1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2019 */
6 /* Copyright (c) The Exim Maintainers 2020 */
7 /* See the file NOTICE for conditions of use and distribution. */
9 /* Portions Copyright (c) The OpenSSL Project 1999 */
11 /* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
12 library. It is #included into the tls.c file when that library is used. The
13 code herein is based on a patch that was originally contributed by Steve
14 Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
16 No cryptographic code is included in Exim. All this module does is to call
17 functions from the OpenSSL library. */
22 #include <openssl/lhash.h>
23 #include <openssl/ssl.h>
24 #include <openssl/err.h>
25 #include <openssl/rand.h>
26 #ifndef OPENSSL_NO_ECDH
27 # include <openssl/ec.h>
30 # include <openssl/ocsp.h>
38 # define EXIM_OCSP_SKEW_SECONDS (300L)
39 # define EXIM_OCSP_MAX_AGE (-1L)
42 #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
43 # define EXIM_HAVE_OPENSSL_TLSEXT
45 #if OPENSSL_VERSION_NUMBER >= 0x00908000L
46 # define EXIM_HAVE_RSA_GENKEY_EX
48 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
49 # define EXIM_HAVE_OCSP_RESP_COUNT
50 # define OPENSSL_AUTO_SHA256
52 # define EXIM_HAVE_EPHEM_RSA_KEX
53 # define EXIM_HAVE_RAND_PSEUDO
55 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
56 # define EXIM_HAVE_SHA256
59 /* X509_check_host provides sane certificate hostname checking, but was added
60 to OpenSSL late, after other projects forked off the code-base. So in
61 addition to guarding against the base version number, beware that LibreSSL
62 does not (at this time) support this function.
64 If LibreSSL gains a different API, perhaps via libtls, then we'll probably
65 opt to disentangle and ask a LibreSSL user to provide glue for a third
66 crypto provider for libtls instead of continuing to tie the OpenSSL glue
67 into even twistier knots. If LibreSSL gains the same API, we can just
68 change this guard and punt the issue for a while longer. */
70 #ifndef LIBRESSL_VERSION_NUMBER
71 # if OPENSSL_VERSION_NUMBER >= 0x010100000L
72 # define EXIM_HAVE_OPENSSL_CHECKHOST
73 # define EXIM_HAVE_OPENSSL_DH_BITS
74 # define EXIM_HAVE_OPENSSL_TLS_METHOD
75 # define EXIM_HAVE_OPENSSL_KEYLOG
76 # define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
77 # define EXIM_HAVE_SESSION_TICKET
78 # define EXIM_HAVE_OPESSL_TRACE
79 # define EXIM_HAVE_OPESSL_GET0_SERIAL
81 # define EXIM_HAVE_OCSP
84 # define EXIM_NEED_OPENSSL_INIT
86 # if OPENSSL_VERSION_NUMBER >= 0x010000000L \
87 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
88 # define EXIM_HAVE_OPENSSL_CHECKHOST
92 #if !defined(LIBRESSL_VERSION_NUMBER) \
93 || LIBRESSL_VERSION_NUMBER >= 0x20010000L
94 # if !defined(OPENSSL_NO_ECDH)
95 # if OPENSSL_VERSION_NUMBER >= 0x0090800fL
96 # define EXIM_HAVE_ECDH
98 # if OPENSSL_VERSION_NUMBER >= 0x10002000L
99 # define EXIM_HAVE_OPENSSL_EC_NIST2NID
104 #ifndef LIBRESSL_VERSION_NUMBER
105 # if OPENSSL_VERSION_NUMBER >= 0x010101000L
106 # define OPENSSL_HAVE_KEYLOG_CB
107 # define OPENSSL_HAVE_NUM_TICKETS
108 # define EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
110 # define OPENSSL_BAD_SRVR_OURCERT
114 #if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
115 # warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
116 # define DISABLE_OCSP
119 #ifdef EXPERIMENTAL_TLS_RESUME
120 # if OPENSSL_VERSION_NUMBER < 0x0101010L
121 # error OpenSSL version too old for session-resumption
125 #ifdef EXIM_HAVE_OPENSSL_CHECKHOST
126 # include <openssl/x509v3.h>
129 #ifndef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
130 # ifndef EXIM_HAVE_OPENSSL_CIPHER_GET_ID
131 # define SSL_CIPHER_get_id(c) (c->id)
133 # ifndef MACRO_PREDEF
134 # include "tls-cipher-stdname.c"
138 /*************************************************
139 * OpenSSL option parse *
140 *************************************************/
142 typedef struct exim_openssl_option {
145 } exim_openssl_option;
146 /* We could use a macro to expand, but we need the ifdef and not all the
147 options document which version they were introduced in. Policylet: include
148 all options unless explicitly for DTLS, let the administrator choose which
151 This list is current as of:
154 XXX could we autobuild this list, as with predefined-macros?
155 Seems just parsing ssl.h for SSL_OP_.* would be enough (except to exclude DTLS).
156 Also allow a numeric literal?
158 static exim_openssl_option exim_openssl_options[] = {
159 /* KEEP SORTED ALPHABETICALLY! */
161 { US"all", (long) SSL_OP_ALL },
163 #ifdef SSL_OP_ALLOW_NO_DHE_KEX
164 { US"allow_no_dhe_kex", SSL_OP_ALLOW_NO_DHE_KEX },
166 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
167 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
169 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
170 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
172 #ifdef SSL_OP_CRYPTOPRO_TLSEXT_BUG
173 { US"cryptopro_tlsext_bug", SSL_OP_CRYPTOPRO_TLSEXT_BUG },
175 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
176 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
178 #ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT
179 { US"enable_middlebox_compat", SSL_OP_ENABLE_MIDDLEBOX_COMPAT },
181 #ifdef SSL_OP_EPHEMERAL_RSA
182 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
184 #ifdef SSL_OP_LEGACY_SERVER_CONNECT
185 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
187 #ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
188 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
190 #ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
191 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
193 #ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
194 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
196 #ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
197 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
199 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
200 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
202 #ifdef SSL_OP_NO_ANTI_REPLAY
203 { US"no_anti_replay", SSL_OP_NO_ANTI_REPLAY },
205 #ifdef SSL_OP_NO_COMPRESSION
206 { US"no_compression", SSL_OP_NO_COMPRESSION },
208 #ifdef SSL_OP_NO_ENCRYPT_THEN_MAC
209 { US"no_encrypt_then_mac", SSL_OP_NO_ENCRYPT_THEN_MAC },
211 #ifdef SSL_OP_NO_RENEGOTIATION
212 { US"no_renegotiation", SSL_OP_NO_RENEGOTIATION },
214 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
215 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
217 #ifdef SSL_OP_NO_SSLv2
218 { US"no_sslv2", SSL_OP_NO_SSLv2 },
220 #ifdef SSL_OP_NO_SSLv3
221 { US"no_sslv3", SSL_OP_NO_SSLv3 },
223 #ifdef SSL_OP_NO_TICKET
224 { US"no_ticket", SSL_OP_NO_TICKET },
226 #ifdef SSL_OP_NO_TLSv1
227 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
229 #ifdef SSL_OP_NO_TLSv1_1
230 #if SSL_OP_NO_TLSv1_1 == 0x00000400L
231 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
232 #warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
234 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
237 #ifdef SSL_OP_NO_TLSv1_2
238 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
240 #ifdef SSL_OP_NO_TLSv1_3
241 { US"no_tlsv1_3", SSL_OP_NO_TLSv1_3 },
243 #ifdef SSL_OP_PRIORITIZE_CHACHA
244 { US"prioritize_chacha", SSL_OP_PRIORITIZE_CHACHA },
246 #ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
247 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
249 #ifdef SSL_OP_SINGLE_DH_USE
250 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
252 #ifdef SSL_OP_SINGLE_ECDH_USE
253 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
255 #ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
256 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
258 #ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
259 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
261 #ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
262 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
264 #ifdef SSL_OP_TLS_D5_BUG
265 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
267 #ifdef SSL_OP_TLS_ROLLBACK_BUG
268 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
270 #ifdef SSL_OP_TLSEXT_PADDING
271 { US"tlsext_padding", SSL_OP_TLSEXT_PADDING },
276 static int exim_openssl_options_size = nelem(exim_openssl_options);
285 for (struct exim_openssl_option * o = exim_openssl_options;
286 o < exim_openssl_options + nelem(exim_openssl_options); o++)
288 /* Trailing X is workaround for problem with _OPT_OPENSSL_NO_TLSV1
289 being a ".ifdef _OPT_OPENSSL_NO_TLSV1_3" match */
291 spf(buf, sizeof(buf), US"_OPT_OPENSSL_%T_X", o->name);
292 builtin_macro_create(buf);
295 # ifdef EXPERIMENTAL_TLS_RESUME
296 builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
298 # ifdef SSL_OP_NO_TLSv1_3
299 builtin_macro_create(US"_HAVE_TLS1_3");
301 # ifdef OPENSSL_BAD_SRVR_OURCERT
302 builtin_macro_create(US"_TLS_BAD_MULTICERT_IN_OURCERT");
304 # ifdef EXIM_HAVE_OCSP
305 builtin_macro_create(US"_HAVE_TLS_OCSP");
306 builtin_macro_create(US"_HAVE_TLS_OCSP_LIST");
311 /******************************************************************************/
313 /* Structure for collecting random data for seeding. */
315 typedef struct randstuff {
320 /* Local static variables */
322 static BOOL client_verify_callback_called = FALSE;
323 static BOOL server_verify_callback_called = FALSE;
324 static const uschar *sid_ctx = US"exim";
326 /* We have three different contexts to care about.
328 Simple case: client, `client_ctx`
329 As a client, we can be doing a callout or cut-through delivery while receiving
330 a message. So we have a client context, which should have options initialised
331 from the SMTP Transport. We may also concurrently want to make TLS connections
332 to utility daemons, so client-contexts are allocated and passed around in call
333 args rather than using a gobal.
336 There are two cases: with and without ServerNameIndication from the client.
337 Given TLS SNI, we can be using different keys, certs and various other
338 configuration settings, because they're re-expanded with $tls_sni set. This
339 allows vhosting with TLS. This SNI is sent in the handshake.
340 A client might not send SNI, so we need a fallback, and an initial setup too.
341 So as a server, we start out using `server_ctx`.
342 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
343 `server_sni` from `server_ctx` and then initialise settings by re-expanding
351 } exim_openssl_client_tls_ctx;
353 static SSL_CTX *server_ctx = NULL;
354 static SSL *server_ssl = NULL;
356 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
357 static SSL_CTX *server_sni = NULL;
360 static char ssl_errstring[256];
362 static int ssl_session_timeout = 7200; /* Two hours */
363 static BOOL client_verify_optional = FALSE;
364 static BOOL server_verify_optional = FALSE;
366 static BOOL reexpand_tls_files_for_sni = FALSE;
369 typedef struct ocsp_resp {
370 struct ocsp_resp * next;
371 OCSP_RESPONSE * resp;
374 typedef struct tls_ext_ctx_cb {
380 STACK_OF(X509) *verify_stack; /* chain for verifying the proof */
384 const uschar *file_expanded;
385 ocsp_resplist *olist;
388 X509_STORE *verify_store; /* non-null if status requested */
389 BOOL verify_required;
394 /* these are cached from first expand */
395 uschar *server_cipher_list;
396 /* only passed down to tls_error: */
398 const uschar * verify_cert_hostnames;
399 #ifndef DISABLE_EVENT
400 uschar * event_action;
404 /* should figure out a cleanup of API to handle state preserved per
405 implementation, for various reasons, which can be void * in the APIs.
406 For now, we hack around it. */
407 tls_ext_ctx_cb *client_static_cbinfo = NULL; /*XXX should not use static; multiple concurrent clients! */
408 tls_ext_ctx_cb *server_static_cbinfo = NULL;
411 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
412 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr );
415 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
416 static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
419 static int tls_server_stapling_cb(SSL *s, void *arg);
424 /* Daemon-called, before every connection, key create/rotate */
425 #ifdef EXPERIMENTAL_TLS_RESUME
426 static void tk_init(void);
427 static int tls_exdata_idx = -1;
431 tls_daemon_init(void)
433 #ifdef EXPERIMENTAL_TLS_RESUME
440 /*************************************************
442 *************************************************/
444 /* Called from lots of places when errors occur before actually starting to do
445 the TLS handshake, that is, while the session is still in clear. Always returns
446 DEFER for a server and FAIL for a client so that most calls can use "return
447 tls_error(...)" to do this processing and then give an appropriate return. A
448 single function is used for both server and client, because it is called from
449 some shared functions.
