1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2015 */
6 /* See the file NOTICE for conditions of use and distribution. */
8 /* Portions Copyright (c) The OpenSSL Project 1999 */
10 /* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11 library. It is #included into the tls.c file when that library is used. The
12 code herein is based on a patch that was originally contributed by Steve
13 Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
15 No cryptographic code is included in Exim. All this module does is to call
16 functions from the OpenSSL library. */
21 #include <openssl/lhash.h>
22 #include <openssl/ssl.h>
23 #include <openssl/err.h>
24 #include <openssl/rand.h>
25 #ifndef OPENSSL_NO_ECDH
26 # include <openssl/ec.h>
29 # include <openssl/ocsp.h>
31 #ifdef EXPERIMENTAL_DANE
37 # define EXIM_OCSP_SKEW_SECONDS (300L)
38 # define EXIM_OCSP_MAX_AGE (-1L)
41 #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
42 # define EXIM_HAVE_OPENSSL_TLSEXT
46 * X509_check_host provides sane certificate hostname checking, but was added
47 * to OpenSSL late, after other projects forked off the code-base. So in
48 * addition to guarding against the base version number, beware that LibreSSL
49 * does not (at this time) support this function.
51 * If LibreSSL gains a different API, perhaps via libtls, then we'll probably
52 * opt to disentangle and ask a LibreSSL user to provide glue for a third
53 * crypto provider for libtls instead of continuing to tie the OpenSSL glue
54 * into even twistier knots. If LibreSSL gains the same API, we can just
55 * change this guard and punt the issue for a while longer.
57 #ifndef LIBRESSL_VERSION_NUMBER
58 # if OPENSSL_VERSION_NUMBER >= 0x010100000L
59 # define EXIM_HAVE_OPENSSL_CHECKHOST
61 # if OPENSSL_VERSION_NUMBER >= 0x010000000L \
62 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
63 # define EXIM_HAVE_OPENSSL_CHECKHOST
66 # if !defined(OPENSSL_NO_ECDH)
67 # if OPENSSL_VERSION_NUMBER >= 0x0090800fL
68 # define EXIM_HAVE_ECDH
70 # if OPENSSL_VERSION_NUMBER >= 0x10002000L
71 # define EXIM_HAVE_OPENSSL_ECDH_AUTO
72 # define EXIM_HAVE_OPENSSL_EC_NIST2NID
77 #if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
78 # warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
82 /* Structure for collecting random data for seeding. */
84 typedef struct randstuff {
89 /* Local static variables */
91 static BOOL client_verify_callback_called = FALSE;
92 static BOOL server_verify_callback_called = FALSE;
93 static const uschar *sid_ctx = US"exim";
95 /* We have three different contexts to care about.
97 Simple case: client, `client_ctx`
98 As a client, we can be doing a callout or cut-through delivery while receiving
99 a message. So we have a client context, which should have options initialised
100 from the SMTP Transport.
103 There are two cases: with and without ServerNameIndication from the client.
104 Given TLS SNI, we can be using different keys, certs and various other
105 configuration settings, because they're re-expanded with $tls_sni set. This
106 allows vhosting with TLS. This SNI is sent in the handshake.
107 A client might not send SNI, so we need a fallback, and an initial setup too.
108 So as a server, we start out using `server_ctx`.
109 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
110 `server_sni` from `server_ctx` and then initialise settings by re-expanding
114 static SSL_CTX *client_ctx = NULL;
115 static SSL_CTX *server_ctx = NULL;
116 static SSL *client_ssl = NULL;
117 static SSL *server_ssl = NULL;
119 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
120 static SSL_CTX *server_sni = NULL;
123 static char ssl_errstring[256];
125 static int ssl_session_timeout = 200;
126 static BOOL client_verify_optional = FALSE;
127 static BOOL server_verify_optional = FALSE;
129 static BOOL reexpand_tls_files_for_sni = FALSE;
132 typedef struct tls_ext_ctx_cb {
140 uschar *file_expanded;
141 OCSP_RESPONSE *response;
144 X509_STORE *verify_store; /* non-null if status requested */
145 BOOL verify_required;
150 /* these are cached from first expand */
151 uschar *server_cipher_list;
152 /* only passed down to tls_error: */
154 const uschar * verify_cert_hostnames;
155 #ifndef DISABLE_EVENT
156 uschar * event_action;
160 /* should figure out a cleanup of API to handle state preserved per
161 implementation, for various reasons, which can be void * in the APIs.
162 For now, we hack around it. */
163 tls_ext_ctx_cb *client_static_cbinfo = NULL;
164 tls_ext_ctx_cb *server_static_cbinfo = NULL;
167 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
168 int (*cert_vfy_cb)(int, X509_STORE_CTX *) );
171 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
172 static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
175 static int tls_server_stapling_cb(SSL *s, void *arg);
179 /*************************************************
181 *************************************************/
183 /* Called from lots of places when errors occur before actually starting to do
184 the TLS handshake, that is, while the session is still in clear. Always returns
185 DEFER for a server and FAIL for a client so that most calls can use "return
186 tls_error(...)" to do this processing and then give an appropriate return. A
187 single function is used for both server and client, because it is called from
188 some shared functions.
191 prefix text to include in the logged error
192 host NULL if setting up a server;
193 the connected host if setting up a client
194 msg error message or NULL if we should ask OpenSSL
196 Returns: OK/DEFER/FAIL
200 tls_error(uschar * prefix, const host_item * host, uschar * msg)
204 ERR_error_string(ERR_get_error(), ssl_errstring);
205 msg = (uschar *)ssl_errstring;
210 log_write(0, LOG_MAIN, "H=%s [%s] TLS error on connection (%s): %s",
211 host->name, host->address, prefix, msg);
216 uschar *conn_info = smtp_get_connection_info();
217 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0)
219 /* I'd like to get separated H= here, but too hard for now */
220 log_write(0, LOG_MAIN, "TLS error on %s (%s): %s",
221 conn_info, prefix, msg);
228 /*************************************************
229 * Callback to generate RSA key *
230 *************************************************/
238 Returns: pointer to generated key
242 rsa_callback(SSL *s, int export, int keylength)
245 export = export; /* Shut picky compilers up */
246 DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
247 rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL);
250 ERR_error_string(ERR_get_error(), ssl_errstring);
251 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
263 x509_store_dump_cert_s_names(X509_STORE * store)
265 STACK_OF(X509_OBJECT) * roots= store->objs;
267 static uschar name[256];
269 for(i= 0; i<sk_X509_OBJECT_num(roots); i++)
271 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
272 if(tmp_obj->type == X509_LU_X509)
274 X509 * current_cert= tmp_obj->data.x509;
275 X509_NAME_oneline(X509_get_subject_name(current_cert), CS name, sizeof(name));
276 name[sizeof(name)-1] = '\0';
277 debug_printf(" %s\n", name);
285 #ifndef DISABLE_EVENT
287 verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
288 BOOL *calledp, const BOOL *optionalp, const uschar * what)
294 ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
297 DEBUG(D_tls) debug_printf("verify_event: %s %d\n", what, depth);
298 old_cert = tlsp->peercert;
299 tlsp->peercert = X509_dup(cert);
300 /* NB we do not bother setting peerdn */
301 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
303 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
304 "depth=%d cert=%s: %s",
305 tlsp == &tls_out ? deliver_host_address : sender_host_address,
306 what, depth, dn, yield);
310 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
311 return 1; /* reject (leaving peercert set) */
313 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
314 "(host in tls_try_verify_hosts)\n");
316 X509_free(tlsp->peercert);
317 tlsp->peercert = old_cert;
323 /*************************************************
324 * Callback for verification *
325 *************************************************/
327 /* The SSL library does certificate verification if set up to do so. This
328 callback has the current yes/no state is in "state". If verification succeeded,
329 we set the certificate-verified flag. If verification failed, what happens
330 depends on whether the client is required to present a verifiable certificate
333 If verification is optional, we change the state to yes, but still log the
334 verification error. For some reason (it really would help to have proper
335 documentation of OpenSSL), this callback function then gets called again, this
336 time with state = 1. We must take care not to set the private verified flag on
337 the second time through.
