event_action;
176 /* should figure out a cleanup of API to handle state preserved per
177 implementation, for various reasons, which can be void * in the APIs.
178 For now, we hack around it. */
179 tls_ext_ctx_cb *client_static_cbinfo = NULL;
180 tls_ext_ctx_cb *server_static_cbinfo = NULL;
183 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
184 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr );
187 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
188 static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
191 static int tls_server_stapling_cb(SSL *s, void *arg);
195 /*************************************************
197 *************************************************/
199 /* Called from lots of places when errors occur before actually starting to do
200 the TLS handshake, that is, while the session is still in clear. Always returns
201 DEFER for a server and FAIL for a client so that most calls can use "return
202 tls_error(...)" to do this processing and then give an appropriate return. A
203 single function is used for both server and client, because it is called from
204 some shared functions.
207 prefix text to include in the logged error
208 host NULL if setting up a server;
209 the connected host if setting up a client
210 msg error message or NULL if we should ask OpenSSL
211 errstr pointer to output error message
213 Returns: OK/DEFER/FAIL
217 tls_error(uschar * prefix, const host_item * host, uschar * msg, uschar ** errstr)
221 ERR_error_string(ERR_get_error(), ssl_errstring);
222 msg = US ssl_errstring;
225 if (errstr) *errstr = string_sprintf("(%s): %s", prefix, msg);
226 return host ? FAIL : DEFER;
231 #ifdef EXIM_HAVE_EPHEM_RSA_KEX
232 /*************************************************
233 * Callback to generate RSA key *
234 *************************************************/
242 Returns: pointer to generated key
246 rsa_callback(SSL *s, int export, int keylength)
249 #ifdef EXIM_HAVE_RSA_GENKEY_EX
250 BIGNUM *bn = BN_new();
253 export = export; /* Shut picky compilers up */
254 DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
256 #ifdef EXIM_HAVE_RSA_GENKEY_EX
257 if ( !BN_set_word(bn, (unsigned long)RSA_F4)
258 || !(rsa_key = RSA_new())
259 || !RSA_generate_key_ex(rsa_key, keylength, bn, NULL)
262 if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL)))
266 ERR_error_string(ERR_get_error(), ssl_errstring);
267 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
280 x509_store_dump_cert_s_names(X509_STORE * store)
282 STACK_OF(X509_OBJECT) * roots= store->objs;
284 static uschar name[256];
286 for(i= 0; i<sk_X509_OBJECT_num(roots); i++)
288 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
289 if(tmp_obj->type == X509_LU_X509)
291 X509 * current_cert= tmp_obj->data.x509;
292 X509_NAME_oneline(X509_get_subject_name(current_cert), CS name, sizeof(name));
293 name[sizeof(name)-1] = '\0';
294 debug_printf(" %s\n", name);
302 #ifndef DISABLE_EVENT
304 verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
305 BOOL *calledp, const BOOL *optionalp, const uschar * what)
311 ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
314 DEBUG(D_tls) debug_printf("verify_event: %s %d\n", what, depth);
315 old_cert = tlsp->peercert;
316 tlsp->peercert = X509_dup(cert);
317 /* NB we do not bother setting peerdn */
318 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
320 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
321 "depth=%d cert=%s: %s",
322 tlsp == &tls_out ? deliver_host_address : sender_host_address,
323 what, depth, dn, yield);
327 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
328 return 1; /* reject (leaving peercert set) */
330 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
331 "(host in tls_try_verify_hosts)\n");
333 X509_free(tlsp->peercert);
334 tlsp->peercert = old_cert;
340 /*************************************************
341 * Callback for verification *
342 *************************************************/
344 /* The SSL library does certificate verification if set up to do so. This
345 callback has the current yes/no state is in "state". If verification succeeded,
346 we set the certificate-verified flag. If verification failed, what happens
347 depends on whether the client is required to present a verifiable certificate
350 If verification is optional, we change the state to yes, but still log the
351 verification error. For some reason (it really would help to have proper
352 documentation of OpenSSL), this callback function then gets called again, this
353 time with state = 1. We must take care not to set the private verified flag on
354 the second time through.
356 Note: this function is not called if the client fails to present a certificate
357 when asked. We get here only if a certificate has been received. Handling of
358 optional verification for this case is done when requesting SSL to verify, by
359 setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
361 May be called multiple times for different issues with a certificate, even
362 for a given "depth" in the certificate chain.
365 preverify_ok current yes/no state as 1/0
366 x509ctx certificate information.
367 tlsp per-direction (client vs. server) support data
368 calledp has-been-called flag
369 optionalp verification-is-optional flag
371 Returns: 0 if verification should fail, otherwise 1
375 verify_callback(int preverify_ok, X509_STORE_CTX *x509ctx,
376 tls_support *tlsp, BOOL *calledp, BOOL *optionalp)
378 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
379 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
382 X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn));
383 dn[sizeof(dn)-1] = '\0';
385 if (preverify_ok == 0)
387 uschar * extra = verify_mode ? string_sprintf(" (during %c-verify for [%s])",
388 *verify_mode, sender_host_address)
390 log_write(0, LOG_MAIN, "[%s] SSL verify error%s: depth=%d error=%s cert=%s",
391 tlsp == &tls_out ? deliver_host_address : sender_host_address,
393 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)), dn);
398 tlsp->peercert = X509_dup(cert); /* record failing cert */
399 return 0; /* reject */
401 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
402 "tls_try_verify_hosts)\n");
407 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
409 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
410 { /* client, wanting stapling */
411 /* Add the server cert's signing chain as the one
412 for the verification of the OCSP stapled information. */
414 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
417 sk_X509_push(client_static_cbinfo->verify_stack, cert);
420 #ifndef DISABLE_EVENT
421 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
422 return 0; /* reject, with peercert set */
427 const uschar * verify_cert_hostnames;
429 if ( tlsp == &tls_out
430 && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
431 /* client, wanting hostname check */
434 #ifdef EXIM_HAVE_OPENSSL_CHECKHOST
435 # ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
436 # define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
438 # ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
439 # define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
442 const uschar * list = verify_cert_hostnames;
445 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
446 if ((rc = X509_check_host(cert, CCS name, 0,
447 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
448 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
453 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
454 tlsp == &tls_out ? deliver_host_address : sender_host_address);
461 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
464 uschar * extra = verify_mode
465 ? string_sprintf(" (during %c-verify for [%s])",
466 *verify_mode, sender_host_address)
468 log_write(0, LOG_MAIN,
469 "[%s] SSL verify error%s: certificate name mismatch: DN=\"%s\" H=\"%s\"",
470 tlsp == &tls_out ? deliver_host_address : sender_host_address,
471 extra, dn, verify_cert_hostnames);
476 tlsp->peercert = X509_dup(cert); /* record failing cert */
477 return 0; /* reject */
479 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
480 "tls_try_verify_hosts)\n");
484 #ifndef DISABLE_EVENT
485 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
486 return 0; /* reject, with peercert set */
489 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
490 *calledp ? "" : " authenticated", dn);
491 if (!*calledp) tlsp->certificate_verified = TRUE;
495 return 1; /* accept, at least for this level */
499 verify_callback_client(int preverify_ok, X509_STORE_CTX *x509ctx)
501 return verify_callback(preverify_ok, x509ctx, &tls_out,
502 &client_verify_callback_called, &client_verify_optional);
506 verify_callback_server(int preverify_ok, X509_STORE_CTX *x509ctx)
508 return verify_callback(preverify_ok, x509ctx, &tls_in,
509 &server_verify_callback_called, &server_verify_optional);
513 #ifdef EXPERIMENTAL_DANE
515 /* This gets called *by* the dane library verify callback, which interposes
519 verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
521 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
523 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
524 #ifndef DISABLE_EVENT
525 BOOL dummy_called, optional = FALSE;
528 X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn));
529 dn[sizeof(dn)-1] = '\0';
531 DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
532 preverify_ok ? "ok":"BAD", depth, dn);
534 #ifndef DISABLE_EVENT
535 if (verify_event(&tls_out, cert, depth, dn,
536 &dummy_called, &optional, US"DANE"))
537 return 0; /* reject, with peercert set */
540 if (preverify_ok == 1)
541 tls_out.dane_verified =
542 tls_out.certificate_verified = TRUE;
545 int err = X509_STORE_CTX_get_error(x509ctx);
547 debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
548 if (err == X509_V_ERR_APPLICATION_VERIFICATION)
554 #endif /*EXPERIMENTAL_DANE*/
557 /*************************************************
558 * Information callback *
559 *************************************************/
561 /* The SSL library functions call this from time to time to indicate what they
562 are doing. We copy the string to the debugging output when TLS debugging has
574 info_callback(SSL *s, int where, int ret)
578 DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
583 /*************************************************
584 * Initialize for DH *
585 *************************************************/
587 /* If dhparam is set, expand it, and load up the parameters for DH encryption.