452 prefix text to include in the logged error
453 host NULL if setting up a server;
454 the connected host if setting up a client
455 msg error message or NULL if we should ask OpenSSL
456 errstr pointer to output error message
458 Returns: OK/DEFER/FAIL
462 tls_error(uschar * prefix, const host_item * host, uschar * msg, uschar ** errstr)
466 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
467 msg = US ssl_errstring;
470 msg = string_sprintf("(%s): %s", prefix, msg);
471 DEBUG(D_tls) debug_printf("TLS error '%s'\n", msg);
472 if (errstr) *errstr = msg;
473 return host ? FAIL : DEFER;
478 /*************************************************
479 * Callback to generate RSA key *
480 *************************************************/
484 s SSL connection (not used)
488 Returns: pointer to generated key
492 rsa_callback(SSL *s, int export, int keylength)
495 #ifdef EXIM_HAVE_RSA_GENKEY_EX
496 BIGNUM *bn = BN_new();
499 export = export; /* Shut picky compilers up */
500 DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
502 #ifdef EXIM_HAVE_RSA_GENKEY_EX
503 if ( !BN_set_word(bn, (unsigned long)RSA_F4)
504 || !(rsa_key = RSA_new())
505 || !RSA_generate_key_ex(rsa_key, keylength, bn, NULL)
508 if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL)))
512 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
513 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
525 x509_store_dump_cert_s_names(X509_STORE * store)
527 STACK_OF(X509_OBJECT) * roots= store->objs;
528 static uschar name[256];
530 for (int i= 0; i < sk_X509_OBJECT_num(roots); i++)
532 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
533 if(tmp_obj->type == X509_LU_X509)
535 X509_NAME * sn = X509_get_subject_name(tmp_obj->data.x509);
536 if (X509_NAME_oneline(sn, CS name, sizeof(name)))
538 name[sizeof(name)-1] = '\0';
539 debug_printf(" %s\n", name);
548 #ifndef DISABLE_EVENT
550 verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
551 BOOL *calledp, const BOOL *optionalp, const uschar * what)
557 ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
560 DEBUG(D_tls) debug_printf("verify_event: %s %d\n", what, depth);
561 old_cert = tlsp->peercert;
562 tlsp->peercert = X509_dup(cert);
563 /* NB we do not bother setting peerdn */
564 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
566 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
567 "depth=%d cert=%s: %s",
568 tlsp == &tls_out ? deliver_host_address : sender_host_address,
569 what, depth, dn, yield);
573 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
574 return 1; /* reject (leaving peercert set) */
576 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
577 "(host in tls_try_verify_hosts)\n");
578 tlsp->verify_override = TRUE;
580 X509_free(tlsp->peercert);
581 tlsp->peercert = old_cert;
587 /*************************************************
588 * Callback for verification *
589 *************************************************/
591 /* The SSL library does certificate verification if set up to do so. This
592 callback has the current yes/no state is in "state". If verification succeeded,
593 we set the certificate-verified flag. If verification failed, what happens
594 depends on whether the client is required to present a verifiable certificate
597 If verification is optional, we change the state to yes, but still log the
598 verification error. For some reason (it really would help to have proper
599 documentation of OpenSSL), this callback function then gets called again, this
600 time with state = 1. We must take care not to set the private verified flag on
601 the second time through.
603 Note: this function is not called if the client fails to present a certificate
604 when asked. We get here only if a certificate has been received. Handling of
605 optional verification for this case is done when requesting SSL to verify, by
606 setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
608 May be called multiple times for different issues with a certificate, even
609 for a given "depth" in the certificate chain.
612 preverify_ok current yes/no state as 1/0
613 x509ctx certificate information.
614 tlsp per-direction (client vs. server) support data
615 calledp has-been-called flag
616 optionalp verification-is-optional flag
618 Returns: 0 if verification should fail, otherwise 1
622 verify_callback(int preverify_ok, X509_STORE_CTX * x509ctx,
623 tls_support * tlsp, BOOL * calledp, BOOL * optionalp)
625 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
626 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
629 if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
631 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
632 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
633 tlsp == &tls_out ? deliver_host_address : sender_host_address);
636 dn[sizeof(dn)-1] = '\0';
638 tlsp->verify_override = FALSE;
639 if (preverify_ok == 0)
641 uschar * extra = verify_mode ? string_sprintf(" (during %c-verify for [%s])",
642 *verify_mode, sender_host_address)
644 log_write(0, LOG_MAIN, "[%s] SSL verify error%s: depth=%d error=%s cert=%s",
645 tlsp == &tls_out ? deliver_host_address : sender_host_address,
647 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)), dn);
652 tlsp->peercert = X509_dup(cert); /* record failing cert */
653 return 0; /* reject */
655 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
656 "tls_try_verify_hosts)\n");
657 tlsp->verify_override = TRUE;
662 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
664 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
665 { /* client, wanting stapling */
666 /* Add the server cert's signing chain as the one
667 for the verification of the OCSP stapled information. */
669 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
672 sk_X509_push(client_static_cbinfo->verify_stack, cert);
675 #ifndef DISABLE_EVENT
676 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
677 return 0; /* reject, with peercert set */
682 const uschar * verify_cert_hostnames;
684 if ( tlsp == &tls_out
685 && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
686 /* client, wanting hostname check */
689 #ifdef EXIM_HAVE_OPENSSL_CHECKHOST
690 # ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
691 # define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
693 # ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
694 # define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
697 const uschar * list = verify_cert_hostnames;
700 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
701 if ((rc = X509_check_host(cert, CCS name, 0,
702 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
703 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
708 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
709 tlsp == &tls_out ? deliver_host_address : sender_host_address);
716 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
719 uschar * extra = verify_mode
720 ? string_sprintf(" (during %c-verify for [%s])",
721 *verify_mode, sender_host_address)
723 log_write(0, LOG_MAIN,
724 "[%s] SSL verify error%s: certificate name mismatch: DN=\"%s\" H=\"%s\"",
725 tlsp == &tls_out ? deliver_host_address : sender_host_address,
726 extra, dn, verify_cert_hostnames);
731 tlsp->peercert = X509_dup(cert); /* record failing cert */
732 return 0; /* reject */
734 DEBUG(D_tls) debug_printf("SSL verify name failure overridden (host in "
735 "tls_try_verify_hosts)\n");
736 tlsp->verify_override = TRUE;
740 #ifndef DISABLE_EVENT
741 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
742 return 0; /* reject, with peercert set */
745 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
746 *calledp ? "" : " authenticated", dn);
750 return 1; /* accept, at least for this level */
754 verify_callback_client(int preverify_ok, X509_STORE_CTX *x509ctx)
756 return verify_callback(preverify_ok, x509ctx, &tls_out,
757 &client_verify_callback_called, &client_verify_optional);
761 verify_callback_server(int preverify_ok, X509_STORE_CTX *x509ctx)
763 return verify_callback(preverify_ok, x509ctx, &tls_in,
764 &server_verify_callback_called, &server_verify_optional);
770 /* This gets called *by* the dane library verify callback, which interposes
774 verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
776 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
778 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
779 #ifndef DISABLE_EVENT
780 BOOL dummy_called, optional = FALSE;
783 if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
785 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
786 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
787 deliver_host_address);
790 dn[sizeof(dn)-1] = '\0';
792 DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
793 preverify_ok ? "ok":"BAD", depth, dn);
795 #ifndef DISABLE_EVENT
796 if (verify_event(&tls_out, cert, depth, dn,
797 &dummy_called, &optional, US"DANE"))
798 return 0; /* reject, with peercert set */
801 if (preverify_ok == 1)
803 tls_out.dane_verified = TRUE;
805 if (client_static_cbinfo->u_ocsp.client.verify_store)
806 { /* client, wanting stapling */
807 /* Add the server cert's signing chain as the one
808 for the verification of the OCSP stapled information. */
810 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
813 sk_X509_push(client_static_cbinfo->verify_stack, cert);
819 int err = X509_STORE_CTX_get_error(x509ctx);
821 debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
822 if (err == X509_V_ERR_APPLICATION_VERIFICATION)
828 #endif /*SUPPORT_DANE*/
831 /*************************************************
832 * Information callback *
833 *************************************************/
835 /* The SSL library functions call this from time to time to indicate what they
836 are doing. We copy the string to the debugging output when TLS debugging has
848 info_callback(SSL *s, int where, int ret)
854 if (where & SSL_ST_CONNECT)
855 str = US"SSL_connect";
856 else if (where & SSL_ST_ACCEPT)
857 str = US"SSL_accept";
859 str = US"SSL info (undefined)";
861 if (where & SSL_CB_LOOP)
862 debug_printf("%s: %s\n", str, SSL_state_string_long(s));
863 else if (where & SSL_CB_ALERT)
864 debug_printf("SSL3 alert %s:%s:%s\n",
865 str = where & SSL_CB_READ ? US"read" : US"write",
866 SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
867 else if (where & SSL_CB_EXIT)
869 debug_printf("%s: failed in %s\n", str, SSL_state_string_long(s));
871 debug_printf("%s: error in %s\n", str, SSL_state_string_long(s));
872 else if (where & SSL_CB_HANDSHAKE_START)
873 debug_printf("%s: hshake start: %s\n", str, SSL_state_string_long(s));
874 else if (where & SSL_CB_HANDSHAKE_DONE)
875 debug_printf("%s: hshake done: %s\n", str, SSL_state_string_long(s));
879 #ifdef OPENSSL_HAVE_KEYLOG_CB
881 keylog_callback(const SSL *ssl, const char *line)
885 DEBUG(D_tls) debug_printf("%.200s\n", line);
886 if (!(filename = getenv("SSLKEYLOGFILE"))) return;
887 if (!(fp = fopen(filename, "a"))) return;
888 fprintf(fp, "%s\n", line);
894 #ifdef EXPERIMENTAL_TLS_RESUME
895 /* Manage the keysets used for encrypting the session tickets, on the server. */
897 typedef struct { /* Session ticket encryption key */
900 const EVP_CIPHER * aes_cipher;
901 uschar aes_key[32]; /* size needed depends on cipher. aes_128 implies 128/8 = 16? */
902 const EVP_MD * hmac_hash;
908 static exim_stek exim_tk; /* current key */
909 static exim_stek exim_tk_old; /* previous key */
914 time_t t = time(NULL);
918 if (exim_tk.renew >= t) return;
919 exim_tk_old = exim_tk;
922 if (f.running_in_test_harness) ssl_session_timeout = 6;
924 DEBUG(D_tls) debug_printf("OpenSSL: %s STEK\n", exim_tk.name[0] ? "rotating" : "creating");
925 if (RAND_bytes(exim_tk.aes_key, sizeof(exim_tk.aes_key)) <= 0) return;
926 if (RAND_bytes(exim_tk.hmac_key, sizeof(exim_tk.hmac_key)) <= 0) return;
927 if (RAND_bytes(exim_tk.name+1, sizeof(exim_tk.name)-1) <= 0) return;
929 exim_tk.name[0] = 'E';
930 exim_tk.aes_cipher = EVP_aes_256_cbc();
931 exim_tk.hmac_hash = EVP_sha256();
932 exim_tk.expire = t + ssl_session_timeout;
933 exim_tk.renew = t + ssl_session_timeout/2;
939 if (!exim_tk.name[0]) return NULL;
944 tk_find(const uschar * name)
946 return memcmp(name, exim_tk.name, sizeof(exim_tk.name)) == 0 ? &exim_tk
947 : memcmp(name, exim_tk_old.name, sizeof(exim_tk_old.name)) == 0 ? &exim_tk_old
951 /* Callback for session tickets, on server */
953 ticket_key_callback(SSL * ssl, uschar key_name[16],
954 uschar * iv, EVP_CIPHER_CTX * ctx, HMAC_CTX * hctx, int enc)
956 tls_support * tlsp = server_static_cbinfo->tlsp;
961 DEBUG(D_tls) debug_printf("ticket_key_callback: create new session\n");
962 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
964 if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) <= 0)
965 return -1; /* insufficient random */
967 if (!(key = tk_current())) /* current key doesn't exist or isn't valid */
968 return 0; /* key couldn't be created */
969 memcpy(key_name, key->name, 16);
970 DEBUG(D_tls) debug_printf("STEK expire " TIME_T_FMT "\n", key->expire - time(NULL));
972 /*XXX will want these dependent on the ssl session strength */
973 HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
974 key->hmac_hash, NULL);
975 EVP_EncryptInit_ex(ctx, key->aes_cipher, NULL, key->aes_key, iv);
977 DEBUG(D_tls) debug_printf("ticket created\n");
982 time_t now = time(NULL);
984 DEBUG(D_tls) debug_printf("ticket_key_callback: retrieve session\n");
985 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
987 if (!(key = tk_find(key_name)) || key->expire < now)
991 debug_printf("ticket not usable (%s)\n", key ? "expired" : "not found");
992 if (key) debug_printf("STEK expire " TIME_T_FMT "\n", key->expire - now);
997 HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
998 key->hmac_hash, NULL);
999 EVP_DecryptInit_ex(ctx, key->aes_cipher, NULL, key->aes_key, iv);
1001 DEBUG(D_tls) debug_printf("ticket usable, STEK expire " TIME_T_FMT "\n", key->expire - now);
1003 /* The ticket lifetime and renewal are the same as the STEK lifetime and
1004 renewal, which is overenthusiastic. A factor of, say, 3x longer STEK would
1005 be better. To do that we'd have to encode ticket lifetime in the name as
1006 we don't yet see the restored session. Could check posthandshake for TLS1.3
1007 and trigger a new ticket then, but cannot do that for TLS1.2 */
1008 return key->renew < now ? 2 : 1;
1015 /*************************************************
1016 * Initialize for DH *
1017 *************************************************/
1019 /* If dhparam is set, expand it, and load up the parameters for DH encryption.
1022 sctx The current SSL CTX (inbound or outbound)
1023 dhparam DH parameter file or fixed parameter identity string
1024 host connected host, if client; NULL if server
1025 errstr error string pointer
1027 Returns: TRUE if OK (nothing to set up, or setup worked)
1031 init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host, uschar ** errstr)
1039 if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded, errstr))
1042 if (!dhexpanded || !*dhexpanded)
1043 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
1044 else if (dhexpanded[0] == '/')
1046 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
1048 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
1049 host, US strerror(errno), errstr);
1055 if (Ustrcmp(dhexpanded, "none") == 0)
1057 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
1061 if (!(pem = std_dh_prime_named(dhexpanded)))
1063 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
1064 host, US strerror(errno), errstr);
1067 bio = BIO_new_mem_buf(CS pem, -1);
1070 if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
1073 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
1074 host, NULL, errstr);
1078 /* note: our default limit of 2236 is not a multiple of 8; the limit comes from
1079 * an NSS limit, and the GnuTLS APIs handle bit-sizes fine, so we went with
1080 * 2236. But older OpenSSL can only report in bytes (octets), not bits.