339 Note: this function is not called if the client fails to present a certificate
340 when asked. We get here only if a certificate has been received. Handling of
341 optional verification for this case is done when requesting SSL to verify, by
342 setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
344 May be called multiple times for different issues with a certificate, even
345 for a given "depth" in the certificate chain.
348 preverify_ok current yes/no state as 1/0
349 x509ctx certificate information.
350 tlsp per-direction (client vs. server) support data
351 calledp has-been-called flag
352 optionalp verification-is-optional flag
354 Returns: 0 if verification should fail, otherwise 1
358 verify_callback(int preverify_ok, X509_STORE_CTX *x509ctx,
359 tls_support *tlsp, BOOL *calledp, BOOL *optionalp)
361 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
362 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
365 X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn));
366 dn[sizeof(dn)-1] = '\0';
368 if (preverify_ok == 0)
370 log_write(0, LOG_MAIN, "[%s] SSL verify error: depth=%d error=%s cert=%s",
371 tlsp == &tls_out ? deliver_host_address : sender_host_address,
373 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)),
379 tlsp->peercert = X509_dup(cert); /* record failing cert */
380 return 0; /* reject */
382 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
383 "tls_try_verify_hosts)\n");
388 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
390 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
391 { /* client, wanting stapling */
392 /* Add the server cert's signing chain as the one
393 for the verification of the OCSP stapled information. */
395 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
400 #ifndef DISABLE_EVENT
401 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
402 return 0; /* reject, with peercert set */
407 const uschar * verify_cert_hostnames;
409 if ( tlsp == &tls_out
410 && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
411 /* client, wanting hostname check */
414 #ifdef EXIM_HAVE_OPENSSL_CHECKHOST
415 # ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
416 # define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
418 # ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
419 # define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
422 const uschar * list = verify_cert_hostnames;
425 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
426 if ((rc = X509_check_host(cert, CCS name, 0,
427 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
428 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
433 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
434 tlsp == &tls_out ? deliver_host_address : sender_host_address);
441 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
444 log_write(0, LOG_MAIN,
445 "[%s] SSL verify error: certificate name mismatch: \"%s\"",
446 tlsp == &tls_out ? deliver_host_address : sender_host_address,
452 tlsp->peercert = X509_dup(cert); /* record failing cert */
453 return 0; /* reject */
455 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
456 "tls_try_verify_hosts)\n");
460 #ifndef DISABLE_EVENT
461 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
462 return 0; /* reject, with peercert set */
465 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
466 *calledp ? "" : " authenticated", dn);
467 if (!*calledp) tlsp->certificate_verified = TRUE;
471 return 1; /* accept, at least for this level */
475 verify_callback_client(int preverify_ok, X509_STORE_CTX *x509ctx)
477 return verify_callback(preverify_ok, x509ctx, &tls_out,
478 &client_verify_callback_called, &client_verify_optional);
482 verify_callback_server(int preverify_ok, X509_STORE_CTX *x509ctx)
484 return verify_callback(preverify_ok, x509ctx, &tls_in,
485 &server_verify_callback_called, &server_verify_optional);
489 #ifdef EXPERIMENTAL_DANE
491 /* This gets called *by* the dane library verify callback, which interposes
495 verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
497 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
499 #ifndef DISABLE_EVENT
500 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
501 BOOL dummy_called, optional = FALSE;
504 X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn));
505 dn[sizeof(dn)-1] = '\0';
507 DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
508 preverify_ok ? "ok":"BAD", depth, dn);
510 #ifndef DISABLE_EVENT
511 if (verify_event(&tls_out, cert, depth, dn,
512 &dummy_called, &optional, US"DANE"))
513 return 0; /* reject, with peercert set */
516 if (preverify_ok == 1)
517 tls_out.dane_verified =
518 tls_out.certificate_verified = TRUE;
521 int err = X509_STORE_CTX_get_error(x509ctx);
523 debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
524 if (err == X509_V_ERR_APPLICATION_VERIFICATION)
530 #endif /*EXPERIMENTAL_DANE*/
533 /*************************************************
534 * Information callback *
535 *************************************************/
537 /* The SSL library functions call this from time to time to indicate what they
538 are doing. We copy the string to the debugging output when TLS debugging has
550 info_callback(SSL *s, int where, int ret)
554 DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
559 /*************************************************
560 * Initialize for DH *
561 *************************************************/
563 /* If dhparam is set, expand it, and load up the parameters for DH encryption.
566 sctx The current SSL CTX (inbound or outbound)
567 dhparam DH parameter file or fixed parameter identity string
568 host connected host, if client; NULL if server
570 Returns: TRUE if OK (nothing to set up, or setup worked)
574 init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host)
581 if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded))
584 if (!dhexpanded || !*dhexpanded)
585 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
586 else if (dhexpanded[0] == '/')
588 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
590 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
591 host, US strerror(errno));
597 if (Ustrcmp(dhexpanded, "none") == 0)
599 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
603 if (!(pem = std_dh_prime_named(dhexpanded)))
605 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
606 host, US strerror(errno));
609 bio = BIO_new_mem_buf(CS pem, -1);
612 if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
615 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
620 /* Even if it is larger, we silently return success rather than cause things
621 * to fail out, so that a too-large DH will not knock out all TLS; it's a
622 * debatable choice. */
623 if ((8*DH_size(dh)) > tls_dh_max_bits)
626 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d",
627 8*DH_size(dh), tls_dh_max_bits);
631 SSL_CTX_set_tmp_dh(sctx, dh);
633 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
634 dhexpanded ? dhexpanded : US"default", 8*DH_size(dh));
646 /*************************************************
647 * Initialize for ECDH *
648 *************************************************/
650 /* Load parameters for ECDH encryption.
652 For now, we stick to NIST P-256 because: it's simple and easy to configure;
653 it avoids any patent issues that might bite redistributors; despite events in
654 the news and concerns over curve choices, we're not cryptographers, we're not
655 pretending to be, and this is "good enough" to be better than no support,
656 protecting against most adversaries. Given another year or two, there might
657 be sufficient clarity about a "right" way forward to let us make an informed
658 decision, instead of a knee-jerk reaction.
660 Longer-term, we should look at supporting both various named curves and
661 external files generated with "openssl ecparam", much as we do for init_dh().
662 We should also support "none" as a value, to explicitly avoid initialisation.
667 sctx The current SSL CTX (inbound or outbound)
668 host connected host, if client; NULL if server
670 Returns: TRUE if OK (nothing to set up, or setup worked)
674 init_ecdh(SSL_CTX * sctx, host_item * host)
676 #ifdef OPENSSL_NO_ECDH
685 if (host) /* No ECDH setup for clients, only for servers */
688 # ifndef EXIM_HAVE_ECDH
690 debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
694 if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve))
696 if (!exp_curve || !*exp_curve)
699 # ifdef EXIM_HAVE_OPENSSL_ECDH_AUTO
700 /* check if new enough library to support auto ECDH temp key parameter selection */
701 if (Ustrcmp(exp_curve, "auto") == 0)
703 DEBUG(D_tls) debug_printf(
704 "ECDH temp key parameter settings: OpenSSL 1.2+ autoselection\n");
705 SSL_CTX_set_ecdh_auto(sctx, 1);
710 DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve);
711 if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef
712 # ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
713 && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef
717 tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'",
723 if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
725 tls_error(US"Unable to create ec curve", host, NULL);
729 /* The "tmp" in the name here refers to setting a temporary key
730 not to the stability of the interface. */
732 if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
733 tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL);
735 DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
740 # endif /*EXIM_HAVE_ECDH*/
741 #endif /*OPENSSL_NO_ECDH*/
748 /*************************************************
749 * Load OCSP information into state *
750 *************************************************/
752 /* Called to load the server OCSP response from the given file into memory, once