590 sctx The current SSL CTX (inbound or outbound)
591 dhparam DH parameter file or fixed parameter identity string
592 host connected host, if client; NULL if server
593 errstr error string pointer
595 Returns: TRUE if OK (nothing to set up, or setup worked)
599 init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host, uschar ** errstr)
607 if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded, errstr))
610 if (!dhexpanded || !*dhexpanded)
611 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
612 else if (dhexpanded[0] == '/')
614 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
616 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
617 host, US strerror(errno), errstr);
623 if (Ustrcmp(dhexpanded, "none") == 0)
625 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
629 if (!(pem = std_dh_prime_named(dhexpanded)))
631 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
632 host, US strerror(errno), errstr);
635 bio = BIO_new_mem_buf(CS pem, -1);
638 if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
641 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
646 /* note: our default limit of 2236 is not a multiple of 8; the limit comes from
647 * an NSS limit, and the GnuTLS APIs handle bit-sizes fine, so we went with
648 * 2236. But older OpenSSL can only report in bytes (octets), not bits.
649 * If someone wants to dance at the edge, then they can raise the limit or use
650 * current libraries. */
651 #ifdef EXIM_HAVE_OPENSSL_DH_BITS
652 /* Added in commit 26c79d5641d; `git describe --contains` says OpenSSL_1_1_0-pre1~1022
653 * This predates OpenSSL_1_1_0 (before a, b, ...) so is in all 1.1.0 */
654 dh_bitsize = DH_bits(dh);
656 dh_bitsize = 8 * DH_size(dh);
659 /* Even if it is larger, we silently return success rather than cause things
660 * to fail out, so that a too-large DH will not knock out all TLS; it's a
661 * debatable choice. */
662 if (dh_bitsize > tls_dh_max_bits)
665 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d\n",
666 dh_bitsize, tls_dh_max_bits);
670 SSL_CTX_set_tmp_dh(sctx, dh);
672 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
673 dhexpanded ? dhexpanded : US"default", dh_bitsize);
685 /*************************************************
686 * Initialize for ECDH *
687 *************************************************/
689 /* Load parameters for ECDH encryption.
691 For now, we stick to NIST P-256 because: it's simple and easy to configure;
692 it avoids any patent issues that might bite redistributors; despite events in
693 the news and concerns over curve choices, we're not cryptographers, we're not
694 pretending to be, and this is "good enough" to be better than no support,
695 protecting against most adversaries. Given another year or two, there might
696 be sufficient clarity about a "right" way forward to let us make an informed
697 decision, instead of a knee-jerk reaction.
699 Longer-term, we should look at supporting both various named curves and
700 external files generated with "openssl ecparam", much as we do for init_dh().
701 We should also support "none" as a value, to explicitly avoid initialisation.
706 sctx The current SSL CTX (inbound or outbound)
707 host connected host, if client; NULL if server
708 errstr error string pointer
710 Returns: TRUE if OK (nothing to set up, or setup worked)
714 init_ecdh(SSL_CTX * sctx, host_item * host, uschar ** errstr)
716 #ifdef OPENSSL_NO_ECDH
725 if (host) /* No ECDH setup for clients, only for servers */
728 # ifndef EXIM_HAVE_ECDH
730 debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
734 if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr))
736 if (!exp_curve || !*exp_curve)
739 /* "auto" needs to be handled carefully.
740 * OpenSSL < 1.0.2: we do not select anything, but fallback to prime256v1
741 * OpenSSL < 1.1.0: we have to call SSL_CTX_set_ecdh_auto
742 * (openssl/ssl.h defines SSL_CTRL_SET_ECDH_AUTO)
743 * OpenSSL >= 1.1.0: we do not set anything, the libray does autoselection
744 * https://github.com/openssl/openssl/commit/fe6ef2472db933f01b59cad82aa925736935984b
746 if (Ustrcmp(exp_curve, "auto") == 0)
748 #if OPENSSL_VERSION_NUMBER < 0x10002000L
749 DEBUG(D_tls) debug_printf(
750 "ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n");
751 exp_curve = US"prime256v1";
753 # if defined SSL_CTRL_SET_ECDH_AUTO
754 DEBUG(D_tls) debug_printf(
755 "ECDH OpenSSL 1.0.2+ temp key parameter settings: autoselection\n");
756 SSL_CTX_set_ecdh_auto(sctx, 1);
759 DEBUG(D_tls) debug_printf(
760 "ECDH OpenSSL 1.1.0+ temp key parameter settings: default selection\n");
766 DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve);
767 if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef
768 # ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
769 && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef
773 tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve),
778 if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
780 tls_error(US"Unable to create ec curve", host, NULL, errstr);
784 /* The "tmp" in the name here refers to setting a temporary key
785 not to the stability of the interface. */
787 if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
788 tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL, errstr);
790 DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
795 # endif /*EXIM_HAVE_ECDH*/
796 #endif /*OPENSSL_NO_ECDH*/
803 /*************************************************
804 * Load OCSP information into state *
805 *************************************************/
806 /* Called to load the server OCSP response from the given file into memory, once
807 caller has determined this is needed. Checks validity. Debugs a message
810 ASSUMES: single response, for single cert.
813 sctx the SSL_CTX* to update
814 cbinfo various parts of session state
815 expanded the filename putatively holding an OCSP response
820 ocsp_load_response(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo, const uschar *expanded)
823 OCSP_RESPONSE * resp;
824 OCSP_BASICRESP * basic_response;
825 OCSP_SINGLERESP * single_response;
826 ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
828 unsigned long verify_flags;
829 int status, reason, i;
831 cbinfo->u_ocsp.server.file_expanded = string_copy(expanded);
832 if (cbinfo->u_ocsp.server.response)
834 OCSP_RESPONSE_free(cbinfo->u_ocsp.server.response);
835 cbinfo->u_ocsp.server.response = NULL;
838 if (!(bio = BIO_new_file(CS cbinfo->u_ocsp.server.file_expanded, "rb")))
840 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
841 cbinfo->u_ocsp.server.file_expanded);
845 resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
849 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
853 if ((status = OCSP_response_status(resp)) != OCSP_RESPONSE_STATUS_SUCCESSFUL)
855 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
856 OCSP_response_status_str(status), status);
860 if (!(basic_response = OCSP_response_get1_basic(resp)))
863 debug_printf("OCSP response parse error: unable to extract basic response.\n");
867 sk = cbinfo->verify_stack;
868 verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
870 /* May need to expose ability to adjust those flags?
871 OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
872 OCSP_TRUSTOTHER OCSP_NOINTERN */
874 /* This does a full verify on the OCSP proof before we load it for serving
875 up; possibly overkill - just date-checks might be nice enough.
877 OCSP_basic_verify takes a "store" arg, but does not
878 use it for the chain verification, which is all we do
879 when OCSP_NOVERIFY is set. The content from the wire
880 "basic_response" and a cert-stack "sk" are all that is used.
882 We have a stack, loaded in setup_certs() if tls_verify_certificates
883 was a file (not a directory, or "system"). It is unfortunate we
884 cannot used the connection context store, as that would neatly
885 handle the "system" case too, but there seems to be no library
886 function for getting a stack from a store.
887 [ In OpenSSL 1.1 - ? X509_STORE_CTX_get0_chain(ctx) ? ]
888 We do not free the stack since it could be needed a second time for
891 Separately we might try to replace using OCSP_basic_verify() - which seems to not
892 be a public interface into the OpenSSL library (there's no manual entry) -
893 But what with? We also use OCSP_basic_verify in the client stapling callback.
894 And there we NEED it; we must verify that status... unless the
895 library does it for us anyway? */
897 if ((i = OCSP_basic_verify(basic_response, sk, NULL, verify_flags)) < 0)
901 ERR_error_string(ERR_get_error(), ssl_errstring);
902 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
907 /* Here's the simplifying assumption: there's only one response, for the
908 one certificate we use, and nothing for anything else in a chain. If this
909 proves false, we need to extract a cert id from our issued cert
910 (tls_certificate) and use that for OCSP_resp_find_status() (which finds the
911 right cert in the stack and then calls OCSP_single_get0_status()).