1081 * If someone wants to dance at the edge, then they can raise the limit or use
1082 * current libraries. */
1083 #ifdef EXIM_HAVE_OPENSSL_DH_BITS
1084 /* Added in commit 26c79d5641d; `git describe --contains` says OpenSSL_1_1_0-pre1~1022
1085 * This predates OpenSSL_1_1_0 (before a, b, ...) so is in all 1.1.0 */
1086 dh_bitsize = DH_bits(dh);
1088 dh_bitsize = 8 * DH_size(dh);
1091 /* Even if it is larger, we silently return success rather than cause things
1092 * to fail out, so that a too-large DH will not knock out all TLS; it's a
1093 * debatable choice. */
1094 if (dh_bitsize > tls_dh_max_bits)
1097 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d\n",
1098 dh_bitsize, tls_dh_max_bits);
1102 SSL_CTX_set_tmp_dh(sctx, dh);
1104 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
1105 dhexpanded ? dhexpanded : US"default", dh_bitsize);
1117 /*************************************************
1118 * Initialize for ECDH *
1119 *************************************************/
1121 /* Load parameters for ECDH encryption.
1123 For now, we stick to NIST P-256 because: it's simple and easy to configure;
1124 it avoids any patent issues that might bite redistributors; despite events in
1125 the news and concerns over curve choices, we're not cryptographers, we're not
1126 pretending to be, and this is "good enough" to be better than no support,
1127 protecting against most adversaries. Given another year or two, there might
1128 be sufficient clarity about a "right" way forward to let us make an informed
1129 decision, instead of a knee-jerk reaction.
1131 Longer-term, we should look at supporting both various named curves and
1132 external files generated with "openssl ecparam", much as we do for init_dh().
1133 We should also support "none" as a value, to explicitly avoid initialisation.
1138 sctx The current SSL CTX (inbound or outbound)
1139 host connected host, if client; NULL if server
1140 errstr error string pointer
1142 Returns: TRUE if OK (nothing to set up, or setup worked)
1146 init_ecdh(SSL_CTX * sctx, host_item * host, uschar ** errstr)
1148 #ifdef OPENSSL_NO_ECDH
1157 if (host) /* No ECDH setup for clients, only for servers */
1160 # ifndef EXIM_HAVE_ECDH
1162 debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
1166 if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr))
1168 if (!exp_curve || !*exp_curve)
1171 /* "auto" needs to be handled carefully.
1172 * OpenSSL < 1.0.2: we do not select anything, but fallback to prime256v1
1173 * OpenSSL < 1.1.0: we have to call SSL_CTX_set_ecdh_auto
1174 * (openssl/ssl.h defines SSL_CTRL_SET_ECDH_AUTO)
1175 * OpenSSL >= 1.1.0: we do not set anything, the libray does autoselection
1176 * https://github.com/openssl/openssl/commit/fe6ef2472db933f01b59cad82aa925736935984b
1178 if (Ustrcmp(exp_curve, "auto") == 0)
1180 #if OPENSSL_VERSION_NUMBER < 0x10002000L
1181 DEBUG(D_tls) debug_printf(
1182 "ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n");
1183 exp_curve = US"prime256v1";
1185 # if defined SSL_CTRL_SET_ECDH_AUTO
1186 DEBUG(D_tls) debug_printf(
1187 "ECDH OpenSSL 1.0.2+ temp key parameter settings: autoselection\n");
1188 SSL_CTX_set_ecdh_auto(sctx, 1);
1191 DEBUG(D_tls) debug_printf(
1192 "ECDH OpenSSL 1.1.0+ temp key parameter settings: default selection\n");
1198 DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve);
1199 if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef
1200 # ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
1201 && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef
1205 tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve),
1206 host, NULL, errstr);
1210 if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
1212 tls_error(US"Unable to create ec curve", host, NULL, errstr);
1216 /* The "tmp" in the name here refers to setting a temporary key
1217 not to the stability of the interface. */
1219 if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
1220 tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL, errstr);
1222 DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
1227 # endif /*EXIM_HAVE_ECDH*/
1228 #endif /*OPENSSL_NO_ECDH*/
1234 #ifndef DISABLE_OCSP
1235 /*************************************************
1236 * Load OCSP information into state *
1237 *************************************************/
1238 /* Called to load the server OCSP response from the given file into memory, once
1239 caller has determined this is needed. Checks validity. Debugs a message
1242 ASSUMES: single response, for single cert.
1245 sctx the SSL_CTX* to update
1246 cbinfo various parts of session state
1247 filename the filename putatively holding an OCSP response
1248 is_pem file is PEM format; otherwise is DER
1253 ocsp_load_response(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo,
1254 const uschar * filename, BOOL is_pem)
1257 OCSP_RESPONSE * resp;
1258 OCSP_BASICRESP * basic_response;
1259 OCSP_SINGLERESP * single_response;
1260 ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
1261 STACK_OF(X509) * sk;
1262 unsigned long verify_flags;
1263 int status, reason, i;
1266 debug_printf("tls_ocsp_file (%s) '%s'\n", is_pem ? "PEM" : "DER", filename);
1268 if (!(bio = BIO_new_file(CS filename, "rb")))
1270 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
1277 uschar * data, * freep;
1280 if (!PEM_read_bio(bio, &dummy, &dummy, &data, &len))
1282 DEBUG(D_tls) debug_printf("Failed to read PEM file \"%s\"\n",
1286 debug_printf("read pem file\n");
1288 resp = d2i_OCSP_RESPONSE(NULL, CUSS &data, len);
1289 OPENSSL_free(freep);
1292 resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
1297 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
1301 if ((status = OCSP_response_status(resp)) != OCSP_RESPONSE_STATUS_SUCCESSFUL)
1303 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
1304 OCSP_response_status_str(status), status);
1310 BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
1311 OCSP_RESPONSE_print(bp, resp, 0); /* extreme debug: stapling content */
1316 if (!(basic_response = OCSP_response_get1_basic(resp)))
1319 debug_printf("OCSP response parse error: unable to extract basic response.\n");
1323 sk = cbinfo->verify_stack;
1324 verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
1326 /* May need to expose ability to adjust those flags?
1327 OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
1328 OCSP_TRUSTOTHER OCSP_NOINTERN */
1330 /* This does a full verify on the OCSP proof before we load it for serving
1331 up; possibly overkill - just date-checks might be nice enough.
1333 OCSP_basic_verify takes a "store" arg, but does not
1334 use it for the chain verification, which is all we do
1335 when OCSP_NOVERIFY is set. The content from the wire
1336 "basic_response" and a cert-stack "sk" are all that is used.
1338 We have a stack, loaded in setup_certs() if tls_verify_certificates
1339 was a file (not a directory, or "system"). It is unfortunate we
1340 cannot used the connection context store, as that would neatly
1341 handle the "system" case too, but there seems to be no library
1342 function for getting a stack from a store.
1343 [ In OpenSSL 1.1 - ? X509_STORE_CTX_get0_chain(ctx) ? ]
1344 We do not free the stack since it could be needed a second time for
1347 Separately we might try to replace using OCSP_basic_verify() - which seems to not
1348 be a public interface into the OpenSSL library (there's no manual entry) -
1349 But what with? We also use OCSP_basic_verify in the client stapling callback.
1350 And there we NEED it; we must verify that status... unless the
1351 library does it for us anyway? */
1353 if ((i = OCSP_basic_verify(basic_response, sk, NULL, verify_flags)) < 0)
1357 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
1358 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
1363 /* Here's the simplifying assumption: there's only one response, for the
1364 one certificate we use, and nothing for anything else in a chain. If this
1365 proves false, we need to extract a cert id from our issued cert
1366 (tls_certificate) and use that for OCSP_resp_find_status() (which finds the
1367 right cert in the stack and then calls OCSP_single_get0_status()).
1369 I'm hoping to avoid reworking a bunch more of how we handle state here.
1371 XXX that will change when we add support for (TLS1.3) whole-chain stapling
1374 if (!(single_response = OCSP_resp_get0(basic_response, 0)))
1377 debug_printf("Unable to get first response from OCSP basic response.\n");
1381 status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
1382 if (status != V_OCSP_CERTSTATUS_GOOD)
1384 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
1385 OCSP_cert_status_str(status), status,
1386 OCSP_crl_reason_str(reason), reason);
1390 if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1392 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
1397 /* Add the resp to the list used by tls_server_stapling_cb() */
1399 ocsp_resplist ** op = &cbinfo->u_ocsp.server.olist, * oentry;
1400 while (oentry = *op)
1402 *op = oentry = store_get(sizeof(ocsp_resplist), FALSE);
1403 oentry->next = NULL;
1404 oentry->resp = resp;
1409 if (f.running_in_test_harness)
1411 extern char ** environ;
1412 if (environ) for (uschar ** p = USS environ; *p; p++)
1413 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
1415 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
1416 goto supply_response;
1424 ocsp_free_response_list(tls_ext_ctx_cb * cbinfo)
1426 for (ocsp_resplist * olist = cbinfo->u_ocsp.server.olist; olist;
1427 olist = olist->next)
1428 OCSP_RESPONSE_free(olist->resp);
1429 cbinfo->u_ocsp.server.olist = NULL;
1431 #endif /*!DISABLE_OCSP*/
1436 /* Create and install a selfsigned certificate, for use in server mode */
1439 tls_install_selfsign(SSL_CTX * sctx, uschar ** errstr)
1447 where = US"allocating pkey";
1448 if (!(pkey = EVP_PKEY_new()))
1451 where = US"allocating cert";
1452 if (!(x509 = X509_new()))
1455 where = US"generating pkey";
1456 if (!(rsa = rsa_callback(NULL, 0, 2048)))
1459 where = US"assigning pkey";
1460 if (!EVP_PKEY_assign_RSA(pkey, rsa))
1463 X509_set_version(x509, 2); /* N+1 - version 3 */
1464 ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
1465 X509_gmtime_adj(X509_get_notBefore(x509), 0);
1466 X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60); /* 1 hour */
1467 X509_set_pubkey(x509, pkey);
1469 name = X509_get_subject_name(x509);
1470 X509_NAME_add_entry_by_txt(name, "C",
1471 MBSTRING_ASC, CUS "UK", -1, -1, 0);
1472 X509_NAME_add_entry_by_txt(name, "O",
1473 MBSTRING_ASC, CUS "Exim Developers", -1, -1, 0);
1474 X509_NAME_add_entry_by_txt(name, "CN",
1475 MBSTRING_ASC, CUS smtp_active_hostname, -1, -1, 0);
1476 X509_set_issuer_name(x509, name);
1478 where = US"signing cert";
1479 if (!X509_sign(x509, pkey, EVP_md5()))
1482 where = US"installing selfsign cert";
1483 if (!SSL_CTX_use_certificate(sctx, x509))
1486 where = US"installing selfsign key";
1487 if (!SSL_CTX_use_PrivateKey(sctx, pkey))
1493 (void) tls_error(where, NULL, NULL, errstr);
1494 if (x509) X509_free(x509);
1495 if (pkey) EVP_PKEY_free(pkey);
1503 tls_add_certfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1506 DEBUG(D_tls) debug_printf("tls_certificate file '%s'\n", file);
1507 if (!SSL_CTX_use_certificate_chain_file(sctx, CS file))
1508 return tls_error(string_sprintf(
1509 "SSL_CTX_use_certificate_chain_file file=%s", file),
1510 cbinfo->host, NULL, errstr);
1515 tls_add_pkeyfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1518 DEBUG(D_tls) debug_printf("tls_privatekey file '%s'\n", file);
1519 if (!SSL_CTX_use_PrivateKey_file(sctx, CS file, SSL_FILETYPE_PEM))
1520 return tls_error(string_sprintf(
1521 "SSL_CTX_use_PrivateKey_file file=%s", file), cbinfo->host, NULL, errstr);
1526 /*************************************************
1527 * Expand key and cert file specs *
1528 *************************************************/
1530 /* Called once during tls_init and possibly again during TLS setup, for a
1531 new context, if Server Name Indication was used and tls_sni was seen in
1532 the certificate string.