753 caller has determined this is needed. Checks validity. Debugs a message
756 ASSUMES: single response, for single cert.
759 sctx the SSL_CTX* to update
760 cbinfo various parts of session state
761 expanded the filename putatively holding an OCSP response
766 ocsp_load_response(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo, const uschar *expanded)
770 OCSP_BASICRESP *basic_response;
771 OCSP_SINGLERESP *single_response;
772 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
774 unsigned long verify_flags;
775 int status, reason, i;
777 cbinfo->u_ocsp.server.file_expanded = string_copy(expanded);
778 if (cbinfo->u_ocsp.server.response)
780 OCSP_RESPONSE_free(cbinfo->u_ocsp.server.response);
781 cbinfo->u_ocsp.server.response = NULL;
784 bio = BIO_new_file(CS cbinfo->u_ocsp.server.file_expanded, "rb");
787 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
788 cbinfo->u_ocsp.server.file_expanded);
792 resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
796 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
800 status = OCSP_response_status(resp);
801 if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL)
803 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
804 OCSP_response_status_str(status), status);
808 basic_response = OCSP_response_get1_basic(resp);
812 debug_printf("OCSP response parse error: unable to extract basic response.\n");
816 store = SSL_CTX_get_cert_store(sctx);
817 verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
819 /* May need to expose ability to adjust those flags?
820 OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
821 OCSP_TRUSTOTHER OCSP_NOINTERN */
823 i = OCSP_basic_verify(basic_response, NULL, store, verify_flags);
827 ERR_error_string(ERR_get_error(), ssl_errstring);
828 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
833 /* Here's the simplifying assumption: there's only one response, for the
834 one certificate we use, and nothing for anything else in a chain. If this
835 proves false, we need to extract a cert id from our issued cert
836 (tls_certificate) and use that for OCSP_resp_find_status() (which finds the
837 right cert in the stack and then calls OCSP_single_get0_status()).
839 I'm hoping to avoid reworking a bunch more of how we handle state here. */
840 single_response = OCSP_resp_get0(basic_response, 0);
841 if (!single_response)
844 debug_printf("Unable to get first response from OCSP basic response.\n");
848 status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
849 if (status != V_OCSP_CERTSTATUS_GOOD)
851 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
852 OCSP_cert_status_str(status), status,
853 OCSP_crl_reason_str(reason), reason);
857 if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
859 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
864 cbinfo->u_ocsp.server.response = resp;
868 if (running_in_test_harness)
870 extern char ** environ;
872 for (p = USS environ; *p != NULL; p++)
873 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
875 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
876 goto supply_response;
881 #endif /*!DISABLE_OCSP*/
886 /*************************************************
887 * Expand key and cert file specs *
888 *************************************************/
890 /* Called once during tls_init and possibly again during TLS setup, for a
891 new context, if Server Name Indication was used and tls_sni was seen in
892 the certificate string.
895 sctx the SSL_CTX* to update
896 cbinfo various parts of session state
898 Returns: OK/DEFER/FAIL
902 tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo)
906 if (cbinfo->certificate == NULL)
909 if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
910 Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
911 Ustrstr(cbinfo->certificate, US"tls_out_sni")
913 reexpand_tls_files_for_sni = TRUE;
915 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded))
918 if (expanded != NULL)
920 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded);
921 if (!SSL_CTX_use_certificate_chain_file(sctx, CS expanded))
922 return tls_error(string_sprintf(
923 "SSL_CTX_use_certificate_chain_file file=%s", expanded),
927 if (cbinfo->privatekey != NULL &&
928 !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded))
931 /* If expansion was forced to fail, key_expanded will be NULL. If the result
932 of the expansion is an empty string, ignore it also, and assume the private
933 key is in the same file as the certificate. */
935 if (expanded && *expanded)
937 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
938 if (!SSL_CTX_use_PrivateKey_file(sctx, CS expanded, SSL_FILETYPE_PEM))
939 return tls_error(string_sprintf(
940 "SSL_CTX_use_PrivateKey_file file=%s", expanded), cbinfo->host, NULL);
944 if (cbinfo->is_server && cbinfo->u_ocsp.server.file)
946 if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded))
949 if (expanded && *expanded)
951 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
952 if ( cbinfo->u_ocsp.server.file_expanded
953 && (Ustrcmp(expanded, cbinfo->u_ocsp.server.file_expanded) == 0))
955 DEBUG(D_tls) debug_printf(" - value unchanged, using existing values\n");
959 ocsp_load_response(sctx, cbinfo, expanded);
971 /*************************************************
972 * Callback to handle SNI *
973 *************************************************/
975 /* Called when acting as server during the TLS session setup if a Server Name
976 Indication extension was sent by the client.
978 API documentation is OpenSSL s_server.c implementation.
981 s SSL* of the current session
982 ad unknown (part of OpenSSL API) (unused)
983 arg Callback of "our" registered data
985 Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
988 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
990 tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
992 const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
993 tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
995 int old_pool = store_pool;
998 return SSL_TLSEXT_ERR_OK;
1000 DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
1001 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
1003 /* Make the extension value available for expansion */
1004 store_pool = POOL_PERM;
1005 tls_in.sni = string_copy(US servername);
1006 store_pool = old_pool;
1008 if (!reexpand_tls_files_for_sni)
1009 return SSL_TLSEXT_ERR_OK;
1011 /* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
1012 not confident that memcpy wouldn't break some internal reference counting.
1013 Especially since there's a references struct member, which would be off. */
1015 if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
1017 ERR_error_string(ERR_get_error(), ssl_errstring);
1018 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
1019 return SSL_TLSEXT_ERR_NOACK;
1022 /* Not sure how many of these are actually needed, since SSL object
1023 already exists. Might even need this selfsame callback, for reneg? */
1025 SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
1026 SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
1027 SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
1028 SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
1029 SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
1030 SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
1032 if ( !init_dh(server_sni, cbinfo->dhparam, NULL)
1033 || !init_ecdh(server_sni, NULL)
1035 return SSL_TLSEXT_ERR_NOACK;
1037 if (cbinfo->server_cipher_list)
1038 SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list);
1039 #ifndef DISABLE_OCSP
1040 if (cbinfo->u_ocsp.server.file)
1042 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
1043 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
1047 rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE, verify_callback_server);
1048 if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
1050 /* do this after setup_certs, because this can require the certs for verifying
1051 OCSP information. */
1052 if ((rc = tls_expand_session_files(server_sni, cbinfo)) != OK)
1053 return SSL_TLSEXT_ERR_NOACK;
1055 DEBUG(D_tls) debug_printf("Switching SSL context.\n");
1056 SSL_set_SSL_CTX(s, server_sni);
1058 return SSL_TLSEXT_ERR_OK;
1060 #endif /* EXIM_HAVE_OPENSSL_TLSEXT */
1065 #ifndef DISABLE_OCSP
1067 /*************************************************
1068 * Callback to handle OCSP Stapling *
1069 *************************************************/
1071 /* Called when acting as server during the TLS session setup if the client
1072 requests OCSP information with a Certificate Status Request.