913 I'm hoping to avoid reworking a bunch more of how we handle state here. */
915 if (!(single_response = OCSP_resp_get0(basic_response, 0)))
918 debug_printf("Unable to get first response from OCSP basic response.\n");
922 status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
923 if (status != V_OCSP_CERTSTATUS_GOOD)
925 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
926 OCSP_cert_status_str(status), status,
927 OCSP_crl_reason_str(reason), reason);
931 if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
933 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
938 cbinfo->u_ocsp.server.response = resp;
942 if (running_in_test_harness)
944 extern char ** environ;
946 if (environ) for (p = USS environ; *p != NULL; p++)
947 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
949 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
950 goto supply_response;
955 #endif /*!DISABLE_OCSP*/
960 /* Create and install a selfsigned certificate, for use in server mode */
963 tls_install_selfsign(SSL_CTX * sctx, uschar ** errstr)
971 where = US"allocating pkey";
972 if (!(pkey = EVP_PKEY_new()))
975 where = US"allocating cert";
976 if (!(x509 = X509_new()))
979 where = US"generating pkey";
980 /* deprecated, use RSA_generate_key_ex() */
981 if (!(rsa = RSA_generate_key(1024, RSA_F4, NULL, NULL)))
984 where = US"assigning pkey";
985 if (!EVP_PKEY_assign_RSA(pkey, rsa))
988 X509_set_version(x509, 2); /* N+1 - version 3 */
989 ASN1_INTEGER_set(X509_get_serialNumber(x509), 0);
990 X509_gmtime_adj(X509_get_notBefore(x509), 0);
991 X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60); /* 1 hour */
992 X509_set_pubkey(x509, pkey);
994 name = X509_get_subject_name(x509);
995 X509_NAME_add_entry_by_txt(name, "C",
996 MBSTRING_ASC, CUS "UK", -1, -1, 0);
997 X509_NAME_add_entry_by_txt(name, "O",
998 MBSTRING_ASC, CUS "Exim Developers", -1, -1, 0);
999 X509_NAME_add_entry_by_txt(name, "CN",
1000 MBSTRING_ASC, CUS smtp_active_hostname, -1, -1, 0);
1001 X509_set_issuer_name(x509, name);
1003 where = US"signing cert";
1004 if (!X509_sign(x509, pkey, EVP_md5()))
1007 where = US"installing selfsign cert";
1008 if (!SSL_CTX_use_certificate(sctx, x509))
1011 where = US"installing selfsign key";
1012 if (!SSL_CTX_use_PrivateKey(sctx, pkey))
1018 (void) tls_error(where, NULL, NULL, errstr);
1019 if (x509) X509_free(x509);
1020 if (pkey) EVP_PKEY_free(pkey);
1027 /*************************************************
1028 * Expand key and cert file specs *
1029 *************************************************/
1031 /* Called once during tls_init and possibly again during TLS setup, for a
1032 new context, if Server Name Indication was used and tls_sni was seen in
1033 the certificate string.
1036 sctx the SSL_CTX* to update
1037 cbinfo various parts of session state
1038 errstr error string pointer
1040 Returns: OK/DEFER/FAIL
1044 tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo,
1049 if (!cbinfo->certificate)
1051 if (cbinfo->host) /* client */
1054 if (tls_install_selfsign(sctx, errstr) != OK)
1059 if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
1060 Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
1061 Ustrstr(cbinfo->certificate, US"tls_out_sni")
1063 reexpand_tls_files_for_sni = TRUE;
1065 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded, errstr))
1068 if (expanded != NULL)
1070 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded);
1071 if (!SSL_CTX_use_certificate_chain_file(sctx, CS expanded))
1072 return tls_error(string_sprintf(
1073 "SSL_CTX_use_certificate_chain_file file=%s", expanded),
1074 cbinfo->host, NULL, errstr);
1077 if (cbinfo->privatekey != NULL &&
1078 !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded, errstr))
1081 /* If expansion was forced to fail, key_expanded will be NULL. If the result
1082 of the expansion is an empty string, ignore it also, and assume the private
1083 key is in the same file as the certificate. */
1085 if (expanded && *expanded)
1087 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
1088 if (!SSL_CTX_use_PrivateKey_file(sctx, CS expanded, SSL_FILETYPE_PEM))
1089 return tls_error(string_sprintf(
1090 "SSL_CTX_use_PrivateKey_file file=%s", expanded), cbinfo->host, NULL, errstr);
1094 #ifndef DISABLE_OCSP
1095 if (cbinfo->is_server && cbinfo->u_ocsp.server.file)
1097 if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded, errstr))
1100 if (expanded && *expanded)
1102 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
1103 if ( cbinfo->u_ocsp.server.file_expanded
1104 && (Ustrcmp(expanded, cbinfo->u_ocsp.server.file_expanded) == 0))
1106 DEBUG(D_tls) debug_printf(" - value unchanged, using existing values\n");
1109 ocsp_load_response(sctx, cbinfo, expanded);
1120 /*************************************************
1121 * Callback to handle SNI *
1122 *************************************************/
1124 /* Called when acting as server during the TLS session setup if a Server Name
1125 Indication extension was sent by the client.
1127 API documentation is OpenSSL s_server.c implementation.
1130 s SSL* of the current session
1131 ad unknown (part of OpenSSL API) (unused)
1132 arg Callback of "our" registered data
1134 Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
1137 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
1139 tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
1141 const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
1142 tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
1144 int old_pool = store_pool;
1145 uschar * dummy_errstr;
1148 return SSL_TLSEXT_ERR_OK;
1150 DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
1151 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
1153 /* Make the extension value available for expansion */
1154 store_pool = POOL_PERM;
1155 tls_in.sni = string_copy(US servername);
1156 store_pool = old_pool;
1158 if (!reexpand_tls_files_for_sni)
1159 return SSL_TLSEXT_ERR_OK;
1161 /* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
1162 not confident that memcpy wouldn't break some internal reference counting.
1163 Especially since there's a references struct member, which would be off. */
1165 if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
1167 ERR_error_string(ERR_get_error(), ssl_errstring);
1168 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
1169 return SSL_TLSEXT_ERR_NOACK;
1172 /* Not sure how many of these are actually needed, since SSL object
1173 already exists. Might even need this selfsame callback, for reneg? */
1175 SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
1176 SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
1177 SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
1178 SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
1179 SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
1180 SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
1182 if ( !init_dh(server_sni, cbinfo->dhparam, NULL, &dummy_errstr)
1183 || !init_ecdh(server_sni, NULL, &dummy_errstr)
1185 return SSL_TLSEXT_ERR_NOACK;
1187 if (cbinfo->server_cipher_list)
1188 SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list);
1189 #ifndef DISABLE_OCSP
1190 if (cbinfo->u_ocsp.server.file)
1192 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
1193 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
1197 if ((rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE,
1198 verify_callback_server, &dummy_errstr)) != OK)
1199 return SSL_TLSEXT_ERR_NOACK;
1201 /* do this after setup_certs, because this can require the certs for verifying
1202 OCSP information. */
1203 if ((rc = tls_expand_session_files(server_sni, cbinfo, &dummy_errstr)) != OK)
1204 return SSL_TLSEXT_ERR_NOACK;
1206 DEBUG(D_tls) debug_printf("Switching SSL context.\n");
1207 SSL_set_SSL_CTX(s, server_sni);
1209 return SSL_TLSEXT_ERR_OK;
1211 #endif /* EXIM_HAVE_OPENSSL_TLSEXT */
1216 #ifndef DISABLE_OCSP
1218 /*************************************************
1219 * Callback to handle OCSP Stapling *
1220 *************************************************/
1222 /* Called when acting as server during the TLS session setup if the client
1223 requests OCSP information with a Certificate Status Request.