1535 sctx the SSL_CTX* to update
1536 cbinfo various parts of session state
1537 errstr error string pointer
1539 Returns: OK/DEFER/FAIL
1543 tls_expand_session_files(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo,
1548 if (!cbinfo->certificate)
1550 if (!cbinfo->is_server) /* client */
1553 if (tls_install_selfsign(sctx, errstr) != OK)
1560 if ( !reexpand_tls_files_for_sni
1561 && ( Ustrstr(cbinfo->certificate, US"tls_sni")
1562 || Ustrstr(cbinfo->certificate, US"tls_in_sni")
1563 || Ustrstr(cbinfo->certificate, US"tls_out_sni")
1565 reexpand_tls_files_for_sni = TRUE;
1567 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded, errstr))
1571 if (cbinfo->is_server)
1573 const uschar * file_list = expanded;
1576 #ifndef DISABLE_OCSP
1577 const uschar * olist = cbinfo->u_ocsp.server.file;
1580 BOOL fmt_pem = FALSE;
1583 if (!expand_check(olist, US"tls_ocsp_file", USS &olist, errstr))
1585 if (olist && !*olist)
1588 if ( cbinfo->u_ocsp.server.file_expanded && olist
1589 && (Ustrcmp(olist, cbinfo->u_ocsp.server.file_expanded) == 0))
1591 DEBUG(D_tls) debug_printf(" - value unchanged, using existing values\n");
1596 ocsp_free_response_list(cbinfo);
1597 cbinfo->u_ocsp.server.file_expanded = olist;
1601 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1603 if ((err = tls_add_certfile(sctx, cbinfo, file, errstr)))
1606 #ifndef DISABLE_OCSP
1608 if ((ofile = string_nextinlist(&olist, &osep, NULL, 0)))
1610 if (Ustrncmp(ofile, US"PEM ", 4) == 0)
1615 else if (Ustrncmp(ofile, US"DER ", 4) == 0)
1620 ocsp_load_response(sctx, cbinfo, ofile, fmt_pem);
1623 DEBUG(D_tls) debug_printf("ran out of ocsp file list\n");
1627 else /* would there ever be a need for multiple client certs? */
1628 if ((err = tls_add_certfile(sctx, cbinfo, expanded, errstr)))
1631 if ( cbinfo->privatekey
1632 && !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded, errstr))
1635 /* If expansion was forced to fail, key_expanded will be NULL. If the result
1636 of the expansion is an empty string, ignore it also, and assume the private
1637 key is in the same file as the certificate. */
1639 if (expanded && *expanded)
1640 if (cbinfo->is_server)
1642 const uschar * file_list = expanded;
1646 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1647 if ((err = tls_add_pkeyfile(sctx, cbinfo, file, errstr)))
1650 else /* would there ever be a need for multiple client certs? */
1651 if ((err = tls_add_pkeyfile(sctx, cbinfo, expanded, errstr)))
1661 /*************************************************
1662 * Callback to handle SNI *
1663 *************************************************/
1665 /* Called when acting as server during the TLS session setup if a Server Name
1666 Indication extension was sent by the client.
1668 API documentation is OpenSSL s_server.c implementation.
1671 s SSL* of the current session
1672 ad unknown (part of OpenSSL API) (unused)
1673 arg Callback of "our" registered data
1675 Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
1677 XXX might need to change to using ClientHello callback,
1678 per https://www.openssl.org/docs/manmaster/man3/SSL_client_hello_cb_fn.html
1681 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
1683 tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
1685 const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
1686 tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
1688 int old_pool = store_pool;
1689 uschar * dummy_errstr;
1692 return SSL_TLSEXT_ERR_OK;
1694 DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
1695 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
1697 /* Make the extension value available for expansion */
1698 store_pool = POOL_PERM;
1699 tls_in.sni = string_copy_taint(US servername, TRUE);
1700 store_pool = old_pool;
1702 if (!reexpand_tls_files_for_sni)
1703 return SSL_TLSEXT_ERR_OK;
1705 /* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
1706 not confident that memcpy wouldn't break some internal reference counting.
1707 Especially since there's a references struct member, which would be off. */
1709 #ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1710 if (!(server_sni = SSL_CTX_new(TLS_server_method())))
1712 if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
1715 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
1716 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
1720 /* Not sure how many of these are actually needed, since SSL object
1721 already exists. Might even need this selfsame callback, for reneg? */
1723 SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
1724 SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
1725 SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
1726 SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
1727 SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
1728 SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
1730 if ( !init_dh(server_sni, cbinfo->dhparam, NULL, &dummy_errstr)
1731 || !init_ecdh(server_sni, NULL, &dummy_errstr)
1735 if ( cbinfo->server_cipher_list
1736 && !SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list))
1739 #ifndef DISABLE_OCSP
1740 if (cbinfo->u_ocsp.server.file)
1742 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
1743 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
1747 if ((rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE,
1748 verify_callback_server, &dummy_errstr)) != OK)
1751 /* do this after setup_certs, because this can require the certs for verifying
1752 OCSP information. */
1753 if ((rc = tls_expand_session_files(server_sni, cbinfo, &dummy_errstr)) != OK)
1756 DEBUG(D_tls) debug_printf("Switching SSL context.\n");
1757 SSL_set_SSL_CTX(s, server_sni);
1758 return SSL_TLSEXT_ERR_OK;
1760 bad: return SSL_TLSEXT_ERR_ALERT_FATAL;
1762 #endif /* EXIM_HAVE_OPENSSL_TLSEXT */
1767 #ifndef DISABLE_OCSP
1769 /*************************************************
1770 * Callback to handle OCSP Stapling *
1771 *************************************************/
1773 /* Called when acting as server during the TLS session setup if the client
1774 requests OCSP information with a Certificate Status Request.
1776 Documentation via openssl s_server.c and the Apache patch from the OpenSSL
1782 tls_server_stapling_cb(SSL *s, void *arg)
1784 const tls_ext_ctx_cb * cbinfo = (tls_ext_ctx_cb *) arg;
1785 ocsp_resplist * olist = cbinfo->u_ocsp.server.olist;
1786 uschar * response_der; /*XXX blob */
1787 int response_der_len;
1790 debug_printf("Received TLS status request (OCSP stapling); %s response list\n",
1791 olist ? "have" : "lack");
1793 tls_in.ocsp = OCSP_NOT_RESP;
1795 return SSL_TLSEXT_ERR_NOACK;
1797 #ifdef EXIM_HAVE_OPESSL_GET0_SERIAL
1799 const X509 * cert_sent = SSL_get_certificate(s);
1800 const ASN1_INTEGER * cert_serial = X509_get0_serialNumber(cert_sent);
1801 const BIGNUM * cert_bn = ASN1_INTEGER_to_BN(cert_serial, NULL);
1802 const X509_NAME * cert_issuer = X509_get_issuer_name(cert_sent);
1806 for (; olist; olist = olist->next)
1808 OCSP_BASICRESP * bs = OCSP_response_get1_basic(olist->resp);
1809 const OCSP_SINGLERESP * single = OCSP_resp_get0(bs, 0);
1810 const OCSP_CERTID * cid = OCSP_SINGLERESP_get0_id(single);
1811 ASN1_INTEGER * res_cert_serial;
1812 const BIGNUM * resp_bn;
1813 ASN1_OCTET_STRING * res_cert_iNameHash;
1816 (void) OCSP_id_get0_info(&res_cert_iNameHash, NULL, NULL, &res_cert_serial,
1817 (OCSP_CERTID *) cid);
1818 resp_bn = ASN1_INTEGER_to_BN(res_cert_serial, NULL);
1822 debug_printf("cert serial: %s\n", BN_bn2hex(cert_bn));
1823 debug_printf("resp serial: %s\n", BN_bn2hex(resp_bn));
1826 if (BN_cmp(cert_bn, resp_bn) == 0)
1828 DEBUG(D_tls) debug_printf("matched serial for ocsp\n");
1830 /*XXX TODO: check the rest of the list for duplicate matches.
1831 If any, need to also check the Issuer Name hash.
1832 Without this, we will provide the wrong status in the case of
1837 DEBUG(D_tls) debug_printf("not match serial for ocsp\n");
1841 DEBUG(D_tls) debug_printf("failed to find match for ocsp\n");
1842 return SSL_TLSEXT_ERR_NOACK;
1848 DEBUG(D_tls) debug_printf("OpenSSL version too early to support multi-leaf OCSP\n");
1849 return SSL_TLSEXT_ERR_NOACK;
1853 /*XXX could we do the i2d earlier, rather than during the callback? */
1854 response_der = NULL;
1855 response_der_len = i2d_OCSP_RESPONSE(olist->resp, &response_der);
1856 if (response_der_len <= 0)
1857 return SSL_TLSEXT_ERR_NOACK;
1859 SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
1860 tls_in.ocsp = OCSP_VFIED;
1861 return SSL_TLSEXT_ERR_OK;
1866 time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
1868 BIO_printf(bp, "\t%s: ", str);
1869 ASN1_GENERALIZEDTIME_print(bp, time);
1874 tls_client_stapling_cb(SSL *s, void *arg)
1876 tls_ext_ctx_cb * cbinfo = arg;
1877 const unsigned char * p;
1879 OCSP_RESPONSE * rsp;
1880 OCSP_BASICRESP * bs;
1883 DEBUG(D_tls) debug_printf("Received TLS status callback (OCSP stapling):\n");
1884 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1887 /* Expect this when we requested ocsp but got none */
1888 if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
1889 log_write(0, LOG_MAIN, "Required TLS certificate status not received");
1891 DEBUG(D_tls) debug_printf(" null\n");
1892 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1895 if (!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
1897 tls_out.ocsp = OCSP_FAILED; /*XXX should use tlsp-> to permit concurrent outbound */
1898 if (LOGGING(tls_cipher))
1899 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
1901 DEBUG(D_tls) debug_printf(" parse error\n");
1905 if (!(bs = OCSP_response_get1_basic(rsp)))
1907 tls_out.ocsp = OCSP_FAILED;
1908 if (LOGGING(tls_cipher))
1909 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
1911 DEBUG(D_tls) debug_printf(" error parsing response\n");
1912 OCSP_RESPONSE_free(rsp);
1916 /* We'd check the nonce here if we'd put one in the request. */
1917 /* However that would defeat cacheability on the server so we don't. */
1919 /* This section of code reworked from OpenSSL apps source;
1920 The OpenSSL Project retains copyright:
1921 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
1925 #ifndef EXIM_HAVE_OCSP_RESP_COUNT
1926 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
1929 DEBUG(D_tls) bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
1931 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
1933 /* Use the chain that verified the server cert to verify the stapled info */
1934 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
1936 if ((i = OCSP_basic_verify(bs, cbinfo->verify_stack,
1937 cbinfo->u_ocsp.client.verify_store, OCSP_NOEXPLICIT)) <= 0)
1938 if (ERR_peek_error())
1940 tls_out.ocsp = OCSP_FAILED;
1941 if (LOGGING(tls_cipher)) log_write(0, LOG_MAIN,
1942 "Received TLS cert status response, itself unverifiable: %s",
1943 ERR_reason_error_string(ERR_peek_error()));
1944 BIO_printf(bp, "OCSP response verify failure\n");
1945 ERR_print_errors(bp);
1946 OCSP_RESPONSE_print(bp, rsp, 0);
1950 DEBUG(D_tls) debug_printf("no explicit trust for OCSP signing"
1951 " in the root CA certificate; ignoring\n");
1953 DEBUG(D_tls) debug_printf("OCSP response well-formed and signed OK\n");
1955 /*XXX So we have a good stapled OCSP status. How do we know
1956 it is for the cert of interest? OpenSSL 1.1.0 has a routine
1957 OCSP_resp_find_status() which matches on a cert id, which presumably
1958 we should use. Making an id needs OCSP_cert_id_new(), which takes
1959 issuerName, issuerKey, serialNumber. Are they all in the cert?
1961 For now, carry on blindly accepting the resp. */
1964 #ifdef EXIM_HAVE_OCSP_RESP_COUNT
1965 OCSP_resp_count(bs) - 1;
1967 sk_OCSP_SINGLERESP_num(sresp) - 1;
1971 OCSP_SINGLERESP * single = OCSP_resp_get0(bs, idx);
1973 ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
1975 /*XXX so I can see putting a loop in here to handle a rsp with >1 singleresp
1976 - but what happens with a GnuTLS-style input?
1978 we could do with a debug label for each singleresp
1979 - it has a certID with a serialNumber, but I see no API to get that
1981 status = OCSP_single_get0_status(single, &reason, &rev,
1982 &thisupd, &nextupd);
1984 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
1985 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
1986 if (!OCSP_check_validity(thisupd, nextupd,
1987 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1989 tls_out.ocsp = OCSP_FAILED;
1990 DEBUG(D_tls) ERR_print_errors(bp);
1991 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
1995 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
1996 OCSP_cert_status_str(status));
1999 case V_OCSP_CERTSTATUS_GOOD:
2000 continue; /* the idx loop */
2001 case V_OCSP_CERTSTATUS_REVOKED:
2002 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
2003 reason != -1 ? "; reason: " : "",
2004 reason != -1 ? OCSP_crl_reason_str(reason) : "");
2005 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
2008 log_write(0, LOG_MAIN,
2009 "Server certificate status unknown, in OCSP stapling");
2017 tls_out.ocsp = OCSP_VFIED;
2021 tls_out.ocsp = OCSP_FAILED;
2022 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
2027 OCSP_RESPONSE_free(rsp);
2030 #endif /*!DISABLE_OCSP*/
2033 /*************************************************
2034 * Initialize for TLS *
2035 *************************************************/
2038 tls_openssl_init(void)
2040 #ifdef EXIM_NEED_OPENSSL_INIT
2041 SSL_load_error_strings(); /* basic set up */
2042 OpenSSL_add_ssl_algorithms();
2045 #if defined(EXIM_HAVE_SHA256) && !defined(OPENSSL_AUTO_SHA256)
2046 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
2047 list of available digests. */
2048 EVP_add_digest(EVP_sha256());
2054 /* Called from both server and client code, to do preliminary initialization
2055 of the library. We allocate and return a context structure.