1074 Documentation via openssl s_server.c and the Apache patch from the OpenSSL
1080 tls_server_stapling_cb(SSL *s, void *arg)
1082 const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
1083 uschar *response_der;
1084 int response_der_len;
1087 debug_printf("Received TLS status request (OCSP stapling); %s response\n",
1088 cbinfo->u_ocsp.server.response ? "have" : "lack");
1090 tls_in.ocsp = OCSP_NOT_RESP;
1091 if (!cbinfo->u_ocsp.server.response)
1092 return SSL_TLSEXT_ERR_NOACK;
1094 response_der = NULL;
1095 response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response,
1097 if (response_der_len <= 0)
1098 return SSL_TLSEXT_ERR_NOACK;
1100 SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
1101 tls_in.ocsp = OCSP_VFIED;
1102 return SSL_TLSEXT_ERR_OK;
1107 time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
1109 BIO_printf(bp, "\t%s: ", str);
1110 ASN1_GENERALIZEDTIME_print(bp, time);
1115 tls_client_stapling_cb(SSL *s, void *arg)
1117 tls_ext_ctx_cb * cbinfo = arg;
1118 const unsigned char * p;
1120 OCSP_RESPONSE * rsp;
1121 OCSP_BASICRESP * bs;
1124 DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
1125 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1128 /* Expect this when we requested ocsp but got none */
1129 if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
1130 log_write(0, LOG_MAIN, "Received TLS status callback, null content");
1132 DEBUG(D_tls) debug_printf(" null\n");
1133 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1136 if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
1138 tls_out.ocsp = OCSP_FAILED;
1139 if (LOGGING(tls_cipher))
1140 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
1142 DEBUG(D_tls) debug_printf(" parse error\n");
1146 if(!(bs = OCSP_response_get1_basic(rsp)))
1148 tls_out.ocsp = OCSP_FAILED;
1149 if (LOGGING(tls_cipher))
1150 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
1152 DEBUG(D_tls) debug_printf(" error parsing response\n");
1153 OCSP_RESPONSE_free(rsp);
1157 /* We'd check the nonce here if we'd put one in the request. */
1158 /* However that would defeat cacheability on the server so we don't. */
1160 /* This section of code reworked from OpenSSL apps source;
1161 The OpenSSL Project retains copyright:
1162 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
1167 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1169 DEBUG(D_tls) bp = BIO_new_fp(stderr, BIO_NOCLOSE);
1171 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
1173 /* Use the chain that verified the server cert to verify the stapled info */
1174 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
1176 if ((i = OCSP_basic_verify(bs, NULL,
1177 cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
1179 tls_out.ocsp = OCSP_FAILED;
1180 if (LOGGING(tls_cipher))
1181 log_write(0, LOG_MAIN, "Received TLS cert status response, itself unverifiable");
1182 BIO_printf(bp, "OCSP response verify failure\n");
1183 ERR_print_errors(bp);
1184 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1188 BIO_printf(bp, "OCSP response well-formed and signed OK\n");
1191 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
1192 OCSP_SINGLERESP * single;
1194 if (sk_OCSP_SINGLERESP_num(sresp) != 1)
1196 tls_out.ocsp = OCSP_FAILED;
1197 log_write(0, LOG_MAIN, "OCSP stapling "
1198 "with multiple responses not handled");
1199 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1202 single = OCSP_resp_get0(bs, 0);
1203 status = OCSP_single_get0_status(single, &reason, &rev,
1204 &thisupd, &nextupd);
1207 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
1208 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
1209 if (!OCSP_check_validity(thisupd, nextupd,
1210 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1212 tls_out.ocsp = OCSP_FAILED;
1213 DEBUG(D_tls) ERR_print_errors(bp);
1214 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
1215 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1219 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
1220 OCSP_cert_status_str(status));
1223 case V_OCSP_CERTSTATUS_GOOD:
1224 tls_out.ocsp = OCSP_VFIED;
1227 case V_OCSP_CERTSTATUS_REVOKED:
1228 tls_out.ocsp = OCSP_FAILED;
1229 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
1230 reason != -1 ? "; reason: " : "",
1231 reason != -1 ? OCSP_crl_reason_str(reason) : "");
1232 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
1233 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1236 tls_out.ocsp = OCSP_FAILED;
1237 log_write(0, LOG_MAIN,
1238 "Server certificate status unknown, in OCSP stapling");
1239 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1247 OCSP_RESPONSE_free(rsp);
1250 #endif /*!DISABLE_OCSP*/
1253 /*************************************************
1254 * Initialize for TLS *
1255 *************************************************/
1257 /* Called from both server and client code, to do preliminary initialization
1258 of the library. We allocate and return a context structure.
1261 ctxp returned SSL context
1262 host connected host, if client; NULL if server
1263 dhparam DH parameter file
1264 certificate certificate file
1265 privatekey private key
1266 ocsp_file file of stapling info (server); flag for require ocsp (client)
1267 addr address if client; NULL if server (for some randomness)
1268 cbp place to put allocated callback context
1270 Returns: OK/DEFER/FAIL
1274 tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
1276 #ifndef DISABLE_OCSP
1279 address_item *addr, tls_ext_ctx_cb ** cbp)
1284 tls_ext_ctx_cb * cbinfo;
1286 cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
1287 cbinfo->certificate = certificate;
1288 cbinfo->privatekey = privatekey;
1289 #ifndef DISABLE_OCSP
1290 if ((cbinfo->is_server = host==NULL))
1292 cbinfo->u_ocsp.server.file = ocsp_file;
1293 cbinfo->u_ocsp.server.file_expanded = NULL;
1294 cbinfo->u_ocsp.server.response = NULL;
1297 cbinfo->u_ocsp.client.verify_store = NULL;
1299 cbinfo->dhparam = dhparam;
1300 cbinfo->server_cipher_list = NULL;
1301 cbinfo->host = host;
1302 #ifndef DISABLE_EVENT
1303 cbinfo->event_action = NULL;
1306 SSL_load_error_strings(); /* basic set up */
1307 OpenSSL_add_ssl_algorithms();
1309 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
1310 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
1311 list of available digests. */
1312 EVP_add_digest(EVP_sha256());
1315 /* Create a context.
1316 The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
1317 negotiation in the different methods; as far as I can tell, the only
1318 *_{server,client}_method which allows negotiation is SSLv23, which exists even
1319 when OpenSSL is built without SSLv2 support.
1320 By disabling with openssl_options, we can let admins re-enable with the
1323 *ctxp = SSL_CTX_new((host == NULL)?
1324 SSLv23_server_method() : SSLv23_client_method());
1326 if (*ctxp == NULL) return tls_error(US"SSL_CTX_new", host, NULL);
1328 /* It turns out that we need to seed the random number generator this early in
1329 order to get the full complement of ciphers to work. It took me roughly a day
1330 of work to discover this by experiment.
1332 On systems that have /dev/urandom, SSL may automatically seed itself from
1333 there. Otherwise, we have to make something up as best we can. Double check
1339 gettimeofday(&r.tv, NULL);
1342 RAND_seed((uschar *)(&r), sizeof(r));
1343 RAND_seed((uschar *)big_buffer, big_buffer_size);
1344 if (addr != NULL) RAND_seed((uschar *)addr, sizeof(addr));
1347 return tls_error(US"RAND_status", host,
1348 US"unable to seed random number generator");
1351 /* Set up the information callback, which outputs if debugging is at a suitable
1354 DEBUG(D_tls) SSL_CTX_set_info_callback(*ctxp, (void (*)())info_callback);
1356 /* Automatically re-try reads/writes after renegotiation. */
1357 (void) SSL_CTX_set_mode(*ctxp, SSL_MODE_AUTO_RETRY);
1359 /* Apply administrator-supplied work-arounds.
1360 Historically we applied just one requested option,
1361 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
1362 moved to an administrator-controlled list of options to specify and
1363 grandfathered in the first one as the default value for "openssl_options".