1225 Documentation via openssl s_server.c and the Apache patch from the OpenSSL
1231 tls_server_stapling_cb(SSL *s, void *arg)
1233 const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
1234 uschar *response_der;
1235 int response_der_len;
1238 debug_printf("Received TLS status request (OCSP stapling); %s response\n",
1239 cbinfo->u_ocsp.server.response ? "have" : "lack");
1241 tls_in.ocsp = OCSP_NOT_RESP;
1242 if (!cbinfo->u_ocsp.server.response)
1243 return SSL_TLSEXT_ERR_NOACK;
1245 response_der = NULL;
1246 response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response,
1248 if (response_der_len <= 0)
1249 return SSL_TLSEXT_ERR_NOACK;
1251 SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
1252 tls_in.ocsp = OCSP_VFIED;
1253 return SSL_TLSEXT_ERR_OK;
1258 time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
1260 BIO_printf(bp, "\t%s: ", str);
1261 ASN1_GENERALIZEDTIME_print(bp, time);
1266 tls_client_stapling_cb(SSL *s, void *arg)
1268 tls_ext_ctx_cb * cbinfo = arg;
1269 const unsigned char * p;
1271 OCSP_RESPONSE * rsp;
1272 OCSP_BASICRESP * bs;
1275 DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
1276 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1279 /* Expect this when we requested ocsp but got none */
1280 if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
1281 log_write(0, LOG_MAIN, "Received TLS status callback, null content");
1283 DEBUG(D_tls) debug_printf(" null\n");
1284 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1287 if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
1289 tls_out.ocsp = OCSP_FAILED;
1290 if (LOGGING(tls_cipher))
1291 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
1293 DEBUG(D_tls) debug_printf(" parse error\n");
1297 if(!(bs = OCSP_response_get1_basic(rsp)))
1299 tls_out.ocsp = OCSP_FAILED;
1300 if (LOGGING(tls_cipher))
1301 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
1303 DEBUG(D_tls) debug_printf(" error parsing response\n");
1304 OCSP_RESPONSE_free(rsp);
1308 /* We'd check the nonce here if we'd put one in the request. */
1309 /* However that would defeat cacheability on the server so we don't. */
1311 /* This section of code reworked from OpenSSL apps source;
1312 The OpenSSL Project retains copyright:
1313 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
1318 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1320 DEBUG(D_tls) bp = BIO_new_fp(stderr, BIO_NOCLOSE);
1322 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
1324 /* Use the chain that verified the server cert to verify the stapled info */
1325 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
1327 if ((i = OCSP_basic_verify(bs, cbinfo->verify_stack,
1328 cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
1330 tls_out.ocsp = OCSP_FAILED;
1331 if (LOGGING(tls_cipher))
1332 log_write(0, LOG_MAIN, "Received TLS cert status response, itself unverifiable");
1333 BIO_printf(bp, "OCSP response verify failure\n");
1334 ERR_print_errors(bp);
1338 BIO_printf(bp, "OCSP response well-formed and signed OK\n");
1340 /*XXX So we have a good stapled OCSP status. How do we know
1341 it is for the cert of interest? OpenSSL 1.1.0 has a routine
1342 OCSP_resp_find_status() which matches on a cert id, which presumably
1343 we should use. Making an id needs OCSP_cert_id_new(), which takes
1344 issuerName, issuerKey, serialNumber. Are they all in the cert?
1346 For now, carry on blindly accepting the resp. */
1349 OCSP_SINGLERESP * single;
1351 #ifdef EXIM_HAVE_OCSP_RESP_COUNT
1352 if (OCSP_resp_count(bs) != 1)
1354 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
1355 if (sk_OCSP_SINGLERESP_num(sresp) != 1)
1358 tls_out.ocsp = OCSP_FAILED;
1359 log_write(0, LOG_MAIN, "OCSP stapling "
1360 "with multiple responses not handled");
1363 single = OCSP_resp_get0(bs, 0);
1364 status = OCSP_single_get0_status(single, &reason, &rev,
1365 &thisupd, &nextupd);
1368 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
1369 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
1370 if (!OCSP_check_validity(thisupd, nextupd,
1371 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1373 tls_out.ocsp = OCSP_FAILED;
1374 DEBUG(D_tls) ERR_print_errors(bp);
1375 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
1379 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
1380 OCSP_cert_status_str(status));
1383 case V_OCSP_CERTSTATUS_GOOD:
1384 tls_out.ocsp = OCSP_VFIED;
1387 case V_OCSP_CERTSTATUS_REVOKED:
1388 tls_out.ocsp = OCSP_FAILED;
1389 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
1390 reason != -1 ? "; reason: " : "",
1391 reason != -1 ? OCSP_crl_reason_str(reason) : "");
1392 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
1395 tls_out.ocsp = OCSP_FAILED;
1396 log_write(0, LOG_MAIN,
1397 "Server certificate status unknown, in OCSP stapling");
1402 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1407 OCSP_RESPONSE_free(rsp);
1410 #endif /*!DISABLE_OCSP*/
1413 /*************************************************
1414 * Initialize for TLS *
1415 *************************************************/
1417 /* Called from both server and client code, to do preliminary initialization
1418 of the library. We allocate and return a context structure.
1421 ctxp returned SSL context
1422 host connected host, if client; NULL if server
1423 dhparam DH parameter file
1424 certificate certificate file
1425 privatekey private key
1426 ocsp_file file of stapling info (server); flag for require ocsp (client)
1427 addr address if client; NULL if server (for some randomness)
1428 cbp place to put allocated callback context
1429 errstr error string pointer
1431 Returns: OK/DEFER/FAIL
1435 tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
1437 #ifndef DISABLE_OCSP
1440 address_item *addr, tls_ext_ctx_cb ** cbp, uschar ** errstr)
1445 tls_ext_ctx_cb * cbinfo;
1447 cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
1448 cbinfo->certificate = certificate;
1449 cbinfo->privatekey = privatekey;
1450 #ifndef DISABLE_OCSP
1451 cbinfo->verify_stack = NULL;
1452 if ((cbinfo->is_server = host==NULL))
1454 cbinfo->u_ocsp.server.file = ocsp_file;
1455 cbinfo->u_ocsp.server.file_expanded = NULL;
1456 cbinfo->u_ocsp.server.response = NULL;
1459 cbinfo->u_ocsp.client.verify_store = NULL;
1461 cbinfo->dhparam = dhparam;
1462 cbinfo->server_cipher_list = NULL;
1463 cbinfo->host = host;
1464 #ifndef DISABLE_EVENT
1465 cbinfo->event_action = NULL;
1468 SSL_load_error_strings(); /* basic set up */
1469 OpenSSL_add_ssl_algorithms();
1471 #ifdef EXIM_HAVE_SHA256
1472 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
1473 list of available digests. */
1474 EVP_add_digest(EVP_sha256());
1477 /* Create a context.
1478 The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
1479 negotiation in the different methods; as far as I can tell, the only
1480 *_{server,client}_method which allows negotiation is SSLv23, which exists even
1481 when OpenSSL is built without SSLv2 support.
1482 By disabling with openssl_options, we can let admins re-enable with the
1485 if (!(ctx = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method())))
1486 return tls_error(US"SSL_CTX_new", host, NULL, errstr);
1488 /* It turns out that we need to seed the random number generator this early in
1489 order to get the full complement of ciphers to work. It took me roughly a day
1490 of work to discover this by experiment.
1492 On systems that have /dev/urandom, SSL may automatically seed itself from
1493 there. Otherwise, we have to make something up as best we can. Double check
1499 gettimeofday(&r.tv, NULL);
1502 RAND_seed(US (&r), sizeof(r));
1503 RAND_seed(US big_buffer, big_buffer_size);
1504 if (addr != NULL) RAND_seed(US addr, sizeof(addr));
1507 return tls_error(US"RAND_status", host,
1508 US"unable to seed random number generator", errstr);
1511 /* Set up the information callback, which outputs if debugging is at a suitable
1514 DEBUG(D_tls) SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
1516 /* Automatically re-try reads/writes after renegotiation. */
1517 (void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
1519 /* Apply administrator-supplied work-arounds.
1520 Historically we applied just one requested option,
1521 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
1522 moved to an administrator-controlled list of options to specify and
1523 grandfathered in the first one as the default value for "openssl_options".