2058 ctxp returned SSL context
2059 host connected host, if client; NULL if server
2060 dhparam DH parameter file
2061 certificate certificate file
2062 privatekey private key
2063 ocsp_file file of stapling info (server); flag for require ocsp (client)
2064 addr address if client; NULL if server (for some randomness)
2065 cbp place to put allocated callback context
2066 errstr error string pointer
2068 Returns: OK/DEFER/FAIL
2072 tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
2074 #ifndef DISABLE_OCSP
2077 address_item *addr, tls_ext_ctx_cb ** cbp,
2084 tls_ext_ctx_cb * cbinfo;
2086 cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
2087 cbinfo->tlsp = tlsp;
2088 cbinfo->certificate = certificate;
2089 cbinfo->privatekey = privatekey;
2090 cbinfo->is_server = host==NULL;
2091 #ifndef DISABLE_OCSP
2092 cbinfo->verify_stack = NULL;
2095 cbinfo->u_ocsp.server.file = ocsp_file;
2096 cbinfo->u_ocsp.server.file_expanded = NULL;
2097 cbinfo->u_ocsp.server.olist = NULL;
2100 cbinfo->u_ocsp.client.verify_store = NULL;
2102 cbinfo->dhparam = dhparam;
2103 cbinfo->server_cipher_list = NULL;
2104 cbinfo->host = host;
2105 #ifndef DISABLE_EVENT
2106 cbinfo->event_action = NULL;
2111 /* Create a context.
2112 The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
2113 negotiation in the different methods; as far as I can tell, the only
2114 *_{server,client}_method which allows negotiation is SSLv23, which exists even
2115 when OpenSSL is built without SSLv2 support.
2116 By disabling with openssl_options, we can let admins re-enable with the
2119 #ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
2120 if (!(ctx = SSL_CTX_new(host ? TLS_client_method() : TLS_server_method())))
2122 if (!(ctx = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method())))
2124 return tls_error(US"SSL_CTX_new", host, NULL, errstr);
2126 /* It turns out that we need to seed the random number generator this early in
2127 order to get the full complement of ciphers to work. It took me roughly a day
2128 of work to discover this by experiment.
2130 On systems that have /dev/urandom, SSL may automatically seed itself from
2131 there. Otherwise, we have to make something up as best we can. Double check
2137 gettimeofday(&r.tv, NULL);
2140 RAND_seed(US (&r), sizeof(r));
2141 RAND_seed(US big_buffer, big_buffer_size);
2142 if (addr != NULL) RAND_seed(US addr, sizeof(addr));
2145 return tls_error(US"RAND_status", host,
2146 US"unable to seed random number generator", errstr);
2149 /* Set up the information callback, which outputs if debugging is at a suitable
2154 SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
2155 #if defined(EXIM_HAVE_OPESSL_TRACE) && !defined(OPENSSL_NO_SSL_TRACE)
2156 /* this needs a debug build of OpenSSL */
2157 SSL_CTX_set_msg_callback(ctx, (void (*)())SSL_trace);
2159 #ifdef OPENSSL_HAVE_KEYLOG_CB
2160 SSL_CTX_set_keylog_callback(ctx, (void (*)())keylog_callback);
2164 /* Automatically re-try reads/writes after renegotiation. */
2165 (void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
2167 /* Apply administrator-supplied work-arounds.
2168 Historically we applied just one requested option,
2169 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
2170 moved to an administrator-controlled list of options to specify and
2171 grandfathered in the first one as the default value for "openssl_options".
2173 No OpenSSL version number checks: the options we accept depend upon the
2174 availability of the option value macros from OpenSSL. */
2176 if (!tls_openssl_options_parse(openssl_options, &init_options))
2177 return tls_error(US"openssl_options parsing failed", host, NULL, errstr);
2179 #ifdef EXPERIMENTAL_TLS_RESUME
2180 tlsp->resumption = RESUME_SUPPORTED;
2184 #ifdef EXPERIMENTAL_TLS_RESUME
2185 /* Should the server offer session resumption? */
2186 if (!host && verify_check_host(&tls_resumption_hosts) == OK)
2188 DEBUG(D_tls) debug_printf("tls_resumption_hosts overrides openssl_options\n");
2189 init_options &= ~SSL_OP_NO_TICKET;
2190 tlsp->resumption |= RESUME_SERVER_TICKET; /* server will give ticket on request */
2191 tlsp->host_resumable = TRUE;
2195 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
2196 if (!(SSL_CTX_set_options(ctx, init_options)))
2197 return tls_error(string_sprintf(
2198 "SSL_CTX_set_option(%#lx)", init_options), host, NULL, errstr);
2201 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
2203 /* We'd like to disable session cache unconditionally, but foolish Outlook
2204 Express clients then give up the first TLS connection and make a second one
2205 (which works). Only when there is an IMAP service on the same machine.
2206 Presumably OE is trying to use the cache for A on B. Leave it enabled for
2207 now, until we work out a decent way of presenting control to the config. It
2208 will never be used because we use a new context every time. */
2210 (void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
2213 /* Initialize with DH parameters if supplied */
2214 /* Initialize ECDH temp key parameter selection */
2216 if ( !init_dh(ctx, dhparam, host, errstr)
2217 || !init_ecdh(ctx, host, errstr)
2221 /* Set up certificate and key (and perhaps OCSP info) */
2223 if ((rc = tls_expand_session_files(ctx, cbinfo, errstr)) != OK)
2226 /* If we need to handle SNI or OCSP, do so */
2228 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
2229 # ifndef DISABLE_OCSP
2230 if (!(cbinfo->verify_stack = sk_X509_new_null()))
2232 DEBUG(D_tls) debug_printf("failed to create stack for stapling verify\n");
2237 if (!host) /* server */
2239 # ifndef DISABLE_OCSP
2240 /* We check u_ocsp.server.file, not server.olist, because we care about if
2241 the option exists, not what the current expansion might be, as SNI might
2242 change the certificate and OCSP file in use between now and the time the
2243 callback is invoked. */
2244 if (cbinfo->u_ocsp.server.file)
2246 SSL_CTX_set_tlsext_status_cb(ctx, tls_server_stapling_cb);
2247 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
2250 /* We always do this, so that $tls_sni is available even if not used in
2252 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
2253 SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
2255 # ifndef DISABLE_OCSP
2257 if(ocsp_file) /* wanting stapling */
2259 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
2261 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
2264 SSL_CTX_set_tlsext_status_cb(ctx, tls_client_stapling_cb);
2265 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
2270 cbinfo->verify_cert_hostnames = NULL;
2272 #ifdef EXIM_HAVE_EPHEM_RSA_KEX
2273 /* Set up the RSA callback */
2274 SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
2277 /* Finally, set the session cache timeout, and we are done.
2278 The period appears to be also used for (server-generated) session tickets */
2280 SSL_CTX_set_timeout(ctx, ssl_session_timeout);
2281 DEBUG(D_tls) debug_printf("Initialized TLS\n");
2292 /*************************************************
2293 * Get name of cipher in use *
2294 *************************************************/
2297 Argument: pointer to an SSL structure for the connection
2298 pointer to number of bits for cipher
2299 Returns: pointer to allocated string in perm-pool
2303 construct_cipher_name(SSL * ssl, const uschar * ver, int * bits)
2305 int pool = store_pool;
2306 /* With OpenSSL 1.0.0a, 'c' needs to be const but the documentation doesn't
2307 yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
2308 the accessor functions use const in the prototype. */
2310 const SSL_CIPHER * c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
2313 SSL_CIPHER_get_bits(c, bits);
2315 store_pool = POOL_PERM;
2316 s = string_sprintf("%s:%s:%u", ver, SSL_CIPHER_get_name(c), *bits);
2318 DEBUG(D_tls) debug_printf("Cipher: %s\n", s);
2323 /* Get IETF-standard name for ciphersuite.
2324 Argument: pointer to an SSL structure for the connection
2325 Returns: pointer to string
2328 static const uschar *
2329 cipher_stdname_ssl(SSL * ssl)
2331 #ifdef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
2332 return CUS SSL_CIPHER_standard_name(SSL_get_current_cipher(ssl));
2334 ushort id = 0xffff & SSL_CIPHER_get_id(SSL_get_current_cipher(ssl));
2335 return cipher_stdname(id >> 8, id & 0xff);
2340 static const uschar *
2341 tlsver_name(SSL * ssl)
2344 int pool = store_pool;
2346 store_pool = POOL_PERM;
2347 s = string_copy(US SSL_get_version(ssl));
2349 if ((p = Ustrchr(s, 'v'))) /* TLSv1.2 -> TLS1.2 */
2350 for (;; p++) if (!(*p = p[1])) break;
2356 peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned siz)
2358 /*XXX we might consider a list-of-certs variable for the cert chain.
2359 SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
2360 in list-handling functions, also consider the difference between the entire
2361 chain and the elements sent by the peer. */
2363 tlsp->peerdn = NULL;
2365 /* Will have already noted peercert on a verify fail; possibly not the leaf */
2366 if (!tlsp->peercert)
2367 tlsp->peercert = SSL_get_peer_certificate(ssl);
2368 /* Beware anonymous ciphers which lead to server_cert being NULL */
2370 if (!X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, siz))
2371 { DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n"); }
2374 int oldpool = store_pool;
2376 peerdn[siz-1] = '\0'; /* paranoia */
2377 store_pool = POOL_PERM;
2378 tlsp->peerdn = string_copy(peerdn);
2379 store_pool = oldpool;
2381 /* We used to set CV in the cert-verify callbacks (either plain or dane)
2382 but they don't get called on session-resumption. So use the official
2383 interface, which uses the resumed value. Unfortunately this claims verified
2384 when it actually failed but we're in try-verify mode, due to us wanting the
2385 knowlege that it failed so needing to have the callback and forcing a
2386 permissive return. If we don't force it, the TLS startup is failed.
2387 The extra bit of information is set in verify_override in the cb, stashed
2388 for resumption next to the TLS session, and used here. */
2390 if (!tlsp->verify_override)
2391 tlsp->certificate_verified =
2393 tlsp->dane_verified ||
2395 SSL_get_verify_result(ssl) == X509_V_OK;
2403 /*************************************************
2404 * Set up for verifying certificates *
2405 *************************************************/
2407 #ifndef DISABLE_OCSP
2408 /* Load certs from file, return TRUE on success */
2411 chain_from_pem_file(const uschar * file, STACK_OF(X509) * verify_stack)
2416 while (sk_X509_num(verify_stack) > 0)
2417 X509_free(sk_X509_pop(verify_stack));
2419 if (!(bp = BIO_new_file(CS file, "r"))) return FALSE;
2420 while ((x = PEM_read_bio_X509(bp, NULL, 0, NULL)))
2421 sk_X509_push(verify_stack, x);
2429 /* Called by both client and server startup; on the server possibly
2430 repeated after a Server Name Indication.
2433 sctx SSL_CTX* to initialise
2434 certs certs file or NULL
2435 crl CRL file or NULL
2436 host NULL in a server; the remote host in a client
2437 optional TRUE if called from a server for a host in tls_try_verify_hosts;
2438 otherwise passed as FALSE
2439 cert_vfy_cb Callback function for certificate verification
2440 errstr error string pointer
2442 Returns: OK/DEFER/FAIL
2446 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
2447 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr)
2449 uschar *expcerts, *expcrl;
2451 if (!expand_check(certs, US"tls_verify_certificates", &expcerts, errstr))
2453 DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
2455 if (expcerts && *expcerts)
2457 /* Tell the library to use its compiled-in location for the system default
2458 CA bundle. Then add the ones specified in the config, if any. */
2460 if (!SSL_CTX_set_default_verify_paths(sctx))
2461 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL, errstr);
2463 if (Ustrcmp(expcerts, "system") != 0)
2465 struct stat statbuf;
2467 if (Ustat(expcerts, &statbuf) < 0)
2469 log_write(0, LOG_MAIN|LOG_PANIC,
2470 "failed to stat %s for certificates", expcerts);
2476 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
2477 { file = NULL; dir = expcerts; }
2480 file = expcerts; dir = NULL;
2481 #ifndef DISABLE_OCSP
2482 /* In the server if we will be offering an OCSP proof, load chain from
2483 file for verifying the OCSP proof at load time. */
2485 /*XXX Glitch! The file here is tls_verify_certs: the chain for verifying the client cert.
2486 This is inconsistent with the need to verify the OCSP proof of the server cert.
2490 && statbuf.st_size > 0
2491 && server_static_cbinfo->u_ocsp.server.file
2492 && !chain_from_pem_file(file, server_static_cbinfo->verify_stack)
2495 log_write(0, LOG_MAIN|LOG_PANIC,
2496 "failed to load cert chain from %s", file);
2502 /* If a certificate file is empty, the load function fails with an
2503 unhelpful error message. If we skip it, we get the correct behaviour (no
2504 certificates are recognized, but the error message is still misleading (it
2505 says no certificate was supplied). But this is better. */
2507 if ( (!file || statbuf.st_size > 0)
2508 && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
2509 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL, errstr);
2511 /* On the server load the list of CAs for which we will accept certs, for
2512 sending to the client. This is only for the one-file
2513 tls_verify_certificates variant.
2514 If a list isn't loaded into the server, but some verify locations are set,
2515 the server end appears to make a wildcard request for client certs.
2516 Meanwhile, the client library as default behaviour *ignores* the list
2517 we send over the wire - see man SSL_CTX_set_client_cert_cb.