1365 No OpenSSL version number checks: the options we accept depend upon the
1366 availability of the option value macros from OpenSSL. */
1368 okay = tls_openssl_options_parse(openssl_options, &init_options);
1370 return tls_error(US"openssl_options parsing failed", host, NULL);
1374 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
1375 if (!(SSL_CTX_set_options(*ctxp, init_options)))
1376 return tls_error(string_sprintf(
1377 "SSL_CTX_set_option(%#lx)", init_options), host, NULL);
1380 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
1382 /* Initialize with DH parameters if supplied */
1383 /* Initialize ECDH temp key parameter selection */
1385 if ( !init_dh(*ctxp, dhparam, host)
1386 || !init_ecdh(*ctxp, host)
1390 /* Set up certificate and key (and perhaps OCSP info) */
1392 rc = tls_expand_session_files(*ctxp, cbinfo);
1393 if (rc != OK) return rc;
1395 /* If we need to handle SNI, do so */
1396 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
1397 if (host == NULL) /* server */
1399 # ifndef DISABLE_OCSP
1400 /* We check u_ocsp.server.file, not server.response, because we care about if
1401 the option exists, not what the current expansion might be, as SNI might
1402 change the certificate and OCSP file in use between now and the time the
1403 callback is invoked. */
1404 if (cbinfo->u_ocsp.server.file)
1406 SSL_CTX_set_tlsext_status_cb(server_ctx, tls_server_stapling_cb);
1407 SSL_CTX_set_tlsext_status_arg(server_ctx, cbinfo);
1410 /* We always do this, so that $tls_sni is available even if not used in
1412 SSL_CTX_set_tlsext_servername_callback(*ctxp, tls_servername_cb);
1413 SSL_CTX_set_tlsext_servername_arg(*ctxp, cbinfo);
1415 # ifndef DISABLE_OCSP
1417 if(ocsp_file) /* wanting stapling */
1419 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
1421 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
1424 SSL_CTX_set_tlsext_status_cb(*ctxp, tls_client_stapling_cb);
1425 SSL_CTX_set_tlsext_status_arg(*ctxp, cbinfo);
1430 cbinfo->verify_cert_hostnames = NULL;
1432 /* Set up the RSA callback */
1434 SSL_CTX_set_tmp_rsa_callback(*ctxp, rsa_callback);
1436 /* Finally, set the timeout, and we are done */
1438 SSL_CTX_set_timeout(*ctxp, ssl_session_timeout);
1439 DEBUG(D_tls) debug_printf("Initialized TLS\n");
1449 /*************************************************
1450 * Get name of cipher in use *
1451 *************************************************/
1454 Argument: pointer to an SSL structure for the connection
1455 buffer to use for answer
1457 pointer to number of bits for cipher
1462 construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits)
1464 /* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't
1465 yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
1466 the accessor functions use const in the prototype. */
1467 const SSL_CIPHER *c;
1470 ver = (const uschar *)SSL_get_version(ssl);
1472 c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
1473 SSL_CIPHER_get_bits(c, bits);
1475 string_format(cipherbuf, bsize, "%s:%s:%u", ver,
1476 SSL_CIPHER_get_name(c), *bits);
1478 DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
1483 peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned bsize)
1485 /*XXX we might consider a list-of-certs variable for the cert chain.
1486 SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
1487 in list-handling functions, also consider the difference between the entire
1488 chain and the elements sent by the peer. */
1490 /* Will have already noted peercert on a verify fail; possibly not the leaf */
1491 if (!tlsp->peercert)
1492 tlsp->peercert = SSL_get_peer_certificate(ssl);
1493 /* Beware anonymous ciphers which lead to server_cert being NULL */
1496 X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, bsize);
1497 peerdn[bsize-1] = '\0';
1498 tlsp->peerdn = peerdn; /*XXX a static buffer... */
1501 tlsp->peerdn = NULL;
1508 /*************************************************
1509 * Set up for verifying certificates *
1510 *************************************************/
1512 /* Called by both client and server startup
1515 sctx SSL_CTX* to initialise
1516 certs certs file or NULL
1517 crl CRL file or NULL
1518 host NULL in a server; the remote host in a client
1519 optional TRUE if called from a server for a host in tls_try_verify_hosts;
1520 otherwise passed as FALSE
1521 cert_vfy_cb Callback function for certificate verification
1523 Returns: OK/DEFER/FAIL
1527 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
1528 int (*cert_vfy_cb)(int, X509_STORE_CTX *) )
1530 uschar *expcerts, *expcrl;
1532 if (!expand_check(certs, US"tls_verify_certificates", &expcerts))
1535 if (expcerts && *expcerts)
1537 /* Tell the library to use its compiled-in location for the system default
1538 CA bundle. Then add the ones specified in the config, if any. */
1540 if (!SSL_CTX_set_default_verify_paths(sctx))
1541 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
1543 if (Ustrcmp(expcerts, "system") != 0)
1545 struct stat statbuf;
1547 if (Ustat(expcerts, &statbuf) < 0)
1549 log_write(0, LOG_MAIN|LOG_PANIC,
1550 "failed to stat %s for certificates", expcerts);
1556 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
1557 { file = NULL; dir = expcerts; }
1559 { file = expcerts; dir = NULL; }
1561 /* If a certificate file is empty, the next function fails with an
1562 unhelpful error message. If we skip it, we get the correct behaviour (no
1563 certificates are recognized, but the error message is still misleading (it
1564 says no certificate was supplied.) But this is better. */
1566 if ( (!file || statbuf.st_size > 0)
1567 && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
1568 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL);
1570 /* Load the list of CAs for which we will accept certs, for sending
1571 to the client. This is only for the one-file tls_verify_certificates
1573 If a list isn't loaded into the server, but
1574 some verify locations are set, the server end appears to make
1575 a wildcard reqest for client certs.
1576 Meanwhile, the client library as default behaviour *ignores* the list
1577 we send over the wire - see man SSL_CTX_set_client_cert_cb.
1578 Because of this, and that the dir variant is likely only used for
1579 the public-CA bundle (not for a private CA), not worth fixing.
1583 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
1585 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
1586 sk_X509_NAME_num(names));
1587 SSL_CTX_set_client_CA_list(sctx, names);
1592 /* Handle a certificate revocation list. */
1594 #if OPENSSL_VERSION_NUMBER > 0x00907000L
1596 /* This bit of code is now the version supplied by Lars Mainka. (I have
1597 merely reformatted it into the Exim code style.)
1599 "From here I changed the code to add support for multiple crl's
1600 in pem format in one file or to support hashed directory entries in
1601 pem format instead of a file. This method now uses the library function
1602 X509_STORE_load_locations to add the CRL location to the SSL context.
1603 OpenSSL will then handle the verify against CA certs and CRLs by
1604 itself in the verify callback." */
1606 if (!expand_check(crl, US"tls_crl", &expcrl)) return DEFER;
1607 if (expcrl && *expcrl)
1609 struct stat statbufcrl;
1610 if (Ustat(expcrl, &statbufcrl) < 0)
1612 log_write(0, LOG_MAIN|LOG_PANIC,
1613 "failed to stat %s for certificates revocation lists", expcrl);
1618 /* is it a file or directory? */
1620 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
1621 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
1625 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
1631 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
1633 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
1634 return tls_error(US"X509_STORE_load_locations", host, NULL);
1636 /* setting the flags to check against the complete crl chain */
1638 X509_STORE_set_flags(cvstore,
1639 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
1643 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
1645 /* If verification is optional, don't fail if no certificate */
1647 SSL_CTX_set_verify(sctx,
1648 SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
1657 /*************************************************
1658 * Start a TLS session in a server *
1659 *************************************************/
1661 /* This is called when Exim is running as a server, after having received
1662 the STARTTLS command. It must respond to that command, and then negotiate
1666 require_ciphers allowed ciphers
1668 Returns: OK on success
1669 DEFER for errors before the start of the negotiation
1670 FAIL for errors during the negotation; the server can't
1675 tls_server_start(const uschar *require_ciphers)
1679 tls_ext_ctx_cb *cbinfo;
1680 static uschar peerdn[256];
1681 static uschar cipherbuf[256];
1683 /* Check for previous activation */
1685 if (tls_in.active >= 0)
1687 tls_error(US"STARTTLS received after TLS started", NULL, US"");
1688 smtp_printf("554 Already in TLS\r\n");
1692 /* Initialize the SSL library. If it fails, it will already have logged
1695 rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
1696 #ifndef DISABLE_OCSP
1699 NULL, &server_static_cbinfo);
1700 if (rc != OK) return rc;
1701 cbinfo = server_static_cbinfo;
1703 if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
1706 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
1707 were historically separated by underscores. So that I can use either form in my
1708 tests, and also for general convenience, we turn underscores into hyphens here.