1525 No OpenSSL version number checks: the options we accept depend upon the
1526 availability of the option value macros from OpenSSL. */
1528 if (!tls_openssl_options_parse(openssl_options, &init_options))
1529 return tls_error(US"openssl_options parsing failed", host, NULL, errstr);
1533 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
1534 if (!(SSL_CTX_set_options(ctx, init_options)))
1535 return tls_error(string_sprintf(
1536 "SSL_CTX_set_option(%#lx)", init_options), host, NULL, errstr);
1539 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
1541 /* Disable session cache unconditionally */
1543 (void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
1545 /* Initialize with DH parameters if supplied */
1546 /* Initialize ECDH temp key parameter selection */
1548 if ( !init_dh(ctx, dhparam, host, errstr)
1549 || !init_ecdh(ctx, host, errstr)
1553 /* Set up certificate and key (and perhaps OCSP info) */
1555 if ((rc = tls_expand_session_files(ctx, cbinfo, errstr)) != OK)
1558 /* If we need to handle SNI or OCSP, do so */
1560 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
1561 # ifndef DISABLE_OCSP
1562 if (!(cbinfo->verify_stack = sk_X509_new_null()))
1564 DEBUG(D_tls) debug_printf("failed to create stack for stapling verify\n");
1569 if (host == NULL) /* server */
1571 # ifndef DISABLE_OCSP
1572 /* We check u_ocsp.server.file, not server.response, because we care about if
1573 the option exists, not what the current expansion might be, as SNI might
1574 change the certificate and OCSP file in use between now and the time the
1575 callback is invoked. */
1576 if (cbinfo->u_ocsp.server.file)
1578 SSL_CTX_set_tlsext_status_cb(ctx, tls_server_stapling_cb);
1579 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
1582 /* We always do this, so that $tls_sni is available even if not used in
1584 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
1585 SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
1587 # ifndef DISABLE_OCSP
1589 if(ocsp_file) /* wanting stapling */
1591 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
1593 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
1596 SSL_CTX_set_tlsext_status_cb(ctx, tls_client_stapling_cb);
1597 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
1602 cbinfo->verify_cert_hostnames = NULL;
1604 #ifdef EXIM_HAVE_EPHEM_RSA_KEX
1605 /* Set up the RSA callback */
1606 SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
1609 /* Finally, set the timeout, and we are done */
1611 SSL_CTX_set_timeout(ctx, ssl_session_timeout);
1612 DEBUG(D_tls) debug_printf("Initialized TLS\n");
1623 /*************************************************
1624 * Get name of cipher in use *
1625 *************************************************/
1628 Argument: pointer to an SSL structure for the connection
1629 buffer to use for answer
1631 pointer to number of bits for cipher
1636 construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits)
1638 /* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't
1639 yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
1640 the accessor functions use const in the prototype. */
1641 const SSL_CIPHER *c;
1644 ver = (const uschar *)SSL_get_version(ssl);
1646 c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
1647 SSL_CIPHER_get_bits(c, bits);
1649 string_format(cipherbuf, bsize, "%s:%s:%u", ver,
1650 SSL_CIPHER_get_name(c), *bits);
1652 DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
1657 peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned bsize)
1659 /*XXX we might consider a list-of-certs variable for the cert chain.
1660 SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
1661 in list-handling functions, also consider the difference between the entire
1662 chain and the elements sent by the peer. */
1664 /* Will have already noted peercert on a verify fail; possibly not the leaf */
1665 if (!tlsp->peercert)
1666 tlsp->peercert = SSL_get_peer_certificate(ssl);
1667 /* Beware anonymous ciphers which lead to server_cert being NULL */
1670 X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, bsize);
1671 peerdn[bsize-1] = '\0';
1672 tlsp->peerdn = peerdn; /*XXX a static buffer... */
1675 tlsp->peerdn = NULL;
1682 /*************************************************
1683 * Set up for verifying certificates *
1684 *************************************************/
1686 /* Load certs from file, return TRUE on success */
1689 chain_from_pem_file(const uschar * file, STACK_OF(X509) * verify_stack)
1694 if (!(bp = BIO_new_file(CS file, "r"))) return FALSE;
1695 while ((x = PEM_read_bio_X509(bp, NULL, 0, NULL)))
1696 sk_X509_push(verify_stack, x);
1703 /* Called by both client and server startup
1706 sctx SSL_CTX* to initialise
1707 certs certs file or NULL
1708 crl CRL file or NULL
1709 host NULL in a server; the remote host in a client
1710 optional TRUE if called from a server for a host in tls_try_verify_hosts;
1711 otherwise passed as FALSE
1712 cert_vfy_cb Callback function for certificate verification
1713 errstr error string pointer
1715 Returns: OK/DEFER/FAIL
1719 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
1720 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr)
1722 uschar *expcerts, *expcrl;
1724 if (!expand_check(certs, US"tls_verify_certificates", &expcerts, errstr))
1726 DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
1728 if (expcerts && *expcerts)
1730 /* Tell the library to use its compiled-in location for the system default
1731 CA bundle. Then add the ones specified in the config, if any. */
1733 if (!SSL_CTX_set_default_verify_paths(sctx))
1734 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL, errstr);
1736 if (Ustrcmp(expcerts, "system") != 0)
1738 struct stat statbuf;
1740 if (Ustat(expcerts, &statbuf) < 0)
1742 log_write(0, LOG_MAIN|LOG_PANIC,
1743 "failed to stat %s for certificates", expcerts);
1749 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
1750 { file = NULL; dir = expcerts; }
1753 file = expcerts; dir = NULL;
1754 #ifndef DISABLE_OCSP
1755 /* In the server if we will be offering an OCSP proof, load chain from
1756 file for verifying the OCSP proof at load time. */
1759 && statbuf.st_size > 0
1760 && server_static_cbinfo->u_ocsp.server.file
1761 && !chain_from_pem_file(file, server_static_cbinfo->verify_stack)
1764 log_write(0, LOG_MAIN|LOG_PANIC,
1765 "failed to load cert hain from %s", file);
1771 /* If a certificate file is empty, the next function fails with an
1772 unhelpful error message. If we skip it, we get the correct behaviour (no
1773 certificates are recognized, but the error message is still misleading (it
1774 says no certificate was supplied). But this is better. */
1776 if ( (!file || statbuf.st_size > 0)
1777 && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
1778 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL, errstr);
1780 /* Load the list of CAs for which we will accept certs, for sending
1781 to the client. This is only for the one-file tls_verify_certificates
1783 If a list isn't loaded into the server, but
1784 some verify locations are set, the server end appears to make
1785 a wildcard request for client certs.
1786 Meanwhile, the client library as default behaviour *ignores* the list
1787 we send over the wire - see man SSL_CTX_set_client_cert_cb.
1788 Because of this, and that the dir variant is likely only used for
1789 the public-CA bundle (not for a private CA), not worth fixing.
1793 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
1795 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
1796 sk_X509_NAME_num(names));
1797 SSL_CTX_set_client_CA_list(sctx, names);
1802 /* Handle a certificate revocation list. */
1804 #if OPENSSL_VERSION_NUMBER > 0x00907000L
1806 /* This bit of code is now the version supplied by Lars Mainka. (I have
1807 merely reformatted it into the Exim code style.)
1809 "From here I changed the code to add support for multiple crl's
1810 in pem format in one file or to support hashed directory entries in
1811 pem format instead of a file. This method now uses the library function
1812 X509_STORE_load_locations to add the CRL location to the SSL context.
1813 OpenSSL will then handle the verify against CA certs and CRLs by
1814 itself in the verify callback." */
1816 if (!expand_check(crl, US"tls_crl", &expcrl, errstr)) return DEFER;
1817 if (expcrl && *expcrl)
1819 struct stat statbufcrl;
1820 if (Ustat(expcrl, &statbufcrl) < 0)
1822 log_write(0, LOG_MAIN|LOG_PANIC,
1823 "failed to stat %s for certificates revocation lists", expcrl);
1828 /* is it a file or directory? */
1830 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
1831 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
1835 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
1841 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
1843 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
1844 return tls_error(US"X509_STORE_load_locations", host, NULL, errstr);
1846 /* setting the flags to check against the complete crl chain */
1848 X509_STORE_set_flags(cvstore,
1849 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
1853 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
1855 /* If verification is optional, don't fail if no certificate */
1857 SSL_CTX_set_verify(sctx,
1858 SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
1867 /*************************************************
1868 * Start a TLS session in a server *
1869 *************************************************/
1871 /* This is called when Exim is running as a server, after having received
1872 the STARTTLS command. It must respond to that command, and then negotiate
1876 require_ciphers allowed ciphers
1877 errstr pointer to error message
1879 Returns: OK on success
1880 DEFER for errors before the start of the negotiation
1881 FAIL for errors during the negotiation; the server can't
1886 tls_server_start(const uschar * require_ciphers, uschar ** errstr)
1889 uschar * expciphers;
1890 tls_ext_ctx_cb * cbinfo;
1891 static uschar peerdn[256];
1892 static uschar cipherbuf[256];
1894 /* Check for previous activation */
1896 if (tls_in.active >= 0)
1898 tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
1899 smtp_printf("554 Already in TLS\r\n", FALSE);
1903 /* Initialize the SSL library. If it fails, it will already have logged
1906 rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
1907 #ifndef DISABLE_OCSP
1910 NULL, &server_static_cbinfo, errstr);
1911 if (rc != OK) return rc;
1912 cbinfo = server_static_cbinfo;
1914 if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers, errstr))
1917 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
1918 were historically separated by underscores. So that I can use either form in my
1919 tests, and also for general convenience, we turn underscores into hyphens here.