2518 Because of this, and that the dir variant is likely only used for
2519 the public-CA bundle (not for a private CA), not worth fixing. */
2523 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
2525 if (!host) SSL_CTX_set_client_CA_list(sctx, names);
2526 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
2527 sk_X509_NAME_num(names));
2532 /* Handle a certificate revocation list. */
2534 #if OPENSSL_VERSION_NUMBER > 0x00907000L
2536 /* This bit of code is now the version supplied by Lars Mainka. (I have
2537 merely reformatted it into the Exim code style.)
2539 "From here I changed the code to add support for multiple crl's
2540 in pem format in one file or to support hashed directory entries in
2541 pem format instead of a file. This method now uses the library function
2542 X509_STORE_load_locations to add the CRL location to the SSL context.
2543 OpenSSL will then handle the verify against CA certs and CRLs by
2544 itself in the verify callback." */
2546 if (!expand_check(crl, US"tls_crl", &expcrl, errstr)) return DEFER;
2547 if (expcrl && *expcrl)
2549 struct stat statbufcrl;
2550 if (Ustat(expcrl, &statbufcrl) < 0)
2552 log_write(0, LOG_MAIN|LOG_PANIC,
2553 "failed to stat %s for certificates revocation lists", expcrl);
2558 /* is it a file or directory? */
2560 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
2561 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
2565 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
2571 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
2573 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
2574 return tls_error(US"X509_STORE_load_locations", host, NULL, errstr);
2576 /* setting the flags to check against the complete crl chain */
2578 X509_STORE_set_flags(cvstore,
2579 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
2583 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
2585 /* If verification is optional, don't fail if no certificate */
2587 SSL_CTX_set_verify(sctx,
2588 SSL_VERIFY_PEER | (optional ? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
2597 /*************************************************
2598 * Start a TLS session in a server *
2599 *************************************************/
2601 /* This is called when Exim is running as a server, after having received
2602 the STARTTLS command. It must respond to that command, and then negotiate
2606 require_ciphers allowed ciphers
2607 errstr pointer to error message
2609 Returns: OK on success
2610 DEFER for errors before the start of the negotiation
2611 FAIL for errors during the negotiation; the server can't
2616 tls_server_start(const uschar * require_ciphers, uschar ** errstr)
2619 uschar * expciphers;
2620 tls_ext_ctx_cb * cbinfo;
2621 static uschar peerdn[256];
2623 /* Check for previous activation */
2625 if (tls_in.active.sock >= 0)
2627 tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
2628 smtp_printf("554 Already in TLS\r\n", FALSE);
2632 /* Initialize the SSL library. If it fails, it will already have logged
2635 rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
2636 #ifndef DISABLE_OCSP
2639 NULL, &server_static_cbinfo, &tls_in, errstr);
2640 if (rc != OK) return rc;
2641 cbinfo = server_static_cbinfo;
2643 if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers, errstr))
2646 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
2647 were historically separated by underscores. So that I can use either form in my
2648 tests, and also for general convenience, we turn underscores into hyphens here.
2650 XXX SSL_CTX_set_cipher_list() is replaced by SSL_CTX_set_ciphersuites()
2651 for TLS 1.3 . Since we do not call it at present we get the default list:
2652 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
2657 for (uschar * s = expciphers; *s; s++ ) if (*s == '_') *s = '-';
2658 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
2659 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
2660 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL, errstr);
2661 cbinfo->server_cipher_list = expciphers;
2664 /* If this is a host for which certificate verification is mandatory or
2665 optional, set up appropriately. */
2667 tls_in.certificate_verified = FALSE;
2669 tls_in.dane_verified = FALSE;
2671 server_verify_callback_called = FALSE;
2673 if (verify_check_host(&tls_verify_hosts) == OK)
2675 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
2676 FALSE, verify_callback_server, errstr);
2677 if (rc != OK) return rc;
2678 server_verify_optional = FALSE;
2680 else if (verify_check_host(&tls_try_verify_hosts) == OK)
2682 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
2683 TRUE, verify_callback_server, errstr);
2684 if (rc != OK) return rc;
2685 server_verify_optional = TRUE;
2688 #ifdef EXPERIMENTAL_TLS_RESUME
2689 SSL_CTX_set_tlsext_ticket_key_cb(server_ctx, ticket_key_callback);
2690 /* despite working, appears to always return failure, so ignoring */
2692 #ifdef OPENSSL_HAVE_NUM_TICKETS
2693 # ifdef EXPERIMENTAL_TLS_RESUME
2694 SSL_CTX_set_num_tickets(server_ctx, tls_in.host_resumable ? 1 : 0);
2696 SSL_CTX_set_num_tickets(server_ctx, 0); /* send no TLS1.3 stateful-tickets */
2701 /* Prepare for new connection */
2703 if (!(server_ssl = SSL_new(server_ctx)))
2704 return tls_error(US"SSL_new", NULL, NULL, errstr);
2706 /* Warning: we used to SSL_clear(ssl) here, it was removed.
2708 * With the SSL_clear(), we get strange interoperability bugs with
2709 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
2710 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
2712 * The SSL_clear() call is to let an existing SSL* be reused, typically after
2713 * session shutdown. In this case, we have a brand new object and there's no
2714 * obvious reason to immediately clear it. I'm guessing that this was
2715 * originally added because of incomplete initialisation which the clear fixed,
2716 * in some historic release.
2719 /* Set context and tell client to go ahead, except in the case of TLS startup
2720 on connection, where outputting anything now upsets the clients and tends to
2721 make them disconnect. We need to have an explicit fflush() here, to force out
2722 the response. Other smtp_printf() calls do not need it, because in non-TLS
2723 mode, the fflush() happens when smtp_getc() is called. */
2725 SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
2726 if (!tls_in.on_connect)
2728 smtp_printf("220 TLS go ahead\r\n", FALSE);
2732 /* Now negotiate the TLS session. We put our own timer on it, since it seems
2733 that the OpenSSL library doesn't. */
2735 SSL_set_wfd(server_ssl, fileno(smtp_out));
2736 SSL_set_rfd(server_ssl, fileno(smtp_in));
2737 SSL_set_accept_state(server_ssl);
2739 DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
2741 sigalrm_seen = FALSE;
2742 if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
2743 rc = SSL_accept(server_ssl);
2748 int error = SSL_get_error(server_ssl, rc);
2751 case SSL_ERROR_NONE:
2754 case SSL_ERROR_ZERO_RETURN:
2755 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2756 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
2758 if (SSL_get_shutdown(server_ssl) == SSL_RECEIVED_SHUTDOWN)
2759 SSL_shutdown(server_ssl);
2761 tls_close(NULL, TLS_NO_SHUTDOWN);
2764 /* Handle genuine errors */
2767 uschar * s = US"SSL_accept";
2768 int r = ERR_GET_REASON(ERR_peek_error());
2769 if ( r == SSL_R_WRONG_VERSION_NUMBER
2770 #ifdef SSL_R_VERSION_TOO_LOW
2771 || r == SSL_R_VERSION_TOO_LOW
2773 || r == SSL_R_UNKNOWN_PROTOCOL || r == SSL_R_UNSUPPORTED_PROTOCOL)
2774 s = string_sprintf("%s (%s)", s, SSL_get_version(server_ssl));
2775 (void) tls_error(s, NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
2780 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
2781 if (error == SSL_ERROR_SYSCALL)
2785 *errstr = US"SSL_accept: TCP connection closed by peer";
2788 DEBUG(D_tls) debug_printf(" - syscall %s\n", strerror(errno));
2790 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
2795 DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
2796 ERR_clear_error(); /* Even success can leave errors in the stack. Seen with
2797 anon-authentication ciphersuite negotiated. */
2799 #ifdef EXPERIMENTAL_TLS_RESUME
2800 if (SSL_session_reused(server_ssl))
2802 tls_in.resumption |= RESUME_USED;
2803 DEBUG(D_tls) debug_printf("Session reused\n");
2807 /* TLS has been set up. Record data for the connection,
2808 adjust the input functions to read via TLS, and initialize things. */
2810 #ifdef SSL_get_extms_support
2811 tls_in.ext_master_secret = SSL_get_extms_support(server_ssl) == 1;
2813 peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
2815 tls_in.ver = tlsver_name(server_ssl);
2816 tls_in.cipher = construct_cipher_name(server_ssl, tls_in.ver, &tls_in.bits);
2817 tls_in.cipher_stdname = cipher_stdname_ssl(server_ssl);
2822 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)))
2823 debug_printf("Shared ciphers: %s\n", buf);
2825 #ifdef EXIM_HAVE_OPENSSL_KEYLOG
2827 BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
2828 SSL_SESSION_print_keylog(bp, SSL_get_session(server_ssl));
2833 #ifdef EXIM_HAVE_SESSION_TICKET
2835 SSL_SESSION * ss = SSL_get_session(server_ssl);
2836 if (SSL_SESSION_has_ticket(ss)) /* 1.1.0 */
2837 debug_printf("The session has a ticket, life %lu seconds\n",
2838 SSL_SESSION_get_ticket_lifetime_hint(ss));
2843 /* Record the certificate we presented */
2845 X509 * crt = SSL_get_certificate(server_ssl);
2846 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
2849 /* Channel-binding info for authenticators
2850 See description in https://paquier.xyz/postgresql-2/channel-binding-openssl/ */
2853 size_t len = SSL_get_peer_finished(server_ssl, &c, 0);
2854 int old_pool = store_pool;
2856 SSL_get_peer_finished(server_ssl, s = store_get((int)len, FALSE), len);
2857 store_pool = POOL_PERM;
2858 tls_in.channelbinding = b64encode_taint(CUS s, (int)len, FALSE);
2859 store_pool = old_pool;
2860 DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage %p\n", tls_in.channelbinding);
2863 /* Only used by the server-side tls (tls_in), including tls_getc.
2864 Client-side (tls_out) reads (seem to?) go via
2865 smtp_read_response()/ip_recv().