1711 if (expciphers != NULL)
1713 uschar *s = expciphers;
1714 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1715 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
1716 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
1717 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL);
1718 cbinfo->server_cipher_list = expciphers;
1721 /* If this is a host for which certificate verification is mandatory or
1722 optional, set up appropriately. */
1724 tls_in.certificate_verified = FALSE;
1725 #ifdef EXPERIMENTAL_DANE
1726 tls_in.dane_verified = FALSE;
1728 server_verify_callback_called = FALSE;
1730 if (verify_check_host(&tls_verify_hosts) == OK)
1732 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
1733 FALSE, verify_callback_server);
1734 if (rc != OK) return rc;
1735 server_verify_optional = FALSE;
1737 else if (verify_check_host(&tls_try_verify_hosts) == OK)
1739 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
1740 TRUE, verify_callback_server);
1741 if (rc != OK) return rc;
1742 server_verify_optional = TRUE;
1745 /* Prepare for new connection */
1747 if ((server_ssl = SSL_new(server_ctx)) == NULL) return tls_error(US"SSL_new", NULL, NULL);
1749 /* Warning: we used to SSL_clear(ssl) here, it was removed.
1751 * With the SSL_clear(), we get strange interoperability bugs with
1752 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
1753 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
1755 * The SSL_clear() call is to let an existing SSL* be reused, typically after
1756 * session shutdown. In this case, we have a brand new object and there's no
1757 * obvious reason to immediately clear it. I'm guessing that this was
1758 * originally added because of incomplete initialisation which the clear fixed,
1759 * in some historic release.
1762 /* Set context and tell client to go ahead, except in the case of TLS startup
1763 on connection, where outputting anything now upsets the clients and tends to
1764 make them disconnect. We need to have an explicit fflush() here, to force out
1765 the response. Other smtp_printf() calls do not need it, because in non-TLS
1766 mode, the fflush() happens when smtp_getc() is called. */
1768 SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
1769 if (!tls_in.on_connect)
1771 smtp_printf("220 TLS go ahead\r\n");
1775 /* Now negotiate the TLS session. We put our own timer on it, since it seems
1776 that the OpenSSL library doesn't. */
1778 SSL_set_wfd(server_ssl, fileno(smtp_out));
1779 SSL_set_rfd(server_ssl, fileno(smtp_in));
1780 SSL_set_accept_state(server_ssl);
1782 DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
1784 sigalrm_seen = FALSE;
1785 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
1786 rc = SSL_accept(server_ssl);
1791 tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL);
1792 if (ERR_get_error() == 0)
1793 log_write(0, LOG_MAIN,
1794 "TLS client disconnected cleanly (rejected our certificate?)");
1798 DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
1800 /* TLS has been set up. Adjust the input functions to read via TLS,
1801 and initialize things. */
1803 peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
1805 construct_cipher_name(server_ssl, cipherbuf, sizeof(cipherbuf), &tls_in.bits);
1806 tls_in.cipher = cipherbuf;
1811 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)) != NULL)
1812 debug_printf("Shared ciphers: %s\n", buf);
1815 /* Record the certificate we presented */
1817 X509 * crt = SSL_get_certificate(server_ssl);
1818 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
1821 /* Only used by the server-side tls (tls_in), including tls_getc.
1822 Client-side (tls_out) reads (seem to?) go via
1823 smtp_read_response()/ip_recv().
1824 Hence no need to duplicate for _in and _out.
1826 ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
1827 ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
1828 ssl_xfer_eof = ssl_xfer_error = 0;
1830 receive_getc = tls_getc;
1831 receive_ungetc = tls_ungetc;
1832 receive_feof = tls_feof;
1833 receive_ferror = tls_ferror;
1834 receive_smtp_buffered = tls_smtp_buffered;
1836 tls_in.active = fileno(smtp_out);
1844 tls_client_basic_ctx_init(SSL_CTX * ctx,
1845 host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo
1849 /* stick to the old behaviour for compatibility if tls_verify_certificates is
1850 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
1851 the specified host patterns if one of them is defined */
1853 if ( ( !ob->tls_verify_hosts
1854 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
1856 || (verify_check_given_host(&ob->tls_verify_hosts, host) == OK)
1858 client_verify_optional = FALSE;
1859 else if (verify_check_given_host(&ob->tls_try_verify_hosts, host) == OK)
1860 client_verify_optional = TRUE;
1864 if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
1865 ob->tls_crl, host, client_verify_optional, verify_callback_client)) != OK)
1868 if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK)
1870 cbinfo->verify_cert_hostnames =
1872 string_domain_utf8_to_alabel(host->name, NULL);
1876 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
1877 cbinfo->verify_cert_hostnames);
1883 #ifdef EXPERIMENTAL_DANE
1885 dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa)
1889 const char * hostnames[2] = { CS host->name, NULL };
1892 if (DANESSL_init(ssl, NULL, hostnames) != 1)
1893 return tls_error(US"hostnames load", host, NULL);
1895 for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
1897 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
1898 ) if (rr->type == T_TLSA)
1900 uschar * p = rr->data;
1901 uint8_t usage, selector, mtype;
1902 const char * mdname;
1906 /* Only DANE-TA(2) and DANE-EE(3) are supported */
1907 if (usage != 2 && usage != 3) continue;
1914 default: continue; /* Only match-types 0, 1, 2 are supported */
1915 case 0: mdname = NULL; break;
1916 case 1: mdname = "sha256"; break;
1917 case 2: mdname = "sha512"; break;
1921 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
1924 case 0: /* action not taken */
1925 return tls_error(US"tlsa load", host, NULL);
1929 tls_out.tlsa_usage |= 1<<usage;
1935 log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
1938 #endif /*EXPERIMENTAL_DANE*/
1942 /*************************************************
1943 * Start a TLS session in a client *
1944 *************************************************/
1946 /* Called from the smtp transport after STARTTLS has been accepted.