1924 uschar * s = expciphers;
1925 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1926 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
1927 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
1928 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL, errstr);
1929 cbinfo->server_cipher_list = expciphers;
1932 /* If this is a host for which certificate verification is mandatory or
1933 optional, set up appropriately. */
1935 tls_in.certificate_verified = FALSE;
1936 #ifdef EXPERIMENTAL_DANE
1937 tls_in.dane_verified = FALSE;
1939 server_verify_callback_called = FALSE;
1941 if (verify_check_host(&tls_verify_hosts) == OK)
1943 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
1944 FALSE, verify_callback_server, errstr);
1945 if (rc != OK) return rc;
1946 server_verify_optional = FALSE;
1948 else if (verify_check_host(&tls_try_verify_hosts) == OK)
1950 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
1951 TRUE, verify_callback_server, errstr);
1952 if (rc != OK) return rc;
1953 server_verify_optional = TRUE;
1956 /* Prepare for new connection */
1958 if (!(server_ssl = SSL_new(server_ctx)))
1959 return tls_error(US"SSL_new", NULL, NULL, errstr);
1961 /* Warning: we used to SSL_clear(ssl) here, it was removed.
1963 * With the SSL_clear(), we get strange interoperability bugs with
1964 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
1965 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
1967 * The SSL_clear() call is to let an existing SSL* be reused, typically after
1968 * session shutdown. In this case, we have a brand new object and there's no
1969 * obvious reason to immediately clear it. I'm guessing that this was
1970 * originally added because of incomplete initialisation which the clear fixed,
1971 * in some historic release.
1974 /* Set context and tell client to go ahead, except in the case of TLS startup
1975 on connection, where outputting anything now upsets the clients and tends to
1976 make them disconnect. We need to have an explicit fflush() here, to force out
1977 the response. Other smtp_printf() calls do not need it, because in non-TLS
1978 mode, the fflush() happens when smtp_getc() is called. */
1980 SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
1981 if (!tls_in.on_connect)
1983 smtp_printf("220 TLS go ahead\r\n", FALSE);
1987 /* Now negotiate the TLS session. We put our own timer on it, since it seems
1988 that the OpenSSL library doesn't. */
1990 SSL_set_wfd(server_ssl, fileno(smtp_out));
1991 SSL_set_rfd(server_ssl, fileno(smtp_in));
1992 SSL_set_accept_state(server_ssl);
1994 DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
1996 sigalrm_seen = FALSE;
1997 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
1998 rc = SSL_accept(server_ssl);
2003 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
2007 DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
2009 /* TLS has been set up. Adjust the input functions to read via TLS,
2010 and initialize things. */
2012 peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
2014 construct_cipher_name(server_ssl, cipherbuf, sizeof(cipherbuf), &tls_in.bits);
2015 tls_in.cipher = cipherbuf;
2020 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)) != NULL)
2021 debug_printf("Shared ciphers: %s\n", buf);
2024 /* Record the certificate we presented */
2026 X509 * crt = SSL_get_certificate(server_ssl);
2027 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
2030 /* Only used by the server-side tls (tls_in), including tls_getc.
2031 Client-side (tls_out) reads (seem to?) go via
2032 smtp_read_response()/ip_recv().
2033 Hence no need to duplicate for _in and _out.
2035 ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
2036 ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
2037 ssl_xfer_eof = ssl_xfer_error = 0;
2039 receive_getc = tls_getc;
2040 receive_getbuf = tls_getbuf;
2041 receive_get_cache = tls_get_cache;
2042 receive_ungetc = tls_ungetc;
2043 receive_feof = tls_feof;
2044 receive_ferror = tls_ferror;
2045 receive_smtp_buffered = tls_smtp_buffered;
2047 tls_in.active = fileno(smtp_out);
2055 tls_client_basic_ctx_init(SSL_CTX * ctx,
2056 host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo,
2060 /* stick to the old behaviour for compatibility if tls_verify_certificates is
2061 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
2062 the specified host patterns if one of them is defined */
2064 if ( ( !ob->tls_verify_hosts
2065 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2067 || (verify_check_given_host(&ob->tls_verify_hosts, host) == OK)
2069 client_verify_optional = FALSE;
2070 else if (verify_check_given_host(&ob->tls_try_verify_hosts, host) == OK)
2071 client_verify_optional = TRUE;
2075 if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
2076 ob->tls_crl, host, client_verify_optional, verify_callback_client,
2080 if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK)
2082 cbinfo->verify_cert_hostnames =
2084 string_domain_utf8_to_alabel(host->name, NULL);
2088 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
2089 cbinfo->verify_cert_hostnames);
2095 #ifdef EXPERIMENTAL_DANE
2097 dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa, uschar ** errstr)
2101 const char * hostnames[2] = { CS host->name, NULL };
2104 if (DANESSL_init(ssl, NULL, hostnames) != 1)
2105 return tls_error(US"hostnames load", host, NULL, errstr);
2107 for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
2109 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
2110 ) if (rr->type == T_TLSA)
2112 const uschar * p = rr->data;
2113 uint8_t usage, selector, mtype;
2114 const char * mdname;
2118 /* Only DANE-TA(2) and DANE-EE(3) are supported */
2119 if (usage != 2 && usage != 3) continue;
2126 default: continue; /* Only match-types 0, 1, 2 are supported */
2127 case 0: mdname = NULL; break;
2128 case 1: mdname = "sha256"; break;
2129 case 2: mdname = "sha512"; break;
2133 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
2136 return tls_error(US"tlsa load", host, NULL, errstr);
2137 case 0: /* action not taken */
2141 tls_out.tlsa_usage |= 1<<usage;
2147 log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
2150 #endif /*EXPERIMENTAL_DANE*/
2154 /*************************************************
2155 * Start a TLS session in a client *
2156 *************************************************/
2158 /* Called from the smtp transport after STARTTLS has been accepted.
2161 fd the fd of the connection
2162 host connected host (for messages)
2163 addr the first address
2164 tb transport (always smtp)
2165 tlsa_dnsa tlsa lookup, if DANE, else null
2166 errstr error string pointer
2168 Returns: OK on success
2169 FAIL otherwise - note that tls_error() will not give DEFER
2170 because this is not a server
2174 tls_client_start(int fd, host_item *host, address_item *addr,
2175 transport_instance * tb,
2176 #ifdef EXPERIMENTAL_DANE
2177 dns_answer * tlsa_dnsa,
2181 smtp_transport_options_block * ob =
2182 (smtp_transport_options_block *)tb->options_block;
2183 static uschar peerdn[256];
2184 uschar * expciphers;
2186 static uschar cipherbuf[256];
2188 #ifndef DISABLE_OCSP
2189 BOOL request_ocsp = FALSE;
2190 BOOL require_ocsp = FALSE;
2193 #ifdef EXPERIMENTAL_DANE
2194 tls_out.tlsa_usage = 0;
2197 #ifndef DISABLE_OCSP
2199 # ifdef EXPERIMENTAL_DANE
2201 && ob->hosts_request_ocsp[0] == '*'
2202 && ob->hosts_request_ocsp[1] == '\0'
2205 /* Unchanged from default. Use a safer one under DANE */
2206 request_ocsp = TRUE;
2207 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
2208 " {= {4}{$tls_out_tlsa_usage}} } "
2214 verify_check_given_host(&ob->hosts_require_ocsp, host) == OK))
2215 request_ocsp = TRUE;
2217 # ifdef EXPERIMENTAL_DANE
2221 verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
2225 rc = tls_init(&client_ctx, host, NULL,
2226 ob->tls_certificate, ob->tls_privatekey,
2227 #ifndef DISABLE_OCSP
2228 (void *)(long)request_ocsp,
2230 addr, &client_static_cbinfo, errstr);
2231 if (rc != OK) return rc;
2233 tls_out.certificate_verified = FALSE;
2234 client_verify_callback_called = FALSE;
2236 if (!expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
2237 &expciphers, errstr))
2240 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
2241 are separated by underscores. So that I can use either form in my tests, and
2242 also for general convenience, we turn underscores into hyphens here. */
2246 uschar *s = expciphers;
2247 while (*s) { if (*s == '_') *s = '-'; s++; }
2248 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
2249 if (!SSL_CTX_set_cipher_list(client_ctx, CS expciphers))