2866 Hence no need to duplicate for _in and _out.
2868 if (!ssl_xfer_buffer) ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
2869 ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
2870 ssl_xfer_eof = ssl_xfer_error = FALSE;
2872 receive_getc = tls_getc;
2873 receive_getbuf = tls_getbuf;
2874 receive_get_cache = tls_get_cache;
2875 receive_ungetc = tls_ungetc;
2876 receive_feof = tls_feof;
2877 receive_ferror = tls_ferror;
2878 receive_smtp_buffered = tls_smtp_buffered;
2880 tls_in.active.sock = fileno(smtp_out);
2881 tls_in.active.tls_ctx = NULL; /* not using explicit ctx for server-side */
2889 tls_client_basic_ctx_init(SSL_CTX * ctx,
2890 host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo,
2894 /* stick to the old behaviour for compatibility if tls_verify_certificates is
2895 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
2896 the specified host patterns if one of them is defined */
2898 if ( ( !ob->tls_verify_hosts
2899 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2901 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
2903 client_verify_optional = FALSE;
2904 else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
2905 client_verify_optional = TRUE;
2909 if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
2910 ob->tls_crl, host, client_verify_optional, verify_callback_client,
2914 if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
2916 cbinfo->verify_cert_hostnames =
2918 string_domain_utf8_to_alabel(host->name, NULL);
2922 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
2923 cbinfo->verify_cert_hostnames);
2931 dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa, uschar ** errstr)
2934 const char * hostnames[2] = { CS host->name, NULL };
2937 if (DANESSL_init(ssl, NULL, hostnames) != 1)
2938 return tls_error(US"hostnames load", host, NULL, errstr);
2940 for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
2941 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
2942 ) if (rr->type == T_TLSA && rr->size > 3)
2944 const uschar * p = rr->data;
2945 uint8_t usage, selector, mtype;
2946 const char * mdname;
2950 /* Only DANE-TA(2) and DANE-EE(3) are supported */
2951 if (usage != 2 && usage != 3) continue;
2958 default: continue; /* Only match-types 0, 1, 2 are supported */
2959 case 0: mdname = NULL; break;
2960 case 1: mdname = "sha256"; break;
2961 case 2: mdname = "sha512"; break;
2965 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
2968 return tls_error(US"tlsa load", host, NULL, errstr);
2969 case 0: /* action not taken */
2973 tls_out.tlsa_usage |= 1<<usage;
2979 log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
2982 #endif /*SUPPORT_DANE*/
2986 #ifdef EXPERIMENTAL_TLS_RESUME
2987 /* On the client, get any stashed session for the given IP from hints db
2988 and apply it to the ssl-connection for attempted resumption. */
2991 tls_retrieve_session(tls_support * tlsp, SSL * ssl, const uschar * key)
2993 tlsp->resumption |= RESUME_SUPPORTED;
2994 if (tlsp->host_resumable)
2996 dbdata_tls_session * dt;
2998 open_db dbblock, * dbm_file;
3000 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
3001 DEBUG(D_tls) debug_printf("checking for resumable session for %s\n", key);
3002 if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
3004 /* key for the db is the IP */
3005 if ((dt = dbfn_read_with_length(dbm_file, key, &len)))
3007 SSL_SESSION * ss = NULL;
3008 const uschar * sess_asn1 = dt->session;
3010 len -= sizeof(dbdata_tls_session);
3011 if (!(d2i_SSL_SESSION(&ss, &sess_asn1, (long)len)))
3015 ERR_error_string_n(ERR_get_error(),
3016 ssl_errstring, sizeof(ssl_errstring));
3017 debug_printf("decoding session: %s\n", ssl_errstring);
3020 #ifdef EXIM_HAVE_SESSION_TICKET
3021 else if ( SSL_SESSION_get_ticket_lifetime_hint(ss) + dt->time_stamp
3024 DEBUG(D_tls) debug_printf("session expired\n");
3025 dbfn_delete(dbm_file, key);
3028 else if (!SSL_set_session(ssl, ss))
3032 ERR_error_string_n(ERR_get_error(),
3033 ssl_errstring, sizeof(ssl_errstring));
3034 debug_printf("applying session to ssl: %s\n", ssl_errstring);
3039 DEBUG(D_tls) debug_printf("good session\n");
3040 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
3041 tlsp->verify_override = dt->verify_override;
3042 tlsp->ocsp = dt->ocsp;
3046 DEBUG(D_tls) debug_printf("no session record\n");
3047 dbfn_close(dbm_file);
3053 /* On the client, save the session for later resumption */
3056 tls_save_session_cb(SSL * ssl, SSL_SESSION * ss)
3058 tls_ext_ctx_cb * cbinfo = SSL_get_ex_data(ssl, tls_exdata_idx);
3061 DEBUG(D_tls) debug_printf("tls_save_session_cb\n");
3063 if (!cbinfo || !(tlsp = cbinfo->tlsp)->host_resumable) return 0;
3065 # ifdef OPENSSL_HAVE_NUM_TICKETS
3066 if (SSL_SESSION_is_resumable(ss)) /* 1.1.1 */
3069 int len = i2d_SSL_SESSION(ss, NULL);
3070 int dlen = sizeof(dbdata_tls_session) + len;
3071 dbdata_tls_session * dt = store_get(dlen, TRUE);
3072 uschar * s = dt->session;
3073 open_db dbblock, * dbm_file;
3075 DEBUG(D_tls) debug_printf("session is resumable\n");
3076 tlsp->resumption |= RESUME_SERVER_TICKET; /* server gave us a ticket */
3078 dt->verify_override = tlsp->verify_override;
3079 dt->ocsp = tlsp->ocsp;
3080 (void) i2d_SSL_SESSION(ss, &s); /* s gets bumped to end */
3082 if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
3084 const uschar * key = cbinfo->host->address;
3085 dbfn_delete(dbm_file, key);
3086 dbfn_write(dbm_file, key, dt, dlen);
3087 dbfn_close(dbm_file);
3088 DEBUG(D_tls) debug_printf("wrote session (len %u) to db\n",
3097 tls_client_ctx_resume_prehandshake(
3098 exim_openssl_client_tls_ctx * exim_client_ctx, tls_support * tlsp,
3099 smtp_transport_options_block * ob, host_item * host)
3101 /* Should the client request a session resumption ticket? */
3102 if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, host) == OK)
3104 tlsp->host_resumable = TRUE;
3106 SSL_CTX_set_session_cache_mode(exim_client_ctx->ctx,
3107 SSL_SESS_CACHE_CLIENT
3108 | SSL_SESS_CACHE_NO_INTERNAL | SSL_SESS_CACHE_NO_AUTO_CLEAR);
3109 SSL_CTX_sess_set_new_cb(exim_client_ctx->ctx, tls_save_session_cb);
3114 tls_client_ssl_resume_prehandshake(SSL * ssl, tls_support * tlsp,
3115 host_item * host, uschar ** errstr)
3117 if (tlsp->host_resumable)
3120 debug_printf("tls_resumption_hosts overrides openssl_options, enabling tickets\n");
3121 SSL_clear_options(ssl, SSL_OP_NO_TICKET);
3123 tls_exdata_idx = SSL_get_ex_new_index(0, 0, 0, 0, 0);
3124 if (!SSL_set_ex_data(ssl, tls_exdata_idx, client_static_cbinfo))
3126 tls_error(US"set ex_data", host, NULL, errstr);
3129 debug_printf("tls_exdata_idx %d cbinfo %p\n", tls_exdata_idx, client_static_cbinfo);
3132 tlsp->resumption = RESUME_SUPPORTED;
3133 /* Pick up a previous session, saved on an old ticket */
3134 tls_retrieve_session(tlsp, ssl, host->address);
3139 tls_client_resume_posthandshake(exim_openssl_client_tls_ctx * exim_client_ctx,
3142 if (SSL_session_reused(exim_client_ctx->ssl))
3144 DEBUG(D_tls) debug_printf("The session was reused\n");
3145 tlsp->resumption |= RESUME_USED;
3148 #endif /* EXPERIMENTAL_TLS_RESUME */
3151 /*************************************************
3152 * Start a TLS session in a client *
3153 *************************************************/
3155 /* Called from the smtp transport after STARTTLS has been accepted.
3158 cctx connection context
3159 conn_args connection details
3160 cookie datum for randomness; can be NULL
3161 tlsp record details of TLS channel configuration here; must be non-NULL
3162 errstr error string pointer
3164 Returns: TRUE for success with TLS session context set in connection context,
3169 tls_client_start(client_conn_ctx * cctx, smtp_connect_args * conn_args,
3170 void * cookie, tls_support * tlsp, uschar ** errstr)
3172 host_item * host = conn_args->host; /* for msgs and option-tests */
3173 transport_instance * tb = conn_args->tblock; /* always smtp or NULL */
3174 smtp_transport_options_block * ob = tb
3175 ? (smtp_transport_options_block *)tb->options_block
3176 : &smtp_transport_option_defaults;
3177 exim_openssl_client_tls_ctx * exim_client_ctx;
3178 uschar * expciphers;
3180 static uschar peerdn[256];
3182 #ifndef DISABLE_OCSP
3183 BOOL request_ocsp = FALSE;
3184 BOOL require_ocsp = FALSE;
3188 store_pool = POOL_PERM;
3189 exim_client_ctx = store_get(sizeof(exim_openssl_client_tls_ctx), FALSE);
3190 exim_client_ctx->corked = NULL;
3194 tlsp->tlsa_usage = 0;
3197 #ifndef DISABLE_OCSP
3199 # ifdef SUPPORT_DANE
3200 if ( conn_args->dane
3201 && ob->hosts_request_ocsp[0] == '*'
3202 && ob->hosts_request_ocsp[1] == '\0'
3205 /* Unchanged from default. Use a safer one under DANE */
3206 request_ocsp = TRUE;
3207 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
3208 " {= {4}{$tls_out_tlsa_usage}} } "
3214 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK))
3215 request_ocsp = TRUE;
3217 # ifdef SUPPORT_DANE
3221 verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
3225 rc = tls_init(&exim_client_ctx->ctx, host, NULL,
3226 ob->tls_certificate, ob->tls_privatekey,
3227 #ifndef DISABLE_OCSP
3228 (void *)(long)request_ocsp,
3230 cookie, &client_static_cbinfo, tlsp, errstr);
3231 if (rc != OK) return FALSE;
3233 tlsp->certificate_verified = FALSE;
3234 client_verify_callback_called = FALSE;
3238 if (conn_args->dane)
3240 /* We fall back to tls_require_ciphers if unset, empty or forced failure, but
3241 other failures should be treated as problems. */
3242 if (ob->dane_require_tls_ciphers &&
3243 !expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
3244 &expciphers, errstr))
3246 if (expciphers && *expciphers == '\0')
3251 !expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
3252 &expciphers, errstr))
3255 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
3256 are separated by underscores. So that I can use either form in my tests, and
3257 also for general convenience, we turn underscores into hyphens here. */
3261 uschar *s = expciphers;
3262 while (*s) { if (*s == '_') *s = '-'; s++; }
3263 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
3264 if (!SSL_CTX_set_cipher_list(exim_client_ctx->ctx, CS expciphers))
3266 tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr);
3272 if (conn_args->dane)
3274 SSL_CTX_set_verify(exim_client_ctx->ctx,
3275 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
3276 verify_callback_client_dane);
3278 if (!DANESSL_library_init())
3280 tls_error(US"library init", host, NULL, errstr);
3283 if (DANESSL_CTX_init(exim_client_ctx->ctx) <= 0)
3285 tls_error(US"context init", host, NULL, errstr);
3293 if (tls_client_basic_ctx_init(exim_client_ctx->ctx, host, ob,
3294 client_static_cbinfo, errstr) != OK)
3297 #ifdef EXPERIMENTAL_TLS_RESUME
3298 tls_client_ctx_resume_prehandshake(exim_client_ctx, tlsp, ob, host);
3302 if (!(exim_client_ctx->ssl = SSL_new(exim_client_ctx->ctx)))
3304 tls_error(US"SSL_new", host, NULL, errstr);
3307 SSL_set_session_id_context(exim_client_ctx->ssl, sid_ctx, Ustrlen(sid_ctx));
3309 SSL_set_fd(exim_client_ctx->ssl, cctx->sock);
3310 SSL_set_connect_state(exim_client_ctx->ssl);
3314 if (!expand_check(ob->tls_sni, US"tls_sni", &tlsp->sni, errstr))
3318 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
3320 else if (!Ustrlen(tlsp->sni))
3324 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
3325 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tlsp->sni);
3326 SSL_set_tlsext_host_name(exim_client_ctx->ssl, tlsp->sni);
3328 log_write(0, LOG_MAIN, "SNI unusable with this OpenSSL library version; ignoring \"%s\"\n",
3335 if (conn_args->dane)
3336 if (dane_tlsa_load(exim_client_ctx->ssl, host, &conn_args->tlsa_dnsa, errstr) != OK)
3340 #ifndef DISABLE_OCSP
3341 /* Request certificate status at connection-time. If the server
3342 does OCSP stapling we will get the callback (set in tls_init()) */
3343 # ifdef SUPPORT_DANE
3347 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
3348 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
3350 { /* Re-eval now $tls_out_tlsa_usage is populated. If
3351 this means we avoid the OCSP request, we wasted the setup
3352 cost in tls_init(). */
3353 require_ocsp = verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
3354 request_ocsp = require_ocsp
3355 || verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
3362 SSL_set_tlsext_status_type(exim_client_ctx->ssl, TLSEXT_STATUSTYPE_ocsp);
3363 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
3364 tlsp->ocsp = OCSP_NOT_RESP;
3368 #ifdef EXPERIMENTAL_TLS_RESUME
3369 if (!tls_client_ssl_resume_prehandshake(exim_client_ctx->ssl, tlsp, host,
3374 #ifndef DISABLE_EVENT
3375 client_static_cbinfo->event_action = tb ? tb->event_action : NULL;
3378 /* There doesn't seem to be a built-in timeout on connection. */
3380 DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
3381 sigalrm_seen = FALSE;
3382 ALARM(ob->command_timeout);
3383 rc = SSL_connect(exim_client_ctx->ssl);
3387 if (conn_args->dane)
3388 DANESSL_cleanup(exim_client_ctx->ssl);
3393 tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL, errstr);
3399 debug_printf("SSL_connect succeeded\n");
3400 #ifdef EXIM_HAVE_OPENSSL_KEYLOG
3402 BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
3403 SSL_SESSION_print_keylog(bp, SSL_get_session(exim_client_ctx->ssl));
3409 #ifdef EXPERIMENTAL_TLS_RESUME
3410 tls_client_resume_posthandshake(exim_client_ctx, tlsp);
3413 #ifdef SSL_get_extms_support
3414 tlsp->ext_master_secret = SSL_get_extms_support(exim_client_ctx->ssl) == 1;
3416 peer_cert(exim_client_ctx->ssl, tlsp, peerdn, sizeof(peerdn));
3418 tlsp->ver = tlsver_name(exim_client_ctx->ssl);
3419 tlsp->cipher = construct_cipher_name(exim_client_ctx->ssl, tlsp->ver, &tlsp->bits);
3420 tlsp->cipher_stdname = cipher_stdname_ssl(exim_client_ctx->ssl);
3422 /* Record the certificate we presented */
3424 X509 * crt = SSL_get_certificate(exim_client_ctx->ssl);
3425 tlsp->ourcert = crt ? X509_dup(crt) : NULL;
3428 /*XXX will this work with continued-TLS? */
3429 /* Channel-binding info for authenticators */
3432 size_t len = SSL_get_finished(exim_client_ctx->ssl, &c, 0);
3433 int old_pool = store_pool;
3435 SSL_get_finished(exim_client_ctx->ssl, s = store_get((int)len, TRUE), len);
3436 store_pool = POOL_PERM;
3437 tlsp->channelbinding = b64encode_taint(CUS s, (int)len, TRUE);
3438 store_pool = old_pool;
3439 DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage %p %p\n", tlsp->channelbinding, tlsp);
3442 tlsp->active.sock = cctx->sock;
3443 tlsp->active.tls_ctx = exim_client_ctx;
3444 cctx->tls_ctx = exim_client_ctx;
3453 tls_refill(unsigned lim)
3458 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
3459 ssl_xfer_buffer, ssl_xfer_buffer_size);
3461 if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
3462 inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer,
3463 MIN(ssl_xfer_buffer_size, lim));
3464 error = SSL_get_error(server_ssl, inbytes);
3465 if (smtp_receive_timeout > 0) ALARM_CLR(0);
3467 if (had_command_timeout) /* set by signal handler */
3468 smtp_command_timeout_exit(); /* does not return */
3469 if (had_command_sigterm)
3470 smtp_command_sigterm_exit();
3471 if (had_data_timeout)
3472 smtp_data_timeout_exit();
3473 if (had_data_sigint)
3474 smtp_data_sigint_exit();
3476 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
3477 closed down, not that the socket itself has been closed down. Revert to
3478 non-SSL handling. */
3482 case SSL_ERROR_NONE:
3485 case SSL_ERROR_ZERO_RETURN:
3486 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
3488 if (SSL_get_shutdown(server_ssl) == SSL_RECEIVED_SHUTDOWN)
3489 SSL_shutdown(server_ssl);
3491 tls_close(NULL, TLS_NO_SHUTDOWN);
3494 /* Handle genuine errors */
3496 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3497 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
3498 ssl_xfer_error = TRUE;
3502 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
3503 DEBUG(D_tls) if (error == SSL_ERROR_SYSCALL)
3504 debug_printf(" - syscall %s\n", strerror(errno));
3505 ssl_xfer_error = TRUE;
3509 #ifndef DISABLE_DKIM
3510 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
3512 ssl_xfer_buffer_hwm = inbytes;
3513 ssl_xfer_buffer_lwm = 0;
3518 /*************************************************
3519 * TLS version of getc *
3520 *************************************************/
3522 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
3523 it refills the buffer via the SSL reading function.