1949 fd the fd of the connection
1950 host connected host (for messages)
1951 addr the first address
1952 tb transport (always smtp)
1953 tlsa_dnsa tlsa lookup, if DANE, else null
1955 Returns: OK on success
1956 FAIL otherwise - note that tls_error() will not give DEFER
1957 because this is not a server
1961 tls_client_start(int fd, host_item *host, address_item *addr,
1962 transport_instance *tb
1963 #ifdef EXPERIMENTAL_DANE
1964 , dns_answer * tlsa_dnsa
1968 smtp_transport_options_block * ob =
1969 (smtp_transport_options_block *)tb->options_block;
1970 static uschar peerdn[256];
1971 uschar * expciphers;
1973 static uschar cipherbuf[256];
1975 #ifndef DISABLE_OCSP
1976 BOOL request_ocsp = FALSE;
1977 BOOL require_ocsp = FALSE;
1980 #ifdef EXPERIMENTAL_DANE
1981 tls_out.tlsa_usage = 0;
1984 #ifndef DISABLE_OCSP
1986 # ifdef EXPERIMENTAL_DANE
1988 && ob->hosts_request_ocsp[0] == '*'
1989 && ob->hosts_request_ocsp[1] == '\0'
1992 /* Unchanged from default. Use a safer one under DANE */
1993 request_ocsp = TRUE;
1994 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
1995 " {= {4}{$tls_out_tlsa_usage}} } "
2001 verify_check_given_host(&ob->hosts_require_ocsp, host) == OK))
2002 request_ocsp = TRUE;
2004 # ifdef EXPERIMENTAL_DANE
2008 verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
2012 rc = tls_init(&client_ctx, host, NULL,
2013 ob->tls_certificate, ob->tls_privatekey,
2014 #ifndef DISABLE_OCSP
2015 (void *)(long)request_ocsp,
2017 addr, &client_static_cbinfo);
2018 if (rc != OK) return rc;
2020 tls_out.certificate_verified = FALSE;
2021 client_verify_callback_called = FALSE;
2023 if (!expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
2027 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
2028 are separated by underscores. So that I can use either form in my tests, and
2029 also for general convenience, we turn underscores into hyphens here. */
2031 if (expciphers != NULL)
2033 uschar *s = expciphers;
2034 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
2035 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
2036 if (!SSL_CTX_set_cipher_list(client_ctx, CS expciphers))
2037 return tls_error(US"SSL_CTX_set_cipher_list", host, NULL);
2040 #ifdef EXPERIMENTAL_DANE
2043 SSL_CTX_set_verify(client_ctx,
2044 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2045 verify_callback_client_dane);
2047 if (!DANESSL_library_init())
2048 return tls_error(US"library init", host, NULL);
2049 if (DANESSL_CTX_init(client_ctx) <= 0)
2050 return tls_error(US"context init", host, NULL);
2056 if ((rc = tls_client_basic_ctx_init(client_ctx, host, ob, client_static_cbinfo))
2060 if ((client_ssl = SSL_new(client_ctx)) == NULL)
2061 return tls_error(US"SSL_new", host, NULL);
2062 SSL_set_session_id_context(client_ssl, sid_ctx, Ustrlen(sid_ctx));
2063 SSL_set_fd(client_ssl, fd);
2064 SSL_set_connect_state(client_ssl);
2068 if (!expand_check(ob->tls_sni, US"tls_sni", &tls_out.sni))
2070 if (tls_out.sni == NULL)
2072 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
2074 else if (!Ustrlen(tls_out.sni))
2078 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
2079 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tls_out.sni);
2080 SSL_set_tlsext_host_name(client_ssl, tls_out.sni);
2083 debug_printf("OpenSSL at build-time lacked SNI support, ignoring \"%s\"\n",
2089 #ifdef EXPERIMENTAL_DANE
2091 if ((rc = dane_tlsa_load(client_ssl, host, tlsa_dnsa)) != OK)
2095 #ifndef DISABLE_OCSP
2096 /* Request certificate status at connection-time. If the server
2097 does OCSP stapling we will get the callback (set in tls_init()) */
2098 # ifdef EXPERIMENTAL_DANE
2102 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
2103 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
2105 { /* Re-eval now $tls_out_tlsa_usage is populated. If
2106 this means we avoid the OCSP request, we wasted the setup
2107 cost in tls_init(). */
2108 require_ocsp = verify_check_given_host(&ob->hosts_require_ocsp, host) == OK;
2109 request_ocsp = require_ocsp
2110 || verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
2117 SSL_set_tlsext_status_type(client_ssl, TLSEXT_STATUSTYPE_ocsp);
2118 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
2119 tls_out.ocsp = OCSP_NOT_RESP;
2123 #ifndef DISABLE_EVENT
2124 client_static_cbinfo->event_action = tb->event_action;
2127 /* There doesn't seem to be a built-in timeout on connection. */
2129 DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
2130 sigalrm_seen = FALSE;
2131 alarm(ob->command_timeout);
2132 rc = SSL_connect(client_ssl);
2135 #ifdef EXPERIMENTAL_DANE
2137 DANESSL_cleanup(client_ssl);
2141 return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL);
2143 DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
2145 peer_cert(client_ssl, &tls_out, peerdn, sizeof(peerdn));
2147 construct_cipher_name(client_ssl, cipherbuf, sizeof(cipherbuf), &tls_out.bits);
2148 tls_out.cipher = cipherbuf;
2150 /* Record the certificate we presented */
2152 X509 * crt = SSL_get_certificate(client_ssl);
2153 tls_out.ourcert = crt ? X509_dup(crt) : NULL;
2156 tls_out.active = fd;
2164 /*************************************************
2165 * TLS version of getc *
2166 *************************************************/
2168 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
2169 it refills the buffer via the SSL reading function.
2172 Returns: the next character or EOF
2174 Only used by the server-side TLS.
2180 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
2185 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
2186 ssl_xfer_buffer, ssl_xfer_buffer_size);
2188 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
2189 inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer, ssl_xfer_buffer_size);
2190 error = SSL_get_error(server_ssl, inbytes);
2193 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
2194 closed down, not that the socket itself has been closed down. Revert to
2195 non-SSL handling. */
2197 if (error == SSL_ERROR_ZERO_RETURN)
2199 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2201 receive_getc = smtp_getc;
2202 receive_ungetc = smtp_ungetc;
2203 receive_feof = smtp_feof;
2204 receive_ferror = smtp_ferror;
2205 receive_smtp_buffered = smtp_buffered;
2207 SSL_free(server_ssl);
2211 tls_in.cipher = NULL;
2212 tls_in.peerdn = NULL;
2218 /* Handle genuine errors */
2220 else if (error == SSL_ERROR_SSL)
2222 ERR_error_string(ERR_get_error(), ssl_errstring);
2223 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
2228 else if (error != SSL_ERROR_NONE)
2230 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
2235 #ifndef DISABLE_DKIM
2236 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
2238 ssl_xfer_buffer_hwm = inbytes;
2239 ssl_xfer_buffer_lwm = 0;
2242 /* Something in the buffer; return next uschar */
2244 return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
2249 /*************************************************
2250 * Read bytes from TLS channel *
2251 *************************************************/
2258 Returns: the number of bytes read
2259 -1 after a failed read
2261 Only used by the client-side TLS.
2265 tls_read(BOOL is_server, uschar *buff, size_t len)
2267 SSL *ssl = is_server ? server_ssl : client_ssl;
2271 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
2272 buff, (unsigned int)len);
2274 inbytes = SSL_read(ssl, CS buff, len);
2275 error = SSL_get_error(ssl, inbytes);
2277 if (error == SSL_ERROR_ZERO_RETURN)
2279 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2282 else if (error != SSL_ERROR_NONE)
2294 /*************************************************
2295 * Write bytes down TLS channel *
2296 *************************************************/
2300 is_server channel specifier
2304 Returns: the number of bytes after a successful write,
2305 -1 after a failed write
2307 Used by both server-side and client-side TLS.
2311 tls_write(BOOL is_server, const uschar *buff, size_t len)
2316 SSL *ssl = is_server ? server_ssl : client_ssl;
2318 DEBUG(D_tls) debug_printf("tls_do_write(%p, %d)\n", buff, left);
2321 DEBUG(D_tls) debug_printf("SSL_write(SSL, %p, %d)\n", buff, left);
2322 outbytes = SSL_write(ssl, CS buff, left);
2323 error = SSL_get_error(ssl, outbytes);
2324 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
2328 ERR_error_string(ERR_get_error(), ssl_errstring);
2329 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
2332 case SSL_ERROR_NONE:
2337 case SSL_ERROR_ZERO_RETURN:
2338 log_write(0, LOG_MAIN, "SSL channel closed on write");
2341 case SSL_ERROR_SYSCALL:
2342 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
2343 sender_fullhost ? sender_fullhost : US"<unknown>",
2347 log_write(0, LOG_MAIN, "SSL_write error %d", error);
2356 /*************************************************
2357 * Close down a TLS session *
2358 *************************************************/
2360 /* This is also called from within a delivery subprocess forked from the
2361 daemon, to shut down the TLS library, without actually doing a shutdown (which
2362 would tamper with the SSL session in the parent process).