2250 return tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr);
2253 #ifdef EXPERIMENTAL_DANE
2256 SSL_CTX_set_verify(client_ctx,
2257 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2258 verify_callback_client_dane);
2260 if (!DANESSL_library_init())
2261 return tls_error(US"library init", host, NULL, errstr);
2262 if (DANESSL_CTX_init(client_ctx) <= 0)
2263 return tls_error(US"context init", host, NULL, errstr);
2269 if ((rc = tls_client_basic_ctx_init(client_ctx, host, ob,
2270 client_static_cbinfo, errstr)) != OK)
2273 if ((client_ssl = SSL_new(client_ctx)) == NULL)
2274 return tls_error(US"SSL_new", host, NULL, errstr);
2275 SSL_set_session_id_context(client_ssl, sid_ctx, Ustrlen(sid_ctx));
2276 SSL_set_fd(client_ssl, fd);
2277 SSL_set_connect_state(client_ssl);
2281 if (!expand_check(ob->tls_sni, US"tls_sni", &tls_out.sni, errstr))
2285 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
2287 else if (!Ustrlen(tls_out.sni))
2291 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
2292 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tls_out.sni);
2293 SSL_set_tlsext_host_name(client_ssl, tls_out.sni);
2295 log_write(0, LOG_MAIN, "SNI unusable with this OpenSSL library version; ignoring \"%s\"\n",
2301 #ifdef EXPERIMENTAL_DANE
2303 if ((rc = dane_tlsa_load(client_ssl, host, tlsa_dnsa, errstr)) != OK)
2307 #ifndef DISABLE_OCSP
2308 /* Request certificate status at connection-time. If the server
2309 does OCSP stapling we will get the callback (set in tls_init()) */
2310 # ifdef EXPERIMENTAL_DANE
2314 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
2315 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
2317 { /* Re-eval now $tls_out_tlsa_usage is populated. If
2318 this means we avoid the OCSP request, we wasted the setup
2319 cost in tls_init(). */
2320 require_ocsp = verify_check_given_host(&ob->hosts_require_ocsp, host) == OK;
2321 request_ocsp = require_ocsp
2322 || verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
2329 SSL_set_tlsext_status_type(client_ssl, TLSEXT_STATUSTYPE_ocsp);
2330 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
2331 tls_out.ocsp = OCSP_NOT_RESP;
2335 #ifndef DISABLE_EVENT
2336 client_static_cbinfo->event_action = tb->event_action;
2339 /* There doesn't seem to be a built-in timeout on connection. */
2341 DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
2342 sigalrm_seen = FALSE;
2343 alarm(ob->command_timeout);
2344 rc = SSL_connect(client_ssl);
2347 #ifdef EXPERIMENTAL_DANE
2349 DANESSL_cleanup(client_ssl);
2353 return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL,
2356 DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
2358 peer_cert(client_ssl, &tls_out, peerdn, sizeof(peerdn));
2360 construct_cipher_name(client_ssl, cipherbuf, sizeof(cipherbuf), &tls_out.bits);
2361 tls_out.cipher = cipherbuf;
2363 /* Record the certificate we presented */
2365 X509 * crt = SSL_get_certificate(client_ssl);
2366 tls_out.ourcert = crt ? X509_dup(crt) : NULL;
2369 tls_out.active = fd;
2378 tls_refill(unsigned lim)
2383 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
2384 ssl_xfer_buffer, ssl_xfer_buffer_size);
2386 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
2387 inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer,
2388 MIN(ssl_xfer_buffer_size, lim));
2389 error = SSL_get_error(server_ssl, inbytes);
2392 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
2393 closed down, not that the socket itself has been closed down. Revert to
2394 non-SSL handling. */
2396 if (error == SSL_ERROR_ZERO_RETURN)
2398 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2400 receive_getc = smtp_getc;
2401 receive_getbuf = smtp_getbuf;
2402 receive_get_cache = smtp_get_cache;
2403 receive_ungetc = smtp_ungetc;
2404 receive_feof = smtp_feof;
2405 receive_ferror = smtp_ferror;
2406 receive_smtp_buffered = smtp_buffered;
2408 SSL_free(server_ssl);
2412 tls_in.cipher = NULL;
2413 tls_in.peerdn = NULL;
2419 /* Handle genuine errors */
2421 else if (error == SSL_ERROR_SSL)
2423 ERR_error_string(ERR_get_error(), ssl_errstring);
2424 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
2429 else if (error != SSL_ERROR_NONE)
2431 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
2436 #ifndef DISABLE_DKIM
2437 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
2439 ssl_xfer_buffer_hwm = inbytes;
2440 ssl_xfer_buffer_lwm = 0;
2445 /*************************************************
2446 * TLS version of getc *
2447 *************************************************/
2449 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
2450 it refills the buffer via the SSL reading function.
2452 Arguments: lim Maximum amount to read/buffer
2453 Returns: the next character or EOF
2455 Only used by the server-side TLS.
2459 tls_getc(unsigned lim)
2461 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
2462 if (!tls_refill(lim))
2463 return ssl_xfer_error ? EOF : smtp_getc(lim);
2465 /* Something in the buffer; return next uschar */
2467 return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
2471 tls_getbuf(unsigned * len)
2476 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
2477 if (!tls_refill(*len))
2479 if (!ssl_xfer_error) return smtp_getbuf(len);
2484 if ((size = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm) > *len)
2486 buf = &ssl_xfer_buffer[ssl_xfer_buffer_lwm];
2487 ssl_xfer_buffer_lwm += size;
2496 #ifndef DISABLE_DKIM
2497 int n = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm;
2499 dkim_exim_verify_feed(ssl_xfer_buffer+ssl_xfer_buffer_lwm, n);
2505 tls_could_read(void)
2507 return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm || SSL_pending(server_ssl) > 0;
2511 /*************************************************
2512 * Read bytes from TLS channel *
2513 *************************************************/
2520 Returns: the number of bytes read
2521 -1 after a failed read
2523 Only used by the client-side TLS.
2527 tls_read(BOOL is_server, uschar *buff, size_t len)
2529 SSL *ssl = is_server ? server_ssl : client_ssl;
2533 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
2534 buff, (unsigned int)len);
2536 inbytes = SSL_read(ssl, CS buff, len);
2537 error = SSL_get_error(ssl, inbytes);
2539 if (error == SSL_ERROR_ZERO_RETURN)
2541 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2544 else if (error != SSL_ERROR_NONE)
2554 /*************************************************
2555 * Write bytes down TLS channel *
2556 *************************************************/
2560 is_server channel specifier
2563 more further data expected soon
2565 Returns: the number of bytes after a successful write,
2566 -1 after a failed write
2568 Used by both server-side and client-side TLS.
2572 tls_write(BOOL is_server, const uschar *buff, size_t len, BOOL more)
2574 int outbytes, error, left;
2575 SSL *ssl = is_server ? server_ssl : client_ssl;
2576 static gstring * corked = NULL;
2578 DEBUG(D_tls) debug_printf("%s(%p, %lu%s)\n", __FUNCTION__,
2579 buff, (unsigned long)len, more ? ", more" : "");
2581 /* Lacking a CORK or MSG_MORE facility (such as GnuTLS has) we copy data when
2582 "more" is notified. This hack is only ok if small amounts are involved AND only
2583 one stream does it, in one context (i.e. no store reset). Currently it is used
2584 for the responses to the received SMTP MAIL , RCPT, DATA sequence, only. */
2586 if (is_server && (more || corked))
2588 corked = string_catn(corked, buff, len);
2591 buff = CUS corked->s;
2596 for (left = len; left > 0;)
2598 DEBUG(D_tls) debug_printf("SSL_write(SSL, %p, %d)\n", buff, left);
2599 outbytes = SSL_write(ssl, CS buff, left);
2600 error = SSL_get_error(ssl, outbytes);
2601 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
2605 ERR_error_string(ERR_get_error(), ssl_errstring);
2606 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
2609 case SSL_ERROR_NONE:
2614 case SSL_ERROR_ZERO_RETURN:
2615 log_write(0, LOG_MAIN, "SSL channel closed on write");
2618 case SSL_ERROR_SYSCALL:
2619 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
2620 sender_fullhost ? sender_fullhost : US"<unknown>",
2625 log_write(0, LOG_MAIN, "SSL_write error %d", error);
2634 /*************************************************
2635 * Close down a TLS session *
2636 *************************************************/
2638 /* This is also called from within a delivery subprocess forked from the
2639 daemon, to shut down the TLS library, without actually doing a shutdown (which
2640 would tamper with the SSL session in the parent process).