3525 Arguments: lim Maximum amount to read/buffer
3526 Returns: the next character or EOF
3528 Only used by the server-side TLS.
3532 tls_getc(unsigned lim)
3534 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
3535 if (!tls_refill(lim))
3536 return ssl_xfer_error ? EOF : smtp_getc(lim);
3538 /* Something in the buffer; return next uschar */
3540 return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
3544 tls_getbuf(unsigned * len)
3549 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
3550 if (!tls_refill(*len))
3552 if (!ssl_xfer_error) return smtp_getbuf(len);
3557 if ((size = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm) > *len)
3559 buf = &ssl_xfer_buffer[ssl_xfer_buffer_lwm];
3560 ssl_xfer_buffer_lwm += size;
3569 #ifndef DISABLE_DKIM
3570 int n = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm;
3572 dkim_exim_verify_feed(ssl_xfer_buffer+ssl_xfer_buffer_lwm, n);
3578 tls_could_read(void)
3580 return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm || SSL_pending(server_ssl) > 0;
3584 /*************************************************
3585 * Read bytes from TLS channel *
3586 *************************************************/
3590 ct_ctx client context pointer, or NULL for the one global server context
3594 Returns: the number of bytes read
3595 -1 after a failed read, including EOF
3597 Only used by the client-side TLS.
3601 tls_read(void * ct_ctx, uschar *buff, size_t len)
3603 SSL * ssl = ct_ctx ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
3607 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
3608 buff, (unsigned int)len);
3610 inbytes = SSL_read(ssl, CS buff, len);
3611 error = SSL_get_error(ssl, inbytes);
3613 if (error == SSL_ERROR_ZERO_RETURN)
3615 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
3618 else if (error != SSL_ERROR_NONE)
3628 /*************************************************
3629 * Write bytes down TLS channel *
3630 *************************************************/
3634 ct_ctx client context pointer, or NULL for the one global server context
3637 more further data expected soon
3639 Returns: the number of bytes after a successful write,
3640 -1 after a failed write
3642 Used by both server-side and client-side TLS. Calling with len zero and more unset
3643 will flush buffered writes; buff can be null for this case.
3647 tls_write(void * ct_ctx, const uschar * buff, size_t len, BOOL more)
3650 int outbytes, error;
3652 ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
3653 static gstring * server_corked = NULL;
3654 gstring ** corkedp = ct_ctx
3655 ? &((exim_openssl_client_tls_ctx *)ct_ctx)->corked : &server_corked;
3656 gstring * corked = *corkedp;
3658 DEBUG(D_tls) debug_printf("%s(%p, %lu%s)\n", __FUNCTION__,
3659 buff, (unsigned long)len, more ? ", more" : "");
3661 /* Lacking a CORK or MSG_MORE facility (such as GnuTLS has) we copy data when
3662 "more" is notified. This hack is only ok if small amounts are involved AND only
3663 one stream does it, in one context (i.e. no store reset). Currently it is used
3664 for the responses to the received SMTP MAIL , RCPT, DATA sequence, only.
3665 We support callouts done by the server process by using a separate client
3666 context for the stashed information. */
3667 /* + if PIPE_COMMAND, banner & ehlo-resp for smmtp-on-connect. Suspect there's
3668 a store reset there, so use POOL_PERM. */
3669 /* + if CHUNKING, cmds EHLO,MAIL,RCPT(s),BDAT */
3671 if ((more || corked))
3673 if (!len) buff = US &error; /* dummy just so that string_catn is ok */
3675 #ifndef DISABLE_PIPE_CONNECT
3676 int save_pool = store_pool;
3677 store_pool = POOL_PERM;
3680 corked = string_catn(corked, buff, len);
3682 #ifndef DISABLE_PIPE_CONNECT
3683 store_pool = save_pool;
3691 buff = CUS corked->s;
3696 for (int left = len; left > 0;)
3698 DEBUG(D_tls) debug_printf("SSL_write(%p, %p, %d)\n", ssl, buff, left);
3699 outbytes = SSL_write(ssl, CS buff, left);
3700 error = SSL_get_error(ssl, outbytes);
3701 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
3704 case SSL_ERROR_NONE: /* the usual case */
3710 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3711 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
3714 case SSL_ERROR_ZERO_RETURN:
3715 log_write(0, LOG_MAIN, "SSL channel closed on write");
3718 case SSL_ERROR_SYSCALL:
3719 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
3720 sender_fullhost ? sender_fullhost : US"<unknown>",
3725 log_write(0, LOG_MAIN, "SSL_write error %d", error);
3734 /*************************************************
3735 * Close down a TLS session *
3736 *************************************************/
3738 /* This is also called from within a delivery subprocess forked from the
3739 daemon, to shut down the TLS library, without actually doing a shutdown (which
3740 would tamper with the SSL session in the parent process).
3743 ct_ctx client TLS context pointer, or NULL for the one global server context
3744 shutdown 1 if TLS close-alert is to be sent,
3745 2 if also response to be waited for
3749 Used by both server-side and client-side TLS.
3753 tls_close(void * ct_ctx, int shutdown)
3755 exim_openssl_client_tls_ctx * o_ctx = ct_ctx;
3756 SSL_CTX **ctxp = o_ctx ? &o_ctx->ctx : &server_ctx;
3757 SSL **sslp = o_ctx ? &o_ctx->ssl : &server_ssl;
3758 int *fdp = o_ctx ? &tls_out.active.sock : &tls_in.active.sock;
3760 if (*fdp < 0) return; /* TLS was not active */
3765 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
3766 shutdown > 1 ? " (with response-wait)" : "");
3768 if ( (rc = SSL_shutdown(*sslp)) == 0 /* send "close notify" alert */
3772 rc = SSL_shutdown(*sslp); /* wait for response */
3776 if (rc < 0) DEBUG(D_tls)
3778 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3779 debug_printf("SSL_shutdown: %s\n", ssl_errstring);
3783 if (!o_ctx) /* server side */
3785 #ifndef DISABLE_OCSP
3786 sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
3787 server_static_cbinfo->verify_stack = NULL;
3790 receive_getc = smtp_getc;
3791 receive_getbuf = smtp_getbuf;
3792 receive_get_cache = smtp_get_cache;
3793 receive_ungetc = smtp_ungetc;
3794 receive_feof = smtp_feof;
3795 receive_ferror = smtp_ferror;
3796 receive_smtp_buffered = smtp_buffered;
3797 tls_in.active.tls_ctx = NULL;
3799 /* Leave bits, peercert, cipher, peerdn, certificate_verified set, for logging */
3802 SSL_CTX_free(*ctxp);
3812 /*************************************************
3813 * Let tls_require_ciphers be checked at startup *
3814 *************************************************/
3816 /* The tls_require_ciphers option, if set, must be something which the
3819 Returns: NULL on success, or error message
3823 tls_validate_require_cipher(void)
3826 uschar *s, *expciphers, *err;
3830 if (!(tls_require_ciphers && *tls_require_ciphers))
3833 if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
3835 return US"failed to expand tls_require_ciphers";
3837 if (!(expciphers && *expciphers))
3840 /* normalisation ripped from above */
3842 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
3846 #ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
3847 if (!(ctx = SSL_CTX_new(TLS_server_method())))
3849 if (!(ctx = SSL_CTX_new(SSLv23_server_method())))
3852 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3853 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
3857 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
3859 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
3861 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3862 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed: %s",
3863 expciphers, ssl_errstring);
3874 /*************************************************
3875 * Report the library versions. *
3876 *************************************************/
3878 /* There have historically been some issues with binary compatibility in
3879 OpenSSL libraries; if Exim (like many other applications) is built against
3880 one version of OpenSSL but the run-time linker picks up another version,
3881 it can result in serious failures, including crashing with a SIGSEGV. So
3882 report the version found by the compiler and the run-time version.
3884 Note: some OS vendors backport security fixes without changing the version
3885 number/string, and the version date remains unchanged. The _build_ date
3886 will change, so we can more usefully assist with version diagnosis by also
3887 reporting the build date.
3889 Arguments: a FILE* to print the results to
3894 tls_version_report(FILE *f)
3896 fprintf(f, "Library version: OpenSSL: Compile: %s\n"
3899 OPENSSL_VERSION_TEXT,
3900 SSLeay_version(SSLEAY_VERSION),
3901 SSLeay_version(SSLEAY_BUILT_ON));
3902 /* third line is 38 characters for the %s and the line is 73 chars long;
3903 the OpenSSL output includes a "built on: " prefix already. */
3909 /*************************************************
3910 * Random number generation *
3911 *************************************************/
3913 /* Pseudo-random number generation. The result is not expected to be
3914 cryptographically strong but not so weak that someone will shoot themselves
3915 in the foot using it as a nonce in input in some email header scheme or
3916 whatever weirdness they'll twist this into. The result should handle fork()
3917 and avoid repeating sequences. OpenSSL handles that for us.
3921 Returns a random number in range [0, max-1]
3925 vaguely_random_number(int max)
3929 static pid_t pidlast = 0;
3931 uschar smallbuf[sizeof(r)];
3937 if (pidnow != pidlast)
3939 /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
3940 is unique for each thread", this doesn't apparently apply across processes,
3941 so our own warning from vaguely_random_number_fallback() applies here too.
3942 Fix per PostgreSQL. */
3948 /* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
3952 gettimeofday(&r.tv, NULL);
3955 RAND_seed(US (&r), sizeof(r));
3957 /* We're after pseudo-random, not random; if we still don't have enough data
3958 in the internal PRNG then our options are limited. We could sleep and hope
3959 for entropy to come along (prayer technique) but if the system is so depleted
3960 in the first place then something is likely to just keep taking it. Instead,
3961 we'll just take whatever little bit of pseudo-random we can still manage to
3964 needed_len = sizeof(r);
3965 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
3966 asked for a number less than 10. */
3967 for (r = max, i = 0; r; ++i)
3973 #ifdef EXIM_HAVE_RAND_PSEUDO
3974 /* We do not care if crypto-strong */
3975 i = RAND_pseudo_bytes(smallbuf, needed_len);
3977 i = RAND_bytes(smallbuf, needed_len);
3983 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
3984 return vaguely_random_number_fallback(max);
3988 for (uschar * p = smallbuf; needed_len; --needed_len, ++p)
3991 /* We don't particularly care about weighted results; if someone wants
3992 smooth distribution and cares enough then they should submit a patch then. */
3999 /*************************************************
4000 * OpenSSL option parse *
4001 *************************************************/
4003 /* Parse one option for tls_openssl_options_parse below
4006 name one option name
4007 value place to store a value for it
4008 Returns success or failure in parsing
4014 tls_openssl_one_option_parse(uschar *name, long *value)
4017 int last = exim_openssl_options_size;
4018 while (last > first)
4020 int middle = (first + last)/2;
4021 int c = Ustrcmp(name, exim_openssl_options[middle].name);
4024 *value = exim_openssl_options[middle].value;
4038 /*************************************************
4039 * OpenSSL option parsing logic *
4040 *************************************************/
4042 /* OpenSSL has a number of compatibility options which an administrator might
4043 reasonably wish to set. Interpret a list similarly to decode_bits(), so that
4044 we look like log_selector.
4047 option_spec the administrator-supplied string of options
4048 results ptr to long storage for the options bitmap
4049 Returns success or failure
4053 tls_openssl_options_parse(uschar *option_spec, long *results)
4056 uschar * exp, * end;
4058 BOOL adding, item_parsed;
4060 /* Server: send no (<= TLS1.2) session tickets */
4061 result = SSL_OP_NO_TICKET;
4063 /* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
4064 from default because it increases BEAST susceptibility. */
4065 #ifdef SSL_OP_NO_SSLv2
4066 result |= SSL_OP_NO_SSLv2;
4068 #ifdef SSL_OP_NO_SSLv3
4069 result |= SSL_OP_NO_SSLv3;
4071 #ifdef SSL_OP_SINGLE_DH_USE
4072 result |= SSL_OP_SINGLE_DH_USE;
4074 #ifdef SSL_OP_NO_RENEGOTIATION
4075 result |= SSL_OP_NO_RENEGOTIATION;
4084 if (!expand_check(option_spec, US"openssl_options", &exp, &end))
4087 for (uschar * s = exp; *s; /**/)
4089 while (isspace(*s)) ++s;
4092 if (*s != '+' && *s != '-')
4094 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
4095 "+ or - expected but found \"%s\"\n", s);
4098 adding = *s++ == '+';
4099 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
4102 item_parsed = tls_openssl_one_option_parse(s, &item);
4106 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
4109 DEBUG(D_tls) debug_printf("openssl option, %s %08lx: %08lx (%s)\n",
4110 adding ? "adding to " : "removing from", result, item, s);
4122 #endif /*!MACRO_PREDEF*/
4125 /* End of tls-openssl.c */