2364 Arguments: TRUE if SSL_shutdown is to be called
2367 Used by both server-side and client-side TLS.
2371 tls_close(BOOL is_server, BOOL shutdown)
2373 SSL **sslp = is_server ? &server_ssl : &client_ssl;
2374 int *fdp = is_server ? &tls_in.active : &tls_out.active;
2376 if (*fdp < 0) return; /* TLS was not active */
2380 DEBUG(D_tls) debug_printf("tls_close(): shutting down SSL\n");
2381 SSL_shutdown(*sslp);
2393 /*************************************************
2394 * Let tls_require_ciphers be checked at startup *
2395 *************************************************/
2397 /* The tls_require_ciphers option, if set, must be something which the
2400 Returns: NULL on success, or error message
2404 tls_validate_require_cipher(void)
2407 uschar *s, *expciphers, *err;
2409 /* this duplicates from tls_init(), we need a better "init just global
2410 state, for no specific purpose" singleton function of our own */
2412 SSL_load_error_strings();
2413 OpenSSL_add_ssl_algorithms();
2414 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
2415 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
2416 list of available digests. */
2417 EVP_add_digest(EVP_sha256());
2420 if (!(tls_require_ciphers && *tls_require_ciphers))
2423 if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers))
2424 return US"failed to expand tls_require_ciphers";
2426 if (!(expciphers && *expciphers))
2429 /* normalisation ripped from above */
2431 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
2435 ctx = SSL_CTX_new(SSLv23_server_method());
2438 ERR_error_string(ERR_get_error(), ssl_errstring);
2439 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
2443 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
2445 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
2447 ERR_error_string(ERR_get_error(), ssl_errstring);
2448 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed", expciphers);
2459 /*************************************************
2460 * Report the library versions. *
2461 *************************************************/
2463 /* There have historically been some issues with binary compatibility in
2464 OpenSSL libraries; if Exim (like many other applications) is built against
2465 one version of OpenSSL but the run-time linker picks up another version,
2466 it can result in serious failures, including crashing with a SIGSEGV. So
2467 report the version found by the compiler and the run-time version.
2469 Note: some OS vendors backport security fixes without changing the version
2470 number/string, and the version date remains unchanged. The _build_ date
2471 will change, so we can more usefully assist with version diagnosis by also
2472 reporting the build date.
2474 Arguments: a FILE* to print the results to
2479 tls_version_report(FILE *f)
2481 fprintf(f, "Library version: OpenSSL: Compile: %s\n"
2484 OPENSSL_VERSION_TEXT,
2485 SSLeay_version(SSLEAY_VERSION),
2486 SSLeay_version(SSLEAY_BUILT_ON));
2487 /* third line is 38 characters for the %s and the line is 73 chars long;
2488 the OpenSSL output includes a "built on: " prefix already. */
2494 /*************************************************
2495 * Random number generation *
2496 *************************************************/
2498 /* Pseudo-random number generation. The result is not expected to be
2499 cryptographically strong but not so weak that someone will shoot themselves
2500 in the foot using it as a nonce in input in some email header scheme or
2501 whatever weirdness they'll twist this into. The result should handle fork()
2502 and avoid repeating sequences. OpenSSL handles that for us.
2506 Returns a random number in range [0, max-1]
2510 vaguely_random_number(int max)
2514 static pid_t pidlast = 0;
2517 uschar smallbuf[sizeof(r)];
2523 if (pidnow != pidlast)
2525 /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
2526 is unique for each thread", this doesn't apparently apply across processes,
2527 so our own warning from vaguely_random_number_fallback() applies here too.
2528 Fix per PostgreSQL. */
2534 /* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
2538 gettimeofday(&r.tv, NULL);
2541 RAND_seed((uschar *)(&r), sizeof(r));
2543 /* We're after pseudo-random, not random; if we still don't have enough data
2544 in the internal PRNG then our options are limited. We could sleep and hope
2545 for entropy to come along (prayer technique) but if the system is so depleted
2546 in the first place then something is likely to just keep taking it. Instead,
2547 we'll just take whatever little bit of pseudo-random we can still manage to
2550 needed_len = sizeof(r);
2551 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
2552 asked for a number less than 10. */
2553 for (r = max, i = 0; r; ++i)
2559 /* We do not care if crypto-strong */
2560 i = RAND_pseudo_bytes(smallbuf, needed_len);
2564 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
2565 return vaguely_random_number_fallback(max);
2569 for (p = smallbuf; needed_len; --needed_len, ++p)
2575 /* We don't particularly care about weighted results; if someone wants
2576 smooth distribution and cares enough then they should submit a patch then. */
2583 /*************************************************
2584 * OpenSSL option parse *
2585 *************************************************/
2587 /* Parse one option for tls_openssl_options_parse below
2590 name one option name
2591 value place to store a value for it
2592 Returns success or failure in parsing
2595 struct exim_openssl_option {
2599 /* We could use a macro to expand, but we need the ifdef and not all the
2600 options document which version they were introduced in. Policylet: include
2601 all options unless explicitly for DTLS, let the administrator choose which
2604 This list is current as of:
2606 Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
2608 static struct exim_openssl_option exim_openssl_options[] = {
2609 /* KEEP SORTED ALPHABETICALLY! */
2611 { US"all", SSL_OP_ALL },
2613 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
2614 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
2616 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
2617 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
2619 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
2620 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
2622 #ifdef SSL_OP_EPHEMERAL_RSA
2623 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
2625 #ifdef SSL_OP_LEGACY_SERVER_CONNECT
2626 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
2628 #ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
2629 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
2631 #ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
2632 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
2634 #ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
2635 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
2637 #ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
2638 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
2640 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
2641 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
2643 #ifdef SSL_OP_NO_COMPRESSION
2644 { US"no_compression", SSL_OP_NO_COMPRESSION },
2646 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
2647 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
2649 #ifdef SSL_OP_NO_SSLv2
2650 { US"no_sslv2", SSL_OP_NO_SSLv2 },
2652 #ifdef SSL_OP_NO_SSLv3
2653 { US"no_sslv3", SSL_OP_NO_SSLv3 },
2655 #ifdef SSL_OP_NO_TICKET
2656 { US"no_ticket", SSL_OP_NO_TICKET },
2658 #ifdef SSL_OP_NO_TLSv1
2659 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
2661 #ifdef SSL_OP_NO_TLSv1_1
2662 #if SSL_OP_NO_TLSv1_1 == 0x00000400L
2663 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
2664 #warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
2666 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
2669 #ifdef SSL_OP_NO_TLSv1_2
2670 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
2672 #ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
2673 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
2675 #ifdef SSL_OP_SINGLE_DH_USE
2676 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
2678 #ifdef SSL_OP_SINGLE_ECDH_USE
2679 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
2681 #ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
2682 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
2684 #ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
2685 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
2687 #ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
2688 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
2690 #ifdef SSL_OP_TLS_D5_BUG
2691 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
2693 #ifdef SSL_OP_TLS_ROLLBACK_BUG
2694 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
2697 static int exim_openssl_options_size =
2698 sizeof(exim_openssl_options)/sizeof(struct exim_openssl_option);
2702 tls_openssl_one_option_parse(uschar *name, long *value)
2705 int last = exim_openssl_options_size;
2706 while (last > first)
2708 int middle = (first + last)/2;
2709 int c = Ustrcmp(name, exim_openssl_options[middle].name);
2712 *value = exim_openssl_options[middle].value;
2726 /*************************************************
2727 * OpenSSL option parsing logic *
2728 *************************************************/
2730 /* OpenSSL has a number of compatibility options which an administrator might
2731 reasonably wish to set. Interpret a list similarly to decode_bits(), so that
2732 we look like log_selector.
2735 option_spec the administrator-supplied string of options
2736 results ptr to long storage for the options bitmap
2737 Returns success or failure
2741 tls_openssl_options_parse(uschar *option_spec, long *results)
2746 BOOL adding, item_parsed;
2749 /* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
2750 * from default because it increases BEAST susceptibility. */
2751 #ifdef SSL_OP_NO_SSLv2
2752 result |= SSL_OP_NO_SSLv2;
2754 #ifdef SSL_OP_SINGLE_DH_USE
2755 result |= SSL_OP_SINGLE_DH_USE;
2758 if (option_spec == NULL)
2764 for (s=option_spec; *s != '\0'; /**/)
2766 while (isspace(*s)) ++s;
2769 if (*s != '+' && *s != '-')
2771 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
2772 "+ or - expected but found \"%s\"\n", s);
2775 adding = *s++ == '+';
2776 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
2779 item_parsed = tls_openssl_one_option_parse(s, &item);
2782 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
2785 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
2786 adding ? "adding" : "removing", result, item, s);
2801 /* End of tls-openssl.c */