2642 Arguments: TRUE if SSL_shutdown is to be called
2645 Used by both server-side and client-side TLS.
2649 tls_close(BOOL is_server, BOOL shutdown)
2651 SSL **sslp = is_server ? &server_ssl : &client_ssl;
2652 int *fdp = is_server ? &tls_in.active : &tls_out.active;
2654 if (*fdp < 0) return; /* TLS was not active */
2658 DEBUG(D_tls) debug_printf("tls_close(): shutting down SSL\n");
2659 SSL_shutdown(*sslp);
2671 /*************************************************
2672 * Let tls_require_ciphers be checked at startup *
2673 *************************************************/
2675 /* The tls_require_ciphers option, if set, must be something which the
2678 Returns: NULL on success, or error message
2682 tls_validate_require_cipher(void)
2685 uschar *s, *expciphers, *err;
2687 /* this duplicates from tls_init(), we need a better "init just global
2688 state, for no specific purpose" singleton function of our own */
2690 SSL_load_error_strings();
2691 OpenSSL_add_ssl_algorithms();
2692 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
2693 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
2694 list of available digests. */
2695 EVP_add_digest(EVP_sha256());
2698 if (!(tls_require_ciphers && *tls_require_ciphers))
2701 if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
2703 return US"failed to expand tls_require_ciphers";
2705 if (!(expciphers && *expciphers))
2708 /* normalisation ripped from above */
2710 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
2714 ctx = SSL_CTX_new(SSLv23_server_method());
2717 ERR_error_string(ERR_get_error(), ssl_errstring);
2718 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
2722 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
2724 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
2726 ERR_error_string(ERR_get_error(), ssl_errstring);
2727 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed: %s",
2728 expciphers, ssl_errstring);
2739 /*************************************************
2740 * Report the library versions. *
2741 *************************************************/
2743 /* There have historically been some issues with binary compatibility in
2744 OpenSSL libraries; if Exim (like many other applications) is built against
2745 one version of OpenSSL but the run-time linker picks up another version,
2746 it can result in serious failures, including crashing with a SIGSEGV. So
2747 report the version found by the compiler and the run-time version.
2749 Note: some OS vendors backport security fixes without changing the version
2750 number/string, and the version date remains unchanged. The _build_ date
2751 will change, so we can more usefully assist with version diagnosis by also
2752 reporting the build date.
2754 Arguments: a FILE* to print the results to
2759 tls_version_report(FILE *f)
2761 fprintf(f, "Library version: OpenSSL: Compile: %s\n"
2764 OPENSSL_VERSION_TEXT,
2765 SSLeay_version(SSLEAY_VERSION),
2766 SSLeay_version(SSLEAY_BUILT_ON));
2767 /* third line is 38 characters for the %s and the line is 73 chars long;
2768 the OpenSSL output includes a "built on: " prefix already. */
2774 /*************************************************
2775 * Random number generation *
2776 *************************************************/
2778 /* Pseudo-random number generation. The result is not expected to be
2779 cryptographically strong but not so weak that someone will shoot themselves
2780 in the foot using it as a nonce in input in some email header scheme or
2781 whatever weirdness they'll twist this into. The result should handle fork()
2782 and avoid repeating sequences. OpenSSL handles that for us.
2786 Returns a random number in range [0, max-1]
2790 vaguely_random_number(int max)
2794 static pid_t pidlast = 0;
2797 uschar smallbuf[sizeof(r)];
2803 if (pidnow != pidlast)
2805 /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
2806 is unique for each thread", this doesn't apparently apply across processes,
2807 so our own warning from vaguely_random_number_fallback() applies here too.
2808 Fix per PostgreSQL. */
2814 /* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
2818 gettimeofday(&r.tv, NULL);
2821 RAND_seed(US (&r), sizeof(r));
2823 /* We're after pseudo-random, not random; if we still don't have enough data
2824 in the internal PRNG then our options are limited. We could sleep and hope
2825 for entropy to come along (prayer technique) but if the system is so depleted
2826 in the first place then something is likely to just keep taking it. Instead,
2827 we'll just take whatever little bit of pseudo-random we can still manage to
2830 needed_len = sizeof(r);
2831 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
2832 asked for a number less than 10. */
2833 for (r = max, i = 0; r; ++i)
2839 #ifdef EXIM_HAVE_RAND_PSEUDO
2840 /* We do not care if crypto-strong */
2841 i = RAND_pseudo_bytes(smallbuf, needed_len);
2843 i = RAND_bytes(smallbuf, needed_len);
2849 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
2850 return vaguely_random_number_fallback(max);
2854 for (p = smallbuf; needed_len; --needed_len, ++p)
2860 /* We don't particularly care about weighted results; if someone wants
2861 smooth distribution and cares enough then they should submit a patch then. */
2868 /*************************************************
2869 * OpenSSL option parse *
2870 *************************************************/
2872 /* Parse one option for tls_openssl_options_parse below
2875 name one option name
2876 value place to store a value for it
2877 Returns success or failure in parsing
2880 struct exim_openssl_option {
2884 /* We could use a macro to expand, but we need the ifdef and not all the
2885 options document which version they were introduced in. Policylet: include
2886 all options unless explicitly for DTLS, let the administrator choose which
2889 This list is current as of:
2891 Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
2893 static struct exim_openssl_option exim_openssl_options[] = {
2894 /* KEEP SORTED ALPHABETICALLY! */
2896 { US"all", SSL_OP_ALL },
2898 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
2899 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
2901 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
2902 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
2904 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
2905 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
2907 #ifdef SSL_OP_EPHEMERAL_RSA
2908 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
2910 #ifdef SSL_OP_LEGACY_SERVER_CONNECT
2911 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
2913 #ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
2914 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
2916 #ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
2917 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
2919 #ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
2920 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
2922 #ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
2923 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
2925 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
2926 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
2928 #ifdef SSL_OP_NO_COMPRESSION
2929 { US"no_compression", SSL_OP_NO_COMPRESSION },
2931 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
2932 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
2934 #ifdef SSL_OP_NO_SSLv2
2935 { US"no_sslv2", SSL_OP_NO_SSLv2 },
2937 #ifdef SSL_OP_NO_SSLv3
2938 { US"no_sslv3", SSL_OP_NO_SSLv3 },
2940 #ifdef SSL_OP_NO_TICKET
2941 { US"no_ticket", SSL_OP_NO_TICKET },
2943 #ifdef SSL_OP_NO_TLSv1
2944 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
2946 #ifdef SSL_OP_NO_TLSv1_1
2947 #if SSL_OP_NO_TLSv1_1 == 0x00000400L
2948 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
2949 #warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
2951 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
2954 #ifdef SSL_OP_NO_TLSv1_2
2955 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
2957 #ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
2958 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
2960 #ifdef SSL_OP_SINGLE_DH_USE
2961 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
2963 #ifdef SSL_OP_SINGLE_ECDH_USE
2964 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
2966 #ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
2967 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
2969 #ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
2970 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
2972 #ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
2973 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
2975 #ifdef SSL_OP_TLS_D5_BUG
2976 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
2978 #ifdef SSL_OP_TLS_ROLLBACK_BUG
2979 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
2982 static int exim_openssl_options_size =
2983 sizeof(exim_openssl_options)/sizeof(struct exim_openssl_option);
2987 tls_openssl_one_option_parse(uschar *name, long *value)
2990 int last = exim_openssl_options_size;
2991 while (last > first)
2993 int middle = (first + last)/2;
2994 int c = Ustrcmp(name, exim_openssl_options[middle].name);
2997 *value = exim_openssl_options[middle].value;
3011 /*************************************************
3012 * OpenSSL option parsing logic *
3013 *************************************************/
3015 /* OpenSSL has a number of compatibility options which an administrator might
3016 reasonably wish to set. Interpret a list similarly to decode_bits(), so that
3017 we look like log_selector.
3020 option_spec the administrator-supplied string of options
3021 results ptr to long storage for the options bitmap
3022 Returns success or failure
3026 tls_openssl_options_parse(uschar *option_spec, long *results)
3031 BOOL adding, item_parsed;
3033 result = SSL_OP_NO_TICKET;
3034 /* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
3035 * from default because it increases BEAST susceptibility. */
3036 #ifdef SSL_OP_NO_SSLv2
3037 result |= SSL_OP_NO_SSLv2;
3039 #ifdef SSL_OP_SINGLE_DH_USE
3040 result |= SSL_OP_SINGLE_DH_USE;
3049 for (s=option_spec; *s != '\0'; /**/)
3051 while (isspace(*s)) ++s;
3054 if (*s != '+' && *s != '-')
3056 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
3057 "+ or - expected but found \"%s\"\n", s);
3060 adding = *s++ == '+';
3061 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
3064 item_parsed = tls_openssl_one_option_parse(s, &item);
3068 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
3071 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
3072 adding ? "adding" : "removing", result, item, s);
3086 /* End of tls-openssl.c */
git://git.exim.org / exim.git / blob